FAIS
FICA
POPIA

Compliance Health Check

27 Jan 2026

A practical guide for South African entities

In a landscape where the regulatory bar keeps rising, having the right documentation is simply not enough anymore. Regulators want to see a living, breathing compliance framework that is integrated into your business, not just policies on the shelf.

This checklist-style guide will help you quickly assess whether your FAIS, FICA and POPIA obligations are truly covered, or whether it’s time for a refresh.

Financial Advisory & Intermediary Services Act (FAIS)

Are you:

  1. Maintaining a current Compliance Monitoring Plan (CMP) that reflects your actual business operations, risks and changes? A generic CMP won’t cut it anymore. The FSCA is looking for risk-based plans that tie into your product offering, distribution channels and client categories.

  2. Performing and documenting regular competence assessments and oversight of representatives? Are they acting within their fit and proper requirements, and are their CPD hours all up to date?

  3. Reviewing your Conflict-of-Interest Policy and disclosures annually and applying them to real scenarios? Regulators are scrutinising relationships with product providers, third-party incentives and client communication.

  4. Monitoring, recording and escalating breaches, incidents and complaints with proper root cause analysis? Having a register is one thing, but are issues being tracked through to resolution, with learnings fed back into training, policy and change?

  5. Ensuring your internal/external compliance officer is proactive, not just filing template reports? Are they asking the right questions, supporting remediation and helping your team stay ahead of changes?

Financial Intelligence Centre Act (FICA)

Are you:

  1. Keeping your Risk Management and Compliance Programme (RMCP) up to date and evolving with changes in products, clients and delivery channels? Many RMCPs are drafted for licensing purposes and then forgotten. RMCPs should be reviewed annually, or sooner if your risk profile shifts. At the moment, most fines are being handed out for insufficient or outdated RMCPs.

  2. Conducting customer due diligence (CDD) that goes beyond box-ticking? Are you performing Enhanced Due Diligence (EDD) for high-risk clients? How well are you documenting your rationale for risk ratings?

  3. Applying ongoing due diligence during the client relationship? Are you monitoring transactions, re-validating client information periodically and looking out for red flags?

  4. Maintaining records in line with Sections 22 and 23 of FICA? Are you confident in your ability to produce the required client files, KYC data and internal decisions if the FIC came knocking?

  5. Filing Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) correctly and on time? Many firms under-report, not because nothing happens, but because staff are not trained to recognise reportable events.

  6. Conducting annual FICA training for staff and keeping evidence of it? Even a brief in-house refresher counts, as long as it is documented. Training is essential for reducing risk.

Protection of Personal Information Act (POPIA)

Are you:

  1. Ensuring your Information Officer (IO) has been appointed, trained and registered with the Information Regulator? Appointing someone by name only isn’t enough; they need to understand their role and be empowered to act on it.

  2. Publishing a PAIA manual that is accessible, accurate and reviewed annually? This is often overlooked. Failing to publish a compliant manual can lead to fines or complaints.

  3. Reviewing and communicating privacy notices on your website, client onboarding documentation and marketing material? Are clients aware of what data you are collecting, why, and with whom it is shared? Are they giving informed consent?

  4. Maintaining a Personal Information Impact Assessment (PIIA), or at least documenting the processing activities your business performs? Understanding how data flows through your systems is essential to defending your position in the event of a breach or complaint.

  5. Implementing a clear breach response plan? If data is lost or stolen, who acts? What gets reported? How fast? You must be able to act quickly and transparently.

  6. Training staff on handling Personal Information appropriately? Most data breaches result from human error. Awareness is key.

Need a fresh set of eyes?

Regulators are looking for more than just compliance on paper. They want evidence that it’s happening in practice. If your compliance feels like a hassle, is outdated, or you are unsure where to begin, I am here to help.

I work with FSPs and global businesses looking to build sustainable, risk-based compliance frameworks that support their business’s growth and success, not slow them down.