The Financial Intelligence Centre (FIC) published draft Public Compliance Communication (PCC) 12A together with a Consultation Note. Draft PCC 12A provides guidance and clarity on what compliance activities can be outsourced by an accountable institution to third parties and is an update to the existing PCC 12 which was issued in January 2012 dealing with the outsourcing of compliance activities. The updates contained in draft PCC 12A seeks to align the PCC with the provisions that came into effect when the FIC Act was amended in October 2017.
Outsourcing
For the purposes of draft PCC 12A, outsourcing refers to when an accountable institution contracts with a third-party service provider to seek advice and assistance in relation to the performance of their compliance obligations. It is important to note that the third-party service provider cannot perform any FICA obligations on behalf of the accountable institution with which it has entered into a contractual relationship. This means that the accountable institution remains fully accountable and responsible for compliance failures that may result from an outsourcing arrangement and will remain liable for these compliance failures – liability cannot be transferred to a third party.
Draft PCC 12A sets out a few factors that accountable institutions should consider when determining whether to outsource compliance activities. These are:
- The accountable institution that establishes a business relationship or concludes a single transaction with a client remains fully responsible for compliance with the FIC Act;
- The accountable institution must exercise strict control over the functions that are being outsourced to minimise the risks associated with such outsourcing;
- The outsourcing arrangement should be contained in a formal agreement between the accountable institution and the person or entity to whom functions are being outsourced in terms of the FIC Act;
- Accountable institutions should take care that the outsourced entity is capable and competent to assist the accountable institution with its duties;
- Accountable institutions cannot be indemnified from any possible administrative penalties or criminal prosecutions resulting from a contravention of the FIC Act on the grounds that compliance with a function pursuant to the FIC Act is outsourced to a third-party service provider;
- Accountable institutions are to adhere to relevant legislation regarding the sharing of clients’ personal information with third parties and should consider obtaining the required client consent where so required;
- Where no such consent can be obtained from a client, the accountable institution must ensure that the obligations are met outside of such an outsourcing agreement as the accountable institution remains liable for full compliance with the FIC Act.
Clarity on the outsourcing of risk management
Accountable institutions are required to determine the money laundering and terrorist financing risks that they are exposed to and, using a risk-based approach, develop and maintain a Risk Management and Compliance Programme. Draft PCC 12A explains that although an accountable institution may seek assistance from a third party to develop an RMCP and the risk assessment process, the ultimate determination and approval of the risk assessment remains the responsibility and obligation of the accountable institution. Furthermore, where an accountable institution makes use of a template or obtains assistance from a third party to develop an RMCP, this must be reviewed and approved by the accountable institution’s board of directors or senior management, who must apply their own understanding of their risks.
Clarity on the outsourcing of a compliance function
Section 42A of the FIC Act requires that an accountable institution have a compliance function to assist the board of directors or the senior management in discharging their compliance obligations and that a person be assigned with sufficient competence and seniority to ensure the effectiveness of the compliance function.
Draft PCC 12A clarifies that the compliance function cannot be outsourced to a third party. Instead the accountable institution must appoint a senior person with sufficient competence from within the business to assist the board or management with FICA compliance. Accountable institutions can, however, seek assistance and advice from third-party service providers.
Some of the other areas that draft PCC 12A provides guidance on relate to the outsourcing of risk management, the activities relating to customer due diligence, scrutinising of client information, record keeping, registration, reporting, quality assurance, and supervision.
The period to comment on the draft guidelines closed on 11 August 2020 and the next step is for the FIC to consider submissions. The FIC intends on concluding the consultation on Draft PCC 12A by publishing a final version by 31 August 2020.