The Financial Intelligence Centre (FIC) concluded a comprehensive consultation process, resulting in the publication of the final Guidance Note 7A (GN 7A) on 13 February 2025. GN 7A replaces Guidance Note 7 (GN 7), incorporating valuable stakeholder input from three rounds of consultation held between April 2022 and June 2024.

There have been material amendments to the new Chapter 4 of GN 7A (previously Chapter 4 of the GN 7), which provides guidance to the board of directors (where the accountable institution is a legal person with a board of directors), senior management (of an accountable institution without a board of directors), and persons holding the highest authority in accountable institutions regarding their obligations in relation to the risk management and compliance programme (RMCP) obligations of an accountable institution as set out in section 42B of the Financial Intelligence Centre Act, 2001 (FICA).

GN 7A reflects significant amendments relating to an accountable institution's RMCP.  Some of the substantive amendments in GN 7A are noted below:

Responsibilities relating to approval and compliance: The board of directors, senior management, or other person(s) exercising the highest level of authority must: (i) approve the RMCP after careful consideration of the overall risks, and risk appetite of their business, which responsibility cannot be delegated to any other person(s), committees or structures within the accountable institution; and (ii) ensurecompliance by the accountable institution and its employees with the provisions of FICA and its RMCP.     

Culture of compliance: The board of directors, senior management, and person(s) with the highest authority are solely responsible for the adequacy, suitability, and effectiveness of the RMCP and will be held accountable if the RMCP is found to be inadequate. An example provided in GN 7A is when a supervisory body conducts an inspection and identifies a version control issue. This occurs when, for example, a financial service provider (FSP) updates its approved RMCP but fails to obtain board approval for the revised version. In this case, the board's omission constitutes non-compliance with its obligations under FICA.

Elements of an effective RMCP and the documentation of an RMCP: As a minimum, the FIC recommends that the RMCP documentation includes the following three parts:

Part 1 – Identification and assessment of risk.

Part 2 – Mitigation and management of risks identified through applying appropriate controls, including customer due diligence (CDD), reporting, and record-keeping, among other things.

Part 3 – Monitoring whether the controls implemented are adequate and effective in mitigating and managing the risks identified and assessed.

Risk identification: The RMCP must be drafted accordingly for each business after considering the nature, size, industry, and jurisdictions in which the business operates. Practically, the RMCP should inform the reader of how the business will comply with FICA.

The FIC differentiates between a business risk assessment and a client risk assessment. The latter is part of the business risk assessment. The risk assessment should not be limited to the client risk assessment but must be broader to cover all the business aspects of the accountable institution.

A risk-based approach is a fundamental requirement for accountable institutions to ensure that they adequately manage the risks associated with money laundering and terrorist financing. Institutions must have a comprehensive understanding of the risks posed by their clients, transactions, and business relationships. This approach involves assessing inherent risks (the risk of an event or circumstance which exists before controls or mitigation measures are applied) and residual risks (the level of risk that remains after controls and mitigation measures were implemented), including potential threats, vulnerabilities, and consequences.

Documentation considerations: GN 7A provides     , amongst other things that the RMCP documentation must reference related documentation that constitutes and enables the full implementation of the RMCP. Documentation not referenced in the RMCP will not be considered part of the RMCP.

Group-wide RMCPs: GN 7A notes that accountable institutions may implement a group-wide RMCP. However, if accountable institutions elect to implement a group-wide RMCP, it must specify what does and what does not apply to the different entities within the group.

GN 7A underscores South Africa's efforts to strengthen its anti-money laundering and combating the financing of terrorism regulations and to address the Financial Action Task Force's (FATF) criterion of South Africa's outstanding deficiencies. For example, GN 7A now prescribes that the development of new products, services, delivery mechanisms, practices, and technologies must be covered under the accountable institutions' risk assessment.

Accountable Institutions must ensure that their RMCP is updated in line with GN 7A, including documenting systems and controls for managing money laundering and terrorist financing risks.

GN 7A came into force on the date of publication. A copy of GN 7A may be found here.

Written by Dawid de Villiers, Partner, Lerato Lamola, Partner, Lenee Green, Partner, Mariam Ismail, Associate & Christopher Williamson, Associate at Webber Wentzel