An article in FAIS Newsletter 20 titled Bulk transfers by FSPs and Insurers contains a section under the sub-heading: Protection of Personal Information Act:
Furthermore the FSPs are required to comply with Protection of Personal Information (“POPI”) Act, which demands identifying Personal Information and taking reasonable measures to protect the data. This will likely reduce the risk of data breaches and the associated public relations and legal ramifications for the organisation.
The purpose of the POPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way.
Section 12c of the General Code states that a provider, excluding a representative, must, without limiting the generality of section 11, structure the internal control procedures concerned so as to provide reasonable assurance that all applicable laws are complied with. Therefore non-compliance with POPI will result in the FSP’s failure to comply with the provisions of the FAIS Act.
The article concludes:
FSPs who do not comply with the requirements of the General Code will be in contravention of the FAIS Act and regulatory action will ensue.
Furthermore non-compliance with the POPI Act could expose the Responsible Party to a penalty of a fine and / or imprisonment of up to 12 months. In certain cases the penalty for non-compliance could be a fine and / or imprisonment of up 10 years.
A bright-eyed and bushy-tailed Moonstone reader commented on this as follows:
I’m a little confused by an aspect of the FAIS Newsletter about the bulk transfers.
It refers to POPI as if it is in force and enforceable. As I understand it, the Act is promulgated, but not in force. While it may be good business practice to be fastidiously protecting client’s information, the requirements as set out in the Act are not yet a legal requirement.
Assuming that insurer/underwriting manager and policy does not change, the implications for Brokers who wish to merge their businesses with other Brokers or to sell their books to other Brokers are extremely onerous.
We referred the matter to the FSB who responded as follows:
The reference to POPI in the article is not properly captured as it gives the impression that the Act is already in operation. The sanctions will only apply after the effective date of the POPI Act. We will rectify the article.
I have noted the concerns of the reader with regards to the onerous implications for brokers when merging or selling their books but it is a requirement that clients must be informed and give consent to the move to another broker.
Data Security
This issue will play an extremely important role under Twin Peaks as part of the Market Conduct Regulator’s intention of acting in a pro-active and pre-emptive manner to avoid risk exposure for clients. We advise readers to familiarise themselves with the contents of POPI and start gearing their businesses in this direction in anticipation of the appointment by the Regulator.
Keeping clients informed
The FSB recently conducted investigations into allegations of the moving of books of policies between brokers and/or between insurers without the consent and/or knowledge of policyholders. According to the findings, in most cases the policyholders were merely notified of the movement of their policies without being provided with the option of whether to move or not. In many instances, no consent was obtained from the policyholders prior to the transfers. In other cases, policyholders did not receive any notifications nor did they provide consent to transfer their policies.
Onerous as it is, the law is the law, and has to be obeyed.
Please make sure you read the article in FAIS Newsletter 20 carefully. It will be time wisely spent.