Page 95 - Profile's Unit Trusts & Collective Investments - March 2026
P. 95
Legislation and guidelines Chapter 5
conducts its operations, and so on. In the case of trusts, details of all trustees and all beneficiaries
may be required.
Risk Management and Compliance Programme
FICA requires every accountable institution to draw up a Risk Management and Compliance
Programme (RMCP).
Accountable institutions can tailor the processes they implement to satisfy the FICA requirements
in accordance with entity-specific risk profiles.
The systems and controls used to manage ML/TF risks must be documented in each organisation’s
RMCP. The Act requires the RMCP to specify, inter alia, how the accountable institution will:
R Establish and verify the identities of clients and associated persons
R Distinguish between actual clients and prospective clients
R Determine if a prospective client is a foreign prominent public official or domestic prominent
influential person
R Ensure that it does not deal with anonymous or fictitious customers
R Distinguish between low-risk and high-risk clients and what CDD procedures will apply
in each case
R Terminate a business relationship when it is unable to complete CDD requirements
R Scrutinise complex and abnormally large transactions and identify transactions with no
apparent business or lawful purpose
R Determine when suspicious transactions or clients must be reported
The RMCP must also set out the record management process, including where records will be kept.
Employees of accountable institutions must receive comprehensive and ongoing training
on FICA in accordance with the RMCP to ensure that they are aware of their duties when engaging
with clients.
Under the amended Act, responsibility for FICA compliance cannot simply be delegated by
executives. The amended Act tasks the person/s with the highest level of authority with ensuring
FICA compliance. A specific individual with sufficient competence and seniority may be appointed
to assist with ensuring compliance, but ultimate oversight rests with executives.
Notwithstanding the rigorous requirements of the Act, the FIC recognises that detecting ML/TF
activity is not an exact science. To quote again from the guidance notes: “The risk-based approach is
not a ‘zero failure’ approach as there may be occasions where an institution has taken all reasonable
measures to identify and mitigate ML/TF risks, but it is still exploited for money laundering or terrorist
financing purposes.”
POPI
The Protection of Personal Information Act (POPI), gives effect to the constitutional right to
privacy in SA. The Act tries to balance the legitimate needs of entities to collect and use personal
data for business and other purposes, and the right to privacy of individuals and organisations.
Although the Act was signed into law in November 2013, the Regulator was only formalised in
February 2017. The commencement date for the act was 1 July 2020. A grace period of one year
was granted, meaning that organisations that process “personal information” had until 1 July 2021
to comply with the legislation.
Note that the implementation of Section 58(2) of POPI – and only this section – was extended
till 1 February 2022. Section 58(2) states that, where prior authorisation is required, no information
processing may be carried out until the Information Regulator has given the all clear.
Responsible parties
POPI defines three parties (who can be natural or juristic) that are potentially involved in the
processing of personal data:
The data subject: the party to whom the information relates.
Profile’s Unit Trusts & Collective Investments March 2026 93
