On 6 July 2022, the Financial Intelligence Centre (“FIC”) published a communication offering guidance on information processing in terms of the Financial Intelligence Centre Act, 2001 (“FICA”) in relation to data protection. This is to provide a framework on how the FICA regulations will be affected by the new privacy laws as a result of the Protection of Personal Information Act, 2013 (“POPIA”).
FICA sets out the requirements for an accountable institution when it establishes a business relationship or conducts a single transaction with a client. These requirements include:
- conducting customer due diligence risk assessments;
- account monitoring;
- reporting to the FIC; and
- keeping records of its clients’ information.
As such in order to comply with these requirements, an accountable institution must obtain and process the necessary personal information and special personal information of its clients.
The POPIA is South Africa’s main data privacy protection legislation, and set outs all the conditions for the lawful processing of personal information.
FICA requirements are complementary to the provisions of POPIA which lists the grounds of justification for processing personal information. POPIA specifically states that personal information may be processed if this will comply with the requirements imposed by law on the responsible party.
FICA, therefore, provides the necessary justification that enables accountable institutions to process personal information under POPIA, provided they do so within the scope of the obligations imposed by FICA.
In order to comply with FICA and POPIA, accountable institutions must:
- apply a risk-based approach based on the principle of proportionality when processing personal information for combatting activities like money laundering and terrorist financing. An accountable institution must only ask for personal information that is necessary to meet their obligations in terms of FICA
- inform clients that their information is shared across a group, including where this information is shared with entities in other countries;
- inform clients of the consequences that they will face if they refuse to provide personal information, provided that this will not amount to tipping off (ie, informing a client that a suspicious transaction/activity report has been filed with the FIC);
- if the client refuses to provide personal information that is required for purposes of complying with FICA, the accountable institution must consider filing a report in terms of FICA; and
- apply for prior authorisation from the Information Regulator in accordance POPIA when required. An example where this may be required is where one entity in a group of companies does sanction screening on behalf of other entities and therefore may process personal information on criminal behaviour or objectionable conduct on behalf of such other entities.
When it comes to the collection of personal information, an accountable institution can collect it directly from the client or from a third party. The accountable institution is permitted to obtain information from a third party and not directly from the client if collecting the information directly from the client would amount to tipping off the client. When an accountable institution obtains personal information through a third party, they must disclose, to the client, that it relies on third parties for obtaining personal information about the client. This could be done in the accountable institution’s privacy statement.
The communication is still in its draft form and interested parties are invited to submit comments on the communication by submitting written comments through the online comments submission link. Any questions or requests regarding the draft can be sent via email to the FIC at email@example.com. The deadline for submissions is Tuesday, 26 July 2022 by close of business.
This article was first published by ENSafrica (www.ENSafrica.com) on 12 July 2022.
No information provided herein may in any way be construed as legal advice from ENSafrica and/or any of its personnel. Professional advice must be sought from ENSafrica before any action is taken based on the information provided herein, and consent must be obtained from ENSafrica before the information provided herein is reproduced in any way. ENSafrica disclaims any responsibility for positions taken without due consultation and/or information reproduced without due consent, and no person shall have any claim of any nature whatsoever arising out of, or in connection with, the information provided herein against ENSafrica and/or any of its personnel. Any values, such as currency (and their indicators), and/or dates provided herein are indicative and for information purposes only, and ENSafrica does not warrant the correctness, completeness or accuracy of the information provided herein in any way.