The risk-based approach (RBA) is the foundation of modern KYC compliance. It replaced the old rules-based approach — which prescribed specific documents for specific customer types — with a more flexible and more effective system. Under the RBA, accountable institutions must assess the money laundering and terrorist financing risk of each customer and each business relationship, and apply due diligence measures proportionate to that risk. This guide explains what the RBA means in practice for South African businesses.
Where Does the Risk-Based Approach Come From?
The risk-based approach was introduced into South African law by the Financial Intelligence Centre Amendment Act 1 of 2017, which came into force in 2019. The 2017 amendments aligned South Africa's AML framework with the FATF Recommendations, which require countries to adopt a risk-based approach to AML and counter-terrorist financing (CTF).
Before the 2017 amendments, FICA prescribed specific identification requirements for specific customer types. The new approach requires accountable institutions to think about risk, not just tick boxes. An institution must ask: what is the money laundering risk of this customer, this product, this delivery channel, and this geographic area? The answer determines what due diligence is required.
What the Risk-Based Approach Requires
Under FICA Section 42, every accountable institution must develop, document, maintain, and implement a Risk Management and Compliance Programme (RMCP). The RMCP must include a documented risk assessment that covers:
- Customer risk. Who are your customers? What industries do they operate in? Are any of them Politically Exposed Persons (PEPs)? Do any have complex ownership structures?
- Product and service risk. What products and services do you offer? Which ones are more susceptible to money laundering (e.g., cash-intensive products, cross-border transfers)?
- Delivery channel risk. How do you deliver your products? Face-to-face delivery is generally lower risk than digital or remote delivery.
- Geographic risk. In which countries or regions do you operate? Do any of your customers come from or transact with high-risk jurisdictions?
The risk assessment must be reviewed at least annually and updated when material changes occur in the business or its environment.
Customer Risk Ratings
The practical output of the risk-based approach at the customer level is the customer risk rating. Each customer is assigned a risk rating — typically low, medium (often called standard), or high — based on the risk factors identified in the institution's risk assessment. The risk rating determines the level of due diligence applied:
- Low risk → Simplified Due Diligence (SDD). Reduced verification requirements and less frequent monitoring. Applies to customers with a demonstrably low risk profile, such as listed companies or government entities.
- Standard (medium) risk → Customer Due Diligence (CDD). The standard level of due diligence, which applies to the majority of customers.
- High risk → Enhanced Due Diligence (EDD). Applies to customers with a higher risk profile, including PEPs, customers from high-risk jurisdictions, and customers with complex ownership structures.
The Risk Management and Compliance Programme (RMCP)
The RMCP is the master document that describes how an accountable institution manages its money laundering and terrorist financing risk. It must be in writing, approved by senior management, and reviewed regularly. The RMCP must cover:
- The institution's risk assessment methodology and findings
- Customer due diligence procedures (including CDD, EDD, and SDD)
- Transaction monitoring procedures
- Suspicious transaction reporting procedures
- Record-keeping procedures
- Staff training programme
- Internal audit and compliance monitoring
The FIC can inspect the RMCP as part of a compliance inspection. An institution that does not have a documented RMCP, or whose RMCP does not reflect its actual practices, is at significant risk of administrative sanctions.
Frequently Asked Questions
- What is the difference between a rules-based and a risk-based approach to KYC?
- A rules-based approach prescribes specific documents and procedures for specific customer types. A risk-based approach requires institutions to assess the risk of each customer and apply due diligence proportionate to that risk. The risk-based approach is more flexible and more effective at targeting resources where the risk is highest.
- Does every accountable institution need an RMCP?
- Yes. FICA Section 42 requires every accountable institution to develop, document, maintain, and implement a Risk Management and Compliance Programme. There is no size exemption — even small businesses that are accountable institutions must have an RMCP.
- How often must the risk assessment be reviewed?
- The risk assessment, as part of the RMCP, must be reviewed regularly. The FIC recommends at least annual review, and more frequent review when material changes occur in the business, the regulatory environment, or the threat landscape.
- Can a low-risk customer ever require EDD?
- Yes. A customer may be assigned a low risk rating at onboarding but subsequently trigger EDD requirements if their transaction patterns change, if they are identified as a PEP, or if information comes to light that increases their risk profile.
- What happens if an accountable institution does not have an RMCP?
- Failure to develop and implement an RMCP is a contravention of FICA Section 42. The FIC can impose administrative sanctions, including financial penalties of up to R10 million per contravention. The FIC has conducted compliance inspections and issued sanctions for RMCP failures.