What sounds like a swear word (to which one would take offence), is actually a legally valid requirement. And whilst heavy with compliance obligations, is nothing to be offended about.
We are aware that the subject of FICA has been discussed many times before, but with so many firms recently attending presentations on FICA management, we thought it would be a good idea to reacquaint ourselves with the reasons and virtues of FICA. Taking special note that a systematic approach is the safest way to remove human error and facilitate accuracy.
Ready? Let’s begin….
What is FICA?
FICA is a requirement by South African legislation (under The Financial Intelligence Centre Act 38 of 2001 (FICA) which has been amended by the Financial Intelligence Centre Amendment Act 1 of 2017 (FICAA) to conform to international standards set by the Financial Action Task Force (FATF).
FATF is an international body of countries tasked with setting best practices to combat money laundering, terrorist financing, tax evasion as well as the financing of proliferation of weapons of mass destruction (which we will refer to as “prohibited actions”). South Africa has been a member of FATF since 2003 and is also a signatory to the United Nations (UN) Convention Against Corruption in 2004.
FATF requires financial and other entities to (actually) know their clients to whom they provide services to. This is referred to as “Know-Your-Client (KYC)” or “Client Due Diligence (CDD)”. Every person (and every entity) in South Africa is subject to a standard KYC process. FATF has also set out recommendations in a comprehensive and consistent framework of measures which all signatory countries should implement in order to combat the prohibited actions. However, countries around the world all have diverse legal, administrative and operational frameworks and different financial systems and therefore cannot all take identical measures to counter these threats.
What to do?
Essentially, the FATF has set out an international standard, (which all signatory countries should implement) through measures adapted to their particular circumstances. And this is where FICA and FICAA come in (where South Africa is concerned).
Who does FICA (and FICAA) apply to?
All persons and all businesses operating in South Africa (“Accountable Institutions”) are required to abide by both FICA and FICAA. As required by the Acts, Accountable Institutions are required to comply with KYC regulations and take responsibility for ensuring that those they do business with are not involved in any prohibited actions. And this is largely achieved by due diligence measures, a risk-based approach, financial sanctions and compliance programmes.
What if there is non-compliance?
Non-compliance with existing laws and regulations or failure to prevent incidents could result in unlimited fines for companies, jail terms, director disqualification and individuals could be imprisoned for up to 10 years. Companies, therefore, must take stringent measures to ensure that they understand their suppliers, partners, acquisition targets, contractors, resellers, grant applicants, clients and other associates effectively and efficiently.
Wait. What are Accountable Institutions?
An ‘Accountable Institution’ is any person defined in schedule 1 of the Act. Amongst those listed include attorneys, trustees and executors, estate agents, financial instrument trade and stock brokers, management companies, bankers and those involved in the remittance of currency, but this is not a closed list.
What are the duties imposed on Accountable Institutions?
FICA stipulates that an Accountable Institution may only establish a business relationship or conclude a single transaction with a client once such institution has, in accordance with its Risk Management and Compliance Programme (“RCMP”), established the actual identity of the client. But, if a client is acting on behalf of another person, the Accountable Institution must establish the identity of the instructing person as well as the authorisation that the client received in order to establish a business relationship. In the event of a person acting on behalf of the client, the institution shall establish the identity of that person and the authority that person must act on behalf of the client.
Section 20A of the Act prohibits an Accountable Institution from establishing a business relationship or concluding a single transaction with an anonymous client or a client with an apparent false or fictitious name.
Where natural persons are clients, Section 21A states as follows –
“…that the Accountable Institution shall, in accordance with its RMCP, obtain information regarding a prospective client which will reasonably enable the institution to determine whether future transactions that will be performed during the business relationship concerned are consistent with the institution’s knowledge of that prospective client.”
Where juristic persons are clients, Section 21B states as follows:
“…provides that, when dealing with a client which is a partnership or trust, an Accountable Institution must establish, in terms of its RMCP, the nature of the client’s business and the ownership and control structure of the client which includes the identity of every partner or natural person who purports to be authorised to enter into business on behalf of the partnership.”
Should an Accountable Institution enter into a transaction or business relationship with a legal person, it must establish the identity of the beneficial owner of the client. This may be done by determining the identity of each natural person who either has a controlling ownership interest in the legal person or has control over the legal person or which exercises control over the management of the legal person.
How did FICAA change things?
The most significant change implemented by FICAA is the introduction of the risk-based approach (as opposed to a rules based approach) to identify and assess prohibited actions. The risk-based system of KYC makes it easier for clients, who pose less risk to committing financial crimes, to comply with FICA. Principally, the amendments introduced by FICAA can mostly be categorised as relating to KYC. Additionally, FICAA has introduced the safeguarding of personal information in line with the requirements of the Protection of Personal Information Act, inspection powers for regulatory compliance purposes and enhanced administrative and enforcement mechanisms.
Let’s break this down…
Ok, so what is KYC (or CDD)?
KYC (or CDD) policies are the cornerstones of an effective FICA compliance program. Put simply, they are the act of performing background checks on the client to ensure that they are properly risk assessed before being on-boarded.
KYC ensures Accountable Institutions establish and verify the actual identity of their clients before or during the time they do business. This is done to certify that clients are not involved in any prohibited actions which are criminal and unscrupulous (especially when such prohibited actions could negatively affect all those that are associated with them). Accountable Institutions are required to comply with a host of responsibilities and measures which must be incorporated into their due diligence practices in order to detect money laundering and terrorist financing. This includes KYC, which is possibly one of the key aspects of FICA as it sets the wheels in motion for all other due diligences.
What does a KYC due diligence include?
KYC controls usually include the collection and verification of identity documentation, screening against warning lists, client risk assessment and investigations into clients’ financial transactions. Basically an on-going due diligence. This intensive and on-going due diligence would include monitoring, periodically obtaining fresh client information and regularly reviewing certain categories of clients. KYC in business relationships with foreign prominent public officials and domestic prominent influential persons, is also required. But FICAA extends the list of persons and institutions with whom the FIC will share information – especially noteworthy is the inclusion of the supervisory bodies and the Public Protector.
However, identification of the client and the confirmation that such client exists is not the only requirement. Institutions undertaking a KYC must dig deeper and inquire into matters such as the nature of the client’s business operations as well as the identity of its ultimate beneficial owner (being the natural person who ultimately benefits from the client’s assets and profits).
But importantly, the key to a successful KYC (according to Phatshoane Henney Attorneys) is consistency.
Is there any particular industry that is effected by the requirements of KYC?
Law firms are particularly effected by the intensive, continuous and ongoing due diligences required for their client’s, for whom they need to undertake regular audits in order to double-check compliance with FICA and FICAA. This process involves exhaustive time spent on KYC documentation collection, risk-assessment and confirming that clients are not on any sanction lists. What is often the case is that support staff are not able to consistently check and/or identify risks (due to time constraints and work load), placing a massive burden on both admin staff and compliance officers. Not an ideal situation. At all.
How do companies, like law firms, undertake the KYC requirements on a day-to-day basis?
Undertaking a KYC need not be a long, intensive and drawn-out process, wasting time and money on resources. By implementing online solutions to assist your business with these requirements, you can avoid compliance risks by vetting and monitoring clients as well as agents, partners, suppliers and other third parties in a quick, consistent and comprehensive manner. Without labour intensive work being placed on admin staff and compliance officers.
The best way to achieve this seamless process is to automate the FICA processes and standardise risk assessments by automatically conducting the necessary client checks when onboarding. This will ensure that all checks are centrally collated, stored and managed ensuring a standardised and consistent experience for all staff and clients. Burden on staff as well as FICA risk will be drastically reduced.
So is FICA friend or foe?
Well, if you consider the purpose of FICA i.e. ensuring that you not only know your client but also ensure that they are not involved in unlawful activity – we would conclude friend.
And with firms searching for a dedicated “FICA management system” to add to their financial and practice management systems, providers such as AJS, take the worry out of finding yet another provider by offering an inbuilt FICA management system in their overall practice and financial management “toolkit”.
With the AJS system, information is only captured once, allowing for the same information to then be re-used for other matters for the same client. So, firms need only collect the FICA information which is either missing or which has expired. Which should be minimal. This will save time and safeguard efficiency whilst also ensuring that all compliance obligations are met.
Another bonus? With the AJS FICA management system, if you are already a subscriber the system is automatically included as part of your overall toolkit. All you need to do is contact AJS and they will activate FICA for you (with some added training thrown in.) At no extra expense to those firms already subscribed to AJS. One less thing to worry about…..
Increase compliance and reduce both the time and resources needed by looking into automating your KYC process and ensure that “FICA yourself” never becomes a swear word in your company. Remember FICA is your friend.
Written by Alicia Koch on behalf of AJS