What the FSCA is actually looking for: six findings that decide whether your institution is FICA compliant
Published on FICACompliant.co.za | FICA compliance | FSCA inspections | AML | Accountable Institutions | South Africa
Being FICA compliant has always meant more than submitting FICA registration and filing an RMCP. But what the FSCA's 2024/25 inspection program makes clear is that regulators are now testing compliance in granular operational detail, sampling client files, interviewing staff, and auditing version histories.
Under the Financial Intelligence Centre Act, every accountable institution faces this scrutiny: financial services providers, estate agents, attorneys, accountants, crypto asset service providers, and motor dealers alike. The FSCA's findings reveal six recurring failure patterns that are driving sanctions across the sector. Understanding them is the most direct way to assess your own exposure before an inspector does it for you.
100
FICA inspections conducted by the FSCA in 2024/25 alone
67%
Year-on-year increase in overall on-site inspections reported in the FSCA's annual report
257%
Growth in AML/CFT supervisory staff between 2022 and 2024... the capacity to inspect is now there
What a FSCA FICA inspection actually involves
Inspections follow a structured sequence: a notice is issued, documentation is requested and submitted, and then inspectors conduct an on-site or virtual engagement. They work through the submitted FICA documents, sample approximately 50 client files, and interview staff directly on their understanding of due diligence procedures and reporting obligations. A draft report follows, with an opportunity to remediate but substantive timing failures identified during this process cannot be cured after the fact. If client verification or sanctions screening was not performed at onboarding and evidence was not retained at that time, conducting those steps retrospectively does not remedy the original breach. Sanctions have been issued on exactly this basis.
The six themes regulators keep finding
1. A business risk assessment without a defensible methodology
Every RMCP must be built on a business risk assessment that evaluates client base, products and services, delivery channels, and geographic exposure — assigning each category a risk rating of low, medium, or high based on likelihood and impact. The recurring finding is not that this assessment is absent, but that institutions cannot explain or justify how the ratings were arrived at. Where risk classifications appear inconsistent with the institution's actual exposure, or where the methodology is not documented, the entire compliance framework becomes indefensible. The FIC's national and sectoral risk assessments must also be demonstrably considered.
2. An RMCP that lists obligations rather than describes processes
Section 42 of the FIC Act requires institutions to document not just what they must do, but how they do it, step by step, with named responsibilities and timing triggers. High-level statements about customer due diligence are insufficient. The RMCP must specify the sequence of onboarding steps, the documents required for verification, when and how sanctions screening occurs, what enhanced due diligence entails for high-risk clients, and who is responsible at each stage. For reporting obligations, the decision-making process a compliance officer follows when classifying a report under section 29 of the FIC Act must be captured explicitly in the RMCP.
3. A gap between what the RMCP says and what staff actually do
This is the finding that most surprises institutions during inspections and the one that is hardest to remediate quickly. If the RMCP describes a manual client verification process but the institution is using third-party software for onboarding, the RMCP is describing a process that does not exist. Inspectors cross-reference the documented process against client files and staff interview responses. Inconsistency between the three (the RMCP, the files, and the staff) is treated as a compliance failure regardless of the quality of the document.
4. Version control and record-keeping that cannot evidence a review history
The RMCP is a living document and must be treated as one. Inspectors examine whether institutions maintain version histories, amendment records, formal sign-off at an appropriate governance level, and evidence that updated FIC guidance, directives, and sectoral risk assessments were considered between reviews. An RMCP that cannot demonstrate it has been actively maintained since FICA registration raises immediate questions about whether the compliance program is operational or merely archival. Record retention obligations (a minimum of five years from the end of a business relationship) apply equally to all due diligence and screening evidence.
5. The assumption that retrospective action cures a timing failure
This is the starkest lesson from FSCA inspection outcomes: there is no such thing as retrospective compliance for operational obligations. Sanctions screening must occur at onboarding, during transactions, and as part of ongoing due diligence, the timing is prescribed, not discretionary. If evidence that screening occurred at the required moment does not exist, performing the screening after an inspection notice has been received does not address the original breach. Sanctions have been imposed specifically for timing failures of this kind, even where the institution's documentation was otherwise in reasonable order.
6. Governance and training treated as administrative rather than operational controls
The FSCA inspects whether the RMCP has been formally approved at board or senior management level, whether responsibilities are clearly allocated and understood by the individuals holding them, and whether training records confirm that all relevant staff have received current, content-specific AML and FICA training. Using a compliance service provider or verification software does not transfer accountability. The FIC Act places ultimate responsibility with the board, senior management, or the person at the highest level of authority and inspectors look for evidence of that oversight in governance records, not just in the RMCP text. A goAML submission log that cannot be cross-referenced against staff training records and compliance officer sign-offs is a gap that will be noted.
Practical steps before your next FSCA FICA inspection
Test your business risk assessment by asking whether you could defend every risk rating to a regulator, if the methodology is not documented, document it now.
Rewrite any high-level RMCP sections as step-by-step operational procedures, naming responsible roles and specifying timing triggers for each action.
Walk through three or four recent client files against your RMCP and check for consistency if what was done differs from what is documented, you have a theme 3 finding waiting to happen.
Establish a version control log for your RMCP that records what changed, when, why, and who approved it and review it against current FIC guidance notes at least annually.
Audit your onboarding records to confirm that sanctions screening and verification evidence was captured at the time of onboarding, not retrospectively.
Produce a training register with dates, attendees, and content and ensure it is signed off at senior management level and cross-referenced in your RMCP governance section.
Conclusion
The FSCA's inspection programme has moved well past the point of checking whether institutions have an RMCP on file. Inspectors are now assessing whether the programme is defensible, operational, consistently applied, and governed at the appropriate level. Being FICA compliant in 2026 means being able to open any client file, produce any training record, and explain any risk rating under examination and to do so without retrospective correction. The institutions that are receiving sanctions are not, in most cases, institutions that ignored compliance entirely. They are institutions that treated it as documentation rather than operations.
If your RMCP is not built to withstand this level of scrutiny, visit FICACompliant.co.za to get your free RMCP tailored for your business, structured around the FIC Act's section 42 requirements and the FSCA's current inspection focus areas and use it to close the gaps before an inspector finds them.
