In the evolving global landscape of anti-money laundering (AML), counter-terrorism financing (CFT) and proliferation financing, the defining question for financial and legal institutions is no longer whether they comply, but how intelligently they do so.
For South African law firms and accountable institutions operating under the Financial Intelligence Centre Act (FICA), the regulatory paradigm has fundamentally shifted. Driven by recent regulatory directives – specifically the FIC’s Guidance Note 7A – the era of rigid, rules-based compliance is giving way to a Risk-Based Approach (RBA). Where strict, unyielding protocols once dominated, institutions are now expected to exercise discretion, professional skepticism, and, above all, accountability.
Nowhere is the tension of this transition more evident than in how institutions handle Politically Exposed Persons (PEPs) and navigate transactional or behavioral red flags.
The PEP problem: Risk vs reputation
A stubborn misconception persists in the market that a PEP classification is synonymous with a criminal one. It is not. A PEP is a risk indicator, not a reputational death sentence.
From both an ethical and regulatory standpoint, the objective is not to systematically exclude these individuals from the financial and legal systems, but to understand the enhanced risks they may introduce. These include potential exposure to corruption, state capture, complex corporate structures, and heightened reputational sensitivity.
The real challenge is not whether to onboard these clients, but how to do so responsibly. After all, a blanket refusal to engage with PEPs does not just protect an institution; it risks denying legitimate access to justice and financial infrastructure.
The three archetypes of compliance
Across South Africa’s law firms, banks, and financial intermediaries, institutions generally fall into one of three compliance archetypes when dealing with PEPs and red flags:
1. The exclusion model (fear-driven compliance)
- “When in doubt, opt out”
- These firms adopt a highly defensive posture, automatically rejecting domestic, foreign, or high-risk PEPs, or placing blanket restrictions on specific jurisdictions. While this minimises regulatory exposure and simplifies internal decision-making, it creates a dangerous environment of financial exclusion, particularly in emerging markets. This is compliance driven by fear, not risk-informed judgment.
2. The tick-box model (form over substance)
- “If the file is complete, the risk is managed”
- These institutions comply with the letter of the law but ignore its spirit. PEP status is noted on a system, but never meaningfully interrogated. Source-of-wealth declarations are accepted at face value without validation, and red flags are formally logged but rarely analysed. While highly scalable and efficient, this approach creates a false sense of security. It fails to detect sophisticated financial crime and exposes the institution to severe enforcement risks. It satisfies the process, but fails the purpose.
3. The risk-based model (contextual intelligence)
- “Understand the person, not just the profile”
- Market leaders are shifting to this calibrated approach, differentiating between high-, medium-, and low-risk PEPs by analysing contextual factors. They look at the individual’s specific level of influence, jurisdictional corruption indices, and the exact nature of the legal instructions.
Enhanced due diligence is applied selectively where the risk genuinely warrants it. This means conducting deep-dive analyses into the sources of wealth rather than relying on self-declarations, backing up adverse media screening with qualitative assessments, and replacing point-in-time verification with continuous monitoring. This model fulfills the true intent of FICA: it preserves client access while building a legally defensible framework before regulators.
Red flags as signals
PEPs represent only one dimension of modern risk. Equally critical is how institutions interpret behavioural red flags, such as unusual transaction patterns, opaque ownership structures, a reluctance to provide information, or the unjustified use of intermediaries.
Too often, institutions treat these red flags as binary, mechanical triggers: either escalate immediately or ignore them due to commercial pressure. In reality, red flags are signals requiring contextual interpretation. True risk management requires genuine sense-making.
Consider two clients who both utilise complex offshore vehicles. One may be engaged in legitimate, cross-border corporate restructuring; the other may be layering transactions to obscure ultimate beneficial ownership. The red flag is identical, but the underlying risk profiles are worlds apart. The ethical and regulatory obligation is to apply informed judgment – asking why the risk indicator exists and determining whether it aligns logically with the client’s legitimate business profile.
The unique burden of the legal sector
Unlike purely financial institutions, law firms operate in a unique risk environment. They hold a dual role as trusted advisors to their clients and vital gatekeepers to the financial system – a position that carries a heavy ethical weight.
While a bank can easily choose to exit a client relationship when risk escalates, law firms must often engage more deeply to properly evaluate the situation, particularly in high-risk areas like trust account management, property transfers, corporate structuring, and litigation funding.
A risk-based approach in a law firm demands a delicate balance: exercising deep professional skepticism without alienating clients, maintaining independent judgment in the face of commercial pressures, and implementing escalation frameworks that respect legal professional privilege without obscuring material risk.
Drawing the ethical line
Ultimately, a rules-based approach asks, “Have we complied?” A risk-based approach asks, “Have we understood?”
The ethical line is crossed when red flags are rationalised away rather than investigated, when PEPs are automatically blacklisted out of convenience, or conversely, when commercial interests override glaring risk indicators. When compliance shifts from an analytical exercise to a mechanical one, it fails.
To build a mature, defensible risk-based framework, accountable institutions must anchor themselves on five core pillars. In the first instance, risk differentiation must be recognised, as not all PEPs or red flags carry equal weight. Secondly, compliance files must reflect active reasoning, not just ticked boxes. Thirdly, skilled human oversight is key: while technology identifies risk, only human intellect can interpret it. In the fourth instance, proportionality matters – internal controls must be aligned with the actual scale and nature of the risk. Lastly, risk management must rest on an ethical foundation so that decision-making can withstand the scrutiny of regulators, courts and public opinion.
The evolution from a rules-based foundation to a risk-based approach is more than a regulatory upgrade – it is a test of organisational integrity. Compliance is no longer a corporate shield against penalties; it is a mechanism for maintaining trust in our financial and legal systems. How South African institutions handle PEPs and red flags going forward will be the ultimate measure of that trust.
By Foster Tshiluvhu, Head of Compliance at CMS South Africa