South Africa came off the FATF grey list in October 2025 — and regulators were immediate that the reforms now become business-as-usual. Under the FIC Act, accountable institutions must train staff against a risk-based programme, keep records for years, and prove all of it. This is what the training duty actually requires.
A statutory training duty — staff trained on the FIC Act and the institution’s own RMCP, on an ongoing basis.
South Africa’s Financial Intelligence Centre Act (FIC Act, 38 of 2001) obliges accountable institutions — a category that includes many banks, PSPs and financial businesses — to run an anti-money-laundering and counter-terrorist-financing (AML/CFT) programme. Staff training is a named pillar of that programme, not an extra.
The training duty is anchored in the Risk Management and Compliance Programme (RMCP), which every accountable institution must have under section 42. The RMCP sets out how the institution does customer due diligence, record-keeping, reporting, the risk-based approach — and the ongoing training of employees on the FIC Act and on the RMCP itself.
The point is that controls only work if the people running them understand them. Training is how the obligations in the RMCP become behaviour at the counter, the onboarding screen and the transaction monitor.
Risk-based CDD, reporting and record-keeping — with training as the mechanism that operationalises all of it.
The RMCP applies effort in proportion to risk — higher-risk clients and products get enhanced due diligence; lower-risk ones, less. Training has to teach staff to tell the difference.
Identifying and verifying clients, understanding beneficial ownership, ongoing monitoring. The front-line application of the whole regime.
Suspicious and unusual transaction reports and other regulatory reports to the FIC. Staff must know what triggers a report and how to make one.
Provided to employees at the intervals the RMCP specifies — the institution sets the cadence, but it must be regular and evidenced.
The FIC Act sets hard record-keeping obligations. Records of client information and of transactions, plus regulatory reports filed with the FIC, must be kept for at least five years — measured from termination of the business relationship or from when a report was submitted, as applicable.
Training records sit inside this discipline. An institution that trained its staff but cannot prove it — who attended, when, on what content — has a gap a supervisor will find. In an inspection, “we do train” without dated, retained evidence is treated as not training. Keep the register.
South Africa exited the grey list on 24 October 2025 — and the compliance bar rose, it did not fall.
South Africa was placed on the FATF grey list in February 2023 and removed on 24 October 2025 after completing its action plan. That is a milestone — but the regulators’ consistent message into 2026 is that the reforms now have to become business-as-usual, not a project you close out.
Practically: expectations on accountable institutions are deepening, not relaxing. The RMCP, CDD discipline, reporting and training that were stood up to satisfy FATF are now the permanent baseline. Treating greylist exit as “we can ease off” is the exact misread supervisors are watching for.
For a payments business, that means the AML/CFT training programme is a standing cost of operating — reviewed, refreshed and evidenced every cycle, indefinitely.
The defensible programme is one where training traces to the RMCP: the risks you identified drive the content, the content reaches the right roles, and the attendance is recorded and retained. A generic “AML 101” deck unconnected to your actual risk assessment is the weakest possible position in front of the FIC.
Decide the cadence in the RMCP and then hold to it — onboarding training for new staff, refreshers at the stated interval, targeted training when products or risks change. The cost of getting it wrong is administrative sanction, supervisory findings, and in serious cases penalties; the post-greylist environment makes enforcement more, not less, likely.
For PSPs specifically: confirm whether you are an accountable institution at all (many are) before assuming you can skip this. Getting the scoping wrong is the most expensive error of the lot.
Training disconnected from your own RMCP and risk assessment is a finding waiting to happen. Tie content to identified risks.
No dated attendance record, no defensible training. Keep the register for the five-year horizon like any other FIC record.
Exit raised the baseline. Easing off your programme in 2026 reads as exactly the regression supervisors are looking for.