Guidance on outsourcing of compliance activities to third parties
Sep 2, 2020
by Tracy-Lee Janse van Rensburg, Director and Juliet Siwela, Candidate Attorney
On 21 July 2020, the Financial Intelligence Centre (“FIC”) published the draft public compliance communication, communication number 12A (“PCC12A”) for comment by members of the public. The submission date for comments was 11 August 2020. As has historically been the position, any guidance provided by the FIC is authoritative in nature and accountable institutions must comply with the guidance issued or will have to explain their reasons for non‑compliance if requested by the FIC. Enforcement action may also be instituted against an accountable institution for failure to comply with the provisions of the Financial Intelligence Centre Act, 38 of 2001, as amended (“FICA”), in areas where there has been non‑compliance with the guidance provided by the FIC.
As was previously indicated by the FIC, pursuant to the publication of public compliance communication 12 on 25 January 2012 (“PCC12”), accountable institutions remain responsible for their compliance obligations under FICA, irrespective of any internal arrangements which such accountable institutions may make relating to the manner in which those obligations are met. In terms of FICA, an accountable institution may not establish a business relationship or conclude a single transaction with a client, unless such accountable institution has established and verified the identity of that client. Whilst under PCC12, the FIC provided that an accountable institution may utilise the services of a third party to perform activities relating to establishing and verifying client identities, including in relation to the collection of documentation to establish and verify the identity of such clients and for record keeping purposes, an accountable institution will ultimately always remain liable for any compliance failures associated with and/or caused by any such outsourcing arrangement.
Accordingly, it is common cause that an accountable institution may employ the services of a third party to perform certain activities in fulfilling their compliance obligations under FICA and the regulations promulgated thereunder.
Pursuant to the provisions of PCC12A, it is evident that the FIC does not necessarily promote, dissuade or endorse any outsourcing arrangements. Should an accountable or reporting institution opt to make use of a third party service provider, this should be done at their own discretion. Ultimately, the relevant accountable institution will remain liable for any compliance failures which may arise as a result of any such outsourcing and this responsibility cannot be passed by the accountable institution to the third party service provider.
It is further pertinent to note that under PCC12A, the FIC is of the view that only certain compliance obligations may be outsourced by an accountable institution to a third party service provider and is further of the view that an accountable institution may not utilise the services of a third party service provider to risk rate their clients, nor to fulfil or discharge their reporting and registration obligations under FICA. Set out below is an analysis of some of the guidance contemplated in PCC12A by the FIC.
When considering whether to outsource its compliance activities, an accountable institution should take note of the following factors:
- an accountable institution that establishes a business relationship or concludes a single transaction with a client, remains fully responsible for compliance with FICA;
- an accountable institution must exercise strict control over the functions which are being outsourced in order to minimise the risks associated with such outsourcing;
- any outsourcing arrangement should be recorded in a formal agreement between the accountable institution and the third party to whom the functions are being outsourced;
- an accountable institution should ensure that the third party is capable and competent to assist with its duties under FICA;
- an accountable institution cannot be indemnified from any possible administrative penalty or criminal prosecution resulting from a contravention of FICA on the grounds that compliance with a function under FICA was outsourced to a third party service provider;
- an accountable institution must adhere to legislation with regard to the sharing of clients’ personal information with third parties and should obtain the necessary consent from clients in this regard; and
- where no such consent can be obtained from a client, an accountable institution must ensure that the obligations are met outside of such outsourcing agreement as the accountable institution ultimately remains liable for compliance with FICA.
Accordingly, accountable institutions should carefully consider the above factors prior to concluding any outsourcing arrangement in relation to their obligations to identify and verify clients in terms of FICA.
The FIC has also identified defined parameters in relation to various activities which may not be outsourced by an accountable institution to a third party service provider. These include, inter alia:
- whilst an accountable institution may seek assistance from a third party service provider in the development and implementation of its risk management and compliance programme (“RMCP”), it is incumbent on the accountable institution to be actively involved in the development thereof and to ensure that the RMCP is suitable to address their risk appetite. Furthermore, whilst a third party service provider may assist in conducting risk assessments, the ultimate determination or approval of any such risk assessment remains the obligation and responsibility of the accountable institution and cannot be outsourced;
- whilst an accountable institution may employ the services of a third party service provider to assist in the collection of documentation required for purposes of undertaking their customer due diligence process (“CDD process”), this CDD process cannot be outsourced to a third party service provider in totality. The accountable institution must ultimately have sufficient controls in place to ensure that its customer due diligence obligations are being adequately met;
- where an accountable institution appoints a third party to keep, on its behalf, any records which that institution must retain, such accountable institution must without delay provide the FIC and any relevant supervisory body with the following information:
  - the third party’s full name, if the third party is a natural person; or the registered name, if the third party is a close corporation or company;
  - the name under which the third party conducts business;
  - the full name and contact particulars of the individual who exercises control over access to those records;
  - the address where the records are kept;
  - the address from where the third party exercises control over the records; and
  - the full name and contact particulars of the individual who liaises with the third party on behalf of the accountable institution concerning the retention of the records.

  Whilst records relating to information and/or documentation obtained through an accountable institution’s FICA processes may be stored by a third party service provider, the FIC does not recommend that an accountable institution outsource the requirement to retain regulatory reports which are to be submitted to the FIC nor any records of information relating to the contents of such reports. In particular, the FIC does not recommend that any reports required to be provided under sections 28, 28A and 29 of FICA should be outsourced to a third party service provider;
- as it is not possible for an accountable institution to outsource the compliance function, the obligations under section 42 of FICA must be fulfilled by the accountable institution itself;
- no third party service provider may register an entity as an accountable institution nor any related users of such accountable institution on behalf of an accountable institution. Similarly, no third party service provider should have any access to reporting information held by an accountable institution on the reporting platform of the FIC; and
- any reporting which is required to be undertaken in terms of FICA cannot be outsourced to a third party service provider. This includes the obligation to report suspicious and unusual transactions and respond to any information request by a supervisory body who is exercising their duties in terms of section 45B of FICA. Similarly, accountable institutions may not transfer the responsibilities, including compliance recommendations and enforcement actions imposed on them by supervisory bodies in terms of sections 45, 45B and 45C of FICA to a third party service provider.
As such, an accountable institution must take cognisance of the various activities which simply may not be outsourced to a third party service provider and in respect of which they will ultimately remain responsible in fulfilling their obligations under FICA.
Finally, insofar as an accountable institution does outsource certain of its functions to a third party service provider, it would be good practice for such accountable institution to conduct quality assessments of their third party service providers at various intervals. Such quality assessments may be done through the use of an internal audit function or external auditors to ensure that adequate levels of service offered by a third party service provider are in fact being met.
In conclusion, whilst the identification and verification of the identity of clients and certain record keeping activities may be outsourced to third parties, an accountable institution will always remain liable for any compliance failures relative to such outsourced function and under PCC12A an accountable institution may not, under any circumstances, outsource specific identified functions.