January 2022 Legislative Update
Welcome back after what we hope was a good break and time to recharge.
This year is likely to have many changes to the legislative frameworks of the financial services industry. We’ll keep you up to date and guide you through them.
All the best for the year ahead.
THE FINANCIAL SECTOR CONDUCT AUTHORITY (THE FSCA)
Regulatory Strategy
To close off the year, the FSCA released its Regulatory Strategy which addresses its regulatory and supervisory strategies for the next three years, detailing the key outcomes and guiding principles.
Readers may recall the original strategy published in 2018. This version updates the supervisory principles to the following:
- pre-emptive and proactive
- intensive and intrusive
- risk-based and proportional
- transparent and consultative
- outcomes-based
- comprehensive and consistent
- a credible deterrent
- aligned with applicable international standards
The Regulator plans to include financial benchmark providers, debt collectors, registered credit providers, payment service providers, authorised dealers, and authorised dealers with limited authority under its supervisory control, so we can expect a few busy years.
Personal lines claims information request
The FSCA issued a request for personal lines claims information from all non-life insurers that subscribe to the Ombud for Short-Term Insurance.
The claims information is for the calendar year of 1 January to 31 December 2021, and must be submitted in the format provided in the link by 28 February 2022.
Conduct of Business Return development update
FSCA Communication 22 of 2021 provided an update on the progress of the development of the cross-sectoral Conduct of Business Return (Omni-CBR); essentially confirming that the Omni-CBR should be available for comment this year.
PRUDENTIAL AUTHORITY (PA)
Prudential standards on audit requirements for insurers
On 8 December 2021, the PA published prudential standards on audit requirements for insurers and controlling companies which came into effect on 1 January 2022.
The prudential standards set out the information for supervisory purposes that insurers and controlling companies must have audited, reviewed, and reported on by their auditors, and prescribe the period within which audited annual financial statements and audited information on security held in trust (in the case of Lloyd’s and branches of foreign reinsurers) must be submitted to the PA and disclosed to the public.
The PA has also published Guidance Notice 5 of 2021 to assist insurers and controlling companies in complying with the requirements outlined in the prudential standards.
Insurer licence confirmation convention
The PA and the FSCA released Joint Communication 7 of 2021 on 17 December 2021.
The Communication details the PA’s and the FSCA’s expectation of insurers and controlling companies when disclosing their licence status.
The Communication is not prescriptive, but it does supply examples of the wording recommended in respect of insurers:
“Insurer licensed to conduct life insurance business”
“Insurer licensed to conduct non-life insurance business” or
“Reinsurer licensed to conduct life insurance business”
“Reinsurer licensed to conduct non-life insurance business”
“Reinsurer licensed to conduct composite insurance business” or
“Microinsurer licensed to conduct life microinsurance business”
“Microinsurer licensed to conduct non-life microinsurance business”
“Microinsurer licensed to conduct composite microinsurance business”
and in respect of controlling companies:
“XYZ Limited a licensed controlling company”
“XYZ Limited a licensed insurer conducting life/non-life insurance business and a licensed controlling company”.
It may be time to change your letterheads and branding (again).
Regulatory reporting returns for financial conglomerates
The PA published the following prudential standards which came into effect on 1 January 2022:
- FC02 – Intragroup Transaction and Exposure Requirements for Financial Conglomerates (prudential standard FC02)
- FC03 – Auditor Requirements for the Holding Companies of Financial Conglomerates (prudential standard FC03)
- FC04 – Governance and Risk Management Requirements for Financial Conglomerates (prudential standard FC04)
- FC05 – Risk Concentration Requirements for Financial Conglomerates (prudential standard FC05)
The regulatory reporting returns must be completed for the reporting periods:
- January to June, and
- July to December.
The regulatory returns must be submitted by the holding company of the financial conglomerate within a period of two months after the end of the reporting period, the latest being the end of August and February, for the January to June and July to December reporting periods, respectively.
The full standards are available here.
Cybersecurity and cyber resilience requirements
On 15 December, the FSCA and the PA released Joint Communication 6 of 2021 which detailed proposed standards on banks, insurers, CIS managers, market infrastructures, administrative and discretionary financial service providers (FSPs), pension funds, and over-the-counter (OTC) derivative providers.
The draft Joint Standard does not provide overly specific requirements on these institutions, but rather requires that frameworks be developed that are suitable to their activities. The frameworks will have to encompass the following requirements: data, application, system and network security; cryptography; awareness and training; detection, response, recovery and incident management methodologies; information sharing; effectiveness, vulnerability, penetration, simulation and application security testing methodologies; remediation management; a learning feedback mechanism; access management; and access defence mechanisms.
There is also a 24-hour incident reporting requirement, rather than the fairly loose Promotion of Access to Information Act requirements.
With the rapid move to online and remote working and the commensurate increase in cybercrime, this standard clearly aims to protect consumers.
Comments are due by 15 February 2022.
Directive on operational resilience for banks
The PA released Directive 10 of 2021 on 14 December 2021.
The Directive instructs banks to consider the adequacy and robustness of their current policies, processes, and practices related to operational resilience against the best practices contained in the Basel Committee on Banking Supervision paper on principles for operational resilience.
A copy of the Directive is to be provided to institutions’ external auditors, and the acknowledgement of receipt duly completed and signed by both the chief executive officers of the institutions and the auditors should be returned to the PA.
Proposed banking directive: requirements for conducting the business of a representative office in and outside South Africa
The PA also released a draft Directive on 14 December 2021.
The PA requires representative offices of foreign banking institutions operating in South Africa and representative offices of South African banks operating outside South Africa to establish and maintain an internal control system in line with the nature, complexity, and risk inherent in the representative office’s activities. This process includes the maintenance of effective risk management by the representative office. The proposed Directive sets out the requirements of the PA in this regard in order to ensure the consistent application of the requirements.
Comments are due by 31 January 2022.
PA funding model: fees and levies
The PA released the details of its proposed funding model envisaged to come into effect on 1 April 2022.
Entities affected are the “supervised entities”, i.e. insurers, financial conglomerates, market infrastructures, co-operative financial institutions, and banks.
The hybrid funding model sees partial funding from the South African Reserve Bank (SARB), and the remainder made up in collections from supervised entities. Levies will be calculated via a formula applicable to each type of supervised entity, and are proportional to the size of the entities.
Two special levies will be charged to cover initial costs.
Initially entities will complete the necessary details via an online form, and their levy will be determined. Future levies will be determined from information in the returns to the PA.
Fees will be charged for the PA to perform certain functions which will allow for the removal of annual licence fees payable to the PA.
SOUTH AFRICAN RESERVE BANK (SARB)
The Corporation for Deposit Insurance (CoDI) has made significant progress in implementing its mandate since the draft Financial Sector and Deposit Insurance Levies Bill was released in 2021.
CoDI is now in the process of being set up as a subsidiary of the SARB, and plans are underway to develop an information technology system.
In case you missed it last year, the purpose of CoDI is to reimburse depositors at banks with up to R100,000 per depositor should the SARB choose to close and liquidate a failing bank. This discussion document provides the full details.
The Bill was introduced to the National Assembly on 21 January 2022.
FINANCIAL INTELLIGENCE CENTRE (FIC)
Guidance on domestic prominent influential persons and foreign prominent public officials
The FIC issued Public Compliance Communication (PCC) 51 on 3 December 2021 which provides further guidance on domestic prominent influential persons (DPIPs), foreign prominent public officials (FPPOs), their immediate family members, and known close associates. The PCC was adapted following industry comments, and the responses are available here.
The PCC provides guidance on how to handle scenarios where persons are no longer DPIPs or FPPOs, and assists accountable institutions with potential indicators that may aid in determining the money laundering (ML) risk that DPIP clients pose.
Not all DPIPs pose an inherent high ML risk. However, FPPOs are considered to pose an inherent high ML risk, and the business relationship with an FPPO is always deemed high risk. Even though a person may no longer meet the definition of holding either a DPIP or FPPO position, the risk factors relating to having been a DPIP or FPPO may still be relevant in determining the ML risk associated with the client.
When establishing a business relationship with DPIPs rated as a high ML risk, and/or FPPOs, their immediate family members or known close associates, the accountable institution must conduct enhanced due diligence as part of their customer due diligence and fulfil the requirements as set out in the applicable sections of the FIC Act (specifically sections 21F, 21G, and 21H).
The PCC provides updates regarding sources of information on DPIPs and FPPOs, as well as indicators of heightened ML risk, but should be read in conjunction with Guidance Note 7.
It is also reiterated that ongoing due diligence is important, as the DPIP or FPPO status of the client and of other persons can change.
Reading between the lines, it seems that the FIC laboured the point that any person who is ever categorised as a DPIP or FPPO will always require suitable extra scrutiny in terms of their ML and terrorist financing risk, as their influence can never be considered to have ended.
Once again, accountable institutions will need to revise their Risk Management and Compliance Plans (RMCPs) to ensure that the requirements are met. Should you need assistance in assessing and updating your RMCP, please contact us.
FAIS OMBUD
The FAIS Ombud has moved offices to: Menlyn Central Office Building, 125 Dallas Avenue, Waterkloof Glen, Pretoria, 0010.
FSPs whose disclosure documentation includes the physical address information will have to update this document (yet again).
However, because of COVID-19 restrictions, the FAIS Ombud is still not conducting meetings at its premises.
INFORMATION REGULATOR (IR)
2021 matric results
The department of education changed the way it disseminated the 2021 matric results in an attempt to comply with the Protection of Personal Information Act and safeguard the personal information of matriculants. The proposal was to do away with the publication of the matric results in newspapers as in the past, and have matriculants access their results via the department of basic education’s website. In the past, a matriculant would identify their results by way of their identity number.
The High Court in Pretoria granted an application by matric student Anlé Spies, lobby group AfriForum, and Maroela Media to have the results published in newspapers as per previous years. The court ordered that personal details, like the first and last names of the students, were not to be published. The court suggested that results in newspapers and online platforms publish only the matriculants’ individual exam numbers.
The above is a good example of the technique of anonymisation or pseudonymisation. Anonymisation is the data processing technique that removes or modifies personally identifiable information, while pseudonymisation is the technique of replacing any information which could be used to identify an individual with a pseudonym or a value which does not allow the individual to be directly identified.
Entity and information officer registration
In brief: registration continues to be manual because of the continued unavailability of the online portal. We recommend that this method be followed as there is no definite date when the portal will be activated.
FROM A-PROOFED
We’re all educated, right? Maybe. Even after years of school, college, and university, there are things that some people still mess up. For me, it’s maths (sorry, Mom!). For others, it’s who has right of way in a traffic circle. And for many, it’s spelling and grammar.
Words and phrases that sound fine in your head can look like nonsense when written down, or on your screen. That is, if you even realise you’ve made a mistake in the first place. It’s easy for little typos to appear in your perfectly-worded email.
But how do you prevent these sorts of mistakes if you’re not even aware you’re making them?
You can start today. Read this article to see which common oopsies resonate with you the most. Make a mental note to avoid that one in the future, or save this somewhere and refer to it when you need to remind yourself. You can also contact me to assist.
Alot / A lot
I hate to break it to all of you “alot” fans out there, but “alot” is not a word. If you’re trying to say that someone has many things, you’d say they have a lot of things. I like it a lot.
You wouldn’t say “apeach”, or “aglass”, would you?
It is never, and I repeat never, alot!
Referring to a brand or an entity as “they”
Someone I respect a lot helped me with this one, and it’s stuck. She told me to remember that a company isn’t plural; it’s one entity. So, that means that it can’t be “they”. It has to be “it”.
Who / that
When you’re describing a person, be sure to use “who”. So, you’d say, “Anke is a blogger who likes ice cream.” When you’re describing an object, use “that.” For example, you’d say, “Her computer is the one that overheats all the time.” It’s pretty simple, but often overlooked.
Me / I
Most people understand the difference, until it’s time to use this in a sentence. They’ll say something like, “When you’ve written the monthly legislative update, please send it to Kim and I.” But that’s wrong. Try taking Kim out of that sentence, and read it out loud. You’d never ask someone to send something to “I”.
“When you’ve written the monthly legislative update, please send it to me.”
Much better.
Of / have
I have a bad habit of overusing the phrase, “Shoulda, woulda, coulda.” No need to explain what it means; we all know. If we look at the words on their own, they all sound like the shortened version of “should of”, “would of”, and “could of”. But that’s wrong. I should have, or I would have, or I could have.
So next time, instead of saying, “shoulda, woulda, coulda,” I should probably say, “should’ve, would’ve, could’ve.”
Everyday / every day
If you do something seven days a week, you do it every day. Two words.
Meanwhile, everyday as a single word is an adjective that means commonplace or routine. So, no, you don’t brush your teeth everyday. That doesn’t make sense. Tooth-brushing is, however, an everyday occurrence.
Who’s / whose
Who’s is the shortened form of who is: “Who’s speaking at the conference today?”
Whose is usually before a noun to state (or ask) to whom it belongs: “Whose chocolate is this?”
Its / it’s
This one tends to confuse even the best of writers. “Its” is possessive and “it’s” is a contraction of “it is”. People get tripped up because “it’s” has an ’s after it, which normally means something is possessive. But in this case, it’s actually a contraction. The best way to test for the correct use is to replace “it’s” with “it is” or “it has”. If the substitution doesn’t sound right, you should use “its”.
I’d love to hear from you if you have other examples, or if you need help with words that you may get wrong.
I can help you make sure that you’re using the right words. Please get in touch with me to find out how I can make your work—and you—look great.
Kim Hatchuel
083 657 3377 | kim@a-proofed.co.za
www.a-proofed.co.za