Date: 2025-10-18

If you’re embedded in the financial services sector, you’ll know that South Africa is still greylisted by the Financial Action Task Force (FATF) — a global body that sets standards to combat money laundering, terrorist financing and proliferation financing. The good news is that we’re up for evaluation this month, a crucial step towards being delisted.

But outside of compliance circles, many still don’t fully understand what the term “risk-based approach” means, or why it matters. Today’s column aims to demystify this concept, including the often-cited RMCP (risk management and compliance programme) that every accountable institution (AI), from banks to financial services providers (FSPs), must have in place.

Since our greylisting, the Financial Intelligence Centre (FIC) has been laser-focused on ensuring compliance. It has issued several administrative sanctions and fines to institutions that have failed to implement proper risk management frameworks. What’s become evident is that even within many FSPs, only compliance staff truly understand the RMCP, while frontline teams, business developers and even senior management often remain unclear on its purpose.

At the same time, clients frequently push back against Fica requirements — from supplying ID documents to source-of-funds declarations — often viewing them as unnecessary bureaucracy. But once everyone understands the principle behind the “risk-based approach,” it becomes clear: this isn’t about red tape; it’s about protecting the financial system and ensuring South Africa remains trusted internationally.

A risk-based approach (RBA) means you don’t treat every client the same. Instead, each client is assessed individually and placed into a risk category — low, medium or high — based on factors that determine their potential exposure to financial crime.

The RMCP outlines exactly how this assessment is done and how the institution must respond at each level.

Here’s a simple guide:

Low-risk clients

These are clients with transparent income streams, limited complexity and no red flags. Examples include salaried individuals with long-standing employment records and local residency.

Action: Apply standard due diligence (SDD) — collect basic Fica documents (ID, proof of address, tax number) and conduct initial verification.

Medium-risk clients

These may include small business owners, entities with moderate transaction volumes or those with some foreign exposure.

Action: Apply enhanced checks — confirm source of funds and source of wealth, monitor transactions periodically and update records annually.

High-risk clients

These include PEPs (politically exposed persons), PIPs (prominent influential persons), clients from high-risk jurisdictions, or those with adverse media.

Action: Apply enhanced due diligence (EDD) — obtain senior management approval before onboarding, conduct detailed source-of-wealth verification and monitor transactions continuously.

High-risk clients are not automatically rejected, but they require more scrutiny. The goal is not to exclude, but to understand and manage risk responsibly.

Alongside the risk-based approach, sanctions screening is a non-negotiable process. Every accountable institution must screen all clients and transactions against international and domestic sanctions lists, including those from the UN, the EU, the US and South Africa.

This screening must happen at onboarding, whenever client information changes and on a continuous basis. If a match or “hit” is found, the institution must immediately freeze the account, report it to the FIC, and cease all business activity with that client. Failing to act can lead to severe penalties and reputational damage.

So when a compliance officer asks you for documents, remember they’re not being difficult; they’re applying the law, protecting both the business and the country’s standing. The risk-based approach gives flexibility: it allows institutions to focus their resources where the risk is highest, rather than treating everyone as a potential criminal. This is the very essence of smart regulation.

For South Africa, consistent implementation of this approach is essential to restore international confidence and unlock greater foreign investment and trade opportunities.

As we head towards the FATF evaluation, progress is visible. Regulations have been strengthened, supervision improved and awareness is growing. But true success will depend on culture, not just compliance.

We must reach a point where every employee, every client and every institution understands that compliance isn’t a burden; it’s a badge of credibility.

So the next time you’re asked for a source-of-funds document, or your account is flagged for review, don’t resist — embrace it. You are part of a system that’s rebuilding South Africa’s reputation, one verified transaction at a time.

Because at its heart, a risk-based approach isn’t about suspicion; it’s about responsible partnership — and that’s what good business is built on.

• Bezuidenhout is the founder of financial services provider BeztForex.co.za and the global trade AI platform Zynched.com