How accountable institutions should meet their Fica obligations in the context of Popia

Posted on 1 Comment

The Financial Intelligence Centre (FIC) has set out the principles that accountable institutions should consider when collecting, assessing and reporting on clients’ personal information and special personal information.

The Financial Intelligence Centre Act (Fica) provides the legal justification for accountable institutions and reporting institutions to obtain, process and further process personal information and special personal information in terms of the Protection of Personal Information Act (Popia), the FIC’s recently published Public Compliance Communication 22A says.

It says the harmony between the application of Fica and Popia lies in an accountable institution asking only for personal information and special personal information that is necessary to achieve the purposes of Fica.

Any restrictions in terms of international privacy legislation or standards do not exempt accountable institutions from complying with their Fica obligations.

Process only what is necessary

PCC 22A reminds accountable institutions that they must apply a risk-based (proportional) approach to combating money laundering, terrorist financing and proliferation financing (ML/TF/PF). In other words, the higher the ML/TF/PF risk, the more enhanced the customer due diligence. In this context, the principles for data processing include:

  • The personal information and special personal information that an accountable institution obtains, uses and further processes must be necessary to achieve the objectives of Fica.
  • The personal information and special personal information obtained about the client should be adequate, accurate, relevant, up to date and proportionate to the ML/TF/PF risk level.
  • Where an accountable institution obtains personal information and special personal information that is not required and not necessary to achieve the purposes of Fica and is not proportionate to the ML/TF/PF risk, this would amount to an excessive collection of information that is not aligned to the principles of data privacy.

Customer due diligence

When establishing a business relationship or conducting a single transaction, accountable institutions are advised to inform the client that the accountable institution must comply with its obligations in terms of Fica. To do so, it must obtain, use and further process certain personal information and special personal information.

Clients have the freedom to choose whether to establish or continue with a business relationship or conduct a single transaction with the accountable institution. The accountable institution may advise a client of the consequences if the client refuses to provide personal information or special personal information, provided this does not amount to tipping off.

Where the client establishes or opts to continue with a business relationship or conduct a single transaction, the accountable institution must comply with its obligations in terms of Fica.

Where the client refuses to provide personal information or special personal information as required for purposes of complying with Fica and bases the refusal on data privacy concerns or laws, the accountable institution:

  • May not establish a business relationship or conduct a single transaction with a client;
  • May not conclude a transaction in the course of a business relationship, or perform any act to give effect to a single transaction;
  • Must terminate an existing business relationship with a client in accordance with the accountable institution’s risk management and compliance programme (RMCP); and
  • Must consider filing a report in terms of section 29 of Fica.

Reporting obligations

Regarding accountable institutions’ reporting obligations, the PCC states:

  • An accountable institution may not disclose information relating to a regulatory report filed with the FIC in terms of section 29 of Fica (unless as provided for in law).
  • The accountable institution may not disclose information relating to requests for information in terms of section 27 and section 32 of Fica.

Record-keeping

Records of personal information and special personal information being kept by the accountable institution or a third party on behalf of the accountable institution must be held for the purposes of combating ML/TF/PF, in accordance with Fica and the Money Laundering Terrorist Financing Regulations, read together with the accountable institution’s RMCP.

Where the period, as set out in Fica read together with the accountable institution’s RMCP lapses, the personal information and special personal information may not be used for purposes of Fica.

Use of third parties

Accountable institutions can either obtain personal information or special personal information directly from the client or by using a third party (refer to PCC 12A for further information on the use of a third party).

Where an accountable institution obtains personal information or special personal information from a third party, the accountable institution is advised to disclose to the client that it relies on third parties for obtaining certain personal information and special personal information (unless such disclosure would prejudice the lawful purpose of the collection).

Click here to download PCC 22A

1 thought on “How accountable institutions should meet their Fica obligations in the context of Popia

  1. Good Day
    It would have been helpful if the article also addressed the reporting and related PoPIA implications for non-accountable Institutions in order to comply with s29 requirements.

Comments are closed.