Accounting Practices as Accountable Institutions: Building an RMCP and Applying a Risk-Based Approach
As an accounting practice registered with the Financial Intelligence Centre (FIC), you are legally obligated to combat money laundering, terrorist financing, and other financial crimes. Two critical responsibilities are developing a Risk Management and Compliance Programme (RMCP) and adopting a Risk-Based Approach (RBA).
1. The Risk Management and Compliance Programme (RMCP)
The RMCP is a tailored programme outlining how your practice identifies, assesses, and mitigates the risks associated with financial crime. It is a legal requirement that protects your practice and clients, helping to ensure that you comply with regulations while safeguarding your business from reputational damage.
Your practice’s RMCP should include information on how you:
Identify and handle high-risk clients,
Ensure client due diligence,
Monitor transactions, and
Report suspicious activities to the FIC.
What is in the RMCP?
Assign clear compliance roles, including appointing a compliance officer and ensuring senior management involvement.
Document your practice's risks based on client types, services offered, and geographic exposure.
Document how you handle high-risk clients and suspicious transactions.
Specify that you document suspicious activity, report it to the FIC, and maintain comprehensive records.
Examples of Risks in Accounting Practices
Criminals may approach you requesting services that seem above board. Understanding the risks of specific services can prevent you from unknowingly becoming an accomplice in criminal activity. The FATF Guidance for a Risk-Based Approach for Accounting Practices provides a list of risks accountants may encounter. These include:
Forming shell companies and trusts
When forming a company or trust for a client, be aware that criminals may request the creation of shell companies or trusts to obscure beneficial ownership and hide illicit funds. A shell company is essentially a business that exists only on paper and doesn’t operate. It can be used to hide who owns it (the "beneficial owner") and where the money is coming from. This is often done to conceal illegal money or avoid detection by authorities.
Facilitating illegal transactions
Large, unusual financial transactions, such as moving funds across borders without legitimate business reasons, may be an attempt to launder money.
Financial and tax advice to evade taxes
Criminals may use accountants to place assets out of reach to avoid liabilities, such as hiding proceeds of crime through offshore accounts or complex tax structures.
Integrating illicit funds through property transactions
Buying or selling property may be a method of integrating illicit funds into the financial system.
Misuse of trust accounts
Criminals may use accountants’ client accounts for cash deposits or withdrawals or to make unusual payments that mask illicit activities.
Implementing an RMCP
A small accounting firm’s RMCP should be straightforward, while a larger firm may require a more detailed document.
Integration with daily operations is key. Required verifications and checks should be embedded into the company's workflows, and staff should be trained on implementing the RMCP.
Keep the RMCP updated. Review at least annually or whenever changes to services, clients, or regulations occur.
2. Implementing a Risk-Based Approach (RBA)
An RBA allows you to focus your resources on areas where the risks are highest. Not all clients or transactions present the same level of risk, so resources should be prioritised where they are most needed. This targeted approach ensures compliance while minimising disruption to low-risk clients.
What is a Risk-Based Approach?
Implementing a risk-based approach helps practices focus on areas with the highest risk of illegal activities, such as money laundering or terrorist financing. It involves identifying and assessing risks and categorising them as high, medium or low based on the likelihood of financial crime. It also includes applying appropriate mitigation strategies in line with the risk rating.
Examples of Risk Factors in an RBA
Client Risks:
Politically Exposed Persons (PEPs), senior government officials or their families may present higher risks due to the potential for corruption or misuse of funds.
High-net-worth individuals with complex financial arrangements, such as offshore trusts, can obscure the source of funds.
If a client falls into these categories, the risks of services provided to this person will increase, resulting in more detailed checks and verifications.
Service Risks:
Criminals may acquire your services to hide income or evade taxes.
High-risk clients may request trust and company formation services to hide ownership or transfer illicit funds.
Geographic Risks:
Clients or transactions linked to jurisdictions with weak anti-money laundering (AML) controls, i.e. jurisdictions under ‘greylisting’.
Transactions involving countries under international sanctions or known for high levels of corruption.
Transaction Risks:
Large cash transactions, or multiple small transactions designed to avoid reporting thresholds (structuring).
Unusual payment methods, such as using cryptocurrencies without clear justification.
Significant cross-border transfers without a clear business purpose.
Steps to Apply a Risk-Based Approach
Risk Assessment
Analyse your client profiles, transaction history, and geographic connections to identify potential red flags.
Risk Categorisation of Clients
Low-risk clients or services with no complex structures or significant financial activity.
Medium-risk clients with moderate financial activity or services that involve some complexity.
High-risk clients include politically exposed persons and those involved in cross-border transactions or services involving jurisdictions with weak anti-money laundering controls.
Controls and Mitigation
Conduct enhanced due diligence for high-risk clients, including verifying the source of wealth and monitoring transactions more frequently.
For low-risk clients, implementing more straightforward checks, such as primary identity verification, may suffice.
Ongoing Monitoring
Continuously review client activity and update risk assessments as needed.
The FIC requirements
Section 42 of the FIC Act requires all accountable institutions to have a documented risk management and compliance programme (RMCP) identifying risks and how to deal with them. The RMCP must contain the institutional risk assessment and policy documents and detail all the processes, systems and controls used for aspects such as customer due diligence, record keeping, reporting, and how the risk-based approach will be applied across the institution.
For further guidance, refer to PCC 53, Guidance Note 7, and draft Guidance Note 7A.
To learn more about the risks accountable institutions must identify and manage, enrol in the CIBA course: What you need to know about Terrorist Financing & related risks as an Accountable Institution
What you will learn
This webinar equips professionals with the knowledge and skills to address the risks and regulatory requirements related to terrorist financing. Participants will learn to identify threats, vulnerabilities, and the impact of terrorist financing on South Africa and its neighboring countries, while understanding the critical role of targeted financial sanctions in mitigating these risks.
Key Learning Outcomes:
Gain insight into terrorist financing risks and strategies to prevent them through targeted financial sanctions.
Understand your legal responsibilities when working with clients who may be non-compliant with terrorist financing regulations.
Learn the proper procedures for reporting suspicious transactions to relevant authorities, ensuring compliance and protecting your institution.
Stay updated on the Financial Intelligence Centre Act (FICA) and its related guidelines to ensure regulatory compliance.