THE RISK MANAGEMENT AND COMPLIANCE PROGRAMME AS A COMPLIANCE TOOL IN  KIT DURING THE COVID-19 PANDEMIC

1. INTRODUCTION:

The Financial Intelligence Centre (“FIC”) on 30 March 2020 issued Public Communication (“PCC”) 46 on the Commencement and Enforcement of the Financial Intelligence Centre Act No. 38 of 2001 as amended by the Financial Intelligence Centre Amendment Act, No.1 of 2017. PCC 46 confirms that all provisions that commenced on 02 October 2017 or prior to this date, was enforceable as at 02 October 2020. However, the Prudentail Authority (“PA”) and the Financial Sector Conduct Authority (“FSCA”) in conjunction with the FIC, permitted a transitional period whereby the sanctioning of non-compliance in respect of these amendments are deferred until 01 April 2019. Clearly through the issuing of PCC 46 on 30 March 2020, the FIC is drawing a line in the sand, indicating that non-compliance with the amendments that became effective on 02 October 2017 and prior thereto, will now be subject to Administrative Sanctions. The principle is simple, if AIs don’t comply by 01 April 2019, they run the risk of enforcement action imposed upon them.

One of the major amendments that became effective on 02 October 2017, is the scrapping of the Internal Rules in section 42 of the Financial Intelligence Centre Act, No. 38 of 2001, as amended (“FIC Act”) in favour of the Risk Management and Compliance Programme (“RMCP”).

In previous articles, early after the amendments became effective on 02 October 2017, I proclaimed that, speed is not the main issue but what is rather required, is a properly constructed, well considered Risk-Based Approach (“RBA”) and a RMCP that portrays the accountable institution’s (“AI’s”) knowledge and understanding of the Risk-Based Approach, the FIC Act and the Anti-Money Laundering/Terrorist Financing (“AML/TF”) regulatory framework. AIs must amaze and bedazzle the Centre and Supervisory Bodies with the quality of your RMCP and your insight into anti-money laundering.

That was some time ago and today, in May 2020, there is no excuse for AIs not to have developed, documented, implemented and is maintaining such a RMCP. In terms of section 42(4) of the FIC Act, the FIC or the relevant Supervisory Body, may request a copy of an AI’s RMCP and the AI must provide it. It would be foolish to underestimate the impact that this section has on compliance monitoring and ultimately on enforcement of the FIC Act. A poorly drafted RMCP will leave AIs and especially the board of directors and senior management, vulnerable and exposed.

AIs must develop, document, maintain and implement a RMCP that incorporates all the elements in the FIC Act that are linked to the Customer Due Diligence measures. The responsibility to comply with the FIC Act and the RMCP falls squarely on The Board of Directors in the case of a legal person, or the senior management in the absence of a Board of Directors.  Accountability in terms of the FIC Act sits right at the top and there is no escaping it.

2. COVID-19 PANDEMIC:

The COVID-19 global Pandemic and the various levels of lockdown impacts severely and negatively on both individuals and businesses worldwide. On the one hand there is need to deal with the health issues and accompanying health protocols and on the other hand there are the various debilitating effects on businesses and its staff members. Some business can operate if authorised to do so in terms of the Regulations issued under the Disaster Management Act, 2002. Other businesses will join those that can operate, under the various levels, when allowed and in a phased-in approach.

On 21 April 2020, in a joint communication the Prudential Authority, the National Payment System Department, the Financial Surveillance Department of the South African Reserve Bank, the Financial Sector Conduct Authority and the Financial Intelligence Centre issued Joint Communication 2 of 2020 regarding the Covid-19 pandemic. This response focuses on the observed and possible impact of the pandemic on South African AIs which are supervised by the Authorities (Supervisory Bodies). It also relates to ensuring the compliance of AIs with their legislative obligations in terms of the Financial Intelligence Centre Act, Act 38 of 2001 (the FIC Act).

These Supervisory Bodies recognised that the Covid-19 pandemic may have an impact on the manner in which AIs operate, particularly in regard to their compliance with certain provisions of the FIC Act. They emphasised that they are cognisant that the Covid-19 pandemic may present criminals with further opportunities to engage in illicit or unlawful activities. The Financial Action Task Force (FATF) on 1 April 2020, encouraged governments to work with AIs and other businesses in support of Covid-19 aid and efforts to curtail the spread thereof, whilst remaining alert to new and emerging risks. The statement[1] encouraged applying flexibility to the application of the FATF’s risk-based approach, and the fullest use of reliable digital customer on-boarding[2]. Such an approach would accord well with the discretion and flexibility afforded to AIs as reflected in the customer due diligence obligations of the FIC Act. The Supervisory Bodies support the FATF statement and state as follows; ”The Authorities adopt the stance of FATF as mentioned in its recent publication following the onset of COVID-19, whereby it encourages the use of technology, including Fintech, Regtech and Suptech[3] to the fullest extent possible”.

The Supervisory Bodies nevertheless expect that AIs continue to operate their businesses in a prudent and socially responsible manner and ensuring compliance with the FIC Act obligations. The Joint Communication outlines some of the potential actions that can be taken by AIs to assist in achieving compliance with the FIC Act. It furthermore implored AIs to act prudently, whilst remaining cognisant of the role the financial sector plays within the broader South African economy, as well as their role in countering and mitigating money laundering, terrorist financing and proliferation financing risk, in this sector.

I predict that this Joint Communication will not be the last regarding COVID-19 during the various stages of lockdown. Undoubtedly the COVID-19 pandemic and Lockdown will affect AIs and they must study the content of Joint Communication 2 of 2020 and any other future communications regarding this issue, to ensure that they make informed decisions.

3. WHAT MUST A RMCP CONSIST OF:

Section 42 of the FIC Act stipulates what should be contained in a RMCP. If an accountable institution is of the view that any requirement in section 42 of the FIC Act is not applicable to it then it must indicate so in its RMCP and it must provide reasons why not.

The content of the RMCP should consist of how an AI:

• Identifies, assesses, monitors, mitigates and manages ML/TF risk.
• Determines if a person is a prospective or existing client.
• Ensures that it has no anonymous clients.
• Identifies and verifies different types of clients and why.
• Determines if future transactions are consistent with its knowledge of a prospective client.
• Conducts additional due diligence for legal persons, partnerships and trusts.
• Conducts ongoing due diligence and account monitoring.
• Examines and retains (keep) written findings of;
  • complex or unusually large transactions and
  • unusual patterns of transactions which have no apparent business or lawful purpose.
• Confirms information relating a client where there are doubts about the veracity of previously obtained information.
• Performs Customer Due Diligence in the course of a business relationship where the AI suspects that the activity or the transaction is suspicious.
• Terminates existing business relationships in circumstances where it is unable to conduct customer due diligence.
• Determines if a prospective client is a foreign or domestic prominent person.
• Conducts enhanced due diligence for high risk relationships and when simplified Customer Due Diligence may be allowed.
• Keep records and where such records are kept.
• Determines if a transaction or activity is reportable to the Centre.
• Provides for processes for reporting information to the Centre.

The RMCP must provide for the manner in which:

• The RMCP is implemented in branches, subsidiaries and other operations in foreign countries so as to enable the institution to comply with its obligations under this FIC Act.
• The AI will determine if the host country of a foreign branch or subsidiary permits the implementation of measures required under the FIC Act; and
• The AI will inform the Centre and the relevant Supervisory Body if the host country mentioned above does not permit the implementation of measures as required by the FIC Act.

The RMCP must provide for the processes that the AI will use to implement the RMCP. Lastly the FIC Act has a catch all phrase that stipulates that a RMCP must provide for any prescribed matter.

RMCPs must be reviewed frequently, to ensure that it always remains relevant to operations. The RMCP be made available to employees of the AI, involved in transactions to which the FIC Act applies, and they must also receive training on the contents of it. In line with the general governance theme of the new FIC Act amendments, the board of directors, senior management or other person or group of persons, who exercises the highest level of authority in the AI, must approve the RMCP. Accountability for the RMCP sits right at the top of an organisation.

4. GUIDANCE NOTE 07 OF 02 OCTOBER 2017:

The Centre in issuing draft Guidance Note 7, addresses some issues pertaining to the RMCP amongst others:

• A description of the board of directors’ or senior management’s accountability and the appointment of a person with adequate seniority and experience to assist with ensuring compliance with the FIC Act. The overall responsibility for the establishment and maintenance of effective AML/CFT systems and controls be allocated expressly to a specific director or senior manager and that this be described in the AI’s RMCP.
• Appropriate training on money laundering and terrorist financing to ensure that employees are aware of, and understand, their legal and regulatory responsibilities and their role in handling criminal property and money laundering/terrorist financing risk management.
• Provision of regular and timely information to the board of directors or senior management relevant to the management of the institution’s money laundering/terrorist financing (ML/TF) risks.
• Appropriate documentation of the institution’s risk management policies and risk profile in relation to money laundering and terrorist financing, including documentation of the institution’s application of those policies.
• Appropriate descriptions of decision-making processes in respect of the application of different categories of Customer Due Diligence and other risk management measures, including escalation of decision-making to higher levels of seniority in the accountable institution where necessary.
• Appropriate measures to ensure that money laundering risks are considered in the day-to-day operation of the institution, including in relation to:
  • The development of new products;
  • The taking-on of new clients; and
  • Changes in the institution’s business profile.

An AI’s RMCP must be in line with the size and complexity of the institution and the nature of its business. A RMCP for an AI which does not provide a wide range of products or services or deal with a diverse range of clients could be relatively simple, whilst the RMCP of a complex financial institution would be expected to be much more complex in nature.

The nature and extent of an accountable institution’s internal systems and controls which form part of its RMCP depends on a variety of factors, including:

• The nature, scale and complexity of the AI’s business
• The diversity of its operations, including geographical diversity;
• Its client, product or services profile;
• Its distribution channels;
• The volume and size of its transactions; and
• The degree of risk associated with each area of its operation.

AIs which operate in groups of companies may implement group-wide RMCPs. In doing so AIs must ensure that the various elements of group-wide RMCPs, including internal processes, systems and controls are appropriate for the different entities within the group and adequately tailored where necessary.

As already mentioned above, AIs which operates in jurisdictions outside of South Africa should also be aware of local AML/CFT obligations in all jurisdictions where they operate. This should be reflected in the AI’s RMCP. Procedures should be in place to meet local AML/CTF obligations in each jurisdiction where an AI operates. If there are conflicts between South African and local AML/CTF requirements and meeting local requirements would result in a lower standard than in the South Africa the AI must implement measures which meet the South African requirements.

It is important that the content of an AI’s RMCP is communicated widely throughout the institution, as may be applicable, to increase the effectiveness of its implementation. Rest assured that the knowledge and understanding of the staff of AIs will be tested by the FIC and by the Supervisory Bodies.

5. CONCLUSIONS

The RMCP is in my view the embodiment of an AI’s understanding of its risks for being abused for ML/TF. In the COVID-19 environment, it is vital that the AIs consider the information that the FIC and other Supervisory Bodies provide.

I view the RMCP as a vehicle that will never reach its destination. The RMCP will never be finalised and that is the nature of it. If AIs think that they will construct it and file it away, then they do not have a proper understanding of these concepts. The COVID-19 pandemic demonstrates why it is prudent to continuously revisit your RMCP.

The RMCP must display an AIs understanding of its business, products and services being abused for purposes of ML / TF.

A well drafted RMCP may just avert the eye of the FIC or relevant Supervisory Body.

In a time of massive change, as the Globe and South Africa is experiencing during the COVID-19 Pandemic, it is of vital importance for Ais to revisit their RMCPs and to consider guidance provided by FATF and the FIC and Supervisory Bodies. Where chaos reign, criminality and money laundering flourish.

Adv JA Augustyn

May 2020

[1] https://www.fatf-gafi.org/publications/fatfgeneral/documents/statement-Covid-19.html

[2] My emphasis

[3] See Joint Communication 2 of 2020 and specifically paragraph 4, page 3 “Impact On Certain Regulatory Requirements