Three fines, one pattern: what FICA compliant really means for forex dealers and financial institutions
Published on FICACompliant.co.za | FICA compliance | Forex dealer | AML | Accountable Institutions | South Africa
Being FICA compliant is a condition of operating as an accountable institution in South Africa, not a box to check at registration and revisit only when something goes wrong.
Under the Financial Intelligence Centre Act, every accountable institution carries ongoing obligations. These include maintaining a current and operational risk management and compliance programme (RMCP), identifying and verifying all clients through documented customer due diligence and providing regular staff training.
Regulators across the SARB, the Prudential Authority, and the FSCA are now enforcing these obligations with a consistency and specificity that leaves no room for incomplete programs.
How three separate penalties were levied against one forex dealer
The South African Reserve Bank's sanctions against Access Forex, an Authorised Dealer in foreign exchange with Limited Authority (ADLA) operating across Zimbabwe, the United Kingdom, and South Africa were not issued as a single lump-sum finding. They were issued as three distinct penalties, each referencing a specific section of the FIC Act. That structure is significant because it shows exactly how regulators read a compliance programme during a FICA inspection.
R100 000
Section 42(1) — RMCP not developed, documented, or implemented to the required standard
R37 500
Section 20 — failure to identify and verify certain clients before establishing business relationships
R25 000
Section 43 — failure to provide adequate ongoing FICA training to staff
Each penalty maps directly to a foundational compliance requirement. The RMCP failure attracted the largest portion of the fine because without a functioning RMCP, everything downstream is structurally compromised. An institution that has not properly documented how it identifies risk, how it conducts due diligence, and how it responds to suspicious activity cannot demonstrate compliance in any area. The FICA documents required to evidence customer onboarding and transaction monitoring are only as reliable as the programme that governs them.
The FSCA's concurrent R10.6 million fine against Sanlam Collective Investments for inadequate client identification, failure to verify beneficial owners and insufficient ongoing and enhanced due diligence reinforces the same point at a much larger scale. The size of the institution does not change the nature of the obligation. The size of the penalty scales with it.
Three lessons that apply across every accountable institution
Your RMCP must reflect the FIC Act's requirements in full, not selectively. The SARB's finding against Access Forex specifically noted that important provisions of the FIC Act were absent from the firm's RMCP document. This is a common failure mode: institutions produce a compliance document at the point of FICA registration, populate it with broad procedural language, and do not return to it when their business activities change or when new FIC Act obligations come into effect. Section 42 of the FIC Act is unambiguous... the RMCP must identify, assess, and mitigate the money laundering and terrorist financing risks specific to your institution. A generic template that has not been reviewed against your current operations is not compliant, regardless of its length.
Anonymous or inadequately verified clients represent a direct regulatory violation. Section 20A of the FIC Act prohibits accountable institutions from establishing a business relationship or concluding a transaction with a client whose identity cannot be confirmed. For forex dealers specifically who handle cross-border transfers that are inherently attractive to money launderers, the beneficial ownership requirements are particularly critical. The FSCA found that Sanlam had not adequately identified beneficial owners across a segment of its client base. For smaller institutions managing this manually, the exposure is proportionally higher: a single unverified client in the wrong transaction can constitute a breach that survives a goAML submission.
Staff training is a legal requirement, not an internal HR matter. Section 43 of the FIC Act places an explicit obligation on accountable institutions to provide ongoing training, not once at onboarding, but continuously, as the RMCP evolves and as regulatory requirements change. The Access Forex penalty for training failure was the smallest of the three, but its presence in the sanction record is significant. It tells regulators, in a FICA inspection, that the institution either did not invest in training or did not document that it had. Both outcomes carry the same consequence.
Practical actions to take now
Open your RMCP today and check whether it explicitly addresses sections 20, 42, and 43 of the FIC Act. If it does not, it is incomplete by regulatory definition.
Review your client onboarding records for any business relationships where identity verification or beneficial ownership documentation is missing or out of date.
Establish a training register — a dated log of all FICA training sessions, attendees, and content covered. If you cannot produce this during a FICA inspection, the training may as well not have happened.
If you use goAML for suspicious transaction reporting, audit your submission log against your client risk assessments. Are high-risk clients being monitored and reported consistently?
Confirm that your FICA registration details are current and that your designated compliance officer's appointment is reflected in writing within your RMCP.
Conclusion
The Access Forex and Sanlam cases, taken together, describe an enforcement environment in which regulators are auditing compliance line by line against the FIC Act and issuing penalties for each gap they find. Being FICA compliant is no longer a matter of having a document on file. It is a matter of having a programme that is current, specific, fully documented and actively implemented across every function that touches client onboarding, transaction monitoring, and staff conduct.
If your institution's RMCP is not in that condition today, visit FICACompliant.co.za to get your free tailored RMCP structured around the FIC Act's specific requirements and use it to close the gaps before a regulator does it for you.
