How to FICA a Tenant in South Africa: A Step-by-Step Guide

If you let property in South Africa, FICA on the tenant is not optional - and "we asked for an ID copy" is not enough. This is the short version of how to do FICA properly, in the order it actually happens, with the documents and the audit trail a regulator expects to see.

Why does a letting agent need to FICA a tenant?

The Financial Intelligence Centre Act lists estate agents - which today means anyone performing the activities of an estate agent under the Property Practitioners Act - as Accountable Institutions in Schedule 1. That places a set of duties on letting agencies, property managers, and the occasional landlord doing it themselves: client due diligence on every party to the lease, record-keeping for at least five years, and reporting suspicious transactions to the FIC.

A residential lease is a business relationship under the Act. The duty applies whether the lease is for R5,000 a month or R500,000 a month, whether the tenant is a professional with three payslips ready or a foreign national on a study visa. The penalties for non-compliance are real: administrative sanctions from the FIC, professional consequences from the PPRA, and the prospect of losing a Fidelity Fund Certificate.

The good news: doing FICA properly is mostly a discipline question. You collect the same data points every time, verify them in the same order, and store them in a way you can defend at audit. For the broader regulatory backdrop, see the FICA Schedule 1 for property transactions guide, and the property practitioner FICA requirements guide for who counts as an Accountable Institution.

What do you collect for tenant FICA?

The Schedule 1 data points for a residential tenant break into seven groups:

  • Identity: SA ID number, with passport, asylum, or refugee permit fallback for non-citizens. Visa type and expiry for foreign nationals.
  • Residential address: a recent utility bill, bank statement, municipal rates account, or signed lease under twelve months old. Name and current address must match.
  • Contact details: phone number, email address, sometimes an employer reference for follow-up.
  • Bank details: bank, account number, account type, plus a recent bank statement to verify the relationship is real and to support affordability under the National Credit Act.
  • PEP declaration: a yes-or-no question, with enhanced due diligence triggered only when the answer is yes.
  • Source of funds: usually a single line for residential leases ("salary", "pension"), but more detailed when the rent is high or the tenant is a corporate entity.
  • Beneficial ownership: only if the applicant is a company or trust. This is where you look through the corporate veil.

The structured FICA Verification flow captures every one of these data points in one mobile-friendly session, with each field tagged at the database level rather than buried in a free-text PDF. For the full document checklist, see the FICA documents required for a tenant application guide.

How do you verify identity (not just collect it)?

This is the distinction most letting agencies miss. Asking the tenant to email an ID copy is collection. Verifying that the person submitting the document is the document holder is verification. The FIC Act expects both.

For SA citizens, verification means matching the photo on the ID to the person, ideally with a selfie or a liveness check captured in the same session. Where the budget allows, the ID number can be checked against the Department of Home Affairs database via a verification service.

For non-citizens, verification means matching the passport to the person, confirming the visa or permit is current, and capturing the visa expiry. An expired visa is a red flag - not because the tenant is doing anything wrong, but because the regulator expects you to notice.

The audit-trail point is the same in both cases: record what you verified, how, and when. "We checked the ID against the photo on 5 May 2026" is what an FIC inspector wants to see, in a system that survives staff changes.

How do you verify the residential address?

The proof-of-address document must be in the tenant's name (not their flatmate's, not their employer's), under three months old, and reflect the address they declare as their current residence. Acceptable documents include utility bills, bank statements, municipal rates accounts, signed short-term leases, and telecoms accounts in the tenant's name.

What is not acceptable: mobile phone bills (these are easily faked and not address-bound), store accounts, and hand-written confirmation letters from a friend.

There are three common edge cases:

  • Recently moved tenants who do not yet have a bill in their name. A bank statement at the new address usually solves it; failing that, a sworn affidavit signed at a SAPS station confirming residence does the job.
  • Tenants sharing accommodation with parents or a partner without a bill in their own name. Same pattern: an affidavit, plus the household head's proof of address.
  • Recent immigrants who have not yet established local utilities. Affidavit plus a copy of the visa as supporting evidence.

In every case, capture the document, capture the address as a structured field, and capture the verification timestamp.

When does PEP and source of funds apply to a residential lease?

A Politically Exposed Person is someone holding a prominent public office, or a close family member or known associate of one. For most residential leases the question is a yes-or-no declaration on the application form, and enhanced due diligence only kicks in when the answer is yes.

Source of funds works the same way. For an R8,000 a month lease, "salary" is sufficient. For an R150,000 a month lease, or for a corporate tenant, the FIC Act expects a more credible answer - the kind that ties back to a payslip, a tax return, or company financials.

Document the source of funds in the FICA pack even when the answer is "salary". The audit point is that the question was asked and the answer was recorded, not that the answer was complicated.

What about corporate or trust tenants?

A company or trust as the tenant introduces an extra layer: beneficial ownership.

For a company, collect the company registration number, the registered address, and the IDs of the natural persons who own or control more than the threshold (commonly five percent, though firms may set a stricter internal threshold). For a trust, collect the trust deed (or letter of authority from the Master of the High Court), the founder's ID, the trustees' IDs, and the named beneficiaries.

The point is to look through the corporate veil to a real person. A company is not a person, but a person controls the company - and the FIC Act wants that person on the file. The same applies to trusts: the trust is a legal arrangement, not a natural person, and the regulator wants to see the people behind it.

How long do you keep the FICA pack?

The FIC Act requires identity and verification records to be kept for at least five years from the end of the business relationship. For a tenant that means five years from the end of the lease, not from the start. A two-year lease that ran from 2024 to 2026 has FICA records that must be retained until 2031.

Practically that means storing the documents, the structured fields, the signed declarations, and the audit trail in a system that survives staff changes, laptop replacements, and inbox cleanouts. A folder on a shared drive does not meet the standard - the records have to be retrievable on demand and protected against tampering.

POPIA pulls in the same direction: personal information must be retained only as long as needed for the named purpose. The FIC's five-year minimum and POPIA's "no longer than necessary" sit comfortably together when the retention is explicit and configurable. See the POPIA and tenant onboarding guide for the data-protection side.

How do you do this without burning a day per tenant?

The manual pattern (the bad version): email the tenant a list of documents, chase them for two weeks, scan and file what comes back, hope nothing is missing, and rely on someone's memory for the audit trail. A 50-property letting agency loses about four hours of admin per onboarding to that pattern.

The automated pattern (the good version): send one mobile-friendly link, the tenant completes identity, address, bank details, PEP, and the signed declaration in one session, the structured data and the documents save against the tenant's record automatically, and the audit trail timestamps every action.

The difference at scale is staff time and audit defensibility. Either you have a system that does this for you, or you have an employee whose entire job is doing it manually. See FICA Verification for the standalone product.

Common mistakes

  • Treating "I have an ID copy" as FICA. Collection is not verification.
  • Skipping PEP because "this is just a tenant". The question still has to be asked and the answer recorded.
  • Storing the FICA pack in the agent's email, the partner's email, and the laptop's downloads folder. None of these are tamper-evident or retrievable in a Subject Access Request.
  • Skipping the audit trail because "we are a small agency". The audit trail is the proof you actually did the work.
  • Forgetting to FICA the landlord. The landlord is also a party to the business relationship and needs the same treatment.
  • Failing to re-check at lease renewal or when something material changes. Ongoing monitoring is part of CDD, not a one-off.

LetSignal does not provide legal advice. Compliance with the FIC Act, POPIA, and any sector-specific regulator remains the responsibility of the Accountable Institution.
