The Financial Intelligence Centre Act (FICA), as amended, requires all Accountable Institutions (AIs) to have a Risk Management and Compliance Programme (RMCP) in place. The requirement to implement a RMCP came into effect on 2 October 2017, and since then the RMCP has been a buzzword in the financial industry with many articles and workshops on the topic. Due to the nature of the RMCP, AIs have been given until 2 April 2019 to fully adopt and implement a RMCP within their businesses. Given that this deadline is fast approaching, we recap some of the main areas that you ought to be familiar with by now in case the FIC comes knocking at your door.
1. What is a RMCP?
The RMCP is a documented plan that must set out how the AI will deal with money laundering and terrorist financing risk management and compliance. It replaces the previous requirement to have a set of Internal Rules. The RMCP must contain policy documents, and must detail all the processes, systems and controls used for things like customer due diligence (identification and verification of clients), recordkeeping, reporting and how the risk-based approach will be applied.
2. Who does the requirement apply to?
The requirement to have a RMCP in place applies to all AIs as listed in Schedule 1 of FICA. Financial Service Providers (FSPs) (excluding those FSPs only approved for short-term insurance and/or health services benefits) are amongst those listed under Schedule 1.
3. Why must you have a RMCP in place?
It is a legislative requirement[1] that AIs must be able to understand their exposure to money-laundering and terrorist-financing risks. The purpose of the RMCP is to assist AIs in identifying and assessing these risks in order to protect and maintain the integrity of their businesses and the integrity of the financial system of South Africa, by developing systems and controls to monitor, mitigate and manage these risks. AIs must also provide copies of their RMCP, if requested to do so, to supervisory bodies such as the Financial Intelligence Centre (FIC) or Financial Sector Conduct Authority (FSCA). Non-compliance with the requirements contained in FICA can result in an administrative sanction which may include a financial penalty.
4. How does the RMCP work?
The RMCP must contain procedures on how AIs will: Identify, Assess, Monitor, Mitigate, and Manage the risks mentioned above. A risk-based approach must be used by AIs when interacting with clients. This approach gives flexibility to AIs to decide what they consider to be high or low risk and how to manage these. The RMCP must also set out how the AI will conduct customer due diligence, maintain records, deal with reporting obligations, and how it will ensure ongoing training for all staff.
Let’s look at how the AI can use a risk-based approach in a bit more detail:
4.1. Identify
AIs need to identify the unique money laundering and/or terrorist financing risks that their business or industry may face. Every business is different and must be treated as such. The process used to identify these risks must account for a range of factors which may indicate threats and vulnerabilities to a greater or lesser extent in specific scenarios. Clients, products and services, and other aspects of an AI don’t all pose the same risk. To identify all the factors that may affect the business, a holistic view must be taken of the information gathered at various levels and stages of conducting business. In identifying the risk the AI must be able to, for example, set out how it will determine if it is dealing with an existing or prospective client, how it will ensure that it does not do business with anonymous clients, how it will identify and verify different types of clients such as natural or legal persons, how it will determine if future transactions are consistent with its knowledge of a client and that particular client’s financial means, etc. These measures can be performed through various checklists.
4.2. Assess
After identifying the money-laundering and terrorist financing risks, the likelihood of these occurring and the impact of these risks on the business need to be assessed. Various factors can assist in assessing the risks such as taking into account the size, structure and complexity of the business, the nature and range of products and services on offer, delivery channels (the way in which institutions and clients communicate with each other in the process of offering products and services), geographic areas, and client indicators such as the level of public influence or importance of a client as well as suspicious behaviour. AIs should be able to show how they classify risks, based on these different factors. This can be done by documenting a risk-rating methodology or risk scale. These factors can also assist in determining the amount and type of risk a business is willing to tolerate.
4.3. Monitor
AIs must have sufficient systems and controls in place to manage and monitor the risks that have been identified and assessed. For example, if the risks are higher, the range, degree, frequency or intensity of preventive measures and controls conducted must be stronger. AIs must document their processes for monitoring business relationships in their RMCPs and this monitoring must be done according to the risks involved. All clients and business relationships are different and the way that they are monitored should reflect this.
4.4. Mitigate
To mitigate risks means to use methods to control and minimise the money-laundering and terrorist-financing risks that were identified and assessed. Customer due diligence (including identification and verification) is one of the measures that can be used to mitigate risks involved in a business relationship or single transaction. Customer due diligence refers to what the AI knows about its client, what it understands about the business the client is conducting and the type of transactions it can reasonably expect in the course of the business relationship. This can be performed through checklists setting out as much detail as possible about the client and their circumstances.
4.5. Manage
AIs must apply effective controls to manage the risks identified. In order to manage the risk, the AI must plan a risk response for previously identified and assessed risks. This has to be done by using a risk-based approach. The controls that will be used to manage risks must be documented in the AI’s RMCP.
Have you implemented a FICA Risk Management and Compliance Programme to replace your FICA Internal Rules?
Masthead hosts A Practical Guide to developing your own FICA Risk Management & Compliance Programme seminar where you can learn how to customise a RMCP for your business. The seminar, at which you can earn CPD points, also provides examples of Questionnaires, Risk Rating methods, and Checklists.
Masthead also offers face-to-face implementation of the RMCP in your business with one of our specialised Practice Management Consultants. For more information on the Seminars and/or implementation, please get in touch or contact your Compliance Officer.