The new foundation for FSPs to comply with the principal Financial Intelligence Centre (FIC) Act and the FIC Amendment Act on a risk sensitive basis is the Risk Management and Compliance Programme (RMCP).
The RMCP has replaced Section 42 of the principal FIC Act, which required accountable institutions to implement ‘internal rules’. The RMCP not only comprises policy documents, but also the procedures, systems and controls that must be implemented within a business.
FSPs, as accountable institutions, therefore now need to develop, document, maintain and implement a RMCP that enables them to identify, assess, monitor, mitigate and manage the risks associated with money laundering or terrorist financing (ML/TF).
The foundation on which to develop a RCMP that addresses ML/TF risks is a solid understanding of the ML/TF risks to which you are exposed. You also need to:
- Re-affirm your commitment to your role in the fight against financial crime;
- List your products, services, clients, geographical locations and distribution channels and evaluate each in respect of the ML/TF risks.
- Understand how each of these factors could facilitate ML/TF.
It is the responsibility of the board of directors, senior management or person with the highest level of authority in the business to ensure the business maintains an effective internal anti-money laundering control structure through a RMCP. Boards or senior management should be fully engaged in decision making processes and take ownership of the risk-based measures adopted in the RMCP, as they will be held accountable. This includes all customer due diligence measures, record keeping and reporting related matters, as well as the processes.
What else should the RMCP include?
The RMCP should include:
- Training on ML/TF to ensure employees are aware of and understand their responsibilities and role in handling criminal property and ML/TF risk management;
- Provision and ongoing information to your board or senior management to manage your business’s ML/TF risks;
- Documented policies and risk profile in relation to ML/TF, including documentation of how your business applies those policies;
- Decision-making processes in respect of risk management measures, including escalation of decision making to higher levels of seniority where necessary; and
- Appropriate measures to ensure ML/TF risks are taken into account in your day-to-day operations, including in relation to:
- the take-on of new clients and
- changes to your business profile.
The following factors must also be taken into account:
- The nature, scale and complexity of your business;
- The diversity of your operations, including geographical diversity;
- Your clients, products and/or services profile;
- Your distribution channels;
- The volume and size of transactions; and
- The degree of risk associated with each area of operation.
Your processes should help you to identify specific threats, assess unique vulnerabilities to determine their risks, identify ways to reduce the risks and then implement risk reduction efforts according to your business strategy.
To mitigate risks, all your employees should know about your RMCP. This ensures a common understanding of risks and responsibilities without disrupting work activities. By identifying, avoiding and dealing with potential risks in advance, you and your employees can respond effectively. Communicating the RMCP is part of the risk management process.
To remain compliant, it is important to review your RMCP regularly to ensure it remains relevant to your operation and the risks identified. You may also need to make a copy of your RMCP available to the FIC on request.
We can assist you, as a key individual, to identify risk within your business and to implement the necessary procedures and structures to eliminate or mitigate the risks. Contact us for details.