‘Appropriate’ and ‘adequate’ – two words that will shape SA’s next FATF review

When it comes to guidance, words matter in compliance – and the Financial Action Task Force (FATF) has sharpened its definitions just as South Africa braces for its next big test.

With the country still waiting to hear in October whether it will be removed from the grey list, regulators are already preparing for FATF’s next mutual evaluation in April 2027. That review will determine whether South Africa’s anti-money laundering and counter-terrorist financing (AML/CFT) reforms are not just in place but working. A weak showing could land the country back on the grey list.

The FATF has revised its methodology for the current round of evaluations, which started in 2024. The emphasis now is less on ticking boxes and more on proving that AML/CFT systems are effective. Crucially, the framework now separates financial institutions from designated non-financial businesses and professions (DNFBPs), ensuring they are judged on their own performance.

At the Compliance Institute of Southern Africa’s recent conference, Christopher Malan, executive manager for compliance and prevention at the Financial Intelligence Centre (FIC), unpacked what this means for DNFBPs.

He pointed to the FATF’s Immediate Outcome 4, which tests how well supervisors oversee DNFBPs and whether these businesses apply AML/CFT measures proportionate to the risks they face.

Immediate Outcome 4: Supervisors appropriately supervise, monitor and regulate DNFBPs for compliance with AML/CFT requirements, and DNFBPs adequately apply AML/CFT preventive measures proportionate to the risks, and report suspicious transactions.

The focus, he explained, is on whether supervision is “appropriate” and whether implementation is “adequate”.

“‘Appropriately’, that’s going to be the term. It’s a very difficult term. What is appropriate? One would say it all depends on the circumstances, right? But we are required to appropriately supervise, monitor, and regulate DNFBPs for compliance with AML/CFT requirements,” Malan said.

On the other side of the coin, DNFBPs must prove they are applying preventative measures adequately.

“When you’re advising clients or advising your team or advising your management, you need to think ‘adequate’. Am I adequate in the following key respects, apply the preventative measures. And please when you read ‘preventative measures’, it’s not just tick-box compliance, it’s also the risk measures, because everything you do has to be proportionate,” he said.

Malan noted that the FATF’s language has also shifted. Where it once spoke of measures being “commensurate” with risk, it now requires them to be “proportionate” – a subtle but important shift tied to the risk-based approach to compliance.

Reporting suspicious transactions remains a cornerstone.

“They don’t sit in the cloud somewhere. They go into a black box, but the black box is under constant surveillance and management and interrogation… it gets worked and sweated daily, every second of the day,” Malan said.

He added that the FIC’s systems now process staggering volumes of information.

“The amount of data points that our systems have to analyse is approaching probably a trillion… millions and millions of lines of information, which we call data points or data elements. And we analyse that because our systems go and check on that on a 24/7 basis.”

Characteristics of an effective system

But the FATF’s checklist goes further. Immediate Outcome 4 now comes with detailed criteria: preventing criminals from holding significant interests in DNFBPs, addressing breaches of licensing or registration, and ensuring regulators truly understand and communicate money laundering and terrorist financing risks in the sector.

DNFBPs, in turn, are expected to show they can apply customer due diligence, maintain records, conduct enhanced checks on politically exposed persons and high-risk countries, and report suspicious transactions effectively.

“Now, for you guys that work in the financial institution space, there’s similar criteria, but I can assure you, it’s more or less similar,” Malan said.

He explained that the first line of defence is market entry – keeping criminals and their associates from becoming beneficial owners or holding management positions in DNFBPs. That’s not always straightforward in South Africa.

“Many of them are not licensed. Trusts are not licensed. There’s no licensing authority other than the Master’s Offices issuing letters of trusteeship and accepting the trust deed. But strictly speaking, it’s not a licensing regime, it’s an office of record,” Malan pointed out.

Supervision, he added, must also be ongoing. Regulators are expected to guide, monitor, and enforce compliance over time, showing measurable improvements in how DNFBPs apply AML/CFT measures. In South Africa, this is no small task.

“Essentially, everybody on our plate is in some shape or form, either inherent or close to residual, high risk,” Malan said.

He cautioned DNFBPs not to treat internal controls as a tick-box exercise.

“You can’t mitigate your risk if you’ve not done a business risk assessment. So please, before you even do an RMCP, or you modify your RMCP, refresh your business risk assessment,” he urged.

Malan reminded delegates that the entire FATF regime is about detection of unlawful activity and then reporting to the FIC so that law enforcement can be enabled through intelligence to pursue targeted entities and transactions. Ultimately, he said, the FATF’s end goal is to reduce money laundering and terrorist financing.

“So, stop there. If all of this you are doing is not leading to yourself becoming more resilient or more enabled to not be abused and not to be subject to these activities, or there is no reduction on your end to your potential for being abused, then perhaps you’ve not done well, because this is the ultimate issue.”