Article by Dawn Julyan, 07 April 2026
Why Staff Training Is a Compliance Control, Not an HR Exercise
In a recent enforcement action, the Prudential Authority imposed administrative sanctions on Discovery Bank Limited for non-compliance with the Financial Intelligence Centre Act (FICA).
One of the key findings was inadequate staff training, which resulted in a R1 million administrative penalty.
The bank failed to provide training in accordance with its Risk Management and Compliance Programme (RMCP).
The findings were specific and measurable:
Regulators assess implementation, not intention and the key compliance failure was that the bank did not follow its own RMCP.
If your RMCP says staff will be trained within a certain period, you must be able to prove that this is happening.
Ongoing Obligation
Section 43 of the FIC Act requires accountable institutions to provide ongoing training to employees.
Training must enable employees to comply with FICA and with the institution’s RMCP. This means training must be practical, role-based, and aligned with your internal procedures and risks.
Training should therefore not be a once-off event but aligned to the requirements of the role.
It is essential that your RMCP specifies training frequency.
In practice, regulators generally expect:
Is there a “30 Days” Requirement?
FICA does not explicitly state “30 days” in the Act.
The requirement comes from a combination of what your RMCP states as well as Regulatory expectations and inspection practice.
Supervisory bodies expect employees to be trained before or shortly after they start performing duties that trigger FICA obligations and many enforcement actions (including the Discovery Bank matter) specifically refer to training not taking place within 30 days, which has become an accepted regulatory benchmark.
Train employees before they work with clients, client funds, or client information.
If your RMCP states 30 days, then that becomes your legal standard and you will be measured against it.
Role-based Training
One of the biggest mistakes institutions make is providing generic FICA training to everyone.
Training must be role-specific, risk-based, and practical, and must enable employees, management, the MLCO, and the Board to perform their duties in terms of the RMCP and FICA.
Role-based training may include the following:
Operational Staff (Sales, Admin, Finance, F&I, Onboarding)
Training for operational staff should focus on what they must do in practice, including:
Ongoing Due Diligence
Training should also cover topics such as:
Ultimate Beneficial Owner (UBO) and Complex Structures
Staff dealing with companies, trusts, and partnerships must be trained on:
Practical training idea:
Use case studies relevant to your business, for example:
Staff must be trained on what to do, not just what FICA is.
Specialised Training for the MLCO (Money Laundering Compliance Officer)
The MLCO requires advanced, technical training, not general awareness training.
The MLCO is responsible for oversight, reporting, investigations, and regulatory engagement.
Include:
Practical training ideas for MLCOs:
The MLCO should attend specialised AML/CFT training at least annually, and more frequently where regulatory changes occur.
Specialised Training for the Board and Senior Management
The Board/ Governing Body does not need operational FICA training, but they do need governance, risk, and oversight training.
Regulators increasingly hold Boards accountable for FICA failures because of lack of oversight.
Board training should include:
A very effective approach is to provide the Board with a FICA Risk Dashboard, and train them on how to interpret information such as:
This moves the Board from passive approval to active oversight, which is what regulators expect.
Practical training ideas for Boards:
Record Keeping: If It Isn’t Documented, It Didn’t Happen
During inspections, regulators will ask for proof of training.
You must keep records of:
These records must be kept for at least five years.
Inspectors will typically request:
Failure to produce records can result in a finding of non-compliance even if training actually took place.
Practical Tips
Final Thought
For accountable institutions, this case demonstrates that training is a compliance control and must be managed like any other compliance risk.