Accountable institutions, including legal practitioners, can expect an increase in Financial Intelligence Centre (FIC) inspections following South Africa’s greylisting by the Financial Action Task Force (FATF) in February 2023.
However, few legal firms have proper (if any) Risk Management and Compliance Programmes (RMCPs) in place. In this article, we look at how legal practitioners can beef up their RMCPs to pass muster with the FIC when it comes knocking.
Our Compliance Officers have noticed an uptick in FIC inspections of legal practitioners. This is likely due to the Centre tightening the reins on Financial Intelligence Centre Act (FICA) compliance as they try to do their part in getting the country off the greylist. Legal practitioners also had a duty to comply with the FIC’s Directive 6 which required legal firms, amongst other accountable institutions, to submit a Risk and Compliance Return (RCR) to the FIC by 31 May 2023. In February 2024, the FIC stated that there has been a disappointingly poor response from the legal practitioner sector regarding the submission of their RCRs. The FIC confirmed that while the date for filing of submissions has long passed, the platform remains open. Additionally, the FIC stated that those who have failed to submit their outstanding RCRs, are deemed by the FIC as delinquent high-risk entities requiring an inspection.
One of the documents a legal practice is expected to hand over during an inspection is a copy of their RMCP, as specified in terms of Section 42 of FICA, as well as proof that it was approved by their board of directors or senior management. They must also name someone as the firm’s Compliance Officer. This individual is responsible for ensuring that the practice and its employees comply with FICA.
Yet, despite this greater focus on FICA compliance, many legal firms either don’t have an RMCP in place, or their RMCPs are generic and not robust enough to pass a FIC inspection.
Why are legal practitioners vulnerable to money laundering, terrorism financing and proliferation financing abuse?
The type of services offered by legal practitioners, i.e. the transfer of funds, cash transactions and setting up complex legal structures, puts legal practitioners at greater risk of money laundering (ML), terrorist financing (TF) and proliferation financing (PF) misuse. Examples of these services include, but are not limited to, advising on and creating legal entities, for example shell companies or trusts; managing client affairs; setting up and servicing charities and non-governmental or non-profit organisations; litigation; and the recovery of fictitious debts.
Regarding risks specific to the Legal Practitioner sector in South Africa, a 2022 FIC report found a prevalence of cash transactions in this sector, which contributes to the increased risk profile of the local industry. The report also identified conveyancing services, particularly when a legal practitioner is introduced to a client through an estate agent, as another area of risk.
Identifying risks:
As an accountable institution listed in Schedule 1 of FICA, legal practitioners are required to adopt a risk-based approach when establishing a business relationship or conducting a single transaction with a client. Furthermore, the implemented controls must be proportionate to the identified risk. Simply having a generic RMCP in place won’t do. It should be customised to address the ML/TF/PF risks specific to a particular legal practice and incorporate control measures that effectively mitigate those risks.
Before compiling their RMCP, legal practitioners should conduct a thorough identification and assessment of potential risks associated with their products, client types, delivery channels, geographic considerations and other relevant factors. This will enable them to assign risk ratings to their clients, and those with higher ratings need more rigorous controls and enhanced due diligence.
According to an article by the FIC, legal practitioners should reflect on the following:
- When evaluating products and/or services, consider factors such as the level of client anonymity, the possibility of third-party payments, the ease of converting the product/service to cash, and any additional checks required, such as credit or regulatory approvals.
- Legal practitioners must understand their customers and the risks they pose. In general, natural persons are less risky than legal persons, i.e. companies or trusts. Criminals can exploit the complex structures of entities for nefarious purposes. Identifying the beneficial owners of legal entities, including shareholders and beneficiaries, is crucial. They should also assess negative media coverage, sources of income and wealth, and the risk associated with the client’s occupation or sector in terms of ML/TF/PF.
- How are clients onboarded? Is it face-to-face or via virtual onboarding methods? In general, the former holds less risk that the latter.
- Certain geographical locations may pose higher risks due to perceived corruption or lower levels of anti-money laundering (AML), countering the financing of terrorism (CFT) and counter proliferation financing (CPF) regulations.
- Other factors to consider include client sanctions, domestic and foreign politically exposed persons (DPEPs and FPEPs) and prominent influential persons (PIPs).
How legal practitioners can bolster their RMCPs:
After identifying and assessing the risks specific to their business, the next step for legal practitioners is to implement the necessary risk-mitigating controls via policies, procedures, systems, training, reporting and so forth. All these controls should be integrated into the firm’s RMCP.
In addition, it is crucial to view an RMCP as a dynamic document that is reviewed and updated regularly. In the event of changing ML/TF/PF risks, such as the introduction of new services or the onboarding of a new type of client, or updates to AML/CFT/CPF legislation, the RMCP should be promptly revised to effectively address these new challenges.
An RMCP should cover all the aspects detailed in Section 42 of FICA and include the following:
- Client profiling: Methods and factors used to determine a client’s overall risk rating and source of funds verification.
- Customer due diligence: Effective implementation and monitoring of customer due diligence procedures which must include client verification, risk rating and source of fund verification.
- Additional due diligence: Identify and reasonably verify beneficial owners and relevant individuals and source of fund verification.
- Enhanced due diligence: When dealing with higher-risk clients, obtain senior management approval and implement enhanced measures.
- Simplified due diligence: With lower-risk clients, legal practitioners can apply less stringent measures.
- Client transaction profiling: Profile expected activity for products, services and client types.
- Ongoing due diligence: Maintain up-to-date and accurate client information.
- Account monitoring: Monitor client accounts for suspicious and unusual activity.
- Client screening: Check these against the targeted financial sanctions list on the FIC website.
- FIC reports: Submit suspicious and unusual transactions reports, terrorist property reports, and cash threshold reports to the Centre using their online system.
- Senior management reports: The firm’s AML/CFT/CPF Compliance Officer must regularly report to the sole proprietor, director or partners of the law practice.
- Record-keeping: Maintain records of customer information, transaction details and reports submitted to the FIC.
- Ongoing updates: Maintain and review the firm’s RMCP and all ML/TF/PF related policies and procedures on a continuous basis.
- FICA training: Provide ongoing training to new and current employees, keep records as evidence to prove that training took place and that the training enabled staff to understand and comply with FICA and the firm’s RMCP. The firm’s RMCP should also be available to all employees.
- Relationship with the FIC: Consult with representatives of the FIC and register and maintain the legal practice’s information on the Centre’s website.
The price of non-compliance:
Legal practitioners who fail to meet their FICA compliance requirements, including maintaining a strong RMCP that adapts to evolving circumstance, can face profound consequences. The maximum penalty for non-compliance is imprisonment for up to 15 years or a fine of up to R100 million.
Do you need assistance with your FICA RMCP?
Our knowledgeable Compliance Officers possess extensive expertise in FICA regulations and have a proven track record of implementing FICA requirements within legal businesses. We are well-equipped to assist you in tailoring and implementing a FICA RMCP that aligns with your legal practice. Additionally, we can provide valuable guidance to help you prepare for a FIC inspection.
If you wish to arrange onsite training, get in touch with us or reach out to the Masthead Regional Office closest to you. Our Compliance Officers and Practice Management Consultants can assist you with developing and updating your legal firm’s RMCPs. You can also register for the How to avoid FIC sanctions as a Legal Practitioner webinar on the Masthead Learning Centre.