South Africa’s compliance crossroads: from greylist pressure to supervisory vigilance, regulator feedback

Insights from the ACAMS South Africa Chapter’s 2025 Financial Crime Webinar

By James George, Director, Compli-Serve Cape

As South Africa stands on the precipice of potential removal from the FATF grey list, the compliance fraternity is experiencing a decisive shift from passive alignment to proactive enforcement. The ACAMS South Africa Chapter’s flagship webinar, held on 11 June 2025, served as a critical briefing for professionals navigating this transition. Hosted by Jamie Rowland, Co-Chair of the ACAMS South Africa Chapter, the event brought together high-level regulators and industry experts to dissect the country’s readiness, highlight systemic vulnerabilities, and map the way forward for designated non-financial businesses and professions (DNFBPs) and financial institutions.

The session featured two of the country’s foremost voices in AML/CFT supervision:

Advocate Jan Augustyn, Manager: Supervision and Enforcement, Financial Intelligence Centre (FIC)

Charl Giel, Head: AML/CFT Supervision Department, Financial Sector Conduct Authority (FSCA)

Their messages were clear: greylisting may end, but regulatory pressure will not.

From Fragmentation to Oversight: The FIC’s Rapid Recalibration

Advocate Augustyn opened with a frank account of how South Africa’s fragmented supervisory regime prior to December 2022 had left vast areas of the financial and non-financial system unsupervised or under-regulated. This culminated in the FATF’s February 2023 greylisting, citing poor supervision, weak enforcement, and inadequate risk-based monitoring of DNFBPs.

In response, the FIC underwent a radical structural reform, assuming full supervisory control over:

Legal practitioners
Estate agents
Dealers in precious metals and stones
Trust and company service providers
Gambling entities
Motor vehicle and Krugerrand dealers
Credit providers
Crypto asset service providers (shared with FSCA)
Postbank and the South African Mint

To enable targeted supervision, the FIC introduced its Risk and Compliance Return (RCR)—a 160-question diagnostic submitted by accountable institutions and assessed via a proprietary Risk and Compliance Analysis (RCA) Tool. Institutions that failed to submit their RCRs by the May 2024 deadline were categorised as high risk by default.

The Numbers Behind the Overhaul: Enforcement in Action

In the 2024/25 financial year, the FIC exceeded its target of 500 inspections, completing 556 supervisory inspections comprising:
478 off-site reviews
78 on-site inspections

Breakdown by sector:

Legal practitioners: 242 inspections
Estate agents: 165 inspections
Dealers in precious metals/stones: 90 inspections

Compliance findings were sobering

Risk Management and Compliance Programme (RMCP) compliance failures:
156 out of 242 legal practitioners were non-compliant
108 out of 165 estate agents failed to meet RMCP standards
53 out of 61 dealers in precious metals/stones did not comply

Customer Due Diligence (CDD)

Only 23 legal practitioners were fully compliant
138 estate agents exhibited serious deficiencies

Targeted Financial Sanctions (TFS)

64 out of 74 inspected legal firms failed to meet TFS obligations
40 out of 45 estate agents were non-compliant with TFS screening

Notably, the FIC reported that template-based RMCPs were a significant contributor to poor outcomes. Some institutions were found to have copy-pasted RMCPs from other firms—complete with incorrect names and irrelevant controls.

In terms of remedial action

330 formal remedial actions issued
214 institutions remediated successfully within 90 days
351 Notices of Admission of Non-Compliance issued
Retrospective financial sanctions ranged from R20,000 to over R7.8 million

FSCA’s Parallel Push: Terrorist Financing, Beneficial Ownership and Sanctions Failures

Charl Giel of the FSCA echoed Augustyn’s urgency and took the conversation further into the evolving threat landscape, particularly terrorist financing (TF) and proliferation financing (PF).

South Africa’s Terrorism Financing National Risk Assessment (TF NRA), updated in June 2024, reclassified the country’s TF risk from moderate to high.

According to Giel:

‘South Africa may not be a primary target for attacks, but it is increasingly exploited as a base for financing terrorism abroad—especially through refugee abuse, NPO misuse, and informal remittance channels.’

The FSCA’s data reinforces this:

All recent sanctions issued by FSCA involved Risk-Based Approach (RBA) and RMCP deficiencies.

The top three compliance failures identified

Sanctions screening failures
Non-identification of beneficial owners
Inadequate CDD application

Out of a sample of enforcement cases post-greylisting:

100% included RMCP deficiencies
60% involved sanctions screening breaches
55% cited beneficial ownership identification failures
40% showed weak or missing CDD processes

The FSCA reiterated that Section 28A (objective TFS reporting) and Section 29 (subjective suspicion reporting) of FICA are being routinely misunderstood.

Giel highlighted:

‘A match to a UN Security Council list requires a Section 28A report and immediate asset freeze. Failure to freeze could constitute a criminal offence.’

The FSCA has since mandated that every accountable institution screen:
All clients
Beneficial owners
Employees (per Directive 8)

At onboarding and upon any updates to the UN Consolidated List

RMCPs: The Root of Systemic Weakness

Both Augustyn and Giel emphasised that RMCP quality remains the single greatest systemic failure in compliance programmes across institutions. Giel warned that most RMCPs reviewed in inspections were:
Outdated
Generic or templated
Not approved by the board or senior management
Silent on key procedures such as escalation, training, or asset freezing

Michelle Fourie from the FSCA reinforced this point at the recent Moonstone Compliance Conference:
‘An RMCP that says ‘We identify our clients’ without explaining how, when, or who is responsible, is not an RMCP. It’s a document masquerading as compliance.’

Enforcement Is the New Normal
While regulators expressed cautious optimism that FATF may clear South Africa by the end of 2025, both speakers underscored that the intensity of enforcement will only increase:

On-site and off-site inspections will continue to scale.

Institutions using outdated risk frameworks or off-the-shelf RMCPs will face administrative sanctions—even if remediation is later achieved.

Late or non-responses to inspection notices will no longer be tolerated.

Reliance on external compliance officers during inspections is permitted, but the accountable institution must speak for itself.

Post-Greylisting, the Hard Work Begins

As Advocate Augustyn concluded:

‘There is no hiding anymore. South Africa’s regulatory landscape has matured. Institutions must stop seeing compliance as an obligation and start treating it as strategic risk mitigation.’

The tone of the webinar was clear: greylisting may be reversible, but regulatory expectations are not. Institutions must move from policy to practice—embedding compliance into every corner of their operations. Failing to do so will no longer be ignored, and excuses will no longer be entertained.