IRC - Financial Intelligence Centre Act PDF
Summary
This document is about the Financial Intelligence Centre Act (FICA) in South Africa. It describes the role of the FIC and how it contributes to the criminal justice system by combating financial crimes such as money laundering and terrorist financing. It also outlines the measures the Financial Intelligence Centre implements.
Full Transcript
Financial Intelligence Centre Act (FICA)
----------------------------------------

Why does the FIC exist?

The Financial Intelligence Centre (FIC) exists to apply measures outlined in the Financial Intelligence Centre Act, 2001 (Act 38 of 2001), which are intended to make the financial system intolerant to abuse. The FIC does this by working towards fulfilling its mandate of assisting in identifying the proceeds of crime, combating money laundering, the financing of terrorism and the proliferation of weapons of mass destruction.

What does the FIC do?

As the country's financial intelligence unit, the FIC implements its part of the country's framework for anti-money laundering and combating of terrorist financing by receiving transaction and other data from accountable and reporting institutions and other businesses, conducting analysis on this data and producing financial intelligence from it, for the use of competent authorities in their investigations and applications for forfeiture of assets. In this way, the FIC contributes to the achievements in the criminal justice system.

How does it fulfil its role?

The FIC does this by, among other measures:

- Providing for customer due diligence measures including regarding beneficial ownership
- Providing for a risk-based approach to client identification and verification
- Providing for implementation of financial sanctions and administering resolutions of the United Nations Security Council
- Sharing FIC and supervisory body information with competent authorities
- Providing for risk management and compliance programmes, governance and training on combating money laundering and terrorist financing
- Issuing FIC and supervisory body directives
- Along with supervisory bodies, applying administrative sanctions where there is non-compliance.

### FATF

- The Financial Action Task Force (FATF) is the global money laundering and terrorist financing watchdog.
The inter-governmental body sets international standards that aim to prevent these illegal activities and the harm they cause to society. As a policy-making body, the FATF works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.
- The FATF has developed the FATF [Recommendations](https://www.fatf-gafi.org/publications/fatfrecommendations/documents/internationalstandardsoncombatingmoneylaunderingandthefinancingofterrorismproliferation-thefatfrecommendations.html), or FATF Standards, which more than 200 countries and jurisdictions have committed to implementing. They ensure a coordinated global response to prevent organised crime, corruption and terrorism. They help authorities go after the money of criminals dealing in illegal drugs, human trafficking, and other crimes. The FATF also works to stop funding for weapons of mass destruction.
- The FATF reviews money laundering and terrorist financing techniques and continuously strengthens its standards to address new risks, such as the regulation of virtual assets, which have spread as cryptocurrencies gain popularity. The FATF monitors countries to ensure they implement the FATF Standards fully and effectively and holds countries that do not comply to account.

South Africa became a member of FATF in 2003.

What do the Recommendations do?

The Recommendations can commonly be regarded as the global standards which all countries should seek to subscribe to in order to effectively combat money laundering and terrorist financing. You will find that many of the FATF member countries already have legislation in place which has considered components of the current Recommendations. Adherence to these Recommendations promotes a stable international financial system and promotes the financial soundness of a country, encouraging investors.
### General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act

*The primary objective of the General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act, 2022, is to address the deficiencies identified in the Mutual Evaluation Report relating to the customer due diligence measures contained in the FIC Act. The amendments to the FIC Act contained in the Amendment Act do not substantially change the principles on which the customer due diligence provisions are based. The amendments will result in a stronger Anti-Money Laundering/Counter Terrorist Financing/Proliferation Financing (AML/CFT/PF) regulatory framework.*

The General Laws Amendment Act was assented to by the President on 22 December 2022.

***High level summary of changes:***

- *The Amendment Act extends the powers of the Centre to request information or access to any database held by any organ of state as well as to have access to information contained in a register that is kept by an organ of state. This is necessary to ensure that the Centre has access to a sufficiently wide range of information that is held in the public sector to perform its functions effectively.*
- *Schedule 2 contains the list of supervisory bodies that are responsible for ensuring compliance with the provisions of the FIC Act. The objective of the proposed amendments to Schedule 2 to the FIC Act is to ensure effective supervision of the estate agency and gambling sector. Schedule 2 is amended to entrust the supervision of compliance with the FIC Act in the estate agency and gambling sectors to the Centre.*
- *The Amendment Act also addresses several recommendations in the Mutual Evaluation Report that necessitate amendments to the Trust Property Control Act, 1988 (Act No. 57 of 1988) ("the TPCA"), the Non-profit Organisations Act, 1997 (Act No. 71 of 1997) ("the NPO Act"), the Companies Act, 2008 (Act No.
71 of 2008) ("the Companies Act"), and the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017) ("the FSRA").*
- *Recommendation 25 and IO.5 - Amend the TPCA to provide a legal framework for beneficial ownership information in respect of trusts:*
  - *Require trustees to hold information on agents and service providers to trusts;*
  - *Require all trustees to keep information which they obtain up to date and accurate;*
  - *Provide for broader grounds for disqualification to be a trustee; and*
  - *Provide for offences for trustees in respect of specified breaches of the TPCA.*
- *Recommendation 8 and IO.10 - Amend the NPO Act in line with Recommendation 8 requirements:*
  - *Implement policy recommendations to improve the oversight of its broader Non-profit Organisation ("NPO") sector;*
  - *Apply controls of the NPO Act to all NPOs, not just NPOs that register voluntarily; and*
  - *Provide for offences and penalties in respect of specified contraventions of the NPO Act.*
- *Recommendation 24 and IO.5 - Amend the Companies Act to provide for a legal framework for beneficial ownership information in respect of companies:*
  - *Provide for a requirement that companies must keep securities registers on shareholding up to date;*
  - *Require that companies keep accurate and up-to-date information on their beneficial owners;*
  - *Provide for a comprehensive mechanism through which the Companies and Intellectual Property Commission can keep accurate and updated beneficial ownership information; and*
  - *Expand the grounds for disqualification to be a director of a company to include convictions for offences relating to money laundering, terrorist financing or proliferation financing activities.*
- *Recommendation 26 and IO.03 - Amend the FSRA to provide an enabling framework for financial sector regulators to test the fitness and propriety of beneficial owners of financial institutions as part of market entry controls and on an ongoing basis:*
  - *Provide a definition of
"beneficial owner" in respect of financial institutions;*
  - *Provide a legal mechanism through which financial sector regulators can test the honesty and integrity of beneficial owners of financial institutions and require them to provide relevant information regarding their beneficial ownership;*
  - *Provide a legal mechanism through which financial sector regulators can require financial institutions to identify and verify their beneficial owners and require them to provide relevant information regarding their beneficial owners; and*
  - *Enable financial sector regulators to take specified action against beneficial owners who contravene or are likely to contravene a financial sector law.*

### Exchanges

The FSCA is the supervisory body in terms of the Act (Schedule 2); however, such supervisory powers have been delegated to exchanges, i.e., JSE, A2X etc. These supervisory bodies (i.e., the licensed exchanges) are responsible for supervising compliance by their authorised users that are **Accountable Institutions (AIs)**. The FSCA, however, remains responsible for all enforcement action.

Money laundering objectives

The methods by which money may be laundered are varied and can range in sophistication. Money laundering often occurs in three steps: first, cash is introduced into the financial system by some means ("placement"), the second involves carrying out complex financial transactions to camouflage the illegal source ("layering"), and the final step entails acquiring wealth generated from the transactions of the illicit funds ("integration"). Some of these steps may be omitted, depending on the circumstances; for example, non-cash proceeds that are already in the financial system would have no need for placement.

**Placement** - Criminals may wish to place the money in the financial system, for instance, by depositing stolen money or the proceeds of a crime into a member's account for the acquisition of shares or Krugerrands.
However, most placements of funds involve the placement of cash into the system, and placement is therefore more likely to happen through an institution which accepts cash, such as a bank.

**Layering** - Money launderers may wish to engage in a series of unnecessary transactions in an attempt to make it difficult for law enforcement to follow the money trail, for instance, by maintaining a number of accounts in various names and by transferring the money from one account to the other. The purpose of this series of transactions is to hide the nature and the location of the money under a layer of complex transactions.

**Integration** - This final stage of money laundering involves amassing the original funds, less the costs of the laundering process, under the control of the criminal as apparently legitimate business funds. It must be noted that at this stage it may be extremely difficult for an individual or a company to either recognise or ascertain that the money is derived from criminal activities.

Money laundering takes several different forms. These include smurfing (also known as structuring) and the use of shell companies and trusts.

**Structuring**: Often known as "smurfing", this is a method of placement by which cash is broken into smaller deposits of money, used to defeat suspicion of money laundering and to avoid anti-money laundering reporting requirements. A sub-component of this is to use smaller amounts of cash to purchase bearer instruments, such as money orders, and then ultimately deposit those, again in small amounts.

**Shell companies and trusts**: Trusts and shell companies can disguise the true owner of money. Trusts and corporate vehicles, depending on the jurisdiction, need not disclose their true, beneficial ownership (s21B).

### What is a Predicate Offence?
The 6th Anti-Money Laundering Directive (6AMLD) defines and expands the list of crimes that qualify as money laundering predicate offences.

***"Predicate Offence"** - Means the offences mentioned below, by committing which within or outside the country, the money or property derived from is laundered or attempt to be laundered, namely:- corruption and bribery, counterfeiting currency, counterfeiting deeds and documents, extortion, fraud, theft or robbery or dacoity or piracy or hijacking of aircraft etc. or any other offence declared as predicate offence by Bangladesh Bank, with the approval of the Government, by notification in the official Gazette, for the purpose of this Act.*

### An Accountable Institution's (AI's) Risk Management Compliance Program (RMCP)

The term "accountable institution" is defined as a person or organisation referred to in **Schedule 1** of the FIC Act that carries out the business of any entity listed.

**Schedule 1 Accountable Institutions**

AIs report into supervisory bodies. In terms of the FIC Act, they are required to formulate and implement internal rules concerning:

- the establishment and verification of the identity of persons whom the institution must identify;
- the information of which records must be kept;
- the manner in which and place at which such records must be kept;
- the steps to be taken to determine when a transaction is reportable to ensure the institution complies with its duties; and
- any other matters as may be prescribed.

**Schedule 1 Accountable Institutions comprise**

- Attorneys as defined in the Attorneys Act.
- A board of executors or a trust company or any other person that invests, keeps in safe custody, controls, or administers trust property within the meaning of the Trust Property Control Act.
- Estate agents as defined in the Estate Agents Act.
- Financial instrument traders as defined in the Financial Markets Control Act.
- Management companies registered in terms of the Unit Trusts Control Act.
- A person who carries on the 'business of a bank' as defined in the Banks Act.
- A mutual bank as defined in the Mutual Banks Act.
- A person who carries on a 'long-term insurance business' as defined in the Long-Term Insurance Act, including an insurance broker and an agent of an insurer.
- A person who carries on a business in respect of which a gambling licence is required to be issued by a provincial licensing authority.
- A person who carries on the business of dealing in foreign exchange.
- A person who carries on the business of lending money against the security of securities.
- A person who carries on the business of rendering investment advice or investment broking services, including a public accountant as defined in the Public Accountants and Auditors Act, who carries on such a business.
- A person who issues, sells, or redeems travellers' cheques, money orders or similar instruments.
- The Postbank referred to in the Postal Services Act.
- A member of a stock exchange licensed under the Stock Exchanges Control Act.
- The Ithala Development Finance Corporation Limited.
- A person who has been approved or who falls within a category of persons approved by the Registrar of Stock Exchanges in terms of the Stock Exchanges Control Act.
- A person who has been approved or who falls within the category of persons approved by the Registrar of Financial Markets in terms of the Financial Markets Control Act.
- A person who carries on the business of a money remitter.

**Risk Management Compliance Program (RMCP)**

- In terms of section 42 of the FIC Act, an accountable institution must develop, document, maintain and implement a programme for anti-money laundering and counter-terrorist financing risk management and compliance.
- An accountable institution's RMCP must always be commensurate with the size and complexity of the institution and the nature of its business.
- An RMCP documents the entire approach an authorised user adopts in dealing with its financial crime responsibilities and obligations under the FIC Act.
- The RMCP is key to effectively documenting an organisation's end-to-end process and should clearly depict what, how and why an accountable institution continuously manages its risk.
- The risk management compliance programme documents the entire approach to identifying, assessing, monitoring, mitigating, and managing the specific AML/CFT/CPF risks faced by an organisation.
- The nature and extent of an AI's internal systems and controls which form part of its RMCP depend on a variety of factors, including:
  - The nature, scale, and complexity of the accountable institution's business;
  - The diversity of its operations, including geographical diversity;
  - Its client, product, or services profile;
  - Its distribution channels;
  - The volume and size of its transactions; and
  - The degree of risk associated with each area of its operation.
- The RMCP is a holistic consolidation of an organisation's assessment of its risk towards ML/TF/PF and must include a comprehensive risk-based assessment including a detailed methodology, policies and procedures.
- An RMCP should include a description of the board of directors' or senior management's accountability and the appointment of a person with adequate seniority and experience to assist with ensuring compliance with the FIC Act.
- Appropriate provision of regular and timely information to the board of directors or senior management relevant to the management of the institution's money laundering and terrorist financing risks;
- Appropriate documentation of the institution's risk management policies and risk profile in relation to money laundering and terrorist financing, including documentation of the institution's application of those policies.
- Appropriate descriptions of decision-making processes in respect of the application of different categories of CDD and other risk management measures, including escalation of decision-making to higher levels of seniority in the AI where necessary; and
- Appropriate measures to ensure that money laundering risks are considered in the day-to-day operation of the institution, including in relation to:
  - The development of new products;
  - The taking-on of new clients; and
  - Changes in the institution's business profile.
- An AI's RMCP must always be commensurate with the size and complexity of the institution and the nature of its business. This implies that an RMCP for an AI which does not provide a wide range of products or services or deal with a diverse range of clients could be relatively simple while that of a complex financial institution would be expected to be much more complex.
- An AI is required to indicate in its RMCP if any of the elements described in section 42 of the FIC Act do not apply to that particular institution. The institution is also required to indicate in its RMCP the reason why such processes are not applicable to the institution.
- It is important that the content of an AI's RMCP is communicated widely throughout the institution, as may be applicable, to increase the effectiveness of its implementation.
- An AI must review its RMCP at regular intervals to ensure that it remains relevant to the institution's operation and the risks identified.
- Appropriate training on AML/CTF/CPF to ensure that employees are aware of, and understand, their legal and regulatory responsibilities and their role in handling criminal property and money laundering/terrorist financing risk management;
- Appropriate documentation of the institution's risk management policies and risk profile in relation to money laundering and terrorist financing, including documentation of the institution's application of those policies;
- Appropriate measures to ensure that money laundering risks are considered in the day-to-day operation of the institution, including in relation to the development of new products; the taking-on of new clients; and changes in the institution's business profile etc.
- An AI's ability to apply a risk-based approach effectively is largely dependent on the quality of its RMCP. An AI's RMCP must be sufficient for countering the ML/TF/PF risks facing the institution. It is important for AIs to bear in mind that an RMCP comprises not only policy documents, but also procedures, systems and controls that must be implemented within the institution. The RMCP can therefore be described as the foundation of an AI's efforts to comply with its obligations under the FIC Act on a risk-sensitive basis.
- Appropriate training on money laundering and terrorist financing to ensure that employees are aware of, and understand, their legal and regulatory responsibilities and their role in handling criminal property and money laundering/terrorist financing risk management;

*The recent amendments to the FIC Act made some minor changes to section 42. Please ensure you are familiar with the changes that were made effective from 31 December 2022.
Click the link to access the document -* [General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act 22 of 2022 (English / Afrikaans) (www.gov.za)](https://www.gov.za/sites/default/files/gcis_document/202212/47815anti-moneylaunderingact22of2022.pdf)

**So, who is responsible for compliance by the AI?**

The board of directors, senior management, or the person with the highest level of authority is ultimately responsible for ensuring that the institution maintains an effective internal AML/CFT/CPF control structure through an RMCP. Section 42A specifically states the following:

- The board of directors of an accountable institution which is a legal person with a board of directors, or the senior management of an accountable institution without a board of directors, must ensure compliance by the accountable institution and its employees with the provisions of this Act and its RMCP.
- An AI, which is a legal person, must:
  - have a compliance function to assist the board of directors or the senior management, as the case may be, of the institution in discharging their obligations under subsection (1); and
  - assign a person with sufficient competence and seniority to ensure the effectiveness of the compliance function contemplated in paragraph 40 (a).
- The person or persons exercising the highest level of authority in an AI which is not a legal person must ensure compliance by the employees of the institution with the provisions of this Act and its RMCP, in so far as the functions of those employees relate to the obligations of the institution.
**PENALTIES FOR NON-COMPLIANCE**

| SECTION | COMMENTARY | PENALTY |
|---|---|---|
| **Section 61** | Failure to implement an anti-money laundering and counter-terrorist financing risk management and compliance program (42)(1)(2) 2A, 2B, 2C, 42(3) | Administrative Sanction: Up to R10 000 000 (Natural Person); Up to R50 000 000 (Legal Person) |

### Risk-Based Approach (RBA) in the context of FICA

A risk-based approach means accountable institutions must **identify, assess, and understand** the **money laundering** and **terrorist financing** risk to which they are exposed, and take the appropriate mitigation measures in accordance with the level of risk. It is central to the effective implementation of the FATF Recommendations and is based on the risk assessment, which therefore provides the basis for the risk-sensitive application of AML/CFT/CPF measures.

- A risk-based approach is the approach adopted by an AI towards a specific set of risks presented in a specific set of circumstances.
- The 'approach' adopted implies that specific controls, systems or both are required when dealing with varying situations of differing risk levels.
- The controls in place have to be adequate to address the degree of risk posed, i.e., they must be proportionate to the risk faced. Simply put, it entails how an AI risk rates its clients based on the outcome of the customer due diligence conducted on the client.
- The obligation to apply a risk-based approach gives accountable institutions greater discretion to determine the appropriate steps to take.
- By applying a risk-based approach accountable institutions are able to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified. This will ensure that resources are directed in accordance with priorities, so that the greatest risks receive the highest attention. The risk-based approach also affords accountable institutions the flexibility to use a range of mechanisms to establish and verify the identities of their clients, creating opportunities for accountable institutions to explore more innovative ways of offering financial services to a broader range of clients and bringing previously excluded sectors of society into the formal economy. If applied correctly, it will improve the efficacy of measures to combat money laundering and terrorist financing while promoting financial inclusion without undermining AML/CFT/CPF objectives. Accountable institutions should also ensure alignment between Treating Customer Fairly principles and their application of guidance on Money Laundering/Terrorist Financing/Proliferation Financing (ML/TF/PF) risk issues.
- The risk-based approach further allows accountable institutions to simplify the due diligence measures applied where they assess ML/TF/PF risks to be lower. Instead of relying on rigid requirements in regulations and exemptions granted at the executive level, accountable institutions will have greater discretion to determine the appropriate compliance steps to be taken in given instances, in accordance with their internal compliance and risk management programmes.
- It is important to note that the risk-based approach does not exempt an accountable institution from applying effective AML/CFT/CPF controls. It is the responsibility of accountable institutions to effectively manage all ML/TF/PF risks and to be able to clearly demonstrate this to a regulator when required.
Risk rating

Risk-rating implies assigning different categories to different levels of risk according to a risk scale and classifying the ML/TF risks pertaining to different relationships or client engagements in terms of the assigned categories. As no two accountable institutions are the same, the level of risk and therefore the risk ratings attributed to particular business relationships or other engagements with clients may vary between accountable institutions.

A risk-based approach allows one to assess the relevant risks while providing a set of recommended internal control (monitoring) actions to effectively reduce the risk of ML/TF/PF activities failing FICA compliance, in line with an AI's risk appetite.

Risk in the context of AML/CFT/CPF has been defined in Guidance Note 7 issued by the FIC as the following:

*Risks that relate to threats and vulnerabilities that may promote the laundering of proceeds of unlawful activities or the financing of terrorism, on the one hand, or may jeopardise the detection, investigation or prosecution of these activities or the possibility of the forfeiture of proceeds of unlawful activities, on the other (FIC Guidance Note 7).*

Risk appetite is a measure and allocation of the amount of risk that an AI is willing to accept in pursuit of its strategy and business objectives. The Board and management could use a balanced approach in determining the acceptable levels of risk to undertake. Typically, a risk appetite approach should reflect its position that risk management is as much about enabling risk taking as it is about constraining adverse risk.

Risk thus entails a series of threats which exist in particular circumstances, with a corresponding level of likelihood and impact. The likelihood and the impact can be decreased through the introduction of risk mitigation, i.e., introducing adequate and appropriate controls to address the risk posed.
In this regard, there are two important concepts, that of 'inherent' risk versus 'residual' risk, which are defined as follows:

**Inherent Risk:** The risks and probability of risk prior to the implementation of controls.

**Residual Risk:** The risk that remains after the controls and mitigating factors have been introduced.

'Risk factors' means variables that, either on their own or in combination, may increase or decrease the ML/TF/PF risk posed by a business relationship or single transaction. The ML/TF/PF risk associated with a particular client engagement is not static. The factors underlying any given risk-rating will inevitably change over time. It is therefore essential that AIs re-evaluate the relevance of particular risk factors and the appropriateness of previous risk-ratings from time to time and determine the intervals at which this will be done.

### Risk factors considered

The challenge thus remains that many financial institutions have varying types of customers, products, and channels through which risk can present itself, and it is a task on its own for many financial crime compliance and business partners to formulate a risk management compliance programme that will adequately and sufficiently enable an institution to state that it knows and understands each and every one of its customers and the financial crime risk each individual / company etc. presents to the institution. For some institutions financial exclusion could be prevented where institutions proactively decide to 'manage' risk as opposed to eliminating it completely where it is not warranted to do so.

ML/TF/PF risk indicators

Factors that may be indicative of ML/TF/PF risks relate to a number of aspects such as customer risks, product or service risks, delivery channel risk, geographic risk, business risk, industry risk etc. and each of these may interact differently with the characteristics of different types of clients.
A **threat** is a person or group of people, object, or activity with the potential to cause harm. In the context of money laundering and terrorist financing this includes criminals, terrorist groups and their facilitators, their funds, as well as the past, present and future money laundering, or terrorist financing activities.

The concept of **vulnerabilities** comprises those things that can be exploited by the threat or that may support or facilitate its activities. Identifying vulnerabilities, as distinct from threats, means focusing on, for example, the factors that represent weaknesses or features that may be exploited in a given system, institution, product, service etc. The areas in which these vulnerabilities may arise are discussed in more detail later in this guidance.

Consequences refer to the impact of a threat or the exploitation of a vulnerability if this impact is to materialise.

***Risk in the context of ML/TF/PF can therefore be thought of as the likelihood and impact of ML/TF/PF activities that could materialise as a result of a combination of threats and vulnerabilities manifesting in an accountable institution based on the business activities conducted.***

### Risk assessment

The risk assessment process will therefore assist AIs in determining the nature and extent of resources necessary to mitigate identified risks. AIs must establish and implement systems and controls in response to the assessed risks. These controls must be designed to detect money laundering and terrorist financing and respond appropriately when risks materialise.

- Where there are higher ML/TF/PF risks, enhanced measures must be taken to mitigate those risks. This means that the range, degree, frequency or intensity of preventive measures and controls conducted will be stronger in higher risk scenarios.
- Where the ML/TF/PF risks are assessed as lower, simplified measures may be applied.
This means that controls must include certain CDD measures, but that the degree, frequency and/or the intensity of the controls conducted will be relatively lighter.
- An AI should always have grounds on which it can base its justification for a decision that the appropriate balance was struck in a given circumstance.
- The systems and controls by which an institution decides to manage ML/TF/PF risks and the levels of due diligence it chooses to apply in relation to various risk levels must be documented in its RMCP.

What risk factors must be considered?

- Products and Services Risk
- Delivery Channel Risk
- Client Risk
- Geographic risk
- Business Risk

*(NB: Refer to Guidance Note 7 (this is required reading) published by the FIC for further information regarding these risks -- the risks above are not exclusive). Note the FIC did publish a draft update to GN7 (viz GN7A).*

Where does CDD fit into the risk mitigation process?

Institutions should use the CDD process as one of the measures to mitigate the ML/TF/PF risk associated with a proposed business relationship or single transaction. The CDD process provides an AI with the information required to know who they are doing business with, to know who benefits from the business it does with its clients, to understand the nature of the business it does with its clients and to determine when the business with clients should be considered suspicious or unusual. This is one of the mechanisms at the AI's disposal to mitigate the risk of exploitation for money laundering or terrorist financing purposes.

Further requirements based on the last FATF Mutual Evaluation Results:

### Customer Due Diligence (CDD)

Customer due diligence (CDD) refers to the knowledge that an AI has about its client and the institution's understanding of the business that the client is conducting with it.
In terms of section 21 of the Act an AI must, in the course of establishing a **business relationship** or entering into a **single transaction**, **establish and verify the identity** of the customer and, if applicable, the person representing the customer as well as any other person on whose behalf the customer is acting. CDD measures, if properly implemented, enable an AI to better manage its relationships with customers and to better identify possible attempts by customers to exploit the institution's products and services for illicit purposes, and are thus a key component of a framework to combat money laundering and terrorism financing effectively.

A **business relationship** is defined in the FIC Act as an arrangement between a client and an AI for the purpose of concluding transactions on a regular basis. A business relationship therefore entails an element of a time duration to the engagement with the client. AIs need to determine what constitutes a business relationship as well as a transaction in the context of their particular business for purposes of complying with the obligations of the FIC Act in as far as it applies to a business relationship.

The manner and the point in time at which an AI determines that a person is a prospective client or a client for the purposes of determining when the obligations of the FIC Act commence should be spelled out in an AI's RMCP, both in respect of a business relationship and a single transaction. The AI should therefore determine, considering its particular business, who is to be regarded as a prospective client and client in order to apply the CDD and other requirements in terms of the FIC Act.
The FIC Act defines a **single transaction** as a transaction other than a transaction concluded in the course of a business relationship and where the value of the transaction is not less than the prescribed amount (currently R49 999.99 as determined by the Minister of Finance in the Regulations), except in the case of s20, which states that an accountable institution may not establish a business relationship or conclude a single transaction with an anonymous client or a client with an apparent false or fictitious name. In addition, the JSE Equities Rules prescribe that an authorised user cannot transact in cash amounts above R5,000.00. A single transaction can be described as occasional or once-off business where there is no expectation on the part of the AI or the client that the engagements would recur over a period of time.

***Note:*** Previously AIs were required to establish and verify the identity of a client in accordance with the ML/TF/PF Regulations. The principle of client identification and verification is now expanded significantly with the introduction of the obligation to conduct CDD on customers/prospective customers.

Establishing the identity of a customer entails the following:

- obtaining a range of information about the customer;
- information is obtained from the customer during the take on stage or part of the customer engagement process;
- understanding the nature and intention of the transactions;
- identifying the source of funds;
- the information required is informed by the Act;
- the information obtained ought to give one enough data to build a profile of the customer and assign a risk rating thereto.

Verifying the identity of the customer entails the following:

- using other sources of information to confirm/validate the information obtained from identifying the customer;
- the nature and extent of the verification is determined on the assessed risk and in terms of RMCP;
- verification must occur while conducting a single transaction/business relationship and be complete before concluding a transaction;
- obtaining the relevant documents.

Enhanced due diligence and additional due diligence measures should be considered depending on the risk rating and client categorisation.

High-risk customers

Business relationships with foreign prominent public officials (FPPOs) must always be considered high-risk. If an AI finds out that it is dealing with an FPPO, senior management approval must be obtained to establish the business relationship. AIs must also take reasonable measures to establish the source of wealth and source of funds of the client and conduct enhanced ongoing monitoring of the business relationship. AIs are not required to verify the information about the client's source of wealth and source of funds but will have to include this information in its client profile which will be used as the basis for enhanced ongoing monitoring. These requirements also apply to immediate family members and known close associates of such prominent public officials. Refer to sections 21F, 21G, 21H below.

*Note changes to schedule 3B to change the name of FPPO to FPEPs (Foreign Politically Exposed Persons).*

Enhanced due diligence measures must be conducted in the case of high-risk customers and these measures must be adequately documented in the AI's RMCP.
### Ultimate Beneficial Ownership (UBO)

Beneficial Ownership Process of Elimination - ADD

**To effectively determine who the natural person/s are who have a controlling ownership interest in a legal person, the accountable institution must understand the legal person's ownership and control structure and understand exactly which natural persons exercise influence over decisions taken and/or operations.**

**The different types of legal persons have different forms of ownership interest i.e.:**

- **Companies issue shares which shareholders own**
- **Co-operative members own interest that is referred to as membership share**
- **Close corporations own a member's interest**

With the amendment of the Act in 2017, the concept of **ultimate beneficial ownership** was introduced as a formal requirement. To this end, beneficial ownership applies to legal persons, partnerships, trusts, or similar arrangements between natural persons. The natural persons standing to benefit from the activities/business relationships/transactions effected in respect of legal persons/partnerships/trusts held with AIs are the **beneficial owners**, irrespective of how complex that entity's structure may be. Therefore, it is vital to have a clear view of the person standing to benefit from such relationships.

The lack of adequate, accurate and timely beneficial ownership information has the potential to facilitate ML/TF/PF by disguising:

- the identity of known or suspected criminals;
- the true purpose of an account or property held by the legal entity; or
- the source or use of funds or property associated with the legal entity.

Understanding the UBO is also extremely important in creating a holistic view of your customer profile and consequently assessing the true risk that such customers could pose.
With the aim of ultimately looking for the party/parties who have a controlling interest, the following steps may be taken to identify the beneficial owner (differs per entity type):

- understand the structure of the customer;
- review the ownership and control structure;
- identify shareholders who hold more than 25% of the total shareholding;
- perform due diligence to identify and verify these persons;
- also identify the persons who exercise effective control over the entity and perform due diligence on these persons;
- if no person exercises more than 25% shareholding/ownership and a person/s exercising majority control over the entity cannot be identified then look to the senior management of the entity (executive, non-executive director, director, or manager), who has control of the business.

Section 21 also applies to clients who are not natural persons acting in their personal capacity. Clients of this nature are referred to as corporate vehicles. The Act classifies corporate vehicles (legal persons) as follows -

- any person other than a natural person
- Legal persons (CC's, local companies, foreign companies, or any other form of corporate arrangement or association but not
- Partnerships
- Trusts or
- Sole proprietors

In addition to establishing and verifying a legal person's identity an AI must, as set out in section 21B, apply additional due diligence measures, namely to establish -

- the nature of the client's business;
- the ownership and control structure of the client; and
- the beneficial ownership of clients (refer to section above), and
- to take reasonable steps to verify the identity of the beneficial owners.

Furthermore, in instances of legal persons etc.
where a natural person may have been authorised to effect a transaction/enter into a business relationship with the AI, the AI must obtain the following to evidence that such authority has indeed been conferred -

- A mandate/resolution
- An order of court
- A power of attorney
- A contract evidencing the allocation/assignment of authority

The three-step process must be documented and implemented to ensure compliance with the Act.

Once an AI has obtained the information deemed necessary in terms of its risk-based FICA and CDD processes and procedures as documented in its approved RMCP, the AI should use the findings from their risk assessment (discussed in the next section) to decide on the appropriate level and type of CDD that they will apply to a client (or business relationship and single transactions). AIs should also determine when they consider persons to be prospective clients to whom their CDD measures apply. An AI's RMCP must describe the CDD measures which the institution applies and how these measures are attenuated or intensified on the basis of ML/TF/PF risks.
*Note recent changes --*

- *section 21B now provides for instances where the partners in a partnership or, in the case of trusts, founders, trustees or beneficiaries, are legal persons.*

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 46**        | Failure to identify   | Administrative        |
|                       | persons (Section      | Sanction:             |
|                       | 21(1) or 21 1A or 21  |                       |
|                       | (2))                  | Up to R10 000 000     |
|                       |                       | (Natural Person)      |
|                       |                       |                       |
|                       |                       | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
+-----------------------+-----------------------+-----------------------+

**Section 21C: Ongoing due diligence measures**

These measures follow on from the obligation to understand the purpose and intended nature of a business relationship. They include the scrutiny of transactions undertaken throughout the course of a relationship, to ensure that the transactions being conducted in the course of a business relationship are consistent with an AI's knowledge of the customer (i.e., do not allow for unexplained discrepancies), and the customer's business and risk profile, including, where necessary, the source of funds. It also requires AIs to ensure that the information that an AI has about a customer is still accurate and relevant.

Only by ensuring that records remain accurate, up-to-date, and relevant, by undertaking regular reviews of existing records and updating the CDD information, can other competent authorities, law enforcement agencies or financial intelligence units make effective use of that information in order to fulfil their own responsibilities in the context of AML/CFT/CPF. In addition, keeping up-to-date information will enhance the accountable institution's ability to effectively monitor the account for unusual or suspicious activities.
Knowing the Customer is a **continuing** obligation where the accountable institution is required to conduct **ongoing due diligence** of the customer on a **continual** basis throughout the customer lifecycle and includes the following pillars:

- Transaction Monitoring: scrutiny of transactions undertaken throughout the business relationship, paying attention to unusual patterns of transactions or unusually large or complex transactions
- Customer Information re-verification processes conducted to ensure that up to date and correct customer information is being retained
- Continual due diligence processes which include the reassessment of the risk profile of the customer and screening processes.

*Note the recent amendment that now provides for instances where the AI suspects that a transaction or activity is suspicious in terms of section 29 (Suspicious Transaction Report - STR) and the AI reasonably believes that performing the customer due diligence (CDD) measures in terms of section 21C will disclose to the client that an STR will be made to the Centre: it may discontinue the CDD process and consider filing an STR.*

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 46A**       | An AI that fails to   | Administrative        |
|                       | comply with the duty  | Sanction:             |
|                       | to perform additional |                       |
|                       | due diligence         | Up to R10 000 000     |
|                       | measures in           | (Natural Person)      |
|                       | accordance with       |                       |
|                       | section 21C is        | Up to R50 000 000     |
|                       | non-compliant and is  | (Legal Person)        |
|                       | subject to an         |                       |
|                       | administrative        |                       |
|                       | sanction.             |                       |
+-----------------------+-----------------------+-----------------------+

Section 21D: Doubts about veracity of information

When an AI doubts the veracity or adequacy of previously obtained information (when entering into a single transaction or establishing a business relationship) the AI --

- must repeat the steps contemplated in sections 21 and 21B in accordance with its RMCP and to the extent that is necessary to confirm the information in question (application of an RBA); and
- submit a Suspicious Transaction Report (STR) under section 29, via the FIC website.

+-----------------------+-----------------------+-----------------------+
| PENALTIES FOR         |                       |                       |
| NON-COMPLIANCE        |                       |                       |
+=======================+=======================+=======================+
| SECTION               | COMMENTARY            | PENALTY               |
+-----------------------+-----------------------+-----------------------+
| **Section 46A**       | An AI that fails to   | Administrative        |
|                       | comply with the duty  | Sanction:             |
|                       | to perform additional |                       |
|                       | due diligence         | Up to R10 000 000     |
|                       | measures in           | (Natural Person)      |
|                       | accordance with       |                       |
|                       | section 21D is        | Up to R50 000 000     |
|                       | non-compliant and is  | (Legal Person)        |
|                       | subject to an         |                       |
|                       | administrative        |                       |
|                       | sanction.             |                       |
+-----------------------+-----------------------+-----------------------+

Section 21E: Inability to conduct CDD

If an AI is unable to -

- establish and verify the identity of a client or other relevant person as per Section 21 or 21B;
- obtain the information contemplated in section 21A; or
- conduct ongoing due diligence as contemplated in section 21C,

the AI may not -

- establish a business relationship or conclude a single transaction with a client;
- conclude a transaction in the course of a business relationship, or perform any act to give effect to a single transaction.

Instead, the AI must terminate, in accordance with its Risk Management and Compliance Programme, an existing business relationship with a client, and consider making a report under section 29, via the FIC website.

Within any current customer base and potential future customers, there will be certain customers that flag as **high-risk customers.** Thus, it will also be necessary to carry out enhanced due diligence, as well as enhanced monitoring. This could be informed by the following factors:

- the risk assessment and rating assigned at onboarding;
- the fact that a customer may be an automatic high-risk customer (e.g., a FPPO, DPIP, their associates);
- the fact that the risk rating changes following the outcome of a due diligence review;
- high level of STRs/CTRs being submitted in respect of a customer;
- whether the customer is in a non-FATF country;
- whether the customer is in a sanctioned country.

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 46A**       | An AI that fails to   | Administrative        |
|                       | comply with the duty  | Sanction:             |
|                       | to perform additional |                       |
|                       | due diligence         | Up to R10 000 000     |
|                       | measures in           | (Natural Person)      |
|                       | accordance with       |                       |
|                       | section 21E is        | Up to R50 000 000     |
|                       | non-compliant and is  | (Legal Person)        |
|                       | subject to an         |                       |
|                       | administrative        |                       |
|                       | sanction.             |                       |
+-----------------------+-----------------------+-----------------------+

Section 21F: Foreign Prominent Public Official

AIs must, with all prospective clients or beneficial owners of such clients, identify any persons that are **Foreign Prominent Public Officials (FPPOs)**, as FPPOs are automatically deemed **high-risk clients** and should not be transacted with unless:

- senior management approval is obtained for establishing the business relationship;
- reasonable measures are taken to establish the source of wealth and source of funds of the client; and
- enhanced ongoing monitoring of the business relationship is conducted.

Schedule 3B lists the roles of persons that are considered FPPOs.

*Note the recent amendment - The definition of "foreign prominent public official" is amended to instead refer to "foreign politically exposed person".
Associated amendments are made to sections 21F and 21H and Schedule 3B.*

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 46A**       | An AI that fails to   | Administrative        |
|                       | comply with the duty  | Sanction:             |
|                       | to perform additional |                       |
|                       | due diligence         | Up to R10 000 000     |
|                       | measures in           | (Natural Person)      |
|                       | accordance with       |                       |
|                       | section 21F is        | Up to R50 000 000     |
|                       | non-compliant and is  | (Legal Person)        |
|                       | subject to an         |                       |
|                       | administrative        |                       |
|                       | sanction.             |                       |
+-----------------------+-----------------------+-----------------------+

Section 21G: Domestic Prominent Influential Persons

Business relationships with **Domestic Prominent Influential Persons** (DPIPs) are **not inherently high-risk**. AIs must consider each such relationship on its own merits in order to determine whether there is any reason to conclude that it brings higher risk of abuse for money laundering and terrorist financing purposes. If so, the AI must apply the same requirements as for FPPOs.

Schedule 3A lists the roles of persons that are considered DPIPs.

*Note the recent amendment - The definition of "domestic prominent influential person" is amended to instead refer to "domestic politically exposed person". A new definition of "prominent influential person" is inserted as a distinct category of person from "politically exposed person", to better align with the FATF terminology and relevant requirements.
Associated amendments are made to sections 21G and 21H and Schedule 3A, and a new Schedule 3C is inserted that specifies categories of "prominent influential persons".*

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 46A**       | An AI that fails to   | Administrative        |
|                       | comply with the duty  | Sanction:             |
|                       | to perform additional |                       |
|                       | due diligence         | Up to R10 000 000     |
|                       | measures in           | (Natural Person)      |
|                       | accordance with       |                       |
|                       | section 21G is        | Up to R50 000 000     |
|                       | non-compliant and is  | (Legal Person)        |
|                       | subject to an         |                       |
|                       | administrative        |                       |
|                       | sanction.             |                       |
+-----------------------+-----------------------+-----------------------+

Section 21H: family members and known close associates

Sections 21F and 21G apply to immediate family members and known **close associates** of a person in a foreign (FPPO) or domestic (DPIP) prominent position.
An immediate family member includes:

- the spouse, civil partner, or life partner;
- the previous spouse, civil partner, or life partner, if applicable;
- children and stepchildren and their spouse, civil partner, or life partner;
- parents; and
- sibling and step sibling and their spouse, civil partner, or life partner.

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE WITH   |                       |                       |
| KEY PROVISIONS OF THE |                       |                       |
| FICA**                |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 46A**       | An AI that fails to   | Administrative        |
|                       | comply with the duty  | Sanction:             |
|                       | to perform additional |                       |
|                       | due diligence         | Up to R10 000 000     |
|                       | measures in           | (Natural Person)      |
|                       | accordance with       |                       |
|                       | section 21H is        | Up to R50 000 000     |
|                       | non-compliant and is  | (Legal Person)        |
|                       | subject to an         |                       |
|                       | administrative        |                       |
|                       | sanction.             |                       |
+-----------------------+-----------------------+-----------------------+

***In summary, the concept of CDD refers to the procedures and processes necessary for understanding and knowing one's customer, which includes:***

- Setting out the types of information and verification methods required to successfully identify and verify the different customer/entity types
- Obtaining knowledge about your customers and understanding the business that they are conducting
- Using reliable sources of information to adequately identify and verify the customer (at onboarding). As far as possible an AI will use source information documentation, but where this is not possible, third-party sources may be used.
This is commensurate with the application of a risk-based approach
- Identifying the beneficial owner (the ownership and control structure) of the customer
- Understanding the purpose and nature of the business relationship
- Establishing the source of Income/Funds for all customers
- Establishing the intended purpose of the business relationship
- Better identifying possible attempts by your customers to exploit your products and services for illicit purposes
- Prescribing what is required in instances (enhanced CDD) where a customer is treated as a high-risk customer, noting that in the absence of a customer being regarded as high-risk, it is still necessary to perform CDD
- With low-risk customers, simplified due diligence may be permissible, on approval from the appropriate head of the business before proceeding to onboard the customer in this manner.
- Simplified due diligence does not exempt one from obtaining and recording information with regards to the person with whom a single transaction has been entered into at a basic level.
- An AI is required to specify the methodology for Enhanced Due Diligence and Simplified Due Diligence in its RMCP
- CDD remains the key component of the FICA framework to combat money laundering and terrorism financing effectively.

### Monitoring and Enforcement

Best practices in CDD/KYC ongoing screening for Politically Exposed Persons (PEPs), Beneficial ownership and United Nations Security Council resolution (UNSCR) Targeted Financial Sanctions Lists (TFSs)

**Screening**

AIs must be able to determine whether they have a sanctioned person or entity as a customer or whether a prospective customer is a sanctioned person or entity to determine their exposure to TFS-related obligations.
This implies that AIs which are likely to encounter sanctioned persons or entities can screen customers and prospective customers against the relevant sanctions lists. This should be done during the customer-take-on process as well as subsequently (ongoing due diligence) as and when the UNSCR adopts new TFS measures or expands existing ones.

AIs should be mindful of the fact that failure to comply with TFS obligations is a criminal offence under section 49A of the FIC Act. The fact that an AI had relied on a commercially available screening capability or that it had considered the risk of being exposed to TFS-related obligations to be low, would not be a defence against such a criminal charge.

The Centre will maintain an updated sanctions list which will be available on its website, and which will reflect available identity particulars of persons and entities contained in notices published by the Director.

An AI should also screen for adverse news media. It is important to note that such news must be verified before adjusting your client's risk-rating.

*Note the recent amendment: the draft Directive and PCC will require all employees to be screened based on their role and the ML/TF/PF risk to which that role potentially exposes the AI.*

### Sanctions vs Targeted Financial Sanctions

What are Sanctions?

- Preventive measures against threats to peace and security, including terrorism and proliferation of weapons of mass destruction.
- Directed at certain countries, individuals, or entities.
- Generally, NOT requiring a finding of criminal guilt or civil entities.
- Legal basis is Chapter VII, Article 41, United Nations Charter

What are Targeted Financial Sanctions?

- 'Financial embargo' on designated individuals and entities
- Captured under FATF Recommendation 6 (Terrorism) and FATF Recommendation 7 (Proliferation)
- Prohibition against dealings with the assets (assets freeze) of designated individuals and entities, those owned or controlled by them, or acting on their behalf.
- Prohibition against making assets (and financial service) available to, or for the benefit of, designated individuals and entities, as well as those owned or controlled by them, or acting on their behalf.
- Procedural and human rights protection apply.

Use of third parties

Where an AI uses third parties to assist with the fulfilment of its customer identification and verification requirements it will perform the following:

- maintain a register of all third-party service providers.

Although the processing and further processing of personal information of a client for purposes of the Act is permitted, it is possible that certain third-party data sources could have obtained personal information about a client without the client's consent or knowledge. AIs must have comfort that where information is held by the third party, the third party can provide confirmation that no breaches of the Protection of Personal Information Act (POPIA) have occurred.

Transactional monitoring

The Act requires an AI to perform transactional monitoring in line with their risk-based approach and incorporating customer due diligence, which must be clearly documented in its RMCP. If a client is categorised as a higher risk, then more frequent monitoring will be required. Evidence of this monitoring must be easily available.

Recordkeeping

Recordkeeping is an essential component of a successful system to combat money laundering and terrorist financing. Often the records of customers' identities and their transaction activities would be the only evidentiary trail to assist law enforcement authorities in the detection, investigation, prosecution, and confiscation of criminal funds where illicit flows of funds are concerned.
Recordkeeping is therefore the other side of the coin to CDD measures and together these two elements bring greater transparency to the financial system. It is for this reason that the Act requires AIs to retain records concerning customer identification and transaction activity, throughout the life cycle of the customer.

- **Section 22** of the FIC Act provides for an obligation on accountable institutions to keep customer due diligence records. This means that AIs must keep record of all information pertaining to a client obtained in the course of its processes to comply with sections 21 to 21H of the FIC Act. Such records must include copies of, or references to, information provided to or obtained by the AI to verify the person's identity.
- AIs must keep transaction records of single transactions and transactions concluded in the course of the business relationship with the client in terms of **section 22A** of the FIC Act. This means that the AI must keep records of every transaction which that AI has with a client. Transaction records must be sufficient to enable the transaction to be reconstructed and include the amount, currency, date of transaction, parties to the transaction, the nature of the transaction, pertinent or relevant business correspondence and also the identifying particulars of all accounts and account files related to the transaction if the AI provides account facilities.

**Manner in which records must be kept**.

- The FIC Act is not prescriptive as to the manner in which records must be kept. This implies that records may be stored in accordance with an AI's standard procedures for the capturing of information and retention of records. Records can therefore be kept by way of storing original documents, photocopies of original documents, scanned versions of original documents or otherwise in computerised or electronic form.
There are many examples of mechanisms which may be used for the storage of records which allow AIs to reduce the volume and density of records such as -
  - Internal networks
  - Physical storage devices e.g., hard drives, CDs, DVDs, memory sticks, etc.
  - Cloud storage
  - Electronic document repositories
  - Fintech capabilities.
- Regardless of the manner in which records are kept, accountable institutions must ensure that the following principles are met:
  - The AI must have free and easy (in other words unencumbered) access to the relevant records;
  - The records must be readily available to the Centre and the relevant supervisory body when required;
  - The records must be capable of being reproduced in a legible format; and
  - If the records are stored off-site the Centre and the relevant supervisory body must be provided with the details of the third party storing the records.
- It is advisable that records include details that will assist in the identification of the records.
- AIs must ensure that records are tamper proof and that there are safeguards in place to prevent the unauthorised access to information stored electronically.

**Period for which records must be kept** --

- Records in relation to establishment of a business relationship referred to in section 22 of the FIC Act must be kept for at least five years from the date on which the business relationship is terminated.
- Records of all transactions concluded referred to in section 22A must be kept for at least five years from the date on which that transaction was concluded.
- Records of a transaction or activity which gave rise to a report contemplated in section 29 of the FIC Act must be kept for at least five years from the date on which the report was submitted to the Centre.
- Records may be kept in paper form or may be kept electronically.
Although AIs are allowed to outsource the storage and maintenance of records to third parties, the AI is still liable for any failure by the third party to comply with the requirements of the Act.

Requirements and processes to be documented within the RMCP:

- Client account opening information.
- Transaction records must be sufficient to enable the transaction to be reconstructed and include the amount, currency, date of transaction, parties to the transaction, the nature of the transaction, pertinent or relevant business correspondence and also the identifying particulars of all accounts and account files related to the transaction if the accountable institution provides account facilities.
- Records must be readily available to the FIC.
- Records must be easily accessible by the AI.
- Records must be capable of being produced in a legible format.
- Records must be tamper proof and access controlled.
- If records are stored by a third party, notification must be provided to the FIC and the AI must regularly assess the third party to test its capability to provide access and records timeously.

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 47**        | Failure to keep       | Administrative        |
|                       | records in terms of   | Sanction:             |
|                       | Section 22, 23, 24    |                       |
|                       |                       | Up to R10 000 000     |
|                       |                       | (Natural Person)      |
|                       |                       |                       |
|                       |                       | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
+-----------------------+-----------------------+-----------------------+

### Reporting obligations

Sections of the FIC Act impose an obligation on any person who carries on a business, is in charge of or manages a business, or is employed by a business to report certain transactions to the FIC.
The FIC utilises the transactional and other data received from businesses and accountable and reporting institutions to conduct analysis and create financial intelligence reports. Where necessary and upon request, this information is shared with local and international partners in the law enforcement environment and with the South African Revenue Service (SARS).

What makes a good regulatory report:

  ------------ ---------------------------------------------------------------------------------------
  **Who?**     The subject, its association, and relationships
  **What?**    The transaction or activity
  **When?**    Date of detection
  **Where?**   Location of the client and where the transaction occurred
  **How?**     Describe how the activity/transaction was completed
  **Why?**     Result of your investigation into why the activity/transaction is reported/suspicious
  ------------ ---------------------------------------------------------------------------------------

**Reporting to the FIC**

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 50**        | An AI, reporting      | Administrative        |
|                       | institution or person | Sanction:             |
|                       | that is required to   |                       |
|                       | make a report in      | Up to R10 000 000     |
|                       | terms of section 29   | (Natural Person)      |
|                       | that fails to inform  |                       |
|                       | the Centre in         | Up to R50 000 000     |
|                       | accordance with       | (Legal Person)        |
|                       | section 27            |                       |
|                       |                       | Criminal Sanction:    |
|                       |                       | imprisonment for a    |
|                       |                       | period not exceeding  |
|                       |                       | 15 years or to a fine |
|                       |                       | not exceeding R100    |
|                       |                       | million.              |
+-----------------------+-----------------------+-----------------------+

**Cash Threshold Reporting (CTRs)**

- Duty to report all cash transactions over the prescribed amount (R49 999.99), i.e., funds paid out to or received from a client.
- **Section 28 of the FIC Act, Regulation 22B and C, Guidance Note 5B**
- Duty to report applies to aggregated amounts adding up to R24 999.99 within a 24-hour period in respect of the client. An amendment is pending to increase the reportable cash transaction amount from R24 999 to R49 999.
- Reports are made via the GoAML platform.
- Report CTRs as soon as possible but no later than 3 days after becoming aware of the transaction exceeding the prescribed limit.
- Cash includes coin and paper money of the Republic or of another country that is designated as legal tender, as well as traveller's cheques.

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 51**        | Failure to report     | Administrative        |
|                       | cash transactions     | Sanction:             |
|                       |                       |                       |
|                       |                       | Up to R10 000 000     |
|                       |                       | (Natural Person)      |
|                       |                       |                       |
|                       |                       | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
|                       |                       |                       |
|                       |                       | Criminal Sanction:    |
|                       |                       | imprisonment for a    |
|                       |                       | period not exceeding  |
|                       |                       | 15 years or to a fine |
|                       |                       | not exceeding R100    |
|                       |                       | million.              |
+-----------------------+-----------------------+-----------------------+

**Terrorist Property Reporting (TPRs)**

- A TPR is made when the accountable institution becomes aware that it holds a customer that is designated by the United Nations Security Council (UNSC) (as proclaimed by the President of South Africa in a Government Gazette in terms of Section 25 of the POCDATARA Act).
- Applicable to accountable institutions only.
- UN Security Council Resolutions are the only sanctions lists legally recognised in SA (however, an accountable institution may well screen persons against other sanctions lists in line with its risk appetite).
- The report must be made as soon as possible but no later than five (5) days after a natural person who is an accountable institution, or is in charge of, manages or is employed by an accountable institution, has established that the accountable institution has property associated with terrorist and related activities in its possession or under its control, unless the Centre has approved the report being sent after the expiry of this period.

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 51A**       | Failure to report     | Administrative        |
|                       | property associated   | Sanction:             |
|                       | with terrorist and    |                       |
|                       | related activities    | Up to R10 000 000     |
|                       | and financial         | (Natural Person)      |
|                       | sanctions pursuant to |                       |
|                       | Resolutions of United | Up to R50 000 000     |
|                       | Nations Security      | (Legal Person)        |
|                       | Council (Section 28A  |                       |
|                       | (1) (2) and (3))      | Criminal Sanction:    |
|                       |                       | imprisonment for a    |
|                       |                       | period not exceeding  |
|                       |                       | 15 years or to a fine |
|                       |                       | not exceeding R100    |
|                       |                       | million.              |
+-----------------------+-----------------------+-----------------------+

**Suspicious Transaction Reporting (STRs)**

Section 29 of the FIC Act refers to reports being made in connection with suspicions concerning the proceeds (received or about to be received) of unlawful activities and money laundering or terror financing offences, as opposed to criminal activity in general. An AI must submit such reports in the prescribed manner within 15 days.

Some examples of red flags for STRs:

- A customer provides insufficient, vague, or suspicious information concerning a transaction
- Accounts that show unexpectedly large cash deposits and immediate withdrawals
- A frequent exchange of small denomination notes for larger denomination notes
- Involvement of significant amounts of cash in circumstances that are difficult to explain
- Unwarranted involvement of structures such as trusts and corporate vehicles in transactions
- A transaction seems to be unusually large or otherwise inconsistent with the customer's financial standing or patterns of usual activities
- Buying or selling securities with no apparent concern for making a profit or avoiding a loss
- Performing similar transactions (i.e., cash deposits) at multiple branches of the same institution on the same business day
- Performing transactions in a manner that attempts to conceal the underlying client and/or the ultimate beneficiary of the transaction.
+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 52**        | Failure to report     | Administrative        |
|                       | suspicious and        | Sanction:             |
|                       | unusual transactions  |                       |
|                       |                       | Up to R10 000 000     |
|                       |                       | (Natural Person)      |
|                       |                       |                       |
|                       |                       | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
|                       |                       |                       |
|                       |                       | Criminal Sanction:    |
|                       |                       | imprisonment for a    |
|                       |                       | period not exceeding  |
|                       |                       | 15 years or to a fine |
|                       |                       | not exceeding R100    |
|                       |                       | million.              |
+-----------------------+-----------------------+-----------------------+

**Suspicious Activity Report (SAR)**

- A SAR must be submitted within 15 days when the suspicion relates to the proceeds of unlawful activity, money laundering activity, or a contravention of the prohibitions under section 26B. The FIC has, however, clarified that STRs and SARs must be reported as soon as possible and that the reporting period should not exceed 15 days. The 15-day period is the outermost date and is not a target date for reporting.
- A SAR is submitted where the suspicion does not relate to a transaction conducted between two or more persons.
- A SAR is submitted for inquiries about a transaction which has not yet been made.
- A SAR can be submitted in respect of a suspicious transaction which has been abandoned or not completed.

Between 2015 and 2021, the FIC recovered over 3.3 billion rand through the reporting of suspicious acts, and 613 million rand has been frozen.

**Terrorist Financing Activity Report (TFAR)**

A TFAR must be submitted when a suspicion relates to terrorist financing and in relation:

- to an activity which does not involve a transaction between two or more parties; or
- to a transaction about which enquiries have been made but which was not completed and may have been aborted, attempted, interrupted, or cancelled.

**Electronic Funds Transfer Reporting**

- Section 31 of the FIC Act.
- Duty to report all electronic transfers that send money in excess of a prescribed amount out of the Republic or receive money in excess of a prescribed amount from outside the Republic on behalf, or on the instruction, of another person.
- Report via the GoAML platform.

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 56**        | Failure to report     | Administrative        |
|                       | electronic fund       | Sanction:             |
|                       | transfers (Section    |                       |
|                       | 31)                   | Up to R10 000 000     |
|                       |                       | (Natural Person)      |
|                       |                       |                       |
|                       |                       | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
|                       |                       |                       |
|                       |                       | Criminal Sanction:    |
|                       |                       | imprisonment for a    |
|                       |                       | period not exceeding  |
|                       |                       | 15 years or to a fine |
|                       |                       | not exceeding R100    |
|                       |                       | million.              |
+-----------------------+-----------------------+-----------------------+

**International Fund Reports (IFTR)**

Commencement of section 31 of the FIC Act, which will allow for the reporting of International Funds Reports (IFTRs), is pending. IFTRs will provide for the reporting of cross-border transactions above R5000 and must be filed within 72 hours. The publication of the draft amendments to the Regulations which deal with this section is a step towards this section coming into effect. The objective of this section is to ensure that information relating to cross-border electronic funds transfers is reported to the Centre through the submission of an IFTR, to enhance the FIC's ability to analyse information concerning financial flows which, in turn, strengthens its ability to detect possible suspicious or unusual activity and to disseminate the relevant information to investigating and prosecuting authorities.

*Note there is a draft directive and guidance note amendment, key aspects of which are detailed below:*

- Directive 1 of 2022 deals with industry-specific application of the requirements for processing electronic funds transfers as per Recommendation 16 of the Financial Action Task Force (FATF).
- The Draft Guidance Note 102A provides guidance on the conduct of accountable institutions relating to electronic funds transfers in South Africa, as required in Directive 1 of 2022. The intention is to align the regimes for combating money laundering and terrorist financing to the FATF Recommendations.
- The FIC together with the National Payment System Department (NPSD) of the South African Reserve Bank jointly published Draft Guidance Note 102A for a second round of consultation.
- The limit above which a report needs to be made is R10,000.

### Section 43: Training

An AI must provide ongoing training to its employees to enable them to comply with the provisions of this Act and the Risk Management and Compliance Programme. Training is imperative for ensuring that all the AI's employees are aware of their duties, so that the AI is less vulnerable to being abused for the facilitation of funds linked to money laundering or terrorist financing activities. Training should be conducted in respect of all aspects of the RMCP, from how to conduct customer due diligence, to identifying and reporting suspicious and unusual activity, to understanding the risks associated with various products and being able to perform ongoing due diligence and escalate matters where necessary. Training must be ongoing, and the material revised often to ensure that it stays current and incorporates any changes to the AI's business and standard operating procedures.
+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 62**        | Failure to provide    | Administrative        |
|                       | training to employees | Sanction:             |
|                       |                       |                       |
|                       |                       | Up to R10 000 000     |
|                       |                       | (Natural Person)      |
|                       |                       |                       |
|                       |                       | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
+-----------------------+-----------------------+-----------------------+

### Registration with the FIC

Registration with the Financial Intelligence Centre (FIC) is a legal requirement in terms of the FIC Act, as amended, and applies to all accountable and reporting institutions listed in Schedules 1 and 3 of the FIC Act, respectively, in order to fulfil various FIC Act compliance obligations.

- Persons who commence new businesses which are regarded as accountable or reporting institutions are required to register with the Centre within 90 days from the date the business commenced.
- All registrations must be completed and submitted to the FIC electronically within the prescribed period using the [GoAML registration system](https://goweb.fic.gov.za/goAMLWEb_PRD/Home). In exceptional circumstances an accountable or reporting institution may make use of a manual paper-based mechanism to register.
- There is **no cost** to register the business.
+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| **Section 61A**       | Failure to register   | Administrative        |
|                       | with the FIC          | Sanction:             |
|                       |                       |                       |
|                       |                       | Up to R10 000 000     |
|                       |                       | (Natural Person)      |
|                       |                       |                       |
|                       |                       | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
+-----------------------+-----------------------+-----------------------+

### Other Offences and Penalties

+-----------------------+-----------------------+-----------------------+
| **PENALTIES FOR       |                       |                       |
| NON-COMPLIANCE**      |                       |                       |
+=======================+=======================+=======================+
| **SECTION**           | **COMMENTARY**        | **PENALTY**           |
+-----------------------+-----------------------+-----------------------+
| Section 49(A)         | Contravention of      | Administrative        |
|                       | prohibitions relating | Sanction:             |
|                       | to persons and        |                       |
|                       | entities identified   | Up to R10 000 000     |
|                       | by Security Council   | (Natural Person)      |
|                       | of United Nations,    |                       |
|                       | failure to comply     | Up to R50 000 000     |
|                       | with Section 26B      | (Legal Person)        |
|                       |                       |                       |
|                       |                       | Criminal Sanction:    |
|                       |                       | imprisonment for a    |
|                       |                       | period not exceeding  |
|                       |                       | 15 years or to a fine |
|                       |                       | not exceeding R100    |
|                       |                       | million.              |
+-----------------------+-----------------------+-----------------------+
| Section 58            | Failure to comply     | Administrative        |
|                       | with direction from   | Sanction:             |
|                       | the FIC (34)(1)       |                       |
|                       |                       | Up to R10 000 000     |
|                       |                       | (Natural Person)      |
|                       |                       |                       |
|                       |                       | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
|                       |                       |                       |
|                       |                       | Criminal Sanction:    |
|                       |                       | imprisonment for a    |
|                       |                       | period not exceeding  |
|                       |                       | 15 years or to a fine |
|                       |                       | not exceeding R100    |
|                       |                       | million.              |
+-----------------------+-----------------------+-----------------------+
| Section 61 B          | Failure to comply     | Administrative        |
|                       | with governance       | Sanction:             |
|                       | requirements relating |                       |
|                       | to the board/senior   | Up to R10 000 000     |
|                       | management ensuring   | (Natural Person)      |
|                       | compliance,           |                       |
|                       | non-appointment of a  | Up to R50 000 000     |
|                       | suitable person (42A  | (Legal Person)        |
|                       | (1), 42A (2) (42A (3) |                       |
|                       | or (42(A)(4)          |                       |
+-----------------------+-----------------------+-----------------------+
| Section 62(E)         | An AI that fails to   | Administrative        |
|                       | comply with a         | Sanction:             |
|                       | directive of the      |                       |
|                       | Centre or a           | Up to R10 000 000     |
|                       | supervisory body in   | (Natural Person)      |
|                       | terms of section 43A  |                       |
|                       | (3) or 45C(3)(c)      | Up to R50 000 000     |
|                       |                       | (Legal Person)        |
|                       |                       |                       |
|                       |                       | Criminal Sanction:    |
|                       |                       | imprisonment for a    |
|                       |                       | period not exceeding  |
|                       |                       | 15 years or to a fine |
|                       |                       | not exceeding R100    |
|                       |                       | million.              |
+-----------------------+-----------------------+-----------------------+
| Section 64            | Conducting            |                       |
|                       | transactions to avoid |                       |
|                       | reporting duties      |                       |
+-----------------------+-----------------------+-----------------------+
| Section 68(1) | \(1) A person