FIC Act obligations

The FIC Act introduces a regulatory framework of measures requiring certain categories of business to fulfil compliance obligations. These compliance obligations are critical to assisting in identifying and disrupting money laundering, terrorist and proliferation financing. The FIC Act deems these categories of business, called accountable institutions, as being vulnerable to being abused by criminals for money laundering and terrorist financing purposes.

All FIC Act compliance obligations are premised on institutions implementing a risk-based approach to combating money laundering and terrorist financing. Refer to the Reference guide for all accountable institutions for more information on the FIC Act obligations.

Compliance obligations for accountable institutions:

Registering with the FIC

Registration with the FIC enables accountable institutions to submit regulatory reports to the FIC. Accountable institutions are required to register with the FIC within 90 days from the date the business commenced with their operations.

Registrations must be completed and submitted to the FIC electronically using the online registration and reporting system called goAML. Registration with the FIC is free. The failure to register with the FIC or the failure to update registration information when it has changed are offences and may result in a fine not exceeding R10 million. Refer to Guidance Note 7 and PCC 5D. Also consult the FIC’s registration user guide.

Submitting regulatory reports to the FIC

Sections of the FIC Act impose obligations on accountable institutions to file regulatory reports to the FIC. The FIC uses the transactional and other data received from businesses and accountable institutions to conduct analysis to create financial intelligence reports. Where necessary and upon request, this information is shared with local and international partners in the law enforcement agencies, investigative agencies and other supervisory bodies.

The FIC obtains financial intelligence and other data in the form of reports. The three main reporting streams are:
Cash threshold reports (CTRs): On transactions i.e. cash received or issued exceeding R49 999.99. Refer to Guidance Note 5C.
Terrorist property reports (TPRs): Where transaction match with one or more parties on the listings in respect of resolution adopted under Chapter VII of the Charter of the United Nations. These lists are referred to as the targeted financial sanctions list (TFS list). Refer to Guidance Note 6A.
Suspicious and unusual transaction reports (STRs): On transactions that are unusual or arouse suspicion in terms of money laundering or terrorist financing activities. Refer to Guidance Note 4B.
International funds transfer reports (IFTRs): Accountable institutions that may legally conduct cross-border transactions must report transactions above the threshold of R19 999.99. Refer to draft Guidance Note 104A.

Implementing a risk-based approach

A risk-based approach requires business to understand the money laundering, terrorist financing and proliferation financing risks to which they are exposed at an institutional level and at a client level. Using this approach, accountable institutions must identify, assess, monitor, mitigate and manage the risk that their products or services may be abused by criminals for money laundering, terrorist financing and proliferation financing purposes. Refer to Guidance Note 7 and PCC 53.

Developing a risk management and compliance programme

Section 42 of the FIC Act requires all accountable institutions to have in place a risk management and compliance programme (RMCP). An RMCP documents the identified money laundering, terrorist and proliferation financing risks the institution faces, and how it will deal with these risks. An institution’s RMCP must contain the institutional risk assessment, policy documents, and detail all the processes, systems and controls used for aspects such as customer due diligence, record keeping, reporting, and how the risk-based approach will be applied across the institution. Refer to PCC 53, Guidance Note 7, and draft Guidance Note 7A.

Establishing beneficial ownership

Accountable institutions are required to establish who is the beneficial owner of the legal person, partnership or trust and take reasonable steps to verify the beneficial owner’s identity. Beneficial ownership refers to the natural person(s) who owns or exercises effective control over the client of the accountable institution. Beneficial ownership applies to legal persons, partnerships, and trusts. Refer to Guidance Note 7.

Conducting customer due diligence

All accountable institutions must identify and verify their clients. Customer due diligence (CDD) refers to the knowledge that an accountable institution has about its clients and the institution’s understanding of the business that the client is conducting with it. The level of identification and verification must be determined in line with the client’s risk profile. Refer to Guidance Note 7.

Scrutinise clients against targeted financial sanctions list

Accountable institutions must determine whether they have a sanctioned person or entity as a client or whether a prospective client is a sanctioned person or entity. This is to determine their exposure to targeted financial sanctions (TFS) obligations in terms of the FIC Act.

Screening against the relevant sanctions lists should be done during the client-take-on process and when the UNSC adopts new TFS measures or expand existing ones. The TFS list which can be found on the FIC website, is updated without delay, and includes a search tool. Visit the TFS page for more information or refer to PCC 44 and PCC 54.

Determine whether clients are politically exposed persons

Accountable institutions are required to determine whether their client is a foreign politically exposed person, domestic politically exposed person, or domestic prominent influential person. Refer to PCC 51 on the topic. Further compliance controls are required for these specific categories of clients and can be found in the FIC Act.

Transaction monitoring

An accountable institution must understand the purpose and intended nature of a business relationship. This includes the scrutiny of transactions throughout the course of the relationship to ensure the transactions are consistent with an accountable institution’s knowledge of the client, and the client’s business and risk profile, including where necessary the source of funds. Refer to Guidance Note 7.

Keeping records of customer transactions

Accountable institutions must keep records of client information, transactional information and regulatory reports filed with the FIC. These records must be kept for at least five years from the date on which the business relationship was terminated, five years from the date that a single once-off transaction was concluded, or a regulatory report submitted to the FIC. Accountable institutions must document their record keeping process in their RMCP. Refer to Guidance Note 7.

Appointing a compliance officer

To assist management in discharging their obligations in terms of the FIC Act, they must appoint a compliance function including a compliance officer who has sufficient competency and seniority to ensure effectiveness. Refer to Guidance Note 7A .

Training employees on how to comply with the FIC Act

Ongoing training on the FIC Act as well as the accountable institution’s RMCP must be provided to the institution’s employees at regular intervals as specified in the RMCP. A copy of the training material should be kept and be made available to your supervisory body upon request. Refer to Guidance Note 7A.


Sign up to receive the latest updates and information from the FIC.