South Africa may soon exit the grey list, but the country’s anti-money laundering and counter-terrorist financing (AML/CFT) reforms will face a real test during the Financial Action Task Force’s next mutual evaluation, scheduled for April 2027. A poor showing could see it back on the list.
The FATF has updated its assessment methodology to focus more on results, placing greater weight on the effectiveness of AML/CFT frameworks rather than technical compliance alone. Under the new approach, regulators will scrutinise whether laws and regulations are applied in practice and are achieving their intended outcomes. For financial services providers, this means getting a firm grip on their risk-based approach (RBA) for AML –yesterday.
South Africa’s shift to an RBA for AML is nearly eight years old, but FSPs are still navigating its complexities. Introduced through 2017 amendments to the Financial Intelligence Act (FICA), the RBA requires institutions to assess their exposure to money laundering and terrorist financing, applying stricter controls for high-risk clients and lighter measures for low-risk ones.
The system is designed to prevent the blanket “de-risking” of legitimate, low-risk customers while maintaining robust safeguards. Yet many FSPs complain that compliance remains resource-intensive, with new policies and procedures pulling the focus from core business functions such as managing client capital – and passing costs on to customers.
At the Compliance Institute of Southern Africa’s 2025 conference, financial crime risk consultant Willem Kruger (pictured) highlighted the importance and the challenges of an RBA. Drawing on more than 30 years of banking experience and his current role as a consultant at ARC, Kruger said the move from rules to risk remains “very complex”, demanding detailed mapping of money laundering, terrorist financing, and proliferation risks.
AML, he argued, must be integrated into the DNA of the business rather than treated as a “sideshow”.
“Every other risk that we deal in the business… is integrated into business. Yet AML is kind of sitting here on the side,” he said.
Without understanding their products, FSPs risk wasting resources chasing low-risk clients instead of focusing on genuine threats. Done well, the RBA can also improve customer insight and add business value.
“It’s a complex thing, it’s an expensive thing to build, but the better you set it up upfront, the easier it is,” Kruger said, noting that costs can be offset over the lifecycle of the institution.
Fixing the small stuff
Kruger emphasised the practical importance of risk-based compliance, drawing on the “broken windows” principle used by New York mayor Rudy Giuliani in the early 1990s.
“They reduced crime by 56% and murders by 65% purely by fixing the small stuff,” he said.
He applied the same logic to AML, noting that minor irregularities can indicate larger issues if addressed consistently.
AML effectiveness, he said, relies on partnerships both within institutions and with regulators, as well as a mindset shift from rule-following to genuine risk management.
“We are as strong as the weakest link within this whole chain,” he said, adding that the goal is to “fix the broken windows” and stop money from flowing the wrong way.
Shift to risk-based regulation
Kruger noted that more than half of FICA regulations are already risk-based, with other legislation – including FAIS and the Financial Markets Act – following suit.
“So, there’s been a massive shift from rules to risk… the whole compliance environment is moving to risk,” he said.
Financial institutions, he argued, should learn from credit and operational risk management, integrating AML into the business rather than seeing it as a burden.
Although FSPs only see part of the picture, their reports help regulators and law enforcement to assemble the full puzzle.
“By doing our little bit, everyone does their little bit, we can help law enforcement. We can help the regulators to identify those things… They see a number of small pieces, and they put them together, and then the prosecutions happen,” Kruger said, noting that millions of rands have been recovered through these processes.
“What we do actually matters. It does help.”
AML as a partnership
Kruger called for AML teams to move beyond compliance checklists and work hand-in-hand with businesses.
“A partnership needs to be there. We need to understand that risk,” he said.
Understanding, identifying, and monitoring risks enables AML frameworks to adapt effectively while improving efficiency and cost-effectiveness.
“It’s not you and I, it’s us that needs to work,” he added.
He also warned against generic risk documentation.
“Simple thing, your RMCP [Risk Management and Compliance Programme]. If your RMCP is not specialised and clearly identifies the risks within your organisation, if the inspector comes in… he’s going to see you as the same as the guy next door, and you are not the same,” he explained.
Properly documented risk allows regulators to differentiate institutions rather than lumping them together.
Focusing resources on real risks
Kruger advised FSPs to differentiate clients based on risk, focusing limited resources where the real threats lie.
“Do not treat your low- and high-risk clients the same, because you put a lot of effort into low-risk clients, where the likelihood of money laundering is low,” he said.
He illustrated the value of strong partnerships with a practical example: combining monitoring data, onboarding insights, and forensic investigation enabled his team to uncover hidden risks.
“They just did the new beneficial owners structure. What did they find? A complex layer. This company should not have a complex system, and my forensics team said your criminal sits five times removed from your client. So that’s where they sit. They don’t sit next to your client. And by putting all this information together, you can now paint a picture of what is wrong and what is happening within your environment,” he said.
He said, in summary, compliance officers needed to get better.
“To get that partnership going from a compliance fraternity, to sell ourselves better to business… and it’s not in our world just about compliance, but it’s what we do on top of that,” Kruger said.
Arrest the NEC = 98% cure.