South African businesses face an increasingly complex compliance landscape. The Financial Intelligence Centre Act (FICA), the Protection of Personal Information Act (POPIA), the Prevention and Combating of Corrupt Activities Act (PRECCA), and anti-money laundering obligations all impose real duties — and real penalties for non-compliance.
What I find in practice is that most businesses understand they have obligations. Far fewer have actually mapped those obligations against their operations and built appropriate controls.
Key Risk Areas
- Accountable institutions under FICA must conduct customer due diligence, file suspicious transaction reports (STRs), and appoint a compliance officer. Many smaller businesses are unaware they qualify as accountable institutions.
- POPIA requires lawful processing of personal information — critically relevant to any background checking or surveillance activity.
- PRECCA imposes a duty to report corruption. Failure to report when you have reasonable grounds is itself a criminal offence.
Practical Steps
Start with a compliance gap analysis — map your actual activities against your statutory obligations. Identify where controls are absent or inadequate. Build proportionate procedures, train the relevant staff, and establish a review cycle. This doesn’t need to be a bureaucratic exercise. It needs to be functional, documented, and defensible.