PPI: Significant implications for brokers
In its current form, the PPI Bill will have a huge cost impact on brokerages and independent financial advisors.
The Protection of Personal Information Bill (PPI) was published in the Government Gazette in August 2009. It will have a significant impact on brokers and financial advisers in terms of their IT systems, training of staff, HR practices, security policies and business processes from a compliance control perspective.
Protecting privacy
The Bill gives effect to the constitutional right to privacy, regulates the processing of personal information, provides rights and remedies to protect personal information from processing and establishes an information protection regulator.
In terms of the PPI Bill, the insured or policyholder is the “data subject”, defined as the person to whom personal information relates.
Collecting and processing data
The rendering of financial services involves the collection of data and information from the insured. This fact-finding process is an essential step in the required FAIS advisory process to determine a potential insured’s financial needs and risk profile, enabling the broker or advisor to recommend a suitable financial product.
The PPI Bill defines “processing” as any operation or activity or any set of operations, whether or not by automatic means, concerning personal information and this includes collection, receipt, recording, storage and dissemination. Chapter 3 of the PPI Bill stipulates that (i) before data is processed, the consent of the ‘data subject’ is required, (ii) data can only be collected directly from a ‘data subject’, (iii) data must be collected for a specific purpose of which the ‘data subject’ must be made aware and data must not be retained for any longer than is necessary for achieving the purpose.
Implications
This effectively means that a broker must obtain personal information directly from the insured. The broker must also obtain permission from the insured where the insured’s personal information is required and make the insured aware of the specific purpose for which the data is collected. This permission from the insured must be provided in writing or, if verbal, must be recorded.
Brokerages will therefore have to put robust IT systems in place and enhance staff training to ensure that these specific disclosures are included in all communications, whether written or verbal.
Cross-selling
The PPI Bill specifically addresses the use of client databases to cross-sell products to existing clients. Principle 4 of Chapter 3 of the Bill disapproves of such use of data if the further processing cannot be linked to the original purpose of the data collection. This effectively means that each time a different product is sold to the same client of the same product supplier, the 3-step process of (i) permission, (ii) awareness and (iii) disclosure will have to be undertaken again.
Compliance issue
Brokerages and independent financial advisors will have to review their current risk management framework to accommodate the requirements of the PPI Bill. They will be forced to undertake a comprehensive and focused assessment of the potential risks for their businesses as a consequence of this Bill, specifically in terms of IT, HR practices and security.
The IT management programme of the organisation will have to ensure the safe transfer of and access to personal information of the insured. HR policies and security controls will have to be adapted to ensure that employees are authorised to access personal information.
However, the cost of non-compliance far outweighs the cost of implementing or aligning business processes to cater for the requirements of the PPI Bill.