South Africa’s FATF grey listing earlier this year served as a stark wake-up call revealing deficiencies in our adherence to global AML standards. In response, the FIC Act – a regulatory framework for identifying, assessing, and combating financial crime and anti-money laundering through a risk-based approach – was introduced. The FIC Act ensures that accountable institutions (those at high risk of criminal abuse for terrorist financing and money laundering) are adequately monitoring and reporting their clients’ profiles and activities. The complexities of this framework mean that its registration, reporting requirements and directives can be mishandled if they are not properly understood.
LexisNexis hosted a series of webinars outlining the complexities of FIC obligations, including registration, reporting and the directives that make up this framework, ensuring that accountable institutions have the right support and tools at their disposal to master one of the fundamental requirements of the FIC Act – knowing your customer. SA currently has 49,000 active accountable institutions, and each country is given 2 years to get itself off the grey list. With the complexities of the legislation, using the right technology to adhere to the FIC Act is key.
The FIC Act takes a risk-based approach to monitoring and reporting, identifying business risk and compliance risk as the two key categories. Within these categories, money laundering, terrorist financing and proliferation financing were listed as three focus areas. Eugene Joubert and Jan de Beer from CR Trustees were joined online by Ashleigh Mooij from the FIC to unpack these risks and provide a primer on compliance registration and reporting outlined in the FIC Act. 2002 amendments to schedules 1, 2, and 3 of the Act saw changes including the addition of more accountable institutions and a “cleanup” of supervisory bodies and scope. Mooij explained how the three major supervisory bodies, the SARB, Financial Sector Conduct Authority and Financial Intelligence Centre, have a close working and collaborative relationship to avoid over-regulation – a necessary framework as some entities need to meet compliance requirements across the three bodies. Schedule 1 categories can complicate the registration process for this reason. Mooij explains that this is a structural issue with the way that reporting data is collected and collated across the three entities, as the FIC needs to ensure that reporting is aligned with FATF standards. To mitigate this, there is an oversight function allowing for one person to monitor all registrations.
According to Mooij, the process can be summed up simply by the idea that reporting follows registration and registration needs to be sector specific. Meeting the right registration and reporting deadlines is key here – these dates are readily available on the FIC’s website. Registration can be broken down into two parts: the registration of the entity, and the registration of the individuals in charge of reporting – most often the Chief Compliance Officer and Anti-Money Laundering Reporting Officer. To register individuals online you need to have completed the registration of your entity to receive an org ID number. It is important to remember that if any changes occur that may affect your entity or individual registration, the FIC must be informed within 90 days and these changes must include the correct documentation and authorisation showing FIC-specific approval.
Why are correct reporting procedures so essential? Mooij explains that supervisory bodies need to have a good understanding of potential risks to create financial intelligence reports and to inform their monitoring and evaluation processes. Directives 6 and 7 in the Act dictate the correct reporting requirements across accountable institutions and how to submit their risk and compliance returns. Mooij puts it simply: “If reporting is not done correctly, we can’t do our jobs, we won’t gather the right data and we won’t make it off the grey list.” Directive 8 primarily focuses on people risk. Whether this is internal or external or where the two intersect, Directive 8 dictates that accountable institutions must periodically screen prospective and current employees against targeted financial sanctions lists for competence and integrity in a risk-based manner. It is also essential that a record of this screening is kept showing that the screening has been done and how exactly it was performed. The FIC’s Ashleigh Mooij led a second webinar on the nuances of Directive 8, explaining the repercussions of inadequate screening processes and reporting, and highlighting the importance of digital tools to assist in this often-arduous process.
“You want to focus on the highest risk the most, and where the lowest risk lies, that’s where you want to have at least some oversight and understanding in case this becomes a higher risk over time,” explains Mooij. This forms the foundation of the risk-based approach and means that individuals who can shape the AML strategy of your organisation and bring in high-risk clients should be the focus of your screening.
Mooij also stressed that the stipulations in the FIC Act regarding Directive 8 should align with your organisation's existing AML screening measures and controls, enhancing them by identifying weaknesses and filling gaps. Mooij encourages a holistic approach to the integration of the FIC Act into an organisation's existing RMCP. Organisational context matters concerning PCC5 – there is no one-size-fits-all approach.
While organisations that are newly appointed accountable institutions may be on a slightly longer leash, FICA compliance still needs to be prioritised. Non-compliance with this directive will result in administrative sanctions, the most severe of which is a fine not exceeding R10 million for natural persons and R50 million for legal persons. Submission deadlines for these directives have passed, with thousands of reports outstanding. Despite the complexities surrounding these processes, Mooij encourages accountable institutions to submit their reports and remain compliant or face penalties.
The final webinar in our series led by Jan de Beer provided a more comprehensive overview of ongoing FIC reporting obligations, covering reporting types and expectations for the future of the legislation. Numerous reporting obligations were discussed, such as terrorist property reports, suspicious transaction reports, and the significant impact of these reports in helping block funds and recover criminal proceeds. De Beer unpacked the information required under sections 28, 30 and 31 of the FIC Act, emphasising the importance of applying judgment to determine if a transaction is unusual or suspicious and no longer relying solely on thresholds. Overall, the webinar stressed the need for businesses to stay informed about regulatory changes, conduct proper due diligence, and adapt their reporting practices to meet evolving obligations.
Our webinar series untangled some of the complexities around the FIC Act, providing risk, compliance, and legal professionals with a good starting guide to fulfilling these constantly evolving obligations. However, having the right tools at your disposal is key. Lexis KYC is an intelligent, cost-effective solution aimed at small and medium-sized businesses allowing them to do more than their due diligence when it comes to vetting employees and clients. Lexis KYC plugs into global data to create free customisable risk assessments that identify risks and rank them according to low, medium, or high. Cut out complexity to ensure compliance with FICA through the rapid and accurate identification of potential entities that present regulatory, reputational, or financial risk to your organisation.