Having a Risk Management and Compliance Programme (RMCP) isn’t just a procedural formality – it is a legal requirement under Section 42 of the Financial Intelligence Centre Act (FICA). More importantly, it has become the focal point of regulatory enforcement, with recent penalties confirming that the Financial Sector Conduct Authority (FSCA) will not hesitate to act when institutions fall short.
In April, the FSCA announced fines totalling R735,000 against three financial services providers (FSPs) that failed to implement proper RMCPs. One firm had no RMCP at all. Others submitted incomplete, generic documents or failed to link procedures to their actual business risks. These were not isolated oversights – each case demonstrates a growing intolerance for compliance frameworks that exist in theory but not in practice.
The consequences of non-compliance
One firm was fined R300,000 for not having an RMCP in place. Additional penalties were issued for failures in risk-rating clients, conducting customer due diligence, and screening against the Targeted Financial Sanctions (TFS) lists.
Beyond the financial penalties, the FSCA has made it clear that enforcement is not temporary, it is the new normal. Institutions must expect greater scrutiny going forward, especially as South Africa remains under international pressure to improve its anti-money laundering (AML) and counter-terrorism financing (CFT) frameworks in line with FATF standards.
What an RMCP is – and what it is not
An RMCP is more than a document. It is a strategic, risk-based approach that must be tailored to the institution’s size, business model, client profile, and sector risks. The board of directors or most senior governing body is responsible for approving and maintaining it – this responsibility cannot be delegated.
At a minimum, an RMCP must demonstrate how the institution identifies and assesses risks associated with its clients, transactions, and services. It must explain the procedures used to mitigate those risks, how these are monitored, and how the institution will ensure that due diligence is conducted consistently. It must also outline how the institution will meet its reporting obligations under FICA and ensure that employees are trained to understand and carry out their compliance duties. If these measures are not implemented, regularly reviewed, and embedded in daily operations, institutions are at risk – even if an RMCP has been drafted.
A living document in a shifting environment
Guidance Note 7A, issued by the Financial Intelligence Centre, has raised the bar for RMCP expectations. It clarifies that institutions must maintain version control, ensure internal documents referenced in the RMCP are available during inspections, and link controls directly to their risk assessments. The FSCA has already acted against firms that failed to do this.
An RMCP that’s copied from a template or not approved by the board is insufficient. Regulators want evidence that the document is understood, applied, and updated as risks evolve.
Supporting compliance with technology
With expectations rising and enforcement tightening, technology is becoming essential in ensuring that RMCPs are not just in place, but actually embedded into daily operations.
VOCA, powered by SearchWorks, enables institutions to put their compliance framework into action. It automates customer due diligence, client risk profiling, ongoing monitoring, and regulatory reporting – ensuring that the day-to-day execution of your RMCP is aligned with FICA requirements. By embedding these processes into your operations, VOCA turns policy into practice.
For institutions needing to draft a new RMCP or update an existing one, our trusted partner, Moonstone, specialises in compliance and risk management. Their team provides expert guidance tailored to your business model and sector-specific risks, helping ensure that your RMCP meets both regulatory expectations and practical needs.
Together, VOCA and Moonstone provide an end-to-end compliance solution – from expert support in shaping your RMCP, to seamless implementation and operational enforcement. It is a practical, scalable approach to managing risk and staying audit-ready.