The significance of having a robust Risk Management and Compliance Programme (RMCP) for combating Money Laundering (ML), Terrorist Financing (TF) and Proliferation Financing (PF), cannot be taken lightly.
An adequate RMCP can safeguard accountable institutions. It protects them from legal entities and individuals seeking criminal abuse.nMoreover, RMCPs play a fundamental role. They protect accountable institutions and uphold the integrity of our financial system.
Who must implement an RMCP?
All financial and non-financial accountable institutions listed in the FIC Act must develop, document, maintain, and implement an RMCP.
In addition, they must provide copies of their RMCPs upon request. This applies regardless of their supervisory authority.
Compliance failures prompt regulatory action
Through FIC Act inspections, the FIC has noted widespread failure by accountable institutions to develop or implement RMCPs. This failure was compounded by an absence of a prior completed and documented business risk assessment of their ML, TF and PF risks, that informed the development of the RMCPs.
This was a primary motivation for the FIC to issue a general request to certain affected sectors on 4 March 2025 to submit a copy of their RMCPs electronically on the goAML platform, by 12 March 2025.
Ongoing obligation to submit RMCPs
The requirement to submit RMCPs to the FIC remains in force, even after the closing date expired. It continues to bind all accountable institutions. Those in default must immediately submit outstanding RMCPs via the goAML platform.
Furthermore, developing and implementing RMCPs forms part of broader compliance duties under the FIC Act. These obligations apply to businesses and sectors listed in Schedule 1 as accountable institutions.
The RMCP and related duties aim to strengthen the business environment. They also help protect the financial system from abuse. Specifically, they guard against money laundering and terrorist financing.
Risks and client behaviour
To fulfil the RMCP obligation, institutions must understand how criminals can abuse their products and services.
They must also understand how these can be used to launder money, finance terrorism, or fund weapons proliferation. Additionally, institutions need to assess the level of risk posed by their different client types.
Identifying and managing client risk
Institutions must understand their business environment and implement risk mitigation measures and controls for money laundering. They must include these measures in their RMCP to protect the business effectively.
In addition, institutions must document the RMCP and keep it updated at all times.
The highest business authorities must take ultimate responsibility for implementing the RMCP.
Accountable institutions must identify client types that pose higher or lower risks for money laundering and terrorist financing. They must include this risk assessment in their RMCPs.
This process helps institutions apply appropriate verification and other measures during onboarding or ongoing relationships. Therefore, RMCPs remain central to the continuity and resilience of the business.
Practical application – estate agencies
Estate agents, for example, must stay alert when clients purchase high- or low-end properties from them using cash. They should also question clients who rent property, pay cash upfront, and then request refunds soon after.
Agencies must consider how to handle these and similar clients in line with their internal policies. These scenarios must appear clearly in the estate agency’s RMCP as part of their risk assessment.
In addition, the risk-based approach requires identifying different client types and their associated risks. Agencies must define what extra measures are needed to manage such risks effectively. They must also train their teams on how to recognise and respond to suspicious client behaviour.
Consequences of non-compliance
The FIC reminds accountable institutions that failing to submit an RMCP constitutes non-compliance with the FIC Act.
Non-compliant institutions must submit their outstanding RMCPs through the FIC’s registration and reporting portal, goAML. However, institutions must not assume that 
submission alone meets all RMCP compliance requirements. The FIC will test the RMCP against legislative standards during inspections and ongoing compliance monitoring.
Stay informed
Accountable institutions are strongly urged to daily consult and monitor the FIC goAML message board (under their Org ID profile as registered with the FIC) to immediately attend to outstanding RMCP and other requests from the FIC.
Christopher Malan | Head | Compliance and Prevention | Financial Intelligence Centre (FIC) | mail me |
