Storm warning for accountable institutions without an updated RMCP

The Financial Intelligence Centre (“FIC”) is empowered by the FIC Act to enforce the Act and ensure that accountable institutions meet their required obligations. They are also empowered to hand out sanctions and penalties for non-compliance.

As part of its compliance obligations under the FIC Act, all accountable institutions are required to develop and implement a Risk Management and Compliance Programme (“RMCP”). This is an apex policy document, which sets out the compliance obligations of the accountable institution, as well as its risk-based approach to dealing with and mitigating inherent and residual risks.

The FIC on 04 March 2025 issued a notice requiring all accountable institutions to submit their latest approved and signed RMCP to the FIC by 12 March 2025. This requirement is part of the continuing strengthening by the FIC of its financial controls in a bid to escape the grey listing of South Africa. At the same time, this is a warning to accountable institutions that there is no hiding from the FIC.  

Accountable institutions not only had to submit their RMCPs but also had to ensure that these complied with the various publications issued by the FIC under the FIC Act over the past several months—many of which necessitate extensive amendments to existing RMCPs to maintain ongoing, up-to-date compliance.

As all accountable institutions are required to be registered with the FIC electronically, the FIC will be able to easily establish which accountable institutions failed to submit by the deadline. All RMCPs that were submitted will also be available for further scrutiny to assess compliance.

The major risk for accountable institutions that did not submit by the deadline is that it will constitute an act of non-compliance, which may invite an audit from FIC and possible penalties and sanctions. Not having an RMCP that is fully aligned with the legal requirements will also constitute non-compliance with the FIC Act.

The FIC has been ramping up its enforcement of the FIC Act in recent months, increasing the number of audits and sanctions for non-compliance. This is driven by South Africa’s attempt to be removed from the Financial Action Task Force’s grey list. To be removed from the list, South Africa must provide, amongst other things, evidence that it effectively enforces the FIC Act. Audits and possible sanctions for non-compliance are therefore more likely than not.

Accountable institutions should accordingly take note and ensure that their RMCP’s reflect the latest compliance requirements, and have been approved, signed off and submitted to the FIC. 

Compliance with the FIC Act can be a challenging landscape for accountable institutions to navigate, and it may be wise to seek the assistance of legal or compliance experts to assist in ensuring that they are compliant.


Disclaimer: This article is the personal opinion/view of the author(s) and is not necessarily that of the firm. The content is provided for information only and should not be seen as an exact or complete exposition of the law. Accordingly, no reliance should be placed on the content for any reason whatsoever and no action should be taken on the basis thereof unless its application and accuracy have been confirmed by a legal advisor. The firm and author(s) cannot be held liable for any prejudice or damage resulting from action taken on the basis of this content without further written confirmation by the author(s).