
A R3 Million Wake-Up Call: What Discovery Bank's FICA Fine Means for Your Business

Published on FICACompliant.co.za | FICA compliance | AML | Accountable Institutions | South Africa

R3 million. That is the penalty the Prudential Authority levied against Discovery Bank for failures in its FICA compliance framework, and regulators have made clear this is only the beginning of domestic enforcement.

Being FICA compliant is not a once-off milestone. Under the Financial Intelligence Centre Act (FIC Act), every accountable institution, from attorneys and estate agents to financial services providers and accountants, carries an ongoing legal obligation.


That obligation includes maintaining a risk management and compliance programme (RMCP), submitting suspicious transaction reports via goAML, conducting regular FICA inspections of internal processes, and ensuring all staff are trained on their duties. Failure on any of these fronts exposes your business to regulatory sanction, reputational damage and, as Discovery Bank's case makes clear, substantial financial penalties.

What the Discovery Bank penalty actually found

The Prudential Authority's investigation identified failures that will be uncomfortably familiar to many compliance officers. At the centre of the findings were 2,281 automated transaction monitoring alerts that were mismanaged, and unacceptable delays in reporting suspicious transactions to the Financial Intelligence Centre. Investigators also found gaps in FICA training, not just for junior staff but for senior management.


These are not exotic compliance failures requiring specialist forensic investigation to uncover. They are breakdowns in basic operational discipline: alerts not actioned, reports not filed on time, training not completed. The kind of failures that accumulate quietly until a regulator looks closely.


Hawken McEwan, Director of Risk & Compliance at nCino KYC Africa, put it plainly: the Prudential Authority was not merely asking whether a monitoring system existed; it was asking whether the system was effective and whether the people operating it were adequately trained. On both counts, Discovery Bank fell short.

Three lessons every accountable institution must take from this

Having a compliance system is not the same as having a compliant system. The bank had automated transaction monitoring in place. The problem was that alerts were not being actioned appropriately. For smaller accountable institutions such as law firms, estate agencies and motor dealers, the risk is even more acute. Many rely on manual processes or basic spreadsheets. If alerts are not reviewed, escalated and resolved in a documented, auditable way, the system's existence provides no protection whatsoever during a FICA inspection.


Training gaps at management level are a structural failure, not an administrative oversight. The Prudential Authority specifically noted inadequate FICA training among senior staff. This matters because an RMCP only functions as designed when management understands and enforces it. If your senior team cannot articulate your institution's risk appetite, customer due diligence procedures, or reporting obligations, your RMCP is just a document, not a programme. The FIC Act requires provable competence, not paper compliance.


South Africa's exit from the FATF greylist has not reduced regulatory pressure. The discovery that domestic regulators are applying the same scrutiny previously applied by international watchdogs is precisely the point. McEwan's warning bears repeating: "The era of domestic enforcement is just beginning, and this penalty is a R3 million wake-up call for every accountable institution, not just banks." FICA registration alone does not insulate your business. Ongoing demonstrable compliance does.

What "box-ticking compliance" looks like to a regulator

McEwan described the new baseline as "provable, end-to-end compliance, from the RMCP to real-time monitoring and mandatory training for everyone." That phrase, "provable, end-to-end", is the standard your institution will be held to during a FICA inspection. The question is not whether you have a policy document filed somewhere, but whether you can demonstrate that the policy is understood, implemented and functioning. Regulators are looking for evidence trails: training records with dates and participant lists, alert resolution logs, goAML submission timestamps, and customer due diligence files that are complete and current.


For attorneys, estate agents, and dealers of high-value goods, the implications of this case extend beyond banking. The underlying failures (inadequate training, poor alert management and delayed reporting) are sector-agnostic. If your FICA documents are outdated, your staff have not been trained in the past twelve months, or your RMCP has not been reviewed to reflect your current business activities, you are carrying regulatory risk today.

Practical actions to take now

  • Review your RMCP against your current products, services and customer base. The FIC Act requires it to reflect your actual risk profile, not a generic template.

  • Audit your goAML reporting history. Are suspicious transaction reports being submitted within the required timeframes? Is there an auditable log of the decisions made on every alert?

  • Conduct a training gap analysis. When did your senior management last complete formal FICA training? Do you have dated records to prove it?

  • Test your monitoring process end-to-end. If an alert is triggered today, can you demonstrate step by step what happens to it, who reviews it and how it is resolved or escalated?

  • Check your FICA registration status and ensure all reportable persons within your institution are correctly registered with the Financial Intelligence Centre.

Conclusion

Discovery Bank's R3 million penalty is not an isolated banking sector story. It is a clear statement from South African regulators about what being FICA compliant actually requires and what it costs when institutions fall short. The FIC Act does not distinguish between a tier-one bank and a small estate agency when assessing compliance obligations. The standard is the same. The scrutiny is increasing. The documentation requirements are non-negotiable.


If your institution does not have a current, functional RMCP, or if you are not certain that it meets the FIC Act's requirements, visit FICACompliant.co.za to receive a free tailored RMCP. It is the foundation on which every other obligation rests and the first thing a regulator will ask to see.
