Bradley Elliott, CEO at RelyComply, a global anti-financial crime platform for enterprise financial services, unpacks the meaning of the recent publication of the Generally Accepted Compliance Practice.
When South Africa was grey-listed by the Financial Action Task Force (FATF) in 2023, financial institutions had their work cut out. Policies were rapidly reviewed, controls swiftly strengthened, and resources were aimed towards addressing the shortcomings that had been identified.
The publication of the Generally Accepted Compliance Practice (GACP), created and maintained by the Compliance Institute Southern Africa (CISA), is level 2 in the game, because, for the first time, the industry has a shared benchmark for anti-money laundering compliance.
The GACP does not create new legal obligations. What it does is provide a structured framework for institutions to assess the maturity and consistency of their existing programmes – something that has been notably absent from the South African compliance landscape until now.
Over the past three years, much of the focus has been on addressing regulatory findings. The publication of a common standard allows us to look beyond remediation and examine how anti-money laundering programmes actually operate in practice.
Accountability: Before and after compliance
Anti-money laundering programmes are often considered synonymous with compliance teams because they carry the lion’s share of the responsibility for implementation, monitoring and reporting. However, when serious failures occur, governance, oversight and big-picture decision-making fall under scrutiny.
Ultimately, executives are expected to understand the risks facing their organisations. Boards are expected to understand how those risks are being managed and whether controls are performing as intended. This is crucial because global enforcement has made it clear that individual accountability follows institutional failure and that millions in penalties may be payable for shortcomings.
For example, a financial institution operating across several countries may use many different solutions to facilitate customer onboarding, sanctions screening, investigations and reporting. Understanding how those moving parts interact across the organisation can be difficult, particularly when information is spread across business units, jurisdictions and technology platforms.
Seeing risk all over the organisation
A board may receive reports from multiple functions, business units and jurisdictions without receiving a single, consolidated view of how those risks connect. And without a clear view across the organisation, institutions can find themselves responding to individual issues without fully understanding the broader risk picture.
This is not a South Africa-specific problem. The 2023 Deloitte Global Boardroom Survey found that fewer than half of board members at financial institutions felt they had sufficient visibility of non-financial risk across the organisation. Anti-money laundering programme performance sits squarely in that category.
Crime is also a business
Artificial intelligence today can generate convincing fake identities, automate fraud attempts and tailor social engineering attacks to specific individuals at scale. The United Nations Office on Drugs and Crime has estimated that between 2 and 5 per cent of global GDP is laundered annually - a figure that predates the widespread availability of generative AI tools, which have materially lowered the barrier to entry for fraud.
Financial institutions are investing heavily in their own capabilities, but the pace of change means that controls, governance structures and risk-management approaches need to evolve continuously. And again, the creeping question of who’s accountable for breaches, theft, or leaked information slides into any investigation after the fact.
Why a common benchmark helps
Financial institutions vary enormously in size, structure and complexity. A community bank, a multinational insurer and a Pan-African financial services group face different operational realities, but they all operate within the same broader regulatory environment.
A common benchmark like the GACP changes the conversation in two important ways. First, it gives regulators and institutions a shared reference point for assessing programme adequacy, reducing the ambiguity that has historically allowed underinvestment to go unchallenged. Second, it raises the floor. Institutions that have been operating below a reasonable standard of practice can no longer claim uncertainty about what that standard looks like.
The responsibility for applying the necessary principles will fall to the people managing financial crime risk every day. Chief Compliance Officers, Heads of Financial Crime, Money Laundering Reporting Officers, Chief Risk Officers and compliance practitioners across South Africa's banking, insurance, investment, financial services and FinTech sectors will be the ones translating standards into operational reality.
The GACP provides something that was not there before: a defensible, industry-endorsed framework to take into board conversations, budget discussions and programme design. That is a monumental development.
