Non-compliance with the Financial Intelligence Centre (FIC) Act has led to a rise in administrative sanctions across several sectors, with penalties reaching up to R7.8 million. In this article, we summarise key inspection findings and highlight the most common compliance failures over the past year – along with practical lessons for accountable institutions on how to avoid similar outcomes.
Over the past year, the FIC and other supervisory bodies – like the Financial Sector Conduct Authority (FSCA) in the case of financial service providers (FSPs) – have significantly ramped up enforcement action against non-compliance with the FIC Act.
When an accountable institution is found to be in breach of the FIC Act, these bodies may impose penalties, known as administrative sanctions, which can include an order, determination or directive. These sanctions may also contain a caution to not repeat the non-compliant conduct, a reprimand, a directive to take remedial action, a restriction or suspension of certain specified business activities.
In addition, a non-compliant institution can face a financial penalty – up to R10 million for natural persons and R50 million for legal persons. Between April 2024 and April 2025, the FIC imposed financial penalties ranging from R20 000 to R7.8 million, primarily for failures identified during inspections.
Key non-compliance trends and inspection findings (April 2024 – April 2025)
Risk and Compliance Return (RCR) non-submission
The RCR was introduced through Directives 6 and 7 in March 2023, requiring Designated Non-Financial Businesses and Professions (DNFBPs) to complete and submit a return indicating their understanding of money laundering, terrorist financing and proliferation financing (ML/TF/PF) risks.
More than half of all administrative sanctions published by the FIC this past year were due to the non-submission of the RCR. Legal practitioners and estate agents accounted for most of these cases.
Although the submission deadline passed in 2023, the RCR submissions platform remains open on the FIC website. Click here for more information on the latest RCR developments.
Risk Management and Compliance Programme (RMCP)
Several sanctions stemmed from failures to develop, document, maintain and implement a proper RMCP. During inspections, the regulators found that some institutions had no RMCP in place, while others had RMCPs that were generic, outdated or not tailored to the business.
In addition, many accountable institutions fell short of conducting an enterprise-wide business risk assessment to adequately identify and assess the ML/TF/PF risks they face.
RMCPs should also be regularly reviewed and updated to reflect any changes to the risks in the business and to keep up with changes in regulation.
Registration
In terms of Section 43B of the FIC Act, businesses or sectors listed in Schedule 1 of the Act must register with the FIC within the prescribed period. Moreover, Directive 1 of 2013 and Directive 4 of 2016 require that accountable institutions must ensure that their registration details are updated within 90 days of any changes to the registration information.
In December 2022, Schedule 1 of the FIC Act was amended, expanding the scope of sectors that fall under the ambit of the Act. Yet, more than two years after these amendments took effect, many of these new accountable institutions have still not registered or updated their details. Over 40% of sanctions in the past year were due to registration failures. Credit providers and CASPs accounted for most of these cases.
Targeted financial sanctions (TFS)
Section 28A, read with Sections 26A – 26C of the FIC Act, requires accountable institutions to screen clients against the TFS list. TFS screening complies with United Nations Security Council (UNSC) resolutions. It is designed to prevent the financing of terrorism and the proliferation of weapons of mass destruction by ensuring that financial services are not provided to individuals or entities sanctioned by the UNSC. The requirement includes freezing assets and prohibiting transactions with listed persons or entities. This requirement has become even more critical as South Africa works to address strategic deficiencies identified during its greylisting by the Financial Action Task Force (FATF).
Non-compliance with this requirement was another recurring finding during inspections. Institutions found to be in breach were directed to put internal procedures in place to ensure that all clients are screened against the TFS list. These screening and asset-freezing processes must be clearly documented and incorporated into the institution’s RMCP.
Customer due diligence (CDD)
The FIC Act requires accountable institutions to conduct CDD which includes, among other things, identifying and verifying clients, obtaining information on the nature of business relationships, conducting ongoing due diligence and establishing whether clients are politically exposed persons (PEPs).
A common area of concern highlighted in many sanction notices – particularly amongst FSPs – was the failure to properly identify beneficial owners in accordance with FIC guidance. It should be noted that guidance provided by the FIC is authoritative in nature and accountable institutions must either apply the guidance issued or demonstrate an equivalent level of compliance with the relevant obligations under the FIC Act.
Remediated non-compliance
A common misconception and argument raised during appeal proceedings is that remediating non-compliance after the fact should exempt an institution from sanction. This argument was frequently put forward when corrective action was taken after the enforcement process had already begun.
However, this view was refuted in the FIC Act Appeal Board matter of Capital Point Properties (Pty) Ltd, where it was stated that: “The fact that a transgression has been rectified does not mean that it was not a transgression and cannot or should not be the subject of a sanction.”
Lessons
- Check that you are registered appropriately: Assess your business activities with reference to the definitions in Schedule 1 of the FIC Act. If your business activities fall under more than one item under Schedule 1, you may need to register under each – a process known as dual registration. You will also need to meet the compliance obligations applicable to all of these items.
- Understand your risks: A sound RMCP starts with a thorough business risk assessment that considers the ML/TF/PF risks your business may face. Regularly reviewing and understanding your risks – especially when there are changes in your business – is not only a regulatory requirement; it helps protect your business from being exploited by criminals. When risks are properly understood, you can implement effective controls, such as red flag training for staff to help mitigate them.
- Customise your RMCP: A generic, off-the-shelf RMCP that is just filed away and forgotten won’t pass muster with the regulators. It must incorporate the specific FIC Act requirements that apply to your business and be tailored to your operations.
- Update your RMCP: Regularly review and maintain your RMCP to keep up with changes in your business. For example, if you offer a new service or product, be sure to update your RMCP accordingly.
- Include TFS processes: Your RMCP must make provision for screening clients against the TFS list and clearly outline the steps your institution will take to freeze assets without delay when a positive match is identified.
- CDD: Conducting thorough checks and proper due diligence of all clients is essential to identify and mitigate the risk of suspicious and criminal elements infiltrating the financial system.
- Be proactive: Don’t wait for a FIC or FSCA inspection to address non-compliance. Measures to achieve compliance should be frequently revisited, and the effectiveness of your risk controls should be monitored and updated as needed. Identify and fix process gaps early – and keep your house in order before the regulators come knocking.
Need assistance with your FICA compliance?
Masthead supports all accountable institutions with a full range of FICA compliance services – from staff training and RMCP development to hands-on assistance with implementation and guidance before and during FIC inspections.
For assistance, contact the regional office closest to you or click here for more information. Our Learning Centre also offers several CPD accredited FICA-related courses. Don’t miss our upcoming webinar, A Practical Guide to Developing Your Own FICA RMCP, happening on Tuesday, 3 June 2025 at 09:00. Click here to register.