The Financial Intelligence Centre (FIC) has brought Directive 11 of 2026 into force while simultaneously inviting comment on Draft Public Compliance Communication 125 (PCC 125), which combines firm reporting deadlines with detailed expectations on how institutions must comply.
Together, the directive and draft guidance introduce a more structured, data-driven reporting regime for the 2026 risk and compliance returns (RCRs), with tight timelines and limited room for error. Directive 11 establishes the obligation, while Draft PCC 125 sets out how that obligation is expected to be met.
For accountable institutions, the immediate focus is twofold: preparing for submission in May and assessing whether the draft guidance is workable before the comment window closes.
Directive 11: the obligation
Directive 11 sets the framework for the submission of the 2026 RCRs, introducing structured reporting requirements, defined submission windows, and standardised data expectations. It strengthens the link between institutions’ risk assessments and their regulatory obligations, requiring that underlying data, controls, and risk frameworks are clearly reflected in submissions.
In practical terms, the directive sets out:
- How accountable institutions must submit their RCRs (electronically via the FIC platform).
- What information must be included, including risk exposure and implementation of controls.
- Which reporting periods must be covered.
- When submissions must be made.
The RCR functions as a supervisory tool, enabling the FIC to assess how institutions identify and manage risks related to money laundering, terrorist financing, and proliferation financing.
Who it applies to
Directive 11 applies to specified accountable institutions listed in Schedule 1 of the FIC Act, including:
- Items 1, 2, 3, and 9
- Item 11 (excluding banks, mutual banks, and co-operative bank credit providers)
- Items 14, 20, 21, and 22
This spans a broad range of sectors, from financial service providers and casinos to crypto asset service providers and high-value goods dealers.
What institutions must do
Affected institutions are required to:
- Complete the 2026 RCR in full, answering all applicable questions.
- Base responses on their own risk assessments and the effectiveness of their controls.
- Submit electronically via the FIC’s designated platform.
- Ensure information aligns with the specified reporting periods.
The reporting periods generally span:
- 1 April 2023 to 31 March 2026, or
- 1 July 2023 to 31 March 2026
Key dates and deadlines:
- Directive effective: 1 April 2026
- RCR submission opens: 4 May 2026
Submission deadlines are staggered across two key dates.
Returns are due by 30 June 2026 at 17:00 for institutions falling under item 11 (non-banks), as well as items 14, 21, and 22, including casinos classified under items 2 and 9.
A later deadline of 31 July 2026 at 17:00 applies to high-value goods dealers (item 20), along with institutions captured under items 1, 3 and 9 that do not operate as casinos.
PCC 125: how the FIC expects it to be done
Draft PCC 125 builds on Directive 11 by setting out the practical requirements for completing and submitting the RCRs. It is open for comment until 24 April 2026.
Although still in draft, the guidance is positioned as authoritative and will inform how compliance is assessed.
Several operational requirements stand out:
- Preparation ahead of submission: Institutions are expected to download the RCR template, gather data in advance, and prepare responses before accessing the live system, shifting much of the workload to the pre-submission phase.
- Structured, multi-period reporting: RCR data must be completed separately for each reporting year or period within a single submission. Submission is only possible once all required periods are fully completed.
- Registration as a prerequisite: Only institutions registered on goAML, with a valid organisation identity (Org ID), can submit. Unregistered entities will be unable to comply.
- One return – except when it’s not: Institutions must generally submit a single consolidated return covering head office and branches. However, separate legal entities must submit their own RCRs, franchise networks must submit separately, and institutions operating across multiple Schedule 1 activities must submit multiple RCRs, one per activity and Org ID.
- Governance accountability: While compliance teams may complete the return, responsibility rests with senior management or the board.
- No second chances after submission: Once submitted, an RCR cannot be edited or withdrawn. Errors must be reported through a formal query process, reinforcing the need for accuracy upfront.
What this signals
Directive 11 is not a procedural formality. Failure to comply constitutes non-compliance with the FIC Act and may result in administrative sanctions.
More broadly, the directive and draft PCC reflect a shift towards standardised, comparable and verifiable data, with increased emphasis on how institutions demonstrate their understanding of financial crime risk and the effectiveness of their controls.
The consultation note indicates that improved data quality will support more effective sectoral and national risk assessments, suggesting that submissions will feed directly into supervisory and policy decisions
Comments on Draft PCC 125 must reach the Centre by no later than the close of business on Friday, 24 April 2026. Written comments must be submitted to the Centre electronically only using this link.
Accountable institutions are encouraged to monitor their goAML message boards regularly – ideally on a daily basis – for any critical communications from the FIC.
Queries can be directed to the Centre’s compliance contact centre on 012 641 6000, while written queries can be submitted on the FIC’s website, by clicking on the compliance queries link: https://www.fic.gov.za/compliance-queries/.
