August 2022 Legislative Update
On 1 September it will be three years since Omega Compliance Solutions was born. We and our clients have endured some tough times and have all grown considerably along the way. Thank you for being part of our journey!
THE FINANCIAL SECTOR CONDUCT AUTHORITY (THE FSCA)
Fit and Proper Exemption for FSPs’ Significant Owners may be removed
The FSCA released a draft change to the exemption of FSPs from the Significant Owners requirements imposed under Joint Standard 1 of 2020.
Significant Owners are parties that can influence the business or strategy of the entity. The proposed change will impose the Fit and Proper requirements on Significant Owners of FSPs.
The draft change would require FSPs – and by inference the FSCA – to verify that Significant Owners meet the Honesty and Integrity requirements. However, the FSCA is cognisant of the onerous financial responsibilities on FSPs, and the draft change excludes the requirement for Significant Owners to have the financial standing to support the business.
We have already noted that the FSCA now requires criminal checks for new applications for Key Individuals, shareholders, and directors.
Request for Information – Significant Owners
The FSCA released another Request for Information (RFI) on 12 August.
This RFI focuses on ownership issues, and is clearly aimed at informing changes to the Fit and Proper standards in the article above, as well as enhancing the anti-money laundering information of the Financial Intelligence Centre (FIC) by adding to its database.
The information that needs to be submitted relates to the first level of direct ownership of the entities as well as the potential next level above that, or indirect ownership, but does not extend further.
The RFI will not affect: banks; insurers; FSPs registered solely for short-term insurance and health services benefits; sole proprietors; and partnerships.
Submissions are to be made through the FSCA’s e-portal system, and need to be completed by 30 September 2022.
The FSCA notes that it may conduct criminal background checks based on the results of the submissions.
We will complete the submissions for our retainer clients that are affected, and will be in contact should we need any information. If you have any questions or want us to assist, please get in touch.
PRUDENTIAL AUTHORITY (PA)
Directives on Beneficial Owners and Executives
In a similar vein to the FSCA’s RFI, the PA issued Directive 6 and Directive 7.
Directive 6 requires banks to submit criminal background check reports (CBCRs) to the PA for each of their Beneficial Owners (BOs) at the written request of the PA.
They are also instructed to ensure that they provide the PA with an organogram depicting the ownership structure showing the percentages and explaining how the BOs were identified.
The PA will require banks to submit CBCRs periodically. Banks will be required to re-screen their BOs on a periodic basis, and provide the results of such screenings to the PA within 30 days.
Directive 7 requires banks to submit CBCRs of their existing, interim, and prospective directors and executive officers at the written request of the PA. Banks must also submit CBCRs in support of new applications for these positions as of 1 September 2022.
As usual, the PA requires written acknowledgment of the Directives from the banks’ CEOs and their auditors.
Suspension of Constantia Insurance Company Limited (CICL) licence
The PA announced the suspension of the insurance licence of CICL as of 29 July 2022.
The conditions of the suspension state that CICL may not enter into new insurance policies, but must continue to conduct the insurance business for policies already issued.
The prohibition is a direct result of CICL’s failure to maintain its business in a financially sound condition by not meeting the minimum capital requirement and solvency capital requirement.
In reading the affidavit appointing the curators, it seems much of the cause can be attributed to the writing off of premiums lost in the Insure Group Managers collapse.
CICL is cash solvent, and will be able to meet its claims obligations while the curators attempt to recapitalise it.
Banking and Life Insurance sector reports
The PA released two reports on 26 July: one on Banking, and the other on the Life Insurance sector.
The reports give detailed information on the risks faced by the sectors, but have a definite focus on the money laundering and terrorist financing risks faced by the sectors.
Any entities with exposure to these risks will be in line for scrutiny. We can assist with a review or update of your anti-money laundering controls should you need it.
Guidance Note on Anti-Money Laundering (AML) for crypto assets
The PA released a Guidance Note to banks on the controls required to manage the money laundering and terrorist financing risks posed by crypto assets and crypto asset service providers.
The guidelines are comprehensive, and only further confirm the regulators’ intentions to get to grips with the crypto asset industry.
The requirements read along the same lines as any other AML guideline with certain specific points relevant to the type of business.
SOUTH AFRICAN RESERVE BANK (SARB)
Position Paper on Emergency Liquidity Assistance (ELA) to banks
The SARB released a position paper on ELA to banks.
The document provides an overview of the policy framework, as well as the criteria the SARB will consider when approached for assistance.
NATIONAL TREASURY
Draft legislation for the “two-pot” system
National Treasury published draft legislation on 31 July on the “two-pot” retirement legislation reform.
The draft has a proposed effective date of 1 March 2023, but the press release noted this was unlikely as retirement funds will have to change their rules and systems, and the South African Revenue Service will have to develop methods to cater for the new retirement “pots” and withdrawals. There is also the employee and fund member training and awareness process to be undertaken.
Once passed into law, pension funds, pension preservation funds, provident funds, provident preservation funds, and retirement annuity funds will have to allocate new contributions from the commencement date of the new law to a “retirement pot” and a “savings pot”.
Contributions and growth that accumulate before the commencement date (labelled the “vested pot”) will operate under the fund rules that were in place before the legislation was amended.
Under the revised legislation, up to one-third of contributions will go to the “savings pot”, while the remainder will go to the “retirement pot”. The “savings pot” will be subject to the funds’ rules, and members can opt to not contribute to the “savings pot”.
Pre-retirement withdrawals
Members will be able to withdraw from the “vested pot”, which will be taxed through the applicable pre-retirement lump sum table.
Members will also be able to make a R2,000 minimum withdrawal from the “savings pot” once in any 12-month period. Withdrawals from the “savings pot” will be considered as taxable income, and will be taxed at the members’ marginal tax rate.
Retirement withdrawals
Amounts contributed to the “retirement pot” cannot be accessed before retirement. At retirement date, the total value must be paid in the form of an annuity (including a living annuity). The current minimum amount for purchasing an annuity (R167,500) will apply to the “retirement pot”.
Any funds available in the “savings pot” at retirement or death can either be withdrawn in full or transferred to the “retirement pot”. Where the member withdraws funds from the “savings pot” as a lump sum on retirement, the available balance will be taxed according to the retirement lump sum table.
Change of tax residence
Full withdrawals from the “retirement”, “savings”, and “vested pots” can take place if an individual ceases to be tax resident for a period of at least three years.
Transfers
Transfers will remain tax free. However, members cannot transfer amounts out of the “retirement pot”. They can transfer amounts into the “retirement pot” from other pots, or from one “retirement pot” to another “retirement pot”.
No transfers can be made into the “savings pot” unless they are from another “savings pot”, and are subject to the fund’s rules.
“Retirement pots” and “savings pots” cannot be split between funds, i.e. it’s not permissible to transfer a “savings pot” to another fund without transferring the coinciding “retirement pot” to the same fund.
FINANCIAL INTELLIGENCE CENTRE
Draft Directive on employee screening
The FIC released draft Directive 6 of 2022 on 29 July.
The Directive would require Accountable Institutions to screen employees for competence and integrity, and also scrutinise employee information against the targeted financial sanctions lists. The draft Public Compliance Communication 116 provides guidance on how to comply with this last part.
Draft guidance on Property Practitioners
The FIC released draft Public Compliance Communication 117 on 29 July.
The aim is to clarify which individuals and entities that are now classified as Property Practitioners are governed under the FIC Act. It proposes that only those entities that are still acting as “estate agents” are still governed as Accountable Institutions.
INFORMATION REGULATOR (IR)
How to monitor for data breaches
Last month we reported on the IR’s media briefing, and established that the gloves are off with regard to enforcement actions.
This then raises the questions of what to look for, what should be regarded as a data breach, and what should be reported as a data breach to data subjects and the IR.
We’ve summarised the eight most common causes of data breaches, and what to do to prevent them.
Weak and stolen credentials, i.e. passwords
Hacking attacks may well be the most common cause of a data breach, but it is often a weak or lost password that is the vulnerability being exploited by the opportunist hacker. Statistics show that four in five breaches classified as a “hack” in 2012 were in part caused by weak or lost (stolen) passwords.
Solution: Use complex passwords and never share them.
Back doors and application vulnerabilities
Why bother breaking the door down when it’s already open? Hackers love to exploit poorly written software applications or poorly designed or implemented network systems. These things leave holes that they can crawl straight through to get directly to your data.
Solution: Keep all software and hardware solutions fully patched and up to date.
Malware
The use of direct and indirect malware is on the rise. Malware is malicious software that is loaded unintentionally and opens up access for a hacker to exploit a system and potentially other connected systems.
Solution: Be wary of accessing websites which aren’t what they seem, or opening emails where you are suspicious of their origin, both of which are popular methods of spreading malware.
Social engineering
As a hacker, why go to the hassle of creating your own access point to exploit when you can persuade others with a more legitimate claim to the data to create it for you?
Solution: If it looks too good to be true, then it probably is. If you were going to bequeath $10 million to someone you had never met, would you send them an email?
Too many permissions
Overly complex access permissions are a gift to a hacker. Businesses that don’t keep a tight rein on who has access to what within their organisation are likely to have either given the wrong permissions to the wrong people, or have left out-of-date permissions around for a hacker to exploit.
Solution: Keep it simple.
Insider threats
The phrase “keep your friends close and your enemies closer” applies here. The rogue employee, the disgruntled contractor, or simply those not bright enough to know better have already been given permission to access your data. What’s stopping them from copying, altering, or stealing it?
Solution: Know who you’re dealing with, act swiftly when there’s a hint of a problem, and cover everything with process and procedure backed up with training. In fact, we can’t emphasise the training enough!
Physical attacks
Is your building safe and secure? Hackers don’t just sit in backrooms in far-off lands; they have high-visibility jackets and an ability to create a plausible reason to enable them to work their way into your building and onto your computer systems.
Solution: Be vigilant, look out for anything suspicious, and report it.
Improper configuration and user error
Mistakes happen and errors are made.
Solution: Use the right professionals to secure your data, and develop robust processes and procedures to prevent user error. Mistakes and errors can be kept to a minimum and kept to those areas where they are less likely to lead to a major data breach.
Guidelines on notification of security compromises
The IR published the form to be used and the guidelines for completing the “Section 22 – Security Compromise Notification Form”.
The “Form SCN1” is now the standard for submitting security compromise notifications to the IR, and isn’t too complicated.
Should you require a copy of the guidance and form, please contact us.
Enforcement committee
On 4 August, the IR announced that it has established its Enforcement Committee (EC) which will be chaired by Advocate Helen Fourie SC. Simonè Margadie will serve as the alternate chairperson.
The EC is composed of 14 independent experts from the following professional backgrounds: law; information security; education; finance and accounting; auditing; actuarial science; forensics; and criminal investigations.
At the induction ceremony for the EC, Advocate Pansy Tlakula, the chairperson of the IR, said, “the inauguration of the EC means that for the first time since its establishment in 2016, the Regulator will be able to enforce its powers and provide an effective remedy to the complainants whose right to privacy and the right of access to information have been infringed.”