FICA Compliance

Risk Management and Compliance Programme

MJ Kotze Inc's comprehensive framework for ensuring compliance with the Financial Intelligence Centre Act (FICA) and combating money laundering and terrorist financing.

Version 2.0 | Last Updated: 20 October 2025

1. Introduction

1.1 Accountable Institution Status

MJ Kotze Inc. is an accountable institution as defined in the Financial Intelligence Centre Act, 2001 (Act 38 of 2001) ("the Act") and is subject to the obligations and duties set out in the Act and the Money Laundering and Terrorist Financing Control Regulations, 2002 ("the Regulations").

MJ Kotze Inc. is a Designated Non-Financial Business and Profession (DNFBP) and an accountable institution in terms of Schedule 1 of FICA due to the following activities:

Legal practice providing conveyancing services
Legal services involving the buying and selling of immovable property
Legal services involving the management of client money, securities, or other assets
Legal services for the creation, operation, or management of legal persons or trusts
Legal services for the buying and selling of business entities

1.2 RMCP Establishment

This Risk Management and Compliance Programme ("RMCP") has been established in terms of section 42 of the Act and regulation 24 of the Regulations.

1.3 Purpose

The purpose of this RMCP is to:

Enable MJ Kotze Inc. to identify, assess and understand its money laundering, terrorist financing, and proliferation financing risks
Establish policies, procedures and controls to manage and mitigate identified risks
Ensure compliance with the Act and Regulations
Protect MJ Kotze Inc. from being used as a vehicle for money laundering, terrorist financing, or proliferation financing activities

1.4 Applicability

MJ Kotze Inc. operates from a single location in South Africa and does not have any branches, subsidiaries, or foreign operations. Accordingly, section 42(2)(q) of FICA (relating to implementation in branches and foreign operations) is not applicable.

This RMCP applies to all employees, directors, and contractors of MJ Kotze Inc. involved in client-facing activities or the handling of client matters.

1.5 RMCP Approval

This RMCP has been approved by the senior management of MJ Kotze Inc. in accordance with section 42(2B) of the Financial Intelligence Centre Act.

Approved by:

MJ Kotze

Director / Senior Management

Date of Approval:

20 October 2025

Note: A signed copy of this approval is maintained in the firm's compliance records.

2. Definitions

In this RMCP, the following words and expressions bear the meanings ascribed to them:

Accountable Institution

Any of the entities listed under Schedule 6.

The "Firm"

MJ Kotze Inc., with registration number 123, a personal liability company, registered in accordance with the laws of South Africa, to which this RMCP applies.

Business Relationship

Shall have the meaning ascribed thereto in section 1 of the FICA.

Cash

Shall have the meaning ascribed thereto in section 1 of the FICA.

CDD

Means the customer due diligence referred to in section 21 of FICA, which must be conducted in accordance with the procedures set out in this document.

Counter-Party

Includes any counter-party in an agreement to which the Client is a party.

DPIP

Refers to a "domestic prominent influential person" and shall have the meaning ascribed thereto in section 1 of the FICA.

Employee

Means any person acting as such within the Firm (whether as a director, shareholder, member, manager, employee, or contractor), or any other Client-facing staff member of the Firm.

FATF

Means the Financial Action Task Force (of which South Africa is a member), an international standard-setting body dedicated to combatting MLFT, and headquartered in Paris, France.

FATF Member State

Means any country listed under Schedule 3.

FIC

Means the Financial Intelligence Centre, a juristic person created under chapter 2 of the FICA.

FICA

Means the Financial Intelligence Centre Act, No 38 of 2001, and included regulations published thereunder, as amended from time to time.

FPPO

Means a foreign prominent public official, being a person, or immediate family member or known close associate of a person, who occupies, or within the past 12 (twelve) months occupied, any of the positions listed in Schedule 4 in a country other than South Africa.

List 1267

Means a list published at the URL http://www.un.org/sc/suborg/en/sanctions/1267/aq_sanctions_list, on which list appear persons and entities that are under financial sanctions pursuant to resolution 1267 of the United Nations Security Council, and which list is amended from time to time.

MLFT

Means money laundering and the financing of terrorism, where "money laundering" refers to any practice through which the proceeds of crime are dealt with so as to obscure their illegal origins.

POCDATARA

Means the Protection of Constitutional Democracy Against Terrorism and Related Activities Act, No 33 of 2004, as amended from time to time.

Principal

Means, for purposes of the Questionnaire, the party on behalf of whom a Client is authorised to complete the Questionnaire and deal with the Firm.

Questionnaire

Means the list of questions posed to a Client or Prospective Client, in the format set out in Schedule 2, and in fulfilment of the CDD obligations imposed by FICA and this RMCP.

Representative

Means, for purposes of the Questionnaire, the person who is authorised to complete the Questionnaire and deal with the Firm on behalf of the Client.

Risk Officer

Means the person within the Firm charged with overseeing compliance with FICA and this RMCP.

RMCP

Means the risk management and compliance programme contained in this document, which has been designed in response to the Firm's obligations under section 42 of FICA.

Secondary Accountable Institution

Shall bear the meaning ascribed to it in paragraph 6.2.2 (relating to abbreviated CDD procedures).

Terrorist Activities

Means any of the offences specified in POCDATARA, all of which relate to terrorism.

Transaction

Means a transaction between the Firm and the Client under which Value will be transferred between the Firm on one hand, and the Client, its Principal or its Representative, its Counter-Party or any other person for the Client's account on the other hand.

Value

Means any form of economic benefit worth R5,000.00 (five thousand rand) or more.

Client

Means a person who has mandated the Firm, where:

such person or its Counter-Party is likely, in the discretion of the Risk Officer, to transfer Value to the Firm; or
such person or its Counter-Party has firmly indicated that it would like or is ready to transfer Value to the Firm in giving effect to a single Transaction or a Business Relationship,

and in any given situation, the determination of who the Client is must be made in accordance to the principles articulated in the general notes at the end of each of the CDD tables contained in Schedule 1.

Governmental Authority

Means any public authority, and includes (without limitation):

the South African Revenue Service; and
the Commission for Intellectual Property and Companies; and
any organ of state

ID

Means any document issued by a Governmental Authority that describes and identifies a natural person by his or her personal attributes, and which attributes must at least include his or her (i) forename and middle name (or initials), (ii) surname, (iii) unique identifying number, (iv) date of birth, and (vi) facial image. ID includes any of the following:

green, bar-coded South African identity document;
South African identity card;
South African passport;
South African driver's licence; and
foreign passport

Prospective Client

Means a person who approaches the Firm to enlist the Firm's services, but that person or its Counter-Party:

is not yet likely, in the discretion of the Risk Officer, to transfer any Value to the Firm; or
has not yet firmly indicated that it would like or is ready to transfer Value to the Firm

Interpretation

In this RMCP:

Whenever a duty is imposed on the Firm in the context of a given single Transaction or a Business Relationship, then that same duty must be read as applying in equal measure to the Employee responsible for that single Transaction or Business Relationship, and vice versa;
Whenever a document is required to be certified, it must have been certified:
- no longer than 3 (three) months before its initial presentation to the Firm; and
- by a Commissioner of Oaths in South Africa, where "Commissioner of Oaths" includes (without limitation) an attorney or any other person who is legally entitled to certify copies as true copies of an original document;
Any reference to a "person" denotes, depending on the context, a natural person, legal person or trust.

3. Risk Officer

MJ Kotze Inc. has appointed a Risk Officer in terms of section 42(3) of the Act.

3.1 Responsibilities

The Risk Officer is responsible for:

Overseeing compliance with the Act and Regulations
Implementing and maintaining this RMCP
Ensuring that all employees are aware of their obligations under the Act
Arranging training for employees on money laundering and terrorist financing matters
Monitoring compliance with this RMCP
Reporting suspicious and unusual transactions to the Financial Intelligence Centre (FIC)
Maintaining records as required by the Act
Liaising with the FIC and other regulatory authorities
Reviewing and updating this RMCP on a regular basis

3.2 Contact Details

Risk Officer: MJ Kotze

Email: martin@mjkinc.co.za

4. The Firm's Approach to Risk

4.1 Business-Level Risk Assessment

MJ Kotze Inc. has conducted a comprehensive business-level risk assessment to understand the ML/TF/PF risks the firm faces as an entity. The firm's overall ML/TF/PF risk exposure is assessed as MEDIUM, based on the following factors:

Risk Factors Considered:

Types of legal services offered: Conveyancing, trust administration, and property transactions present moderate ML risk due to potential for real estate money laundering
Client demographics: Primarily South African residents and entities, with occasional foreign nationals
Geographic areas served: South Africa only, with no cross-border operations
Transaction volumes and values: Moderate to high-value property transactions typical of legal practice
Cash handling: Limited cash transactions due to nature of legal services
Regulatory environment: Subject to FICA obligations and LSSA supervision

Mitigating Factors:

Robust CDD procedures implemented
Single location with direct oversight
Established client base with long-term relationships
Professional indemnity insurance requirements
LSSA regulatory oversight

This business-level risk assessment is reviewed annually and updated when the business model changes materially.

4.2 Binary Risk Approach for Clients

For client-level risk assessment, the Firm's approach is not to seek to quantify the metrics used to measure risk. Rather, a binary approach is adopted, which distinguishes between high risk and low risk, doing so on a qualitative basis.

4.3 High-Risk Client

A high-risk Client is any Client:

4.3.1 whose single Transaction or Business Relationship will be financed through a Cash payment of R49,999.99 (forty-nine thousand nine hundred and ninety-nine rand and ninety-nine cents) or more, as opposed to through a bond or similar arrangement from a financial institution that is duly registered as such; or

Note: Cash threshold updated from R25,000 to R49,999.99 effective November 2022.

4.3.2 who is a natural person, but is not a citizen or permanent resident of South Africa; or

4.3.3 that is a partnership, trust, company or close corporation, regardless of whether or not it was formed in South Africa:

4.3.3.1 that has no operations or business premises in South Africa; and

4.3.3.2 that cannot produce the letter and documents / records referred to in paragraph 6.2.1.4, which letter and documents must be from a Secondary Accountable Institution based in an FATF Member State; or

4.3.4 who is an FPPO; or

4.3.5 who is suspect, whether or not they fit into any of the categories listed under paragraphs 4.3.1 to 4.3.3. A Client may, in the Risk Officer's discretion, be regarded as suspect for any reason relating to the Client's conduct in the context of a single Transaction or Business Relationship, which conduct includes (without limitation):

4.3.5.1 a reluctance or refusal to provide information; or

4.3.5.2 an unusual or inexplicable preference for dealing with the Firm via correspondence or via electronic media, as opposed to in person, particularly for the purposes of the CDD;

4.3.5.3 a patent lack of concern or disregard for the costs involved; or

4.3.5.4 deliberate evasiveness or vagueness when providing information; or

4.3.5.5 any other conduct or circumstances that, when viewed objectively, and when considered in light of all of the relevant factors taken as a whole, should be regarded with suspicion.

4.4 Low-Risk Client

A low-risk Client is any Client who is not mentioned under paragraph 4.3.

4.5 Proliferation Financing Risk Factors

In addition to money laundering and terrorist financing risks, MJ Kotze Inc. identifies and assesses proliferation financing (PF) risks. Clients may pose elevated PF risk if they:

Operate in or have connections to jurisdictions subject to UN sanctions related to weapons of mass destruction programs (e.g., North Korea, Iran)
Deal in dual-use goods or technologies that could be used for WMD programs
Have business relationships with entities known to be involved in proliferation activities
Engage in complex corporate structures involving high-risk jurisdictions
Request services involving transactions with designated persons or entities on UN proliferation sanctions lists

Treatment: Clients identified with PF risk factors are automatically classified as high-risk and subject to enhanced due diligence and ongoing monitoring.

4.6 New Products and Services Risk Assessment

Before introducing new legal services or significantly changing existing service offerings, the Risk Officer must conduct an ML/TF/PF risk assessment of the proposed service.

Assessment Process:

Identify the nature of the new service and its characteristics
Assess inherent ML/TF/PF risks considering: client anonymity potential, cash payment possibilities, cross-border elements, involvement of high-risk jurisdictions or sectors, and complexity of transactions
Document risk factors identified
Determine appropriate CDD level (standard or enhanced)
Design specific controls and monitoring procedures
Obtain senior management approval for high-risk services
Update this RMCP if necessary to reflect new procedures

Documentation of new service risk assessments is maintained for at least 5 years.

5. Client Due Diligence (CDD) Procedures

MJ Kotze Inc. conducts client due diligence in accordance with the Act and Regulations. The level of CDD applied depends on the assessed risk level of the client and business relationship.

5.1 When CDD is Required

CDD must be conducted:

When establishing a business relationship
When conducting a single transaction above the threshold of R100,000
When there is a suspicion of money laundering or terrorist financing
When there are doubts about the veracity of previously obtained identification data

5.2 CDD Measures

Standard CDD

For medium-risk clients, we conduct the following CDD measures:

Identify the client and verify identity using reliable, independent documentation
Identify beneficial owners and take reasonable measures to verify their identity
Obtain information on the purpose and intended nature of the business relationship
Conduct ongoing monitoring of the business relationship

Simplified CDD

For low-risk clients, simplified CDD measures may be applied, which may include:

Verifying identity using fewer documents
Reduced frequency of client identification updates
Less frequent monitoring of transactions

Enhanced CDD

For high-risk clients, enhanced CDD measures must be applied, which include:

Obtaining additional information on the client and beneficial owners
Obtaining information on the source of funds and source of wealth
Obtaining senior management approval for establishing or continuing the business relationship
Conducting enhanced ongoing monitoring
For FPPOs and DPIPs: establishing the source of wealth and funds, and obtaining senior management approval

5.3 CDD Documentation Requirements

The following table sets out the documentation required for different types of clients:

Table 1: Natural Persons

Information Required	Method of Obtaining Information	Method of Verification
Information Required	Method of Obtaining Information	Low-Risk Client	High-Risk Client
Name of Client	Questionnaire completed by Client	Copy of Client's ID	Original or certified copy of Client's ID
Name of Principal	Questionnaire completed by Client	Copy of Principal's ID	Original or certified copy of Principal's ID
Client's authority to act on behalf of Principal	Questionnaire completed by Client	Copy of authorisation letter	Original or certified copy of authorisation letter
Name of the Representative	Questionnaire completed by Client	Copy of Representative's ID	Original or certified copy of Representative's ID
Representative's authority to act on behalf of Client	Questionnaire completed by Client	Copy of authorisation letter	Original or certified copy of authorisation letter
Nature and purpose of, and source of funding for Business Relationship	Questionnaire completed by Client
Source of wealth (only for FPPOs and high-risk DPIPs)	Questionnaire completed by Client

Table 2: Private Companies and Close Corporations

Information Required	Method of Obtaining Information	Method of Verification
Information Required	Method of Obtaining Information	Low-Risk Client	High-Risk Client
Name and registration number of Client	Questionnaire completed by Representative	Copy of CIPC certificate	Certified copy of CIPC certificate
Name of Principal¹	Questionnaire completed by Representative	Copy of Principal's ID	Original or certified copy of Principal's ID
Company or close corporation's authority to act on behalf of Principal²	Questionnaire completed by Representative	Copy of resolution	Original or certified copy of resolution
Name of Representative³	Questionnaire completed by Representative	Copy of Representative's ID	Original or certified copy of Representative's ID
Representative's authority to act on behalf of company or close corporation	Questionnaire completed by Representative	Copy of authorising letter / resolution	Original or certified copy of authorising letter / resolution
Nature and purpose of, and source of funding for the Business Relationship⁴	Questionnaire completed by Representative
Nature of company or close corporation's business	Questionnaire completed by Representative
Ownership and control structure of the company or close corporation⁵	Questionnaire completed by Representative
Identity of ultimate beneficial owners (Methods 1, 2, or 3 as appropriate)	Questionnaire completed by Representative	Affidavit from company or close corporation's accounting officer, auditor, company secretary, legal officer, senior manager or managing director together with a copy of the ID of the person/s identified in accordance with the relevant methods

¹ Note: this row applies when the company or close corporation is acting for another person.

² Note: this row applies when the company or close corporation is acting on behalf of another person.

³ Note: the Representative is the person completing the form.

⁴ Note: this row only applies if a business relationship is going to be established and does not apply to once-off transactions.

⁵ Note: this refers to the persons or entities that directly own and control the company or close corporation.

Table 3: Partnerships

Information Required	Method of Obtaining Information	Method of Verification
Information Required	Method of Obtaining Information	Low-Risk Client	High-Risk Client
Identifying name of partnership (e.g. trading name)	Questionnaire completed by Representative
Name of Principal⁶	Questionnaire completed by Representative	Copy of Principal's ID	Original or certified copy of Principal's ID
Partnership's authority to act on behalf of Principal	Questionnaire completed by Representative	Copy of authorising letter	Original or certified copy of authorising letter
Name of Representative	Questionnaire completed by Representative	Copy of Representative's ID	Original or certified copy of Representative's ID
Representative's authority to act on behalf of partnership	Questionnaire completed by Representative	Copy of authorising letter	Original or certified copy of authorising letter
Nature and purpose of, and source of funding for Business Relationship⁷	Questionnaire completed by Representative
Nature of partnership's business	Questionnaire completed by Representative
Partnership's ownership and control structure	Questionnaire completed by Representative
Name of every partner	Questionnaire completed by Representative	Affidavit from partnership's accounting officer, auditor, company secretary, legal officer, senior manager or managing partner together with a copy of the ID/s of the person/s identified
Name of partnership's executive controllers⁸	Questionnaire completed by Representative	Affidavit from partnership's accounting officer, auditor, company secretary, legal officer, senior manager or managing partner together with a copy of the ID/s of the person/s identified

⁶ Note: this row applies when the partnership is acting for another person.

⁷ Note: this row only applies if a business relationship is going to be established and does not apply to once-off transactions.

⁸ Note: these are the partners who control the day-to-day operations of the partnership.

Table 4: Trusts

Information Required	Method of Obtaining Information	Method of Verification
Information Required	Method of Obtaining Information	Low-Risk Client	High-Risk Client
Name and Master's reference number of trust as well as the address of the Master of the High Court where the trust is registered	Questionnaire completed by Representative	Copy of letter of authority	Certified Copy of letter of authority
Name of Principal⁹	Questionnaire completed by Representative	Copy of Principal's ID	Original or certified copy of Principal's ID
Trust's authority to act on behalf of Principal	Questionnaire completed by Representative	Copy of authorisation letter / resolution	Original or certified copy of authorisation letter / resolution
Name of Representative	Questionnaire completed by Representative	Copy of Representative's ID	Original or certified copy of Representative's ID
Representative's authority to act on behalf of trust	Questionnaire completed by Representative	Copy of authorisation letter / resolution	Original or certified copy of authorisation letter / resolution
Nature and purpose of, and source of funding for Business Relationship¹⁰	Questionnaire completed by Representative
Nature of trust's business	Questionnaire completed by Representative
Ownership and control structure¹¹	Questionnaire completed by Representative	Master involved
Name of founder	Questionnaire completed by Representative	Affidavit from trust's accounting officer, auditor, company secretary, legal officer, senior manager or managing trustee together with a copy of the ID of the person identified
Names of trustees	Questionnaire completed by Representative	Copy of letters of authority together with a copy of the ID/s of the person/s identified	Copy of letters of authority together with a copy of the ID/s of the person/s identified
Names of beneficiaries, named or how beneficiaries are determined	Questionnaire completed by Representative	Affidavit from trust's accounting officer, auditor, company secretary, legal officer, senior manager or managing trustee together with a copy of the ID/s of the person/s identified

⁹ Note: this row applies when the trust is acting for another person.

¹⁰ Note: this row only applies if a business relationship is going to be established and does not apply to once-off transactions.

¹¹ Note: in most cases, the assets of a trust are both owned and controlled by the trustees, albeit not for their own benefit, but for that of the beneficiaries.

5.4 Anonymous or Fictitious Clients

The Firm is strictly prohibited from dealing with anonymous persons, or persons who have fictitious names.

The Firm must, by adhering to the provisions of this RMCP, ward against the risk of:

dealing with an anonymous person by refusing to on-board as a Client anybody who appears to desire or expresses a desire to transact with the Firm anonymously;
dealing with a fictitiously named person by subjecting all Prospective Clients to the CDD procedures described in this RMCP, which procedures are aimed at ensuring, amongst other things, that the Firm only deals with persons who exist.

5.5 Abbreviated CDD Procedures

The abbreviated CDD procedures detailed in this section apply (subject to an assessment that a Prospective Client is of low risk as per section 4.3) only if at least 1 (one) of the circumstances described below are present, failing which the full CDD procedures detailed in the tables above will be applicable.

5.5.1 Co-operation with other Accountable Institutions

Where the Firm has a Client in common with a Secondary Accountable Institution that agrees to furnish the Firm with a compliance letter and copies of the relevant CDD documents, the Firm may rely on those instead of applying the full CDD provisions. The term "Secondary Accountable Institution" includes analogous institutions based outside South Africa in FATF Member States.

5.5.2 Listed Companies

When dealing with a listed company, verification may be dispensed with if proof of listing, a copy of the Representative's ID, and a copy of the authorising letter or resolution are provided instead.

5.5.3 Professional Partnerships

If all partners are attorneys, public accountants, auditors, professional engineers, quantity surveyors, pharmacists, stockbrokers or practitioners in the medical professions, the Firm may elect to establish and verify only the managing partner's identity.

5.5.4 Single Transactions of Low Value

The CDD procedures do not apply to a once-off transaction in which the Firm will receive less than R10,000.00. However, the prohibition against anonymous persons applies, and the Firm must still record the full name, identity number and contact number of the person.

5.6 Ongoing CDD for Business Relationships

The Firm must compare each Transaction under a Business Relationship against the information provided by the Client in the Questionnaire pertaining to the nature, purpose, and source of funds of the Business Relationship, and must update such information and any other documents originally forming part of the CDD where necessary.

5.7 Doubts About the Accuracy of Existing Information

Where an Employee has doubts about information previously obtained from an existing Client, it must take reasonable steps to satisfy itself as to that information's accuracy, which may include requesting original documents, more recently certified copies, or documents from a Governmental Authority or other independent person.

5.8 Terminating a Business Relationship

The Risk Officer must terminate a Business Relationship with a Client in respect of whom a CDD or ongoing CDD cannot be conducted. The Risk Officer must advise the Client of the termination and the reason, and shall, where practically possible, do so in writing.

5.9 Business Relationship with a Client who is an FPPO or DPIP

If the Client is an FPPO, or a high-risk DPIP looking to establish a Business Relationship, in addition to the prescribed CDD procedures, the Employee must only on-board the Client with the approval of the Risk Officer, establish the Client's source of wealth, and monitor the Business Relationship more closely.

6. Client Questionnaires

MJ Kotze Inc. uses standardized questionnaires as set out in Schedule 2 of the RMCP to obtain the information required for client due diligence. These questionnaires must be completed by or on behalf of the client and form part of the CDD process.

The questionnaires are tailored to different client types and follow the structure mandated by FICA. Employees must ensure that the appropriate questionnaire is used for each client category.

7. How and Where FICA Records are to be Kept

7.1 CDD Records

In respect of each Client, the Firm must keep CDD records that reflect the following information:

the name of the Client; and
the means through which the Client's name was established; and
the documents by which the Client's name was verified; and
the Employee who established and verified the Client's name.

7.2 Transaction Records

In respect of each Transaction, the Employee must keep records of the:

amount and currency involved; and
date; and
parties involved; and
nature of the Transaction; and
underlying Firm correspondence.

7.3 Storage and Retention Requirements

The Risk Officer must ensure that all records kept in terms of this RMCP are stored for at least 5 (five) years following the conclusion of a single Transaction or the termination of a Business Relationship, in such a manner that:

they are readily retrievable should they be requested by the FIC or any other person legally entitled to them; and
they are protected, through physical and other controls, against unauthorised access thereto; and
back-up records / copies of the records are stored separately from the original records.

8. Training and Awareness

All employees and associates of MJ Kotze Inc. receive comprehensive training on anti-money laundering, counter-terrorist financing, and counter-proliferation financing (AML/CTF/CPF) matters in accordance with section 42(2)(s) and section 43 of FICA.

8.1 Training Schedule and Intervals

Training is provided at the following intervals:

Initial Training: Within 30 days of employment commencement or engagement with the firm
Annual Refresher Training: All employees receive refresher training annually (typically in January/February each year)
Ad-hoc Training: When legislative changes occur or when material updates are made to this RMCP
Role-Specific Training: Additional training for employees with specific FICA-related responsibilities (e.g., Risk Officer, front-line staff)

8.2 Training Content and Curriculum

Training covers the following topics:

Core Topics

FICA obligations and requirements
Money laundering typologies and red flags
Terrorist financing indicators
Proliferation financing risks
Understanding this RMCP

Practical Procedures

Conducting customer due diligence (CDD)
Identifying FPPOs and DPIPs
Targeted financial sanctions screening
Recognizing suspicious transactions
Internal reporting procedures

Compliance Obligations

Record keeping requirements
STR/CTR/TPR reporting obligations
Tipping-off prohibition
Client profiling requirements
Ongoing monitoring duties

Consequences and Case Studies

Consequences of non-compliance
Administrative sanctions by FIC
Criminal liability under FICA
Real-world case studies
FATF grey-listing implications

8.3 Training Delivery and Facilitation

Training is facilitated by:

The Risk Officer (MJ Kotze)
External compliance consultants or legal professionals (where appropriate)
FIC-hosted webinars and training sessions
Law Society of South Africa (LSSA) CPD accredited courses

8.4 Training Assessment and Competency

To ensure training effectiveness, employees are subject to:

Knowledge Assessment: Written tests or questionnaires after training sessions
Practical Scenarios: Case study exercises to test application of knowledge
Competency Verification: Risk Officer verifies understanding through spot checks and file reviews
Remedial Training: Additional training provided where gaps are identified

8.5 Training Records and Evidence

The following training records are maintained:

Training Attendance Registers: Signed attendance registers for all training sessions
Training Materials: Copies of presentations, handouts, and training manuals
Assessment Results: Copies of completed tests and assessments
FIC Event Confirmations: Certificates of attendance for FIC webinars and events
CPD Certificates: LSSA CPD certificates for compliance training
Training Schedule: Annual training calendar and completion tracking

All training records are maintained for a minimum of 5 years and are available for inspection by the FIC or supervisory body.

Continuous Improvement

The training programme is reviewed and updated annually to reflect changes in legislation, emerging ML/TF/PF trends, and lessons learned from the firm's own compliance monitoring.

9. Compliance Breach Escalation and Remediation

MJ Kotze Inc. maintains a formal process for identifying, escalating, and remediating any breaches or deficiencies in compliance with this RMCP or FICA obligations.

9.1 Identification of Non-Compliance

Non-compliance may be identified through:

Self-reporting: Employees who become aware of potential breaches
Internal monitoring: Risk Officer file reviews and compliance checks
Client complaints: Complaints relating to FICA procedures
FIC inspections: Findings from FIC compliance inspections
LSSA inspections: Findings from Law Society inspections
External audits: Audit findings relating to FICA compliance

9.2 Immediate Escalation Requirements

Any employee who becomes aware of a potential breach of this RMCP or FICA obligations must immediately escalate the matter to the Risk Officer.

Material Breaches Include:

Failure to conduct CDD before establishing a business relationship
Failure to file an STR/SAR when required
Failure to freeze assets when required by TFS obligations
Late filing or failure to file a Cash Threshold Report (CTR)
Tipping off a client about an STR/SAR or FIC investigation
Processing transactions for clients on sanctions lists
Failure to maintain required FICA records
Multiple instances of minor non-compliance indicating systemic issues

9.3 Breach Reporting and Documentation Process

When a breach is identified, the following process must be followed:

Step 1

Immediate Notification: Employee discovering the breach immediately notifies the Risk Officer (orally or in writing)

Step 2

Breach Report Form: Risk Officer completes a written Compliance Breach Report containing date/time, nature of breach, FICA provisions breached, root cause analysis, and immediate actions taken

Step 3

Escalation to Senior Management: Risk Officer submits Breach Report within 24 hours for material breaches, within 5 business days for minor breaches

Step 4

Senior Management Review and Decision: Senior management reviews breach report and determines required remediation actions

Step 5

Documentation: All breach reports and remediation actions documented and retained for at least 5 years

9.4 Remediation Measures

Immediate Corrective Action

Rectify the specific breach (e.g., conduct overdue CDD, file overdue CTR, freeze assets retrospectively if possible)

Client Matter Review

Review all other matters involving the same client to check for similar breaches

Procedural Review

Review relevant section of RMCP to identify procedural gaps or ambiguities

RMCP Updates

Update RMCP procedures if systemic weaknesses identified

Additional Training

Provide targeted training to employees on the specific compliance area where breach occurred

Disciplinary Action

Where breach resulted from willful non-compliance or negligence, consider disciplinary measures

Regulatory Notification

If breach is material and cannot be remediated, consider voluntary disclosure to FIC or LSSA

9.5 Breach Register

The Risk Officer maintains a Compliance Breach Register recording all identified breaches, remediation actions, and outcomes. The Breach Register is reviewed as part of the annual RMCP review process to identify patterns or systemic issues requiring attention.

9.6 No Retaliation Policy

MJ Kotze Inc. prohibits any form of retaliation against employees who report potential compliance breaches in good faith.

Employees are encouraged to report concerns without fear of negative consequences. Any retaliation against a reporting employee will be treated as serious misconduct.

10. Reportable Information

10.1 Employee Reporting Duty

An Employee must immediately provide a written report to the Risk Officer if the Employee knows or reasonably suspects that:

10.1.1 the Firm received, or is about to receive the proceeds of crime, or property associated with the financing of Terrorist Activities; or

10.1.2 the Firm is party to transactions that facilitated or will facilitate the transfer of proceeds of crime, are complex or involve abnormally large amounts, do not appear to serve any legal purpose, or are associated with the financing of Terrorist Activities; or

10.1.3 the Firm has been, or is about to be, used for MLFT in any manner whatsoever; or

10.1.4 there has been a Transaction involving the payment of R49,999.99 or more in Cash (including aggregated payments within 24 hours). Note: Cash threshold updated from R25,000 to R49,999.99 effective November 2022.

10.1.5 there has been a Transaction involving an EFT payment equal to or more than the amount gazetted from time to time, made or received by the Firm on another person's behalf; or

10.1.6 there has been a remittance of Cash to or from South Africa, where the amount equals or exceeds the amount gazetted from time to time.

10.2 Unsuccessful Attempts

An Employee must immediately provide the Risk Officer with a written report if the Employee knows or suspects an unsuccessful attempt to do anything that, if done successfully, would have resulted in any of the consequences contemplated in paragraphs 10.1.1 to 10.1.3.

10.3 Terrorist Property

An Employee must immediately provide the Risk Officer with a written report if the Employee knows (as opposed to merely suspects) that the Firm is in possession or control of property associated with any person or entity listed on List 1267, or any person or entity involved in Terrorist Activities.

10.4 Risk Officer's Reporting Duty to FIC

The Risk Officer must, in turn, report to the FIC:

within 5 (five) days for a report about terrorist property;
within 15 (fifteen) days for suspicious transaction reports;
within 3 (three) days for Cash Threshold Reports;
within the gazetted number of days for EFT and cross-border Cash remittance reports.

10.5 No Monetary Threshold for STRs

Save for the reports made under paragraphs 10.1.4 to 10.1.6, there is no monetary threshold applicable to the duty to make a report under this section.

Important: Tipping Off Prohibition

It is a criminal offence to disclose to a client or any other person that a suspicious transaction report has been made or that an investigation is being conducted. This is known as "tipping off" and can result in criminal prosecution under section 37 of FICA.

10.6 Risk and Compliance Returns

In accordance with FIC Directive 6 of 2023, MJ Kotze Inc. submits an annual Risk and Compliance Return to the FIC via the goAML system. Failure to submit the return or submitting inaccurate information may result in administrative sanctions by the FIC.

11. Freezing of Assets versus Continuation of Reported Matters

11.1 Freezing of Terrorist Property

If an Employee makes a report under section 10.3 (Terrorist Property), the Risk Officer must, before submitting a report to the FIC, freeze the property and cease any further dealings with that property. The Risk Officer must, within 5 (five) days after the report was made to the FIC, apply to a High Court for an order confirming the freezing of the property.

11.2 Continuation of Other Reported Matters

Save for section 11.1, the Firm may continue to deal with the Client even after making a report under section 10, provided that the continuation does not contravene any law and does not involve the Firm in Terrorist Activities or other criminal conduct.

Critical: Immediate Action Required

Terrorist property must be frozen immediately upon identification. Failure to freeze such property and report it to the FIC within the prescribed timeframe constitutes a criminal offence under FICA and POCDATARA.

12. Ongoing Monitoring

MJ Kotze Inc. conducts ongoing monitoring of business relationships to ensure that transactions are consistent with knowledge of the client, the source of funds is legitimate, client information remains current, and the risk assessment remains appropriate.

12.1 Monitoring Activities

Scrutiny of transactions to ensure they are consistent with knowledge of the client
Regular reviews of client information and documentation
Updating client information when circumstances change
Conducting periodic reviews of higher-risk clients

12.2 Review Frequency

Low risk: Review every 3-5 years or when circumstances change
Medium risk: Review every 2-3 years or when circumstances change
High risk: Review annually or more frequently if warranted

12.3 Complex, Unusual, or Suspiciously Large Transactions

All transactions that are complex, unusual in nature, or suspiciously large must be subjected to enhanced scrutiny and examination.

Indicators of Complex/Unusual Transactions:

Transaction structure: Unnecessarily complex structures involving multiple entities, jurisdictions, or intermediaries
Transaction size: Values significantly larger than expected for the client's profile
Transaction frequency: Unusually high frequency inconsistent with client profile
Jurisdictions: Involvement of high-risk jurisdictions with no apparent business rationale
Cash component: Large cash components without reasonable explanation
Urgency: Unusual urgency or pressure to complete transaction quickly
Economic purpose: Transaction lacks clear legitimate economic purpose

12.4 Examination Process for Complex Transactions

When a complex, unusual, or suspiciously large transaction is identified, the following process must be followed:

Step 1

Flag Transaction for Review: Employee handling the matter immediately flags the transaction and notifies the Risk Officer

Step 2

Background and Purpose Investigation: Risk Officer investigates the background, purpose, source and destination of funds, and business rationale

Step 3

Enhanced Client Questioning: Request additional information from client in writing about the unusual elements

Step 4

Document Review and Verification: Review all transaction documentation, contracts, invoices, and supporting documents

Step 5

Risk Officer Assessment: Prepare written assessment documenting why the transaction was flagged, information obtained, and recommendation

Step 6

Decision and Action: Proceed if satisfactory explanation obtained, file STR/SAR if suspicious, or decline the transaction

12.5 Documentation of Monitoring Activities

All ongoing monitoring activities must be properly documented and retained for at least 5 years, including periodic review records, transaction monitoring records, complex transaction assessments, and enhanced monitoring logs for high-risk clients.

13. Internal Rules and Controls

13.1 Responsibilities

All employees are responsible for:

Complying with this RMCP
Conducting appropriate client due diligence
Identifying and reporting suspicious transactions
Maintaining accurate records
Attending training on AML/CFT matters

13.2 Compliance Monitoring

The Risk Officer monitors compliance with this RMCP by conducting periodic reviews of client files, testing compliance with CDD procedures, reviewing transaction records, and identifying areas for improvement.

13.3 Consequences of Non-Compliance

Non-compliance with this RMCP may result in:

Disciplinary action against employees
Administrative sanctions by the FIC
Criminal prosecution
Reputational damage to the firm

14. Targeted Financial Sanctions (TFS)

MJ Kotze Inc. complies with South Africa's targeted financial sanctions framework to combat money laundering, terrorist financing, and proliferation financing in accordance with sections 26A, 26B, and 26C of the Act.

Critical Compliance Obligation

South Africa was grey-listed by the FATF in February 2023 due to deficiencies in combating money laundering, terrorist financing, and proliferation financing. Enhanced vigilance and strict compliance with TFS obligations are essential.

14.1 What are Targeted Financial Sanctions?

Targeted Financial Sanctions are measures imposed by the United Nations Security Council to prevent terrorist financing, prevent proliferation financing, and restrict designated persons and entities from accessing financial services.

14.2 Screening Procedures

MJ Kotze Inc. screens all clients and parties to transactions against UN sanctions lists when establishing a business relationship, before conducting any transaction, periodically for existing clients, and when there are changes to UN sanctions lists.

Sanctions Lists to Check

UN Security Council Consolidated List: All individuals and entities subject to UN sanctions
UN 1267/1989/2253 ISIL (Da'esh) and Al-Qaida Sanctions List: Terrorist financing sanctions
UN Proliferation Financing Lists: North Korea (DPRK) and Iran sanctions
FIC Sanctions Search: Available through the FIC website and goAML portal

14.3 Freezing Actions

Immediate Actions Required:

Immediately freeze all assets, funds, and economic resources related to the designated person or entity
Do not proceed with any transaction or provide any services
Do not inform the client that they have been identified as a match (tipping off prohibition applies)
Immediately report to the Risk Officer for verification and reporting

14.4 Reporting Requirements

If a true positive match is confirmed, the Risk Officer must immediately report to the Financial Intelligence Centre (FIC) via goAML, and to the South African Police Service (SAPS).

14.5 Record Keeping

MJ Kotze Inc. maintains comprehensive records of all TFS compliance activities, including screening results, match verification processes, asset freezing actions, and reports submitted. All TFS records are retained for at least 5 years.

Resources

FIC Sanctions Search: www.fic.gov.za
UN Consolidated Sanctions List: www.un.org/securitycouncil/sanctions
PCC 44A: FIC guidance on targeted financial sanctions (February 2024)
goAML Portal: Online reporting system for accountable institutions

15. Review and Update of RMCP

This RMCP is reviewed and updated regularly to ensure it remains effective and compliant with current legislation.

15.1 Annual Review Schedule

This RMCP is subject to a comprehensive annual review to be conducted in October of each year.

Scheduled Annual Review Dates:

2025 Review: Completed October 2025
2026 Review: October 2026
2027 Review: October 2027
Subsequent Reviews: October of each subsequent year

15.2 Additional Review Triggers

In addition to the scheduled annual review, this RMCP must be reviewed whenever:

Legislative changes: When there are amendments to FICA, regulations, or FIC directives
Business changes: When MJ Kotze Inc. introduces new services, enters new markets, or significantly changes its business model
Risk profile changes: When the firm's ML/TF/PF risk assessment identifies material changes in risk exposure
Deficiencies identified: When internal audits, external inspections, or incidents reveal gaps or weaknesses
FIC guidance: When the FIC issues new Public Compliance Communications or guidance affecting DNFBPs

15.3 Review Process

The RMCP review process involves the following steps:

Risk Officer Assessment: Comprehensive assessment of the RMCP's effectiveness
Legislative Review: Review all relevant legislative amendments and FIC guidance
Business Activity Review: Assess whether actual business activities align with the RMCP
Incident and Deficiency Analysis: Review STR/SAR filings, CTRs, compliance breaches, or identified deficiencies
Draft Updates: Risk Officer drafts necessary updates
Senior Management Approval: Submit updated RMCP to senior management for review and approval
Documentation: Maintain records of review date, changes made, and approval
Communication: Communicate changes to all staff and provide necessary training

Version Information

Version: 2.0

Last Updated: 20 October 2025

Next Review: October 2026

Key Updates in Version 2.0:

Updated cash threshold to R49,999.99 (effective November 2022)
Updated CTR reporting timeline to 3 days
Updated references from Attorneys Act to Legal Practice Act 28 of 2014
Added comprehensive Targeted Financial Sanctions procedures
Added FIC Directive 6 compliance return requirements
Enhanced beneficial ownership procedures for trusts
Added FATF grey-listing context and implications

Schedules

The following schedules form part of this RMCP and provide additional reference information:

Note: Schedule 1 (CDD Tables) and Schedule 2 (Questionnaires) are integrated into Sections 5 and 6 respectively.

Questions About Our RMCP?

If you have any questions about our Risk Management and Compliance Programme or FICA requirements, please contact our Risk Officer.

Risk Officer: MJ Kotze

Email: martin@mjkinc.co.za