Group-wide RMCP’s

Accountable institutions that are part of a group of companies may implement a group-wide Risk Management and Compliance Programme (RMCP). This can be an effective way to align processes and consolidate compliance efforts, but it comes with important conditions as set out in the Financial Intelligence Centre’s Guidance Note 7A.

The FIC permits group-wide RMCP’s only if they are appropriately tailored to reflect the individual risks of each entity or branch within the group. Institutions must avoid a blanket approach and instead ensure that internal processes, systems, and controls are specific and justifiable.

Key requirements institutions must follow:

• You can centralise certain policies and procedures, but they need to be tailored where necessary.

• Your RMCP should spell out clearly which parts apply to which entities, which don't, and why.

• Every entity in the group must do its own risk assessment, which then feeds into the group-wide risk picture

• The final group-wide AML/CFT/CPF risk assessment must be comprehensive, covering everything such as business areas, products, technologies, services, delivery methods, client types, and processes.

• You also need to state explicitly in the RMCP if all group entities were included in the group-wide risk assessment.
  
  

If any legal requirements under section 42 of the FIC Act are not applicable, your RMCP must explain why. Institutions must also ensure their RMCP is documented, approved by the board of directors or senior management (accountable institution without a board of directors), and kept up to date.