Financial crime risk is often described as a compliance responsibility. In the South African context, that description is too narrow. The Financial Intelligence Centre Act places obligations on accountable institutions, but the risks that those obligations seek to control arise in the business itself. They arise when customers are accepted, products are designed, transactions are processed, counterparties are appointed, assets are bought or sold, and operational controls are executed.
This is why the question “Who owns financial crime risk?” matters. If the answer is simply “Compliance”, the organisation is already starting from a weak governance position. Compliance is essential, but it should not become the default owner of business risk.
The FIC Act and related guidance require accountable institutions to understand and manage their exposure to money laundering, terrorist financing and proliferation financing risks. That risk-based approach is not a documentation exercise. It requires the institution to understand where risk arises and to embed controls into the business processes that create or manage that risk.
The risk is created in the business
Financial crime risk is generated through customers, products, services, delivery channels, transaction flows, geographic exposure, intermediaries, technology, data and third-party relationships. Those are not Compliance-owned activities. They sit across client-facing teams, product teams, operations, payments, procurement, technology, legal, finance and executive management.
This does not reduce the importance of Compliance. It clarifies it. Compliance should advise, interpret obligations, monitor adherence, challenge management, escalate issues and report weaknesses. The AML Compliance Officer or MLRO should have appropriate authority, access to information and escalation rights. But these roles should not be used to absorb accountability that properly belongs to business and operational management.
The practical lines of responsibility
The first line owns and manages the risk. This includes business units, operations, product owners, onboarding teams, payments teams, technology functions and other control operators. These teams must apply customer due diligence, maintain records, operate screening and monitoring controls, identify unusual activity, escalate concerns and remediate control weaknesses.
The second line provides oversight and challenge. This includes Compliance, financial crime compliance, AML Compliance Officers, MLROs and, depending on the institution’s model, risk management functions. Their role is to advise, monitor, challenge and report, not to become the permanent operational owner of controls that the business should execute.
The third line provides independent assurance. Internal Audit, or another suitably independent assurance provider, should assess whether governance, risk management and controls are designed and operating effectively.
External Audit and regulators play important roles, but they do not run the institution’s control environment. Regulators supervise and enforce. External auditors perform work within the scope of their mandate. Their involvement does not remove the need for internal accountability.
Why this matters for South African accountable institutions
South African accountable institutions operate in an environment where financial crime obligations are increasingly judged by evidence of implementation. A Risk Management and Compliance Programme must not only exist; it must be capable of being implemented, evidenced, monitored and improved. That requires role clarity.
For banks, insurers and investment managers, the challenge is often not the absence of formal structures. It is the risk that responsibilities are spread across committees and functions without clear accountability. For fintechs, the challenge may be that governance structures lag behind growth, transaction velocity and technology dependence. For DNFBPs, the challenge may be limited capacity, double-hatting or a misunderstanding that non-financial classification means lower governance expectations.
The practical test is simple: can the institution demonstrate who owns the risk, who operates the controls, who challenges the business, who provides assurance, who receives escalation and who is accountable for remediation?
If those answers are unclear, the issue is not only a governance concern. It is a financial crime compliance concern.
For access to the full FCRMC white paper on financial crime role clarity and the lines of defence, contact us directly.