Meet your CPD requirements effortlessly with our quick Express CPD activities before the cycle ends on 31 May 2024. Learn more.

Media Articles

Is your RMCP up to date?

Posted on 7 Jun 2023

When last did you review your Risk Management and Compliance Programme (RMCP)? The Financial Sector Conduct Authority (FSCA) recently stated that they’ll be stepping up their Financial Intelligence Centre (FIC) inspections. And when they come knocking, they expect accountable institutions to have their RMCPs in order.

Why is there a renewed emphasis on risk management and compliance? And how can you beef up your risk assessment and mitigations protocols to meet the new FIC Act requirements?

When Michelle Fourie, a senior specialist at FSCA’s FICA Supervision Department, took to the stage at the Masthead MasterClass event in Pretoria on 29 March, she warned attendees that her organisation would start FIC inspections afresh in April.

“If we knock on your door, I can tell you that we’re going to ask for two RMCPs. I’m going to ask you for the one you have now, and I’m going to ask you for the previous one,” she explained. “I want to see what you changed. I want to see whether in terms of the FATF [Financial Action Task Force] standards your RMCP and business risk assessments are dynamic.”

How did we get here?

The fact that South Africa was greylisted by the FATF is seen as a major contributing factor to the FSCA’s decision to step up FIC inspections. Before the international financial crimes watchdog made the official announcement, the South African government took various steps, for example actioning various FICA amendments in December 2022, to avoid being greylisted.

However, the country’s compliance with international anti-money laundering (AML) and countering the financing of terrorism (CFT) standards was still found to be lacking. As a result, South Africa was officially greylisted on 24 February 2023.

Now, there is additional pressure on accountable institutions to improve their compliance measures and strengthen their efforts to combat financial crimes. The FSCA expects these institutions to, amongst other requirements, create a risk-based approach to monitoring and reporting suspicious transactions; implement enhanced due diligence (EDD) measures for high-risk clients; give greater attention to sanctions, domestic and foreign politically exposed persons (PEPs) and prominent influential persons (PIPS); and offer comprehensive and ongoing FICA training to their employees.

The benefits of implementing robust RMCPs

Accountable institutions will now have to spend more time and resources on updating their RMCPs but this will be resources well spent as both the economy and accountable institutions stand to profit greatly from a stronger approach to identifying and mitigating financial crime risks.

The benefits are numerous, but four stand out. Firstly, accountable institutions can minimise the risk of being used for money laundering, terrorist financing, proliferation financing or other financial crimes. This protects the integrity of the South African financial system and helps to reduce the harm caused by financial crime.

Secondly, South Africa is subject to international AML/CFT standards – and since the December 2022 amendments, counter proliferation financing (CPF) requirements as well – set by bodies like the FATF. By implementing strict risk management and compliance measures, accountable institutions can ensure that they meet these standards and avoid being sanctioned by international bodies.

Thirdly, customers, including international firms, want to do business with institutions that take their compliance obligations seriously and are committed to protecting their clients’ assets. South Africa took a reputational hit when it was greylisted. This is likely to negatively impact foreign trade as international stakeholders are now more wary of doing business with local firms. However, by adhering to FICA compliance requirements, accountable institutions can do their part in helping South Africa get off the greylist, which will go a long way in restoring the country’s reputation.

Finally, stricter RMCPs are necessary because older AML/CFT/CPF controls may be ineffective in detecting or preventing new money laundering or terrorist financing and proliferation financing methods. Criminals and terrorist organisations are constantly developing new ways to launder money and finance their activities.

What are the biggest changes?

The General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act (GLAA) made several alterations to the FIC Act’s RMCP requirements – too many to cover in one article – but here are three significant changes:

  1. The definition of beneficial owner has been updated, and accountable institutions will now have to make provisions and thoroughly document their due diligence process and elimination processes for identification and verification of beneficial owners.
  2. Proliferation financing (the raising, moving or making available funds or other economic resources and assets to assist with the proliferation of nuclear, chemical or biological weapons) has been added as a risk. Accountable institutions are required to document how they identify and assess proliferation financing risks, plus how they’ll mitigate these risks.
  3. PIPs (prominent influential persons who hold specified positions in certain companies that make them susceptible to corruption and bribery) have been added and accountable institutions must now assess the money laundering risk associated with this type of client.

And in addition to the GLAA, further AML/CFT/CPF measures that affect accountable institutions are being introduced. For example, Directive 8 of 2023, which came into effect in March, requires them to screen their employees for competence and integrity, as well as scrutinise employee information against the targeted financial sanctions (TFS) lists.

What are the hallmarks of a robust RMCP?

It is imperative that accountable institutions understand the nature of their business and thoroughly comprehend the concept of money laundering, terrorist financing and proliferation financing and how it applies to them.

In addition, they must grasp what a risk-based approach is and apply it consistently throughout their business. A robust and effective RMCP requires a risk-based approach, adequate policies, procedures and controls, strong leadership commitment, ongoing training and awareness raising, independent monitoring and review, and a continuous improvement culture.

Finding a solution

In practice, implementing a strong RMCP is easier said than done. Across the board, accountable institutions seem to struggle with understanding certain regulations. For example, Section 21B, which refers to conducting due diligence relating to legal persons, trusts and partnerships, throw many off kilter, and our Compliance Officers are often called on to help clients implement this requirement, amongst others, in their RMCPs.

Another issue that often comes up during our discussions with accountable institutions is the adoption of a very generic risk-based approach. A RMCP will exist, but it doesn’t meet the accountable institution’s requirements or suit its business model. The mere existence of an RMCP won’t help you pass a FIC inspection because the FSCA expects a RMCP to address the specific risks faced by a specific accountable institution.

Many accountable institutions also fail to adhere to Section 43 of the Act, which requires that they provide their staff with ongoing training on how to comply with FICA and their RMCPs.

Working with a Compliance Officer and practice management partner can go a long way in helping accountable institutions understand their money laundering and terrorism and proliferation financing risks. These experts can help businesses update and implement robust RMCPs that go beyond just checking compliance boxes, so that when the FSCA comes knocking, they can pass their FIC inspection with flying colours.

By Chantelle Ann Wilford, Masthead Compliance and Practice Management Consultant, and Shanal Boodiram, Masthead Compliance Manager


A national supplier of risk management services to independent financial advisors and other licensed financial service providers (FSPs). Established in 2004, we help our clients overcome their risk management challenges so they can grow and thrive in an increasingly regulated industry. Providing professional guidance and practical support, our team of specialists is passionately committed to delivering tangible solutions.

Why Masthead?



021 686 3588


  Show Email


Masthead is a level 1 B-BBEE contributor.

Read more and view certificate