Get Started

Menu

Verify Now - Identity Verification Platform

Back to All Articles

How to Perform Criminal Checks in South Africa: A Complete Guide for Compliance

how-to-perform-criminal-checks-in-south-africa-a-complete-guide-for-compliance

How to Perform Criminal Checks in South Africa: A Complete Guide for Compliance

In today's fast-paced South African business landscape, ensuring trust and mitigating risk are paramount. Whether you're onboarding new employees, verifying clients for FICA compliance, or conducting thorough background checks, performing criminal checks in South Africa is a non-negotiable step. This guide will walk you through the essential steps, legal considerations, and best practices for conducting these crucial verifications efficiently and compliantly. With the right approach and a trusted partner like VerifyNow, you can safeguard your business and uphold regulatory standards.

TL;DR

Performing criminal checks in South Africa requires explicit consent, adherence to POPIA and FICA regulations, and access to official databases like the SAPS AFIS system. Leveraging a reputable identity verification platform like VerifyNow streamlines this process, ensuring compliance, accuracy, and efficiency while protecting personal data.

Key Facts

  • FICA Record Keeping: Under FICA Act 38 of 2001 Section 23, accountable institutions must keep records of client identities and transactions for a minimum of five years after the business relationship ends.
  • POPIA Penalties: Non-compliance with the Protection of Personal Information Act (POPIA) Act 4 of 2013 can lead to significant penalties, including fines up to ZAR 10 million or imprisonment for up to 10 years for serious offences.
  • Consent is King: According to POPIA, explicit, informed consent is mandatory before processing an individual's personal information, including criminal records.
  • Identity Verification Speed: Digital identity verification solutions, such as those offered by VerifyNow, can return results for ID checks via Home Affairs database integration in under 10 seconds, significantly speeding up the overall verification process.
  • FIC Oversight: The Financial Intelligence Centre (FIC) is the supervisory body responsible for combating financial crime in South Africa, including money laundering and terrorist financing, and mandates certain client due diligence, which can include background checks.

Why are criminal checks so crucial for businesses operating in South Africa? It boils down to a combination of legal obligations, risk management, and maintaining a trustworthy environment. Failing to conduct proper due diligence can expose your organisation to significant financial, legal, and reputational damage.

Regulatory Compliance: FICA, KYC, and AML

South Africa has robust regulatory frameworks designed to combat financial crime and ensure transparency. When you perform criminal checks, you're often fulfilling a part of these broader obligations.

Definition Block: FICA

FICA (Financial Intelligence Centre Act 38 of 2001): The cornerstone of South Africa's anti-money laundering (AML) and counter-terrorist financing (CTF) regime. It mandates "accountable institutions" to identify and verify clients, keep records, report suspicious transactions, and implement a Risk Management and Compliance Programme (RMCP).

Definition Block: KYC

KYC (Know Your Customer): A critical process within FICA, requiring businesses to verify the identity of their clients and assess their suitability and potential risks. This includes understanding the nature of the business relationship and potentially conducting enhanced due diligence (EDD) for higher-risk clients.

Definition Block: AML

AML (Anti-Money Laundering): A set of procedures, laws, and regulations designed to stop the practice of generating income through illegal actions. FICA is South Africa's primary AML legislation.

According to South African law, specifically the FIC Act 38 of 2001, certain businesses (known as accountable institutions) must implement robust KYC procedures. This often includes some form of background check to assess a client's risk profile. While FICA doesn't explicitly mandate criminal checks for all clients, it certainly encourages a risk-based approach. For high-risk individuals or specific roles (e.g., financial advisors, security personnel), a criminal check becomes an essential component of Customer Due Diligence (CDD) or Enhanced Due Diligence (EDD).

💡 Important compliance note: The FIC requires accountable institutions to develop and implement a Risk Management and Compliance Programme (RMCP). This programme dictates how your organisation assesses and mitigates risks, which can include the necessity of criminal checks for certain scenarios. Learn more in our FICA Guide.

Risk Mitigation: Protecting Your Business and Reputation

Beyond legal compliance, criminal checks are a powerful tool for risk management.

  • Employee Onboarding: Hiring someone with a history of fraud or theft into a position of trust can lead to internal losses, legal liabilities, and a toxic work environment.
  • Client Relationships: Engaging with clients involved in illicit activities can inadvertently link your business to criminal networks, leading to severe reputational damage and potential legal action.
  • Fraud Prevention: Verifying an individual's background helps in preventing identity fraud and other deceptive practices.

By proactively conducting these checks, you're not just ticking a box; you're actively building a safer and more secure operational environment.

The "How": Step-by-Step Guide to Performing Criminal Checks in South Africa

Performing a criminal check in South Africa is a structured process that requires adherence to legal guidelines and access to reliable data. Here's how it generally works:

This is arguably the most critical step. Under the Protection of Personal Information Act (POPIA) Act 4 of 2013, you must obtain explicit, informed, and voluntary consent from the individual before conducting a criminal check. This consent must clearly state:

  • What information you are collecting (e.g., criminal record data).
  • Why you are collecting it (e.g., employment verification, FICA compliance).
  • How the information will be used and stored.
  • Who will have access to it.

📝 Expert Insight: According to the Information Regulator, processing sensitive personal information, which includes criminal records, requires a higher standard of consent. Ensure your consent forms are clear, unambiguous, and easily accessible.

Step 2: Gather Necessary Identity Information

To initiate a criminal check, you'll typically need the individual's:

  • Full Name
  • South African ID Number (or passport number for foreign nationals)
  • Date of Birth
  • Fingerprints (for traditional checks or certain digital methods)

Step 3: Choose Your Verification Method

Traditionally, criminal checks involved sending fingerprints to the South African Police Service (SAPS) for manual processing. However, modern technology offers more efficient and streamlined solutions.

A. Traditional Fingerprint-Based Checks (SAPS AFIS)

  • Process: The individual's fingerprints are taken (digitally or ink-based) and submitted to the SAPS Automated Fingerprint Identification System (AFIS).
  • Turnaround Time: This method can be time-consuming, often taking several days to weeks.
  • Legal Standing: Provides an official SAPS criminal record report.

B. Digital, Biometric-Driven Checks (Recommended for Efficiency & Compliance)

This is where platforms like VerifyNow shine. By leveraging advanced technology and direct integrations with authoritative data sources, VerifyNow can facilitate criminal checks much faster and with greater ease.

  1. Biometric Capture: The individual provides their biometric data (e.g., fingerprints via a certified scanner or even advanced facial recognition for identity confirmation).
  2. Consent Confirmation: VerifyNow's platform ensures that explicit consent is captured and recorded in a POPIA-compliant manner.
  3. Secure Data Transmission: The encrypted data is securely transmitted to official databases (e.g., SAPS AFIS via accredited providers).
  4. Automated Processing & Reporting: The system processes the request, and a comprehensive report is generated, detailing any criminal history.

Using a platform like VerifyNow significantly reduces manual effort, speeds up turnaround times, and provides an auditable trail for compliance purposes. Our platform integrates seamlessly to provide a complete employment verification and background check solution.

Step 4: Interpret and Act on the Results

Once the report is generated, it's crucial to understand what it means. A criminal record check will typically indicate:

  • Whether the individual has a criminal record.
  • The nature of any convictions (e.g., fraud, theft, assault).
  • The date of conviction and sentence.

⚖️ Important Consideration: Having a criminal record does not automatically disqualify an individual. Your organisation's policies should define how different types of convictions relate to specific roles or business relationships, always considering fairness and non-discrimination.

💡 Ready to streamline your compliance? Sign up for VerifyNow and start verifying identities and backgrounds in seconds.

The Protection of Personal Information Act (POPIA) is central to performing criminal checks in South Africa. Non-compliance is not an option, especially with the Information Regulator actively enforcing the Act.

Definition Block: POPIA

POPIA (Protection of Personal Information Act 4 of 2013): South Africa's comprehensive data protection law, regulating how personal information is collected, processed, stored, and shared. It grants individuals rights over their data and imposes strict obligations on organisations (responsible parties).

Key POPIA Principles for Criminal Checks:

  1. Accountability: You, as the "responsible party," are accountable for ensuring compliance with POPIA throughout the entire process of collecting and processing criminal record data.
  2. Lawfulness of Processing: Processing criminal records is considered processing "special personal information" under POPIA. This type of processing is generally prohibited unless specific conditions are met, such as obtaining explicit consent or if it's required by law (e.g., for specific employment sectors).
  3. Purpose Specification: You must collect criminal record data for a specific, explicitly defined, and lawful purpose directly related to a function or activity of your organisation. You cannot collect it "just in case."
  4. Information Quality: Ensure the data collected is accurate, complete, and not misleading.
  5. Security Safeguards: You must implement appropriate technical and organisational measures to protect the personal information (including criminal records) against loss, damage, unauthorised destruction, and unlawful access or processing. This includes secure storage and transmission.
  6. Openness: Be transparent with individuals about what information you are collecting and how it will be used.
  7. Individual Participation: Individuals have the right to access their personal information and request corrections or deletions.

The Implications of Non-Compliance

The Information Regulator is actively monitoring and enforcing POPIA. Recent updates include:

  • Data Breach Reporting: Organisations must report data breaches to both the Information Regulator and affected data subjects without undue delay.
  • Increased Penalties: As mentioned in our Key Facts, non-compliance can result in substantial administrative fines up to ZAR 10 million or imprisonment.
  • **Reput