Financial services providers should expect to see a lot more of the FSCA in the coming months. As South Africa edges closer to exiting the Financial Action Task Force’s grey list as early as October, regulators are stepping up their oversight.
National Treasury and the FSCA have been working to meet the FATF’s stringent action plan. Tomorrow could bring news on whether the country has ticked off the two final outstanding tasks: increasing prosecutions for serious money laundering and boosting investigations into terrorist financing. If these benchmarks are met, South Africa could exit the grey list this year, following an on-site review in September.
But this isn’t the end of the road. Preparations for the FATF’s next mutual evaluation in 2026/27 are already under way. Treasury has launched high-level assessments of South Africa’s anti-money laundering and counter-terrorism financing (AML/CFT) compliance, with the FSCA playing a critical role in various working groups.
Read: AML/CFT | Strict enforcement will be the new normal
Michelle Fourie, senior specialist in the FSCA’s FICA supervision unit, told compliance officers at the recent Moonstone Compliance conference that on-site and off-site inspections will be significantly stepped up.
“The industry can be ready to see more of us,” she warned.
Terror financing risk heightens focus on RMCPs
South Africa’s terrorism financing risk has escalated from moderate to high, according to the updated Terrorism Financing National Risk Assessment (TF NRA) released in June 2024. The report highlights the growing likelihood that funds or assets could be raised in or moved through South Africa to support terrorism.
It warns that although South Africa is not a primary target for terrorist attacks, it is increasingly implicated in funding activities abroad.
Against this backdrop, the FSCA urges FSPs to ensure their Risk Management and Compliance Programmes (RMCPs) are robust and effectively implemented.
Fourie said inspections continue to reveal serious shortcomings.
“One of the big things we see when we do on-site assessments is deficiencies in conducting a business risk assessment (BRA) and RMCPs,” she said.
BRAs and RMCPs have been mandatory since 2017, yet common failures persist.
According to Fourie, many RMCPs are outdated, generic, and poorly applied. There is often a disconnect between what is documented and what is actually put into practice.
“Often, they are copy and paste. ‘I have to identify beneficial owners. I have to identify my clients. I have to train my staff. I have to keep records.’ But they are not saying how they are going to do it.”
She added that governance gaps are widespread, with many RMCPs lacking board or senior management approval.
Fourie emphasised that BRAs must be tailored to each business and completed by the business owner.
“None of you in this room, including me, can do a business risk assessment on behalf of an FSP. It’s an impossible task to put yourself in someone else’s position in the business they’ve built for years.”
Emphasising the importance of conducting a proper risk assessment, she said it is essential to understand the risks in order to stay safe.
“If you don’t understand it, if you don’t know that when you cross the road in the middle of the night with no shiny clothes on, and you’re not lit up like a Christmas tree, the chances are very good that a car is going to hit you. If you don’t assess it, you can’t do anything to control it.”
Regarding customer due diligence (CDD), she said many FSPs are failing to apply a risk-based approach or maintain regular contact with clients. As clients’ circumstances change over time, they may not volunteer crucial information unless asked.
She cautioned against relying solely on transactions to trigger due diligence reviews, noting that most financial services providers operate in environments that are not transaction-intensive.
What the FSCA expects from FSPs during FICA inspections
Fourie outlined what the regulator expects from accountable institutions (AIs) when conducting Financial Intelligence Centre Act (FICA) inspections.
AIs are expected to respond promptly and fully to inspection notices. Fourie said some entities attempt to delay inspections with excuses or by ignoring communication.
She explained that some entities attempt to delay or avoid inspections by citing personal reasons such as being abroad or experiencing health issues. While acknowledging that these circumstances can be legitimate, she noted they are frequently used as excuses to evade inspection.
Fourie added that if an institution fails to respond to calls or emails to agree on an inspection date, the FSCA has the legal right to proceed with the inspection regardless.
FSPs must ensure relevant staff are available and that all records, including client files, are accessible. Fourie acknowledged that scheduling can be a challenge, particularly in large firms or one-person operations, but emphasised its importance.
AIs are expected to co-operate fully during inspections and be transparent about any compliance shortcomings. She encouraged institutions to openly share the challenges they face, even if they have not yet started addressing certain requirements, as this allows for an honest and constructive conversation.
Although external advisers, such as compliance officers, may attend inspections, they may not answer questions on behalf of the FSP. The responsibility falls on the AI to answer the FSCA’s questions when asked. Fourie said a compliance officer will not be allowed to intervene on its behalf during an on-site inspection.
Fourie said the FSCA expects accountable institutions to submit the most recent RMCP that has been approved by the board or senior management in response to an inspection notice. She emphasised that this version, regardless of any plans to update it soon, is the one that will be assessed.
Finally, FSPs must respond timeously and comprehensively to any follow-up requests and to the draft inspection report to ensure accuracy.
Fourie acknowledged that the FSCA’s issuance of reports has been slower than desired and that improvements are needed, but stressed the importance of receiving timely information from providers to facilitate the process.
Enforcement actions – remediation does not rule out sanctions
Visitors to Moonstone’s website will have noticed a sharp increase in FSCA sanctions in recent months.
In May, the FSCA took administrative action against Ninety One Fund Managers and Donaldson Global Investments for failing to comply with provisions of FICA. A month earlier, it sanctioned Adams Chrambanis & Associates CC, ID Capital, and Henk Kolver Investment Management Services CC for similar failures.
Read: FSCA imposes R3m fine on Ninety One for FICA lapses
Read: FSP fined for inadequate client-screening processes
Read: No RMCP, no excuse: FSCA fines three FSPs a combined R735 000
Fourie said the FSCA does not issue sanctions lightly, noting that enforcement actions involve a significant amount of work and do not result in any financial gain for the regulator. She added that one of the reasons South Africa was grey-listed was the perception that sanctions had not been sufficiently proportionate or effective in deterring non-compliance.
She added that although the FSCA actively monitors the remediation of findings, remediation of non-compliance does not prevent sanctions.
Sanctions may still be imposed if:
- The non-compliance has been remediated.
- The institution poses a low money laundering, terrorist financing, or proliferation financing risk.
- No actual money laundering or terrorist financing occurred.
The fact that a transgression has been rectified does not mean it was not a transgression and cannot or should not be the object of a sanction.
A recent case involving Capital Point Properties, an estate agency, reinforces this. On 13 August last year, the FIC Appeal Board dismissed the agency’s appeal against administrative sanctions imposed following a failed inspection.
Inspectors found the firm had not implemented a RMCP in the required timeframe and failed to screen clients against the Targeted Financial Sanctions list. Despite addressing some issues after the enforcement process began, the FSCA’s fine of R266 000 stood.
