July 2021 Legislative Update
We trust by now that many of you have had your first vaccine ‘jab’, or have even finished the process. It seems that the 35-49 cohort understands the science and is keen to get “normal life” back on track as soon as possible, because it showed the highest and fastest vaccine registration.
As if the COVID-19 pandemic wasn’t enough, the recent civil unrest firmly put the brakes on much of South Africa’s positive attitude. South Africans are a resilient bunch, and we’ve learnt to celebrate our differences – together we will overcome this too.
Here’s a great Money Marketing article by Izak Odendaal and Dave Mohr from Old Mutual Wealth on our collective next steps (and some investment advice).
Subscription Notice
In the aftermath of the Protection of Personal Information Act (POPIA) madness, we updated our privacy statement and mailing lists. Kim Hatchuel from A-Proofed assisted us, and we’re thrilled with the result. If you’re a new recipient to this Legislative Update, you’re probably a contract client who we’ve noticed hasn’t been receiving it. Your contract with us means that we’re supposed to send it to you, but if for some strange reason you want to unsubscribe, just click on “Unsubscribe” at the bottom of the email (provided that’s how you got here).
If you find the information useful and think we should add someone, please let us know what their mail address is (provided you have their permission of course). You can forward the mail or share the link if you find something someone else may be interested in.
THE FINANCIAL SECTOR CONDUCT AUTHORITY (THE FSCA)
2021 Levies
Remember that the 2021 annual levies payable to the FSCA and FAIS Ombud will be calculated based on the number of Key Individuals (KIs) and Representatives noted on financial service providers’ (FSPs’) registers as at 31 August. Now is the time to make sure your records and the FSCA’s match.
Let us know what changes we need to make.
Use of Electronic Signatures and Prepopulated Documents
The FSCA released a communication regarding the use of electronic signatures by FSPs, citing a concern for their misuse.
The changes the financial services sector has implemented in response to the COVID-19 pandemic have necessitated the use of electronic solutions. As we know, the intention of a signature is to signify acceptance of the terms of some agreement.
The misuse involves situations where the client is not the originator of the signature (i.e. the client is not actually aware of the document or has allowed the intermediary to ‘sign’ on their behalf somehow), and where intermediaries ‘paste’ scanned signatures onto forms. Product providers are potentially unsure of the sequence of events and cannot be certain the forms were completed prior to the signatures being affixed. Rule 9 of the Policyholder Protection Rules requires that providers do not permit clients to sign blank or incomplete documents.
Provided there is a suitable electronic audit trail (one that records when the form was completed and when the signature was applied, or a signing platform that binds the signature to the final contents of the document), this can be clarified. A scanned signature pasted onto a form records neither. We recommend that intermediaries apply the same sequence of events to their client interactions as they did when obtaining physical copies: complete the form, have the client review it, and only then obtain the signature.
FSCA imposes administrative sanctions on Momentum Wealth (Pty) Ltd and Momentum Collective Investments RF (Pty) Ltd
This is another case of entities not meeting their obligations in terms of FICA, in particular failing to report cash transactions and to conduct due diligence on prospective clients.
The fines were R100,000 and R11,100,000 respectively, in proportion to the size of the organisations. But don’t be fooled: the same finding against your FSP could be disastrous. If you need a FICA or AML (anti-money laundering) health check, please get in touch.
Suspension of a KI
In the sad and disturbing civil unrest in South Africa recently, the CEO of an FSP was alleged to have taken part in the looting. Consequently, the FSP’s board suspended him from his duties. He is the only KI registered on the FSP’s licence. But what happens to an FSP where the KI cannot take up their role?
As usual, due process must be followed: as such the conditions applicable to their appointment as an employee/executive must be followed. The suspension alone doesn’t constitute a reason for debarment of a KI. There must be proof that individuals are in breach of the fit and proper, honesty, integrity, and good standing requirements of the FAIS Fit and Proper regulations via a formal hearing. Any result that negatively affects the KI should then be presented to the FSCA.
However, in this case suspension of the CEO means that he isn’t able to act as a KI for the FSP as he doesn’t have the operational ability or authority to do so. It follows that as the FSP no longer has a KI to manage it, it is required to halt trading and its licence should be suspended.
As mentioned, the shareholders and compliance officers have a duty to report this to the FSCA as a material irregularity, as the business is unable to continue providing financial services and clients will be negatively affected.
We would hope that the FSP’s Business Continuity Plan (BCP) includes a suitable remedy to this situation to ensure that clients are treated fairly.
There are other situations that could reach the same point. How does your BCP hold up?
FINANCIAL INTELLIGENCE CENTRE (FIC)
Public-private partnership approach to fighting financial crime
On 24 June 2021, the FIC released a notice of a partnership with members of the banking community and the sector’s regulatory and supervisory authorities. The partnership aims to target and disrupt financial crime through a financial information sharing partnership called SAMLIT (South African Anti-Money Laundering Integrated Task Force).
The banking sector is at the coalface of financial transactions, and their relationship with regulators and supervisors assists in maintaining the integrity of the financial system, including combating money laundering and terrorist financing.
SAMLIT aims to increase the understanding of the nature of financial crime. The information SAMLIT provides to law enforcement is intended to assist in the disruption of financial crime.
Read the full press release here.
INFORMATION REGULATOR – POPIA (PROTECTION OF PERSONAL INFORMATION ACT)
Promotion of Access to Information (PAIA)
The updated PAIA manual guidance for private bodies wasn’t available at the time of writing. As soon as it has been published, we will advise accordingly.
To recap, all private bodies will be required to publish their PAIA manuals with no exceptions or extensions beyond the 31 December 2021 deadline.
Processing of Special Personal Information (SPI) Authorisation Requirements
SPI comprises: religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour (including alleged offences). Section 26 of POPIA prohibits the processing of SPI unless one of the exceptions in section 27(1) applies.
The purpose of the Information Regulator’s (IR) guidance is to guide responsible parties that are required to obtain authorisation from the IR to process SPI as per section 27(2) of POPIA.
The prohibition on processing SPI doesn’t apply where:
- The responsible party has obtained the consent of the data subject.
- Processing is necessary for the establishment, exercise, or defence of a right or obligation in law.
- Processing is necessary to comply with an obligation of international public law.
- The SPI has deliberately been made public by the data subject, or the processing is for historical, statistical, or research purposes that serve a public interest.
The IR will grant authorisation to process SPI if it is satisfied that:
- The processing is in the public interest, and
- Appropriate safeguards have been put in place to protect the SPI of the data subject.
The caveat is that the responsible party must take reasonable measures to identify all reasonably foreseeable internal and external risks to the SPI in its processing.
The only way to identify foreseeable internal and external risks, we believe, would be by way of a Personal Information Impact Assessment (PIIA), and we suspect that a PIIA will have to be submitted together with the authorisation application.
Other questions on the form are along the following lines:
- Explain how the processing of the SPI is in the public interest.
- Is the processing of selected SPI in compliance with the eight conditions for lawful processing of personal information?
- Indicate if the responsible party in the Republic intends to transfer the SPI to a third party in a foreign country.
- Specify the appropriate security measures to be implemented by the responsible party to ensure the protection of the SPI of the data subject.
It should be noted that the Regulator may “impose reasonable conditions in respect of any authorisation granted” which will be decided on a case-by-case basis.
For the full guidance and application forms, click here and here.
Processing of Child Personal Information (CPI) Authorisation Requirements
This guidance is similar to that for authorisation for SPI.
Section 34 of POPIA prohibits responsible parties from processing CPI unless one of the exceptions in section 35(1) applies.
The prohibition does not apply where the processing of CPI is:
- Carried out with the prior consent of a competent person.
- Necessary for the establishment, exercise, or defence of a right or obligation in law.
- Necessary to comply with international public law obligations.
- For historical, statistical, or research purposes, where the purpose serves a public interest, or where it would be impossible or involve disproportionate effort to ask for consent, and sufficient guarantees are provided that the processing does not adversely affect the privacy of the child to a disproportionate extent.
- Already public knowledge with the consent of a competent person.
The Regulator will grant authorisation to process CPI if it is satisfied that:
- The processing is in the public interest, and
- Appropriate safeguards have been put in place to protect the CPI of the data subject.
The safeguards for CPI are just as onerous on responsible parties as those for SPI:
- Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control (PIIA).
- Establish and maintain appropriate safeguards against the risks identified.
- Regularly verify that the safeguards are effectively implemented.
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
The IR may “impose reasonable conditions in respect of any authorisation granted” which will be decided on a case-by-case basis and may include:
How a responsible party must:
- Upon request of a competent person, provide a reasonable means for that person to:
- review the processing of the personal information of children
- refuse to permit its further processing of personal information of the child.
- Provide notice:
- regarding the nature of the personal information of children that is processed
- how such information is processed
- regarding any further processing practices.
- Refrain from any action that is intended to encourage or persuade a child to disclose more personal information about himself or herself than is reasonably necessary given the purpose for which it is intended.
- Establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information collected from children.
Responsible parties are required to provide detailed responses on the following:
- Detail the description of the categories of CPI or categories of information relating thereto, which the responsible party intends to process.
- Explain how the processing of the CPI is in the public interest.
- Whether the processing of the CPI is in compliance with the eight conditions for lawful processing of personal information.
- Whether the responsible party in the Republic intends to transfer CPI to a third party who is in a foreign country.
- Specify the appropriate security measures to be implemented by the responsible party to ensure appropriate protection of the CPI.
For the full guidance and application forms, click here.
Encryption and Password Protection
The end of POPIA’s grace period on 1 July 2021 has created uncertainty as to what to do with policy schedules, emails, and documents exchanged between product suppliers, intermediaries, and policyholders.
Some responsible parties, such as product suppliers, require intermediaries to password protect documents or to use encrypted email. A number of cyber liability insurance policies also list encryption as one of many requirements for obtaining cover.
Encryption does not stop a laptop being lost or an email being sent to the wrong address, but it makes the personal information in them unreadable to whoever ends up with them. That reduces the chance that an incident becomes a reportable security compromise, and with it the exposure to fines.
Processing personal information always carries some risk, and for any business of reasonable size a cyber-attack is a question of when, not if. Risk management therefore plays an ever-larger role in IT security, and encryption is one of the controls suited to managing that risk.
Encryption is the procedure that converts readable text (plaintext) into ciphertext using a key; the ciphertext can only be turned back into readable text by someone holding the correct key. This is not the same as hashing, which produces a fixed-length digest that cannot be reversed at all. Ciphertext is, for practical purposes, unreadable to a third party who does not hold the key, so the confidentiality of the data rests on keeping the key secret rather than on hiding the data itself.
Encryption is the standard way to protect data in transit (the TLS connection to your mail server or web portal, or encrypting the document itself before sending it) and one of the ways to protect stored personal information. It also limits abuse within a company, because only staff with access to the key can read the data. Two practical caveats: a password-protected document is only as strong as its password, so send the password by a separate channel (a phone call or SMS, never the same email as the document); and an encrypted hard drive protects a lost laptop, not data copied out by someone who is already logged in.
Encryption has further benefits. Losing an encrypted USB drive or laptop that holds personal information isn’t necessarily a security compromise that must be reported to the IR, provided the key was not lost with it, because no unauthorised person can actually read the data. And if a breach does occur, the safeguards that were in place, encryption among them, are relevant to whether the Regulator imposes a fine and how large it is.
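To make the difference between a key and a password concrete, here is a short added example in Go. It is not code from this newsletter, from any product supplier, or from any particular “encrypted attachment” product; it shows how such a tool ought to work. A key is derived from the password with PBKDF2-HMAC-SHA256 (the salt, iteration count, and key length are parameters chosen for the illustration), and the document is encrypted with AES-256-GCM. The sample document and passwords are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Parameters chosen for this example (assumptions, not a standard's defaults).
// A production tool would use a memory-hard KDF such as scrypt or Argon2id.
const (
	kdfIterations = 100_000
	keyLen        = 32 // 32 bytes = AES-256
	saltLen       = 16
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF. The output is
// a key, not a reversible encoding: nothing about the password or the document
// can be recovered from it, which is the hashing side of the distinction above.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var derived []byte
	for block := 1; len(derived) < keyLen; block++ {
		// U1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// T = U1 XOR U2 XOR ... XOR Uc, where U(i) = PRF(password, U(i-1))
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		derived = append(derived, t...)
	}
	return derived[:keyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal password-protects a document. Output layout:
//   salt (16 bytes) || nonce (12 bytes) || AES-256-GCM ciphertext and tag
// Salt and nonce are fresh random values, so sealing the same document twice
// gives different bytes; the GCM tag detects any change to the ciphertext.
func Seal(password, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(pbkdf2SHA256(password, salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(salt, nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil // salt is bound as associated data
}

// Open reverses Seal. A wrong password derives a different key, so GCM
// authentication fails and no plaintext at all (not even garbage) is returned.
func Open(password, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen {
		return nil, errors.New("sealed blob too short")
	}
	salt := sealed[:saltLen]
	gcm, err := newGCM(pbkdf2SHA256(password, salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < saltLen+ns {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[saltLen:saltLen+ns], sealed[saltLen+ns:]
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	// Constructed sample document; not a real policy schedule.
	doc := []byte("Policy schedule, client ref C-0042, premium R1 250 per month")
	pw := []byte("correct horse battery staple")
	sealed, err := Seal(pw, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d sealed bytes\n", len(doc), len(sealed))
	if pt, err := Open(pw, sealed); err == nil {
		fmt.Printf("right password: %s\n", pt)
	}
	if _, err := Open([]byte("wrong password"), sealed); err != nil {
		fmt.Println("wrong password:", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the ciphertext/tag
	if _, err := Open(pw, tampered); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

Three things to take from running it: the right password recovers the document exactly; a wrong password produces an authentication error rather than a garbled document, so an attacker learns nothing from a failed guess; and flipping a single bit of the sealed file is detected. Because the key is derived from the password, the whole scheme is only as strong as that password, which is why it must travel separately from the document.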
POPIA requires that the responsible party must take reasonable measures to:
- Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
- Establish and maintain appropriate safeguards against the risks identified.
- Regularly verify that the safeguards are effectively implemented.
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Simply put: the higher the risks involved in the data processing and the more likely they are to materialise, the stronger the security measures must be and the more of them must be taken.
We suggest that you review the types of personal information, SPI, and CPI that you process and risk-rate each of them. Then discuss the result with your IT consultant or service provider and consider the available options, costs, and benefits. Be prepared to spend on software updates, password protection, anti-virus, firewalls, remote wiping of devices, and encryption. The measures also have to be affordable and functional and must not hamper productivity, all the while matching the size and complexity of your business.
NATIONAL TREASURY
Increase of Withdrawal Amounts from RA Funds and UIF Ceiling
On 28 May 2021, National Treasury gazetted changes to the de minimis (i.e. ‘inconsequential’) withdrawal threshold for paid-up retirement annuity funds, as well as to the UIF contribution ceiling.
This comes as no surprise, as both were announced in the National Budget Review earlier this year.
The changes raise the threshold below which members with paid-up retirement annuities may withdraw their savings from R7,000 to R15,000, and increase the UIF contribution ceiling from R14,872 to R17,712 per month.
OMBUDS
Commencement of the Ombud Council
The Ombud Council officially started its work on 26 May 2021 during its first board meeting.
The meeting confirmed that the current financial sector industry ombud schemes will continue to be recognised up to 1 November 2021, and that the FAIS Ombud will continue to address complaints.
Subsequent to the meeting, the Ombud Council is now developing an operational plan to establish its office and fulfil its functions.
Read the official media statement here.
A-PROOFED
Email pet peeves
We all know how many emails we get every day (both internal and external). Most of us spend a good deal of our working day reading and replying to emails. Emails have trumped pretty much every other form of communication. Now that most of us are working from home, it’s easier for Nicole from accounts to send an email, since she can’t get up and walk the seven metres to your desk and have the conversation there.
So what are the most common pet peeves? By pet peeves, I mean things that slow you down, drive you nuts, and clog your inbox. Everyone has theirs when it comes to written communication, and here’s a brief list (yes, there are definitely more) of the absolute worst things you can do when writing an email or letter:
- Misspelled words and incorrect grammar (nothing ruins an email more than this).
- Missing punctuation and punctuation errors. (Remember that good punctuation makes for clear understanding.)
- Acronyms and abbreviations that aren’t clear.
- Not enough—or too much—detail.
- Repetition
- Requested information not provided.
- Incomplete sentences.
- Too long (please get to the point in the first paragraph).
- Excessively long paragraphs.
- Symbols, like smiley faces and other emoticons (they aren’t cute and they’re definitely not professional).
- Backgrounds and colour (makes messages hard to read).
- Fancy fonts (rather stick to Calibri or Arial and make it black). Avoid Comic Sans at all costs!
- ALL CAPS (this is a definite no-no – you don’t want to look like you’re shouting).
- Text speak (leave this to the kids on their smartphones).
- Overly affectionate (keep the affection for your loved ones).
- Multiple questions scattered throughout the email (makes it difficult to answer them).
- No subject line or subject unclear (people generally open an email based on the subject line).
- Writing the entire message in the Subject box.
- No salutation (remember to make it professional and not too informal).
- No clear purpose or desired outcome.
- Unclear deadlines.
- Using the wrong name, or spelling the person’s name incorrectly.
- Using Reply all instead of Reply (this is the biggest cardinal sin).
- Careless use of BCC (blind copy). This is a topic which has spawned much debate.
- Clicking on Forward when you actually should be replying.
- Using the recall option (emails can’t be recalled – all the recipient will see is another email saying that you wish to recall the email).
- Unnecessary or large attachments.
- Repetition
- Not checking the message before hitting Send.
Bear in mind that there’s no sure way to convey meaning or emotion in an email. The recipient might easily misinterpret something that doesn’t read clearly and concisely. If you keep your communication short, and to the point, you could possibly avoid an unpleasant situation.
I’m going to stop here because I could go on forever! Remember that if you need assistance with this and other communication/proofreading assistance, you can get in touch with me.
Do you have a pet peeve that I haven’t mentioned? Why don’t you email me and we can chat about it.
Kim Hatchuel
083 657 3377 | kim@a-proofed.co.za
www.a-proofed.co.za