South Africa celebrated its exit from the Financial Action Task Force (FATF) greylist in October, but the next mutual evaluation cycle is almost upon us again.
A lot changed during our time in the regulatory wilderness. Still, there is a certain irony in organisations scrutinising a R50,000 transaction while failing to scrutinise the compliance officer who approves it. In a literal sense, “measuring” employee competence alongside integrity is a serious compliance concern everyone will have to prioritise this year.
The Financial Intelligence Centre (FIC) has spent years training accountable institutions to look outward. As we battled out of the shadow of our greylisting we were whipped into shape to obsess over “know your client” protocols, to hunt for ultimate beneficial owners, to screen for politically exposed persons and to proactively assess risk from the outside.
However, with the FATF probably nearly done planning travel itineraries for its check-up on us, we need to realise Directive 8 is a direct command to scrutinise the very people in your business whom you have entrusted to keep out criminals.
If the person clicking “approve” or processing a transaction hasn’t been properly vetted or lacks the moral backbone to flag a suspicious payment, the entire Financial Intelligence Centre Act (Fica) framework can start looking like a house of cards.
The integrity gap
For years employee vetting in South Africa has been treated like a perfunctory HR task — a quick reference check at the start of a contract and a look at a degree certificate. However, in the 2026 regulatory environment “integrity” has become a material factor in an organisation’s survival.
Integrity screening is crucial, and it matters just as much as competence — both are heavy-hitting factors if you fail an audit. You can have the most expensive software available, but if the employee operating it is compromised the software becomes little more than ornamental.
The effectiveness trap
The FATF 2026 mutual evaluation cycle represents the phase in which the task force will take another hard look at South Africa, and having a thick risk management and compliance programme binder on a shelf won’t be enough. Without seeing it in motion, there won’t be much to celebrate.
This is where the trap is set for the complacent. Many organisations are sitting on “paper shields” — policies that look perfect on paper but fall apart when a real-world stress test is applied.
The regulators are looking for the “velocity” of compliance. They want to know if you are effectively mitigating the risk in your business of being abused by criminals, and whether you can move from a red flag to a reported transaction before the trail goes cold.
If your internal processes are sluggish or ineffective because your employees aren’t trained, or because you haven’t bothered to screen management for integrity, you are a sitting duck for serious consequences, such as a considerable fine.
Lessons in operational hygiene
We don’t have to look far for a warning. The R3m fine recently issued to Discovery Bank by the Prudential Authority is a masterclass in why “policy” without “performance” is a liability. It wasn’t that the bank lacked technology. It had automated monitoring systems that were doing exactly what they were supposed to: spot trouble.
The failure was human and operational. Discovery was hit for failing to address more than 2,280 automated alerts within the mandatory 48-hour window. It doesn’t matter how good your automatic monitoring alerts are if there isn’t a process to review them at the same speed. It’s like having a top-of-the-range alarm system when the armed response security company has one car and it’s not available right now (please try again later).
Even more telling was the failure in training. Nearly half of the new employees sampled hadn’t received training within their first month, and even senior management — the people responsible for the entire compliance culture — had gaps in their knowledge.
While these are historic findings, when the human layer of an organisation is out of sync with its digital defences the result is a huge, expensive hole in the hull.
It’s essential that every person in the chain has the integrity and skills to act, and it is every organisation’s responsibility to ensure it.
The R50m risk
For many businesses Fica can feel like an administrative headache that gets in the way of “real work”. But legal organisations, for example, can face fines for such operational lapses that reach R50m in some instances. In a low-growth economy, few firms can afford a R50m wake-up call.
Years ago the Zondo commission of inquiry showed us exactly what happens when internal controls are bypassed by people who were not properly vetted or held to an integrity standard. Directive 8 is the legislative answer to the era of state capture and institutional erosion. It demands organisations treat “honesty” as an auditable metric.
This is especially critical for the “gatekeepers” — the lawyers, estate agents and high-value goods dealers who are the primary targets for syndicates looking to wash the proceeds of crime. It is not a far-fetched possibility for one unscreened rogue employee who looks the other way on a property deal or transaction to ruin a firm’s reputation, and its bank balance, in a single afternoon.
From box-ticking to operational reality
As the FATF assessors finalise preparations for the looming mutual evaluation, every South African board needs to ask itself a question: “If the regulator walked in today, would we be able to confidently attest to our employees’ integrity to protect us, and prove it?” It’s the highest authority of a company that is ultimately responsible for ensuring compliance, and personal liability is attached to it.
Compliance has to move from the filing cabinet stuffed full of paper to the heart and soul of how you operate. It means moving away from manual, spreadsheet-based tracking and toward systems that actually work and allow you to continue business effectively and compliantly.
The era of domestic enforcement is only getting started. To stay off the greylist for good, we have to prove we have the internal discipline to manage risk at speed. Integrity is not a soft skill or nice-to-have buzzword. In the current regulatory environment, it is one of the most valuable assets your organisation has.
• McEwan is director of financial crime risk & compliance at nCino KYC Africa.














