Accountable institutions are required to obtain, assess and report certain personal information and special personal information pertaining to their clients in terms of the Financial Intelligence Centre Act (FIC Act). However, complying with these obligations can sometimes lead to grey areas due to data privacy laws which promotes the protection of personal information that is processed, such as the Protection of Personal Information Act (POPI Act). The Financial Intelligence Centre’s PCC 22A provides guidance on information processing and clarifies the interplay between the collection, assessment and reporting of clients personal and special personal information in respect of ensuring compliance with both the FIC and POPI Acts.
When establishing a business relationship or conducting a single transaction with a client, the FIC Act requires that an accountable institution must comply with obligations such as conducting risk assessments, customer due diligence, account monitoring, scrutinising client information, reporting and record-keeping. In complying with these requirements, the accountable institution must ensure that there is harmony between the application of both the FIC Act and POPI Act which can be achieved by accountable institutions asking only for personal information and special personal information that is necessary to achieve the purposes of the FIC Act.
The personal information and special personal information that the accountable institution obtains, uses and further processes should not amount to an excessive collection of information. Furthermore, the information should be adequate, accurate, relevant, up to date and proportionate to the risk level e.g. enhanced measures of customer due diligence may include the collection of more information when dealing with higher risk clients.
The FIC’s PCC 22A advises accountable institutions to disclose to clients, that the accountable institution must comply with its obligations in terms of the FIC Act and in order to do so it has to obtain, use and further process certain personal information and special personal information of the client. Where a client refuses to provide personal information or special personal information, the accountable institution may advise the client on the consequences of such refusal provided such information does not amount to tipping off.
Consequences of a client’s refusal to provide personal information or special personal information may include:
- not establishing a business relationship or conducting a single transaction with the client.
- not concluding a transaction in the course of a business relationship or performing any act to give effect to a single transaction.
In such instances the accountable institution must terminate an existing business relationship with a client in accordance with the accountable institution’s risk management and compliance programme (RMCP) and consider filing a report in terms of section 29 of the FIC Act.
Record keeping requirements under the FIC Act must also consider the requirements of the POPI Act. Records must be held for the purposes of combating money laundering, terrorist financing and proliferation financing, in accordance with the FIC Act, related regulations, and the accountable institution’s RMCP. Where the period in which the records are required to be kept lapses, the personal information and special personal information may not be used for purposes of the FIC Act.