Anti-money laundering compliance is one of the most technically demanding areas of the regulatory environment facing South African financial service providers. The Financial Intelligence Centre Act places specific, ongoing obligations on accountable institutions , and the consequences of non-compliance have become increasingly tangible.

Yet in practice, many FSPs approach AML compliance the same way they approach compliance generally: with a policy document, a risk matrix that was last updated eighteen months ago, and an assumption that not being audited means not having a problem.

That assumption is becoming harder to sustain.

What the FIC Act Actually Requires

The FIC Act, together with its associated regulations and guidance notes, imposes a structured set of obligations on accountable institutions , a category that includes most licensed FSPs, asset managers, insurance intermediaries, and payment-adjacent businesses.

These obligations include:

• Customer due diligence (CDD) , identifying and verifying clients, understanding the nature of their business, and assessing the risk they represent.
• Enhanced due diligence (EDD) , applying additional scrutiny to higher-risk clients, including Politically Exposed Persons (PEPs) and non-resident clients.
• Ongoing monitoring , continuously reviewing transactions and client relationships against established risk profiles.
• Suspicious transaction reporting (STRs) and cash threshold reporting (CTRs) , submitting required reports to the FIC in specified formats and timeframes.
• Record-keeping , maintaining documentation for a minimum of five years in formats accessible for regulatory inspection.
• Training , ensuring that all staff with AML responsibilities receive appropriate, documented training on a regular basis.

Each of these obligations requires a system. A policy document alone does not constitute compliance. The FIC will want to see evidence that the system operates , not just that it exists on paper.

Where Most FSPs Fall Short

The most common compliance failures in the AML space are not dramatic. They are structural. Businesses that are broadly well intentioned about compliance still carry significant exposure because their AML systems were designed to document intent rather than to produce and retain operational evidence.

Common structural weaknesses include:

• CDD processes that are applied at onboarding but not maintained , client risk profiles that were accurate three years ago but have never been updated.
• PEP and sanctions screening that is performed manually and inconsistently, with no audit trail demonstrating that screening occurred on a specified date against a specified list.
• STR and CTR reporting workflows that exist in principle but have never been tested , and where staff are uncertain about the threshold and timing requirements.
• Training records that are incomplete, undated, or that reflect general financial services training rather than FIC Act-specific content.
• Risk Appetite Statements and Business Risk Assessments (BRAs) that are generic, template-based, and disconnected from the actual risk profile of the business.

None of these failures require malicious intent. They are the natural result of building a compliance environment around documentation rather than operation. But the FIC does not distinguish between intentional non-compliance and structural inadequacy. The exposure is the same.

The AML/FIC Intelligence Framework

ICS approaches AML compliance through what we call an AML/FIC Intelligence Framework , a structured operating environment that automates workflows, tracks reporting obligations, and produces the evidence that demonstrates ongoing compliance.

This framework is built around the specific obligations of the FIC Act and is designed to do three things:

First, it automates the workflows that most businesses try to manage manually , CDD completion tracking, PEP and sanctions screening, STR generation, CTR monitoring, and training records. Automation reduces error rates and creates consistent, dated evidence trails.

Second, it aligns reporting to the actual regulatory cycle. FIC reporting obligations have specific timing requirements. A compliant business needs systems that surface those obligations in advance, not after the fact.

Third, it produces an audit-ready output at every stage. When the FIC or the FSCA requests evidence of AML compliance, the framework produces it , structured, traceable, and complete.

The FSCA’s Increasing Focus on AML Governance

The FSCA’s supervisory framework includes AML governance as a component of broader conduct and operational risk assessments. Licenced FSPs are increasingly being assessed not just on whether they have AML policies, but on whether those policies are implemented, maintained, and evidenced.

This is consistent with global regulatory trends. The FATF mutual evaluation framework, to which South Africa is subject, places significant weight on operational effectiveness , the degree to which the formal compliance system actually produces the intended outcomes. South Africa’s most recent FATF evaluation highlighted structural weaknesses in how private sector entities implement their AML obligations. Regulators are responding.

For FSPs, this means that the adequacy standard is rising. A policy that was sufficient three years ago may not meet current supervisory expectations. Businesses that have not reviewed and updated their AML infrastructure recently are likely carrying more exposure than they realise.

Building a Compliance Environment That Can Be Evidenced

The key distinction in AML compliance , as in compliance generally , is between systems that are designed to be filed and systems that are designed to be operated and evidenced.

A filed system produces a folder. An operated system produces a trail.

The trail is what the regulator needs to see. Date-stamped screening results. Completed CDD records with review dates. STR submissions with reference numbers. Training completion records with attestations. BRAs that reflect the actual risk profile of the business, reviewed on a documented schedule.

Building that trail requires intentional system design. It does not happen automatically as a by-product of ordinary business operations. It requires an AML framework that is integrated into how the business operates , not bolted on as an afterthought.

Who This Applies To

The FIC Act’s accountable institution definition is broad. If your business holds client funds, facilitates transactions, provides investment advice, distributes financial products, or operates in payment-adjacent spaces, you are almost certainly subject to FIC Act obligations.

This includes:

• Licensed FSPs under the FAIS Act , regardless of category or size.
• Discretionary and administrative FSPs managing client portfolios.
• Insurance and risk intermediaries in distribution roles.
• Fintech platforms facilitating transactions or holding client value.
• Payment-adjacent businesses operating under FSCA authorisation or in adjacent regulatory frameworks.

The FIC Act does not have a small business exemption. The obligations apply to the business, not to its size. What scales with size is the sophistication of the required systems , but the obligations themselves are universal.

The Next Step

ICS works with regulated businesses to assess their current AML/FIC compliance environment, identify structural gaps, and implement the systems needed to close them. The process begins with a detailed review of existing policies, workflows, and evidence trails , and produces a clear remediation and implementation plan.

If your AML environment was built to be filed rather than operated, now is the time to change that.

Contact Integrated Compliance Solutions at info@integratedcompliancesolutions.co.za or visit www.integratedcompliancesolutions.co.za to request a compliance architecture review.