Expert advice on FIC compliance

A R10 million fine for an FSP’s non-compliance with Financial Intelligence Centre (FIC) regulations made headlines in October. Ensuring compliance with the FIC Act is a priority. Your compliance officer can assist, but you are ultimately responsible for ensuring you identify your clients, money laundering and other risks, and implement an RMCP. Kobus Wentzel, Group Distribution Executive at 1Life Insurance and Clientèle, talks to the experts so you can get on top of your FIC compliance.

Financial advisers and FIC compliance

Accountable institutions, which includes FSPs, need to register with the FIC, ensure risks are identified, complete due diligence and required reporting and implement a risk management compliance programme (RMCP).

Register with the FIC

“All accountable institutions must register with the FIC,” says Clive Stephenson, Compliance Consultant at Masthead. Accountable institutions include, among others:

• All FSPs licensed by the FSCA
• Banks, attorneys, estate agents, insurance businesses and certain investment institutions
• Crypto asset service providers (CASPs)

Stephenson adds that FSPs conducting short-term insurance and health service benefits business who were previously exempt must now comply with section 26B and section 29 of FICA and register as a “Business Entity with a Reporting Obligation in terms of section 29 of the FIC Act”.

Stephenson says that FSPs may also need to register more than once, known as dual registration in terms of the following:

Dual registration: an accountable institution must be registered with the FIC itself and with its sector regulator.

Category registration: when a business conducts certain different categories of activities that fall under more than one of the accountable institutions categorised in Schedule 1 of FICA, it must register each category separately with the FIC on the GoAML website, both as an FSP and a CASP accountable institution.

Keep your registration updated

FSPs also need to make sure their details are updated with the FIC if circumstances change, such as:

• Change of business name, address or contact details
• Change in compliance officer details
• Structural or ownership changes

Identify your exposure to risks

Risks include money laundering, where funds are channelled from a criminal business to a legitimate business, terrorist financing and proliferation financing.

Stephenson explains that terrorist financing involves providing funds or assets directly or indirectly, knowing or intending that they will be used to commit, facilitate or carry out a terrorist act or benefit terrorist organisations. Proliferation financing is the act of providing funds or financial services directly or indirectly that support the development, acquisition, manufacture, transport or use of nuclear, chemical, or biological weapons and their delivery systems. In simple terms, this is money movement linked to weapons of mass destruction. “It covers not only buying the weapons but also financing the technology, materials, transport and logistics that make proliferation possible.”

Stephenson notes that FSPs must consider their business risk factors such as client types, products, services, delivery channels and geographic location of business and clientele as risk factors.

Examples of where risks may be present include when there is:

• Anonymity: when you don’t know who the client or beneficiary or payer is
• A third-party transaction: one person or organisation is the owner, another the payer, another the beneficiary
• Cross border transaction: including all Southern Africa countries such as Lesotho and Eswatini
• Cash: or quick payments of benefits such as when a claim is made on a short-term policy shortly after taking it out
• Cooling off cancellations: a client pays R100 000 for a structured product and then invokes the cooling off cancellation and receives a R100 000 back: money laundered
• Offshore residence: including in high-risk jurisdictions, such as when a particular client’s country of residence or jurisdiction is grey or blacklisted, as per the FATF “Black and grey lists” published on their website

Knowing where and how you are exposed to risks strengthens customer due diligence, one of the most critical FIC compliance areas for advisers.

Have a clear customer due diligence (CDD) process in place

KYC may have had a bad reputation in the past, but it is now as essential as submitting annual financial statements to the FSCA.

When completing a CDD Stephenson says you must always consider:

• Who the client is
• What they’re doing
• Where the funds flow
• How they interact with your products

He has three easy steps for a CDD:

1. Implement clear onboarding and verification steps (KYC)
2. Apply enhanced due diligence for high-risk clients and simplified measures for low-risk clients.
3. Include ongoing due diligence with periodic reviews every 3 years for low-risk clients, 2 years for medium-risk clients and annually for high-risk clients

Put your CDD processes in writing and make sure all agents and representatives are aware of and follow your CDD.

You should also screen clients and counterparties against Targeted Financial Sanctions (TFS) lists, UN sanctions, and other relevant local or international lists. Your compliance officer can advise on these.

Finally, remember to report any suspicious transaction to the FIC and “never tip off the client regarding this.”

Enhanced due diligence for high-risk clients and PEPs

Higher risk clients and Politically Exposed Persons (PEPs) require more due diligence measures. Stephenson says these include a certified copy of KYC documents and a source of funds check, such as against bank accounts, salary slips, proof of sale agreements or audited financial statements.

Stephenson says FSPs need to monitor PEPs and flag any unusual or complex financial transactions and conduct annual due diligence reviews.  

Representatives should also always check with the FSP KI or compliance officer when onboarding a PEP client, and product providers should be notified as they may require further checks.

A word on legacy clients

These clients are long-standing clients whose files may not meet current FICA CDD standards and requirements. “Legacy clients should be reviewed, reverified and updated in line with your risk management compliance programme, prioritising clients that pose a higher risk,” says Stephenson.

Set up a risk management and compliance programme (RMCP)

Not having this or following it has resulted in fines and suspensions so make it a priority. Stephenson says your RMCP must be tailored to your business. “The regulators expect the RMCP to address a business’ specific risks, and a one-size-fits-all approach won’t do. Some accountable institutions were fined despite having RMCPs because theirs weren’t customised or properly implemented.”

Stephenson says your RMCP is “your formal compliance framework required under FICA” and should describe:

• Your risk assessment approach, known as Business Risk Assessment, which includes Inherent and Residual Risks of the business.
• CDD processes: the simplified to enhanced CDD measures in place.
• Screening against UN sanctions lists using the FIC search tool on the FIC website or accredited KYC screening tools.
• Record-keeping, for at least five years after a business relationship ends.
• Reporting Suspicious and unusual Transactions Reports (STR), Cash Threshold Reports (CTR) for transactions above R49 999, Terrorist Property Reports (TPRs), Suspicious Activity Reports (SAR), Terrorist Financing Activity Reports (TFAR) and Terrorist Financing Transaction Reports (TFTR).
• Staff training, which should cover FIC and money laundering and an RMCP test assessment for all staff, be ongoing, at least once a year, and ensure the RMCP processes and requirements are followed.

Prioritise, get help and implement

Advisers need to make FIC compliance a priority. The requirements are broad and complex, so it’s essential to understand and implement them correctly. Your compliance officer and product providers can help, so don’t hesitate to seek guidance or clarification.

The FSCA has increased inspections and is issuing fines for non-compliance. Acting proactively will help ensure your FSP remains fully compliant and protected.