KYC for Fintech Startups in South Africa

VerifyNow is an SA-native KYC API for fintech startups: Home Affairs HANIS, AML/PEP, bank + CIPC, face match, sandbox, POPIA-ready. Pay per check from R2.99, no subscription.

What VerifyNow covers for fintechs

Every service is a single REST call, billed in credits, with full audit trail retained for the 7-year FICA Section 23 record-keeping window. Unlike many cross-border providers, VerifyNow is SA-native with direct Home Affairs HANIS integration rather than a derived dataset.

• Home Affairs SA ID verification

  Real-time HANIS lookup with full names, DOB, citizenship, vital status and the ID photo on record.

• AML / PEP / sanctions screening

  Screen individuals and entities against OFAC, UN, EU, UK and 190+ country lists, including adverse media.

• Bank account verification

  Confirm the customer actually owns the bank account before you debit or pay out.

• CIPC company & director checks (KYB)

  Registration status, registered directors, and director-to-ID cross-reference for business onboarding.

• Face match + liveness

  Match a selfie to the Home Affairs ID photo with a confidence score and anti-spoofing liveness.

• Document verification

  OCR + authenticity checks on SA ID books, smart IDs, driver’s licences and 190+ country passports.

• Consumer & phone trace

  Recover current address, contact numbers and employment from a verified SA ID for dispute or collections workflows.

• Customer consent (POPIA)

  Built-in consent capture with signed audit trail so every verification has a lawful basis.

Developer workflow — sandbox to production in an afternoon

Every endpoint takes a Bearer API key in the Authorization header and returns JSON. Add an Idempotency-Key header for safe retries. Here is the path most fintech teams follow:

1. 1

   Sign up and land in the dashboard

   Create a free VerifyNow account at /register. No credit card. You get the dashboard, a sandbox API key, and access to every endpoint from day one.

2. 2

   Grab a sandbox API key

   In Settings → API Keys, create a sandbox key. Sandbox requests do not consume credits and return deterministic fixtures for a documented set of SA ID numbers.

3. 3

   POST /verify with an SA ID

   Send a Bearer-auth POST to /verify with a test ID number. You get back JSON: ID valid, names, DOB, gender, citizenship, vital status, and (when requested) the photo.

4. 4

   Layer on /aml-pep, /face-match and /cipc/company

   For full KYC/KYB stitch together /aml-pep (sanctions + PEP), /face-match (selfie vs ID photo) and /cipc/company or /cipc/director for business customers.

5. 5

   Flip to production

   Generate a production key, point the same request at the live base URL, and start billing real credits. Idempotency-Key header makes retries safe.

POST https://sandbox.verifynow.co.za/verify
Authorization: Bearer sk_sandbox_***
Idempotency-Key: onboard_42a1

{
  "id_number": "9001015009087",
  "include_photo": true
}

POPIA checklist for fintechs

Ship your KYC flow with POPIA baked in, not bolted on. These are the eight items a fintech Information Officer will ask you about before launch.

Capture explicit written consent before every verification

POPIA Section 11 requires lawful processing. Use the built-in consent form or your own; store the signed record against each check.

Define and document a lawful purpose

For a fintech this is typically FICA Section 21 identification, fraud prevention, or contract performance. Write it into your RMCP.

Apply purpose limitation and minimisation

Only run the checks you actually need for onboarding. Don’t pull a consumer trace on a low-risk retail customer.

Keep personal data in South Africa

VerifyNow hosts request and response data in SA. If you use a third-party processor, confirm their data residency matches.

Retain records for 7 years (FICA Section 23)

Customer identification records, including KYC API responses, must be kept for at least 5 years after the relationship ends. Most fintechs keep 7 to cover overlapping obligations.

Honour subject access and correction requests

Data subjects can request what you hold on them and correct inaccuracies. Your dashboard should expose this per customer.

Report breaches to the Information Regulator within 72 hours

POPIA Section 22 requires prompt notification of security compromises that affect personal information. Have an incident runbook ready before you go live.

Run a DPIA for high-risk processing

Biometric matching, automated decision-making and cross-border data flows each warrant a Data Protection Impact Assessment documented before launch.

Pricing — pay per check, no subscription

Every verification is priced in credits. You buy credits once, spend them across any endpoint, and the per-credit price drops as you scale. No seats, no monthly minimums, no recurring subscription fee.

Every service is billed in credits. See the full pricing page for the credit cost of each endpoint.

Fintech KYC FAQ

Is VerifyNow FICA compliant?

Yes. VerifyNow verifies SA IDs against the official Department of Home Affairs population register, which satisfies FICA Section 21’s requirement to identify customers using reliable, independent sources. Verification records are retained for 7 years to cover FICA Section 23 record-keeping.

What does the sandbox return?

Sandbox requests return deterministic fixture data for a documented set of SA ID numbers — a successful verification, an invalid ID, a deceased flag, a PEP hit, a sanctions hit, and a failed liveness check. Sandbox requests do not consume credits so you can build and test freely.

How do I rotate API keys?

Go to Settings → API Keys in the dashboard. You can create a new key, mark the old one as scheduled for rotation, update your environment, then revoke the old key. We recommend rotating at least every 90 days.

Do you charge for failed verifications?

We charge for every completed API call that consumes a data-source query, which includes most failures (e.g. the ID is invalid or not found). We do not charge for sandbox requests or for requests that fail before reaching the data source (auth errors, validation errors, 5xx on our side).

How fast is a Home Affairs check?

A Home Affairs SA ID verification typically returns in 3 to 7 seconds end-to-end. The request hits the DHA population register in real time, so turnaround depends on upstream availability. We surface latency in the response meta object.

Do you store PII?

We store request and response metadata (status, credits spent, latency, audit trail) for the 7-year FICA window. Personal payload data is stored according to your account retention policy — by default, full payloads are available for 30 days, then reduced to metadata-only. All data is hosted in South Africa.

Can I white-label VerifyNow?

Yes. We offer a white-label option that lets you rebrand the dashboard, consent forms and customer-facing flows under your own domain, backed by the same API. Unlike many cross-border providers, VerifyNow is SA-native with direct Home Affairs HANIS integration, so your brand sits on top of first-party SA data.