
The 2026 FICA Playbook: A Beginner's Guide to South Africa’s Risk-Based KYC Requirements

December 4, 2025 by Sam Strand

As South Africa steps into its post-greylist era, one message from regulators is unmistakably clear: the country expects accountable institutions to demonstrate real, risk-based compliance—not box-ticking, not templates copied from the internet, and not outdated onboarding procedures. Due diligence processes must be professionally crafted, genuinely customised to risk, and implemented reliably and flawlessly.

The risk-based approach, long emphasised in FATF standards and embedded in the Financial Intelligence Centre Act (FICA), is now the central determinant of whether a business can withstand regulatory scrutiny. Yet many institutions—especially SMEs and DNFBPs—still grapple with what the risk-based approach truly means in practice, and how it should shape their day-to-day KYC operations.

This article, the second in ThisIsMe’s KYC/FICA 2026 Compliance Series, offers a clear, plain-language guide to the risk-based approach in South Africa. It explains what regulators expect, how businesses should structure their internal models, and why a well-calibrated risk framework is essential for both compliance and commercial success.


Why the Risk-Based Approach Matters More Than Ever

South Africa’s exit from the FATF grey list has raised, not lowered, regulatory expectations. Regulators are now expected to tighten the net around non-compliance and reduce tolerance for failures. Businesses are expected to apply the risk-based approach consistently, produce audit-ready documentation, and demonstrate that they understand the true risk profile of each customer.

In simple terms, the risk-based approach requires businesses to allocate their compliance resources where the risk is highest. Instead of treating all customers the same, FICA expects companies to identify which clients pose elevated money-laundering, fraud, or terror-financing risks—and adjust their due-diligence efforts accordingly.

This approach is both practical and strategic. It prevents low-risk customers from being over-burdened with unnecessary checks, while ensuring that high-risk customers go through enhanced due diligence (EDD). But it also creates accountability. If a customer causes harm to the financial system, regulators will ask whether the institution accurately rated the risk and whether its controls were appropriate for that rating.

For businesses, this means that a risk-based approach is no longer a theoretical concept. It is the backbone of every KYC decision, every audit file, and every regulator conversation.


What FICA Expects: The Core Components of a Risk-Based KYC Framework

South Africa’s AML/CFT regime is built around several core elements that together constitute a functioning risk-based program. At minimum, regulators expect businesses to maintain:

  • A documented Risk Management and Compliance Programme (RMCP) that explains how the business identifies, assesses, and mitigates money-laundering risks.
  • A sound Customer Risk Rating (CRR) methodology that assigns risk levels logically and consistently.
  • Clear customer-due-diligence (CDD) and enhanced-due-diligence (EDD) procedures, aligned to the risk profile of each customer.
  • Accurate beneficial ownership verification processes, including for trusts, juristic persons, and multi-layered structures (a requirement still being developed alongside the CIPC's work on its beneficial ownership database).
  • Ongoing monitoring that is risk-triggered, event-driven, and proportional to customer behaviour.
  • Record-keeping standards that allow auditors or supervisors to understand every decision made throughout the customer lifecycle.
  • A clear escalation structure for suspicious activity, culminating in timely and defensible STR filing.

These components work together to form a unified risk-based system. If one pillar is weak—such as beneficial ownership verification—the entire framework is compromised.


When Standard Due Diligence Isn’t Enough: Understanding EDD

Enhanced Due Diligence (EDD) is triggered when a customer poses a higher-than-normal risk—either due to their industry, geography, ownership structure, behaviour, or public exposure. Contrary to common belief, EDD is not a punishment. It is a safeguard that protects both the business and the financial system.

EDD may be warranted when customers are:

  • Identified as a Politically Exposed Person (PEP), or closely associated with a known PEP
  • Linked to high-risk jurisdictions or sanctioned regions
  • Part of multi-layered or foreign ownership structures
  • Exhibiting transactional behaviour that deviates from their profile
  • Subject to adverse media, unresolved allegations, or past misconduct

In South Africa’s post-greylist context, regulators will closely examine whether institutions correctly identified when EDD should have been applied, and whether the additional scrutiny was adequate.

EDD is less about volume of paperwork and more about quality of understanding. It requires businesses to establish where client funds come from, what purpose accounts will serve, and whether the customer’s behaviour aligns with legitimate economic activity.


Ongoing Monitoring: The Backbone of the Risk-Based Approach

Many institutions treat onboarding as the most important step in the KYC process. In reality, regulators view onboarding as only the beginning. Ongoing monitoring is where most risk signals surface, and where most institutions fall short.

Effective monitoring is continuous, not periodic. It requires a combination of automated tools and human oversight to detect changes in customer behaviour, ownership, PEP status, sanctions exposure, or risk profile. South Africa’s regulators expect institutions to review and refresh risk ratings whenever new information emerges—not simply on an annual cycle.

The most successful institutions adopt an “always-on” mindset: they treat monitoring as a living process rather than a static step. This approach not only strengthens compliance but reduces the probability of serious breaches that could damage both reputation and regulatory standing.


Internal Controls: The Infrastructure Behind a Strong KYC Program

A risk-based approach cannot function without strong internal controls. Policies must be clear, procedures must be executable, and documentation must be thorough. Staff should be trained regularly, and the business should maintain a transparent audit trail that explains how each customer was assessed and why specific decisions were made.

In practice, this means ensuring that the RMCP is not a theoretical document. It must be actively used and continually updated to reflect new risks, new products, and new regulatory expectations. An RMCP written in 2023 but not updated post-greylisting will not survive regulatory scrutiny in 2026.

Record-keeping is equally crucial. Supervisors place high value on evidence. If an institution cannot show how it verified a beneficial owner, how it calculated a risk score, or how it responded to a suspicious trigger, regulators may conclude that compliance controls are inadequate—even if the business intended to follow the rules.


How ThisIsMe Supports a Modern, Risk-Based Framework

ThisIsMe’s identity verification and compliance solutions are built specifically to support South Africa’s risk-based regime. Our tools integrate seamlessly into onboarding workflows and monitoring systems, providing authoritative data, automated checks, and audit-ready documentation.

We help businesses verify beneficial ownership accurately, maintain continuous sanctions and PEP monitoring, calibrate CRR models, and reduce manual workloads without compromising accuracy. As South Africa’s regulatory expectations rise, ThisIsMe ensures businesses remain both compliant and competitive.


The Road Ahead: Risk-Based Compliance as a Strategic Advantage

The risk-based approach is no longer an abstract regulatory concept. It is the operating system of modern compliance in South Africa. Companies that invest in strong CRR models, robust monitoring, and high-quality verification will move through audits more easily, onboard clients faster, and build credibility with global partners.

Those who continue to treat risk assessment as a one-time formal exercise will find themselves vulnerable in a world that now expects more—from institutions and from South Africa as a whole.

A strong, risk-based KYC program is not just about avoiding penalties; it is a foundation for sustainable, trusted, and scalable growth.