Bob Dylan sang,  "The times they are a changin'...". This song is especially relevant in the wake of the ongoing regulatory changes and we need to keep up with them if we want to keep our eye on the horizon (see what I did there?). In line with the Twin Peaks changes, on 1 April the regulator we all know and love as the FSB (Financial Services Board) has changed its name to the FSCA (Financial Sector Conduct Authority). Most of the staff complement is the same for now but will likely change a bit during the transition period. The website itself seems to still have allot of work that needs to be done.

Although the guardhouse has a new coat of paint, FAIS (the Financial Advisory and Intermediary Services Act) itself is still keeping watch. It does have a few new accoutrements in the form of Fit and Proper amendments. These changes include:

There is a big move towards a principles based approach of regulation and it will be interesting to see how the FSB will enforce this and whether they will provide further guidelines on some of the gray areas. 

Have a look at the new FSCA website and let us know what you think. The old FSB site will still be up and running for a while during the transition phase (sorry if the link is no longer working due to obvious reasons).
​

Seeing your country being pulled down by corruption is hard for anyone. As compliance officers, it's even more difficult as we are often faced with situations where clients and other businesses are actually involved in this to some degree. I can tell you, from experience, that it is not something that one should take lightly. Let's take a look at the risks one faces with PEP's and what to do with them.

The FIC Amendment Act of 2017 still includes the concept of PEPs, however, the naming conventions have now changed to distinguish between foreign and domestic PEPs as follows:

• Foreign prominent public officials (FPPO) which equates to the currently used term of Foreign PEP and
• Domestic prominent influential persons (DPIP) which equates to currently accepted term of Domestic PEP however includes people in the private sector who do business with government, traditional leaders etc. 

 
What is the risk?
We must be able to identify PEPs because their prominent public position may increase the risk of their involvement in bribery and corruption and consequently of laundering the proceeds of any such activity (as one can see from the recent corruption scourge that plagued our country).
 
Example
A high ranking South African government official opened a number of accounts with an overseas bank. However, his activity raised a number of concerns that the account was being used to launder the proceeds of corruption. The value of cash deposits into these accounts was inconsistent with the stated purpose of the accounts and the customer’s income. In addition, the official opened an offshore company in a “tax friendly” jurisdiction with himself as sole director and sole shareholder. The deposits paid into the company accounts were considerably more than expected and, contrary to what is expected of a functioning business, there were no outgoing payments. After a Suspicious Transaction Report (STR) was submitted, the individual was investigated and charged with money laundering offences and subsequently sentenced to prison.

What are the proposed controls? 
Due to the susceptibility of bribery and corruption associated with PEPs, businesses often don’t want to do business with them, however this is an unintended consequence of the associated risk. Processes and procedures need to be in place to identify customers who are PEPs and when you identify a PEP you must follow your business procedures and compliance policies.
 
When looking at guidance from international bodies such as the Wolfsberg Group and the Financial Action Task Force, PEP relationships are considered higher risk and should ideally be subject to Enhanced Due Diligence (EDD) such as verifying their source of wealth, regular CDD/KYC reviews and the requirement for Senior Management to give their approval prior to entering into or maintaining the customer relationship. It can also happen that a PEP is not a customer of the accountable institution, but rather a related party such as a beneficial owner. The accountable institution needs to decide what its approach will be in these instances as well. This will usually be contained in the internal rules/policy/processes.
 
It is important to remember that categorising a customer as a PEP does not mean that they are, or have been, involved in any criminal activity. The can also be risk rated in terms of the accountable institution’s Risk Based Approach (RBA).
 
The FIC Amendment Act also requires that the following requirements be met for higher risk Foreign Prominent Public Officials and Domestic Prominent Influential Persons:

• Obtain senior management approval for establishing the business relationship;
• Take reasonable measures to establish the source of wealth and source of funds of the client; and
• Conduct enhanced on-going monitoring of the business relationship.

Risk rating your customers are very important in the new improved version of FICA and PEP's are certainly no exception. Do not take any chances and report any instances of proven or suspected criminal activity via the right channels. You would be doing yourself and everyone, for that matter, a great service. 

Responsibilities are Key
The requirements and responsibilities placed upon Key Individuals (KI's) by the FAIS Act are numerous and it is important to note that although they can delegate some of their functions (for instance, compliance) the ultimate responsibility lies with the KI from the regulator's point of view.
The responsibilities of KI's can be divided into two main pillars:
·           Maintaining the personal character qualities of honesty and integrity; and
·           Competence and operational ability.
We'll look at these two pillars separately below. This is just a short overview but it will give you a good indication of where the battle lines are drawn.

Honesty & Integrity
According to the General Code of Conduct, to assess whether a FAIS KI complies with the requirement of honesty and integrity, the Registrar may refer to any information brought to its attention. Thus, any dishonesty or lapses of integrity that are material can be taken into consideration. Without detracting from the broad statement above, any of the following items also constitutes prima facie (on first encounter) evidence that a KI is no longer compliant with the honesty and integrity requirements if he/she:

(a)            has been found guilty in any criminal proceedings or liable in any civil proceedings by a court of law (whether in the Republic or elsewhere) of having acted fraudulently, dishonestly, unprofessionally, dishonourably or in breach of a fiduciary duty;

(b)            has been found guilty by any statutory professional body or voluntary professional body (whether in the Republic or elsewhere) recognised by the Board, of an act of dishonesty, negligence, incompetence or mismanagement, sufficiently serious to impugn the honesty and integrity of the Financial Services Provider (FSP), KI or representative;

(c)            has been denied membership of anybody referred to in subparagraph (b) on account of an act of dishonesty, negligence, incompetence or mismanagement, sufficiently serious to impugn the honesty and integrity of the KI;

(d)            has:

(i)          been found guilty by any regulatory or supervisory body (whether in the Republic or elsewhere), recognised by the Board; or

(ii)         had its authorisation to carry on business refused, suspended or withdrawn by any such body,
on account of an act of dishonesty, negligence, incompetence or mismanagement sufficiently serious to impugn the honesty and integrity of the KI;

(e)        has had any license granted to the financial services provider by any regulatory or supervisory body referred to in subparagraph (d) suspended or withdrawn by such body on account of an act of dishonesty, negligence, incompetence or mismanagement, sufficiently serious to impugn the honesty and integrity of the KI; or

(f)          has at any time been disqualified or prohibited by any court of law (whether in the Republic or elsewhere) from taking part in the management of any company or other statutorily created, recognised or regulated body, irrespective whether such disqualification has since been lifted or not.

Furthermore, any material non-compliance with the Act, in a manner which is dishonest and negatively affects the KI's honesty and integrity can also be taken into account.

For example: When there is a conflict of interest prevalent, the KI has an obligation to mitigate and avoid the conflict of interest. If the conflict is not mitigated or avoided it would constitute non-compliance with, among others, section 3(1) b and possibly section 3A(1)(b) of the General Code of Conduct.

The result of an honesty and integrity transgression is seen as serious by the Registrar of Financial Services Providers. It could lead to debarment of any KI's and Representatives involved and a withdrawal of the FSP licence in some cases. In less serious cases of where breach of any section of the Act is prevalent a penalty may be imposed.

​Competence and Operational Ability
Although it might be misleading, Competence, when referred to in the Act, does not refer to a person's actual ability to conduct work. It rather refers to the qualification and experience requirements of the KI's as put in place by the FAIS Act and its subsidiary fit and proper regulations.

Operational ability refers to the KI, in respect of his or her management and oversight of an FSP. The KI must have, and be able to maintain, the operational ability to fulfil the responsibilities imposed by the Act on FSPs, specifically the oversight of financial services (regarding of advice and intermediary services) provided by the FSP.

This is quite a broad responsibility in that it effectively states that the KI is ultimately responsible for the oversight of all the rendering of financial services and the operations ancillary thereto. The KI must be able to illustrate that he/she can do this. This relates to all items in the Act, Rules, Codes of Conduct and Determinations. Thus any material non-compliance of the Act can also be included. For example: Where an FSP does not have the necessary indemnity insurance in place as required by section (7) of Part VIII of the Determination of Fit and Proper Requirements.
​
The result of a lack of operational ability is that the FSP license may be withdrawn in serious cases and a penalty may be imposed in less serious cases. So think carefully when accepting a KI appointment. And for those KI's that have been doing it for a long time make sure you cover all of the bases.

The new amendments of FICA changes the compliance framework for accountable institutions to a great extent and we'll discuss some of the more pertinent items in this blog post.

According to the new requirements of FICA, accountable institutions now need to take a risk based approach to FICA and the implementation thereof. This includes:
 

• The nature, scale and complexity of the accountable institution’s business; 
• The diversity of its operations, including geographical diversity; 
• Its client, product or services profile; 
• Its distribution channels; 
• The volume and size of its transactions; and 
• The degree of risk associated with each area of its operation. 

 
One must also now be able to risk rate clients according to the risk that they pose with regards to being used for money laundering or to channel the proceeds of any crime. Certain customers and businesses are a lower risk than others and some are a higher risk. Some of the aspects that one can look at to determine the risk a client poses are:
 

• Does the client operate in a sector or industry that is subject to specific standards, market entry or market conduct requirements, other regulatory requirements (especially AML/CFT measures)? 
• Has the client been in a business relationship with the institution for a period of time? 
• What has been the patterns of transaction behaviour (e.g. speed, frequency, size, volume, etc.) of a client who has a history of a business relationship with an institution? 
• Has the institution previously observed suspicious or unusual activities or transactions on the part of the client? 
• If the client is a corporate vehicle, is it part of a complex or multi layered structure of ownership or control? 
• What information does the client provide concerning their source(s) of income? 
• What is the nature of the client’s business activity, e.g. does the activity involve transacting in large amounts of cash, cross-border movements of funds, trading in sensitive, controlled or sanctioned commodities, etc? 
• What is the nature of the type of the products and services offered by the client? 
• Does the client operate solely within the country or do they have cross-border operations? 
• Is the client’s product selection rational with a view to support their business or personal needs? 
• Does the client occupy a prominent public position or perform a public function at a senior level or does it have such individuals within its ownership and control structure? 
• Is there adverse information about the client available from public or commercial sources? 
• Is the client known to be subject to financial sanctions? 

 

When and if you see that a customer is a medium to higher risk we always advise in taking extra measures with software such as:
PEP (Politically Exposed Person) checks 
Sanctions checks
Adverse news checks (i.e. that shows allegations or actual proven criminal activity)
Understanding the sources of funds better and the transaction aims
Asking any other questions that would comply with your risk based approach and set you mind at ease or that would prover your concerns with the client

We can assist you with any policy drafting requirements, risk measurements, training and software checks for PEPs, Sanctions and Adverse news screening. Contact us today for assistance to ensure your business is safe!

Schedule 1 and 3 to the Financial Intelligence Centre Act lists who should register with the FIC as Accountable and Reporting Institutions respectively. A failure to register with the FIC carries maximum penalties of up to R10m (R50m for entities) and 5 years in prison. Yikes!

It is also quite important to note that each branch of a business must register with the FIC separately, not just the head office.

The difference between Accountable and Reporting institutions are that Reporting Institutions merely report certain transactions on a continual basis, whereas Accountable institutions need to have policies and procedures to identify clients, to risk rate them according to a risk management control program and ultimately report certain transactions to the FIC such as Cash Threshold Reports (CTR's) and Suspicious Transaction Reports (STR's), among other things.

At the time this is published the list of Accountable and Reporting institutions are as follows:

Now it is also interesting to note that these lists are under review by the FIC and they will likely be expanded to include other service and product companies such as credit providers and auctioneers.

If you or your company needs any advice or services that with regards to FICA and Anti-Money Laundering please give us a call!

We recently did a study for an international law firm group where we assessed Regtech and Fintech. What we saw is that these technologies are in the early stages of disruption of the financial services industry globally and in South Africa as well but that their growth is fast and the change is going to be permeating. 

With $36 Billion (yes, that's 9 zeroes) invested in 2016 in Fintech, the industry certainly has allot going for it. It can potentially cause allot of job loss or job creation, depending at how you look at it. Me, I'm a glass half-full kind of guy so I like to think that these changes are to the betterment of us all and that people can (if they are willing and able) migrate to other professions that will be born from this disruption or that other jobs will be created in startups and smaller companies. Even if AI does take over many human roles in financial services, I believe one is still going to need allot of human interaction to provide a good service (as was evidenced by some recent interactions I had with a bank that it is so focused on leveraging tech that it is bleeding clients due to the lack of human assistance when things go boom).

Automation and AI has essentially been around us for quite a while now and for some reason people tend to not think about these simple things as AI. They usually think of AI as some smooth talking humanoid robot. AI is defined by the Merriam Webster dictionary as:

1 : a branch of computer science dealing with the simulation of intelligent behavior in computers.
2 : the capability of a machine to imitate intelligent human behavior

Now, if you take your average mobile phone, for example. It is an AI device but we don't realise it. Yes, some people use it to only call or play a game of Angry Birds but for others it's a powerhouse of automation (if you're not refreshing facebook or your emails every minute that is, because that will kill your productivity quickly). As beauty is in the eye of the beholder so is tech in the hand of the user. It's all about how you use this technology that's going to make the difference.

"As beauty is in the eye of the beholder so is tech in the hand of the user."

Whether Fintech will become as accepted in South Africa as it is already in other parts of the world remains to be seen. What is clear is that more and more companies are getting on the bandwagon even in South Africa. Even regulators are taking more notice as we've seen at the Financial Services Board FAIS Conference earlier in the year where they gave their commitment to regulate these new Fintech services.

Accountable institutions such as lawyers, financial services providers and estate agents (among others) are required by the Financial Intelligence Centre Act 38 of 2001 (FICA) to provide training to staff on FICA in terms of section 43. The training must enable staff to comply with FICA and the internal rules of the company itself and it is not a requirement that this particular training puts them to sleep (although some compliance training providers can readily be regarded as sleep training experts).

A recent "Public Compliance Communication No. 18" by the FIC stated that the training must educate the employees on a range of different factors. Different training levels can be implemented at different levels of the organisation. We believe one can have a General Awareness for all staff in the company and then a more in-depth Specific Awareness training course. However, as always, it depends on the organisation to conduct training commensurate to the risks it is facing.

"The training can take place in any manner that the company deems fit. I.e. online or in person."

The training can take place in any manner that the company deems fit. I.e. online or in person. Tests must also be done to assess the knowledge gained and record must be kept of the training given and attendance. The FIC stated that the training must be "ongoing" and "refresher" training must be conducted. We believe that a good rule of thumb is to do any AML/FICA/KYC training once a year and as soon as any new joiners start with a company.

Any non-compliance with the Act in relation to the above-mentioned can result in a fine of R10 million and 5 years in prison.

So, if you don't want to be a jailbird, ensure your training procedures are in place or give us a shout to provide you with training at: hello@horizoncompliance.co.za.

A question we get asked most often is whether or not a specific service falls within the ambit of the Financial Advisory and Intermediary Services Act 37 of 2002 (FAIS, and soon to be known as the Conduct of Financial Institutions Act).

The first leg of this assessment focuses on whether or not the specific Product or basket of Products are defined in the FAIS Act. The second leg focuses on the definition of Advisory and Intermediary Services. Remember: the FAIS Act does not regulate the products themselves but rather only the Advisory and Intermediary Services provided in conjunction with these products. What must also be taken into account is whether or not a product falls within any specific exemptions, such as credit and property.

​"Remember: the FAIS Act does not regulate the products"
​
If one establishes that your business does not need to comply with FAIS, good for you. If  you do establish that you need to comply, one needs to move on to more in depth assessments such as which categories to register for and so on but I won't get into it in this post. 

Ultimately one would have to do a thorough review of a business to ensure whether or not one needs to comply with the FAIS Act. It is certainly one of the most convoluted pieces of legislation we have in South Africa and isn't for the fain of heart. It is also important that you ensure you comply with any other pieces of legislation that regulate your Product(s) because, as I mentioned earlier, FAIS does not regulate your product. 

For more info or assistance give us a shout at hello@horizoncompliance.co.za or on 0723511653.