The failure of some accountable institutions to submit their risk and compliance returns (RCRs) has proved costly, to both the institutions and South Africa’s efforts to get off the Financial Action Task Force’s grey list, highlighting a significant gap in compliance.
All accountable institutions are required to register with the Financial Intelligence Centre (FIC) and fulfil various regulatory obligations.
As of 31 March this year, the FIC database recorded 51 020 registered institutions, a notable increase from 45 392 in the previous year, according to the FIC’s recently published 2023/24 annual report.
Grey-listing – risk and compliance
The Financial Intelligence Centre Act (FICA) establishes a framework mandating specific businesses, termed accountable institutions in Schedule 1 of the Act, to implement compliance measures. These include conducting business risk assessments for anti-money laundering (AML) and countering the financing of terrorism (CFT) and proliferation financing. Institutions must also train their employees on FICA compliance and their Risk Management and Compliance Programmes (RMCPs).
In alignment with these requirements, the FATF mandates that countries understand their money laundering (ML) and terrorist financing (TF) risks and adopt a risk-based approach to supervision. To meet this obligation, the FIC periodically assesses the ML and TF risks faced by the sectors it regulates under FICA.
A lack of understanding of the ML and TF risks faced by Designated Non-Financial Businesses and Professions (DNFBPs) contributed to South Africa being grey-listed by the FATF in February 2023. To address this issue, the FIC developed the RCR questionnaire.
On 31 March 2023, the FIC issued Directive 6, requiring DNFBPs – including legal practitioners, trust and company service providers, estate agents, and gambling institutions – to complete and submit their RCRs by 31 May 2023. These institutions were already listed in Schedule 1 of FICA before 19 December 2022.
Additionally, the FIC published Directive 7 on the same day, obligating credit providers, the South African Postbank, high-value goods dealers, the South African Mint Company, and crypto asset service providers to submit their RCRs by 31 July 2023. These institutions fell under the scope of FICA from 19 December 2022.
The RCRs, designed as an online questionnaire accessible through the FIC website, helps institutions assess their vulnerability to ML and TF. The information gathered aids the FIC in understanding risk exposure levels, allowing for more effective risk-based supervision.
Institutions that failed to submit their RCRs by the deadlines were considered non-compliant and categorised as high-risk.
According to the report, by 31 March this year (just under a year after the original deadline), of the 35 110 registered accountable institutions that were required to submit RCRs, 20 517 had done so.
The online portal remains open for submissions.
Of the 558 inspections conducted during 2023/24, 269 focused specifically on the non-submission of RCRs. The FIC identified 191 institutions that failed to comply with this critical obligation. In addition, the FIC issued 186 notices of intention to sanction DNFBPs, which included remedial directives and imposed financial penalties of R10 000 each for non-compliance.
Risk and Compliance Analytical Assessment tool
Under “highlights of the year” in the annual report, the FIC describes the development and implementation of the Risk and Compliance Analysis Assessment tool to assist in risk assessment. The assessment tool assists in identifying accountable institutions at higher risk of being abused for money laundering and terrorist financing purposes.
However, for this process, the FIC required accountable institutions to submit their RCRs. According to the FIC, by using the tool on the submitted RCRs, the FIC was able to produce reliable risk assessment results.
“Detail acquired from analysis was also used to report on South Africa’s progress in addressing the shortcomings identified by FATF. It is envisaged that the FIC will continue to use this approach following the country’s exit from the FATF grey list,” the FIC states in the report.
As explained in the report, the FIC also uses a risk matrix to rate institutions in accordance with their exposure to risks of money laundering and terrorist financing. Risk factors such as media reports, the risk rating of the sector, the institutional type and compliance with the registration and reporting requirements are considered.
The report states that during 2023/24, the FIC conducted 129 compliance reviews and issued reports to assist reviewed institutions with improving their understanding and execution of the compliance obligations under FICA.
FIC risk-based inspections
Following the FIC supervision manual, up to mid-July 2023, the scope of inspections – either limited or full scope – was determined through a manual application of the risk-based approach. Full-scope inspections examined all compliance obligations under FICA, while limited-scope inspections focused on specific areas.
After mid-July 2023, the FIC shifted to analysing the RCR submitted by accountable institutions, utilising assessment tool for its risk-based supervision. This tool enabled the FIC to categorise and identify DNFBPs at higher risk. Those categorised as high or higher risk triggered inspections, while low- and medium-risk entities prompted other forms of supervision, including monitoring.
Post mid-July 2023, the FIC’s risk-based supervision and inspections were informed by the analysis of information from accountable institutions’ RCRs. This analysis shaped the FIC’s supervisory plan, focusing inspections on legal practitioners and estate agents, which were also identified as high-risk in sector assessments.
From 1 April 2023 to 31 March 2024, the FIC conducted a total of 558 inspections. These included inspections based on manual methodology, follow-up inspections on institutions required to remediate prior non-compliance, inspections of institutions that had not submitted RCRs, and inspections informed by RCR analysis.
Analysis of inspection findings
Most legal practitioners and estate agents inspected were based in Gauteng and the Western Cape. The FIC states this was in accordance with the plan to focus inspections in areas where high-value property transactions and related legal services were offered, as identified in the sector risk assessments.
Of the 558 inspections in 2023/24, 269 specifically scrutinised the non-submission of RCRs.
The FIC found that 191 institutions were non-compliant with the requirement to submit an RCR. The remaining inspections were targeted at one or more of the other compliance obligations under FICA.
The results of these inspections show that the inspected institutions were largely non-compliant in the following areas:
- Failure to develop or implement an RMCP.
- Failure to timeously register with the FIC or to update registration information.
- Failure to properly identify and verify beneficial owners of legal entities and trusts.
- Failure to provide confirmation that clients were screened against the United Nations Security Council’s Targeted Financial Sanctions (TFS) lists.
According to section 42 of FICA, all accountable institutions must maintain an RMCP. This documented plan outlines how they will address risks associated with money laundering, terrorist financing, and proliferation financing.
An RMCP should detail processes for customer due diligence (identification and verification), record-keeping, reporting, and employee training procedures. This requirement extends to branches and subsidiaries, which must implement adequate safeguards to protect the confidentiality of exchanged information.
Institutions are legally obligated to understand their exposure to money laundering and terrorist financing risks. An RMCP helps in assessing these risks, thereby protecting both the institution’s integrity and the broader South African financial system.
Institutions must provide copies of their RMCP to supervisory bodies, such as the FIC and the FSCA, upon request. Failure to comply may result in administrative sanctions, including financial penalties.
Non-submission of RCRs
The FIC issued notices of intention to sanction accountable institutions that were non-compliant with Directives 6 and 7 for non-compliance and/or non-submission of RCRs.
The FIC issued 186 such notices to non-compliant institutions. These notices contain an admission of non-compliance fine and a directive to submit their RCRs.
In addition, a fine was introduced specifically for the non-submission of RCRs and was intended to speed up the enforcement process and the receipt of RCRs.
Of the 186 notices issued, 83 remediated their non-compliance by submitting the RCR, 18 paid fines as admission of non-compliance and the rest filed representations to request the FIC to reconsider the financial penalty.
“These matters, the ones that filed representations, will be presented to the FIC’s adjudication panel for consideration,” the FIC states.
Remediation related to inspections conducted
Following the 558 limited and full-scope inspections conducted, 245 institutions were found to be non-compliant in terms of FICA and were issued with reports requiring them to implement remedial actions.
Of the 245 reports issued to institutions, 123 corrected or undertook to implement the remedial actions or instructions. Those that did not were consequently subjected to enforcement or monitoring.
“Some of the latter institutions were still in the process of remediating the identified shortcomings at the close of the financial year. The changes in compliance behaviour from such remediation will be monitored in the new financial year,” the FIC states.
Remediation actions on DNFBPs
Between 1 April 2023 to 31 March 2024, the FIC issued remediation actions on DNFBPs, as follows:
- 186 notices of intention to sanction DNFBPs (for non-compliance with the requirement to submit an RCR). The notices all contained remedial directives combined with admission of non-compliance financial penalty of R10 000.
- Nine notices of sanction issued to inspected entities (through the FIC adjudication panel for serious and extensive non-compliance with FICA) which all contained a directive to take remedial action.
The FIC makes remedial recommendations in the final inspection reports to assist inspected institutions to become compliant.
“For the reporting period, remedial recommendations were made in 245 inspection reports on failures of institutions to comply with AML and CFT obligations of which 123 remediated (corrected the shortcomings identified in the inspection report) and 54 were in the process of remediating the shortcomings at the end of the financial year,” the FIC states.
Enforcement resulting from inspection reports
Following 268 inspections, where the institutions were found non-compliant, the FIC sanctioned nine institutions in 2023/24.
Their most prevalent areas of non-compliance were:
- Section 21B – not determining beneficial ownership.
- Section 28A(3) – not screening clients against the TFS list.
- Section 42 – not developing and implementing an RMCP.
- Directive 6 – failure to submit an RCR by 31 May 2023.
- Directives 1, 2 and 4 – institutions must ensure their registration details are updated within 90 days of any changes thereto. Log-in credentials for the FIC’s reporting platform must not be shared.
The nine administrative sanctions included financial penalties and remedial instructions.
The FIC states that before the financial year end, five institutions that were non-compliant with Directive 6 submitted their RCRs, and all nine submitted their RMCPs.
Remediations by these sanctioned institutions were finalised by 31 March.
Three of the institutions lodged appeals with the FIC Appeal Board shortly after year-end.
At the financial year-end, the FIC was finalising South Africa’s national risk assessment on terrorist financing, the conclusions of which will be published in the next annual report.
