The Financial Intelligence Centre Amendment Act, 2017: Part 1
Some of the sections of the Financial Intelligence Centre Amendment Act, 2017 (“the FICAA”), which amend the requirements that an accountable institution (“AI”) must comply with in regard to the combating of money laundering and terrorist financing, came into effect on 2 October 2017. The sections that came into effect as such are those that deal with –
- the risk management and compliance programme;
- customer due diligence;
- record keeping; and
The FICAA incorporates a so-called risk-based approach (“RBA”) to compliance elements into the regulatory framework. A RBA requires an AI to understand its potential exposure to money laundering and terrorist financing risks (as opposed to just ticking a compliance box) as, by understanding and managing its money laundering and terrorist financing risks, the AI is able to protect and maintain the integrity of its business and contribute to the integrity of the whole of the South African financial system.
Risk Management and Compliance Programme
The AI must develop, document, maintain and implement a dedicated risk management and compliance programme (“the RMCP”) regarding the combating of money laundering and terrorist financing, which comprise policy documents, procedures, systems and controls that must be implemented within the AI.
The AI’s ability to apply a RBA will effectively be dependent on the quality of its RMCP.
The documentation describing the RMCP must be made available by the AI to each of its employees involved in transactions to which the Act applies. A copy of the RMCP documentation must also, on request, be made available to the Financial Intelligence Centre (“the FIC”) or any supervisory body that performs regulatory or supervisory functions in respect of the AI.
Customer Due Diligence
The principle of client identification and verification is expanded and an obligation on the AI to conduct customer due diligence measures (“CDD”) is introduced. Accordingly, the previous regulations and exemptions relating to client identification and verification have been amended significantly, with most of the regulations having been repealed and exemptions withdrawn.
The AI should use its risk assessment to determine the appropriate level and type of CDD measures that it will apply to a client and should also determine when it considers a person or persons to be a prospective client or clients, to whom the AI’s CDD measures will apply.
The AI’s RMCP must describe the CDD measures which it applies and how these measures are either weakened or strengthened on the basis of its money laundering and terrorist financing risks.
The AI must retain all CDD and transaction records. There is no prescribed manner in which the records must be kept, save that it must be in accordance with the AI’s standard procedures for the capture and retention of records.
The record-keeping requirement is not dependent on risk and it is applicable to all the CDD, transaction and any other information collected.
Appropriate training on money laundering and terrorist financing must be provided to employees of the AI to ensure that they are aware of and understand their legal and regulatory responsibilities, and to enable them to comply with the provisions of the Act, and the provisions of the RMCP that are applicable to them.
Who is responsible for compliance?
The highest authority of the AI, and not only the compliance officer, is now responsible for compliance by the AI and its employees. The highest authority of an AI is, for example, its board of directors, senior management or any other person or persons exercising the highest level of authority of that particular institution.
The AI’s highest authority should be fully engaged in decision making processes and take ownership of the risk-based measures that are implemented, since it will be held accountable if the content of the RMCP, or its application within the AI, is insufficient.
The AI must have a compliance function, and must assign a person with sufficient competence and seniority to ensure the effectiveness of the compliance function.
What are the consequences of failure to comply?
The regulator is empowered to impose administrative sanctions on an AI, which may include the restriction or suspension of certain business activities of the AI and/or financial liability of up to R50 million.
Individuals who are found to be responsible for non-compliance by an AI may be liable for administrative sanction that can involve a financial penalty of up to R10 million.
The imposition of any administrative sanctions on an AI must also be disclosed publicly, unless there are exceptional circumstances that would prohibit such disclosure.
The Financial Intelligence Centre Amendment Act, 2017: Part 2 will deal with the Risk Management and Compliance Programme
Should you require any assistance with the implementation of the relevant sections of the FICAA, please contact us.