The High Risk Trap in RMCP Models
Many accounting firms implementing their Risk Management and Compliance Programme (RMCP) under the Financial Intelligence Centre Act (FIC Act) encounter the same practical problem. After designing a risk scoring model, they discover that almost every client ends up being classified as high risk.
This often happens when firms assign a high score to the nature of services provided, particularly where the practice performs services such as company formation, maintaining statutory registers, preparing shareholding documentation, or assisting with beneficial ownership filings.
Because these services fall within the scope of Trust and Company Service Provider (TCSP) activities, firms assume that the Financial Intelligence Centre (FIC) expects them to treat all clients as high risk.
This interpretation, however, misunderstands how the risk-based approach under the FIC Act is intended to operate.
The Difference Between Inherent Service Risk and Client Risk
Certain services are internationally recognised as presenting higher inherent money laundering risks. This is reflected in guidance issued by the Financial Intelligence Centre and global standards developed by the Financial Action Task Force (FATF).
Services such as:
• Company formation
• Share issuance and restructuring
• Corporate administration
• Maintaining statutory registers
• Filing beneficial ownership information
can potentially be misused to obscure the true ownership or control of a business entity.
For this reason, these services are generally considered higher inherent risk activities.
However, the existence of a higher-risk service does not automatically make every client high risk.
The FIC requires accountable institutions to apply a risk-based approach, which means risk must be assessed holistically across multiple factors, not based on a single element.
Risk Must Be Assessed Across Multiple Factors
An effective RMCP risk model typically considers several different categories of risk. These commonly include:
• Nature of services provided: Certain services may carry higher inherent risk because of their potential misuse.
• Client profile and ownership structure: Entities with complex ownership structures, nominee shareholders, or opaque control arrangements may present higher risk.
• Geographic exposure: Clients operating in or connected to high-risk jurisdictions may increase money laundering risk.
• Source of funds and business activities: Industries that involve large volumes of cash or cross-border transactions may present additional risks.
• Delivery channel: Remote onboarding or non-face-to-face relationships may increase the risk of identity fraud or impersonation.
• Client relationship and referral source: Long-standing relationships or referrals from trusted clients may reduce risk.
The purpose of combining these factors is to produce a balanced risk profile.
Why Many Firms Accidentally Classify Everyone as High Risk
When practices first design a scoring model, they often allocate a very high numerical score to the “nature of services” factor. If the model has narrow scoring thresholds, this single factor can push most clients into the high-risk category.
For example:
• Less than 10 points – Low Risk
• 10–15 points – Medium Risk
• 15 points and above – High Risk
If the nature of services already scores 12 or 15 points, almost every client will automatically be classified as high risk before other factors are even considered.
This outcome usually indicates a poorly calibrated scoring model, not that every client genuinely presents elevated money laundering risk.
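As an added illustration (not part of the original article or the CIBA template), the sketch below runs a calibration check on the example thresholds above: it enumerates every possible client profile and reports the share landing in each band for a given nature-of-services score. The five other factors and their 0 to 3 scoring range are assumptions, since the article gives no scores for them.

```python
from collections import Counter
from itertools import product

# ASSUMPTION: five other factors, each scored 0-3 (not specified in the article).
OTHER_FACTORS = ["client_profile", "geography", "source_of_funds",
                 "delivery_channel", "relationship"]
OTHER_RANGE = range(0, 4)


def band(total):
    """Example thresholds from the article. It lists 15 in both the medium
    and high bands; here 15 counts as high ("15 points and above")."""
    if total < 10:
        return "low"
    if total < 15:
        return "medium"
    return "high"


def distribution(service_score):
    """Share of all possible client profiles that land in each band."""
    counts = Counter(
        band(service_score + sum(combo))
        for combo in product(OTHER_RANGE, repeat=len(OTHER_FACTORS))
    )
    n = sum(counts.values())
    return {b: counts.get(b, 0) / n for b in ("low", "medium", "high")}


def dominance(service_score):
    """Single-factor dominance check: the best band a client can reach when
    every other factor is at its minimum score."""
    floor = band(service_score + min(OTHER_RANGE) * len(OTHER_FACTORS))
    return {"floor_band": floor, "low_reachable": floor == "low"}


if __name__ == "__main__":
    # 12 and 15 are the service scores named in the article;
    # 3 is a constructed score for a differentiated lower-risk service.
    for score in (12, 15, 3):
        shares = {b: f"{s:.1%}" for b, s in distribution(score).items()}
        print(score, dominance(score), shares)
```

A model whose dominance check reports that "low" is unreachable for a routine service is miscalibrated by construction, whatever the remaining factors say about the client.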
Understanding the Typical Accounting Practice Client Base
Many small and medium accounting firms serve clients with relatively straightforward profiles. In practice, the typical characteristics of many accounting firm clients include:
• Directors who are also the sole shareholders of the company
• Simple ownership structures without nominee arrangements
• Small or medium enterprises with modest turnover
• Clients who are personally known to the firm or referred by existing clients
• Long-term accounting relationships that provide insight into the client’s operations
These characteristics often act as natural risk mitigators.
In many cases, accountants have significantly more visibility into their clients’ financial affairs than other service providers, which can reduce the risk of misuse.
Calibrating the Nature of Services Factor
Rather than assigning a single high score to all services, firms should differentiate between different types of engagements.
For example:
Lower risk services
• Bookkeeping
• Preparation of annual financial statements
• Tax compliance and submissions
• Payroll administration
Moderate risk services
• Maintaining company registers
• Filing beneficial ownership information
• Routine company secretarial services
Higher risk services
• Company formation
• Share restructuring or complex ownership arrangements
• Establishing layered corporate structures
This allows the scoring system to reflect the actual nature of the engagement, rather than treating all services as equally risky.
Ensuring the Model Remains Practical
An RMCP risk model must remain operationally workable.
If every client is classified as high risk, the firm will theoretically be required to apply Enhanced Due Diligence (EDD) to nearly all clients. This is not only impractical but also inconsistent with the intention of a risk-based system.
Enhanced Due Diligence should be reserved for situations where additional risk indicators exist, such as:
• Politically exposed persons (PEPs)
• Complex ownership structures
• Foreign beneficial owners
• Unusual transactions or unexplained wealth
• High-risk jurisdictions
In most straightforward SME engagements, Standard Customer Due Diligence (CDD) will remain appropriate.
Documenting the Methodology in the RMCP
What matters most from a regulatory perspective is that the firm can explain and justify its methodology.
The RMCP should clearly describe:
• The risk factors used in the assessment
• How each factor is scored or weighted
• The thresholds for low, medium, and high risk
• The circumstances that trigger Enhanced Due Diligence
If the firm can demonstrate that the model is logical, documented, and consistently applied, it will generally meet the expectations of a risk-based framework.
Using a Practical RMCP Template
For many small and medium accounting practices, the most difficult part of implementing an RMCP is not understanding the concept of risk-based assessment, but translating it into a structured and practical document.
To support members, CIBA has developed a basic RMCP template that can serve as a starting point when designing or refining a firm’s risk management framework. The template helps firms document key elements such as risk categories, scoring methodology, due diligence requirements, and internal procedures.
Members can access the template here:
https://media.myciba.org/ciba/Working-Paper-Templates/CIBA-basic-RMCP-template.pdf
While the template provides a useful foundation, each firm should adapt it to reflect the nature of its services, client base, and operational processes. The goal is not to create a generic compliance document, but a practical tool that can be applied consistently during client onboarding and ongoing monitoring.
A Risk-Based Approach, Not a Maximum-Risk Approach
The Financial Intelligence Centre does not expect firms to treat every client as high risk simply because certain services are regulated.
Instead, accountable institutions are expected to apply professional judgement, supported by a structured and documented risk assessment process.
A well-designed RMCP should allow firms to identify genuinely higher-risk situations while still recognising that many clients, particularly simple owner-managed SMEs, present relatively low levels of money laundering risk.
The objective is not to produce the highest possible risk classification. The objective is to produce a reasonable, defensible, and practical assessment of risk that enables firms to apply the appropriate level of due diligence.
When firms understand this distinction, the RMCP becomes not just a compliance document, but a useful operational tool for managing risk in practice.
Case Study: Applying a Risk Rating Model in Practice
To ensure consistent risk assessments, a small accounting practice applies a numeric risk matrix in its RMCP.
Each of the four risk categories — client risk, service risk, geographic risk, and transaction risk — is assigned a score of:
• 1 = Low risk
• 2 = Medium risk
• 3 = High risk
The scores are then added together to determine the client’s overall risk rating. This rating guides the level of due diligence and monitoring required.
The practice is approached by GreenFields Landscaping (Pty) Ltd, a local landscaping business, for assistance with bookkeeping, payroll, annual financial statements, and tax compliance.
During onboarding the firm establishes that:
• The company operates only in South Africa.
• The owner is the sole director and shareholder.
• The business services local residential clients.
• Payments are received through standard bank transfers and EFTs.
• There are no foreign shareholders, trusts, or complex ownership structures.
• The client is not a Politically Exposed Person (PEP).
The firm applies its RMCP risk matrix:
Total Score: 4
According to the firm’s RMCP, a score between 4 and 5 is classified as low risk.
The client is therefore subject to:
• Standard Customer Due Diligence (CDD)
• Routine monitoring of the relationship
• Annual review of the client risk profile
Because no higher-risk indicators are present, enhanced due diligence is not required.
This example illustrates how a structured risk model helps firms apply the risk-based approach required by the FIC Act in a practical and defensible way. Instead of assuming that every client represents a high risk, the firm uses objective criteria to determine the appropriate level of scrutiny.