March 2022 Legislative Update
There’s a lot of compliance planning and preparation underway for the financial services industry at the moment. We’ve summarised this months’ most important issues.
South African regulation of crypto assets
As long ago as January 2019, the South African financial services regulators (i.e. the Financial Sector Conduct Authority, South Africa Revenue Services (SARS), South African Reserve Bank (SARB), National Credit Regulator, National Treasury, Competition Commission, and Financial Intelligence Centre) were developing a system to regulate crypto assets. The entities even set up a joint working group, the Intergovernmental Fintech Working Group (IFWG), to this end.
We mentioned it in June 2021, but it has been made clear that the intention is to include crypto traders, exchanges, trading platforms, advisors, brokers, and potentially miners under the structures of the Conduct of Financial Institutions (COFI) Bill once it is enacted. The proposed interventions are a proactive approach to protect consumers and the South African fiscus.
The FSCA is likely to declare crypto assets a financial product in terms of the Financial Advisory and Intermediary Services (FAIS) Act (2002) as early as this year, in an effort to protect consumers. This will require any person providing advice or intermediary services related to crypto assets to register as a financial services provider (FSP) well before the COFI Bill requirements come into force.
Crypto asset service providers will likely also have to register as accountable institutions (AIs) under the Financial Intelligence Centre Act, 2001. This is to address concerns around money laundering and terror financing through crypto assets and meet the standards set by the Financial Action Task Force (FATF) regarding virtual assets and service providers. The amendments are also expected to be finalised in 2022.
SARS is developing controls to enhance the monitoring and reporting of crypto asset transactions to comply with the Exchange Control Regulations 1961, as well as Capital Gains Tax regulations.
We specialise in ensuring that entities are properly and efficiently registered as FSPs and AIs, as well as continuing management of their license and compliance requirements. We’d recommend you contact us to assess the requirements to start getting your applications and registration in line and underway.
THE FINANCIAL SECTOR CONDUCT AUTHORITY (THE FSCA)
Draft Financial Sector Transformation Strategy
The FSCA released its draft Financial Sector Transformation Strategy for comment on 28 February.
The COFI Bill aims to empower the FSCA in relation to financial sector transformation. The FSCA’s new powers will allow it to issue conduct standards regarding transformation. At present, it only proposes requiring institutions to draw up transformation plans, and will then police their achievement.
Comments are due by 29 April, and are to be submitted using this format.
It’s a fait accompli that this will go ahead, but it seems a stretch to argue the responsibility falls under the FSCA’s role to ensure fair outcomes for clients.
Specific exemption from the competence requirements for credit life and funeral product reps
On 28 February, the FSCA released Communication 4 of 2022 which (once decoded – Ed.) provided an exemption to persons affected by the changes in the insurance classes and sub-classes introduced through the Insurance Act, 2017 (where credit life policies were previously short-term policies and are now long-term category B1 or B2) as well as those where funeral products that were written under the assistance business class under the Long-term Insurance Act was classified as long-term insurance subcategory A.
The conditions stipulate that affected FSPs must notify the FSCA and request the correct categories be added by 31 August 2022. Three months after the amendment to the categories is made, FSPs must submit a revised representative register. No fees will be levied for the changes.
The FSCA has also seen fit to exempt representatives under supervision from meeting ‘new’ requirements in terms of the class of business, experience, and qualification requirements.
Should you need any assistance with an application, please contact us.
Intermediaries to dodge clawbacks on voided policies
The FSCA notified the short-term insurance industry of its intention to allow intermediaries to retain the full commission should a policy be voided by an insurer (see Communication 9 of 2022).
The FSCA is of the opinion that the ‘clawback’ of commission is unfair to intermediaries, and has proposed an exemption to Regulation 5.4 of the Short-term Insurance Act, 1998. The exemption would be subject to the following conditions:
- The policy must have been entered into 12 months or more before the policy was voided.
- The intermediary must demonstrate that it engaged with the policyholder during the term of the policy no less than once every six months.
- The intermediary must satisfy the insurer that it was not aware, or could not reasonably have been expected to be aware, of the material misrepresentation or non-disclosure by the policyholder that resulted in the policy being voided.
Comments are due by 22 April.
FSCA complaints management survey
The FSCA requested some intermediaries, retirement funds, and retirement fund administrators to complete a survey on complaints received over the 2021 calendar year. The ‘request’ requires the survey to be completed by 8 April.
If you have implemented a complaints policy, procedures, and register as per our recommendations and are participating, this is a good opportunity to test your systems.
If you’re still working on an ‘old’ complaints policy (i.e. pre 1 April 2018), or are not comfortable that your systems are operating properly, please contact us.
FSCA grants Sovereign Africa Ratings (Pty) Ltd credit rating agency license
The FSCA approved the license application of Sovereign Africa Ratings (Pty) Ltd (SAR) to operate as a credit rating agency from 8 March 2022.
FSCA revises penalty amounts
The FSCA revised the penalty amounts for failing to furnish returns or other information in terms of the Long-term and Short-term Insurance Acts.
The penalty now stands at R7 250 per day that the information is not supplied.
PRUDENTIAL AUTHORITY (PA)
Benchmark Conduct Standard
The PA released a draft Conduct Standard relating to the provision of a benchmark under FSCA Communication 5 of 2022 on 28 February.
The draft Conduct Standard aims to create a regulatory framework for relevant benchmarks. Accordingly, new and existing benchmark administrators will be required to apply for a license in terms of the Financial Sector Regulation Act and evidence compliance with the requirements in the draft Conduct Standard.
Comments are to be submitted to FSCA.RFDStandards@fsca.co.za by 12 April.
Rotation of the deputy governors of the SARB and appointment of Fundi Tshazibana as the Chief Executive Officer of the PA
SARB Governor Lesetja Kganyago advised the SARB board of directors in November 2021 of his decision to rotate the three deputy governors (DGs) into different portfolios. This is being done in line with global best management practice, aiming to develop a pipeline of well-rounded central bankers.
The governor has appointed Fundi Tshazibana as the new Chief Executive Officer (CEO) of the PA.
DG Rashad Cassim will now oversee the financial markets and international cluster responsible for financial markets, international economic relations and policy, and legal services.
DG Kuben Naidoo will oversee the SARB’s Financial Stability and Currency Cluster.
All changes will be effective from 1 April 2022.
The full press release is available here.
PA 2022 insurer monitoring focus
Communication 6 of 2022 detailed the PA’s monitoring focus area on insurers for 2022. Simply put, it’s “Succession Planning” but that is quite simplistic.
The PA will base its monitoring on the governance standards encapsulated in the Governance and Operational Standards for Insurers together with the Governance and Operational Standards for Insurance Groups including the Governance and Operational Standard for Microinsurers, issued in terms of the Insurance Act 18 of 2017 (Insurance Act), the King Code (King IV) on Corporate Governance, and other corporate governance best practices.
As usual, insurers’ CEOs and auditors are required to provide written acknowledgement to their FSCA team.
We’re sure that this will have a knock-on effect in the intermediary market as well, and would recommend that underwriters, administrators, and intermediaries start reviewing their succession and continuity plans.
The PA also plans on monitoring anti-money laundering (AML) activities
The PA released a draft directive applicable to AIs, but limited to those that the PA has direct jurisdiction over, namely banks and long-term insurers.
If finalised, the directive will require these AIs to submit AML and counter-financing of terrorism risk returns to the PA on a quarterly basis.
This is on the back of the poor report South Africa received from the FATF. The PA is of the opinion that it should involve itself in the monitoring of AML and terrorist financing in addition to the activities of the FIC. This will no doubt result in duplication of tasks at affected institutions.
Comments are to be submitted to localbank.riskreturn@resbank.co.za by 12 April.
NATIONAL TREASURY
Top-up retail savings bond launched
The RSA Retail Bonds unit of National Treasury will be launching a new Bond – the RSA Retail Savings Top-Up Bond on 1 April.
The product is targeted at younger investors and only requires a minimum of R500 initial investment and minimum R100 investments thereafter.
The press release is available here.
FINANCIAL INTELLIGENCE CENTRE (FIC)
Jurisdictions under increased monitoring
Two advisory releases were made by the FIC on 8 March. One noting the requirement to increase monitoring of the following jurisdictions: Albania, Barbados, Burkina Faso, Cambodia, Cayman Islands, Haiti, Jamaica, Jordan, Mali, Malta, Morocco, Myanmar, Nicaragua, Pakistan, Panama, Philippines, Senegal, South Sudan, Syria, Turkey, Uganda, United Arab Emirates, and Yemen, as well as the removal of Zimbabwe from the high-risk list.
The other far more strongly noting that AIs should sever ties with institutions in the Democratic People’s Republic of Korea and continue to treat the Islamic Republic of Iran as a high-risk jurisdiction – requiring increased vigilance by AIs.
AIs will need to amend their Risk Management and Compliance Plans (RMCPs) accordingly and make their staff and contractors aware.
The situation in Ukraine
South Africa is a member nation of the FATF. The FATF issued a statement that expressed its concern that Russia’s aggression against Ukraine will impact on the money laundering, terrorist financing, and proliferation financing risk environment as well as the integrity of the financial system, the broader economy, and safety and security.
The FATF noted that all jurisdictions should be vigilant to the possibility of emerging risks from circumvention of measures taken in order to protect the international financial system from the money laundering, terrorist financing, and proliferation financing risks.
AIs should review their RMCPs and make their staff and contractors aware of any alterations to risk profiling standards or methodologies.
FIC imposes administrative penalties
On 10 March, the FIC released a notification that it had imposed administrative penalties on seven motor dealerships and one Kruger Rand dealer.
All eight sanctions were imposed for late or non-reporting of transactions above the R24,999.99 threshold. One included a penalty for delayed notification of a suspicious and unusual transaction.
All the sanctioned parties were also told to ‘pull up their socks’. Get in touch with us if you’re concerned that your procedures and the monitoring of your AML controls need to be checked, or you would like a general review.
Money laundering risk reports
The FIC released three reports on the risks posed by legal practitioners, Kruger Rand dealers, and estate agents on 17 March.
All three types of entities were advised of the methods criminals use to exploit the vulnerabilities in their sectors.
It’s worth noting that the financial services industry was not given a report as it appears there’s a better understanding of the risks in this space.
The reports are clear and comprehensive, and will assist entities to properly structure and update their RMCPs. However, if you need some advice or assistance please contact us.
COUNCIL FOR MEDICAL SCHEMES (CMS)
Maximum amount payable increased
The CMS confirmed that the maximum amount payable to brokers was approved by the Minister of Health, Dr Joe Phaahla. The revised amount is now R106.19 plus VAT. The 3% commission value remains unchanged.
CMS suspends Glopin Health Consultants (Pty) Ltd
The accreditation of Glopin Health Consultants (Pty) Ltd (ORG726) as a healthcare brokerage was suspended for a period of 12 months with effect from 25 February 2022.
The suspension of Glopin’s accreditation followed a complaint lodged by KeyHealth Medical Scheme for circulating personal information of KeyHealth members to candidates campaigning to be trustees of KeyHealth in the 2018 Annual General Meeting. This is in contravention of the Department of Health Notice 943 of 2017, which states that an irregular or undesirable practice occurs when a broker approaches or persuades any person to stand as a candidate for election to be a member of the board of trustees of the relevant medical scheme.
For a copy of the CMS press release, click here.
INFORMATION REGULATOR (IR)
TransUnion data breach
Here we go again! Hopefully, these hackers will be Robin Hoods with our credit scores!
Initial reports are that a criminal hacking group known as N4aughtysecTU claimed that it accessed the personal information of 54 million consumers. According to TransUnion, access was obtained via the misuse of an authorised client’s credentials.
N4aughtysecTU claim that the information it has includes anything from credit scores, banking details, and ID numbers. As reported, the group alleges that TransUnion’s IT systems are so weak that the password used was the word “password”, in addition to breaching TransUnion as far back as 2012 without being detected.
From the brashness of the hackers, it’s safe to assume that the compromised data wasn’t encrypted. Despite the fact that encryption is not specifically mentioned in POPIA, section 19 (1) requires responsible parties to secure the integrity and confidentiality of personal information by taking “appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction”.
Media reports have speculated that TransUnion could be faced with the maximum penalty of R10 million if its safeguards are found to be insufficient. In addition, the IR gave TransUnion a deadline of 22 March to submit details of the hacking incident, such as the number of affected parties and TransUnion’s plan to notify affected data subjects.
While TransUnion is compiling the information for the IR, data subjects should be on the alert for phishing attempts and impersonators via text message, email, or telephonically, and shouldn’t share passwords or one-time PIN codes with anyone.
As at 25 March, the hackers had not been paid and had made further threats.
TransUnion has announced that at least three million South Africans have been impacted by the recent data hack. The stolen data includes names, ID numbers, dates of birth, gender, contact details, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and VIN numbers.
In isolated circumstances, spouse information, passport numbers, and credit or insurance scores may be impacted.
The IR has ordered TransUnion to publicise details of the information hackers have stolen in newspaper and television adverts and on all radio channels using all of South Africa’s official languages.
The extent of the breach means banks and insurers are also at risk as criminals can use the leaked data to pass security checks that aim to verify customers’ identity. This means that South African banks and insurers may have to modify the internal verification systems they use to detect fraud.
By combining data sets of previously stolen ID numbers, home addresses, and phone numbers with the new credit information, the hackers have the ability to create detailed records.
The regulator says it will conduct an assessment of TransUnion’s security systems. It ordered TransUnion to provide confirmation that a criminal case has been opened with the police.
THE FINANCIAL SERVICES TRIBUNAL
Decision – Tawuya Dzinopana Rogers Nhongo v Brough Capital Proprietary Limited
This case revolves around the procedural issues of a debarment under section 14 of the FAIS Act.
Section 14(3)(a) states that an FSP must, before debarring a person:
- give adequate notice in writing to the person stating its intention to debar the person;
- provide the grounds and reasons for the debarment;
- provide any terms attached to the debarment, including, in relation to unconcluded business, measures for the protection of the interests of clients;
- provide the person with a copy of the FSP’s written policy and procedures governing the debarment process; and
- give the person a reasonable opportunity to make a submission in response.
The respondent FSP didn’t deal with the requirements of items (iii) or (iv) above, which led to the non-compliance and as a consequence non-compliance with section 14(3)(c) which states that the FSP must, “immediately after making the decision notify the person in writing of:
- the FSP’s decision;
- the persons’ rights in terms of Chapter 15 of the Financial Sector Regulation Act; and
- any formal requirements in respect of proceedings for the reconsideration of the decision by the Tribunal.”
The Tribunal determined that the debarment proceedings were procedurally irregular and unfair, and set the debarment aside.
PROPERTY PRACTIONERS REGULATORY AUTHORITY
Property Practitioners Continuing Professional Development (CPD)
The Property Practitioners Act, 22 of 2019 commenced on 1 February 2022.
Other than the operational, governance, and consumer protection requirements (which FSPs should be au fait with), the Act imposes a requirement for practitioners to achieve CPD.
There is no mention of reciprocal CPD across industries; in fact, it seems all CPD in this sphere must be obtained through an approved body. However, that’s not to say that well-chosen topics may not be registered for FAIS purposes.
At present, the Property Practitioner CPD runs on a three year cycle where practitioners must complete a total of 12 modules and a minimum of four per year. CPD providers are limited to those approved by the Property Practitioners Regulatory Authority.
FROM A-PROOFED
No extra reading as Kim Hatchuel is recovering from retina surgery earlier in March.
If there’s anything you’d like Kim to write about for the April Legislative Update, please send her an email (kim@a-proofed.co.za)