Developing and implementing a risk management and compliance programme (RMCP) is an important starting point for legal practitioners to take when applying a risk-based approach to combating money laundering, terrorist financing and proliferation financing.

Listed as accountable institutions, legal practitioners are required to develop, document, maintain and implement an RMCP in terms of section 42 of the FIC Act.

Legal practitioners must conduct thorough assessments to identify and understand the money laundering, terrorist financing and proliferation financing risks specific to their business and operating environment. To mitigate the identified risks, legal practitioners must refine and implement their RMCPs which outline in detail their approach to anti-money laundering (AML), combating the financing of terrorism (CFT) and combatting proliferation financing (CPF).

The RMCP should reflect management’s approach towards combating money laundering, terrorist financing and proliferation financing and can act as a reference document for employees. For guidance on drafting an RMCP please refer to the FIC’s public compliance communication (PCC) 53.

Identifying money laundering, terrorist financing and proliferation financing risks

Each institution’s RMCP must include the way it identifies, assesses, monitors, mitigates, and manages money laundering, terrorist financing and proliferation financing (ML/TF/PF) risk. This also includes the way the institution rates the level of ML/TF/PF risk.

The ML/TF/PF risk assessment and identification is the basis of an accountable institution’s RMCP. As a first step, it is vital that the institution spends time and effort on identifying and assessing risk.

A client-level risk matrix could serve as a tool to provide an objective basis for the assessment of several risk indicators in relation to a business relationship or single transaction with a client. The RMCP must document how the accountable institution risk rates or weighs the various indicators, characteristics, and the method of determining the overall risk ratings.

The appropriate levels of verification and enhanced controls must be applied in each circumstance based on risk assessment results.

The monitoring, mitigating and management controls that must be applied to the different risk ratings must be clearly noted. For a discussion of risk, please refer to the FIC’s Guidance Note (GN) 7.

Customer due diligence

The legal practitioner must include customer due diligence (CDD) processes in their RMCP. This includes conducting CDD on the different types of clients, beneficial owners, persons acting on behalf of clients and other persons, and enhanced due diligence where a high-risk business relationship or single transaction has been identified.

Targeted financial sanctions

Accountable institutions must outline the process for scrutinising clients when on-boarding them, (and the recording of the match or non-match depending on the outcome) in the RMCP. Institutions are required to search for mention of their clients against two lists, the targeted financial sanctions (TFS) list as published on the FIC website and the United Nations Security Council website. Where a person is listed on a targeted financial sanction list the accountable institution cannot provide services to that person. Refer to PCC 44 for further information in this regard.

Account transaction or activity monitoring

An institution must include in its RMCP, its processes for monitoring transaction activity. To determine whether the client’s activity is consistent with the client’s business and risk profile as per section 21C of the FIC Act.

The RMCP should include the way an institution will examine complex and unusually large transactions and unusual patterns of transactions which have no apparent business or lawful purpose, as well as the process to keep written findings of their decisions in this regard.

Reporting controls

The institution should include the reporting process in their RMCP which sets out:

• The end-to-end internal process for identifying possible reportable transactions in terms of cash threshold reports, suspicious and unusual transaction reports, and terrorist property reports.
• Who must submit the report, and the periods within which the reports must be submitted to the FIC.
• The process in place to deal with section 27, section 32, section 34 requests, and section 35 monitoring orders in terms of the FIC Act.
• A clear instruction of no tipping off and the non-disclosure of reports to other persons as per section 53 of the FIC Act.

Please refer to Guidance Notes 5B, 4B and 6A for further information on the different types of reports.

Record-keeping controls

An institution must document its record-keeping process in the RMCP. This process should clearly indicate records access and confidentiality controls. This process could include:

• What records must be kept
• In what format the records will be kept e.g., hard copies or electronic records
• The period for which records must be kept
• If the records are kept by a third party, the details thereof in terms of the Money Laundering and Terrorist Financing Control Regulations. 

Legal practitioners should be prepared to amend and update their RMCP, as it is a living document which may change depending on new or evolving risks identified through their risk assessments.

For more information and guidance refer to the FIC website (www.fic.gov.za), for various guidance notes and public compliance communications. Alternatively, contact the FIC’s compliance contact centre on +27 12 641 6000 or log an online compliance query on the FIC website.