Omega Compliance Solutions
October 2020
NATIONAL TREASURY
Conduct of Financial Institutions Bill (COFI)
On 29 September, National Treasury (Treasury) released a second draft of the COFI Bill for further public comment.
It’s been nearly two years since the first draft was provided for comment, and Treasury has said that it expects this round of comments to be the last before finalising the Bill and submitting it to Cabinet.
Despite the inclusion of the TCF (Treating Customers Fairly) principles in the subordinate legislation under the Financial Advisory and Intermediary Services (FAIS) and Insurance Acts, Treasury remains dissatisfied and aims to entrench the principles in primary legislation. Note that the scope of the COFI Bill is much broader than the FAIS and insurance sectors, and it will bring in sectors currently excluded from the TCF requirements.
The key changes to the Bill are as follows:
- Application of the COFI Bill in relation to existing legislation: Amendments have been made to align the COFI Bill with the Financial Sector Regulation (FSR) Act and other applicable legislation.
- Approach to Conduct Standards: The power to make Conduct Standards now sits in the FSR Act and has been removed from the COFI Bill. The Financial Sector Conduct Authority (FSCA) retains the power to issue standards.
- Refined approach to licensing: The COFI Bill has been aligned to work in tandem with the FSR Act in terms of licensing. A licence would therefore be issued under the COFI Act, following the licensing provisions of the FSR Act.
- Focusing transformation on tangible targets: The COFI Bill already required financial institutions to have transformation policies; it has now been amended to require those policies to contain tangible targets. In addition, the draft allows the FSCA to issue directives in this regard and brings transformation within its supervisory and enforcement capacity.
- Approach to medical schemes sector: There is currently a task team investigating a suitable approach to the inclusion of medical schemes and medical scheme administrators under the conduct legislation. References to medical schemes and medical scheme administrators have been removed until the task team has concluded its work.
- Alignment to financial markets review: Activities defined in the Licensing Schedule (Schedule 1 of the Bill) have been amended to capture activities that will be regulated under the proposed Financial Markets Act (FMA). (Note that the FMA is still in development.)
- Application to the non-retail market: After a series of engagements with industry, a ‘lending’ licence category has been included. The category intends to deal with corporate advisory services such as the arrangement of debt and equity issues, advisory services (e.g. in mergers and acquisitions), and on- and off-balance sheet financing of transactions. This category does not include agreements that are included under the National Credit Act.
Industry was given a ridiculously short period of one month to submit comments to marketconduct@treasury.gov.za by 30 October 2020. Should you wish to make comments, we can incorporate them with our submission through our industry body – our deadline is 16 November.
Click here for a copy of the draft bill, and here for the response document.
THE FSCA
On 7 October, the FSCA released Communications 49 and 50. Both are consultation documents: respectively, on the draft Conduct Standard for Securities Lending for Pension Funds, and on the draft Conduct Standard on Advertising, Marketing and Information Disclosure Requirements for Collective Investment Schemes.
On 10 October, Communications 51 and 52 were released. These are also consultation documents: respectively, on prescribing conditions for investments in hedge funds, and on conditions for Smoothed Bonus Policies to form part of Default Investment Portfolio policies.
In keeping with the FSCA’s mandate, the Conduct Standards are aimed at client protection.
The draft Pension Funds Conduct Standard prescribes conditions on the delegation of administration of securities, and applies to both local and offshore securities.
Similarly, the draft CIS Conduct Standard aims to bring about fair treatment of investors, and sets out requirements in terms of contracting with clients as well as minimum disclosure standards and record keeping.
The Hedge Fund Conduct Standard prescribes the conditions that a fund must comply with in order to invest in hedge funds. These include investing only with registered managers, disclosing whether the fund’s exposure to embedded derivatives exceeds 100% of those derivatives, and requiring fund boards with insufficient expertise in hedge funds to obtain professional advice.
The Smoothed Bonus Conduct Standard prescribes the (quite technical) conditions with which a smoothed bonus must comply to meet the definition of “default investment portfolio”.
For the full notices and comments templates click here, and here, and here, and here.
FSCA Awarded Judgement pertaining to Public Protector’s Flawed Report
The High Court provided its judgement on the Report of the Public Protector (46 of 2018/19) following a complaint by the Economic Freedom Fighters (EFF).
The report was set aside as constitutionally invalid and unlawful as it fell outside the Public Protector’s jurisdiction. The Public Protector was ordered to pay the FSCA’s costs.
The original report investigated allegations of maladministration, abuse of power, and improper conduct by Advocate Dube Tshidi in his capacity as executive officer of the (then) Financial Services Board.
Read the full judgement here.
INFORMATION REGULATOR – POPIA (PROTECTION OF PERSONAL INFORMATION ACT)
From 1 November 2020, organisations will have just eight months left in which to achieve POPIA compliance.
At this stage, these are the things that you should have already achieved or assessed:
- Whether your organisation must comply with POPIA.
- An understanding or awareness of POPIA.
- Who the right people are to be the information officer and/or deputy information officer of your organisation.
- Your organisation’s internal and external stakeholders.
- The resources and a budget for your POPIA compliance (consultants, cyber liability cover, network security enhancements, and ethical hacking programmes, etc.).
- Your organisation’s privacy mission statement for its POPIA compliance programme.
- Your organisation’s detailed Readiness Assessment.
- Your lawful-basis-for-processing assessments (completed, or in the process of being completed and/or documented).
- Your data inventory and mapping exercises of functional areas/business units, and related processing activities.
- Your record of processing activities derived from the data inventory and mapping exercise.
Keep in mind that the privacy notice or policy that you post on your website, or have available for inspection where applicable, must be based on your findings from the abovementioned exercises.
Data Breaches
Lombard Insurance Company Limited data breach – the correct way to manage an incident
Lombard issued a security notice on 16 July confirming that it had been the victim of a data breach. The following day, the managing director issued a statement confirming that it had been the victim of a cyber-attack.
The last update was provided on 25 September, which stated that Lombard’s data was “exploited through a vulnerability on our infrastructure service provider.” Here we refer to sections 20(b) and 21 of POPIA, which state:
“20. An operator or anyone processing personal information on behalf of a responsible party or an operator, must—
(a) process such information only with the knowledge or authorisation of the responsible party; and
(b) treat personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
…21. (1) A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.
(2) The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.”
Since the identified vulnerability was attributed to Lombard’s infrastructure service provider, we believe that a data inventory exercise, undertaken jointly by the responsible party (controller) and the operator (processor), would have assisted in identifying whether any potential risks existed in that outsourced processing.
Section 17 of POPIA states, “a responsible party must maintain the documentation of all processing operations under its responsibility as referred to in section 14 or 51 of the Promotion of Access to Information Act.” The data inventory and record of processing activities is not a walk in the park, as we can attest, but it reveals a significant amount of detail with regard to who has access to an organisation’s personal data, the type of personal data, its location, and a number of other important parameters.
The Information Regulator has suggested that this type of exercise be undertaken by way of “a personal information impact assessment”. Regulation 4(1)(b) reads: “(b) a personal information impact assessment (PIIA) is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information…”. We believe that, while a PIIA has its benefits, particularly when changing, adding, or updating a processing activity, the data inventory provides a more holistic view of an organisation’s processing activities, be they internal or outsourced.
The Lombard forensic investigation lasted slightly less than two and a half months. What is not clear is which categories of data were accessed. It would be reasonable to presume that, at a minimum, the data included names, surnames, ID numbers and/or passport numbers, addresses, and other identifying data.
We think it is important to note that the Information Regulator did not have to release a media statement regarding the Lombard breach, given Lombard’s handling of the situation.
For the Lombard media statements click here.
For further reading on both data incidents from the media, click here, and here.
FINANCIAL INTELLIGENCE CENTRE (FIC)
The FIC, through the inspection activities of the FSCA, has issued administrative sanctions against five FSPs.
Once again, the FSPs either did not have adequate Risk Management and Compliance Programmes in place or did not follow them, were not reporting transactions, were not conducting Customer Due Diligence, or were not keeping adequate records of that process.
In one instance, the FSP has neither responded to the regulators nor paid its fine, and risks further action by the regulators.
It should be noted that in some cases the financial components of the sanctions, or portions of them, were suspended for three years, conditional on the FSPs now meeting the requirements.
We remind all Accountable Institutions to ensure that their anti-money laundering programmes are documented and running smoothly.
The various notices can be found here, and here, and here, and here, and here.
FINANCIAL SERVICES TRIBUNAL
Debarments
L Everson V Econorisk (Pty) Ltd
This case had an interesting result: procedurally everything was handled correctly by the FSP, but the Tribunal found that there was insufficient substance to the case for debarment, and it was overturned. Read more here.
N Ravhuhali; RC Maja, and M Mukhuba V NBC Holdings (Pty) Ltd
This case revolves around the loss of a service provider agreement, the debarment of the applicants, and their appeal for suspension of the debarment. The Tribunal found that the allegations, which rested on what the applicants should have known or suspected, did not establish a lack of the qualities of honesty and integrity.
The debarments were set aside, and NBC Holdings was given the option of pursuing the debarment under section 153 of the Financial Sector Regulation Act, 2017. Read more here.
LL Faku V Oneplan Insurance
The debarment in this case was overturned because the Tribunal found that the employer’s findings that the representative failed the test of the qualities of honesty and integrity were borderline.
Read more here.
FROM A-PROOFED
How to write a sincere corporate apology
So you (or someone in your company) have messed up. Badly. We all make mistakes! Nobody’s perfect, and it’s often easy to forget that companies—even the biggest ones—get it wrong sometimes. Nowadays, because social media makes it easy for us to voice our opinions, mistakes or complaints are there for all to see, loud and clear!
How do you explain your company’s booboo to the public?
The proper thing to do is not to sweep mistakes or complaints under the carpet, and hope they go away. Instead, you should analyse the problem, reflect on it, address it, and quickly issue a written apology. The perfect apology can do more than just mend fences; it can also make an irate client forgive you, and will help clear up any misunderstanding. Apologising in the right way and at the right time can turn a negative into a positive for any company.
Timing
Write the apology as soon as you hear of the complaint. Not responding quickly enough can end up requiring two apologies: one for the issue itself, and another for the time it took to respond. Poor timing makes the situation worse, and can have more severe implications for your business than the original issue itself.
Apologise!
If the client is furious with you personally, take responsibility for the situation. Without offering excuses, and without emotive language, let them know that you understand that the event and your actions caused them harm.
Actions
Rather than focusing on the damage you’ve caused, write about things you’ll do to fix the situation, and the steps you’ll take to prevent it from happening again. Agree with the truth in the complaint, and stick to the facts when responding. Be as specific as possible and focus your apology on the particular event.
Blame
Take responsibility for what happened. Don’t blame clients—or anyone else—in any way.
Length of your apology
Keep your apology short and to the point. Flowery language could have a negative effect.
Keep them in the loop
While you’re looking into the problem, send an email to say: “Just a quick note to let you know that I’m looking into this matter. I’m sorry to hear that you haven’t been getting the service you deserve. I will deal with this urgently, and personally, for you.” You might even offer a deadline for a full response; just remember to meet it!
Sincerity
No one wants to read overly emotive language. Choose your words carefully, and express yourself clearly and simply. Above all, be honest.
Tone
Remember that you’re trying to repair a damaged relationship. Don’t be too defensive; this will add to the problem. Use tact and diplomacy, and be sensitive to the complainant’s opinions, beliefs, ideas, and feelings.
Give the client a choice of possible resolutions
How can you make this right? Negotiate a way that works for both of you. Sometimes just fixing the problem is enough. At other times, the client is looking for something else.
Follow-up
After you’ve written the apology, make some time to apologise in person, and if you think it’s necessary, send a gift basket.
Who should sign the apology?
It’s preferable to have a senior executive sign the apology. The client will appreciate him/her taking the time to apologise personally while thanking them for bringing it to their attention.
What will all of this do for your company?
The client’s faith in the company will be restored, and might be even stronger than it was before. They’re able to put the issue aside, and know that should a problem arise in the future, it will be quickly resolved. All of this will demonstrate that the company wants to hear both the good and the bad from clients, as a valuable source of information for improving their services.
Remember that if a client has a good experience with a company, he or she will tell two or three people at most. However, if it was a bad experience, he/she will tell anyone who will listen. The right apology will not only help you retain your clients, but may even improve the relationship that you already have with them, and potentially increase the loyalty they feel towards your company.
And if you need help, remember that I’m here to help you make your work look good. Call me.
Kim Hatchuel
083 657 3377 | kim@a-proofed.co.za
www.a-proofed.co.za