Interpretation-based regulatory requirements, the establishment of multiple Regulatory Bodies, digital innovation and RegTech (to mention but a few) have rapidly changed the South African anti-money laundering and combating of terrorist and related activities (collectively referred to as “financial crime”) operating environment during the past two years.
The evolving regulatory landscape that accompanies these changes, worldwide political changes and hefty regulatory fines have made financial crime compliance a major challenge for financial institutions, not only in South Africa, but across the globe.
Does your RBA create a sense of false hope?
A question often posed by Accountable Institutions is “How can we guarantee that our RBA will meet the Regulators’ expectations? There seems to be neither a right nor a wrong approach? As if it’s uncharted territory”.
Accountable Institutions have been afforded the opportunity to fully implement the requirements of the Financial Intelligence Centre Act 38 of 2001 (as amended 2017, referred to as the “Amendment Act”) by the 2nd of April 2019, which includes the development and implementation of a RMCP (section 42 of the Amendment Act). With less than a year to achieve full compliance, there is still a sense of discomfort amongst many Accountable Institutions – especially with regards to the interpretation and application of the Risk Based Approach (RBA). Uncertainty can perhaps be expected from Accountable Institutions who have previously been exempted from the full ambit of FICA, i.e. estate agents, insurers, asset managers etc.
Surprisingly, the RBA is not a new concept. The implementation of a RBA has previously (2007) been optional, but since 2012 it was made mandatory under the Financial Action Task Force’s (FATF) 40 Recommendations. As South Africa is a member of FATF, Accountable Institutions have been evaluated against these standards, as well as previous guidance notes issued by FIC on the RBA, long before the Amendment Act.
Despite several guidance documents issued (both internationally and locally) on the formulation and implementation of a RBA, there is NO guarantee that the Regulators’ view will even be remotely aligned to the Accountable Institution’s subjective thought process behind its RBA. What might be “reasonable measures” for a particular Accountable Institution, does not necessarily bear the same meaning for another, especially a Regulator.
The significance of a RBA
Theoretically, the RBA concept is simple, yet sensible – in industries and sectors where resources are often limited, the correct application of a RBA ensures that the use of systems, controls and people to mitigate financial crime risk is as effective as possible. In practice however, successful implementation of a RBA, is not that simple… Except for reminding one of an extract from an academic journal, the FATF definition and purpose of a RBA says very little (if anything) about the application and further practicalities of a RBA. FATF defines a RBA as “to identify, assess, and understand the money laundering and terrorist financing risk to which they (countries, competent authorities and banks) are exposed, and take appropriate mitigation measures in accordance with the level of risk.” While the purpose of a RBA is “to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.”
What does however draw Accountable Institutions’ attention is that the RBA was never intended to be a “zero failure” approach and that despite Accountable Institutions taking all “reasonable measures” to identify, assess and mitigate financial crime risks, it might still be exploited.
In an ideal world, the RBA created the opportunity for Accountable Institutions to express their freedom in defining their own practices and standards, supporting their unique businesses and ways of work - operationalisation thereof however remains a challenge. The ability of the Accountable Institution to perform a balancing act between strategic objectives and the amount of risk that the Accountable Institution is willing to take, on pursuit of value and profit, is both challenging and dynamic.
Staying true to the envisaged RBA
Both international and local legislation, place significant emphasis on the critical role played by an effective RBA, which includes the ability to make intelligent decisions, documenting those decisions thoroughly with substantiating reasons and balancing the financial crime risks against available resources and limitations. The envisaged end result is, amongst others, to ensure that Accountable Institutions’ battle against financial crime are well understood, sustainable and as effective as possible.
The RBA has been developed in response to the limitations of a previous “rule-based approach” – where controls were black and white, regardless of the circumstances. The RBA allows for flexibility to reduce or increase controls proportionate to a collection of financial crime risks the Accountable Institution faces – traditional risk factors predominantly considered in a financial crime risk assessment are i.e. the customer, product, geography, delivery channel, transactions, adverse media, other regulatory factors etc.
In Closure
The RBA may not have panned out exactly as hoped for by the Regulators, but it is certainly superior to the old tick box approach. The concept remains sound - it is the overly complex manner in which it has been interpreted and implemented, that has led to confusion and gaps in day-to-day financial crime risk management and operationalisation thereof. What’s needed is simplicity of assessment and application, because the very real risk faced by Accountable Institutions is that they may spend substantial amounts of time, effort and money, creating a control environment that complies with legislation, but doesn’t actually manage the real risks they face. A typical case of form over substance. This inadvertently contributes to increased regulatory risk.
I am of the view that less might be the new more. Your RBA should be “fit for purpose” for your business, addressing real risks faced. Caution should be taken against an over-controlled environment, where the risk does not warrant such. When correctly implemented, these controls will free up resources that can be focused on higher risk areas – bearing in mind that “low risk” does not equal “no risk”. Despite making provision for a RBA, the Amendment Act and supporting Regulations are in part still rule-based, which should undeniably be complied with. The implementation of a risk-based control environment, which can respond to new threats instantaneously, ensure consistent responses to all threats and consistent application throughout the business, not to even mention the change management challenges associated to process or control changes, are not easily achievable – or is it?
Please see part 2 and 3 of this series of articles for more information.
Part 2: Risk Based Approach: Critical success factors for an effective RBA.
Part 3: Risk Based Approach - Implementation of an effective and bespoke RBA, whilst living up to the aim and philosophy of the Amendment Act.
Article written by: