8 July 2024: Legal practitioners, as account­able institutions must develop, maintain and implement a risk management and compliance programme (RMCP) for combating money laundering, terrorist financing and proliferation financing (ML, TF and PF).

In terms of the Financial Intelligence Centre Act (FIC Act), having an RMCP in place is a legislative requirement for all accountable institutions, including legal practitioners.

An RMCP captures the institution’s understanding of their assessment and exposure to risks of ML, TF and PF, and details what measures they will take to identify, manage and mitigate these risks.

The accountable institution’s RMCP must address all the requirements out­lined in section 42 of the FIC Act. These include policy documents, processes, systems and controls employed in customer due diligence (identification and verification of clients), record keeping, reporting, ap­plication of the risk-based approach and related training of employees.

Legal practitioners and all accountable institutions can capture their RMCP in documentation along the follow­ing themes:

• RMCP governance
• Money laundering, terrorist financing and proliferation financing risks as­ sessment and risk-rating framework
• Customer due diligence controls
• Targeted financial sanctions controls aimed at combating terrorist financing and proliferation financing
• Controls related to politically exposed persons
• Account monitoring
• Reporting controls
• Record-keeping controls.

The RMCP should be drafted and im­plemented and based on the ML, TF and PF risks encountered specific to the indi­vidual institution. The RMCP documen­tation must be updated on an ongoing basis.

Risk assessments

In achieving a risk-based approach, ac­countable institutions must identify, assess, monitor, mitigate and manage the risk of ML, TF and PF. The account­ able institution should conduct an entity wide anti-money laundering, counter ter­rorist financing and counter proliferation financing risk assessment prior to drafting their RMCP.

There are three types of risk assess­ments:

• A business level risk assessment: This assessment must be conducted at the outset, referred to as the entity wide anti-money laundering, counter terror­ist financing and counter proliferation financing risk assessment.
• A product and services risk assessment: The institution must document how it would determine the ML, TF and PF risk weightings of the products and services offered. This should be updat­ed when new products or services are introduced and to be offered to clients.
• A client level risk assessment: The in­stitution must indicate the ML, TF and PF risks different business relation­ships or single transactions pose. The accountable institution must demon­strate that it has conducted client-level risk assessments before establishing a business relationship or a single trans­action. A client-level risk assessment is used to determine the level of cus­tomer due diligence required, whether it is simplified due diligence, normal due diligence, or enhanced due dili­gence, and the associated compliance controls.

Refer to public compliance communi­cation 53 (PCC 53) for an example of a cli­ent-risk assessment matrix. Guidance Note 7 also explains each of the risk factors which include client type, the delivery channel, geographic location, products and services.

Entity-wide business risk assessment

Legal practitioners must apply the risk assessment by taking into account the operational factors such as their busi­ness’ nature and size, products or servic­es offered, and their geographic location. As an example, the business risk assess­ment of a law firm that provides only con­veyancing services, would be different to that of a law firm that offers civillitiga­tion.

The RMCP for an accountable institu­tion which does not provide a wide range of products and/or services could be rela­tively simple. Complex institutions offer­ing a wide range of products and services or which deal with a diverse range of cli­ ents would be expected to have a more complex and multifaceted RMCP.

Reporting suspicious and unusual transactions

As part of their FIC Act obligations, legal practitioners must identify and report to the FIC transactions or activities deemed to be suspicious and unusual. The FIC analyses this information to develop fi­nancial intelligence, which it shares with law enforcement, prosecutorial and other competent authorities for their investigations and applications for asset forfei­ture.

The person filing a suspicious and un­usual transaction report (STR) or suspi­cious activity report (SAR) does not have to prove that the funds or activity involved are linked to a crime.

STRs and SARs can be based on sub­jective suspicion and there is no mone­tary threshold applicable when filing an STR. The transaction or activity must be reported, irrespective of the amount of money involved.

When a transaction has not been con­cluded, but the client’s behaviour leads to the suspicion that the legal practitioner’s firm may be abused for money laundering, terrorist financing or proliferation fi­nancing, this must be reported in an SAR. All STRs and SARs must be submitted without delay, and no later than 15 days after a business be­ comes aware and/or suspicion is raised regarding an activity or transaction. The report must be filed via the FIC’s on­line registration and reporting platform, called goAML. Filing either of these reports does not prevent a business from continuing with the transaction.

A person involved in making a report may not inform anyone, including the cli­ent or any other person associated with a reported transaction, of the contents of a suspicious transaction or activity report, or that a report has been made. Legal practitioners should consult Guidance Note 4B for more information.

Risk indicators

When monitoring payment for legal ser­ vices and client activity for suspicious and unusual activity, there are some indicators of possible criminal behaviour which may be flagged for consideration:

• Anonymity of clients and transactions that are complex in nature for which legal advice is provided.
• High-risk customers and jurisdictions, such as clients linked to institutions or jurisdictions on the targeted financial sanctions lists.
• Clients introduce complex legal struc­tures to avoid detection, ownership, sources and control of illicit proceeds of crime. For more information about complex legal structures and beneficial owners, consult PCC 59 on beneficial ownership.
• Clients who offer to pay extraordinary fees for services that would not war­ rant such fees.
• Payments from non-associated or un­ known third parties or atypical pay­ments of fees in cash
• Legal practitioners, including those act ing as financial intermediaries, physi­cally handle the receipt and transmission of funds through accounts they control, they may be requested to transfer property between parties in an unusually short period.
• The client uses multiple bank accounts or foreign accounts without good rea­ son.
• Involvement of foreign politically ex­ posed persons or domestic politically exposed persons in instances where the entity, structure or relationships of the client make it difficult to iden­tify its beneficial owner or controlling interests. Consult PCC 51.
• Instances where clients, for no appar­ent reasons, change the way in which transactions are concluded or change their instructions to the legal practi­tioner on short notice or in a manner that does not make economic sense.

Consult the FIC’s sector risk assessment for legal pracitioners for further in­ formation. For guidance on the interpretation of legal practition­ers in terms of the FIC Act and further risk indicators refer to PCC 47A. All documents in this article are available on the FIC website.

The FIC’s compliance contact centre can be reached on +27 12 641 6000 or log an online compliance query by clicking on compliance queries.