2022-04-28

Risk Management and Compliance Programme Framework 2022 Reviewed

The Financial Sector Conduct Authority (FSCA) provides this framework to guide accountable institutions in developing, documenting, and implementing a Risk Management and Compliance Programme (RMCP) under the Financial Intelligence Centre Act. The document details mandatory components including money laundering, terrorist financing, and proliferation risk assessments, tiered customer due diligence, record keeping, Go-AML reporting procedures, staff training, and United Nations sanctions screening. Institutions must apply a risk-based approach to tailor these controls to their specific operations, ensuring regular programme reviews and effective mitigation of compliance exposures.

South Africa

Financial Sector Conduct Authority

RISK MANAGEMENT AND COMPLIANCE PROGRAMME (“RMCP”): WHAT TO CONSIDER WHEN YOU DRAFT / REVIEW YOUR RMCP

INTRODUCTION AND PURPOSE OF THIS DOCUMENT

The Financial Sector Conduct Authority (“the FSCA”), as a supervisory body, is responsible for supervising and enforcing compliance with the Financial Intelligence Centre Act, No. 38 of 2001 (“the FIC Act”) by all accountable institutions regulated or supervised by it (section 45(1) of the FIC Act). By implication this entails performing supervisory and enforcement activities, on a risk-based approach, in relation to accountable institutions listed in items 4, 5 and 12 of Schedule 1 to the FIC Act.

Section 42 of the FIC Act requires all accountable institutions to develop, document, maintain and implement a programme for anti-money laundering and counter-terrorist financing risk management and compliance. To assist accountable institutions in developing an RMCP, the FSCA provides a framework of what should be incorporated in an RMCP. This is not a template and should not be used as such. The purpose of this framework is to assist an accountable institution to assess its own money laundering and terrorist financing risk in line with the guidance issued by the Financial Intelligence Centre (“the Centre”) in Guidance Note 7. It includes practical examples to promote an understanding of the risk-based obligations set out in section 42 of the FIC Act.

Guidance Note 7: https://www.fic.gov.za/Documents/171002_FIC%20Guidance%20Note%2007.pdf

The reader still needs to read the FIC Act, the regulations and the guidance issued by the FIC to understand the exact requirements of the FIC Act and the obligations it places on accountable institutions. In particular, take note of draft GN 7A and draft PCC 114 as well. The Authority accepts no liability for any non-compliance or loss suffered as a result of reliance on this document.
By clicking on the link below, you will be directed to the FIC’s website where you will be able to find contact particulars of the FIC, the FIC Act, regulations and guidance issued by the FIC: https://www.fic.gov.za/Pages/Home.aspx

Risk Management and Compliance Programme

Detailing the money laundering (“ML”), terrorism financing (“TF”) and proliferation financing (“PF”) risk assessment and mitigating controls

For Accountable Institution ABC

1. Background of the accountable institution and governance

Provide details of the persons accountable for the development, documentation, implementation and maintenance (including review) of the RMCP. The role of the compliance officer and the board of directors / senior management in ensuring compliance with section 42 of the FIC Act must be provided for in the RMCP. In addition, consider the characteristics of the accountable institution, such as the nature of the business, the size of the business, whether the business is supervised by other regulators (local and / or foreign), whether the institution is registered with the Financial Intelligence Centre, etc.

For example:

1.1. The senior management of ABC has the ultimate responsibility to ensure the RMCP is developed, documented, maintained and implemented. The persons responsible for this function include:
  1.1.1. Mr X – sole member of the Close Corporation
  1.1.2. Mrs Y – compliance officer
1.2. ABC is a close corporation with CIPC registration number 12345678. The sole member of ABC is John Doe, who is also the key individual for ABC. ABC operates from 123 Bokveld Street, City of Dreams, Gauteng. ABC has two other staff members who only provide administrative services for ABC.
1.3. ABC is licensed as a category 1 financial services provider with license number 12345. ABC is also registered with the Financial Intelligence Centre with Org ID number 45678.
1.4. ABC has 10 clients and the client base predominantly includes:
  1.4.1. Natural persons; OR
  1.4.2. Legal persons; OR
  1.4.3. Foreigners
1.5. ABC provides the following services, as authorised, to these clients:
  1.5.1. Financial advisory services in respect of life insurance policies

2. Risk assessment and risk rating (ML / TF / PF)

2.1 Risk management starts with identifying your inherent risk. You cannot mitigate or manage what you are not able to identify. There is no such thing as “no risk”! Your inherent risk is the risk that you are exposed to (to whatever degree) before you apply any mitigating controls. Consider factors like clients, products and services, distribution channels, geographic locations, etc. (this is not an exhaustive list). Apply your mind on a granular level to assess what about these factors may introduce more or less risk to your business / specific business area.

2.2 When you think of clients, consider the characteristics of the client and how these could increase or decrease the risk:
  2.2.1 The type of client (i.e. natural person / legal person / trust / partnership).
  2.2.2 Is the client acting on behalf of another person, or is another person acting on behalf of the client?
  2.2.3 Consider whether the client has beneficial owners that you need to identify.
  2.2.4 Ask yourself what makes a local client more or less risky than a foreign client.
  2.2.5 Consider the nationality / citizenship of your client.
  2.2.6 Whether your client is a domestic prominent influential person or a foreign prominent public official.
  2.2.7 Be specific and detailed in your assessment.
  2.2.8 Remember that although you are required to follow a risk-based approach, there are still some rules that apply: ABC will perform customer due diligence on all its clients and will not enter into a business relationship with an anonymous client or a client with an apparent false or fictitious name.[1]

[1] See section 42(2)(c) read with section 20A of the FIC Act and paragraphs 79-81 of Guidance Note 7

2.3 When you think of products and services, consider the characteristics of the product and how these could increase or decrease the risk:
  2.3.1 Is it a local or foreign product?
  2.3.2 Does the product allow for the use of cash?
  2.3.3 Does the product allow for cross-border flow of funds?
  2.3.4 Does the product allow for payment to or from third parties?
  2.3.5 Does the product have features like cooling-off periods?
  2.3.6 Does the product provide anonymity?
  2.3.7 Does the product have exposure to crypto assets or new technology?
  2.3.8 Is the product acquired through premiums / a lump sum?
    2.3.8.1 Example 1: Funeral policies cannot be converted into cash, are low-value products and do not provide anonymity. This could be considered low risk.
    2.3.8.2 Example 2: Investments in unlisted shares can be funded / topped up in cash, are not traded on a registered exchange and are not as highly regulated as other investments. This could be considered high risk.

2.4 When you think of geographic locations, consider how the following could increase or decrease the risk:
  2.4.1 Why would local clients / products pose a lower risk than foreign clients / products?
  2.4.2 From a local perspective, are all places in South Africa equally risky?
    2.4.2.1 Example 1: Would the risk increase if the client is close to a border / resides in a large metro / is domiciled in an area with high crime rates or gang activity?
    2.4.2.2 Example 2: Would the risk increase if the client is a foreigner and the country of origin is a FATF member country?
  2.4.3 Is the country of origin a known tax haven?
  2.4.4 Is the country of origin sanctioned?
  2.4.5 What was the result of the sector risk assessment in terms of geographic locations?

  2.4.6 How difficult would it be to verify the client’s address details in a foreign jurisdiction?

2.5 When you think of distribution channels, consider how the following could increase or decrease the risk:
  2.5.1 Does the manner in which you onboard a client introduce an element of anonymity?
    2.5.1.1 Example 1: When you onboard a client telephonically, how do you know that you are speaking to the person you think you are speaking to?
    2.5.1.2 Example 2: When you onboard a client through an electronic platform, how do you know that the person who completed the application information is in fact the person you are onboarding as a client?
    2.5.1.3 Example 3: If you appointed a juristic representative who onboards a new client, are you familiar with the core business of the juristic representative and how its core business may be exposing your business to money laundering / terrorist financing?
  2.5.2 Does the manner in which you engage with your clients for purposes of customer due diligence introduce an element of anonymity?

2.6 Other

There are many other factors that you may want to consider when you do your risk assessment that are not listed above. Please use the same methodology and assess the risk.
  2.6.1 Example 1: Do you consider the age of your client and how the client’s interest in a particular product could raise suspicion? If you onboard a client who comes from a middle-income household and has just finished school but shows interest in a complex, high-risk product (i.e. forex) with a sizeable minimum prescribed investment amount, would this impact how you risk rate this client?
  2.6.2 Example 2: Are you struggling to get your new client to cooperate in providing you with all the information that you need to risk rate the client?

  2.6.3 Example 3: Do you conduct adverse media screening on clients, and does finding adverse content persuade you to increase the client’s risk rating?

2.7 This is a very important part of risk management, and the reason why you indicate that a factor is high, medium or low risk is of the utmost importance. Please refer to the reasons set out in Guidance Note 7 as well as draft Guidance Note 7A read with draft PCC 114 and/or the sector risk assessment and/or the national risk assessment to motivate your conclusion. Ideally you should give more than one reason per risk factor to motivate your conclusion. Not all products, geographic locations and client types can be low or medium risk. In any organisation there will be low, medium and high-risk factors. Steer away from a general statement that the factor is low risk for money laundering unless you are able to substantiate your conclusion.

2.8 Assessment / Matrix (the assessment of risks should ultimately draw together all risk factors and measurements). See annexure A.

Risk classification | Risk score
------------------- | ----------
Low risk            | 1
Medium risk         | 2
High risk           | 3

You need to add up the risk score for each risk factor (see annexure A). You may then decide on what information you require for each risk category for purposes of conducting customer due diligence.

Sum of risk scores | Risk classification       | Information to obtain from client                                                                   | Documentation required to verify information
------------------ | ------------------------- | --------------------------------------------------------------------------------------------------- | --------------------------------------------
3-5                | Low risk: Simplified CDD  | Full names, ID number, source of funds                                                              | ID or passport or driver’s license
6-7                | Medium risk: Standard CDD | Full names, ID number, source of funds, residential address                                         | ID or passport, proof of residence
8-9                | High risk: Enhanced CDD   | Full names, ID number, source of funds, source of income, residential address, work name and address | ID or passport, proof of residence, 3 months’ salary advice or 3 months’ bank statements, and approval by senior management

3 Customer due diligence (CDD)

3.1 A client to ABC is someone that … (provide details of who you regard as your existing clients / clients that you are willing to onboard).[2]
3.2 Explain what CDD measures you would require for each risk assessment/measurement, i.e. low, medium and high. See paragraph 2.8 above.
3.3 Explain how you will determine that future transactions are consistent with your knowledge of the clients.[3]
3.4 Explain how you will identify and verify legal persons, trusts and partnerships.[4]
3.5 Explain how you will conduct ongoing due diligence and account monitoring.[5]
3.6 Explain the recording of complex or unusually large transactions and/or unusual patterns of transactions which have no apparent business or lawful purpose, and how you will investigate them.[6]
3.7 Explain what you will do if you have doubts about the veracity of information you have obtained.[7]
3.8 Explain how you will terminate an existing business relationship if you are unable to:
  • Identify and verify a client or other relevant person
  • Conduct ongoing due diligence[8]
3.9 Explain how you determine if a prospective client is a foreign prominent public official or a domestic prominent influential person, or a family member or known close associate of such a person, and what information you will obtain from such a person.[9]
3.10 What will you do with regard to CDD if a transaction is reportable? The client’s risk profile may change as a result of the transaction or activity, and therefore additional information must be obtained from the client, as the client is now a higher risk for money laundering or terrorist financing.[10]
3.11 If a particular requirement is not relevant to your business, include in the RMCP why this requirement is not relevant to your business. For example: With reference to section 42(2)(f) of the FIC Act, ABC does not enter into business relationships with / conclude single transactions with legal persons, trusts and partnerships.

[2] See section 42(2)(b) of the FIC Act read with paragraphs 76-78 of Guidance Note 7 and the definitions of client, business relationship and single transaction
[3] See section 42(2)(e) read with section 21A of the FIC Act and paragraphs 123-126 of Guidance Note 7
[4] See section 42(2)(f) read with section 21B of the FIC Act and paragraphs 95-118 of Guidance Note 7
[5] See section 42(2)(g) read with section 21C of the FIC Act and paragraphs 127-130 of Guidance Note 7
[6] See section 42(2)(h) read with section 21C of the FIC Act and paragraphs 128 & 130 of Guidance Note 7
[7] See section 42(2)(i) read with section 21D of the FIC Act and paragraphs 131-133 of Guidance Note 7
[8] See section 42(2)(k) read with section 21E of the FIC Act and paragraphs 134-137 of Guidance Note 7
[9] See section 42(2)(l) read with sections 21F-21H of the FIC Act and paragraphs 138-160 of Guidance Note 7

4 Record keeping

Address the procedures that you follow for keeping records. Also address what information you will keep, how you will keep the information, who will keep the information and the period for which you will keep the information.[11] Records that should be kept relate to the following:
4.1 records related to customer due diligence;
4.2 records related to transactions;
4.3 records related to screening of clients;
4.4 records related to risk rating of clients, including the reason for the risk rating and any risk rating adjustments;
4.5 records of reports filed with the Centre in terms of sections 28, 28A and 29 of the FIC Act;
4.6 records that relate to training provided / conducted;
4.7 records of decisions explaining why a transaction / activity was not reported to the Centre.

5 Reporting

Address the procedures that you follow for filing suspicious activity / transaction reports and other applicable reports. Mention the use of Go-AML. Also address the following questions:

  • When is a transaction reportable?
  • How will you determine a reportable transaction?
  • Who will file the report with the Centre?
  • How do you maintain the confidentiality of the information you reported?

[10] See section 42(2)(j) read with sections 21C & 33 of the FIC Act and paragraphs 28, 46, 65-70 & 159 of Guidance Note 7
[11] See section 42(2)(n) read with sections 22-24 of the FIC Act and paragraphs 161-179 of Guidance Note 7

Mention all the reportable occasions (cash threshold transactions, suspicious activities/transactions and transactions related to terrorism and financial sanctions).[12] It is important not to merely acknowledge the fact that you have a reporting obligation. How you identify and how you report are processes that you need to unpack in your RMCP.

6 Risk Management and Compliance Programme

6.1 Explain how the RMCP will be implemented in branches. If you do not have branches, explain that you will not comply with this section because, in line with your business structure, it does not apply to you.[13]
6.2 Explain how you will implement the RMCP in your organisation.[14]
6.3 This RMCP will be reviewed and updated … (This document must be reviewed and updated on a regular basis. Please state how often it will be reviewed, who will review it and the reasons for reviewing it. Make sure you have a version control system in place.)
6.4 Ensure that you make reference to all underlying related operational business procedures and controls which would collectively constitute the RMCP.

7 Training

Address the procedures that you follow for training yourself and staff (if applicable) regarding the FIC Act and the RMCP.[15]

8 Go-AML

Mention who has access to Go-AML and how often it is monitored.[16]

9 Prohibitions relating to persons and entities identified by the Security Council of the United Nations

Provide in your RMCP for the prohibitions related to dealing with persons / entering into transactions with people who are included in the published list. These prohibitions are set out in section 26B of the FIC Act. Your RMCP should also provide for the processes related to screening clients (refer to section 28A of the FIC Act) and filing the relevant reports with the Centre within the prescribed timeframe in terms of section 29(1)(b)(vi) of the FIC Act.

[12] See section 42(2)(o) & (p) read with sections 28, 28A & 29 of the FIC Act, Guidance Notes 4B, 5C & 6A and Directive 3
[13] See section 42(2)(q) of the FIC Act
[14] See sections 42(2)(r), 42(2B), 42(2C) & 42(3) of the FIC Act read with paragraphs 180-190 of Guidance Note 7
[15] See section 43 of the FIC Act read with paragraph 184 of Guidance Note 7
[16] See Directives 1 and 2

This Risk Management and Compliance Programme has been approved / reviewed by …………………………. in his/her capacity as …………………………………… at ………………………………………………… on this the …….. day of ……………………………. 20xx.


Signature of owner