Why KYB is Essential for Risk Management in South Africa

19 May 2026  ·  6 min read

Seventy-seven percent of South African businesses reported experiencing fraud in the two years to 2023. Behind most of those incidents was a common failure: inadequate verification of the entities they were dealing with. KYB closes that gap — and under FICA, it is no longer optional.

Seventy-seven percent. That is the share of South African businesses that reported experiencing fraud in the two years to 2023, according to PwC's Global Economic Crime and Fraud Survey. Behind most of those incidents was a common failure: inadequate verification of the entities those businesses were dealing with.

Know Your Business (KYB) is the discipline that closes that gap. It is the structured process of verifying a business's legal identity, ownership structure, financial conduct, and risk profile — before, and continuously throughout, a commercial relationship. Done properly, KYB is not an administrative burden. It is an early-warning system.

KYB Is Not the Same as KYC

The distinction matters more than most compliance teams acknowledge. Know Your Customer (KYC) is built around natural persons: confirming an individual's identity and assessing their personal risk profile. KYB applies the same rigour to legal entities — companies, trusts, partnerships, and the people who ultimately own or control them.

The complexity is an order of magnitude higher. A business may carry layered ownership structures, nominee directors, or group entities spread across multiple jurisdictions. Static, once-off verification misses the changes that matter most: a director added to a sanctions list, a company that changes hands mid-contract, a key supplier facing adverse regulatory action in another market.

Effective KYB is not a once-off event. It is a continuous monitoring function — and South African regulators now expect organisations to treat it as one.

The Regulatory Landscape Has Shifted

South Africa's exit from the FATF grey list in 2025 was hard-won. The Financial Intelligence Centre (FIC) and the South African Reserve Bank (SARB) spent years strengthening enforcement, and that posture has not softened since. The expectation now is that accountable institutions maintain what was built — and can demonstrate it on demand.

The Financial Intelligence Centre Act (FICA) makes this concrete. Under FICA, accountable institutions are required to:

  • Identify and verify the legal entity and its authorised representatives against reliable, independent sources
  • Establish beneficial ownership — tracing the chain to every natural person who ultimately owns or controls more than 25% of the entity
  • Assess and document the business relationship risk using a proportionate, risk-based approach
  • Apply Enhanced Due Diligence (EDD) where the entity, sector, or jurisdiction elevates the inherent risk profile
  • Monitor the relationship on an ongoing basis and update records materially when circumstances change

The Protection of Personal Information Act (POPIA) runs alongside FICA. Any data collected during KYB verification must be handled lawfully, with appropriate consent, purpose limitation, and retention controls — adding a data governance dimension to every compliance workflow that many programmes have not yet fully absorbed.

Where KYB Programmes Break Down

Most compliance failures are not caused by ignorance of the rules. They are caused by gaps in execution. The three most common points of failure in South African KYB programmes are consistent across sectors.

Verification that stops at registration

Confirming that a company is registered with the CIPC is the floor, not the ceiling. Registration tells you that an entity exists — it does not tell you who controls it today, whether that control has recently changed, or whether any of its directors or beneficial owners carry elevated risk. A programme that treats CIPC confirmation as sufficient KYB will not survive an FIC audit.

Ownership structures that are never fully resolved

Complex group structures — holding companies, trusts, and layered subsidiaries — exist for entirely legitimate commercial reasons. They are also the primary mechanism through which financial crime is concealed. Resolving the beneficial ownership chain to the natural person level is a non-negotiable requirement under FICA, yet it remains one of the most commonly incomplete steps in practice. The difficulty is not an excuse regulators accept.

Static records in a dynamic environment

A business that was low-risk at onboarding may not remain low-risk twelve months later. Directors change. Sanctions lists are updated weekly. Adverse media surfaces without warning. Without a continuous monitoring programme that flags these changes in near real time, a compliance team is always operating on yesterday's picture — which is precisely the gap enforcement actions are designed to expose.

What Rigorous KYB Looks Like in Practice

The transition from checkbox compliance to genuine risk management requires four capabilities working together consistently:

  • Identity and registration verification — confirming legal existence, registration status, and registered address against authoritative sources, not self-reported documentation
  • Beneficial ownership resolution — tracing ownership chains to the natural person level, with documented evidence and a defensible risk rating at each node in the structure
  • Sanctions, PEP, and adverse media screening — covering the entity itself, every director, every officer, and every significant shareholder, against current global databases
  • Ongoing monitoring with event-driven alerts — automated triggers that surface material changes to any of the above in real time, ensuring records remain current between formal review cycles

The FIC's enforcement actions in recent years have consistently cited failures in ongoing monitoring — not just initial onboarding. A programme that onboards carefully but does not monitor is incomplete by design, and regulators treat it that way.

The True Cost of Getting It Wrong

The direct costs of KYB failure are visible: regulatory fines, enforcement orders, and the reputational damage that follows a public action. In 2023, the FIC issued enforcement notices against institutions across banking, insurance, and the estate agency sector — all citing deficiencies in entity and business due diligence. These are not edge cases. They are the predictable consequence of programmes built for appearances rather than outcomes.

The indirect costs are harder to quantify but typically larger. A business onboarded without adequate KYB becomes a liability the moment the relationship deepens. Contracts extended, credit facilities approved, and transactions processed on the basis of insufficient due diligence all carry residual exposure that compounds quietly over time — until it does not.

Compliance officers who can demonstrate a robust, documented KYB programme — with clear audit trails, risk ratings, and evidence of ongoing monitoring — are not just satisfying a regulatory requirement. They are providing their institutions with a defensible position when scrutiny arrives. And in the current South African regulatory environment, scrutiny will arrive.

Three Questions Every KYB Programme Must Answer

The most effective programmes share a common architecture: automated where automation adds speed and accuracy, human-reviewed where judgment is required, and fully documented throughout. Every decision — to onboard, to flag for EDD, to decline, or to exit a relationship — should be traceable to a specific risk assessment supported by verified data.

For compliance teams operating under FICA, that means building a programme capable of answering three questions at any point in time, without preparing for the answer in advance:

  • Who is this business, and who ultimately controls it?
  • What is the current risk rating for this relationship, and on what verified basis was it assigned?
  • When did we last verify this information, and what material changes have occurred since?

If your programme cannot answer all three consistently — across every entity in your portfolio, not just the ones you recently onboarded — the gaps are worth addressing before your next regulatory review locates them first.

References

  • PwC South Africa. (2023). Global Economic Crime and Fraud Survey 2023.
  • Financial Intelligence Centre (FIC). (2023). Enforcement Actions and Compliance Updates.
  • South African Reserve Bank (SARB). (2023). AML/CTF Regulatory Guidelines.
  • Financial Action Task Force (FATF). (2025). South Africa — Mutual Evaluation Follow-Up Report.

Published by NGA RiskSecure

Originally published at nga.co.za · Curated and rendered on KYCopilot for compliance practitioner reference.