How to draw up a risk management and compliance programme
The Financial Intelligence Centre shares guidelines to document your company's programme against money laundering and terrorist financing
Accountable institutions that do not develop and implement an effective risk management and compliance programme (RMCP) are particularly vulnerable to threats of financial crime such as money laundering and terrorist financing.
The international Financial Action Task Force assessment of SA's system for combating money laundering, terrorist financing and proliferation financing has flagged the inadequate implementation of risk management among certain business sectors.
In the mutual evaluation report released in October 2021 after the assessment, the task force found that accountable institutions that are designated non-financial businesses and professions, such as legal practitioners, property practitioners, and trust company service providers, had an undeveloped identification and understanding of money laundering risks. To mitigate their risks, these institutions need to enhance their RMCPs.
Section 42 of the Financial Intelligence Centre (FIC) Act sets out the requirement for accountable institutions to develop and implement a RMCP.
To assist accountable institutions to enhance their risk understanding and application through their RMCPs, the FIC published draft public compliance communication 114 (draft PCC 114), which offers guidance on how to adequately document such a RMCP.
The documentation of a RMCP must describe all the controls the accountable institution has in place internally to combat money laundering, terrorist financing and proliferation financing.
The RMCP document must set out the governance controls, the money laundering, terrorist financing and proliferation financing risk assessments as well as aspects including the risk-rating framework, customer due diligence, targeted financial sanctions aimed at terrorist financing, proliferation financing, prominent influential person controls, account monitoring, reporting and record-keeping controls.
Draft PCC 114 emphasises the importance of the accountable institution documenting the inherent money laundering, terrorist financing and proliferation financing risks, its understanding flowing from the assessment of risks in these areas, the risk mitigation measures, monitoring and management measures in the RMCP. The risk-based approach must provide for business-level, new products and processes, as well as client-level risk assessments.
As an outcome of the risk assessments, the accountable institution can make informed decisions as to the appropriate methods, levels of verification and enhanced controls that must be applied in a given circumstance, for example, the manner in which enhanced due diligence is conducted where a high-risk business relationship has been identified.
As part of the customer due diligence processes, the accountable institution must set out the manner in which it conducts customer due diligence on the different types of potential clients, existing clients, beneficial owners, people acting on behalf of the client and other people.
The RMCP must include how the accountable institution will scrutinise client information to identify people included on a targeted financial sanctions list, as published in terms of section 26A of the FIC Act. One of these targeted financial sanctions lists can be found on the FIC's website, while a consolidated sanctions list can be found on the UN Security Council's website.
The accountable institution must document how it conducts account monitoring, that is, whether this will be done manually, via an automated process or an end-to-end internal process for identifying possible reportable transactions.
The documented record-keeping processes must clearly indicate which records are kept, how, for what periods and who has access to them, as well as what confidentiality controls are in place. Where any record-keeping obligations are outsourced to third parties, the RMCP must describe these processes.
Lastly, draft PCC 114 provides an example of an RMCP template, which could aid smaller accountable institutions that are designated non-financial businesses and professions when developing the written RMCP document. The template is a basic framework that accountable institutions can build on, customise and enhance to suit the money laundering, terrorist financing and proliferation financing risks unique to their business.
The FIC strongly cautions accountable institutions against copying the template document “as is” without making changes to adapt it to their own institution. The accountable institution would be non-compliant with the FIC Act obligations if it does not customise the RMCP template, as it would not be able to demonstrate that it has adequately identified, assessed, monitored, mitigated or managed its money laundering, terrorist financing and proliferation financing risks.
The accountable institution must be able to demonstrate through its RMCP that it has applied its mind to identifying and assessing the money laundering, terrorist financing and/or proliferation financing risks, and developed and implemented controls aimed at monitoring, mitigating and managing that risk.
This article was paid for by the Financial Intelligence Centre.