Non-financial legislation adds to compliance burden
Stakeholders in the financial services industry are beset by legislation. Financial advisers have a particularly tough time ensuring they comply with the myriad laws applicable to the product they sell, the advice they give, and how they interact with con
Top of the non-financial laws brigade (in terms of impact) is the recently enacted Consumer Protection Act (CPA). Although the insurance sectors received exemption from the CPA, this was conditional on the relevant industry legislation being updated to reflect its intentions. It was also clear that any conflict between the insurance Acts and the CPA would be interpreted (in court) to the consumer’s benefit. There is another non-financial bill that will have a massive impact on the financial services sector. The Protection of Public Information Bill (POPI) is relevant to all companies – including independent financial intermediaries – that deal with personal information.
The A, B, C of POPI
POPI is making steady progress on its way to passing into South African law. When it goes “live” it will have significant implications for ordinary citizens and the myriad companies and public bodies that store and process their personal information. Should financial advisers be concerned? The short answer is yes! Zaid Gardner, Senior Associate at ENS (Edward Nathan Sonnenbergs) says that one of the most significant effects of POPI will be the introduction of comprehensive and dedicated data protection legislation to South Africa. The legislation will impose significant compliance burdens on South African companies and public bodies alike. “Data protection has been around for some time in the developed world, but it is a relatively new concept for South Africa and will take some getting used to,” he says.
Financial services intermediaries are intricately involved in the collection, processing and storing of consumer data. Each and every time you request an insurance quotation – each bit of new business you write for a client – and each request you make to an insurer to change the terms and conditions on a policy – involve consumer data. POPI aims to promote the protection of personal information processed in this way. “The lawmaker has sought to balance the right of privacy that is recognised by the Constitution with various needs and interests, such as the need for economic and social progress within the context of the information society, and the interest in a free flow of information, both domestically and internationally,” says Gardner.
The legislation will cover a broad range of activities. Indeed the definition of “processing” includes every conceivable action from collecting information, receiving it, storing it, updating it, modifying it, disseminating it and even destroying it. “The term ‘personal information’ is as broadly defined,” he says. “It covers, for example, information relating to the race, sex, pregnancy, marital status, ethnicity, colour, sexual orientation, age, health, religion, language and education of a person”.
Every fact you can imagine is “covered”
“It covers medical, financial, criminal and employment histories. It covers ID numbers, addresses, telephone numbers and blood types. It covers personal opinions, the private correspondence of a person, and the views that other people have of a person. It even includes the mere name of a person, if the name appears together with other personal information. A ‘record’ is defined to include recorded information in any form that is in the possession or control of a company or public body, irrespective of whether or not it created it”.
There are a number of exemptions, two of which could prove useful in the financial services space. POPI does not affect the processing of personal information in the event it has been specifically exempted or in cases where other legislation regulates the processing of that information. What can financial advisers expect going forward?
New terminology to wrap your tongue around...
In terms of POPI the company or public body that is responsible for processing information is referred to as the ‘responsible party’. The individual, or indeed company, whose information is being processed, is referred to as the ‘data subject’. POPI will also tie in closely with the Promotion of Access to Information (PAIA) Act. The latter requires that each company appoints a person – or Information Protection Officer – to ensure compliance with its principles.
Forget the Financial Services Board, its enforcement committee and the FAIS Ombud. Going forward you will also have to keep your nose clean with the National Credit Regulator, Competition Commissioner, National Consumer Commission and – coming soon – the Information Protection Regulator (IPR). The IPR will have powers to investigate complaints and draft industry-specific codes for data handling. Financial services professionals will have to brace for yet another round of codes and regulation!
Editor’s thoughts: Objections to the sheer volume of financial services legislation are brushed aside by the pro-regulation crowd. They say that you can stay ‘in the clear’ by simply treating your customers fairly. They could be missing the point, because the cost of compliance increases with each new body of law, whether you treat customers fairly or not… Is your financial services practice coping with the 21st Century regulatory deluge? Please add your comment or send it to gareth@fanews.co.za