The stakes for South African businesses failing to properly implement a Risk Management and Compliance Programme (RMCP) have never been higher.
This year alone, the Financial Sector Conduct Authority and Financial Intelligence Centre (FIC) issued multimillion-rand fines to large financial firms and smaller accountable institutions for weak or non-existent RMCPs, citing failures in client due diligence, transaction monitoring, and enhanced scrutiny of high-risk clients.
The FIC is urging designated non-financial businesses and professions (DNFBPs) to ditch generic, “one-size-fits-all” compliance templates in favour of practical, risk-focused approaches tailored to each business’s operations.
In a recent webinar hosted by the FIC, DNFBPs were given a clear blueprint for doing just that. The online session focused on the development of an RMCP and the conduct of entity-wide risk assessments. It highlighted the importance of understanding and assessing risks – particularly those related to money laundering, terror financing, and proliferation financing – and emphasised that RMCPs should reflect the actual operations of the business.
“Too many businesses are overcomplicating their RMCPs,” the FIC said. “A one-person firm does not need a 200-page document. We want to see that the owner has applied themselves, understands their business risks, and has appropriate controls in place.”
Drawing on Public Compliance Communication 53 and Revised Guidance Note 7A, the webinar also outlined important regulatory updates, including:
- Beneficial ownership thresholds revised from 25% to 5%.
- Updates to Schedule 3A and 3B.
- A new definition of beneficial ownership.
Participants were advised that an effective RMCP should:
- Follow a risk-based approach, tailored to the specific nature and complexity of the business.
- Document business risk assessments, including identification of risks, mitigation controls, and monitoring mechanisms.
- Ensure governance and accountability lie with the highest authority in the business, even for smaller operations.
- Include targeted training for staff, with onboarding for new employees and ongoing updates proportional to risk exposure.
- Maintain proper record-keeping, including client due diligence, transaction monitoring, and evidence of compliance with the Targeted Financial Sanctions (TFS).
The FIC also emphasised proportionality in client due diligence. Low-risk clients should not be overburdened with unnecessary documentation, while high-risk clients – including foreign politically exposed persons (PEPs) – require enhanced scrutiny. Businesses should clearly document how they identify, verify, and monitor clients, including ongoing due diligence and transaction monitoring, in their RMCP.
Risk identification and business risk assessments
Before any compliance programme can be developed, businesses must identify and assess their risks. This is commonly documented as a business risk assessment.
“Because you can’t have a Risk Management and Compliance Programme if you haven’t identified your risks,” the FIC emphasised. Inspectors often review this document first during inspections to verify that the business understands its risks and has applied itself to the assessment process.
Businesses are encouraged to document the entire process, including how risks were identified, the controls implemented, and ongoing monitoring measures.
Governance and accountability
The FIC underlined that the highest authority in the business is ultimately responsible for the RMCP. Even a one-person firm must ensure that all obligations under the Financial Intelligence Centre Act (FICA) are applied effectively.
Governance does not require a large compliance team. Small businesses are expected to apply RMCP measures proportionate to their size and complexity, ensuring controls are practical and tailored to actual risks.
Employee training
Training is an essential component of an RMCP. All employees must understand compliance obligations, including the duty to report suspicious activities under section 29 of FICA.
The FIC recommends:
- Onboarding for new employees to introduce them to compliance responsibilities.
- Targeted training for staff with AML/CFT obligations, conducted more frequently than general training.
- Documentation of training schedules, materials, and attendance to provide evidence to inspectors.
Customer due diligence
An RMCP must detail how the business identifies and verifies clients. The FIC emphasised proportionality in approach:
- Low-risk clients – minimal documentation, avoid unnecessary burdens.
- Medium-risk clients – appropriate checks based on assessed risk.
- High-risk clients – enhanced due diligence, including source of funds and wealth verification.
For legal entities, businesses must understand ownership, control structures, and beneficial owners, and apply the updated thresholds (now 5%), while using a risk-based approach.
Ongoing due diligence
Compliance doesn’t end at onboarding. Businesses must review client relationships periodically, adjusting review frequency by risk category:
- Low-risk clients – less frequent review.
- Medium-risk clients – periodic review.
- High-risk clients, including foreign PEPs – continuous, detailed monitoring.
This ensures transactions align with expected client behaviour and allows early detection of suspicious activity.
Targeted Financial Sanctions
Businesses must comply with Targeted Financial Sanctions, screening clients against the FIC’s list derived from United Nations Security Council resolutions. The FIC highlighted that the search function on its website can be used free of charge, eliminating the need for third-party services. RMCPs should specify:
- How searches are conducted using the FIC tool.
- How results are recorded (for example, dated screenshots).
- Procedures for managing false positives or matches.
Record-keeping
All businesses are required to retain records for five years after ending a client relationship. RMCPs must detail:
- Format of records (physical or electronic).
- Access procedures, including third-party storage arrangements.
- Transaction records and reports submitted to the FIC.
Proper documentation allows inspectors to verify compliance and ensures businesses can respond to regulatory inquiries.
Promoting a compliance culture
The FIC emphasised that a culture of compliance must be set from the top. The highest authority should:
- Approve and sign off the RMCP.
- Ensure it is adequate and implemented throughout the business.
- Monitor that risk controls are applied proportionally to identified risks.
Businesses were reminded that RMCPs do not need to be long or complex; what matters is that the programme reflects what is happening on the ground.
Applying a risk-based approach
Ultimately, the FIC encourages DNFBPs to apply practical, tailored measures instead of blindly following regulations or templates. Overcomplicating RMCPs or applying the same controls to all clients can frustrate operations and clients alike.
The session repeatedly underscored that RMCPs are meant to support practical compliance, not to create unnecessary complexity. Inspectors will assess whether a business is applying its RMCP in practice, not just on paper.
“The RMCP should reflect what actually happens in your business. We are not trying to put you out of business or frustrate operations,” the FIC said. “We want to see that the programme is tailored, risk-based, and actively managed.”
Help with FICA compliance
Moonstone Compliance offers compliance, consulting, and training options for accountable institutions of all types and sizes to help them meet the requirements of FICA.
Moonstone Compliance provides a wide range of services, from providing documentation to implementing a full compliance framework. You can select a combination of services and have them customised according to your needs.