Using a risk-based approach to combat money laundering and terrorist financing

March 1st, 2020

By the Financial Intelligence Centre

As accountable institutions listed in sch 1 of the Financial Intelligence Centre Act 38 of 2001 (FIC Act), legal practitioners are required to apply a risk-based approach when establishing a business relationship and/or conducting a single transaction with a client.

This requirement aligns with the Financial Action Task Force (FATF), which sets international standards on combating money laundering and terrorist financing.

The application of a risk-based approach – when implementing controls – allows a legal practitioner to mitigate money laundering and terrorist financing. Controls put in place by legal practitioners must be in proportion to the risks they identify. To comply with the requirement of applying a risk-based approach, legal practitioners must identify, assess, monitor, mitigate and manage the risk that their products and/or services may be abused by criminals for money laundering and/or terrorist financing.

Identifying and assessing risk

As part of identifying risks, legal practitioners must assess all factors relevant to establishing a business relationship and/or conducting a single once-off transaction with their clients.

Legal practitioners can take into account the following factors when identifying potential money laundering and terrorist financing risks:

  • Products and/or services: Consider the extent to which the legal practitioner’s product and/or service offers anonymity to the client; does the product and/or service allow for third party payments; can the product be converted easily to cash; and is the product and/or service subject to additional checks, such as credit or regulatory approvals and so on.
  • Client types: From a money laundering and terrorist financing perspective, different client types present different levels of risk. Legal practitioners must develop a deep understanding of who their customers are, and the potential risks they pose. Such considerations would include whether the client is a natural person or a complex structure. Legal practitioners may find that dealing with a client who is a natural person presents less risk than dealing with a legal entity, such as a company. Some companies may be abused by a criminal attempting to hide behind a corporate structure. In light of this, it is vital that legal practitioners identify beneficial owners of legal persons. Beneficial owners can include shareholders of companies and beneficiaries of trusts, and so on. In addition, legal practitioners need to consider whether there is negative coverage on their clients in the media, the client’s source of income and source of wealth. They need to ask whether the client is in an occupation or sector that presents a higher risk from a money laundering and terrorist financing perspective.
  • Delivery channels: The way in which a client is on-boarded (familiarising a client with one’s services) must be considered. Do they on-board clients through an intermediary or on a virtual platform with no face to face contact? The latter approach to on-boarding clients may hold a higher risk than face to face on-boarding.
  • Geographic location: Legal practitioners must take their own location into account, namely where they provide their products and/or services, in relation to where their client is located. Some accountable institutions do not necessarily provide products and services in different countries; in this instance the different provinces and even regions can be assessed and compared from a risk perspective. Some geographical locations may pose a higher risk due to a heightened perception of corruption, as well as lower levels of regulations regarding anti-money laundering and combating of terrorist financing.
  • Other factors, which should be considered, include: Whether the client is a sanctioned person; a domestic prominent influential person; or a foreign prominent influential person.

Legal practitioners may also refer to industry guidance on whether certain products and/or services, client types, or sectors and so on, pose a higher risk from a money laundering and terrorist financing perspective.

After identifying and assessing the potential risks, the legal practitioner can then assign different weightings based on the perceived risk to yield an overall client rating. The higher the overall client rating, the more stringent the controls must be. Enhanced control measures should be applied to mitigate the heightened risk. Where the client risk rating is lower, there may be fewer control measures.

Key aspects to managing risk

Legal practitioners must develop controls, which mitigate and manage the risks, and which fulfil the Financial Intelligence Centre’s (FIC’s) compliance requirements. Controls include, but are not limited to –

  • policies;
  • procedures;
  • systems;
  • training;
  • reporting; and
  • other aspects.

All controls implemented must be monitored for adequacy and effectiveness. All the controls developed and implemented by the legal practitioner form part of their risk management and compliance programme.

In summary, the controls that must be included in a risk management and compliance programme must provide for:

  • Client profiling – factors and methods to be taken into account when determining the overall client risk rating.
  • Customer due diligence, which includes identifying and verifying clients and all other required persons.
  • Additional due diligence, which includes identifying and taking reasonable steps to verify beneficial owners and other persons.
  • Enhanced due diligence, which includes obtaining senior management approval and putting in place any other enhanced measures to mitigate dealing with higher risk clients.
  • Simplified due diligence, which includes less stringent measures when dealing with lower risk clients.
  • Client transaction profiling methods, which include profiling expected activity for products/services and client types.
  • Ongoing due diligence, which includes keeping client information up to date and accurate.
  • Account monitoring, where client products and services (ie, accounts) are monitored to identify suspicious and unusual activity.
  • Client screening and payment screening against financial sanctions of the United Nations Security Council (UNSC), which is available on the UNSC website, and against the targeted financial sanctions list, which is available on the FIC website.
  • Reports submitted to the FIC –
      – suspicious and unusual transactions reports;
      – terrorist property reports;
      – cash threshold reports; and
      – international fund transfer reports.
  • Keeping records of all customer information, transaction information and reports submitted to the FIC.

Legal practitioners must ensure their risk management and compliance programme covers all the aspects as set out in s 42 of the FIC Act. The risk management and compliance programme must be approved by the legal practitioner’s board of directors, senior management or other person or group of persons exercising the highest level of authority in the accountable institution.

This article was first published in De Rebus in 2020 (March) DR 6.