South Africa celebrated its exit from the FATF grey list in October 2025, but the next Mutual Evaluation cycle is almost upon us again. A lot changed during our time in the regulatory wilderness, but there is a certain irony in organisations scrutinising a R50 000 transaction while failing to scrutinise the compliance officer who approves it. In a quite literal sense, "measuring" employee competence alongside integrity is a serious compliance concern we’ll need to prioritise this year.
The Financial Intelligence Centre (FIC) has spent years training accountable institutions to look outward. As we battled out of the shadow of our greylisting, we were whipped into shape to obsess over "Know Your Client" (KYC) protocols, to hunt for ultimate beneficial owners, to screen for politically exposed persons and to proactively assess risk coming from the outside.
But as the FATF is probably near done with planning travel itineraries for their check-up on us, we need to realise that Directive 8 is a direct command to scrutinise the very people inside your business that you’ve entrusted to keep the criminals out.
If the person clicking "approve" or processing a transaction hasn't been properly vetted, or lacks the moral backbone to flag a suspicious payment, your entire FICA framework can start looking like a house of cards.
The Integrity Gap
For years, employee vetting has been treated like a perfunctory HR task – a quick reference check at the start of a contract and a look at a degree certificate. But in the 2026 regulatory environment, "integrity" has become a material factor in an organisation’s survival.
Integrity screening is crucial, and it matters just as much as competence – both are heavy-hitting factors if you fail an audit. You can have the most expensive software on the planet, but if the employee operating it is compromised then that software becomes rather ornamental.
The Effectiveness Trap
The 2026 Mutual Evaluation cycle represents the phase where the FATF will be taking another long hard look at South Africa, and just having a thick Risk Management and Compliance Programme (RMCP) binder sitting on a shelf won’t be enough. Without seeing it in motion, there won’t be much to celebrate.
This is where the trap is set for the complacent. Many organisations are sitting on what I call "paper shields" – policies that look perfect on paper but fall apart the moment a real-world stress test is applied.
The regulators are looking for the "velocity" of your compliance. They want to know whether you are effectively mitigating the risk of your business being abused by criminals, and whether you can move from a red flag to a reported transaction before the trail goes cold.
If your internal processes are sluggish or ineffective because your employees aren’t trained, or because you haven't bothered to screen management for integrity, you are effectively a sitting duck for serious consequences like a considerable fine.
Lessons in Operational Hygiene
We don’t have to look far for a warning. The R3 000 000 fine recently issued to Discovery Bank by the Prudential Authority is a masterclass in why "policy" without "performance" is a liability. It wasn't that the bank lacked technology, either. They had automated monitoring systems that were doing exactly what they were supposed to: spotting trouble.
The failure was human and operational. Discovery was hit for failing to address over 2 280 automated alerts within the mandatory 48-hour window. It doesn’t matter how good your automated monitoring alerts are if there isn’t a process for their human review at the same speed. It’s like having a top-of-the-range alarm system but the security company has one car and it’s not available right now (please try again later).
Even more telling was the failure in training. Nearly half of the new employees sampled hadn't received training within their first month, and even senior management – the people responsible for the entire compliance culture – had gaps in their knowledge.
Whilst these are now historic findings, when the human layer of an organisation is out of sync with its digital defences, the result is a massive, expensive hole in the hull.
It’s absolutely essential that every person in the chain has the integrity and the skills to act – and it's every organisation’s own responsibility to ensure it.
The R50 000 000 Risk
For a lot of businesses, FICA can feel like an administrative headache that gets in the way of “real work”. But, lest we forget, legal organisations, as an example, can face fines for these operational lapses that can reach R50 million in some instances. In a low-growth economy, very few can afford a R50 million wake-up call.
Years ago the Zondo Commission already showed us exactly what happens when internal controls are bypassed by people who were never properly vetted or held to an integrity standard. Directive 8 is the legislative answer to that era of state capture and institutional erosion. It demands that organisations treat "honesty" as an auditable metric.
This is especially critical for the "gatekeepers" – the lawyers, estate agents, and high-value goods dealers who are the primary targets for syndicates looking to wash the proceeds of crime. It is not far-fetched for one unscreened rogue employee who looks the other way on a property deal or transaction to ruin a firm's reputation and its bank balance in a single afternoon.
From Box-ticking to Operational Reality
As the FATF assessors finalise preparations for the looming Mutual Evaluation, every South African board needs to ask themselves a question: "If the regulator walked in today, would we be able to confidently attest to our employees’ integrity to protect us – and prove it?" Because it is the highest authority of a company that is ultimately responsible for ensuring compliance – and there is personal liability attached to that.
Compliance has to move from the filing cabinet stuffed full of paper to the heart and soul of how you operate. It means moving away from manual, spreadsheet-based tracking and toward systems that actually work and allow you to continue business effectively but in a compliant way.
The era of domestic enforcement is just getting started. To stay off the grey list for good, we have to prove we have the internal discipline to manage risk at speed. Integrity is not a soft skill or a nice-to-have buzzword. In the current regulatory environment, it is one of the most valuable assets your organisation has.
About the author:
Hawken McEwan
Hawken has over 25 years' experience in financial crime compliance, regulatory operations, banking operations, risk and change. Specialising in FICA and Anti-Money Laundering, Hawken is an FSCA approved Compliance Officer, FAIS Key Individual and an advisor to BankSETA around AML due diligence and transaction monitoring. He holds a Masters from the University of Edinburgh, a PGCE from the University of Sunderland and is a certified Anti-Money Laundering Specialist.
