If you’re embedded in the financial services sector, you’ll know that South Africa is still greylisted by the Financial Action Task Force (FATF) — an international body that sets standards to combat money laundering, terrorist financing and proliferation financing. The good news is we’re due for evaluation this month, a crucial step towards being delisted.
Outside compliance circles, few people fully understand what the term "risk-based approach" means, or why it matters. Today’s column aims to demystify the concept, including the often-cited RMCP (risk management and compliance programme) that every accountable institution, from banks to financial services providers, must have in place.
Since our greylisting, the Financial Intelligence Centre (FIC) has been laser-focused on ensuring compliance. It has issued several administrative sanctions and fines to institutions failing to implement proper risk management frameworks. What’s become evident is that even within many financial services providers, only compliance staff truly understand the RMCP; frontline teams, business developers and even senior management are often unclear on its purpose.
Clients frequently push back against Fica requirements — from supplying ID documents to source-of-funds declarations — often viewing them as unnecessary bureaucracy. But once everyone understands the principle behind the "risk-based approach" it becomes clear this isn’t about red tape; it’s about protecting the financial system and ensuring South Africa remains trusted internationally.
A risk-based approach means each client is assessed individually and placed into a risk category — low, medium or high — based on factors that determine their potential exposure to financial crime.
The RMCP outlines how this assessment is done and how the institution must respond at each level.
Here’s a simple guide:
Low-risk clients
Those with transparent income streams, limited complexity and no red flags. Examples include salaried individuals with long-standing employment records and local residency.
Action: Apply standard due diligence: collect basic Fica documents (ID, proof of address, tax number) and conduct initial verification.
Medium-risk clients
May include small business owners, entities with moderate transaction volumes or those with some foreign exposure.
Action: Apply enhanced checks: confirm source of funds and source of wealth, monitor transactions periodically and update records annually.
High-risk clients
Includes politically exposed persons, prominent influential persons, clients from high-risk jurisdictions or with adverse media.
Action: Apply enhanced due diligence: obtain senior management approval before onboarding, conduct detailed source-of-wealth verification and monitor transactions continuously.
High-risk clients are not automatically rejected, but they require more scrutiny. The goal is not to exclude, but to understand and manage risk responsibly. Every accountable institution must screen all clients and transactions against international and domestic sanctions lists, including those from the UN, the EU, the US and South Africa.
This must take place at onboarding, whenever client information changes and continuously. If a match or "hit" is encountered, the institution must immediately freeze the account, report it to the FIC and cease all business activity with that client. Failing to act can lead to severe penalties and reputational damage.
When a compliance officer asks you for documents they’re not being difficult — they’re applying the law, protecting both the business and the country’s standing. The risk-based approach gives flexibility, it allows institutions to focus their resources where the risk is highest, rather than treating everyone as a potential criminal. This is the very essence of smart regulation.
Consistent implementation of this approach is essential to restore international confidence in South Africa and unlock greater foreign investment and trade opportunities.
As we head towards the FATF evaluation, progress is visible. Regulations have been strengthened, supervision improved and awareness is growing. But true success will depend on culture, not just compliance. We must reach a point where every employee, every client and every institution understands that compliance isn’t a burden, it’s a badge of credibility.
So, the next time you’re asked for a source-of-funds document or your account is flagged for review, don’t resist — embrace it. You are part of a system that’s rebuilding South Africa’s reputation.
• Bezuidenhout is the founder of financial services provider BeztForex.co.za and the global trade AI platform Zynched.com
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.