September 2020
OUR FIRST ANNIVERSARY!
It was just over a year ago that we started trading as Omega Compliance Solutions. And what a crazy year it’s been! In a bizarre turn of events, we’ve spent half the year working from home, and celebrated Spring Day in a virtual meeting. (In keeping with tradition, at least it was freezing cold – Ed.)
Over the year, we’ve assisted six new Financial Services Providers (FSPs) to obtain FAIS licence approval, seen POPIA (the Protection of Personal Information Act) go from “some privacy Act that’s going to happen” to “we need to get this done by July!”, and have had so many financial services legislation changes that we’ve stopped counting. The impact of COVID-19 in terms of consumer and financial industry participants has been noted by the regulators, and they’re sure to take a strong stance as we approach the release of the Conduct of Financial Institutions Bill. Over this next year we’ll be assisting everyone to meet the new requirements, and preparing for the next legislative onslaught.
We’re incredibly thankful to our loyal clients and suppliers, and glad to be part of your journey!
OUR NEW WEBSITE
Another thing we did this year was to develop and launch our website which went live on 1 September 2020. We’ll be posting these Legislative Updates there as well should you miss any.
Click here, and let us know what you think.
BUSINESS INTERRUPTION – UK HIGH COURT JUDGEMENT
On 15 September, the UK High Court handed down a judgement which included direction that COVID-19 – and the subsequent action by government and the public response – should be considered as the proximate cause of policyholders’ losses.
This will obviously affect everyone globally, and more so in South Africa, as our courts and regulators closely follow UK judgements and the UK regulator (the Financial Conduct Authority – FCA).
It’s definitely not “all over bar the shouting” though – there’s always the possibility of an appeal, and each claim will be reviewed by insurers. The UK High Court’s methodology involved reviewing insurer policy wordings and then coming to a generalised conclusion, which leaves much room for debate.
It seems that the intention of the judgement is to serve as guidance for insurers. Let’s hope we see this resolved in an equitable manner as soon as possible.
Read more of the Daily Maverick’s view here.
And the FSCA’s comments here.
INFORMATION REGULATOR – POPIA
We’ve been writing about POPIA for some time now to prepare everyone for the change. There are now only nine months to conduct your assessment and implement the necessary controls and plans.
As such, we cannot over-emphasise the amount of effort required to get this exercise done properly. If you haven’t started the process yet, please give us a call to get things underway.
Registration of POPIA Information Officers (IOs)
At the time of writing, we have been unable to obtain comment from the Information Regulator’s office regarding the finalisation of the Guidelines on the Registration of IOs. This is because the Regulator is still processing comments on the proposed Code of Conduct guidelines.
We anticipate that the final guidelines will be published in December or January, while those for the Codes of Conduct will be finalised between October and December this year.
Until then, it’s expected that registration of IOs and DIOs (Deputy Information Officers) will commence on 3 March 2021 and end on or before 31 March 2021.
Data Breaches
In last month’s legislative update, we mentioned the Experian data breach. The Information Regulator has released several media statements on this case. Of interest is the allegation that a whistle-blower informed the Information Regulator that data had found its way to the “Dark Web”. The personal information includes cell phone, home, and work numbers; employment details; identity numbers of natural persons; names of companies; contact details; VAT numbers; and banking details of juristic persons. That’s a lot of sensitive information or special personal information.
Even though the transitional period commenced on 1 July 2020, the Information Regulator advised that the grace period does not release responsible parties from their legal obligations, and stated the following:
“Whilst the Regulator appreciates the prompt response and cooperation it has received from Experian, it is concerned that the personal information of data subjects continues to be vulnerable, and Experian seems to be struggling to secure the protection of personal information of millions of South Africans. The Regulator is mindful of the fact that POPIA gives responsible parties up to 1 July 2021 to ensure that all processing of personal information conforms with the Act.
However, the Regulator would like to advise the public that the grace period provided for in POPIA does not absolve responsible parties from the legal obligation of ensuring that they process personal information in accordance with POPIA. The information which Experian has provided to the Regulator so far raises serious concerns, insofar as protection of personal information is concerned”.
The Regulator is undertaking an independent review into the case at Experian and, since the site is hosted in Switzerland, it has informed the regulatory counterpart there of the breach.
The Regulator is concerned that Experian has not notified the affected data subjects as per section 22(1)(b). POPIA requires notification to be made “as soon as reasonably possible after the discovery of the compromise”. The breach was discovered in May, and the Information Regulator was only advised on 6 August.
We foresee an amendment to section 22(2), or the time frame being reduced to 72 hours should the Regulator publish guidance on data breaches, as this would align with the GDPR (the European General Data Protection Regulation).
Remember, this kind of thing could happen to anyone! Earlier this year we heard a story of a small family-run brokerage that was breached and was asked to pay a R1.5 million ransom in Bitcoin!
Data protection is essential for any modern business in the 21st century. Even where security measures are good, the ability to respond quickly if a data breach does occur, so as to mitigate the risk to both the data subject and the processor, is simply good business practice.
To read the Information Regulator media statements, click here and here.
Ethical hacking
Ethical hacking, also called penetration testing, is the practice of testing a computer system, network, or web application to find security vulnerabilities that an attacker could exploit. Testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in – either virtually or for real – and reporting back on the findings.
The main objective of testing is to identify security weaknesses, but it can also be used to test an organisation’s security policy, adherence to compliance requirements, employees’ security awareness, and the organisation’s ability to identify and respond to security incidents.
Contact us to arrange an appointment with our service provider should you require such a service.
Readiness Plan for the Implementation of POPIA
Last month we provided a snapshot of the Information Regulator’s Operational Readiness Plan.
Below is an update, with particular attention to developments on sections 40(1)(g) and 72(1)(a) as a result of the Experian breach and the issue of ascertaining where data resides in cloud solutions:
PROVISION OF POPIA (section that requires critical action for the implementation of POPIA) | ACTION UNDERTAKEN/TO BE UNDERTAKEN (the action required by the provision) | CURRENT STATUS | TIME FRAME (projected time frame for completion of the action) |
Section 40(1)(g) Powers and duties of the Regulator | Develop Guidelines on trans-border information flow. | First draft of Guidelines completed | 31 August 2020 |
Section 22 Notification of security compromises – Condition 7 – Security safeguards | Provide guidance on the manner in which data subjects must be notified of unauthorised access to or acquisition of their personal information, as provided for in section 22(4)(e). Provide guidance on the manner in which the responsible party must publicise any compromise to the integrity or confidentiality of personal information if such publicity would protect a data subject who may be affected by the compromise, as provided for in section 22(6). | None | 31 March 2021 |
Sections 55 and 56 Information Officers | Development of a Guideline for the registration of IOs and the designation and delegation of DIOs. Development of an electronic register of IOs. Development of an electronic portal enabling access to the register of IOs. | Unable to confirm the date for finalisation of the Guidelines, as the Regulator is currently processing comments on the Guidelines for Codes of Conduct | 3 March 2021 |
Section 72(1)(a) Transfer of personal information outside the Republic | Development of guidelines on trans-border information flows. | In development stage | 30 December 2020 |
FINANCIAL SECTOR CONDUCT AUTHORITY (FSCA)
Levy invoices
FSPs and financial institutions should have received their levy invoices from the FSCA by now. If you haven’t, it’s necessary to follow up to ensure that your entity pays the correct amount. Let us know if you need assistance in obtaining an invoice from the FSCA.
Remember that they’re due for payment by 31 October 2020.
Download the FSCA notices here.
FINANCIAL INTELLIGENCE CENTRE (FIC)
During August, the FIC announced that FIC director, Advocate Xolisile Khanyile has been appointed as a deputy vice-chair to the Egmont Group of Financial Intelligence Units.
The Egmont Group is an international group of 164 financial intelligence units that share expertise in combating money laundering and terrorist financing.
That’s quite a feather in the cap for our Regulator, and we wish Advocate Khanyile well in her role.
Read more here.
FINANCIAL SERVICES TRIBUNAL
Debarments
Decision: Margo Davidson v ABSA Bank Limited – Fair debarment process
This is an interesting case that deals with the requirements for initiating a debarment.
The Tribunal reiterated that the grounds for debarment must have occurred or become known to the FSP while the person is a representative of the FSP. Should the person cease to be a representative of the FSP, the debarment process must commence no longer than six months from the date that the person ceased to be a representative of the FSP.
So, as per the first requirement, when the reason for debarment has only become known after the person ceased to be a representative of the FSP, the matter must be referred to the FSCA and the FSP may not debar the person. The second requirement allows an FSP to proceed with the debarment, notwithstanding the fact that the person was no longer a representative of the FSP.
The Tribunal once again describes the correct debarment process and what is required for a debarment to be justified in terms of section 13(2)(a) of the FAIS Act. Contravention or failure to comply with a provision of the FAIS Act must be “material”.
Since no enquiry was conducted into the applicant’s fit and proper status, and there was no finding of dishonesty against the applicant, the Tribunal deemed the debarment to be unfair, unreasonable, and unjustified.
Read more here.
Decision: A S Cassim and FNB
The Cassim case provides a great example of an enquiry into a representative’s fit and proper status and material justification for debarment. Section 9(1) of Board Notice 194 of 2017 is referred to, which provides a list that indicates when a person is not honest or lacks integrity or good standing.
Cassim was clearly found to have contravened several requirements listed in section 9(1)(a)(ii) of Board Notice 194 of 2017.
Read more here.
COUNCIL FOR MEDICAL SCHEMES (CMS)
Bank Account Scam
It could happen to anyone, but it appears a syndicate is attempting to defraud medical schemes, administrators, managed care organisations, and brokers by trying to convince them that they could get a 5% discount by paying their CMS levies in advance.
As with all such scams, the bank details are not those of the CMS. Our immediate thought was: under what circumstances would any regulator offer a discount? If it sounds too good to be true…
Click here for the official press release.
KeyHealth Medical Scheme – Provisional Curatorship
The CMS advised that KeyHealth was placed under provisional curatorship by the Pretoria High Court on 16 September 2020. This was as a result of a CMS-commissioned inspection report revealing certain corporate governance irregularities.
Brokers are advised not to cause a run on the scheme, and to continue to act in line with the principles of good advice and in the best interests of KeyHealth members.
Click here for the official press release.
FROM A-PROOFED
Phrases that should be banned from business emails
Take a look at the next four or five emails that you receive. Are they clear and precise, or do they sound as if they were written by a lawyer in a Charles Dickens novel? Worse yet, do they sound like they were written by a lawyer in your own company?
Don’t get me wrong, lawyers are there to protect you, to dot the i’s and to cross the t’s; but it’s your job to deal with clients, and part of that means writing in such a way that you come across as human, caring, up to date, and personal.
By eliminating certain phrases, you can make your correspondence significantly more professional. Also, you’ll improve the image of your company, settle claims more amicably, sell policies more easily, get information quicker, and cut out thousands of wasted words.
Here are some phrases that you can either delete or find substitutes for:
Enclosed please find
This one goes back to the days when documents were delivered in envelopes, and a ‘covering letter’ was required. It makes no sense in electronic communication. After all, what do you have to “find”?
That reminds me of a joke. A guy goes into a restaurant and orders a steak dinner. Later, the waiter walks over to the table, smiles at him and asks “How did you find your steak?” The guy looks at the waiter and says, “I just moved the mashed potatoes – and there it was!”
Enough said! There’s nothing to “find”. Use “Attached is” or “I’ve attached”, or even “Here is”.
FYI
This is rude and can easily become a tool in passive aggressive communication when forwarding an email from someone else. It doesn’t take that long to write a short message such as “This is the email I was telling you about.”
I hope you’re well
This is a hollow formality, and the person reading your email will immediately recognise it as one. You aren’t that invested in them. They’re not the centre of your world. You don’t go to bed at night worrying about their well-being. This statement is nothing but filler.
Even worse is “I hope this email finds you well.” It’s not a treasure hunt, and emails don’t find anything!
Keep in mind that you’re writing a business email, and that the message needs to be concise, polite, and professional. Also, remember that the reader will most likely regard that opening remark as insincere. Leave the filler out, and approach the subject directly, in a business-like manner.
Just
If you’re using this word as a sentence filler, it quickly loses its meaning. Many people use it in phrases like “I just wanted to reach out” and end up sounding apologetic for contacting the recipient. By removing “just”, you’ll add more gravity to your words and sound more excited about the communication.
You can also lose the phrase “reach out”. You can’t extend your arm that far, and the phrase is yet another filler. Start the message simply, with something pertinent to the topic.
Kindly
“Please” works better than this old-fashioned word.
Please be advised
This is a lawyer-like phrase that is completely superfluous. The mere fact that you’re writing an email means that you’re telling them something. Instead of writing “Please be advised that your premium is overdue”, rather write “Your premium is now overdue.” Instead of “I advised him to call me tomorrow,” it would be better to write “I asked him to call me tomorrow.”
Please do not hesitate to contact me
I’ll refrain from writing, “If I had a Rand for every time I see this phrase used…” because then I’d be using a cliché to criticise a cliché! Think about it: if someone wants something from you, they won’t hesitate to ask. Give them your contact information and tell them how you want them to use it.
Please note that
This is another “Please be advised” and completely unnecessary. Rather leave it out.
Not only does eliminating overused phrases make your emails more professional and direct, it may also help your messages avoid being intercepted by spam filters. There’s nothing wrong with eliminating clichéd jargon in favour of using your own unique voice when sending an email.
And if you need help, remember that I can assist.
Kim Hatchuel
083 657 3377 | kim@a-proofed.co.za
www.a-proofed.co.za