In terms of the amended section 42 of the Financial Intelligence Centre Act, No. 38 of 2001 (“the FIC Act”) all accountable institutions, as from 02 October, 2017 must have a Risk Management and Compliance Programme (“RMCP”). Gone are the Internal Rules and shortly accountable institutions must develop, document, maintain and implement a RMCP.
In a recent contact session in September 2017, the Financial Intelligence Centre (“the Centre”) indicated that it understands that all accountable institutions may not be quite ready with the implementation of the various new sections which will be effective as from 02 October 2017. The Centre and the Supervisory Bodies will therefore not immediately commence with enforcement regarding non-compliance with these new sections. A word of caution to accountable institutions though – you still need to comply with the old applicable sections of FIC Act. Don’t for a moment think that the Centre and the Supervisory Bodies will not take enforcement action on what you have been supposed to haven been complying with. The sooner accountable institutions fully comply with the new provisions such as the risk-based approach, customer due diligence, the RMCP, sanctions screening etc. the better.
However as much as accountable institutions cannot delay with constructing a RMCP, speed is not the main issue but what is rather required, is a properly constructed, well considered Risk-Based Approach (“RBA”) and a RMCP that portrays the accountable institutions knowledge and understanding of the Risk-Based Approach, the FIC Act and the Anti-Money Laundering/Terrorist Financing (“AML/TF”) regulatory framework. If you are an accountable institution you would want amaze and bedazzle the Centre and Supervisory Bodies with the quality of your RMCP and your insight. In terms of the new section 42(4) of the FIC Act, the Centre or the relevant Supervisory Body may request a copy of an accountable institution’s RMCP and the accountable institution must provide it upon request. Accountable intuitions will be foolish to underestimate the impact that this section will have on compliance monitoring and ultimately on enforcement of the FIC Act. A poorly drafted RMCP will leave accountable institutions and especially the board of directors and senior management, exposed.
Accountable institutions must develop, document, maintain and implement a RMCP that incorporates all the elements in the FIC Act that are linked to the Customer Due Diligence measures.
WHAT MUST A RMCP BE COMPOSED OF?
Section 42 of the FIC Act is clear on what should be contained in the RMCP. If an accountable institution is of the view that any requirement in section 42 of the FIC Act is not applicable to it then it must indicate so in its RMCP and it must provide reasons why these requirements are not applicable to it.
The content of the RMCP should consist of how an accountable institution:
- Identifies, assesses, monitors, mitigates and manages ML/TF risk;
- Determines if a person is a prospective or existing client;
- Ensures that it has no anonymous clients;
- Identifies and verifies different types of clients;
- Determines if future transactions are consistent with its knowledge of a prospective client;
- Conducts additional due diligence for legal persons, partnerships and trusts;
- Conducts ongoing due diligence and account monitoring;
- Examines and retains (keep) written findings of; complex or unusually large transactions and unusual patterns of transactions which have no apparent business or lawful purpose;
- Confirms information relating to a client where there are doubts about the veracity of previously obtained information;
- Performs Customer Due Diligence in the course of a business relationship where the accountable institution suspects that the activity or the transaction is suspicious;
- Terminates existing business relationships in circumstances where it is unable to conduct customer due diligence;
- Determines if a prospective client is a foreign or domestic prominent person;
- Conducts enhanced due diligence for high risk relationships and when simplified Customer Due Diligence may be allowed;
- Keep records and confirms where such records are kept;
- Determines if a transaction or activity is reportable to the Centre;
- Provides for processes for reporting information to the Centre.
The RMCP must provide for the manner in which:
- The RMCP is implemented in branches, subsidiaries and other operations in foreign countries so as to enable the institution to comply with its obligations under this FIC Act;
- The accountable institution will determine if the host country of a foreign branch or subsidiary permits the implementation of measures required under the FIC Act; and
- The accountable institution will inform the Centre and the relevant Supervisory Body if the host country mentioned above does not permit the implementation of measures as required by the FIC Act.
The RMCP must provide for the processes that the accountable institution will use to implement the RMCP. Lastly the FIC Act has a catch all phrase that stipulates that a RMCP must provide for any prescribed matter.
Accountable institutions must review their RMCPs at regular intervals, in order to ensure that it remains relevant to their operations at all times. Not only must the RMCP be made available to employees of the accountable institution, involved in transactions to which the FIC Act applies, but they must also receive training on the contents. In line with the general governance theme of the new FIC Act amendments the board of directors, senior management or other person or group of persons, who exercises the highest level of authority in the accountable institution, must approve the RMCP. Accountability for the RMCP sits right at the top of an organisation.
The Centre in issuing draft Guidance Note 7 addresses some issues pertaining to the RMCP. It is anticipated that there will [hopefully] be lots of guidance issued to assist accountable institutions with constructing a Risk-Based Approach and with the drafting of a RMCP. An accountable institution’s ability to apply the Risk-Based Approach effectively is dependent on the quality of its RMCP. The Centre emphasizes that a RMCP does not only compromises of policy documents but also procedures, systems and controls. In my view, it is very much a “how to” guide. Again, I urge accountable institutions to apply their minds in the construction of the RMCP and to ensure that it meets the expectations of the legislation and the Regulator.
The 2017 FIC Act amendments have dawned a new era in FIC Act compliance obligations and the RMCP is a magnifying glass through which one should view these obligations. Accountability for the RMCP sits right at the top and it is the board of directors and senior management who must take ownership of the RMCP and who will ultimately be held accountable if the content of the RMCP is found to be inadequate.
The Centre in its Draft Guidance Note 7 suggests that a RMCP should include the following:
- A description of the board of directors or senior management’s accountability and the appointment of a person with adequate seniority and experience to assist with ensuring compliance with the FIC Act. The overall responsibility for the establishment and maintenance of effective AML/CFT systems and controls be allocated expressly to a specific director or senior manager and that this be described in the accountable institution’s RMCP.
- Appropriate training on money laundering and terrorist financing to ensure that employees are aware of, and understand, their legal and regulatory responsibilities and their role in handling criminal property and money laundering/terrorist financing risk management;
- Provision of regular and timely information to the board of directors or senior management relevant to the management of the institution’s money laundering/terrorist financing (ML/TF) risks;
- Appropriate documentation of the institution’s risk management policies and risk profile in relation to money laundering and terrorist financing, including documentation of the institution’s application of those policies;
- Appropriate descriptions of decision-making processes in respect of the application of different categories of Customer Due Diligence and other risk management measures, including escalation of decision-making to higher levels of seniority in the accountable institution where necessary; and
- Appropriate measures to ensure that money laundering risks are taken into account in the day-to-day operation of the institution, including in relation to:
– The development of new products;
– The taking-on of new clients; and
– Changes in the institution’s business profile.
An accountable institution’s RMCP must be in line with the size and complexity of the institution and the nature of its business. A RMCP for an accountable institution which does not provide a wide range of products or services or deal with a diverse range of clients could be relatively simple, whilst the RMCP of a complex financial institution would be expected to be much more complex in nature.
The nature and extent of an accountable institution’s internal systems and controls which form part of its RMCP depends on a variety of factors, including:
- The nature, scale and complexity of the accountable institution’s business
- The diversity of its operations, including geographical diversity;
- Its client, product or services profile;
- Its distribution channels;
- The volume and size of its transactions; and
- The degree of risk associated with each area of its operation.
Accountable institutions which operate in groups of companies may implement group-wide RMCPs. In doing so accountable institutions must ensure that the various elements of group-wide RMCPs, including internal processes, systems and controls are appropriate for the different entities within the group and adequately tailored where necessary.
As already mentioned above, accountable institutions which operates in jurisdictions outside of South Africa should also be aware of local AML/CFT obligations in all jurisdictions where they operate. This should be reflected in the accountable institution’s RMCP. Procedures should be in place to meet local AML/CTF obligations in each jurisdiction where an accountable institution operates. If there are conflicts between South African and local AML/CTF requirements and meeting local requirements would result in a lower standard than in the South Africa the accountable institution must implement measures which meet the South African requirements.
It is important that the content of an accountable institution’s RMCP is communicated widely throughout the institution, as may be applicable, to increase the effectiveness of its implementation. Rest assured that the knowledge and understanding of the staff of accountable institutions will be tested by the Centre and by the Supervisory Bodies.
The RMCP is in my view the embodiment of an accountable institutions understanding of its risks for being abused for ML/TF. Initially the word “Programme” in RMCP was peculiar and now, after having regard for the amendments and the Centre’s Guidance, the word choice seems more deliberate and purposeful and less random. Who says that the RMCP must only consist of one document or one format. I believe that accountable institutions have a discretion as to the form, look and feel. The crux of the matter lies in understanding the obligations and in producing a carefully crafted product that portrays knowledge and understanding.
I view the RMCP as a vehicle that will never reach its destination. The RMCP will never be finalised and that is the nature of it. If accountable institutions think that they will construct it and file it away, then they do not have a proper understanding of these concepts.
Much easier said than done though. Here is hoping that your RMCP will be a pillar of strength and not your Achilles heel. Good luck.
Article written for CPB by Advocate Jan Augustyn
Advocate Jan Augustyn has been a Regulator, and specifically an enforcer of compliance for over 15 years He has also witnessed the compliance challenges that industry faces through his consultation and legal representation over the last 3 years. Jan writes and conducts presentations on FICA and related issues. Jan has been appointed by Consumer Profile Bureau as their FICA Compliance counsel specialist.
Consumer Profile Bureau (CPB) has taken the market by storm with their unique “paperless” FICA solution that allows Accountable Institutions to ensure compliance and risk mitigation in terms of their Risk Based Compliance Programme.