Customer due diligence and risk management and compliance programme

December 1st, 2019

In my previous article, ‘How FICA affects you and your legal practice’ 2019 (Oct) DR 6, I explored the requirements of the legal practitioner’s annual statement on trust accounts required in terms of the Legal Practice Council Rules (LPC Rules). In it I dealt extensively with ss 43B, 21, 42, 28, and 29 of the Financial Intelligence Centre Act 38 of 2001 (FICA). This article seeks to dig deeper into s 21 of FICA, and focusses specifically on customer due diligence, as well as the value of preparing and maintaining a risk management and compliance programme by an accountable institution to achieve the requirements of s 21. Readers are advised and encouraged to read this article together with my previous article, as well as the article by Nkateko Nkhwashu ‘Do trust account advocates need a mind shift to deal with FICA?’ 2019 (Oct) DR 13 for the best understanding and benefit of FICA, as well as the article written by the Financial Forensic Investigation Team of the Attorneys Fidelity Fund ‘Find the problem before it finds you’ 2015 (July) DR 29.

Section 21 of FICA specifically deals with knowing your client. To fulfil this requirement, accountable institutions are expected, especially in the case of legal persons, trusts and partnerships, to conduct a due diligence on their prospective and existing clients. This due diligence is aimed at ensuring that, when the accountable institution onboards and deals with a client, that client is known to the institution. This requirement automatically places an obligation on an accountable institution to comply with the requirements of FICA. As already indicated in my previous article, it is compulsory for accountable institutions to register with the Financial Intelligence Centre, and legal practices are listed as accountable institutions in terms of sch 1 of FICA.

The purpose of FICA, inter alia, is to introduce transparency into the South African financial system. A country’s measures to combat money laundering and terrorist financing work effectively only if the financial system in that country is transparent (based on robust customer due diligence measures), so that adequate information is captured in the records of financial and other institutions and the sharing of information that may support further investigation of money laundering and terrorist financing becomes possible (‘Guidance Note 7 on the implementation of various aspects of the Financial Intelligence Centre Act’, 2001 (, accessed 17-10-2019)).

From the foregoing paragraph it becomes evident that the cornerstone of adhering to the requirements of FICA is s 21, which requires that an accountable institution knows who it is dealing with. This is so because the s 29 reporting requirements can only be meaningful if the accountable institution knows its client, which it would know through customer due diligence performed on the client (for purposes of this article, ‘client’ refers to both existing and prospective clients). Simply put, unless an accountable institution knows who or what it is dealing with, it would have difficulty identifying suspicious transactions and activity for that client. Suspicion arises from the institution’s understanding or knowledge of the client and of the client’s business and/or source of income: if anything out of the ordinary for that specific client happens, it then becomes suspicious to the accountable institution.

In the case of prospective clients, accountable institutions need to have a general understanding of the type of business that the prospective client is involved in. In this regard, the requirements of s 42 regarding the risk management and compliance programme of the accountable institution become important; they are important even for existing clients, especially in respect of ongoing due diligence. FICA incorporates a risk-based approach to customer due diligence, which helps accountable institutions understand their exposure to money laundering and terrorist financing risks. Rule of the LPC Rules, on the other hand, requires legal practices to ensure the implementation of adequate internal controls for the safeguarding of trust funds. Internal controls are a response mechanism to identified and assessed risks.

Risks for an accountable institution, simply put, are events that influence the strategic objectives of the accountable institution, and these can have negative or positive effects. Events with positive effects on the objectives are opportunities for the accountable institution and should be channelled back into its strategic objectives, whereas events with negative effects should be managed. The latter events are those which the accountable institution must concern itself with and respond to, and it is these events that I pay attention to in the next paragraphs.

Risks are measured in terms of likelihood and impact. Likelihood concerns itself with the probability of an event taking place, while impact deals with the extent to which the strategic objectives will be affected should that probability materialise. At this stage, I deal with inherent risks and residual risks. Inherent risks are risks that exist before any control measures are put in place; they exist by the mere existence of a business or an activity. Residual risks are those risks that remain after control measures have been put in place and their effectiveness assessed, and these are the risks to which the accountable institution should respond, as they may expose the accountable institution to unwanted consequences.

There are mainly four ways in which an accountable institution may respond to residual risks:

  • Treat: Introduce control measures in order to reduce the impact and likelihood of the risk materialising. This speaks to mitigating the risk exposure.
  • Tolerate: The risk is known to and accepted by the legal practice.
  • Transfer: The risk continues to exist, but it is passed on to a third party to manage, for example an insurer or outsourced company.
  • Terminate: The legal practice has no appetite for the risk and will, therefore, move away from the activity that attracts that particular risk.

There are various databases that may be available to an accountable institution at a national and regional scale, which may influence what is contained in an accountable institution’s risk management and compliance programme. There are also various factors that may contain risk indicators, which an accountable institution should consider, such as –

  • indicators relating to products and services;
  • indicators relating to delivery channels;
  • indicators relating to geographic locations;
  • indicators relating to clients; and
  • other factors.

To indicate the link between customer due diligence as required under ss 21 and 42, I specifically deal with the indicators relating to clients. Clients of an accountable institution are not always natural persons, but are sometimes legal persons/entities. Clients bring their own risks to an accountable institution, depending on the type of client. For an accountable institution to deal effectively with risks brought about by its clients, it becomes important for the accountable institution to consider the client against the products and services to be rendered to that client. Different clients pose different risks, even for specific products, and this could require an accountable institution to individualise its risk assessments, or to deal with them in categories based on similarities in the profiles of the various types of clients that the accountable institution deals with.

Customer due diligence refers to the knowledge that an accountable institution has about its client and its understanding of the business that the client is conducting with it; customer due diligence is, therefore, a risk mitigation measure. The risk mitigation attribute stems from the fact that an accountable institution that has conducted a proper due diligence on the client may better identify possible attempts by the client to exploit the institution’s products and services for illicit purposes. Among the different types of clients that an accountable institution may deal with are legal persons, trusts and partnerships. These types of clients call for additional due diligence measures. While legal persons, such as shell companies, are generally legitimate entities in their nature, there is a tendency by criminals to abuse such structures and use them for illicit purposes, and legal practitioners need to be awake to that reality. ‘[S]hell companies are considered to be companies that are incorporated that have no significant operations or related assets’ (FATF ‘Guidance on Transparency and Beneficial Ownership (Recommendations 24 & 25)’ (2014) (, accessed 31-10-2019)). Criminals who intend using such entities for illicit purposes tend to create complex structures using these entities together with trusts and other legal arrangements, which enable the separation of legal ownership and beneficial ownership of assets in a bid to confuse the flow of funds, to disguise and convert the proceeds of crime before introducing them into the financial system, and to hide the ultimate beneficiaries (natural persons).

It is important, therefore, that, as part of the risk management and compliance programme framework of an accountable institution, the programme deals specifically with how due diligence for legal persons, trusts, partnerships and hybrid structures should be undertaken. More importantly, the accountable institution needs to know who the beneficial owners of these entities and structures are. A beneficial owner is always a natural person or individual – irrespective of how complex a structure is, there is ultimately a natural person who is the ultimate beneficiary.

The Financial Action Task Force (FATF), an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction, has issued certain recommendations, and these recommendations are encapsulated in the legislation of various jurisdictions, including South Africa. Recommendations 24 and 25 of the FATF deal with transparency and beneficial ownership, while recommendations 10 and 22 deal with customer due diligence. The FATF recommendations define a ‘beneficial owner’ as the ‘natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement’. This definition also applies in those cases where ownership or control is exercised through a chain of ownership or by means of control other than direct control. Readers are urged to read the FATF ‘Guidance on Transparency and Beneficial Ownership (Recommendations 24 & 25)’ (op cit).

An accountable institution’s risk management and compliance programme must, at a minimum, describe the customer due diligence measures that the institution applies to individual clients, legal persons, trusts and partnerships, and hybrid structures, and how these measures are intensified on the basis of money laundering and/or terrorist financing risks. An accountable institution can also determine how to conduct due diligence on its clients depending on whether the client is engaged for a single transaction or a business relationship, and the risk management and compliance programme of an accountable institution must be clear on these points, including the frequency of conducting ongoing customer due diligence. A risk management and compliance programme of an accountable institution should, therefore, provide for sufficient customer due diligence, which must be consistently applied to similar situations.

In conclusion, each accountable institution may face risks that differ from those of another, even within the same industry. An accountable institution should, therefore, assess its own position relative to the risks the institution wishes to address and apply such measures as are commensurate with the risks faced by the institution. In doing so, the institution should also fully appreciate its size and capabilities and take on only those risks that it is able to deal with and has an appetite for. As part of its risk mitigation measures for terrorist financing, an institution should access and monitor the lists issued from time to time warning of countries that are burdened with terrorist attacks and are, therefore, blacklisted, and should also be aware of jurisdictions that are embroiled in tax evasion, with minimal or no legislative regime around tax issues. These are referred to as tax havens. Additional and ongoing customer due diligence is always advisable.

If legal practices heed the call to implement these measures, not only will they be protecting their reputation as individual legal practices, but they will also be positively influencing and/or contributing to the global fight against money laundering and terrorist financing.

Simthandile Kholelwa Myemane BCom, Dip Advanced Business Management (UJ), Cert Forensic and Investigative Auditing (Unisa), Certified Control Self Assessor (Institute of Internal Auditors), Cert in Management and Investigation of Cyber and Electronic Crimes, Cert in Fraud Risk Management, Cert in Law for Commercial Forensic Practitioners, Cert in Investigation of Financial Crimes, Cert in Investigation and Detection of Money Laundering (UP) is the Practitioner Support Manager at the Legal Practitioners’ Fidelity Fund in Centurion.

This article was first published in De Rebus in 2019 (Dec) DR 6.