When Power Becomes Risk: Why Every Accountant Must Understand PEPs
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
That new client with government links? Before you invoice them, you may already have triggered FICA’s toughest test.
The quiet trap in your client list
You’re racing through tax season when a well-connected business owner walks in: a cousin of a cabinet adviser, maybe a director of a state contractor. Great client, solid fees. But to the Financial Intelligence Centre (FIC), that person might not just be “influential.” They could be a Politically Exposed Person (PEP), and that changes everything.
For many small practices, this is where compliance starts to bite. The rules aren’t new, but the enforcement is. The FIC’s Guidance Note 7A now expects even small firms (from bookkeepers to auditors) to prove they’ve applied enhanced due diligence (EDD) when dealing with anyone linked to political power.
Fail that test, and it’s not just a slap on the wrist. It’s administrative sanctions, public naming, and even possible criminal prosecution.
The law that won’t look away
Under the Financial Intelligence Centre Act 38 of 2001 (FICA), every “accountable institution” must apply a risk-based approach to clients. And when it comes to politically connected people, that risk is automatically higher.
The Act now splits PEPs into three categories:
Domestic Politically Exposed Persons (DPEPs) – South Africans who hold (or held) senior public offices such as President, Minister, Premier, MEC, executive mayor, judge, ambassador, general or senior official of a public entity.
Foreign Politically Exposed Persons (FPEPs) – similar roles abroad. These are always treated as high risk.
Prominent Influential Persons (PIPs) – private-sector figures (think CFOs or board chairs of major state contractors) whose companies do business with government above a minister-set threshold.
Family and close associates count too. If your client’s spouse, child, or business partner fits one of those categories, your risk radar must light up.
Why it matters to small practices
Big banks have teams of compliance analysts. You have maybe one staffer or just yourself. But the law doesn’t scale down for firm size.
If you are a CBAP who handles client funds or provides regulated financial services, you may very well qualify as an accountable institution. That means you must have a written, board-approved (or owner-approved) Risk Management and Compliance Programme (RMCP) that shows how you:
Identify and verify clients and their beneficial owners.
Detect whether they are DPEPs, FPEPs or PIPs.
Apply enhanced due diligence where needed.
Keep records for five years.
File reports to the FIC when you suspect anything shady.
It’s no longer enough to tick a “PEP screening” box on your onboarding form. Inspectors now ask to see evidence of the thought process: what sources you checked, what decisions management approved, and how you monitored transactions afterward.
Enhanced due diligence: what it really means
The minute you identify a client as a PEP (or linked to one), you must step up your checks.
Senior-management approval: You, as the owner or partner, must personally sign off before taking on the client. This cannot be delegated to a junior or an outsourced service.
Source-of-wealth and funds verification: Go beyond “where does the money come from?” Document how you verified it.
Ongoing monitoring: Review their transactions more frequently and flag anything inconsistent with the client’s profile.
Record-keeping: Keep all proof (screening results, approvals, correspondence) ready for inspection.
These requirements come straight from FICA’s sections 21A-21H and are fleshed out in Guidance Notes 7 and 7A plus several Public Compliance Communications (PCCs).
Where accountants stumble
Let’s be honest: most compliance breaches don’t happen because someone wanted to launder money. They happen because busy practitioners cut corners. Common traps include:
Relying solely on a commercial database and assuming it’s accurate.
Forgetting to re-screen existing clients who later become politically exposed.
Keeping no paper trail of senior-management sign-off.
Failing to verify the real source of funds.
Ignoring family or business associates who should also trigger EDD.
Oversight has teeth
Several regulators share the job of enforcing FICA:
Prudential Authority (for banks),
FSCA (for financial services providers),
Law societies and estate-agent boards, and
The FIC itself.
Under section 45C, the FIC can impose administrative sanctions for non-compliance (which range from reprimands to fines that reach into the millions). In Harlyn Trading International (Pty) Ltd v FIC (2021), the High Court confirmed the FIC’s sanctioning power, warning that a weak RMCP or missing documentation offers no defence.
South Africa and the world’s watchdog
Behind all this sits the Financial Action Task Force (FATF), the global body that sets anti-money-laundering standards. Its Recommendations 12 and 22 require extra scrutiny for PEPs because history shows how public power and corruption often travel together.
South Africa’s 2023 FATF “grey-listing” jolted regulators into tightening supervision. The new Schedules 3A-3C and Guidance Note 7A are part of that response. The message is clear: prove you can manage political-exposure risk, or expect attention from the supervisors.
How to make it work in real life
A. Build it into your RMCP
Spell out, in plain language:
How you’ll identify PEPs (which databases, public lists, declarations).
When EDD kicks in.
Who signs off at senior level.
How often clients are re-screened.
What red flags trigger suspicious-transaction reports (STRs).
B. Mix your data sources
Use at least two sources: a reputable PEP database plus open-source checks (news, government sites, company registers). Remember: false positives are common, which means you should document how you resolved them.
C. Ask the right questions
When onboarding a potentially connected client, explain that FICA requires these checks. Transparency builds trust and covers you if scrutiny later follows.
D. Keep it POPIA-proof
You’re allowed to collect personal data for anti-money-laundering compliance, but store it securely and only for as long as the law allows.
E. Train your team
Even your admin assistant who captures client details should know what a PEP flag means and when to escalate.
Practical checklist for the next inspection
✅ Review your RMCP: make sure Guidance Note 7A is referenced.
✅ Audit existing PEP clients: do files show senior-management approval and proof of source-of-funds checks?
✅ Set up a PEP register and escalation log.
✅ Document your screening process: what tools, how often, who signs off.
✅ Train staff on “tipping-off” prohibitions: never tell a client you’ve filed a suspicious-transaction report.
✅ Keep all records for at least five years.
Do these six things, and you’re inspection-ready.
The thin line between power and exposure
PEPs aren’t villains by default. Many are respected professionals, public servants or entrepreneurs. But because corruption often follows proximity to power, regulators expect accountants to act as the first line of defence.
That expectation lands squarely on your desk. And while it may feel like another layer of red tape, it’s also an opportunity. Mastering PEP compliance signals to clients (and regulators) that your practice is serious, credible and capable of handling complex, high-value work.
The courtroom lessons
Although few South African cases deal directly with “who counts as a PEP,” courts have weighed in on how compliance is enforced. Harlyn Trading confirmed that documentation and proactive remediation can mitigate penalties. SARB v Bank of Baroda (2019) underscored that failure to apply FICA obligations carries real consequences.
The takeaway? When in doubt, document every check, approval, and rationale.
What to do now
Update your RMCP to reflect the 2025 Guidance Note 7A requirements.
Conduct a PEP file audit: check approvals, EDD evidence, monitoring logs.
Set a policy review date every six months.
Train your staff with case studies: real examples stick.
Engage CIBA for templates, workshops and guidance on building a defensible RMCP.
The bottom line
PEP compliance isn’t just for banks anymore. Every accountable institution is part of South Africa’s anti-money-laundering frontline.
The FIC has made it clear: “We’re watching how you watch the powerful.”
So, whether your next client is a mayor’s cousin or a government contractor’s CFO, take a breath, pull out your RMCP, and follow the process. Because when power becomes risk, compliance is your only shield.