Accountable institutions must ensure their Risk Management and Compliance Programmes (RMCPs) include well-defined processes to detect and report suspicious transactions or activities related to money laundering (ML), terrorist financing (TF), or proliferation financing (PF).
A failure to demonstrate adequate compliance with this requirement was one of the reasons the Financial Sector Conduct Authority fined Donaldson Global Investments (Pty) Ltd (DGI) a total of R200 000, of which half was conditionally suspended.
In a statement last week, the FSCA said the sanctions imposed on DGI show the Authority will take firm regulatory action against accountable institutions that are not compliant with the Financial Intelligence Centre Act (FICA).
It urged institutions continually to review and enhance their anti-money laundering and terrorist financing controls at the highest level and to conduct thorough risk assessments regularly.
An inspection by the Authority in January last year disclosed that DGI was non-compliant in two areas: its RMCP was deficient, and it had not screened clients against the Targeted Financial Sanctions (TFS) lists.
Deficiencies in the RMCP
Section 42 of FICA requires accountable institutions to maintain a robust RMCP to identify, assess, monitor, mitigate, and manage risks related to ML/TF/PF.
DGI’s RMCP was found to be deficient in the following respects:
- The RMCP did not include processes for screening clients against the TFS lists, as required by section 28A(3) of FICA.
- DGI failed to develop and document processes for identifying and reporting suspicious activities and transactions, as well identifying and reporting terrorist financing activities or transactions. Specifically, the RMCP lacked:
- A step-by-step process for analysing transactions and identifying reportable activities.
- Guidelines for recognising different types of reportable transactions.
- Details on investigations, decision-making for reporting, and record-keeping of findings.
- Specified timeframes for submitting reports to the Financial Intelligence Centre (FIC).
- The RMCP did not address compliance with section 26B of FICA, which prohibits dealings with persons or entities that have been sanctioned by the United Nations Security Council. Specifically, it failed to include:
- Processes for freezing property related to sanctioned persons or entities.
- Measures to ensure DGI did not onboard or maintain relationships with sanctioned clients.
Deficiencies in TFS screening
In terms of section 28A read with section 26A to 26C of FICA and Guidance Note 7, accountable institutions must scrutinise client information to determine whether any of their clients are listed on the TFS lists published under the Protection of Constitutional Democracy Against Terrorist and Related Activities Act and by the UN Security Council.
The FSCA found that none of the 39 sampled clients was screened against the TFS lists at the time of onboarding.
Critical elements of compliance
The FSCA, in the Notice of Sanction, said non-compliance with the RMCP requirements is not a minor issue, because it breaches one of the core principles of FICA – namely, a risk-based approach to all the compliance elements of the Act.
“The importance of a risk-based approach is underscored by the fact that this is the very first recommendation of the Financial Action Task Force, of which South Africa is a member jurisdiction and is required to comply with its recommendations,” the Notice states.
It points out that accountable institutions must have well-defined and documented processes within their RMCPs to detect and report suspicious transactions or activities related to ML/TF/PF. The following elements are critical:
- Institutions need step-by-step guidelines to identify suspicious activities, such as through Suspicious Activity Reports or Terrorist Property Reports.
- Reports must be submitted to the FIC within specified timeframes to ensure prompt action.
- There should be documented steps for investigating potential suspicious activities and deciding whether to report them.
- These processes must be embedded in the accountable institution’s daily operations, not just exist on paper.
An effective RMCP is vital not only because it assists accountable institutions to protect and maintain the integrity of their own businesses but also because it helps to contribute to the integrity of the South African financial system.
The FSCA also emphasised the importance of screening clients against the TFS lists, both at onboarding and throughout the business relationship.
Screening is not a one-time task; clients may be added to the sanctions lists after onboarding, requiring continuous checks. A failure to screen clients increases the risk of dealing with sanctioned individuals or entities, which is a serious breach of FICA.
Remediation attempts and FSCA’s response
After the inspection, DGI submitted a revised RMCP and evidence of TFS screening in April 2024. However, the FSCA found these efforts insufficient. A further revised RMCP submitted in October last year was still found not to be fully compliant.
The FSCA issued a Notice of Intention to Sanction in December 2024, prompting DGI to submit representations in January this year.
DGI submitted that its RMCP was compliant and contended that clients onboarded after May 2019 were screened against the TFS lists, but the screenshots were not saved by the key individual.
The FSCA said the onus lies with the accountable institution to provide evidence that it complied with the provisions of FICA. Furthermore, the fact that clients were known to the key individual did not exonerate DGI from screening these clients.
Half of the penalty suspended
The FSCA directed DGI to remediate the identified deficiencies by 2 April and cautioned the FSP not to repeat the non-compliant conduct.
DGI was fined R100 000 for having a deficient RMCP and R100 000 for failing to screen clients.
In light of the remedial actions taken by DGI, the FSCA suspended R100 000 of the penalty for three years, conditional upon full remediation and sustained compliance with relevant provisions of FICA during the suspension period.
DGI was negligent by not following the FICA requirements and resulted to being sanctioned by the FSCA