Draft General Laws (AML/CTF) Amendment Bill, 2025: What’s changing — and what it means for South Africa’s compliance community

By Sholane Sathu | 26 January 2026

South Africa is gearing up for its next FATF mutual evaluation (anticipated to be completed in October 2027), while working to close remaining gaps highlighted through the enhanced follow-up and grey-listing process. The Draft Bill proposes focused amendments across four key statutes — the Nonprofit Organisations Act (NPO Act), the Financial Intelligence Centre Act (FIC Act), the Companies Act, and the Financial Sector Regulation Act (FSR Act).

What stands out is a clear “system tightening” theme: expanded monitoring powers, stronger information-sharing, firmer enforcement mechanisms, and clearer consequences for non-compliance — especially around beneficial ownership, sanctions implementation, and higher-risk activity.

1) Nonprofit Organisations Act: stronger monitoring, sanctions, and penalties (Clauses 1–4)

The Bill shifts the NPO framework from largely administrative oversight toward more explicit supervision and enforcement.

  • Expanded enforcement mandate (Clause 1). The Directorate’s functions are extended to explicitly include monitoring and enforcing compliance by NPOs.
  • Broader appeal rights (Clause 2). Section 14 is substituted so an organisation may appeal not only a refusal to register, but also a decision to impose an administrative sanction. The appeal process is routed through an Arbitration Tribunal with powers to confirm, modify, or set aside the sanction (subject to court review/appeal).
  • Compliance notices and administrative sanctions (Clause 3). Section 20 is strengthened so the Director must issue a compliance notice where an organisation fails to comply, and may also impose an administrative sanction (or refer for criminal investigation where appropriate).
  • Higher penalties (Clause 4). Offences may attract a fine up to R1 million, imprisonment up to five years, or both. Draft AMLCFT Amendment What’s c…

Sathu says: This represents a decisive shift from “registration administration” to active supervision and enforcement in the NPO space. The test will be proportional implementation — ensuring enforcement is risk-based and does not become administratively punitive for low-risk, good-faith organisations.

2) Financial Intelligence Centre Act: expanded tools, wider information-sharing, and higher baseline expectations (Clauses 5–25)

The FIC Act amendments are the Bill’s centre of gravity, strengthening the Centre’s operational capabilities and widening the compliance footprint for accountable institutions.

2.1 The Centre’s expanded role and investigative capability

Expanded functions (Clause 6). The Bill expands the Centre’s functions to include administering measures related to freezing of property/transactions under UN Security Council resolutions, producing forensic evidence using specialised scientific methods, conducting lifestyle audits, and strengthening the Centre’s compliance supervision and enforcement role.

Lifestyle audits explicitly enabled (Clause 7). Section 4 is amended to add bodies such as the Public Procurement Office and Border Management Authority and to enable lifestyle audits, including for persons in Schedule 3A or other prescribed categories, at the request of an organ of state/public entity/municipality where relevance is established.

Broader state information access (Clause 8). The Centre may request information, database access, or regular access to registers held by organs of state, public entities, and municipalities to perform its functions effectively.

2.2 Higher baseline expectations for accountable institutions

Record-keeping extended from five to seven years (Clause 9). Section 23 is substituted so accountable institutions must keep records for at least seven years, including business relationship and transaction records and records linked to reportable transactions/activities.

“New product/new technology” risk hardening (Clause 20). Section 42 is amended so that, before launching a new product/service, institutions must identify and assess risk including new delivery mechanisms and new/developing technologies, and then apply measures to manage and mitigate those risks.

Sathu says: This is one of the most practically important shifts for the private sector. “Innovation” is no longer neutral in AML/CTF terms — it becomes explicitly risk-scoped, and governance over product approval, third-party platforms, and digital onboarding must be demonstrably audit-ready.

2.3 Sanctions administration, information-sharing, POPIA alignment, and enforcement

Sanctions-related notification clarity (Clause 10). The section 26A heading is reframed to cover notification tied to UNSC resolutions or a High Court order.

  • Information sharing widened and formalised (Clause 18). Section 40 is amended so the Centre may share reported/obtained information and analysis as well as information obtained via lifestyle audits and related analysis, expanding recipients (including the Border Management Authority and Public Procurement Office) and strengthening safeguards (written requests, stated purpose, procedural protections).
  • Enhanced good-faith protections (Clause 17). Protections are broadened to cover good-faith actions including making/contributing to reports and sharing information to facilitate reporting.
  • POPIA alignment for information sharing (Clause 19). The Minister may prescribe requirements for protecting personal information to facilitate sharing between accountable institutions where needed to carry out specified sections.
  • Administrative sanction exposure clarified (Clause 21). Contravention of section 20A or 21(1) triggers non-compliance and administrative sanction exposure.
  • Offences and sanctions strengthened (Clauses 22–23). Consequences are expanded for failures tied to terrorist property reporting (including failures to report attempts), and failure to comply with monitoring orders becomes both an offence and sanctionable non-compliance.

Sathu says: The combined effect is a major operational uplift. Institutions should anticipate increased expectations around sanctions screening controls and evidence, information-sharing governance and POPIA controls, record retention, and product governance — especially where technology changes risk profiles.

3) Companies Act: beneficial ownership and register enforcement with real consequences (Clauses 26–30)

These amendments focus on improving compliance and enforcement around securities registers and beneficial interest registers.

  • Deregistration lever (Clause 26). A new deregistration ground is inserted: where, on demand by the Commission, a company fails to submit a securities register or register of beneficial interest for two or more years in succession.
  • Administrative fines and a higher ceiling (Clauses 27–28). If a person fails to comply with a compliance notice relating to these registers, the Commission may impose an administrative fine. The fine framework is capped at the greater of 10% of turnover for the period of non-compliance and the maximum prescribed amount; and the prescribed maximum baseline is increased from R1 million to not less than R10 million.
  • Tribunal review mechanism (Clause 29). A review route is created: an application can be made to the Companies Tribunal within 15 business days (or longer on good cause), with the Tribunal empowered to confirm, modify, or set aside the fine.

Sathu says: This is a meaningful enforcement turn. A turnover-linked fine structure is designed to bite — and it reinforces that beneficial ownership and register obligations are not “box-ticking.” Boards and company secretariats should treat register governance and evidentiary trail as standing controls, not reactive tasks.

4) Financial Sector Regulation Act: technology-neutral perimeter and licensing alignment (Clauses 31–37)

These changes respond to market innovation where new structures mimic regulated activity without neat legal labels.

  • Broader “financial investment” concept (Clause 31). The definition is updated so that contribution of economic value qualifies, irrespective of whether the investor has day-to-day control.
  • Technology-neutral capture (Clause 32). The scope is broadened to include arrangements similar in nature/outcome to financial products/instruments irrespective of the technology used.
  • Licensing alignment tools (Clauses 33–34). The Bill introduces a mechanism for dual licensing where required, and allows standards to require categories of financial institutions to be licensed under the FSR Act even where other licensing requirements already exist, if needed to achieve objectives.

Sathu says: Regulators are being equipped to look through form to substance — catching arrangements that function like regulated products/services even if delivered via new platforms or structures. For new entrants and hybrid models, licensing analysis becomes a front-end design question, not an afterthought.

5) Commencement and what organisations should do now (Clause 38)

The Act will commence on a date determined by the President by proclamation in the Gazette.

Even at draft stage, the Bill provides a clear readiness roadmap. Key priorities include:

  • Record retention uplift planning (systems, storage, retrieval, audit readiness).
  • New product approval governance updated to include delivery mechanisms and new/developing technology risk assessments.
  • Sanctions controls and evidence strengthened (screening, freezing, escalation, documentation).
  • Information-sharing and POPIA controls for accountable institutions (policy, safeguards, traceability).
  • Companies register compliance governance and responsiveness to Commission demands.

About the author

Sholane Sathu is the Founder of Navigate Compliance. She is a seasoned Governance, Risk, and Compliance (GRC) professional, project manager, and board advisor with extensive experience supporting organizations in highly regulated environments. Sholane manages complex compliance projects and advises senior leadership on practical, high-impact regulatory transformation programs.

About Navigate Compliance Navigate Compliance is a multidisciplinary GRC and IT practice specializing in regulatory transformation, high-impact project delivery, and specialized resourcing. We bridge the gap between strategy and execution, helping organizations translate complex obligations into effective controls and measurable outcomes. www.navigatecompliance.io. FSCA licensed compliance practice| QCTO Accredited

Categories

Navigate isn’t for everyone.
We are built for institutions who see compliance not as a constraint, but as a competitive advantage.