PCC 12A – Guidance on outsourcing to third parties
1 September 2023
FIC
Financial Intelligence Centre
PUBLIC COMPLIANCE COMMUNICATION
No. 12A (PCC 12A)
GUIDANCE ON OUTSOURCING OF COMPLIANCE ACTIVITIES TO THIRD-PARTY SERVICE PROVIDERS
24 March 2021
Public Compliance Communication 12A Guidance on outsourcing of compliance activities to third-party service providers
Page 2 of 14
PCC SUMMARY
Accountable institutions remain responsible for their compliance obligations in terms of the Financial Intelligence Centre Act, 2001 (Act 38 of 2001) (FIC Act) regardless of their internal arrangements relating to the manner in which those obligations are met.
Outsourcing refers to when an accountable institution seeks the advice or assistance of a third-party service provider in relation to the performance of their compliance obligations. The third-party service provider cannot discharge any FIC Act obligations on an accountable institution's behalf, and as such, an accountable institution remains liable for compliance failures associated with and/or caused by such an outsourcing arrangement.
An accountable institution may use the services of a third-party service provider to perform compliance activities relating to risk assessments and the collection and processing of documents and/or information for customer due diligence (CDD) to a limited extent, and for record-keeping purposes as required in terms of the FIC Act and the Regulations to the FIC Act. An accountable institution may utilise the services of a third-party service provider to scrutinise client information in terms of the FIC Act.
An accountable institution may not use the services of a third-party service provider to fulfil and discharge CDD, reporting and registration obligations in terms of the FIC Act, nor the accountable institution's obligations that arise in terms of section 27 and 32 of the FIC Act. In addition, an accountable institution may not outsource the obligation to obtain senior management approval as required in terms of section 21F, 21G and 21H of the FIC Act.
Outsourcing of compliance obligations to a third-party service provider is not the same as placing reliance on a third-party accountable institution.
DISCLAIMER
The publication of a PCC concerning any particular issue, as with other forms of guidance which the Centre provides, does not relieve the user of the guidance from the responsibility to exercise their own skill and care in relation to the users' legal position. The Centre accepts no liability for any loss suffered as a result of reliance on this publication.
COPYRIGHT NOTICE
This PCC is copyright. The material in a PCC may be used and reproduced in an unaltered form only for personal and non-commercial use within your institution.
Apart from any use permitted under the Copyright Act 1978, (Act 98 of 1978) all other rights are reserved.
OBJECTIVE
The objective of this PCC is to provide guidance and clarity on what compliance activities can be outsourced by an accountable and reporting institution, where applicable, to third-party service providers.
1. INTRODUCTION
1.1. Compliance control measures for money laundering, financing of terrorism and related activities as well as financial sanctions as prescribed by the FIC Act, impose certain obligations on accountable institutions. These obligations are listed in Chapter 3 of the FIC Act and include inter alia:
- Part 1 – CDD
- Part 2 – The duty to keep record
- Part 2A – Financial sanctions
- Part 3 – Reporting duties and access to information
- Part 4 – Measures to promote compliance by accountable institutions.
1.2. This PCC applies to the interpretation and application of the FIC Act requirements and does not apply to the interpretation of other regulatory requirements as issued by other regulatory or supervisory bodies. This PCC does not define outsourcing for purposes of application of other legal requirements.
2. OUTSOURCING OF FIC ACT COMPLIANCE OBLIGATIONS
Outsourcing arrangements
2.1 PCC 12A is applicable to all accountable institutions that outsource assistance from third-party service providers in aid of the accountable institution's performance of certain FIC Act compliance obligations. Similarly, this PCC is applicable to reporting institutions in respect of their registration and reporting compliance obligations in terms of the FIC Act.
2.2 For purposes of this PCC, outsourcing refers to when an accountable institution contracts with a third-party service provider to seek assistance (including advice and/or other services) in relation to the performance of their compliance obligations. The third-party service provider cannot and does not discharge any FIC Act obligations on behalf of the accountable institution with which it has entered a contractual relationship.
2.3 The Centre does not promote, dissuade, or endorse any such outsourcing arrangements. Should an accountable or reporting institution opt to make use of such third-party service providers, they do so at their own discretion.
2.4 The Centre reminds all accountable institutions that they remain fully accountable, responsible and liable for any compliance failures that may result from or be associated with an outsourcing arrangement and as such, the accountable institution's liability and/or culpability for non-compliance with the FIC Act obligations cannot be transferred to a third-party service provider.
2.5 The third-party service provider in an outsourcing arrangement may also be an accountable institution in its own right. If so, the same principles as discussed above will apply. The fact that a third-party service provider is an accountable institution does not absolve the accountable institution requesting such assistance of its FIC Act obligations pertaining to its client.
2.6 When considering whether to outsource compliance activities, it is important that an accountable institution takes cognisance of the following:
2.6.1 That when establishing a business relationship or concluding a single transaction with a client, the accountable institution remains fully responsible for compliance with the FIC Act in respect of that client
2.6.2 Adequate controls of oversight, accountability, monitoring and risk management in respect of functions outsourced must be ensured, to enable the accountable institution to comply with its obligations
2.6.3 An outsourcing arrangement should be contained in a formal agreement between the accountable institution and the person or entity to whom functions are being outsourced in terms of the FIC Act, and is to be clearly indicated in the accountable institution's risk management and compliance programme (RMCP)
2.6.4 Care should be taken that the outsourced entity is capable and competent to assist the accountable institution with its duties
2.6.5 There cannot be indemnity for accountable institutions from any possible administrative penalties and/or criminal prosecutions resulting from a contravention of the FIC Act on the grounds that compliance with a function pursuant to the FIC Act is outsourced to a third-party service provider
2.6.6 Adherence to relevant legislation regarding the processing and sharing of clients' personal information with third-party service providers is required of accountable institutions.
Outsourcing vs placing reliance
2.7 A distinction is drawn between outsourcing and placing reliance on another accountable institution. Outsourcing does not amount to the placing of reliance as envisioned in PCC 43. Placing reliance refers to circumstances where an accountable institution places reliance on another third-party accountable institution where assistance is received in the obtaining of CDD information and/or documentation in relation to shared clients. Refer to PCC 43 for a discussion on reliance in relation to shared clients.
Group structures
2.8 For purposes of this PCC, group structures are considered to be separate legal entities or accountable institutions who have a common shareholder that controls these entities.
2.9 In the context of this PCC, the Centre does not consider the conducting of compliance activities between accountable and/or reporting institutions within a group structure as outsourcing of compliance activities to third-party service providers.
2.10 The Centre is aware that within group structures compliance functions are often centralised. The Centre encourages accountable institutions within a group structure to apply a group wide RMCP.
3. OUTSOURCING OF RISK MANAGEMENT
3.1. Guidance Note 7 discusses in detail the process required for accountable institutions to determine the money laundering and terrorist financing (ML and TF) risks posed by their clients within the ambit of a risk-based approach and accountable institution's RMCP.
3.2. The FIC Act does not prohibit outsourcing, and section 42(1) of the Act provides that:
"An accountable institution must develop, document, maintain and implement a programme for anti-money laundering and counter terrorist financing risk management and compliance".
and, section 42(2)(a) of the FIC Act provides that
"A RMCP must enable the accountable institution to identify, assess, monitor, mitigate and manage the risk that the provision by the accountable institution of products or services may involve or facilitate money laundering activities or the financing of terrorist and related activities".
3.3. Accountable institutions may seek the assistance of third-party service providers when conducting their risk assessments. However, the ultimate determination and approval of the risk assessment remains the obligation and responsibility of the accountable institutions, which may not be outsourced. An accountable institution must ensure that the parameters and indicators used in the determination of ML and TF risk are in line with its risk appetite, in other words, the level of risk the accountable institution is willing to accept. These parameters and indicators may only be applied if accepted and approved by the accountable institution's board of directors, senior management or persons exercising the highest level of authority within the accountable institution.
3.4. An accountable institution may seek assistance from a third-party service provider for the development and implementation of an RMCP, which includes the identification of risks and mitigating controls. However, the accountable institution has the best understanding of the ML and TF risk that it faces due to the nature of its business and should be actively involved in developing its RMCP and ensuring that it is suitable to address the institution's risk appetite.
3.5 It would not be sufficient for an accountable institution to make use of or apply an RMCP template obtained from a third-party service provider without having reviewed and applied their understanding of the risks from an enterprise-wide risk management perspective (refer to Guidance Note 7 on risk indicators such as product, client, geographies etc). An RMCP must be approved by the accountable institution's board of directors, senior management or persons exercising the highest level of authority within the accountable institution prior to implementation.
4. OUTSOURCING OF THE ACTIVITIES RELATING TO CUSTOMER DUE DILIGENCE
4.1. The requirements as set out in Chapter 3, Part 1 of the FIC Act prevent accountable institutions from establishing a business relationship or concluding a single transaction with a client unless they have conducted CDD measures, which include but are not limited to establishing and verifying the identity of the client.
4.2. The main purpose or core function of conducting CDD, is for the accountable institution to know and understand who its clients are. Therefore, the accountable institution cannot outsource its CDD obligation, and the accountable institution will always remain responsible for conducting CDD.
4.3. However, an accountable institution may seek the assistance of a third-party service provider to assist with the CDD operational functions such as the collection and processing of documentation and/or information for CDD purposes. Irrespective of what CDD operational functions are outsourced, which may vary from collection to processing etc., the accountable institution must still conduct CDD, and comply with its obligations in terms of Chapter 3, Part 1 of the FIC Act.
4.4. Accountable institutions may not assume that their obligations have been adequately fulfilled where the third-party service provider has completed its CDD operational function. The accountable institution must have sufficient controls in place to ensure that its CDD obligations have been met.
4.5. The accountable institution must determine whether the CDD documentation and/or information collected and/or processed are acceptable in terms of the FIC Act requirements and the accountable institution's RMCP.
Foreign prominent public officials (FPPO) and domestic prominent influential persons (DPIP)
4.6 An accountable institution cannot outsource its obligations to obtain senior management approval as required in terms of section 21F, 21G and 21H of the FIC Act.
4.7 The FIC Act does not prohibit the outsourcing of the activity of scrutinising client information to determine whether the client is a FPPO or a DPIP by the accountable institution.
5. SCRUTINISING OF CLIENT INFORMATION
5.1. The scrutinising of client information as required in section 28A of the FIC Act may be determined by the accountable institution (see Guidance Note 6A), and the FIC Act does not prohibit this function from being outsourced to a third-party service provider.
5.2. Where a client is identified against a sanctions list as published in terms of section 26A of the FIC Act and/or section 25 of the POCDATARA Act, the third-party service provider must provide this information to the accountable institution for reporting purposes.
6. OUTSOURCING OF RECORD-KEEPING REQUIREMENTS
6.1. Outsourcing of record-keeping requirements is regulated in sections 22 to 25 of the FIC Act and regulation 20 of the Money Laundering and Terrorist Financing Control (MLTFC) Regulations to the FIC Act.
6.2. Regulation 20 sets out the process to be followed when an accountable institution opts to appoint a third-party service provider to keep records on their behalf.
MLTFC Regulation 20 – Particulars of third parties keeping records
If an accountable institution appoints a third-party to keep on its behalf any records which that institution must retain in terms of the Act, that institution must, without delay, provide the Centre and the relevant supervisory body with—
(a) the third-party’s
(i) full name, if the third-party is a natural person; or
(ii) registered name, if the third-party is a close corporation or company;
(b) the name under which the third-party conducts business
(c) the full name and contact particulars of the individual who exercises control over access to those records
(d) the address where the records are kept
(e) the address from where the third-party exercises control over the records
(f) the full name and contact particulars of the individual who liaises with the third-party on behalf of the accountable institution concerning the retention of the records.
6.3. The storing of records relates to the information and/or documentation that has been obtained through the accountable institution's processes and stored by the third-party service provider.
6.4. The Centre advises reporters against the outsourcing of record-keeping relating to regulatory reports submitted to the Centre, specifically reports in terms of section 28, 28A and 29 of the FIC Act.
7. OUTSOURCING OF COMPLIANCE GOVERNANCE
Compliance function
7.1. Section 42A(2)(a) of the FIC Act requires that an accountable institution have a compliance function to assist the board of directors or the senior management in discharging their compliance obligations. There are certain elements of the compliance function that may be outsourced.
7.2. The compliance function can only be outsourced to third-party service providers, where the third-party service provider:
7.2.1. Understands the business of an accountable institution
7.2.2. Has knowledge of how the accountable institution operates internally (as an internal member of the accountable institution would know), including the accountable institution's RMCP
7.2.3. Can advise on the requirements of the FIC Act.
7.3. The outsourcing of the compliance function is not permissible in instances, as noted in this PCC, including:
7.3.1 Approval of RMCP (see part 3 above)
7.3.2 Conducting of CDD (see part 4 above)
7.3.3 Registering with the Centre (refer to part 8 below)
7.3.4 Filing reports with the Centre (refer to part 9 below).
Compliance officer
7.4 Section 42A(2)(b) requires that an accountable institution assign a person with sufficient competence and seniority to ensure the effectiveness of the compliance function (this person is referred to as the compliance officer for purposes of this PCC).
7.5 The compliance officer must be a member of the accountable institution (i.e. employee, director etc.). The compliance officer may seek assistance from a third-party service provider in fulfilling their duties subject to the restrictions as set out in paragraph 7.1, 7.2 and 7.3 above.
8 OUTSOURCING OF REGISTRATION OBLIGATIONS
8.1 Registration with the Centre is set out in section 43B of the FIC Act and MLTFC regulation 27A. Regulation 27A(4) stipulates that registration with the Centre must be done in the prescribed format as specified by the Centre. Directive 2 (issued in 2014) and Directive 4 (issued in 2016) issued by the Centre provide further clarity on the registration requirement.
8.2 Although the FIC Act does not explicitly prohibit the registration of an accountable institution by a third-party service provider, Directive 2 prohibits the sharing of usernames and passwords on the Centre's registration profile. The registration process requires the generation of a username and password, and for this reason no third-party service provider may register the entity and related users of that entity on an accountable institution's behalf.
8.3 The Centre's reporting and registration platform, goAML, only caters for the accountable institution's compliance officer and money laundering and reporting officer to be registered against the entity's profile (refer to the goAML registration user guides). Read with paragraph 9 below, no third-party service provider should have access to reporting information held by the accountable institutions on the reporting platform.
8.4 The Centre will not permit a third-party service provider to be registered on the Centre's reporting and registration system as the accountable institution's employees should fulfil this role. The third-party service provider may, however, advise and assist an accountable institution on the steps required to register. However, the third-party service provider may not have access to the accountable institution's goAML system, nor maintain such system information.
8.5 The Centre will not provide any information, nor take any instruction in relation to registration profiles or reporting information from any person who is either not registered against the accountable institution's profile, or not an employee of the accountable institution. It should be noted that a third-party service provider is not considered to be an employee of an accountable institution.
9 OUTSOURCING OF REPORTING OBLIGATIONS
9.1 Regulation 22(1) of the MLTFC Regulations requires a reporter to report in accordance with the format and method as developed by the Centre, that is made available to a person who is required to make such a report. In this regard Directives 1, 2 and 4 set out the prescribed reporting format and methodology.
9.2 Further, in terms of Directive 2, the login credentials may only be used by the person who has registered with the Centre on goAML (see further the discussion in paragraph 8).
9.3 Therefore, reporting done in terms of the FIC Act cannot be outsourced to a third-party service provider.
Reporting of suspicious and unusual transactions in terms of section 29 of the FIC Act
9.4 Section 29 of the FIC Act does not make provision for the reporting of suspicious and unusual transactions to be performed by a party other than the "person who carries on a business or is in charge of or manages a business or who is employed by a business".
9.5 A person who is required to submit a report in terms of section 29 of the FIC Act is not permitted to disclose any information regarding that report or the submitting of that report. This would include disclosure to a third-party service provider.
9.6 As such, section 29 of the FIC Act implicitly prohibits the outsourcing of the activity to report such transactions to the Centre.
9.7 A third-party service provider may assist an accountable institution in developing the parameters and indicators for purposes of identifying suspicious and unusual activity and transactions. However, the third-party service provider cannot conduct the investigation or analysis of transactions or activities to form a suspicion on behalf of an accountable institution. (See Directive 5 on the Automated Transaction Monitoring System).
Reporting in terms of sections 28 and 28A of the FIC Act
9.8 A third-party service provider may assist an accountable institution in identifying reportable transactions. However, the accountable institution must determine if these transactions are reportable and must report to the Centre accordingly.
9.9 All reporting obligations that are imposed by the FIC Act must be performed by the accountable or reporting institution, and the activity to report such transactions to the Centre may not be outsourced.
Reporting in terms of sections 27 and 32 of the FIC Act
9.10 Accountable institutions may not disclose information regarding, nor outsource the obligations that arise in terms of, section 27 and 32 of the FIC Act to third-party service providers.
11. SUPERVISION
11.1 Accountable institutions may not transfer their responsibilities, including compliance recommendations and enforcement actions imposed on them by supervisory bodies in terms of section 45, 45B and 45C of the FIC Act.
11.2 Accountable institutions must respond to all information requests by supervisory bodies that are exercising their duty in terms of section 45B, without transferring such responsibility to a third-party service provider.
11.3 An accountable institution may request assistance from a third-party service provider, as detailed in this PCC, to assist in such remediation efforts stemming from supervisory actions.
12. COMMUNICATION WITH THE CENTRE
12.1 The Centre has a dedicated compliance contact centre geared to help accountable institutions to understand their compliance obligations in terms of the FIC Act. Should you have any queries please contact the compliance contact centre on 012 641 6000 and select option 1.
12.2 In addition, online compliance queries may be submitted by clicking on: http://www.fic.gov.za/ContactUs/Pages/ComplianceQueries.aspx or by visiting the Centre's website and submitting an online compliance query.
**Issued By:**
The Director Financial Intelligence Centre
Private Bag X177
CENTURION
0046
24 March 2021