On 2 October 2017, various amendments to FICA were enacted to align South Africa’s anti-money laundering (AML) and counter terrorist financing (CFT) laws with international best practice. The amendments included a migration from the rules-based approach to the risk-based approach (RBA) to customer due diligence (CDD).
The RBA requires institutions to apply varied levels of due diligence commensurate with the degree of AML risk identified. Although there is no numerus clausus of risk categories, commonly identified risk categories include geographic, customer and product/service risk. As a result, by applying the RBA, institutions can direct their resources in a manner that is proportionate to the identified risk, thereby promoting an efficient use of resources with minimal burden on their customers. It is also designed to afford institutions greater flexibility to use a wider range of mechanisms to achieve their know-your-customer (KYC) requirements, simplify their CDD measures in instances where a lower risk has been identified and provide institutions with greater discretion to determine the appropriate steps to be taken to ensure compliance with their internal AML and CFT rules. As a result, the RBA is recognised internationally as the preferred approach to CDD in various sectors including real estate, gambling, insurance, securities and banking.
Section 42 of FICA requires accountable institutions (AIs) to adopt a Risk Management and Compliance Programme (RMCP). This was required to be done by 2 April 2019. Implementation of an RMCP by AIs is critical to ensuring compliance with the RBA. The RMCP should include, amongst others, an AI’s RMCP policy document, procedures, systems and internal controls directed at risk assessment and these should be tailored to the AI’s particular business as no two AIs are likely to be the same. Accordingly, a large AI which offers a wide range of services to a diverse client base would develop a more comprehensive RMCP in comparison to a smaller AI which offers a limited range of products to a smaller client base.
Section 42(2) of FICA requires the RMCP to enable AIs to, amongst others, identify and manage risk arising from the provision of their products or services. The RMCP incorporates various aspects relating to customer identification and verification, ongoing and enhanced due diligence measures and record keeping by specifying the way AIs must:
- determine if a person is a prospective client in the process of establishing a business relationship or entering into a single transaction or has already done so;
- comply with section 20A of FICA, which prohibits AIs from establishing a business relationship or concluding a single transaction with anonymous clients or a client with an apparent false name;
- establish and verify the identity of persons;
- determine whether future transactions are consistent with its knowledge of a prospective client;
- conduct additional due diligence measures in respect of legal persons, trusts and partnerships;
- conduct ongoing due diligence and account monitoring in respect of business relationships;
- examine complex or unusually large transactions and unusual patterns of transactions and keep written findings of the above;
- confirm information relating to a client when it has doubts about the veracity of information received;
- perform customer due diligence requirements when it suspects that a transaction or activity is suspicious;
- terminate existing business relationships;
- determine whether a prospective client is a foreign prominent public official or domestic prominent influential person;
- specify instances when simplified customer due diligence might be permitted; and
- maintain records as required by section 21 of FICA.
Section 42(2A) of FICA provides AIs with the discretion to indicate whether any of the above requirements do not apply to them. If this is the case, those AIs should provide reasons in their RMCP.
The RMCP must enable AIs to determine when a transaction or activity is reportable in terms of FICA as well as outline the processes for reporting such information. It must also provide for its implementation in the AI’s branches, subsidiaries or foreign operations including the processes relating to implementation.
Section 42(2B) of FICA requires the board of directors, senior management or persons exercising the highest level of authority in an AI to approve the RMCP. Thereafter, AIs are, in terms of section 42(2C), required to review their RMCP at regular intervals to ensure that it remains relevant to the AI’s operations and to ensure compliance with FICA.
Although most AIs have existing mechanisms to assess risk in respect of potential and existing clients and transactions, those mechanisms may require further alignment to achieve compliance with the principles of the RBA. As a result, the successful adoption and implementation of an RMCP will require existing policies, procedures and internal controls to be streamlined into an RMCP that is tailored to the AI’s operations and which approaches CDD measures in a manner that is proportionate to the identified category of risk.