Foreign Hires, Local Risks: The Compliance Rules You Can’t Afford to Miss
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
Hiring talent from abroad? Great, just make sure your compliance files are ready before the regulator is.
The global edge comes with local risk
Bringing international talent into your accounting practice can be a smart business move. New skills, global insights, even access to cross-border clients.
But here’s the truth: a foreign hire isn’t just a new employee. It’s a financial crime risk event, and if it’s not documented properly, it can expose your firm to scrutiny you didn’t plan for.
“If it’s not written down, it doesn’t exist. Regulators don’t care what you remember, they care what you can prove.”
In post-greylist South Africa, accountants are being asked to show not just what they do for clients, but who is doing it and whether those people have been verified, screened, and trained.
It’s no longer enough to keep clean books; your practice itself must be squeaky clean.
Every foreign hire is a risk event
Think of a foreign appointment like taking on a new client. You wouldn’t onboard a client without checking who they are, right? The same principle applies here.
When hiring, verify, document, and risk-rate the person before they start. This isn’t about suspicion, it’s about control. A single missed check can lead to reputational damage, client concern, or even regulatory findings.
Start with real verification
A passport photocopy isn’t due diligence. Here’s what proper verification looks like:
Confirm identity using the passport and, if possible, a national ID. Keep certified copies.
Verify immigration status and right to work. Check visa type, expiry date, and employer permissions.
Validate qualifications and professional history.
Obtain local and (where relevant) international criminal record checks.
Record every verification step, including who did it, when, and how.
Pro tip: Use official databases (like Home Affairs) or reputable verification services where possible. Keep all the evidence, not just the result.
Sanctions screening and risk rating
Screen your hire against UN and South African sanctions lists. Record the date, the database used, and the outcome.
Then, assign a risk rating: low, medium, or high.
Country of origin high on international risk lists? Escalate.
Sensitive role (like payroll or client funds)? Escalate.
Inconsistent history or gaps? Escalate.
If the risk isn’t clearly low, get Compliance Officer approval before onboarding.
When to dig deeper
Not all hires are equal. Some require enhanced background checks, especially when they come from high-risk jurisdictions, handle client funds, or are onboarded remotely.
That means you should procure:
Independent third-party verification beyond certified copies
Additional employment and qualification checks
Documented reasoning for access rights and role assignment
This is your “extra mile” and it shows regulators you apply judgment, not templates.
Update your RMCP now
Your Risk Management and Compliance Programme (RMCP) is your firm’s playbook. But many practices forget to include staff in it.
If your RMCP doesn’t explain how you handle employee verification, sanctions checks, or recordkeeping, you’re already out of date.
It should clearly describe:
Hiring and screening procedures
When to escalate risk to compliance
Access control standards
Record retention timelines (at least five years after termination)
Review and training requirements
A missing paragraph here could cost you more than an afternoon’s update.
Train everyone, not just compliance
Every new employee must receive onboarding training on:
Recognising suspicious activity
Internal reporting processes
How to protect client and company data
Keep proof: signed attendance registers, training slides, and refresher schedules.
“Culture beats policy. If your team knows why compliance matters, they’ll protect your practice without being told.”
Schedule annual refreshers, especially for staff who handle payments, records, or client files.
Re-screen, review, repeat
Compliance is never a one-and-done exercise. Add all employees to your ongoing screening cycle.
Re-check:
Sanctions and watchlists (annually or when roles change)
Visa and work permit expiries
Risk ratings and access levels
Training compliance
Every time an employee’s responsibilities grow, re-assess their risk. A promotion is not just a pay change, it’s a compliance event.
Keep your records audit-ready
When regulators or auditors visit, you’ll need to show your homework. Maintain one complete, secure file per employee containing:
Identity and immigration records
Sanctions and background checks
Risk assessments and ratings
Proof of training
Compliance approvals and notes
Keep all records for five years after employment ends. A solid file shows professionalism and can save your practice hours in future inspections.
Watch for politically exposed connections
If your new hire is a politically exposed person (PEP) or closely related to one, take note. This doesn’t make the hire illegal, but it does increase your reputational risk.
Document how you manage the potential for influence or conflict.
For example:
Restrict system access
Use independent oversight for sensitive roles
Schedule periodic reviews
Transparency is key. If there’s ever a question later, you’ll have the evidence that you acted responsibly.
Write it into your policies
Add clear compliance clauses to your HR documents and RMCP, such as:
Screening: “All prospective employees will undergo verification and integrity checks prior to appointment. Results will be retained.”
Escalation: “Any hire deemed medium or high risk requires compliance approval.”
Access Control: “Data and system access will be assigned on a least-privilege basis and reviewed annually.”
Retention: “Employee records will be kept for five years after termination.”
And don’t skip your POPIA and confidentiality clauses. Data protection is part of compliance.
Talk about compliance, don’t hide it
Compliance shouldn’t live in a binder on the top shelf. Share it. Let employees see that financial crime controls are there to protect them, too.
Make your RMCP accessible. Encourage questions. Build a culture where compliance is part of daily business, not a last-minute panic.
“The best-run practices are the ones where compliance is everyone’s business, not just the compliance officer’s.”
The bottom line
Hiring foreign nationals is 100% lawful, but it’s also a responsibility. Each hire introduces risk that must be managed, documented, and reviewed.
Doing this properly:
Keeps your firm credible with banks and regulators
Builds trust with clients
Protects your professional designation
Shows leadership in a compliance-driven market
Financial crime controls aren’t about fear, they’re about confidence. They prove that your firm operates with integrity and foresight.
So before you issue that next employment contract, ask yourself: If the regulator called tomorrow, could we prove our process?
If not, now’s the time to fix it.
Join CIBA — and we’ll show you how to turn compliance into confidence.