# Writing a FICA Risk Management and Compliance Programme (RMCP)
If your business is listed as an Accountable Institution under Schedule 1 of the Financial Intelligence Centre Act (FICA), you are required to have a documented Risk Management and Compliance Programme (RMCP). This guide explains what an RMCP is, what it generally needs to cover, and how a risk-based approach shapes the way you build and maintain it.
> Disclaimer: This article is general information based on published Financial Intelligence Centre (FIC) guidance. It is not legal advice. For your specific situation — including your institution's specific risk profile and obligations — consult a qualified attorney or compliance specialist.
---
## What Is an RMCP?
An RMCP is a written document that describes how your institution identifies, assesses, monitors, and manages the risks of money laundering, terrorist financing, and proliferation financing (ML/TF/PF) that arise in your business. The FIC uses the term "risk-based approach" to describe the underlying principle: your controls and resources should be proportionate to the actual risks your institution faces, rather than being a one-size-fits-all checklist.
The obligation to have an RMCP arises under FICA. This guide does not cite specific section numbers; for the precise provisions, refer directly to the Act and to the FIC's published guidance at fic.gov.za.
---
## Why the Risk-Based Approach Matters
The risk-based approach is the backbone of a defensible RMCP. Rather than applying identical controls to every client or transaction, your institution is expected to:
- Assess inherent risk — identify the ML/TF/PF risks posed by your client types, products and services, delivery channels, and geographic exposure.
- Apply proportionate controls — direct enhanced due diligence (EDD) at higher-risk relationships and standard or simplified measures where risk is demonstrably lower.
- Document your reasoning — the FIC expects to see not just what you do, but *why* you concluded a particular risk rating was appropriate.
A well-structured risk-based approach means your RMCP is a living document tied to real business risk, not a filing-cabinet exercise.
---
## Core Components of an RMCP
While the FIC's guidance details the exact content requirements, an RMCP typically addresses the following areas:
#### 1. Risk Assessment
This is the foundation. Document the categories of risk relevant to your institution — client risk, product/service risk, delivery-channel risk, and country/geographic risk. For each category, explain how you rate risk (for example, low / medium / high) and what criteria inform that rating.
#### 2. Client Due Diligence (CDD) Procedures
Describe your step-by-step process for identifying and verifying clients, beneficial owners, and authorised representatives. Explain the thresholds and triggers for:
- Standard CDD — applied to most clients.
- Enhanced Due Diligence (EDD) — applied to higher-risk clients, including Politically Exposed Persons (PEPs) and clients from high-risk jurisdictions.
- Simplified Due Diligence — where the FIC's rules permit it for demonstrably lower-risk situations.
#### 3. Ongoing Monitoring
The RMCP should explain how your institution monitors business relationships and transactions on a continuing basis. This includes how you identify transactions that are unusual or potentially suspicious, and the internal escalation path that follows.
#### 4. Record-Keeping
FICA sets out requirements for how long client records and transaction records must be kept. Your RMCP should reference your institution's record-keeping policy, the retention periods you apply, and how records are stored and retrieved. For precise retention periods, refer to the Act and guidance at fic.gov.za.
#### 5. Reporting Obligations
Document your institution's internal process for filing the reports FICA requires — Cash Threshold Reports (CTRs), Suspicious and Unusual Transaction Reports (STRs/UTRs), and any other reports applicable to your institution type. Include who is responsible, what the timelines are, and how you keep a record of reports filed.
#### 6. Training Programme
Your RMCP should describe how your institution trains relevant staff — what the training covers, how often it is delivered, how completion is recorded, and how training content is updated when obligations change.
#### 7. Internal Controls and Governance
Explain the internal oversight structure: who is the designated compliance officer, what their responsibilities are, and how senior management signs off on the RMCP. Include your process for periodically reviewing and updating the programme.
---
## Tailoring Your RMCP to Your Institution
The FIC publishes sector-specific guidance papers for different categories of Accountable Institution — including attorneys, accountants, estate agents, motor vehicle dealers, and financial services providers, among others. These guidance papers describe the particular risk indicators and due-diligence expectations for each sector. Your RMCP should reflect your institution's sector, client base, and actual business model — a copy-pasted template that does not match your operations is unlikely to satisfy an FIC inspection.
Key questions to ask when drafting:
- What types of clients does your institution serve, and what risk do they present?
- What products or services could be misused for ML/TF/PF, and how?
- Are any of your delivery channels (for example, non-face-to-face onboarding) higher risk?
- Do you deal with clients or counterparties in jurisdictions identified as high-risk by the Financial Action Task Force (FATF)?
Answers to these questions should drive the controls you describe in your RMCP, reflecting a genuine risk-based approach.
---
## Keeping Your RMCP Current
An RMCP is not a once-off document. The FIC expects institutions to review and update their programme when:
- Their business model, products, or client base changes significantly.
- Regulatory guidance or the Act is amended.
- An internal audit, inspection, or adverse event reveals a gap.
Build a review cycle into your governance calendar — at minimum annually — and document each review with a version history.
---
## Where to Find Authoritative Guidance
- Financial Intelligence Centre: fic.gov.za — publishes the Act, regulations, guidance notes, and sector-specific papers.
- FATF: fatf-gafi.org — publishes the international standards underpinning South Africa's risk-based approach and the lists of high-risk jurisdictions.
Always work from the most current versions of these documents, as guidance is updated periodically.