There has been a lot of noise in recent months about South Africa facing the possibility of being “greylisted” due to a poor score in the Financial Action Task Force’s (FATF) effective outcomes to combat money laundering and the financing of terrorism.
This has been amplified by the recent R35 million ($2m) fine that was imposed on Nedbank by the South African Reserve Bank (SARB) for failing to comply with specific administrative requirements of the Financial Intelligence Centre Act (FICA). Greylist countries include Panama, Syria and Yemen.
Asked about the possibility of becoming the second G20 country to be added to the greylist after Turkey, joint Standard Bank Group chief executive Sim Tshabalala commented to the Financial Times that such a measure would undoubtedly contribute to higher costs of business and as a result inflation and higher unemployment, as well as restrict South Africans’ ability to invest offshore.
South Africa’s weak record
While the Nedbank fine relates to findings from 2019, it is not difficult to join up the dots with the FATF actions. The South African authorities are being scrutinised for having a weak investigative and prosecutorial record. It is logical that further fines and warnings may follow to other banks as the country faces up to the criticism from the FATF findings.
It is therefore more important than ever for South Africa, as a jurisdiction, to be viewed as tough and rigid when it comes to compliance with the FICA. It is also in the best interest of banks to partner with government to try and avoid being added to the greylist, or to exit the greylist as soon as possible, should South Africa be added.
There was no evidence of Nedbank’s involvement in, or facilitating of, transactions involving money laundering or the financing of terrorism. However, like we saw with many European financial institutions, the fine was imposed due to the absence of a clear programme and policy mandated by the FICA Amendment Act (FICAA) of 2017. According to SARB, Nedbank failed to apply the following:
- A risk-based approach across its business sectors in line with their Risk Management and Compliance Programme;
- Enhanced due diligence controls;
- Risk-rating their clients;
- To clearly demonstrate and prove that they had developed and documented end-to-end procedures and methods used during the on-boarding process of their clients;
- To prove that their controls could effectively obtain the right data that would help them to correctly risk-rate their clients.
The crux of the matter is that Nedbank had not transitioned from a rule-based to a risk-based approach regarding Know Your Customer (KYC), nor had the bank developed the necessary framework to support and maintain this. Such a transition is challenging and takes time and expertise to implement effectively.
It is likely that we will see other accountable institutions face similar consequences. While we wait for the FATF decision, South African banks should be considering how they can support the government to demonstrate to the FATF that serious change is being implemented. One way to do this is to implement a robust risk-based approach.
However, this is easier said than done. Not only is a strong framework required but the implementation and wider application of the approach can be challenging to adopt and to oversee on an ongoing basis.
Re-aligning KYC to a risk-based approach
Whilst there are several elements to consider when re-aligning a KYC approach, it is worth highlighting four key components.
Risk Appetite: There is not a one size fits all when it comes to risk appetite. All companies have their individual strengths and weaknesses according to the markets they operate in and the sectors they target for growth. It is therefore important that each business can outline why they are in certain markets and how they mitigate the risks of conducting such business using their own bespoke enhanced due diligence processes. A good example of this is how the historically conservative Canadian banks embraced the growth of cannabis as a new market.
Framework: This is the handbook and policy that KYC teams will operate within. It needs to be sufficiently detailed while also applying practical instructions to users. Updates to the policy need to be introduced in a coherent manner.
Technology: KYC has historically been a manually intensive, time consuming and expensive exercise. This is gradually evolving as ‘regtech’ solutions flood the market in areas such as on-boarding, customer screening (sanctions/adverse news) and transaction monitoring. There are undoubtedly good solutions available, and this space will change dramatically in the years to come. However, the market is in a phase of consolidation and the winners are still to be determined.
Furthermore, vendor selection and implementation are time consuming processes that require substantial investment in resourcing from both the buyer and the vendor. Added to this is the knowledge shortage within the banking sector regarding new technologies. Buyers need to ask vendors the right questions and the only way to learn this is by being immersed in and familiar with the capabilities and limitations of the various technology platforms.
People and standardisation: Individuals will still play a key role in the process, and their responsibilities will become more technical and subjective but much more interesting, which should improve motivation and performance levels. The historic rule-based approach uses a fairly robotic application of human resources which can lead to human error. Efficiently managed KYC teams need to conform to a standard that will change regularly as global events drive policy changes. Therefore, to monitor and maintain these standards remains a constant and continuous challenge.
Global lessons learned
South Africa can lead the way and learn from the anti-money laundering (AML) and Counter Financing of Terrorism (CFT) legislation that other countries have adopted and implemented. The European Union (EU) and the United Kingdom (UK) have always been viewed as leading global financial hubs with well-established regulatory frameworks. Therefore, a risk-based approach was introduced into EU legislation by the Fourth EU Anti-Money Laundering Directive (4AMLD) in June 2015, and transposed into UK legislation in June 2017 (MLR, 2017) by considering the latest FATF Recommendations of 2012.
EU and UK firms experienced the same set of complications that South African firms are currently experiencing when they adopted a risk-based approach. They had similar concerns as to what it meant to apply a risk-based approach and how to implement this approach within their policies and procedures.
South Africa, a G20 economy, is still viewed as a leading regional financial hub for sub-Saharan Africa which is why it is important to set the standard for the rest of the continent. There seem to be a lot of discussions about the negative long-term implications of being greylisted. But all is not yet lost. In fact, this should be viewed as an opportunity to lead the way by addressing the identified challenges, head-on. It will take significant political will but it is possible to transition from a rule-based to a risk-based approach. Other regions have done it. With the sophistication of South African banks, they are also well equipped to succeed.
Wendy Murray is director of the Lysis Group operations for South Africa, based out of Cape Town. Chris Oliver is associate director, and head of Lysis Operations, based in London.