Are You FICA Compliant? 7 Key Requirements You Need to Know
The Financial Intelligence Centre Act (FICA) was introduced to fight financial crime, such as money laundering, tax evasion, and terrorist financing activities by making it more difficult for criminals to benefit from the proceeds of crime. The FIC Amendment Act (FICAA) brings South Africa closer to international standards and best practices recommended by the Financial Action Task Force (FATF).
The key obligations in terms of the FIC are:
1. Register with the FIC
Accountable and Reporting Institutions are required to register with the Financial Intelligence Centre (FIC). Registration can take place on the FIC’s goAML EE online system which can be accessed via the FIC’s website www.fic.gov.za
2. Appoint an Anti-Money-Laundering (AML) / Combating the Financing of Terrorism (CFT) Compliance Officer
The senior management or board of directors of an Accountable Institution need to formally appoint a Compliance Officer to ensure compliance with FICAA. Ideally, the person appointed should have the competence and seniority to ensure the effectiveness of the Accountable Institution’s compliance function.
3. Develop an RMCP
Accountable Institutions are required to apply a risk-based approach when establishing a business relationship and/or conducting a single transaction with a client. Part of this risk-based approach includes developing controls which mitigate and manage the businesses’ anti-money laundering risks, and fulfil the FICA requirements. All the controls developed and implemented should be documented to form part of their risk management and compliance programme (RMCP). The RMCP should be reviewed and continuously updated (where necessary) to ensure that they are effective and sufficient.
4. Perform Customer Due Diligence
An important part of mitigating risk to your business is performing customer due diligence. Customer due diligence refers to the process of analysing information about an individual or legal person from multiple sources. This means that to adequately perform due diligence you will need to collect and evaluate specific information to truly know your client and ultimately ensure that your client is who they say they are.
Not only does this include collecting and analysing documentation but it should also include:
- Verifying the identity of an individual or the registration of a legal person and their address or location
- Obtaining information regarding the economic sector or occupation of your client
- Obtaining information regarding the nature and purpose of your client’s relationship with you
- Monitoring transactions
- Developing a risk rating scheme to categorise your clients
- Checking data against third-party data sources
- Identifying the source of funds
- Identify whether your client, a related party, authorised person or Ultimate Beneficial Owner (UBO) is on a sanctions list or has appeared in any adverse media
- Identify whether your client, a related party, an authorised person or UBO is a Domestic Prominent Influential Person (DPIP) or Foreign Prominent Public Official (FPPO) and then carry out enhanced due diligence on them. (As of 29 December 2022, Domestic Prominent Influential Persons (DPIPs) and Foreign Prominent Public Officials (FPPOs) have been replaced with the acronyms Domestic Politically Exposed Persons (DPEPs) and Foreign Politically Exposed Persons (FPEPs).
5. Submit reports to the FIC
Both Accountable and Reporting Institutions are obligated to report any suspicious behaviour or transactions to the FIC. This includes reporting any cash transaction in excess of R49 999. This is known as a cash threshold report (CTR). Other types of reports that can be submitted are known as a suspicious transaction or suspicious activity reports (STRs/SARs). These reports should be submitted when there is either a transaction or activity by the client that appears to be suspicious or unusual. Lastly, the fourth type of report that can be submitted is a terrorist property report (TPR). A TPR should be submitted when you think your client may possess or control property belonging to a client that could be linked to terrorism.
6. Record Keeping
FICAA requires Accountable Institutions to keep records of not only the due diligence that was carried out, but also details of any transactions that took place – including any counter-parties to those transactions. This is to ensure that evidence is available should the FIC or the authorities require it for an investigation or a prosecution.
These must be kept for a minimum of five years from the later of either; when a client last transacts, when they cease being a client, when a report about them is submitted to the FIC or an active investigation is closed. The key here is to keep records for at least 5 years. It can be in paper or electronic form – it doesn’t matter as long as it is kept securely, safely, in confidence and is accessible by the FICAA Compliance Officer.
7. Ongoing Training
According to section 43 of the FICAA Accountable Institutions must provide ongoing training relating to AML/CFT to its employees with the purpose of complying with the provisions set out by FICAA and their internal RMCP.
Accountable Institutions should bear in mind that the FICAA training requirement is not optional and businesses that fail to provide their employees with the required training, are regarded as non-compliant with the Act and could face potential administrative sanctions.
New Directives – additional requirements to consider
The FIC issued new directives (6,7 & 8) which were gazetted on Sunday 2 April 2023 and backdated to 31 March 2023, when they came into force.
Directive 6 & 7: Serve to inform certain Accountable Institutions that they must submit information regarding their understanding of money laundering, terrorist financing and proliferation financing risks and their assessment of compliance with obligations in terms of the FIC Act to the FIC through a risk and compliance return.
Directive 8: Requires Accountable Institutions to screen prospective employees and current employees for competence and integrity, as well as to scrutinise employee information against the Targeted Financial Sanctions lists, in order to identify, assess, monitor, mitigate and manage the risk of money laundering, terrorist financing and proliferation financing.