More than two years ago, South Africa was found to have insufficiently addressed money laundering and terrorist financing, leading to its greylisting by the Financial Action Task Force (FATF). This greylisting has significant economic and reputational consequences for any country, prompting South Africa to set a deadline of January 2025 to fulfil all requirements for removal from the greylist.
Unfortunately, two action items remain unresolved following the latest plenary meetings in France in February 2025. One item requires South Africa to demonstrate a sustained increase in the investigations and prosecutions of serious and complex money laundering, particularly those involving professional money laundering networks/enablers and third-party money laundering, aligned with its risk profile. Additionally, South Africa must show a sustained increase in the effective identification, investigation, and prosecution of the full spectrum of terrorist financing activities, consistent with its risk profile. As a result of missing the deadline, we have now entered our first four-month rolling review cycle (from March to June 2025) with the FATF.
In a media statement, Treasury committed to addressing both outstanding action items by June 2025 to facilitate our exit from the greylist by October 2025. With the next reporting deadline approaching, it is unsurprising that we are experiencing increased compliance sanctions from the Financial Intelligence Centre (FIC) and the Financial Sector Conduct Authority (FSCA), aimed at demonstrating to the FATF that sufficient action is being taken against non-compliance. This serves as a stern warning to all TCSPs to comply immediately with the aspects discussed below, at least before the end of May 2025, which will allow the FIC to prepare for the next FATF review in June 2025.
Guidance from fines already issued
Several Designated Non-Financial Businesses and Professions (DNFBPs), a relatively new category of persons and entities obligated to comply with the FIC Act, have already faced administrative sanctions for non-compliance. The FIC included TCSPs in this new category of ‘accountable institutions’, as, due to the unique nature of the services they offer, they are vulnerable to abuse by entities seeking to misuse corporate structures to facilitate the movement of illicit funds.
These sanctions arose from failures to adhere to FIC directives and the provisions of the FIC Act, such as submitting Risk and Compliance Returns (RCRs) and developing and implementing a Risk Management and Compliance Programme (RMCP). Some published examples include Capital Point Properties (for failing to develop and implement an RMCP, scrutinise clients against the targeted financial sanctions list, and comply with Directive 6, which requires certain accountable institutions to file an RCR), Alpha Trust (for non-compliance with Directive 6, requiring the submission of an RCR), KR Inc (for failing to comply with Directives 1, 2, and 4 regarding registration details on the goAML system, non-compliance with Directive 6, which mandates certain accountable institutions to file an RCR, and for sharing login credentials), the life insurers Sanlam Life and Fedgroup Life (for weaknesses in their money laundering control measures), and most recently Ninety One Fund Managers SA (for having a “technically deficient” and poorly implemented RMCP, particularly in risk-rating its clients, among other shortcomings of the FIC Act). This list should guide trust and company service providers who have not yet complied with their ‘new’ obligations to comply immediately, some of which are discussed below.
Register with the FIC as ‘Accountable Institution’
If you or your business qualifies as an ‘accountable institution’, you are obligated to register with the FIC. Failing to do so does not imply that you will be exempt from oversight. Non-registration will result in sanctions imposed by the FIC. The FIC statistics clearly indicate that many TCSP ‘accountable institutions’ have not yet registered, including accountants, attorneys, financial advisors, and other service providers offering the envisaged services as a business. Since the FIC’s net is quite wide, any service provider dealing with companies and trusts should verify the types of activities they perform against the qualifying criteria set forth by the FIC. Schedule 1 (item 2) to the FIC Act and Public Compliance Communication 6A (PCC 6A) provide practical guidance on this topic.
Submit RCR
The FIC realised that DNFBPs, as a new ‘accountable institution’ type, are unaware of the money laundering and terrorist financing risks they face, making this sector and South Africa vulnerable to exploitation by criminals. Therefore, they developed the RCR to address this gap. The FIC believes that RCRs are integral to ensuring that businesses understand how they can be used for laundering proceeds acquired through criminal activities. According to the FIC, “Filing a RCR is thus central to ensuring that businesses survive and are robust in the fight against financial crime.”
The RCR is a questionnaire that assists businesses in identifying the risks they face from money laundering and terrorist financing abuse. The FIC uses its risk and compliance assessment analysis tool to evaluate the RCRs it receives, identifying DNFBPs at higher risk of money laundering and terrorist financing.
Directive 6 was issued on March 31, 2023, obligating TCSPs to submit an RCR to the FIC by May 31, 2023. Directive 6 requires legal practitioners, estate agents, trust service providers, company service providers, and casinos to complete and submit their RCRs online via the FIC’s website. The deadline for these submissions was May 31, 2023. For those TCSPS who have not yet submitted the RCR, they must do so immediately on the FIC portal. Non-compliance will be dealt with harshly, as they are quoted as saying, “It is inevitable that the longer the non-compliance persists, the harsher the financial penalties will become.”
Submit RMCP
All ‘accountable institutions’, including trust and company service providers, must implement an RMCP. This structured framework of policies, procedures, and controls is designed to identify, assess, and mitigate risks, ensuring that an organisation adheres to relevant laws, regulations, and internal policies. The FIC requires ‘accountable institutions’ to indicate client types along with the degree of risk for money laundering, terrorist financing, and proliferation financing. This assists TCSPs in applying varying degrees of verification during onboarding and ongoing relationships.
The RMCP helps TCSPs understand their business environments while implementing risk mitigation measures and controls to protect their businesses. The risk-based approach includes identifying various client types, determining what additional measures must be in place, and outlining what training their teams need to deal with such behaviours. The RMCP must be documented, kept updated, and implemented. Staff should understand the RMCP, as they are the ones at the coalface of the business.
On March 4, 2025, the FIC issued a notification requesting all ‘accountable institutions’ supervised by it to submit a copy of the documentation describing their RMCP to the FIC on or before the close of business on Wednesday, 12 March 2025, in terms of section 42(4)(a) of the FIC Act 38 of 2001. The FIC advised that failure to comply with this request by March 12, 2025, would constitute non-compliance and might lead to administrative sanctions being imposed, including a financial penalty in terms of section 45C of the FIC Act.
TCSPs who have not met the deadline to submit their RMCPs as per the above notification are urged to do so immediately to avoid further penalties. The FIC reminded accountable institutions that non-submission of the RMCP constitutes non-compliance with the FIC Act. The FIC, however, warns ‘accountable institutions’ not to merely submit a deficient RMCP and assume that will tick the compliance box. The FIC warned that the RMCP will be tested against legislative requirements through inspections and compliance monitoring.
Therefore, TCSPs should ensure that the required attention is given when compiling the RMCP.
The FIC confirmed in a media statement on May 7, 2025, that “RMCPs are fundamental to protecting accountable institutions and ultimately, the integrity of our financial system.” The FIC reiterated that “Accountable institutions who are in default must immediately submit their outstanding RMCPs electronically to the FIC on the goAML platform.”
Communication from FIC on goAML
goAML is an integrated software solution that the FIC uses for registration, reporting, data collection, analysis, case management, and secure communications. It is essentially the FIC’s preferred IT platform for handling its daily operations. ‘Accountable institutions’ were strongly urged by the FIC to consult and monitor the FIC goAML message board daily (under their Org ID profile as registered with the FIC) to immediately attend to outstanding RMCP and other requests from the FIC.
Conclusion
South Africa’s greylisting signalled that the country’s effectiveness in combating financial crimes, such as money laundering and terror financing, was below international standards. This resulted in increased scrutiny from international regulators, along with reputational and economic damages. It is understandable that the government is implementing measures to convince the FATF that sufficient actions are being taken for the country to exit the greylist.
If South Africa is not delisted by October 2025, it will be required to continue reporting to the FATF Africa Joint Group every four months until all action items are addressed. This situation would not bode well for the country. The RCRs and RMCPs are critical documentary evidence that the FIC must demonstrate to convince the FATF that the country has a sufficient handle on money laundering and terrorist financing. TCSPs, therefore, have no choice but to comply and visit goAML as a daily routine to stay out of trouble.
* Van der Spuy is a Chartered Accountant with a Masters’s degree in tax and a registered Fiduciary Practitioner of South Africa®, a Chartered Tax Adviser, a Trust and Estate Practitioner (TEP), and the founder of Trusteeze®, the provider of a digital trust solution.
PERSONAL FINANCE
