Financial Services Regulation - Monthly Update: August 2022

​​​​​​​​​Keep up to date on the most important Financial Services Regulation developments in South Africa during August 2022.

Prudential Authority Communication 10 of 2022

On 3 August 2022 the Prudential Authority (PA) published Communication 10 of 2022 on climate-related risks (the communication). The communication sets out an overview of climate risk drivers and the interconnection between climate risk and financial risk. It highlights the role of boards and senior management in considering climate-related risks and describes the PA's current climate risk initiatives and approach to climate-related oversight.

Impact and Risk

The communication notes the overarching global threat posed by climate change, which poses a systemic risk that will affect financial stability. Central banks play a role in mitigating and managing these risks and the PA has therefore embarked on various initiatives through the Prudential Authority Climate Task Team (PACTT).

The communication acknowledges the significant impact of climate change on traditional risk categories in the financial sector and states that financial risks manifest in two categories. The first category is physical risk, which arises from the physical effects of climate change and impacts assets and liabilities. The second category is transition risk, which is associated with the transition to a low greenhouse gas economy and arises from changes in climate-related policy and resulting changes in behaviour and pricing.

Role of boards and senior management

The PA notes that supervised institutions should be enhancing their knowledge and understanding of climate-related risks and how their business models may be influenced by it. Critically, climate risk should be considered as part of governance, risk management and reporting frameworks and action should be taken at management level to build reliance to the effects of climate change. It is also important for supervised institutions to identify climate-related information to be disclosed to stakeholders and include it as part of disclosure frameworks.

The PA's current climate risk initiatives

The PA is continuing to advance initiatives through the PACTT. These are geared towards building capacity and enhancing the PA's regulatory and supervisory frameworks with a view to climate-related risks. Supervisory guidance is being developed and the PA's ability to monitor climate risks will be augmented in 2023. A key area which will be monitored is how supervised financial institutions have integrated climate risk into their governance, risk management and reporting processes.

Importantly, specific regulatory guidance will be issued in 2023 on the PA’s expectations on how climate risks should be integrated into supervised institutions’ risk management, governance and reporting processes in accordance with its internal roadmap.

FSCA Communication 22 of 2022 – Publication of notice of draft amendment for comment on the FSCA’s exemption of certain persons from Joint Standard 1 of 2020

On 5 August 2022, the Financial Sector Conduct Authority (FSCA) published Communication 22 of 2022 for comment. The FSCA is proposing to amend the exemption afforded to significant owners of financial service providers (FSPs), as defined under the Financial Advisory and Intermediary Act, 2002 from the requirements of Joint Standard 1 of 2020. The amendment is intended to prevent South Africa from being placed on the Financial Action Task Force's (FATF) grey list.

The FSCA has proposed removing the current exemption afforded to FSPs from Joint Standard 1 of 2020 pertaining to honesty, integrity, reporting and procedures for assessing fitness and propriety. It is an interim step to address the FATF's finding, pending further legislative amendments that will create an enabling framework for the regulation and supervision of beneficial owners holistically.

Rationale informing the amendment of the exemption

The FSCA’s reassessment of the extent to which the requirements of the Joint Standard should apply to significant owners of FSPs concluded that:

Honesty and integrity

The main aim of the Joint Standard is to ensure that significant owners are honest and have the necessary integrity. Honesty and integrity are fundamental characteristics that should be displayed by significant owners of all financial institutions, and this requirement will not place an undue burden on the significant owners of FSPs, including the significant owners of small FSPs.

Procedures for assessing fitness and propriety, and reporting

The Joint Standard requires significant owners to have procedures in place for assessing and attesting to fitness and propriety. It also obliges a financial institution to notify the FSCA if it becomes aware of:

• Significant ownership or potential significant ownership; and
• Non-compliance with the Joint Standard by a significant owner.

The requirements will not place an undue burden on the significant owners of FSPs. The requirements are necessary to support the implementation of, and monitoring compliance with, the honesty and integrity requirements. The requirements will further support the FSCA in executing its project focused on identifying the owners of financial institutions more effectively.

Competence and financial standing

The Joint Standard requires that significant owners have the competence and financial standing required to support the business of a financial institution The FSCA has decided to retain, "for now", the exemption for the significant owners of FSPs from the Joint Standard. Imposing the requirement on some significant owners might be onerous for some small businesses.

Withdrawing the exemption for significant owners of FSPs will bring a broader scope of beneficial owners within the scope of the Joint Standard. Although a significant owner is not the same as a beneficial owner, the definition of significant owner in the FSR Act captures a relatively broad scope, thereby subjecting them to the fit and proper requirements. As a result, it partially addresses the FATF’s concerns.

The comment period closed on 29 August 2022. Enquiries can be directed to the Regulatory Framework Department of the FSCA.

FSCA Information Request 6 of 2022 – Request for Information relating to ownership of certain financial institutions

The FSCA published Information Request 6 of 2022 on 12 August 2022 (RFI). The RFI is addressed to certain FSPs and collective investment scheme (CIS) managers and requests information on their ownership. The request comes as part of efforts to head off South Africa's potential grey listing by the FATF. The FSCA has called for a review of the ownership of financial institutions, to help reduce the risk of their being used to facilitate criminal activity. It said that, in some instances, the owner (including a beneficial owner) of a financial institution can influence and control the institution's business. A financial institution may unwittingly be used by such an owner as a mechanism or channel to facilitate crime. Affected financial institutions must submit the requested information by 30 September 2022.

FSPs excluded from the RFI

• Banks, mutual banks and insurers licensed by the PA. These entities will be required to provide ownership information to the PA in a form and manner determined by the PA.
• FSPs that are authorised for non-life insurance and/or health service benefit products, only because these entities are not designated as accountable institutions in terms of the Financial Intelligence Centre Act (FICA).
• Sole proprietors and partnerships, as these businesses are not separate legal entities. They are owned and operated by the individuals directly licensed by the FSCA.

Capturing and validating information

Impacted financial institutions must upload an organogram showing their total ownership and controlling structure. The RFI provides an example of how the organogram must be set out to enable verification of ownership information by the FSCA.

Impacted financial institutions are required to submit two levels of ownership information.

Level 1 ownership information – Direct ownership of impacted financial institution

Impacted financial institutions are required to provide and validate information relating to 100% of their direct ownership, regardless of the type of owner or percentage of ownership held. This means they must provide all ownership data relating to the direct ownership of the impacted financial institution, regardless of what type of shareholding they have.

Level 2 ownership information – Next ownership levels (indirect ownership of impacted financial institution)

In terms of the level 2 information, impacted financial institutions are required to provide information relating to all owners holding an indirect ownership in the impacted financial institution. Indirect ownership in an impacted financial institution entails ownership of any legal entity.

Natural persons holding 5% or more of the ownership or voting rights of any legal entity are also required to provide information.

Failure to provide the specified information within the timeframe specified constitutes an offence under section 267 of the Financial Sector Regulation Act.

Enquiries about the RFI must be emailed to the FSCA Business Centre at RFI@fsca.co.za.

Public Compliance Communication No. 53 on the risk management and compliance programme in terms of section 42 of the Financial Intelligence Centre Act, 38 of 2001 for designated non-financial businesses and professions.

Public Compliance Communication 53 (PCC 53) was published on 30 August 2022. It provides guidance to accountable institutions that are designated as non-financial businesses and professions (DNFBPs) on the drafting of a risk management and compliance programme (RMCP) document describing the RMCP. PCC 53 is only intended for accountable institutions that are DNFBPs and not financial institutions, DNFBPs that fall within group structures or DNFBPs that have advanced compliance or complex structures.

Accountable institutions must develop, document, maintain and implement an RMCP for anti-money laundering and combating the financing of terrorism (AML/CTF) that meets all the requirements set out in section 42 read with section 42A of FICA. These requirements are discussed thematically as follows:

• the RMCP governance;
• Money Laundering (ML)/Terrorist Financing (TF) / Proliferated Financing (PF) risk assessment and risk-rating framework;
• customer due diligence controls;
• targeted financial sanctions controls aimed at terrorist financing;
• targeted financial sanctions controls aimed at proliferation financing (section 26A, 26B and 26C of the FICA);
• prominent influential person controls;
• account monitoring;
• reporting controls, and
• record-keeping controls.

PCC 53 discusses in depth what DNFBP accountable institutions should include in relation to the above requirements and also includes a principal discussion on effective documentation of an RMCP document, a reference table of all applicable sections of FICA that must be included in an RMCP (Annexure A), an editable template that could be used as a guide (Annexure B), and a list of indicators that may be used to assess the money laundering, terrorist financing, and proliferation financing (ML/TF/PF) risk.

A DNFBP accountable institution should note that in response to a request for documentation in terms of section 42(4) of FICA, the accountable institution should provide the RMCP document. Failure to produce an RMCP document to the supervisory body or the Financial Intelligence Centre would amount to non-compliance.

PCC 53 also provides that a DNFBP accountable institution must make its RMCP document available to each of its employees.

Guidance Note 10 of 2022 on banking sector practices regarding AML and CFT controls in relation to crypto assets

Guidance Note 10 (the Guidance Note) was published on 15 August 2022. It informs banks and controlling companies about practices related to the effective implementation of adequate anti-money laundering and countering-financing of terrorism (AML/CFT) controls in relation to crypto assets (CAs) and crypto asset services providers (CASPs).

Not all digital currencies are widely used and the anonymity of such currencies has an impact on the ability to implement AML/CFT requirements in relation to digital currency transactions. A risk-based approach is therefore necessary. FICA requires banks to develop and implement programmes for AML/CFT management to assess, monitor and manage these risks. A risk-based approach in the banking sector is underpinned by risk assessment and must enable banks to understand the extent of their vulnerability to money laundering, terrorist financing and proliferation financing (ML/TF/PF). Proper documentation and communication of information is essential, and financial institutions should identify and assess risks which may arise in the development of new products and new business practices.

Risk assessment does not necessarily imply avoiding risk entirely, such as by terminating customer relationships. De-risking in this manner may in fact pose a threat to financial integrity and should only be considered after careful due diligence. Instead, it is prudent for banks to categorise risk in relation to CA/CASP-related clients. The PA is empowered to require banks to strengthen risk management policies or procedures, or their internal control system, if the PA considers that such policies are inadequate.

The Guidance Note provides guidelines on certain aspects linked to the treatment of CASPs and CAs, based on the application of a risk-based approach:

• Crypto Assets and Crypto Asset Service Providers are defined and the specific activities performed by CASPs within South Africa are identified.
• The application of a risk-based approach is set out in terms of identification and assessment of risks. Banks should demonstrate an understanding of what elements are driving or reducing ML/TF/PF risk within CASPs and CAs.
• Implemented policies and controls should be robust, flexible and well-documented. Banks should collect sufficient information during onboarding processes to establish a risk profile in respect of the CASP as a client. As part of this process, the bank should ascertain if the CASP client has documented ML/TF/PF risk management policies and systems of its own.
• When higher risks emerge during onboarding, enhanced due diligence should be undertaken.
• It is imperative that banks conduct regular assessments of the changing risks associated with CAs and CASPs and that they assess each CASP in relation to new technical developments, rather than adopting a ‘one-size-fits-all' approach.

In relation to monitoring client relationships, the Guidance Note highlights the following:

• It is essential to monitor clients’ transactional activity to pick up unusual activity.
• Adequate records of fiat-to-crypto and crypto-to-fiat transactions should be kept for a minimum of five years.
• The introduction of terrorist property to a business linked to CASPs or CAs should be reported to the Financial Intelligence Centre.
• Ongoing due diligence should be performed on all customers.

Proposed Directive issued by PA to all life insurers on their customer due diligence measures in terms of FICA

The PA published on 23 August 2022 a proposed directive on the Requirement to Conduct Customer Due Diligence (CDD) measures on the beneficiaries of life insurance policies and incorporate the beneficiaries as a risk factor when determining the overall money laundering and terrorist financing risk rating of a client (Directive). The Directive is addressed to all insurers conducting life insurance business that fall under the supervision of the PA.

The Directive requires life insurers to undertake specific activities in relation to certain aspects of CDD and ML/TF risk assessment as it relates to beneficiaries of life insurance policies. The Directive states that, in addition to the CDD measures required in terms of FICA, life insurers must obtain the particulars of a beneficiary of life insurance policies, as soon as the beneficiary is identified, designated, or amended by the client.

The CDD measures and the ML/TF risk assessment should be conducted at the time of the pay-out but before actual pay-out of the policy proceeds to the beneficiary.

Life insurers are required to take reasonable measures to determine whether the beneficiary and/or, where required, the beneficial owner of the beneficiary, is a domestic prominent influential person (DPIP) or foreign public prominent official (FPPO). They should also take reasonable measures to determine whether the beneficiary and/or, where required, the beneficial owner of the beneficiary, is not a person listed on a sanctions list.

The Directive is effective from date of publication on the website of the South African Reserve Bank. The PA invited interested parties to submit comments to PA-insurancedirective@resbank.co.za by no later than 10 business days from the date of publication of the proposed Directive.

Webber Wentzel's Financial Services Round Up|Cape Town edition

Please join us in Cape Town for our upcoming seminar where the experts from our Financial Services Sector Group will present their key insights of the following issues impacting the sector:

Please register for this event by clicking here.