Six key themes from the FSCA’s FICA compliance inspections


Recent inspections under the Financial Intelligence Centre Act (FICA) by the Financial Sector Conduct Authority highlight recurring patterns of non-compliance across accountable institutions, including financial services providers of varying sizes.

The FSCA significantly ramped up inspections of accountable institutions under FICA in the 2024/25 financial year (1 April 2024 to 31 March 2025). This intensification formed part of South Africa’s efforts to address grey-listing by the Financial Action Task Force.

In its 2024/25 annual report, the FSCA reported a 67% year-on-year increase in overall on-site inspections. This built on capacity growth: anti-money laundering/counter-terrorist financing (AML/CFT) supervisory staff rose by 257% between 2022 and 2024, enabling more robust monitoring, follow-ups on prior non-compliance, pre-licensing checks, bilateral meetings, and thematic reviews.

The FSCA’s inspections of accountable institutions reached 100 in 2024/25, focusing on Risk Management and Compliance Programmes (RMCPs) and customer due diligence (CDD).

The inspection process typically follows a structured sequence:

  • The accountable institution is sent a notice of inspection.
  • The institution must submit the requested documentation.
  • The Authority conducts an on-site and/or a virtual inspection engagement. It will work through the documents supplied by the institution, sample a selection of client files, and interview members of staff.
  • The Authority will send the institution a draft inspection report.
  • The institution is provided with an opportunity to comment on the draft report and remediate the identified deficiencies.
  • The Authority will evaluate the feedback provided and assess whether the deficiencies have been satisfactorily addressed. It will identify any remaining areas of non-compliance captured in the full report.
  • The institution is provided with an opportunity to comment on the final report and remediate the identified deficiencies.
  • If the institution is still non-compliant, the Authority will send a notice of intention to sanction, including the findings and the proposed sanctions, which may include a financial penalty.
  • If the institution does not accept the sanction, and the findings on which it is based, it must follow the appeal process in terms of section 45D of FICA.

Accountable institutions often report a lack of guidance from the regulator on how to remediate identified deficiencies, and if they do remediate, they are often uncertain as to whether the steps taken will meet the required standards.

Moonstone Compliance has received numerous inspection reports from clients that have been inspected by the FSCA. Marili Orffer, the Legal and Regulatory Support Team Leader at Moonstone Compliance, analysed these reports. The following six recurring and often interlinked themes emerge:

  1. A robust Business Risk Assessment with a clear methodology

The AML/CTF Business Risk Assessment forms the cornerstone of an institution’s AML framework. It must evaluate risks relating to the following main categories (also known as risk factors):

  • Client base;
  • Products and services;
  • Delivery channels;
  • Geographic location; and
  • Other.

Within those categories, the institution must determine the likelihood that it will be abused or misused for money laundering, terrorist financing, or proliferation financing, and the impact on the business if a risk does materialise. Using a matrix based on likelihood and impact, the accountable institution must assign a risk level – low, medium, or high – to each category.

Orffer says a recurring issue identified in inspection feedback is the absence of a clearly articulated methodology for determining risk ratings. There is no prescribed methodology for determining risk ratings, although Guidance Note 7A provides some guidance in this regard on pages 22 and 23.

The institution must be able to explain its methodology and justify its risk categorisations. Where classifications cannot be explained or appear inconsistent with the institution’s actual risk exposure, this weakens defensibility.

Institutions are also expected to demonstrate consideration of the Financial Intelligence Centre’s national and sectoral risk assessments and, where relevant, reflect these risks within their own framework.

The controls described in the institution’s RMCP must correspond to the identified risks. Higher-risk exposures should attract enhanced measures, while lower-risk exposures may be treated proportionately. Alignment between identified risks, assigned ratings, and documented controls is a core supervisory focus.

  2. Detailed process capture in the RMCP

Section 42 of FICA requires accountable institutions to document the manner in and process by which compliance obligations are fulfilled.

The accountable institution must not only include the required content of section 42, but it must also capture the processes that meet the identified risks. The control measures must be proportionate to the risk level.

Many institutions have concentrated on simply including the content required by the Act when compiling their RMCPs. Orffer says the FSCA has moved away from this tick-box approach. Instead, it wants to see that the processes described in the RMCP are specific and proportionate to the risks identified by the business.

Inspection feedback indicates that high-level or principle-based statements are insufficient. The RMCP must describe operational processes in clear, step-by-step terms. For example, instead of broad statements regarding CDD, the RMCP should specify:

  • The sequence of client onboarding steps;
  • The documents required for verification;
  • How and when sanctions screening is performed;
  • What enhanced due diligence entails; and
  • Who is responsible for each step.

Timing triggers are particularly important. In the context of targeted financial sanctions (TFS), for example, PCC 44A requires screening at onboarding, during transactions, and as part of ongoing due diligence. The RMCP should clearly reflect when and how such screening must occur.

Similarly, decision-making processes relating to reporting obligations should be structured and documented.

For example, section 29 of FICA prescribes four types of reports (suspicious and unusual transactions, suspicious and unusual activity, terrorist financing transactions, and terrorist financing activity). The RMCP needs to capture the decision-making process the Money Laundering Reporting Officer or FICA Compliance Officer will follow when deciding which type of report to make, based on the information provided by an employee who services the client or processes the transaction.

The key takeaway is that an accountable institution cannot be too detailed when documenting processes – even those that appear operationally straightforward – in its RMCP.

  3. Alignment between the RMCP and actual practice

Inspection engagements test whether documented processes are followed in practice.

File sampling (usually about 50 files) enables inspectors to identify any inconsistencies. Staff interviews form part of this process and may test understanding of due diligence procedures and reporting obligations.

A common finding arises where the RMCP prescribes specific steps, but client files or interviews with the FSP’s staff do not demonstrate that those steps were taken. This can occur, for example, in the context of CDD where the RMCP describes a fully manual process for the identification and verification of clients or their representatives, while in practice the institution uses a third party’s software system to verify clients or their representatives.

The supervisory focus is on consistency and operational alignment. The business’s actual practice must reflect what is documented in the RMCP, says Orffer.

  4. Version control, record-keeping, and evidence

The RMCP should be treated as a living document that is constantly revised and updated to take account of evolving risks and amendments to legislation and subordinate regulation, including the Public Compliance Communications and Guidance Notes issued by the FIC.

Inspectors examine whether institutions maintain:

  • Clear version control histories;
  • Records of amendments;
  • Evidence of formal approval and sign-off;
  • Review records reflecting consideration of updated guidance, directives, or sector risk assessments.

Where version controls and review logs do not clearly reflect what changes were made and why, this may be raised during inspections. Some might question the reasoning. However, version control and review logs demonstrate consideration of current provisions in comparison with any legislative or business changes or regulator guidance or risk assessments that may have transpired since the last review of the RMCP, says Orffer.

Record-keeping is equally critical. Institutions must be able to produce evidence that required actions – such as sanctions screening or verification – were performed at the relevant time.

Reliance on software systems does not remove this obligation. Institutions must be able to demonstrate that due diligence and screening, for example, occurred at the required stage and retain evidence accordingly.

Retention obligations generally require records to be kept for at least five years from the termination of a business relationship or completion of a transaction.

  5. No retrospective compliance for operational obligations

A clear theme emerging from inspection feedback is that certain compliance failures cannot be cured retrospectively, Orffer says.

If customer due diligence, verification, or sanctions screening was not performed at the mandated time – such as at onboarding – and evidence thereof is not retained, conducting those steps after an inspection does not remedy the original non-compliance.

Although documentary deficiencies in the RMCP itself may often be remediated during an inspection, substantive timing failures remain non-compliant. Such timing failures have resulted in administrative sanctions in inspection outcomes.

Embedding compliance steps into operational processes at the appropriate stage is therefore critical. As Orffer emphasised, “there is no such thing as retrospective compliance” when it comes to practice.

  6. Governance, training, and accountability

AML compliance extends beyond documentation to governance structures and people.

Inspectors examine whether:

  • The RMCP has been formally approved at an appropriate level;
  • Responsibilities are clearly allocated; and
  • Senior management oversight is evident.

FICA compliance cannot be outsourced or delegated. Even where compliance service providers or verification software are used, ultimate accountability remains with the accountable institution, more specifically, the board of directors, senior management, or the person at the highest level of authority.

Staff training is treated as an operational control. Institutions are expected to conduct ongoing AML/FICA and RMCP training, ensure that content is relevant, and retain records that employees attended training sessions.

Strengthen your FICA compliance with Moonstone Compliance

Navigating FICA and AML requirements doesn’t have to be overwhelming. Moonstone Compliance offers tailored compliance solutions designed to help accountable institutions meet their regulatory obligations with confidence. From developing and implementing robust RMCPs to providing step-by-step support with goAML registration, Moonstone ensures your business fulfils its legal duties while effectively managing financial crime risks. Our expert team delivers practical support across documentation, framework development, ongoing compliance oversight, and regulator engagement – all customised to your organisation’s unique needs.


1 thought on “Six key themes from the FSCA’s FICA compliance inspections”

  1. Good day Mark
    FIC is a major stumbling block in the system.
    In 2018 I and a number of my colleagues reported a massive fraud and corruption case to FIC. My report was done in person during a FIC Training session of financial advisors. I handed all the details in personally to one of the senior members at FIC. The name and the case number could be produced if you require it. Despite various updates and requests for action from FIC, no reply was ever received, no action was taken and everything died a slow death during Covid-19. I again picked up the enquiry in 2022 and to date again nothing happened. FIC is very well aware of this massive fraud as it is since Feb 2025 under action by the CIPC.
