Business Risk Assessments - The Cornerstone of an Effective RMCP

Subscribe here to receive more articles like this from Masthead.

A well-executed business risk assessment (BRA) is more than a compliance obligation – it’s the foundation of an effective risk management and compliance programme (RMCP). With regulatory scrutiny on the rise, all accountable institutions, including financial service providers (FSPs), must ensure their risk assessments and RMCPs are robust, documented and defensible.

Since South Africa’s greylisting by the Financial Action Task Force (FATF), supervisory bodies such as the Financial Intelligence Centre (FIC) and the Financial Sector Conduct Authority (FSCA), in the case of FSPs, have significantly intensified their inspections. A key finding from their audits is the widespread failure by accountable institutions to conduct BRAs to inform their RMCPs.

In this article, we explore how a BRA forms the foundation of an effective RMCP. We also offer practical guidance to help accountable institutions, especially FSPs, conduct thorough, tailored assessments that meet both regulatory expectations and operational needs.

The evolving risk landscape

Over the years, the Financial Intelligence Centre Act (FICA) has significantly expanded the compliance obligations placed on accountable institutions. Initially, FICA applied to a limited group, which included FSPs, with a focus on knowing your client.

Subsequent amendments broadened the scope to include additional sectors such as legal practitioners, crypto asset service providers (CASPs) and trust and company service providers, among others. Updates also introduced the requirement for institutions to know their employees – ensuring they understand who works within their business and the risks those individuals may pose.

More recently, there has been a strong emphasis on knowing your business. Accountable institutions are now required to assess how their own operations, products, services and delivery channels may be exploited for money laundering (ML), terrorist financing (TF) and proliferation financing (PF).

Regulators require accountable institutions to conduct BRAs as the foundation of their RMCPs. For all institutions falling under FICA, a documented BRA is no longer optional – it is a critical and enforceable component of compliance.

Understanding BRAs

A BRA is a structured, documented process used to identify and evaluate ML/TF/PF risks a business may face. It forms the foundation of an accountable institution’s RMCP, as required under Section 42 of FICA. Guidance Note 7A, issued by the Financial Intelligence Centre (FIC), provides the primary guidance on conducting BRAs.

The BRA enables institutions to identify areas vulnerable to exploitation by criminal actors and determine the level of risk involved. Based on this assessment, the business must consider what controls to implement to mitigate the identified risks.

Every accountable institution – regardless of its size, complexity or sector – must assess and document its exposure to risk categories. Within each of these categories, there are multiple risk factors. For example:

• Client risk: Consider the different types of clients that your business deals with – for example, natural persons, legal persons and complex structures.
• Product and service risk: Review the full range of products and services you offer and how they could potentially be used to disguise the movement of funds. Certain offerings, such as those involving crypto assets or offshore exposure, are commonly viewed as higher risk.
• Geographic risk: Assess where your business and your clients are located. Jurisdictions with weak anti-money laundering (AML) and countering the financing of terrorism (CFT) controls or those under FATF monitoring are, for example, generally considered higher risk.
• Delivery channel risk: Evaluate how you engage with clients. Face-to-face interactions are typically viewed as lower risk compared to non-face-to-face onboarding. Other factors to consider include online transactions or the use of intermediaries and digital platforms.
• Transaction or payment risk: Examine the types of payments used. Electronic funds transfers (EFTs), which can be tracked, are usually considered lower risk than cash payments. Other higher-risk indicators include third-party funding or cross-border transfers.

Institutions must assess their risks by the likelihood and potential impact of each risk. They should apply risk ratings (such as low, medium or high) and clearly explain the rationale for each rating. This rationale should be guided by the country’s national risk assessment, relevant sector risk assessments (such as the FSCA’s assessment for FSPs) and guidance issued by the FIC, FATF and other authorities. The resulting BRA must then directly inform the RMCP’s mitigation and management of the risks identified and must address both inherent and residual risks.

How to structure an FSP’s BRA

While the core risk categories apply across all sectors of accountable institutions, FSPs face specific risk exposures due to the nature of their products, clients and delivery models. Common examples include, but are not limited to, the following:

• Products and services: FSPs offering lump-sum investments, long-term savings products or crypto assets must evaluate the high-risk nature of these services. Even when crypto exposure is minimal or offered through regulated partners, it must be acknowledged and rated accordingly.
• Client risk: Clients such as foreign nationals, legal persons with layered structures or high-net-worth individuals making large or high-frequency transactions may require enhanced due diligence (EDD). FSPs should also evaluate the risk posed by politically exposed persons (PEPs) and clients with no clear connection to South Africa.
• Geographic risk: Institutions conducting business with clients from or through high-risk or greylisted jurisdictions, or facilitating cross-border transactions, must factor these into their risk assessments. FSPs offering offshore investments or international remittance channels should conduct regular geographic profiling.
• Payment risk: Any acceptance of third-party deposits, non-traceable funds or cash transactions must be flagged. Ensuring funds flow through regulated trust accounts or known sources is critical.
• Delivery channels: FSPs using remote onboarding, third-party advisors or intermediary platforms must account for the potential loss of visibility into the customer’s identity and intent. These models require additional safeguards and monitoring controls.

By systematically evaluating these risks, FSPs can create a BRA that not only satisfies regulatory requirements but also strengthens their operational resilience. The assessment should be documented, regularly reviewed and updated whenever there are material changes to the business, product offerings or client base.

Common pitfalls – and solutions

• Using a generic BRA with no specific detail - Solution: Develop a customised risk assessment that reflects your actual products, services, client base and delivery methods.
• Failing to consider the full range of risk factors in the BRA - Solution: Don’t focus only on high-risk areas. Make sure your BRA covers the full range of your products, client types, delivery channels and other relevant risk categories.
• Failure to apply your BRA to your RMCP Using a generic BRA with no specific detail - Solution: Use the findings of your BRA to directly inform your RMCP structure. This includes applying differentiated customer due diligence (CDD), transaction monitoring thresholds, reporting protocols and staff training based on the identified risks.
• Using an outdated assessment - Evaluating your business risks is not a once-off endeavour. You BRA needs to be reviewed and updated whenever your product offering, client profile, delivery channels or business structure changes – and your RMCP should evolve alongside it.

The strategic role of a BRA

All accountable institutions are operating in a regulatory environment where scrutiny is intensifying – and the non-compliance can carry severe consequences. The regulators have made it clear that a BRA should be more than a once-off supporting document – it should form the foundation of a compliant and effective RMCP.

But beyond regulatory expectations, a well-executed BRA offers tangible benefits to businesses. For example, it:

• Enables better allocation of resources for compliance, client onboarding and transaction monitoring
• Enhances audit readiness for FSCA and FIC inspections
• Supports more accurate product and service risk profiling
• Facilitates early detection of high-risk client behaviours
• Informs tailored staff training and robust escalation procedures

Whether your business offers traditional insurance and investment products or is expanding into high-risk areas like crypto, your BRA must accurately reflect the operational realities of your business. It should be documented, regularly updated and capable of withstanding regulatory scrutiny.

When treated as a living, strategic tool – not just a compliance checkbox – the BRA becomes central to protecting your institution, your clients and the integrity of South Africa’s financial system.

How Masthead Can Assist

Masthead supports accountable institutions across South Africa – including FSPs, legal and property practitioners, credit providers, crypto asset service providers (CASPs) and high-value goods dealers (HVGD) – with their FICA compliance obligations.

Need assistance with your BRA? We can help you develop and maintain a tailored BRA that aligns with your RMCP. Get in touch to find out how we can support you.

Looking to refresh your FICA knowledge? The Masthead Learning Centre offers a range of FICA-related online courses that you can complete at your own pace – and they’re CPD-recognised. Click here to browse our available courses.