The need to use reliable independent third-party sources during customer identification and verification within the risk-based approach system

April 1st, 2018

By Nkateko Nkhwashu

The Financial Intelligence Centre Amendment Act 1 of 2017 (the Amendment Act) introduces a risk-based approach (RBA) to customer identification and verification (or Customer Due Diligence as it is now referred to in the Amendment Act). This is opposed to the previous ‘tick-box’ approach used under the Financial Intelligence Centre Act 38 of 2001 (FICA). The former entails a situation wherein accountable institutions have to first identify, assess and understand the risks they are being exposed to, namely, money laundering, terrorist financing etcetera, and thereafter, put measures or controls in place to deal with them. The latter, on the other hand entails a situation wherein a financial regulator or supervisory body, namely, the Financial Intelligence Centre (FIC) or South African Reserve Bank, through secondary legislation, prescribe ways that will be used by accountable institutions in identifying and verifying customers’ identities by, for example, regulations or guidance notes etcetera.

In a RBA regime, resources to address risks are targeted where needed the most, thus ensuring the approach’s efficiency and flexibility. This is part of the reason why throughout the consultation period to the Amendment Act it was emphasised that the RBA’s flexibility will remove some of the anomalies currently experienced in trying to comply with some of the rigid requirements of a ‘tick-box’ approach to customer identification and verification. One example of such a rigid requirement is the need for proof of a residential address when a customer has to access certain financial products or services. This requirement has been a headache to all for quite some time as the majority of the South African citizens do not have physical proof of residential addresses for various reasons.

It is hoped that the above challenge will be dealt with or solved under the new RBA regime. Previously various attempts were made to solve this issue, for example, by exempting accountable institutions from having to verify the information provided by customers at on-boarding stage or other moves by local branches (of banks, for example) wherein municipalities were forced to issue customers with documents purporting to be proof of residence coupled with an affidavit from the police. The challenge with the first attempt is that accountable institutions were later required by the regulator or supervisory body, to verify the information provided by the customer at on-boarding. More often than not, this proved difficult and as a result customer accounts had to be closed. Lastly, the challenge with the second attempt remains that the content or information contained in the purported ‘municipal proof of residential address’ could not be relied on for the purposes of complying with FICA as it is, both given and confirmed by the customer themselves. This information cannot be said to be from a ‘reliable and independent third-party source’ (Guidance Note 7 on The Implementation of Various Aspects of The Financial Intelligence Centre Act, 2001 (Guidance Note 7) (, accessed 13-3-2018) at para 83).

It is further hoped that the new RBA will ‘bring previously excluded sectors of society into the formal economy’ and as a result ‘improve the efficacy of measures to combat terrorism financing and money laundering, while also promoting financial inclusion’ (Louis de Koker South African Money Laundering and Terror Financing Law (Durban: LexisNexis 2016)). Going through some of the documents on the Amendment Act, for example, Memorandum on the objects of the Financial Intelligence Centre Amendment Bill 2015 etcetera, one gets the sense that much hope was placed on the supposed ‘flexibility’ of the RBA when it comes to dealing with some of the challenges outlined above, especially those related to customer identification and verification, as well as access to financial services (or financial inclusion). Furthermore, it was as if accountable institutions were going to be spoilt for choice when it came to sources or ways to use when identifying and verifying customers, but the revised Draft Guidance on the Implementation of Various Aspects of the Financial Intelligence Centre Act 38 of 2001 (Guidance Note) issued for public comment on 30 August 2017, called for caution as it clearly showed that it is not ‘all systems go’ when it comes to sources that will be used for customer identification and verification.

Things to be cautious of when identifying and verifying customers

It is imperative to note that in most developing countries, including South Africa (SA), one of the key challenges to accessing financial services or products, is the fact that most people find it difficult or are unable to get government issued identity documents or even worse, some countries do not have a national identification system. Poor people are usually affected the most by these situations. In certain countries, however, due to technological advancements and flexibility in their regulatory frameworks, which allows for innovation. Access to financial services has since improved without the need to rely on government issued documents and/or sources, for example, the Kenyan success story of M-Pesa.

The Guidance Note provides examples on how accountable institutions are expected to identify and verify customers. It also provides a non-exhaustive list of reliable sources that can be used as well. What is important – for the purposes of this article – is that it also cautions accountable institutions on which sources or ways that may not be used or relied on for the purposes of complying with the Amendment Act. All the suggested sources or reliable ways of identifying and verifying customers seem to suggest that only government issued documents or sources should be heavily relied on, as they seem to meet the standard of being ‘independent reliable third-party sources’ (Guidance Note 7 at para 87). The use of electronic sources is also acknowledged, however, such use or the use of other innovative ways like biometrics or personal attributes/physical appearance, seem to be suggested as ‘supplements’ rather than initial sources, which may be used.

The language of the Guidance Note is couched in a cautious, prescriptive and not so-flexible manner. It is conceded that some of the basic attributes, which can only be verified by using government issued sources will remain, however, the suggested general rule should not be that only ‘government issued or controlled sources be used as the means of verification when verifying basic identity attributes’ (Guidance Note 7 at para 88). The Guidance Note is for the use of pro-government issued sources, as opposed to electronic and other methods of verification. For example, in certain parts of the Guidance Note where electronic means of verification are suggested, a ‘disclaimer’ of some sort is provided. One such is as follows:

‘Accountable Institutions making use of electronic data sources to verify a prospective client’s identity remain responsible and accountable in their own capacity for compliance with the requirements of the FIC Act. The use of electronic data sources … does not provide automatic indemnity from regulatory action relating to the institution’s compliance with these requirements. It is important therefore that accountable institutions apply due diligence in choosing electronic solutions as a means to enable verification of a prospective client’s identity’ (Guidance Note 7 at para 90).

It is further conceded that the standard or requirement of using reliable independent third-party sources when verifying customer’s identities is in line with international best practice. However, in developing countries, more often than not, corroborating these sources entails relying on government-related data or sources, for example, the Department of Home Affairs, Companies and Intellectual Property Commission, South African Revenue Services and others. The challenge, especially for the poor living in remote parts of the country, is that customers/citizens do not have these documents or the records are not accurate and up to date. Despite all these examples, the question remains whether the new regulatory framework is going to be conducive enough for efforts aimed at realising the objective of financial inclusion. Furthermore, will accountable institutions be bold and daring enough when it comes to coming up with innovative ways of identifying and verifying customers given the cautious way in which the Guidance Note is couched or will accountable institutions opt for the safe ‘conservative corporate compliance’ route by sticking to the suggested ways and sources, thus shunning innovation and the use of electronic sources?


It short, the adoption of an RBA is a very welcome development within the regulatory framework of SA. The discretion now given to the accountable institutions on how to go about identifying and verifying customers will surely help in dealing with some of the challenges currently faced by the majority of citizens when trying to get access to financial services and products, provided that the expectations of the regulators, supervisory bodies and accountable institutions are aligned. Furthermore, the regulatory environment should be user-friendly and the use of electronics should be encouraged. However, after having had sight of the language in which the Guidance Note is couched, it remains to be seen whether in practice accountable institutions will be bold and flexible enough to think outside of the box or be innovative and still be able to meet the expectations of the regulatory authorities. After all, it has been stated countless times by the Financial Action Task Force representatives that a risk-based approach and financial inclusion are not mutually exclusive.

Nkateko Nkhwashu LLB (University of Venda) LLM (UJ) Cert in Legislative Drafting (UP) Cert in Compliance Management (UJ) Cert in Money Laundering Controls (UJ) Cert in Policy Development (Pro Active College) is an advocate at Empowerment Dynamics Consulting in Centurion.

Mr Nkhwashu writes in his personal capacity.

This article was first published in De Rebus in 2018 (April) DR 22.

De Rebus