The main reason the FSCA fined FSPs in terms of the Financial Intelligence Centre Act (FICA) last year was for failing to implement a risk management and compliance programme (RMCP), the Financial Intelligence Centre’s annual report for the year to 31 March 2021 shows.
The FSCA is one of the supervisory bodies in terms of the FIC Act.
According to its 2020/21 annual report, the FSCA imposed administrative sanctions, totalling R1 116 980, on 13 FSPs and one authorised user of an exchange for non-compliance with FICA. The biggest penalty it imposed on one entity was R420 000, the FIC’s annual report states.
Most cases of non-compliance concerned section 42 of FICA, which sets out what an accountable institution must do to meet the requirements of an RMCP. Nine sanctions were imposed for non-compliance with the related section 43, which requires accountable institutions to provide “ongoing training” to their employees on FICA and their RMCP.
The FSCA said its inspections of FSPs found that the two main shortcomings regarding their compliance with FICA both concerned RMCPs:
- They have difficulty understanding their money laundering/terror financing (ML/TF) risks and, as a result, struggle to develop customised RMCPs and roll out such customised RMCPs to reflect in the ML/TF risk assessment of clients and conduct the relevant customer due diligence in line with their risk-based approach.
- Although most accountable institutions have an RMCP, it is not customised but mostly a template, which creates difficulty in implementing an individual risk assessment of clients.
RMCP requirements
Section 42A makes the board of directors or the senior management responsible for ensuring the institution and its employees comply with the RMCP, and requires institutions to establish a compliance function.
In terms of section 61 of FICA, an accountable institution is non-compliant if it fails to:
- Develop, document, maintain and implement an anti-money laundering and counter-terrorist financing RMCP;
- Obtain approval for its RMCP;
- Regularly review its RMCP;
- Make its RMCP available to its employees; or
- Make a copy of its RMCP available to the FIC or a supervisory body.
The annual report states: “It is a legislative requirement that accountable institutions understand their exposure to money laundering and terrorist financing risks. An RMCP assists accountable institutions in identifying and assessing these risks in order to protect and maintain the integrity of their business and the integrity of the financial system of South Africa. Accountable institutions must provide copies of their RMCP, if requested to do so, to supervisory bodies such as the FIC and FSCA.”
The FIC says an RMCP “…must set out how an accountable institution will deal with the risks associated with money laundering and terrorist financing. An institution’s RMCP must contain policy documents, and detail all the processes, systems and controls used for aspects such as customer due diligence (identification and verification of clients), record-keeping, reporting and how the risk-based approach will be applied.”
The RMCP must contain procedures on how an accountable institution will identify, assess, monitor, mitigate, and manage the risks mentioned above, according to the FIC.
“A risk-based approach must be used by accountable institutions when interacting with clients. This approach gives flexibility to accountable institutions to decide what they consider to be high or low risk and how to manage these. The RMCP must also set out how the accountable institution will conduct customer due diligence, maintain records, deal with reporting obligations, and how it will ensure ongoing training for all its employees.”
It wasn’t only “small players” that fell foul of the RMCP requirements. The SARB’s Financial Surveillance Department imposed a penalty of R100 000 on Master Currency for non-compliance with section 43, while the Prudential Authority (PA) issued cautions to Hollard Life Assurance and OUTsurance for not providing their staff with RMCP and FICA training.
Deutsche Bank made headlines in April when the PA fined it R38 million (R10m of which was suspended for three years) for not complying with the anti-money-laundering and due diligence provisions of FICA. These included non-compliance with section 42A.
The PA also fined Discovery Life R2m (of which R500 000 was suspended for three years) for failing to comply with the cash threshold reporting requirements. It was also fined for transgressing sections 42, 42A and 43 of FICA.
Prior to the pandemic, the FSCA focused quite heavily on FICA compliance during onsite visits, in an effort to provide guidance on implementation of procedures and systems. Do not rely on this continuing ad infinitum. Some big players have recently received hefty administrative penalties.