Financial Services Compliance Pack

Every accountable institution must develop, document, maintain, and implement a Risk Management and Compliance Programme (RMCP) as required by FICA s42. The RMCP must address: ML/TF risk identification and assessment, customer due diligence measures, record keeping, reporting obligations, employee training, and compliance monitoring and testing. The RMCP must be approved by senior management and reviewed annually. The FIC may request a copy at any time. Penalty: Administrative sanction up to R50 million for non-compliance (FICA s45C). Criminal prosecution possible for wilful non-compliance.

Every person who furnishes advice or renders an intermediary service in respect of a financial product must be authorised by the FSCA as a financial services provider (FSP). Application requires: completed application form, proof of professional indemnity insurance, proof of compliance officer appointment, fit and proper documentation for Key Individuals, operational ability assessment, and prescribed fees. Processing time: 6-12 weeks. Penalty: Rendering financial services without authorisation is a criminal offence — fine up to R10 million or imprisonment up to 10 years (s7(1) FAIS Act).

FSPs must establish and maintain an internal complaints resolution system that complies with the Policyholder Protection Rules (PPR) and the FAIS General Code of Conduct. Complaints must be acknowledged within 3 business days and resolved within 6 weeks. Unresolved complaints must be escalated to the FAIS Ombud. FSPs must also demonstrate adherence to the six Treating Customers Fairly (TCF) outcomes: (1) fair treatment embedded in culture; (2) suitable products; (3) clear information; (4) suitable advice; (5) expected product performance; (6) no unreasonable barriers to claims/switching. The FSCA conducts TCF self-assessments and on-site reviews. Penalty: Administrative penalty up to R1 million per contravention; debarment of individuals.

FSPs must adopt, implement, and maintain a conflict of interest management policy as required by the FAIS General Code of Conduct (s3A, as amended by Board Notice 58 of 2010). The policy must: identify all actual and potential conflicts of interest; set out measures to avoid, mitigate, or manage identified conflicts; address financial interest received from or paid to third parties (commissions, fees, other benefits); ensure full disclosure of financial interests to clients; and prohibit receipt of financial interest that may influence advice. Immaterial financial interests are capped at R1,000 per representative per product supplier per year. Policy must be reviewed annually and all staff trained. Penalty: Suspension or withdrawal of licence; administrative penalty.

All Key Individuals and representatives must complete prescribed CPD hours annually as required by Board Notice 194 of 2017 (Determination of Fit and Proper Requirements). Minimum CPD requirements: Key Individuals — minimum of 18 CPD hours per annum, of which at least 6 must be in product-specific training and 6 in ethics, regulatory, and compliance matters. Representatives — minimum of 12 CPD hours per annum. CPD records must be maintained and made available to the FSCA on request. CPD providers must be recognised by the relevant professional body. Penalty: Failure to maintain CPD may result in loss of fit and proper status and debarment from rendering financial services.

Accountable institutions must file reports with the FIC: (1) Suspicious and Unusual Transaction Reports (STRs/SUTRs) — report within 15 business days of forming a suspicion of money laundering, terrorist financing, or proliferation financing (FICA s29). Tipping off the subject is a criminal offence. (2) Cash Threshold Reports (CTRs) — report all cash transactions of R24,999.99 or more within 2 business days (FICA s28). (3) Terrorist Property Reports (TPRs) — report within 5 business days of knowledge (FICA s28A). Reports filed via the FIC's goAML platform. Penalty: Failure to report — fine up to R100 million or imprisonment up to 15 years (FICA s68).

Accountable institutions must conduct customer due diligence (CDD) before establishing a business relationship or concluding a single transaction above the prescribed threshold (R25,000 for occasional transactions). CDD includes: establishing and verifying client identity (FICA s21), identifying beneficial owners, understanding the purpose of the business relationship, and conducting ongoing due diligence including transaction monitoring. Enhanced due diligence (EDD) required for foreign prominent public officials, complex/unusual transactions, and high-risk clients. Records must be kept for at least 5 years after the business relationship ends. Penalty: Administrative sanction up to R50 million (FICA s45C).

Category I and II FSPs must maintain minimum financial soundness requirements as prescribed by the FSCA. FSPs must submit financial soundness reports demonstrating compliance with: (a) minimum liquid asset requirements; (b) minimum capital adequacy ratios; (c) professional indemnity insurance cover adequate for the nature and scope of their activities. Category II, IIA, and III FSPs have additional capital requirements. Insurers regulated under the Insurance Act must comply with the Solvency Assessment and Management (SAM) framework administered by the Prudential Authority. Penalty: Suspension of licence; requirement to submit a financial recovery plan.

Key Individuals and representatives of authorised FSPs must at all times meet the fit and proper requirements prescribed in Board Notice 194 of 2017 (as amended). Requirements include: (a) Honesty and integrity — no disqualifying offences or sanctions; (b) Competence — relevant qualifications (NQF Level 5 minimum for Key Individuals, NQF Level 4 for representatives) and recognised regulatory examinations (RE1 for Key Individuals, RE5 for representatives); (c) Operational ability — adequate systems and controls; (d) Financial soundness — no unrehabilitated insolvency. Changes in fit and proper status must be reported to the FSCA within 15 business days. Penalty: Withdrawal of licence; personal liability for Key Individuals.

All authorised FSPs must pay the annual FSCA levy by the prescribed date. The levy is calculated based on the FSP's category of authorisation and revenue. FSPs must also confirm that all licence conditions remain satisfied, including professional indemnity cover, compliance officer appointment, and Key Individual fit and proper status. Failure to pay the levy may result in suspension or withdrawal of the FSP licence. Penalty: Lapse of authorisation — FSP may not render financial services. Reference: FAIS Act s8, FSCA Levies Act.

All authorised FSPs must submit an annual statutory return to the FSCA within four months of their financial year-end. The return includes: (a) audited or independently reviewed annual financial statements; (b) compliance report prepared by the compliance officer; (c) confirmation of Key Individual and representative fit and proper status; (d) updated professional indemnity insurance details; (e) details of complaints received and resolved. Category I FSPs with annual turnover below R50 million may submit independently reviewed (not audited) financial statements. Penalty: Failure to submit — suspension of licence; late submission penalty.

Every person who carries on business as a credit provider and has a total principal debt owing to them exceeding R0 (all credit providers must register) must register with the National Credit Regulator (NCR). Registration must be renewed annually. Registration requirements: completed application (Form 1), prescribed fee (sliding scale based on loan book size), proof of compliance management systems, and FICA compliance. Credit providers must comply with NCA provisions on: reckless credit assessment (s81), affordability assessment, credit information reporting to credit bureaux, and collection practices. Annual compliance report required. Penalty: Conducting credit business without registration — fine up to R1 million or imprisonment up to 10 years (NCA s157).

FSPs must conduct thorough due diligence on all product suppliers whose financial products they advise on or intermediate. The FAIS General Code (s7) requires FSPs to ensure products are suitable for their target market and that suppliers are licensed. Where functions are outsourced (e.g., administration, IT, compliance), the FSP remains responsible and must ensure the outsource provider: (a) is competent; (b) maintains adequate controls; (c) protects client information per POPIA; (d) allows FSCA access for inspection purposes. The outsourcing arrangement must be documented in a formal service level agreement. Joint Standard 2 of 2020 (Outsourcing) applies to insurers. Penalty: Regulatory action for inadequate governance; liability for outsource provider failures.