Moonstone Monitor, 27 June 2022

Businesses that do not develop and implement an effective risk management and compliance programme (RMCP) are particularly vulnerable to financial crime, such as money laundering and terrorist financing.

A Financial Action Task Force (FATF) assessment of South Africa’s system for anti-money laundering, countering the financing of terrorism and countering the financing of the proliferation of weapons of mass destruction (AML/CFT/CPF) flagged the inadequate implementation of risk management among certain business sectors.

The global anti-money laundering and counter-terrorist financing watchdog identified that certain accountable institutions have an undeveloped understanding of money laundering risks.

The FATF’s mutual evaluation report recommended that institutions’ risk-based approach and risk assessment must be agile. The report emphasised that risk assessments among certain business categories were “static and reactive rather than dynamic [which could result in them missing] … important trigger events, incidents, and structural changes to threats and vulnerabilities, e.g., trends or patterns following Zondo Commission subpoenas, media coverage of relevant developments, or the introduction of new statutory requirements”.

The assessors recommended that accountable institutions conduct thorough risk assessments to identify and understand the money laundering and terrorist financing risks their businesses face. To mitigate the identified risks, these institutions need to refine and implement their RMCPs.

Section 42 of the Financial Intelligence Centre Act (FIC Act) sets out the requirement for accountable institutions to develop and implement an RMCP. The FIC Act requires accountable institutions to apply a risk-based approach as a preventive measure against money laundering (ML), terrorist financing (TF) and proliferation financing (PF).

The Financial Intelligence Centre (FIC) published guidance note 7A, which offers guidance on how to develop an RMCP document, to assist accountable institutions in understanding their obligations in terms of section 42.

The RMCP document must set out the governance controls, the ML, TF and PF risk assessments, as well as other aspects including a risk-rating framework, customer due diligence, targeted financial sanctions aimed at terrorist financing and proliferation financing, prominent influential person controls, account monitoring, reporting and record-keeping controls. In addition, the accountable institution must indicate how a risk-based approach will be applied. The development and implementation of RMCPs are considered dynamic exercises as opposed to rules-based policy and procedure manuals.

Guidance note 7A emphasises the importance of the accountable institution documenting the inherent ML/TF/PF risks, its understanding flowing from the assessment of the risks in these areas, as well as the mitigation, monitoring and management measures in the RMCP.

The risk-based approach must provide for risk assessments at business level, for new products and processes, and at client level.

Guidance note 7 further sets out various factors that may be considered when determining client-level risk, which include:

The type of client, including the size, structure and complexity of a corporate client;

The nature and range of the products and services on offer;

Delivery channels (the way in which institutions and clients communicate with each other in the process of offering products and services); and

Geographic areas relating to, for example, where the client resides, and where their funds are coming from or going to.

Assessing their risk assists the accountable institution to make informed decisions on the appropriate methods and levels of verification and enhanced controls that must be applied in a given scenario – for example, the manner in which enhanced due diligence is conducted where a high-risk business relationship has been identified. Accountable institutions must therefore adjust the controls to ensure they are proportionate to the emerging risks.

The accountable institution must be able to demonstrate through its RMCP, together with all other controls aimed at AML/CFT/CPF, that it has applied its mind to identifying and assessing the risks, and has developed and implemented controls aimed at monitoring, mitigating and managing that risk.

For more compliance information and guidance offered to accountable institutions, refer to the FIC website. For further information, contact the FIC’s compliance contact centre on +27 12 641 6000 or log an online compliance query.