May 2022 Legislative Update
It has been a slow month in terms of legislative changes. We’ll keep you informed on anything new, but it seems a good time to get into those projects you’ve been planning since January.
THE FINANCIAL SECTOR CONDUCT AUTHORITY (THE FSCA)
Warnings on crypto traders
The FSCA released two warnings regarding entities purporting to be crypto traders on 25 April 2022. The first warned consumers about Bitminer Blockchain Core trading as Bitminer Limited; the second, about Cryptosatrade.
Bitminer was illegally using the financial service provider (FSP) number of Wingfield Motors (45332), and holding itself out to be an authorised FSP offering daily returns of 11%.
Cryptosatrade trades cryptocurrencies on behalf of the public, offering large returns which never materialise. Apart from not being a registered FSP, Cryptosatrade is also not responding to the Regulator’s queries.
It’s the Wild West out there in the cryptoverse!
Annual compliance reports
Well this is simple – there are none (again) this year! The FSCA is still working on the Conduct of Business Report which will only be released once the Conduct of Financial Institutions Act is promulgated.
There are also no handover reports for FSPs changing compliance officers, but irregularity reports are still necessary should a compliance officer find that an FSP is in breach of the FAIS Act or regulations.
Read the full notice here.
Exemption of credit life and funeral policy Key Individuals (KIs) and Representatives (Reps)
In our March 2022 update, we discussed the FSCA’s concerns regarding the effect of the changes to licence categories in 2017 to align the credit life and funeral benefits correctly under the Short-term and Long-term Insurance Acts. The change had resulted in KIs and Reps being prejudiced in terms of their fit and proper requirements.
A notice (rather than a communication) has been released to exempt all KIs and Reps affected.
The effective difference between the February and April documents is the addition of sub-categories B1-A and B2-A to the list of licence categories, as this is where many of these products fall.
Affected FSPs must notify the FSCA and request the correct categories be added by 31 August 2022. Three months after the amendment to the categories is made, FSPs must submit a revised representative register. No fees will be levied for the changes.
Should you need any assistance with an application, please contact us.
Continuous Professional Development (CPD) deadline
A reminder that the deadline for Reps and KIs to achieve CPD is 31 May. Please ensure that you are up to date, and that it is recorded in your Competence Register.
RE1 and RE5 preparation guide
The FSCA released another upgrade to the RE1 and RE5 preparation guide. Always make sure to reference this against your learning material if you’re going to be writing one of the exams.
Vehicle and asset finance introductory commissions request for information (RFI)
The FSCA released (yet another) RFI on Friday 13 May.
This RFI is quite extensive, comprising 134 questions, and is aimed at FSPs and institutions providing vehicle and asset financing (specifically banks, credit providers dealing in vehicle asset finance, and motor dealers). The intent is to allow the FSCA and Prudential Authority (PA) to better understand the environment and practices around dealer introductory commissions.
We will liaise with those of our FSPs that are required to submit and ensure the return is completed by the 30 June 2022 deadline. We’re happy to assist anyone who needs to respond, so get in touch if you need help.
SOUTH AFRICAN RESERVE BANK (SARB)
Ubank placed under curatorship
The SARB had no choice but to place Ubank Limited (Ubank) under curatorship during May.
Ubank provides basic financial services to mine workers and their families. It was placed under curatorship due to the PA’s concerns regarding: corporate governance, internal control weaknesses, and the prolonged period it has taken to secure the injection of sufficient capital to comply with the minimum capital requirements and diversify the bank’s business model. Resolving these issues will ultimately ensure the future sustainability of the bank.
The Minister of Finance has appointed KPMG South Africa as the curator, with Zola Beseti as the representative. Beseti is a director at KPMG, a member of KPMG’s policy board, and is based in Johannesburg.
According to the PA, Ubank remains highly liquid. It is confident that depositors will have continued access to their money and other banking services offered by the bank in the ordinary course of business.
The curatorship also prompted the FSCA to release a statement to Ubank customers confirming that their deposits remain safe, and urging them to not withdraw their money.
We certainly hope this intervention has been made in time: those affected are likely the least able to endure yet another financial setback.
Corporation for deposit insurance
It seems no coincidence given the above article that the SARB released a discussion paper on the approach to deposit insurance communication and public awareness requirements for banks in relation to the tabled Corporation for Deposit Insurance (CoDI).
The paper aims to clarify how CoDI will collaborate with financial sector participants in informing depositors of the benefits and limitations of the protection it offers. The paper also discusses the role of member banks in deposit insurance public awareness.
This certainly makes it clear that the SARB will be pushing ahead with CoDI. The paper requests comments be submitted by 24 June 2022.
NATIONAL TREASURY
S&P Global Ratings
Some good news at last! S&P has revised South Africa’s credit rating outlook to positive from stable.
The upgraded rating can be attributed to favourable terms of trade in the global market, a large net external asset position, flexible currency, and deep domestic capital markets. The agency expects South Africa to post a current account surplus in 2022. S&P also notes some improvement on the implementation of key reform targets under Operation Vulindlela.
COUNCIL FOR MEDICAL SCHEMES (CMS)
In order to comply with POPIA, the CMS has removed access to the portal used to check on the accreditation status of health services benefits advisors and brokers.
This information will have to be obtained directly from the organisations and brokers in future.
INFORMATION REGULATOR
It just seems to be raining and pouring data breaches in Mzansi; you have to wonder how vulnerable these hacker syndicates consider us, as well as how much money they think we have!
We have all heard about the Dis-Chem data breach that was announced on 11 May 2022.
In short, Dis-Chem said its investigation so far showed that the hacker gained access to first names, surnames, email addresses, and cell phone numbers belonging to more than 3.6 million people.
Dis-Chem said it came to its attention on 1 May that an unauthorised party had managed to access a database held by a Dis-Chem third-party service provider, which contained personal information related to the managed services offered by Dis-Chem. The service provider suffered the data breach on 28 April.
As of 24 May 2022, there has not been an official media statement from the Information Regulator.
We did some research to ascertain whether there is a common theme. The table below provides a summary of the data breaches from 1 July 2020 to date that have been officially announced.
Responsible party | Third-party service provider / authorised user access | Date of breach | Technique used | Types of personal information affected | Impact of the data breach |
Lombard Insurance | Unknown | July 2020 | Unknown | Not disclosed by Lombard. | Unknown. |
Experian South Africa | No | August 2020 | Social engineering tactics | ID numbers, physical addresses, contact details, occupation, and job history, business data including company turnover values, business registration, credit, and financial information. | Reputational damage. |
Absa Bank | No | November 2020 | Absa revealed that the leak was caused by an employee. The employee had unlawfully made selected customer data available to a small number of external parties. | Personal information linked to 200,000 accounts, including identity, cellular and account numbers. | Unknown, but potential reputational damage. |
South Africa insurance industry | Yes – QSure, a third-party service provider – collection agents for collection and premium handling services for the South African insurance industry. Its clients include big insurance companies and insurance brokers. | June 2021 | Preliminary investigations indicated that the compromised data had been “exfiltrated” from the company’s servers. | Data relating only to policyholders who are clients of QSure’s customers (insurers and brokers), and includes banking details, limited to the account holder name, bank account numbers, and bank branch codes. | Reputational damage – increased risk of fraud and other identity crimes associated with the information being in the hands of cybercriminals. |
Transnet | No | July 2021 | Possibly “Death Kitty” ransomware. | Allegedly, personal data, financial reports and other documents. | Crippled IT systems and impacted operations on the ground, including the processing of cargo imports and exports. |
Department of Justice and Constitutional Development (DOJ and CD) | No | September 2021 | Ransomware attack. More details are still awaited, but suspected denial of service. | Full names, banking information, and contact details of those who used services of the DOJ and CD, including the IRSA’s Information Officer registration exercise PI. | All information systems encrypted and unavailable to internal employees as well as members of the public, the Information Regulator. |
Standard Bank and property firm Lightstone | LookSee online platform, a Standard Bank home services platform | December 2021 | Awaiting details on whether the breach was a hack or an unauthorised third party accessing the data. | Personal information of some property owners, including individual names, identity numbers, entity registration numbers, marital status and physical addresses may have been exposed. | Reputational damage for the time being. |
FNB, Absa, Standard Bank and African Bank | Yes – Debt-IN Consultants | September 2021 | Ransomware attack. | Consumer and employee personal information. | Confidential consumer data and voice recordings of calls between Debt-IN debt recovery agents and financial services customers have been posted on the dark web. |
TransUnion | Misuse of an authorised client’s credentials | March 2022 | Ransomware attack. Further details awaited. | Name; ID number; date of birth; gender; contact details; marital status and information; identity of employer and duration of employment; vehicle finance contract number; VIN numbers. | Reputational damage and potential fines. |
Dis-Chem | Yes – Dis-Chem third-party service provider | May 2022 | Reported as an unauthorised access of customer information. | First names and surnames; email addresses and cell phone numbers. Further details awaited. | Reputational damage and potential fines. |
These are the data breaches that we are aware of. In December 2021, the Information Regulator indicated that 139 South African organisations had reported that they have suffered a data breach since POPIA was enforced.
What can we learn? Ensure that any operator processing personal information on behalf of a responsible party does so only with the knowledge or authorisation of the responsible party, under a written contract. Then make sure that the third-party service provider has adequate security measures in place, and ask them what they have done to ensure POPIA compliance. Remember, the responsible party is responsible for POPIA compliance, but it’s your reputation on the line.
In future, the potential penalties imposed by the Information Regulator will be published via a page dedicated to “enforcement notices” that has been recently added to the Information Regulator South Africa’s website.
What is the cost of data breaches in South Africa? According to the “IBM Security Cost of a Data Breach Report”, the average cost was $3.21 million (about R53 million at the time of writing) – the highest in the southern hemisphere.
Data breaches are not limited to big organisations. The fact is that any organisation is vulnerable to cybercrime, and needs to have the necessary measures in place to adequately protect its business and customers.
THE FINANCIAL SERVICES TRIBUNAL
Decision – Tarryn Pillay v FSCA and Sanlam Life Insurance Ltd
This case revolves around the procedural issues of a debarment carried out by the Regulator, which debarred the Representative for a period of five years. The case illustrates how to effect a debarment where the facts only come to light after the Representative has left the employ of the FSP and been removed from its register.
The details were as follows: the applicant resigned in the middle of 2019 from Sanlam, where she was employed as a Representative remunerated on a commission basis. After her resignation, Sanlam discovered that the applicant had earned nearly R200,000 in commission on lapsed policies, where the first premiums were not paid.
Since the ill-gotten commission earnings were discovered at a later stage, Sanlam was unable to institute debarment proceedings against the applicant due to the expiry of the time limits set in section 14 of the FAIS Act 37 of 2002, and thus submitted its report to the FSCA.
The Tribunal determined that the debarment was justified, and dismissed the application for reconsideration since the applicant contravened the requirement to maintain personal character qualities of honesty, integrity and good standing.