The Protection of Personal Information (POPI) Act is the most pertinent new compliance challenge for FSPs, key individuals, representatives and your employees.
Informed by South Africa’s constitutional right to privacy, the Act sets the minimum standards for and enforces the protection of personal information. It regulates how personal information should be responsibly processed and managed, and what your business can do with personal information.
Processing personal information includes collecting, storing, using or making available, as well as distributing and disseminating personal information. Personal information includes a person’s name, ID number, address, phone number, marital status, biometrics, banking information and health-related information. Data related to economic status, as well as opinions linked to politics, culture or religion, count as personally identifiable data. The Act also applies to the information of juristic persons, such as companies, organisations and government institutions.
Your FSP as a business and all your employees who collect, receive, record, organise, retrieve, use, disseminate, distribute or make such personal information available have certain responsibilities in terms of the Act. These include:
POPI Act compliance is about meeting the requirements of the Act, but also about reducing the risk of a breach. You will need to assess what controls are required and in place, and if these controls reduce the risk of a data breach.
The deadline to comply with the POPI Act is 1 July 2021. It is vital to fast track your compliance implementation, as failure to comply with the requirements may have dire consequences. Sections 59 and 100 – 106 of the POPI Act deal with instances where parties may be ‘guilty’ of an offence.
The most relevant of these offences are:
Section 107 of the Act details which penalties apply to the respective offences, to be imposed by a Magistrates’ Court. The penalty for more serious offences is imprisonment for up to 10 years or a fine, or both. For less serious offences, the penalty is a fine or imprisonment for up to 12 months, or both.
Section 109 details administrative penalties the Regulator may impose through an infringement notice. These fines can run up to R10 million.
While it is important to comply with the POPI Act and its regulations to avoid harsh penalties, there are other risks involved too. Addressing a breach and related investigations is an administrative and legal nightmare. International statistics indicate it can cost a business millions to manage the consequences of a data breach. Up to 30% of small businesses go out of business as a result.
Secondly, the media loves reporting on data breaches. This can have significant reputational risk implications. Some of the data breaches that recently occurred locally and globally are:
The personal information of up to 24 million South Africans and nearly 800 000 businesses was compromised in 2020. Individuals’ personal information exposed included cell numbers, home and work phone numbers, employment details and identity numbers. The company information that was exposed included business names, contact details, VAT numbers and banking details.
According to Experian, the data was on a third-party data sharing site on the internet, hosted in Switzerland. The third party has disabled the links and the data has been removed. Experian informed the Regulator of the breach on 6 August. The breach was a result of a ‘fraudster’ approaching Experian as a representative of a legitimate client. Law enforcement was notified of the breach and an Anton Piller order was executed. The ‘fraudster’s’ hardware was confiscated, and the data was deleted.
Earlier in 2021 there was a security breach in which email servers were hacked. At least 60 000 Microsoft business accounts were breached in this cyber-attack. The victims included many small and medium-sized businesses, but also several large entities such as the European Banking Authority. Personal data contained in the compromised emails may have been breached.
Marriott’s global guest reservation database was hacked in September 2018. It contained the personal information of more than 300 million people, including their credit card details, passport numbers and dates of birth. Marriott was given a proposed fine of $123 million.
Attackers exploited a vulnerability in Facebook’s code between July 2017 and September 2018 and stole the tokens of 30 million people. Personal information exposed included name and contact details, username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education and work. It also included the last 10 places the users checked into or were tagged in, their website, people or pages they follow, and their 15 most recent searches.
The US Treasury Department was breached and hackers may have broken into other government agencies as well. The hackers may have monitored staff emails at the agencies for months. The affected bureau at the Commerce Department was the National Telecommunications and Information Administration.
Gmail users were warned about a potential data breach after Google services went down for millions of people across the world. It was reported that hackers may have sabotaged Gmail, which has more than 1.5 billion global users.
Liberty had a server data breach in 2018, which could result in Liberty Holdings facing a civil lawsuit from its clients or even fines. Information Regulator chairperson Advocate Pansy Tlakula said the POPI Act, when finalised, would enable them to investigate the data breach.
An Absa employee unlawfully made selected customer data available to external parties in 2020. The bank has laid criminal charges against the employee.
Staggering amounts of data have been hacked during 2020, according to Security Magazine, which has reported the top 10 data breaches of 2020. Selling personal information can rake in a lot of money. Although large corporates are in the news for data breaches, the reality is that FSPs also have client information that can be sold on the dark web.
You will need to review and adapt your systems, processes and governance policies to comply with the requirements of the POPI Act. You can also aim to use the POPI Act to enhance your practices and gain the trust of clients and stakeholders.
By complying with the POPI Act, your business will demonstrate your adherence to Section 14 of the Constitution: the right to privacy. It will also show you are committed to protecting clients’ and stakeholders’ personal information and that you have implemented effective breach risk management. Ultimately it will reflect your business’s good corporate governance.
Masthead has developed a detailed methodology and various tools and templates to help you with your POPI Act compliance process. This will assist you to meet the Act’s requirements. Get in touch with us for more information.
On 17 May 2021, the Information Regulator announced that the online portal for the registration of Information Officers is now active and available on its website. To date there has been a high volume of registrations on the portal, which is causing some delays. The office of the Information Regulator is aware of the technical issues and its technicians are working on resolving them.
Existing Responsible Parties may register until the end of June 2021 to ensure POPIA compliance.
On 24 May 2021, the Ministry of Finance released a media statement announcing the appointment of the first Ombud Council Board Members, as well as the Chief Ombud for the Council. This gives effect to the new Ombud system in terms of the Financial Sector Regulation Act No. 9 of 2017 (FSR Act).
The Ombud Council is established in terms of the FSR Act and the objective of the Ombud Council is to assist in ensuring that financial customers have access to, and are able to use affordable, effective, independent, and fair alternative dispute resolution processes for complaints about financial institutions in relation to financial products, financial services and services provided by financial infrastructures.
Ms Eileen Meyer has been appointed as Chief Ombud for the Ombud Council as a transitional measure, so that the Ombud Council can commence operations and the Board can begin the process of appointing a full-time Chief Ombud. This follows the appointment of the first Board of Directors for a three-year term, which commenced on 1 November 2020.
The Council consists of the following Board of Directors:
The Ombud Council will have oversight powers over both statutory and industry Ombuds, namely:
A number of administrative sanctions were published during the past year which related to non-compliance with the provisions of the Financial Intelligence Centre Act (FICA). These administrative sanctions were meted out by supervisory bodies such as the Financial Sector Conduct Authority (FSCA) and the South African Reserve Bank (SARB).
Accountable and reporting institutions are required to comply with the provisions of FICA. The Financial Intelligence Centre, as well as any supervisory body may impose administrative sanctions on accountable or reporting institutions, where the institution is in contravention of the FIC Act, any order, determination, or directive made in terms of FICA.
An administrative sanction could range from a caution not to repeat the conduct which led to the non-compliance, a reprimand, a directive to take remedial action, or a restriction or suspension of certain specified business activities, to a financial penalty of up to R10 million for natural persons and up to R50 million for any legal person.
The administrative sanctions imposed over the past year are a result of accountable institutions failing to comply with certain provisions of FICA, which the supervisory body identified during inspections. The administrative sanctions imposed by the various supervisory bodies over the past year for non-compliance with FICA resulted in financial penalties ranging from R5 000 to R20 million. Accountable institutions are therefore urged to ensure that they are FICA compliant.
Below, we look at some of the areas of non-compliance that were identified during April 2020 – April 2021 and offer guidance on how to avoid them:
Risk Management and Compliance Programme (RMCP)
Over the past year, 87% of all FICA administrative sanctions were as a result of non-compliance with the requirement to develop, document, maintain and implement an RMCP. During inspections, there were either instances where no RMCP was implemented at all, or where there was an RMCP, it was a generic document which was not customised to the institution’s business operations.
It is important to understand that the RMCP should not be treated as a “copy and paste” exercise and can therefore not be a generic document which is filed and forgotten about.
Accountable institutions must ensure that their RMCP incorporates the requirements of FICA which are applicable to the business entity. The RMCP must be customised, as well as reviewed and maintained regularly, to ensure that it remains relevant to the institution’s business operations.
Non-compliance with the training requirement featured in 60% of all FICA administrative sanctions. The training requirements include the following elements:
1) Training must be ongoing
2) Training must be done on the FIC Act
3) Training must be done on the institution’s RMCP
It is recommended that accountable institutions regularly train staff members in accordance with these requirements, to enable them to comply with the provisions that are applicable to them, and that they keep adequate records of this training.
Customer Due Diligence (CDD)
Accountable institutions were found to be non-compliant with the CDD requirements in 53% of all administrative sanctions.
Accountable institutions are required to establish and verify the identity of a client in accordance with the processes and procedures set out in their RMCP, and to keep records of this. Accountable institutions should use the findings from their risk rating assessment to decide on the appropriate level and type of CDD to apply to a client.
Accountable institutions are required to keep CDD and transaction records for a period of at least five years from the date the business relationship was terminated, or a single transaction concluded.
In 13% of administrative sanctions, accountable institutions failed to submit Cash Threshold Reports to the Financial Intelligence Centre.
Where an accountable institution receives or pays out a cash amount in excess of R24 999.99, it is required to submit a report to the Financial Intelligence Centre as soon as possible, but no later than two days after becoming aware of the transaction or series of transactions. It is recommended that accountable institutions do daily checks on bank statements in order to detect these transactions and file the necessary report as soon as possible.
goAML login credentials
In terms of Directive 02/2014 issued by the Financial Intelligence Centre on 9 April 2014, no person may share their goAML login credentials. In 20% of administrative sanctions, there were instances where the accountable institution’s goAML login credentials were shared either with members of the accountable institution, such as personal assistants, or with external parties, such as the external compliance officer.
We offer a wide range of services to all Accountable and Reporting Institutions including FICA training for your employees, hands-on assistance with the implementation of FICA requirements in your business and support services when preparing for a FIC Inspection.
Speak to your Masthead Compliance Officer or get in touch with us for more information on how Masthead can assist you to be compliant in terms of the FICA requirements.
The Financial Sector Conduct Authority (FSCA) recently published FSCA FAIS Notice 54 of 2021, which extends several exemptions relating to Private Equity Funds. The exemptions, which were already in place and set to expire on 30 June 2021, have now been extended until 30 June 2023.
1. Exemption of certain persons conducting financial services related business with private equity funds
Category II FSPs that render financial services to a private equity fund are exempt from section 5(1)(c) and 5(1)(j) of the Code of Conduct for Discretionary FSPs and section 48(2) and 48(3) of the Determination of Fit and Proper Requirements. These sections relate to some of the requirements in respect of a discretionary investment mandate and certain of the financial soundness requirements, in particular:
Any mandate that was entered into before 13 December 2012 does not have to contain a general statement pertaining to risks associated with investing in local and foreign financial products, with particular reference to any currency risks, as long as these investors were informed in writing of these risks within six months of the publication of Board Notice 208 of 2012 (i.e. by 13 June 2013). Although this exemption is still active, it only affects older mandates that were concluded before this date.
Any mandate that was concluded before 13 December 2012 is exempt from the requirement that the mandate must make provision for either party to the mandate to terminate the mandate after giving notice in writing of not more than 60 calendar days. Although this exemption is still active, it only affects older mandates that were concluded before this date.
Any mandate entered into after 13 December 2012 is exempt from the provision requiring that a mandate be capable of termination upon 60 calendar days’ written notice, provided that clients who in the aggregate have committed 75% of capital to the private equity fund have the right to terminate the mandate for any reason whatsoever, after notice in writing of not more than 180 days.
A Category II FSP is exempt from meeting the liquidity requirement set out in section 48(2) of the Determination of Fit and Proper Requirements until 30 June 2023, provided it only manages private equity funds. In addition, the Category II FSP does not have to submit the Liquidity Calculation Declaration (Form A of Annexure six of Board Notice 194 of 2017) to the FSCA whilst this exemption applies.
Any Category II FSP that wishes to rely on the abovementioned exemptions must register the exemption with the FSCA in the prescribed format, and is required to notify the FSCA in writing of any changes to the information that was submitted when registering the exemption, within 15 days after the change has taken place.
2. Exemption of certain FSPs conducting financial services related business with private equity funds from Section 13(1)(c) of the FAIS Act
Category II FSPs that render financial services to a private equity fund are exempt from section 13(1)(c) of the FAIS Act, which provides that a person may not render financial services or contract in respect of financial services, other than in the name of the FSP of which such person is a representative. The expiry date of this exemption has been extended to 30 June 2023.
An FSP that wishes to rely on this exemption must register the exemption with the FSCA and must inform the FSCA of any changes to the information submitted, within 15 days after the change has taken place.
3. Exemption of certain Juristic Representatives from Liquidity Requirements
Juristic representatives of a Category II FSP that only renders financial services to private equity funds are exempt from meeting the liquidity requirements as set out in sections 48(2) and 48(4) of the Determination of Fit and Proper Requirements, until 30 June 2023. In addition, these juristic representatives do not have to submit the Liquidity Calculation Declaration (Form A of Annexure six of Board Notice 194 of 2017) to their FSPs whilst this exemption applies.
This exemption is subject to the juristic representative not becoming the subject of a decision, order or directive where the juristic representative is debarred, an administrative penalty is imposed on it or where it is removed from a specified position or function in or in relation to a financial institution. If this condition is not met, the exemption will no longer apply to that juristic representative.
The new CPD cycle started on 1 June 2021 and will end on 31 May 2022. FSPs, KIs and Reps are required to prepare a CPD Training Plan. The CPD training plan must ensure that the type and combination of CPD activities undertaken are relevant and contribute to the knowledge, skills and ethical standards of the FSP, its KIs and Reps. The CPD training plan must also address any identified needs or gaps, while ensuring that the required CPD hours are obtained timeously.
FSPs must ensure that their Competence Register is updated with CPD activities within 30 days after the expiry of each CPD cycle, i.e. the FSP must ensure that its Competence Register is updated by 30 June 2021.
All entities must be fully compliant with the provisions of the Protection of Personal Information Act by 1 July 2021. This includes the registration of Information Officers.