The Global Context
Since its initial promulgation on 1 February 2002, FICA has engendered a fair bit of antipathy from those regulated by it (Accountable Institutions). This is usually to be expected of any piece of legislation with which it is costly and administratively burdensome to comply. However, some of the antipathy is informed by the popular view that FICA represents the government’s attempt to outsource a part of its law enforcement function to the private sector. While that view has some truth to it, it is somewhat over-simplified. This becomes clear when one traces FICA to its origins.
South Africa is a member of the Financial Action Task Force (FATF), an inter-governmental organisation headquartered in Paris and composed of 37 member states. The FATF was formed in 1989. At that time, the G7 countries identified the pressing need for a unified response to AML, which was recognised as a threat to the integrity of the global financial system and the various players within it. The FATF sets international standards comprising 49 recommendations (Recommendations) pertaining to various aspects of AML. Member countries are expected to adopt the Recommendations by tailoring them to their peculiar circumstances, and ultimately giving them the force of law as domestic legislation. FICA is an articulation of South Africa’s FATF obligations. In certain places, its wording borrows heavily from the FATF’s nomenclature.
An important detail about the FATF is that it is not akin to the UN, in that it cannot impose embargos, sanctions and similar measures against its members. Rather, its punitive power lies in its ability to influence inter-member trade relations. Every five years, each member undergoes a peer review culminating in what is known as a mutual evaluation report, assessing its level of compliance with the Recommendations. A negative report signals that the offending member is not combatting AML as vigorously as it should be. This, in turn, hampers the ability of the member concerned to attract foreign investment from its compliant counterparts, who represent some of the largest economies in the developed and developing world. South Africa’s Amendments were prompted by the report of 2014, which sharply criticised certain aspects of FICA and the underlying machinery used to implement it.
FICA is a consequence of South Africa’s membership of an international community, whose AML stance is becoming progressively robust; in some senses it is a consequence of the economic hardship that would ensue if South Africa’s stance were perceived as any less robust.
The salient features of the Amendments are the following:
- Risk-based approach
The Amendments heralded the FATF’s migration to a risk-based approach, which is best understood when described in relation to its predecessor, the rules-based approach. At the FATF’s inception and for a number of years thereafter, the best practice of the day was to impose a rigid, formulaic set of rules to deal with specific situations. This thinking was incorporated in the Recommendations and, by extension, in the first iteration of FICA. The rules-based approach was precisely why banks, for example, were inflexible in the documents they required of their clients. The FATF eventually realised that this sort of dogmatism was untenable, and substituted the rules-based approach with the risk-based approach. It adjusted its Recommendations accordingly, and this in turn occasioned the Amendments.
- Extended customer due diligence obligations
Under the previous dispensation, an Accountable Institution’s customer due diligence (CDD) obligations were centred in the identification of clients. Discharging these obligations now entails going beyond mere identification, by taking steps to understand such things as the nature of the client’s business, the services sought from the Accountable Institution, and the identity of the client’s ultimate beneficial owners (being the natural persons ultimately benefitting from the client’s assets and profits). The latter piece of information can be difficult to obtain, as ultimate beneficial owners are often several steps removed from the client, and often designedly so.
- Personalised compliance
Section 42 of FICA introduces the concept of a risk management and compliance programme (RMCP), which every Accountable Institution is required to design for itself and implement (it succeeds the “internal rules” of the previous dispensation). The RMCP exhaustively sets out an Accountable Institution’s FICA compliance strategy in respect of three broad duties, namely “know-your-customer” (KYC), recordkeeping and reporting. FICA is not prescriptive as to the precise wording of the RMCP. It does, however, list the minimum matters that must be addressed in it, as well as certain things that it must enable its user to do. In broad terms, for every “what” appearing in FICA in relation to the three duties, a corresponding “how” must appear in the RMCP. Under the Amendments, Accountable Institutions are afforded considerable discretion to tailor their RMCP to fit their unique AML exposure and business requirements. This discretion is accompanied by an equal measure of responsibility. Under the old dispensation, FICA compliance was a matter of passive compliance with the hard and fast rules then imposed; in the wake of the Amendments, FICA no longer lends itself to passivity, and compliance now has two dimensions to it: (a) an Accountable Institution must adhere to its RMCP; and (b) the RMCP, in turn, must be in harmony with FICA. Both dimensions require of an Accountable Institution active engagement with its AML environment, and a thorough grasp of the risk-based approach. The most difficult part of designing an RMCP is deciding on the appropriate risk model to be applied when ascribing risk to a given client. A number of factors might bear upon on risk, and the permutations regarding the interplay between these factors as well as their relative weighting are potentially endless. Once the risk model is in place, the Accountable Institution can then detail the documentary requirements under its bespoke CDD procedures. A core tenet of the risk-based approach is that the stringency of the CDD procedures must be graduated according to each client’s risk profile. The Accountable Institution’s estimation of a client’s risk is determinative of how that client is on-boarded. This is in stark contrast to the rules-based approach, as it was indifferent to risk and treated all clients equally.
The Amendments were, on the whole, well intended and necessary. The proving ground for their efficacy will be the mutual evaluation report of 2019, which South Africa will hopefully withstand. That said, the transition to the new FICA regime is anything but painless for Accountable Institutions, which will have to expend substantial resources in giving effect to the new regime.