Wait, what? It’s almost the end of the year! We’ve gone from sitting at home endlessly to wandering around with no masks, and have nearly forgotten what sanitiser is!
Don’t let your compliance guard down, though. The regulators are renowned for getting things done during November and December, so expect some further changes to the legislation before the year is over.
There is already plenty to keep you (and us) busy in the next few months.
THE FINANCIAL SECTOR CONDUCT AUTHORITY (THE FSCA)
2022 levies
A reminder that the 2022 levies are due by 31 October – don’t let this invoice slide!
Crypto assets declared financial products
And there it is: the FSCA has officially declared crypto assets as financial products. This brings crypto traders, platform providers, and ‘brokers’ under the control of the FAIS Act and its regulations as of 19 October. (We did tell you! – Ed.)
Any such entity that is not already a registered Financial Services Provider (FSP) will need to submit a FAIS licence application between 1 June and 30 November 2023. That doesn’t allow a lot of lead time for the compilation of a complete application. We are ready to assist new applicants, so get in touch. Those entities already registered as FSPs will need to submit an application to add the category during the same window.
The FSCA does understand that the inclusion of these businesses and individuals will impose requirements on them that they are currently not able to meet, and has released draft exemption notices at the same time.
The draft exemptions will exempt Crypto Asset FSPs (CAs) (NB: only those entities solely providing this product) from the requirement to have Professional Indemnity and Fidelity Guarantee cover, and will exempt Key Individuals and Representatives appointed for the category from the qualification, experience, and Regulatory Exam requirements, until 19 April 2024.
However, Key Individuals and Representatives (those not under supervision) will need to complete six CPD hours as per the June to May annual cycle, and companies will need to have implemented procedures to comply with the FAIS General Code of Conduct by 1 December 2023.
Requirements relating to third party cell captive insurance business
The FSCA published Conduct Standard 2 of 2022 on 30 September, which set out the revised requirements for third party cell captive business, and came into effect on 1 October 2022.
The Conduct Standard is intended to facilitate appropriate governance and oversight measures by cell captive insurers. The requirements include:
- an oversight requirement for third party cell captive insurers to monitor the business being operated under their licences
- a specific requirement that the complaints review and escalation processes must allow for escalation to be made directly to the insurer, and must include the maintenance of a central complaints register
- minimum requirements for the due diligence process to be undertaken by insurers in respect of a cell owner
- ongoing oversight and governance requirements to ensure that products deliver Treating Customers Fairly (TCF) outcomes such as suitable product design and distribution, and that the premiums are fairly determined
- disclosure requirements by cell captive insurers to policyholders
- specific reporting requirements to the FSCA
- a limitation on ownership in cell structures where the cell owner is a non-mandated intermediary (NMI)
The Conduct Standard provides for a two-year transitional period for cell arrangements entered into before the effective date of the Conduct Standard. The Conduct Standard will apply immediately to cell structures entered into after 1 October 2022.
The FSCA has requested the Prudential Authority to remove the limitation on ownership of cell structures in the licence conditions of cell captive insurers as soon as possible, as the necessary requirements are encompassed in the Conduct Standard.
PRUDENTIAL AUTHORITY (PA)
Directives on Directors, Executives, and Beneficial Owners of Mutual Banks
Following on from the FSCA’s requirement for significant owners to meet the honesty, integrity, and good standing requirements imposed by the FAIS Fit and Proper Regulations, the PA issued Directives D1 and D2 to Mutual Banks on 20 September.
The Directives instruct Mutual Banks to identify the beneficial owners of their institutions, and to conduct criminal background checks on the beneficial owners, directors, and executives of the banks. The checks must be conducted periodically, and the results submitted to the PA.
Directives on Transfer Services
The PA also issued Directives D3 and D9 on 30 September, noting that they come into effect on 1 November.
The Directives instruct banks and Mutual Banks to register all existing and future domestic money or value transfer service (MVTS) agency arrangements with the PA within 30 days of the agency being granted, as well as maintain an up-to-date register of MVTS arrangements, and submit MVTS agency returns to the PA bi-annually via this annexure by 31 January and 31 July.
The PA is to be notified of agencies currently in force via the same annexure by 30 November.
Selected insurance sector data
The PA provided its regular data regarding the insurance sector for March 2022 and June 2022.
It does seem like the insurance industry is recovering from the effects of the COVID-19 pandemic and the 2021 unrest.
FINANCIAL INTELLIGENCE CENTRE (FIC)
FIC Annual Report
The FIC released its annual report on 29 September.
The entity showed an operating surplus for the financial year, which it has attributed to enforcement of numerous penalties.
South Africa’s deficiencies in terms of combating money laundering and terrorist financing were noted with the concern they are due. We have noted various actions that are underway to address this over the year – let’s hope they make a difference!
Cash reporting threshold increased
The cash reporting threshold was quietly increased on 14 October. The limit that will need to be reported from 14 November is now R49,999.
The details of the person and the transaction will have to be provided to the FIC. The deadline for submission has also been extended to three days from two.
Accountable and Reporting Institutions will need to amend their systems and Risk Management and Compliance Plans, and will have to train their staff on the new requirements.
NATIONAL TREASURY
Leanne Jackson has been appointed as the Chief Ombud of the Ombud Council.
Jackson was instrumental in the development and rollout of the TCF framework, and drafting much of the current and upcoming legislation. We believe that she is perfectly suited to the position, and wish her well.
Acting Tax Ombud appointed
Professor Thabo Legwaila has been appointed as the acting Tax Ombud until 5 January 2023. He was previously the CEO of the Tax Ombud, and has been appointed because the term of office of the previous Ombud, Judge Bernard Ngoepe, ended.
INFORMATION REGULATOR (IR)
Codes of Conduct
The Codes of Conduct for the Credit Bureau Association (CBA) and Banking Association of South Africa were approved in terms of section 60 of POPIA after being initially lodged in December 2021 and June 2022.
Our understanding is that there should also be a Code of Conduct for the insurance industry, but we’ve heard nothing of its development.
Cybersecurity Awareness Month
The IR launched its “Cybersecurity Awareness Month” campaign on 7 October. The main themes are “Online Security and Ransomware”, aimed at making companies and individuals consider best practices for keeping sensitive and personal information safe from ever-evolving cyber threats and attacks. The campaign also offers tips on how to guard against ransomware attacks:
- Don’t click on links in suspicious emails (hover to verify)
- Keep your system updated
- Avoid using unknown USB sticks/drives
- Never install or run unknown software
- Use antivirus software
Enforcement
While we wait for the outcome of the investigations related to recent data breaches, we have an example of an enforcement action taken by the UK ICO (Information Commissioner’s Office).
The UK ICO has warned that companies are leaving themselves open to cyber-attack by ignoring crucial measures such as updating software and training staff. The ICO found that the company in question, Interserve, failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
John Edwards, UK Information Commissioner, said:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems, and fails to act on warnings or doesn’t update software, and fails to provide training to staff, you can expect a similar fine from my office.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
“Cyber-attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and National Cyber Security Centre already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
Email encryption
Data privacy has become absolutely crucial for businesses. Some companies go to great lengths to protect their data, files, and communication.
Email encryption is the process and method of disguising the content of email communications to protect potentially sensitive information, and ensure only the intended recipients have access. The term refers to encryption of the email itself, the encryption of data stores that house emails, and the encryption of the communications channels used to send and receive emails.
Section 19 of the Protection of Personal Information Act states that organisations need to do what is reasonable and appropriate to prevent unauthorised access to the personal data in their care. POPIA doesn’t go as far as requiring implementation of email encryption, although the General Data Protection Regulation mentions encryption as a way of working towards compliance with the information security requirement. Therefore, while email encryption is not specifically required, it can help show compliance.
There are several cases in Europe where the authorities held that email was not an appropriate method of transferring significantly sensitive personal data, and the organisations in question should have used some sort of online portal or secure FTP server with an encrypted connection requiring the use of secure credentials to gain access.
Five key benefits of email encryption for a business are:
- Improving confidentiality
- Avoiding compromised accounts and identity theft
- Helping compliance and governance
- Boosting business efficiency
- Reducing the attack surface across the enterprise
COUNCIL FOR MEDICAL SCHEMES (CMS)
Low-Cost Benefit Option comment deadline extended
The CMS has further extended the deadline on the proposed Low-Cost Benefit Option Framework Report to 30 November 2022.
The original draft of the framework is available here should you still wish to comment.
Comments are to be sent to lcbo@medicalschemes.co.za.
THE FINANCIAL SERVICES TRIBUNAL (FST)
Dismissed debarment reconsiderations
Decision – Jabu Cedrick Shabangu v Old Mutual Finance (RF) (Pty) Ltd
This debarment reconsideration case deals with whether the debarment process was lawful, reasonable, and procedurally fair, and the tribunal found no grounds to interfere with the decision to debar the applicant.
The FST found no basis to conclude that the process of debarment was procedurally unfair. The applicant was afforded a fair opportunity to make representations during the debarment enquiry. The debarment was not outside the prescribed six-month period, as the applicant resigned on 28 September 2021, the enquiry was set for 3 March 2022, and it was then postponed to 28 March 2022 in order to afford the applicant the opportunity to retain legal representation.
Decision – AK Arends and PSG Wealth Financial Planning (Pty) Ltd
The application for reconsideration of AK Arends’ debarment was dismissed because of the “lack of evidence of the applicant’s rehabilitation”. (Credit to them for giving it a go – Ed.)