FICA: RISK AND COMPLIANCE MANAGEMENT PROGRAMME GOVERNANCE

The accountable institution’s RMCP document must provide for all the requirements set out in section 42 read with section 42A of the FIC Act, and must state the regular intervals at which the RMCP will be reviewed. The Centre recommends that the accountable institution reviews its RMCP annually, as ML/TF/PF risks change continuously. Training must be a regular feature of the AML controls and applied regularly (at least annually) within the accountable institution.

RMCP requirements as set out in section 42:

1. The RMCP governance: The roles, responsibilities, governance structures and oversight functions of the section 42A compliance officer, the compliance function, board of directors, senior management or other persons exercising the highest level of authority in relation to compliance with the FIC Act and the accountable institution’s RMCP.

2. ML/TF/PF risk assessment and risk-rating framework: A business-level risk assessment indicating the ML/TF/PF risk the accountable institution as an entity faces, and the risk each of the accountable institution’s different business areas faces. The accountable institution must stipulate which indicators should be considered when conducting the risk assessments. The monitoring, mitigating and management controls that must be applied to the different risk ratings must be clearly noted.

3. Customer due diligence controls: The accountable institution must include in the RMCP document its customer due diligence (CDD) processes, which should indicate the manner in which the accountable institution:

3.1 Determines which persons are deemed to be clients, and further determines whether a person(s) is an existing client.

3.2 Prevents the on-boarding of anonymous clients, and clients acting under a false or fictitious name.

3.3 Conducts CDD on the different types of prospective clients, existing clients, beneficial owners, persons acting on behalf of the client and other persons. This includes determining the level of verification which forms part of the CDD as a result of the client’s risk rating.

3.4 Conducts additional due diligence (ADD) in respect of clients that are legal persons, trusts or partnerships.

3.5 Conducts ongoing due diligence (ODD) and at which intervals.

3.6 Conducts enhanced due diligence (EDD) where a high-risk business relationship or single transaction has been identified.

3.7 Conducts simplified due diligence where a low-risk business relationship or single transaction has been identified.

3.8 Conducts client on-boarding approval, including for high-risk business relationships or single transactions.

3.9 Determines processes where CDD cannot be conducted, including where the accountable institution must not enter into a business relationship or conduct a single transaction, and where an existing business relationship should be terminated and the filing of a suspicious transaction report considered.

3.10 Conducts profiling including determining which future transactions are consistent with the accountable institution’s knowledge of a prospective client.

3.11 Confirms information relating to a client, where the accountable institution doubts the accuracy of previously obtained information.

4. Targeted financial sanctions controls aimed at terrorist financing: The accountable institution must detail the process to comply with the targeted financial sanctions regime aimed at terrorist financing in the RMCP document. This includes the manner in which the accountable institution will scrutinise client information in order to identify persons listed on a United Nations Security Council 1267 resolutions list that is published in terms of section 25 of the Protection of Constitutional Democracy Against Terrorism and Related Activity Act, 2004 (Act 33 of 2004) (POCDATARA Act), as well as the systems used and supporting processes for scrutinising client information.

5. Targeted financial sanctions controls aimed at proliferation financing (sections 26A, 26B and 26C of the FIC Act): The accountable institution should document in the RMCP document the processes it has in place to comply with the TFS regime aimed at proliferation financing, as set out in sections 26A, 26B and 26C of the FIC Act (refer to PCC 44). A TFS process must provide for:

5.1 The manner in which the accountable institution will scrutinise client information in order to identify persons listed on a TFS list as published on the Centre’s website in terms of section 26A of the FIC Act.

5.2 The systems used and supporting processes for scrutinising client information.

5.3 The freezing process that must be followed should a client or potential client be listed on a TFS list.

5.4 It is important to note that client information includes information regarding the client, prospective client, beneficial owner, person acting on behalf of the client and transaction or payment information.

6. Politically Exposed Persons controls: An accountable institution must document its process regarding prominent influential persons in the RMCP document which sets out:

6.1 The manner in which the accountable institution scrutinises prospective clients, persons acting on behalf of the client and the beneficial owner’s information to determine whether they are domestic politically exposed persons (DPEP), foreign politically exposed persons (FPEP), their immediate family members or known close associates (refer to PCC 51).

6.2 The manner in which the accountable institution will obtain senior management approval to establish a business relationship with an FPEP, or if considered high risk, a DPIP.

6.3 The manner in which the accountable institution will determine the source of funds and wealth of a client that is an FPEP, a high-risk DPEP, their immediate family member or known close associate.

6.4 The data sources relied upon to determine whether a client is an FPPO or DPIP.

7. Account and transaction monitoring: An accountable institution must include its process to monitor client transactional activity in the RMCP document, which indicates:

7.1 The manual or automated processes in place for account, transaction or activity monitoring in terms of section 21C of the FIC Act, to determine whether the transactions or activity is consistent with the client’s business and risk profile.

7.2 The manner in which the accountable institution will examine complex and unusually large transactions and unusual patterns of transactions which have no apparent business or lawful purpose, as well as the process in place to keep written findings of the accountable institution’s decisions in this regard.

8. Reporting controls: The end-to-end internal process for identifying possible reportable transactions (refer also to Directive 5 and PCC 45), and for analysing and reporting transactions to the Centre in terms of sections 28, 28A and 29, where applicable. This would include who must submit the report, and the periods within which the reports must be submitted to the Centre.

9. Record-keeping controls: An accountable institution must document its record-keeping process in the RMCP document. This process could include:

9.1 What records must be kept

9.2 In what format these records will be kept (e.g. hard copies or electronic records)

9.3 The period for which records must be kept

9.4 If the records are kept by a third party, details thereof as prescribed in regulation of the Money Laundering and Terrorist Financing Control Regulations.