There has been a lot of noise in recent months about South Africa facing the possibility of being “grey listed” due to a poor score in the Financial Action Task Force’s (FATF) effective outcomes to combat money laundering and the financing of terrorism. This has been amplified by the recent R35 million fine that was imposed on Nedbank by the South African Reserve Bank (SARB) for failing to comply with specific administrative requirements of the Financial Intelligence Centre Act (FICA).
Whilst the fine relates to findings from 2019 it is not difficult to join up the dots with the FATF actions. The South African authorities are being scrutinised for having a weak investigative and prosecutorial record. It is logical that further fines and warnings may follow to other banks as the country faces up to the criticism from the FATF findings. It is therefore more important than ever for South Africa, as a jurisdiction to be viewed as tough and rigid when it comes to compliance with the FIC Act. It is also in the best interest of banks to partner with government to try and avoid being added to the grey list or to exit the grey list as soon as possible, should South Africa be added.
There was no evidence of Nedbank’s involvement in, or facilitating of, transactions involving money laundering or the financing of terrorism. However, like many European financial institutions, the fine was imposed due the absence of a clear programme and policy mandated by the FICA Amendment Act (FICAA) of 2017. According to SARB, Nedbank failed to apply the following:
A risk-based approach across its business sectors in line with their Risk Management and Compliance Programme.
Enhanced due diligence controls.
Risk-rate their clients.
To clearly demonstrate and prove that they had developed and documented end-to-end procedures and methods used during the on-boarding process of their clients.
To prove that their controls could effectively obtain the right data that would help them to correctly risk-rate their clients.
The crux of the matter is that Nedbank had not transitioned from a rule-based to a risk-based approach regarding KYC, nor had the bank developed the necessary framework to support and maintain this. Such a transition is challenging and takes time and expertise to implement effectively.
It is likely that we will see other accountable institutions face similar consequences. While we wait for the FATF decision, South African banks should be considering how they can support the government to demonstrate to the FATF that serious change is being implemented. One way to do this is to implement a robust risk-based approach.
However, this is easier said than done. Not only is a strong framework required but the implementation and wider application of the approach can be challenging to adopt and to oversee on an ongoing basis.
Re-aligning KYC to a risk-based approach
Whilst there are several elements to consider when re-aligning a KYC approach, it is worth highlighting four key components.
Appetite: There is not a one size fits all when it comes to risk appetite. All companies have their individual strengths and weaknesses according to the markets they operate in and the sectors they target for growth. It is therefore important that each business can outline why they are in certain markets and how they mitigate the risks of conducting such business using their own bespoke enhanced due diligence processes. A good example of this is how the historically conservative Canadian banks embraced the growth of Cannabis as a new market.
Framework: This is the handbook and policy that KYC teams will operate within. It needs to be sufficiently detailed whilst also applying practical instructions to users. Updates to the policy need to be introduced in a coherent manner.
Technology: KYC has historically been a manually intensive, time consuming and expensive exercise. This is gradually evolving as ‘REGTECH’ solutions flood the market in areas such as on-boarding, customer screening (sanctions/adverse news) and transaction monitoring. There are undoubtedly good solutions available, and this space will change dramatically in the years to come. However, the market is in a phase of consolidation and the winners are still to be determined.
Furthermore, vendor selection and implementation are time consuming processes that require substantial investment in resourcing from both the buyer and the vendor. Added to this, is the knowledge shortage within the banking sector regarding new technologies. Buyers need to ask vendors the right questions and the only way to learn this is by being immersed in and familiar with the capabilities and limitations of the various technology platforms.
People and standardisation: Individuals will still play a key role in the KYC process, but their responsibilities will become more technical and subjective but crucially, much more interesting which should improve motivation and performance levels. The historic rule-based approach uses a fairly robotic application of human resources which can lead to human error. Efficiently managed KYC teams need to conform to a standard that will change regularly as global events drive policy changes. Therefore, to monitor and maintain these standards remains a constant and continuous challenge.
Global lessons learned
South Africa can lead the way and learn from the anti-money laundering (AML) and Counter Financing of Terrorism (CFT) legislation that other countries have adopted and implemented. The European Union (EU) and the United Kingdom (UK) have always been viewed as leading global financial hubs with well-established regulatory frameworks. Therefore, a risk-based approach was introduced into EU legislation by the Fourth EU Anti-Money Laundering Directive (4AMLD) in June 2015, and transposed into UK legislation in June 2017 (MLR, 2017) by considering the latest FATF Recommendations of 2012.
EU and UK firms experienced the same set of complications that South African firms are currently experiencing when they adopted a risk-based approach. They had similar concerns as to what it meant to apply a risk-based approach and how to implement this approach within their policies and procedures.
Experience goes a long way
South Africa is a G20 economy and viewed as a leading, regional financial hub for sub-Saharan Africa which is why it is important to set the standard for the rest of the continent. There seem to be a lot of discussions about the negative long-term implications of being gey listed when in fact, this could be viewed as an opportunity to lead the way by addressing the identified challenges, head-on.
The Lysis Group has more than 20 years’ experience as global financial crime compliance experts and they have successfully helped many UK-based financial institutions to move from a rule-based to a risk-based approach. They can bring their lessons learned from these journeys to help South African regulated financial institutions to make a successful transition to a risk-based approach in both a cost effective and sustainable manner. The Lysis Group operates within South Africa from their Cape Town offices.
Co-authored by Chris Oliver, Head of Lysis Operations and Wendy Murray, Director of the Lysis Group operations in South Africa.