From CompliNEWS | Financial Service Intelligence Watch
Guidance on the Risk Management and Compliance Programme (RMCP) – Guidance Note 7A (GN 7A) released by FIC
The Financial Intelligence Centre (FIC) has released Guidance Note 7A (GN 7A), providing updated guidance for accountable institutions on compliance with the Risk Management and Compliance Programme (RMCP) requirements under section 42 of the Financial Intelligence Centre Act 38 of 2001 (FIC Act).
This latest guidance replaces Chapter 4 of Guidance Note 7, offering enhanced direction to boards of directors, senior management, or any individuals or groups holding the highest level of authority within an accountable institution. These entities are responsible for approving and overseeing the RMCP. Additionally, GN 7A clarifies expectations around the documentation and description of an institution’s RMCP.
The development of GN 7A involved extensive consultation over three rounds, incorporating feedback received to ensure clarity and alignment with industry needs.
Key Highlights from Guidance Note 7A (GN 7A) on the Implementation of the FIC Act
The Financial Intelligence Centre (FIC), in collaboration with the National Treasury, South African Reserve Bank (SARB), and Financial Sector Conduct Authority (FSCA), has published Guidance Note 7A (GN 7A) to support the implementation of the Financial Intelligence Centre Act, 2001 (FIC Act). This guidance provides direction to accountable institutions on compliance obligations, with a specific focus on the Risk-Based Approach (RBA) to managing money laundering (ML), terrorist financing (TF), and proliferation financing (PF) risks.
1. Risk-Based Approach (RBA) and Compliance Requirements
• Accountable institutions must adopt a risk-based approach (RBA) to anti-money laundering (AML) and counter-terrorist financing (CFT) compliance.
• Customer Due Diligence (CDD) must be tailored based on assessed risk levels rather than applying a one-size-fits-all approach.
• Institutions must document their Risk Management and Compliance Programme (RMCP) and update it regularly to reflect evolving risks.
2. Key Aspects of Risk Management and Compliance Programme (RMCP)
• Approval & Oversight – The RMCP must be approved by the board or senior management, and its implementation must be actively monitored.
• Risk Assessments – Institutions must conduct regular business-wide risk assessments, considering factors such as customer profiles, geographic exposure,
product risks, and transaction patterns.
• Enhanced Due Diligence (EDD) – Where higher risks are identified, additional scrutiny and verification procedures must be applied.
3. Ultimate Beneficial Ownership (UBO) Requirements
• Accountable institutions must identify and verify the ultimate beneficial owners (UBOs) of legal entities.
• The UBO threshold is set at 5% ownership or control, meaning institutions must determine any natural persons who hold 5% or more of the shares or voting
rights or otherwise exercise effective control over a legal entity.
• If no individual meets the 5% ownership threshold, institutions must identify persons who exercise control through other means, such as executive management or shareholder agreements.
4. Customer Due Diligence (CDD) & Record-Keeping
• Accountable institutions must implement robust CDD measures, ensuring accurate and up-to-date client information.
• Institutions must verify the identities of all key persons, including UBOs, directors, trustees, and senior management.
• Records must be maintained for at least five years to ensure compliance with regulatory obligations.
5. Implementation of UN Security Council Sanctions & Freezing of Assets
• Institutions must screen clients against sanctions lists and ensure that prohibited persons and entities do not gain access to financial services.
• The FIC outlines mechanisms for the freezing of assets and reporting obligations under international sanctions.
Final Implementation & Compliance Monitoring
Institutions must regularly review and update their AML/CFT policies to align with evolving risks and regulatory expectations.
The FIC warns that failure to comply with GN 7A could lead to enforcement actions, including administrative penalties or criminal liability.
Key Highlights from the Consultation Feedback on Guidance Note 7A (GN 7A)
The Financial Intelligence Centre (FIC) conducted three rounds of consultation from April 2022 to June 2024, receiving input from various stakeholders, including banks, financial services providers, legal practitioners, insurers, industry associations, and independent consultants.
Key points raised and addressed in the final Guidance Note 7A (GN 7A) include:
1. RMCP Approval and Board Accountability
• Stakeholders requested clarity on the delegation of RMCP approval to board sub-committees.
• The FIC reaffirmed that ultimate accountability for RMCP approval cannot be delegated to committees; however, operational functions and advisory roles may be assigned within the institution.
2. Frequency of RMCP Reviews
• Concerns were raised about how often RMCPs should be reviewed and updated.
• The FIC clarified that regular review intervals must be maintained to ensure relevance, but not every minor change requires board reapproval.
3. Complexity and Documentation of RMCPs
• Large institutions noted challenges in presenting RMCPs as a single document, as controls often sit across multiple policies and procedures.
• The FIC confirmed that RMCPs can be documented across multiple documents, but they must be referenced in the main RMCP and made available upon request.
4. Business Risk Assessments (Enterprise-wide Scope)
• There was confusion regarding whether risk assessments should cover an entire enterprise, including non-accountable institutions.
• The FIC clarified that entity-wide risk assessments must be conducted for accountable institutions, but group-wide assessments should distinguish between regulated and non-regulated entities.
5. Level of Detail Required in RMCPs
• Stakeholders sought clarification on what constitutes ‘sufficient information’ in RMCP documentation.
The FIC specified that RMCPs should include:
• Risk identification and assessment of Money Laundering (ML), Terrorist Financing (TF), and Proliferation Financing (PF).
• Controls and mitigation measures to manage identified risks.
• Monitoring mechanisms to evaluate the effectiveness of controls.
6. Approval Evidence and Documentation
• Queries were raised regarding whether RMCP approval requires a separate resolution or signed letter.
• The FIC confirmed that the format of approval evidence is not prescribed, as long as the institution can demonstrate that the board has reviewed and approved the RMCP.
7. Governance and Compliance Functions
• Concerns were raised about the role of compliance functions in RMCP oversight.
• The FIC reiterated that while compliance teams assist with RMCP implementation, the board remains responsible for overall compliance and risk management oversight.