AML/CFT is the discipline of detecting and reporting the movement of criminal and terrorist funds through the financial system. It is risk-based, never perfect, and intensely jurisdictional. Here is the FATF baseline, how monitoring and reporting actually work, and where South Africa now stands after its October 2025 greylist exit.
You are not graded on a perfect record. You are graded on whether your programme is risk-based, documented, and actually operated.
AML (anti-money-laundering) targets making criminal proceeds appear legitimate — the classic placement → layering → integration cycle. CFT (counter-financing of terrorism) targets funding terrorism, where the money may be perfectly clean in origin but illicit in destination — which is why detection logic differs.
The global standard-setter is the Financial Action Task Force (FATF). FATF makes no law itself; it issues 40 Recommendations that member jurisdictions transpose into national legislation and then get assessed against. Your direct obligations come from your national regime — in South Africa the FIC Act; in the EU the AML directives / the new AML Regulation and AMLA.
The honest framing: AML/CFT is a reasonable-effort, risk-based reporting regime. Regulators do not expect you to catch every launderer. They expect a defensible, documented, risk-calibrated programme — and they penalise the absence of one far more than they penalise a single transaction that slipped through.
Most regimes require a named, accountable compliance officer (in SA, the AML Compliance Officer / MLRO equivalent) with real authority and board reporting lines. Token appointments are a classic enforcement target.
| Pillar | What it means |
|---|---|
| Risk-based approach (RBA) | Assess and document the ML/TF risk of your products, customers, channels and geographies; apply controls proportionate to that risk. |
| CDD / KYC | Know who your customer is, verify it, and understand the purpose of the relationship. EDD for higher-risk cases. See the KYC/CDD leaf. |
| Sanctions screening | Screen customers and transactions against sanctions and watch lists. See the sanctions leaf. |
| Transaction monitoring | Detect unusual or suspicious activity across the relationship on an ongoing basis. |
| Reporting | File SARs/STRs and threshold reports (e.g. cash) to the national Financial Intelligence Unit. |
| Governance & training | A named compliance officer, board oversight, independent audit, record-keeping, and staff training. |
The monitoring-to-report pipeline:

```text
activity → rules / models → ALERT
                              |
                    analyst investigation
                      /              \
            clear (document)       escalate
                                      |
                          file SAR/STR to the FIU   // + tipping-off ban
```
Transaction monitoring runs rules and (increasingly) models over activity to flag anomalies — structuring/smurfing (breaking sums below thresholds), rapid in-out movement, mismatch with the customer’s profile, high-risk corridors, mule-account patterns. Flags become alerts, which analysts investigate and either clear or escalate.
Unworked alert backlogs are the single most common enforcement finding. A monitoring system that generates more alerts than the team can work creates a documented record of suspicions you never investigated. Tune for workable volumes, then resource them.
Filing SARs on everything to "be safe" degrades the FIU’s signal and is itself a finding — it shows your monitoring cannot distinguish risk. Quality of suspicion beats quantity.
A risk assessment that never changes your controls is theatre. Regulators check that your stated high-risk segments actually receive EDD and tighter monitoring in practice.
Launderers adapt; static thresholds from three years ago miss current typologies and drown analysts in noise. Above/below-the-line testing and model validation are expected, not optional.
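As an added illustration of the rule layer described above (this is example code, not the page's or any vendor's monitoring system), two of the typologies named here, structuring/smurfing and rapid in-out movement, written as simple rules and run over constructed sample activity. The threshold, the windows, the 0.9 pass-through ratio and the account data are all assumptions; re-running the structuring rule with a different `threshold` is the kind of above/below-the-line check the tuning point above refers to.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed values (constructed for this example): tune them from your own risk assessment.
CASH_THRESHOLD = 10_000              # cash-reporting threshold launderers structure under
STRUCTURING_WINDOW = timedelta(days=7)
RAPID_WINDOW = timedelta(hours=48)   # credit-to-debit gap treated as pass-through
# Constructed sample activity: (account, timestamp, direction, amount, channel)
TXNS = [
    ("A1", "2025-11-01 09:10", "in",   9_500, "cash"),
    ("A1", "2025-11-02 10:05", "in",   9_800, "cash"),
    ("A1", "2025-11-03 16:40", "in",   9_900, "cash"),
    ("A1", "2025-11-04 08:00", "out", 29_000, "eft"),
    ("A2", "2025-11-01 12:00", "in",   4_000, "cash"),   # two small deposits, 19 days apart
    ("A2", "2025-11-20 12:00", "in",   4_500, "cash"),   # -> outside the window, no alert
    ("A3", "2025-11-05 11:00", "in",  50_000, "eft"),
    ("A3", "2025-11-05 13:30", "out", 49_000, "eft"),
]

def _by_account(txns):  # group per account, parse timestamps, sort chronologically
    acct_rows = defaultdict(list)
    for acct, ts, direction, amount, channel in txns:
        acct_rows[acct].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), direction, amount, channel))
    for rows in acct_rows.values():
        rows.sort()
    return acct_rows

def structuring_alerts(txns, threshold=CASH_THRESHOLD, window=STRUCTURING_WINDOW):
    """Structuring/smurfing: 2+ sub-threshold cash deposits in one window that together cross it."""
    alerts = []
    for acct, rows in _by_account(txns).items():
        cash = [(t, a) for t, d, a, ch in rows if d == "in" and ch == "cash" and a < threshold]
        for i, (t0, _) in enumerate(cash):
            in_window = [a for t, a in cash[i:] if t - t0 <= window]
            if len(in_window) >= 2 and sum(in_window) >= threshold:
                alerts.append((acct, "structuring", sum(in_window)))
                break  # one alert per account; the analyst then reviews the whole relationship
    return alerts

def rapid_inout_alerts(txns, window=RAPID_WINDOW, ratio=0.9):
    """Rapid in-out: a credit followed within the window by debits moving >= ratio of it on (mule pattern)."""
    alerts = []
    for acct, rows in _by_account(txns).items():
        for i, (t0, d, amount, _) in enumerate(rows):
            if d != "in":
                continue
            moved_on = sum(a for t, dd, a, _ in rows[i + 1:] if dd == "out" and t - t0 <= window)
            if moved_on >= ratio * amount:
                alerts.append((acct, "rapid_in_out", moved_on))
                break
    return alerts
```

Each tuple returned is an alert for an analyst to clear or escalate, not a filing; raising the structuring threshold to 30 000 on this data produces no alerts at all, which is why static thresholds need periodic validation against current activity.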
In bank-fintech (BaaS) arrangements, ambiguity over who owns monitoring sits exactly at the seam where the money actually moves. Several large enforcement actions have turned on precisely this seam.
South Africa’s AML/CFT regime is the Financial Intelligence Centre Act (FIC Act), administered by the Financial Intelligence Centre (FIC), with the SARB and other supervisors overseeing their sectors. Obliged entities are "accountable institutions" listed in Schedule 1 — banks, PSPs, certain fintechs, attorneys, estate agents, crypto asset service providers, and more.
In practice, the FIC Act means: a documented Risk Management and Compliance Programme (RMCP) is mandatory; the FIC issues directives and can impose administrative sanctions; and reporting flows (STR, CTR, TPR, IFTR) go to the FIC’s goAML portal.
South Africa was placed on the FATF greylist in February 2023 after the 2021 mutual evaluation found significant gaps. It addressed the 22-item action plan and exited the greylist on 24 October 2025. So the correct present-tense statement is: South Africa is no longer greylisted.
But the reforms it made to get off the list — beneficial-ownership registers, tougher supervision, more enforcement — are permanent. The compliance bar did not drop when the listing did. SA faces a fresh FATF review round expected from late 2026, so accountable institutions should treat the elevated standard as the new normal, not a phase that has passed.
AML cost scales with risk appetite and product mix, not headcount targets. Calibrate deliberately — both under- and over-building are findings.
Map products × customers × channels × geographies to ML/TF risk. This document drives everything — thresholds, EDD triggers, screening frequency. If you cannot show it, you do not have a risk-based programme.
Better to run fewer, well-tuned rules you fully investigate than a vendor’s full rule-pack generating an un-worked backlog. Resource the alert queue before you widen the net.
If you are a sponsor bank or a fintech on one, document precisely who screens, who monitors, who files. Regulators read the contract and the practice. Ambiguity is liability.
Keep the post-greylist bar. Maintain the RMCP, BO data quality and goAML reporting discipline through the 2026 review cycle. The cost of slipping back onto the list — correspondent-banking friction, FX delays, reputational drag — dwarfs the cost of sustaining the programme.
AML failures draw the largest financial-crime penalties of any compliance domain — and personal liability for officers in many regimes. A weak programme is also the fastest way to lose correspondent and acquiring relationships outright.