Article by Dawn Julyan, 07 April 2026  


Why Staff Training Is a Compliance Control, Not an HR Exercise

In a recent enforcement action, the Prudential Authority imposed administrative sanctions on Discovery Bank Limited for non-compliance with the Financial Intelligence Centre Act (FICA).

One of the key findings was inadequate staff training, which resulted in a R1 million administrative penalty.

The bank failed to provide training in accordance with its Risk Management and Compliance Programme (RMCP).

The findings were specific and measurable:

  • 84 of 155 new employees were not trained within 30 days of appointment
  • 47 of 109 employees did not receive annual refresher training
  • 2 of 6 senior managers were not timeously trained

Regulators assess implementation, not intention and the key compliance failure was that the bank did not follow its own RMCP.

If your RMCP says staff will be trained within a certain period, you must be able to prove that this is happening.

 

 

Ongoing Obligation

Section 43 of the FIC Act requires accountable institutions to provide ongoing training to employees.

Training must enable employees to comply with FICA and with the institution’s RMCP. This means training must be practical, role-based, and aligned with your internal procedures and risks.

Training should therefore not be a once-off event but aligned to the requirements of the role.

It is essential that your RMCP specifies training frequency.

In practice, regulators generally expect:

  • New employee training shortly after appointment
  • Annual refresher training for all staff
  • More frequent training for higher-risk roles
 
 

Is there a “30 Days” Requirement?

FICA does not explicitly state “30 days” in the Act.

The requirement comes from a combination of what your RMCP states as well as Regulatory expectations and inspection practice.

Supervisory bodies expect employees to be trained before or shortly after they start performing duties that trigger FICA obligations and many enforcement actions (including the Discovery Bank matter) specifically refer to training not taking place within 30 days, which has become an accepted regulatory benchmark.

  • Train employees before they work with clients, client funds, or client information.

  • If your RMCP states 30 days, then that becomes your legal standard and you will be measured against it.

 

Role-based Training

One of the biggest mistakes institutions make is providing generic FICA training to everyone.

Training must be role-specific, risk-based, and practical, and must enable employees, management, the MLCO, and the Board to perform their duties in terms of the RMCP and FICA.

Role-based training may include the following:

 

Operational Staff (Sales, Admin, Finance, F&I, Onboarding)

Training for operational staff should focus on what they must do in practice, including:

  • How to identify and verify clients properly
  • How to identify suspicious behaviour and red flags
  • What to do when a red flag is identified (internal escalation process)
  • What documents are acceptable and what documents are not
  • How to identify possible document fraud or tampering
  • When to update KYC information
  • Record keeping requirements
  • The prohibition on tipping off a client
  • Basic sanctions awareness and what a sanctions match means

 

Ongoing Due Diligence

Training should also cover topics such as:

  • When KYC must be updated
  • Trigger events (change in ownership, change in directors, unusual transactions)
  • Risk-based review periods
  • Updating client risk ratings

 

Ultimate Beneficial Owner (UBO) and Complex Structures

Staff dealing with companies, trusts, and partnerships must be trained on:

  • Identifying Ultimate Beneficial Owners
  • Understanding ownership structures
  • Looking through trusts and holding companies
  • Identifying control vs ownership
  • Enhanced Due Diligence for high-risk structures

 

Practical training idea:

Use case studies relevant to your business, for example:

  • A client wants to pay a vehicle deposit in cash
  • A company purchases a vehicle but the person paying is not a director
  • A trust wants to open an investment but cannot clearly explain the source of funds
  • A client is in a hurry and does not want to provide proof of address
  • A client’s name appears to match a sanctions list

Staff must be trained on what to do, not just what FICA is.

 

Specialised Training for the MLCO (Money Laundering Compliance Officer)

The MLCO requires advanced, technical training, not general awareness training.

The MLCO is responsible for oversight, reporting, investigations, and regulatory engagement.

Include:

  • How to investigate and manage suspicious activities and transactions
  • How to compile and submit Suspicious and Unusual Transaction Reports (STRs/SARs)
  • How to monitor ongoing due diligence
  • How to test compliance with the RMCP
  • How to conduct compliance monitoring and reviews
  • Asset freeze procedures
  • How to handle a positive sanctions match
  • How to engage with the Financial Intelligence Centre during inspections
  • How to report to the Board and senior management
  • Administrative sanctions and enforcement trends
  • How to update and implement the RMCP

 

Practical training ideas for MLCOs:

  • Workshop on how to complete an STR step-by-step
  • How to investigate an internal report
  • How to identify compliance failures
  • How to compile a MLCO report to the Board
  • How to prepare for a FIC inspection
  • Sanctions simulation: what to do if a client appears on a sanctions list
  • UBO investigation workshop (complex structures, trusts, layered ownership)

The MLCO should attend specialised AML/CFT training at least annually, and more frequently where regulatory changes occur.

 

Specialised Training for the Board and Senior Management

The Board/ Governing Body does not need operational FICA training, but they do need governance, risk, and oversight training.

Regulators increasingly hold Boards accountable for FICA failures because of lack of oversight.

Board training should include:

  • Legal responsibility in terms of FICA
  • Approval and oversight of the RMCP
  • Understanding the institution’s money laundering and terrorist financing risks
  • Understanding sanctions risk and asset freeze obligations
  • Management information and what to do with it
  • Enforcement actions and regulatory penalties
  • Personal liability of directors
  • Reputational risk and business risk of non-compliance
  • The importance of compliance culture and tone from the top

 

A very effective approach is to provide the Board with a FICA Risk Dashboard, and train them on how to interpret information such as:

  • Number of high-risk clients
  • Overdue KYC reviews
  • STRs submitted
  • Sanctions matches
  • Training completion rates
  • Compliance monitoring findings

This moves the Board from passive approval to active oversight, which is what regulators expect.

 

Practical training ideas for Boards:

  • Annual FICA risk workshop
  • Case study training using real enforcement actions
  • Sanctions breach scenario: what would happen to the business?
  • Dashboard training: how to read compliance and risk reports
  • What questions the Board should be asking the MLCO
  • How to approve and review the RMCP
  • Understanding the institutions risk

 

Record Keeping: If It Isn’t Documented, It Didn’t Happen
During inspections, regulators will ask for proof of training.

You must keep records of:

  • Who was trained
  • When the training took place
  • What content was covered
  • Evidence of completion (attendance register, certificate, assessment results)

These records must be kept for at least five years.

Inspectors will typically request:

  • Your training programme
  • Attendance registers
  • Training certificates
  • Assessment results
  • Your RMCP training schedule
  • Evidence that training content aligns with FICA and your internal processes

Failure to produce records can result in a finding of non-compliance even if training actually took place.

 

Practical Tips

  • Make FICA training part of onboarding. Do not provide system access before training is complete.
  • Keep a training register with due dates and refresher dates.
  • Provide role-based training, not generic training.
  • Test staff knowledge through short assessments.
  • Report training statistics to management regularly.
  • Make sure your RMCP states when training must happen and how often refresher training is required.
  • If you outsource training, keep the certificates and training content outline as evidence.

 

Final Thought

For accountable institutions, this case demonstrates that training is a compliance control and must be managed like any other compliance risk.