The FSCA recently sent out a notification informing financial institutions – “data subjects” in the parlance of POPIA – that it will “continue taking necessary measures to safeguard the personal information it processes to ensure compliance to relevant sections of POPIA”.
As those who have undergone the FSCA’s licensing process well know, the FSCA holds extensive information about FSPs and their employees.
The notice points out that the FSCA is a responsible party as defined in POPIA and must ensure that the processing of personal information throughout its lifecycle is done in a manner consistent with the Financial Sector Regulation Act (FSRA) and POPIA.
The privacy policy on the FSCA’s website outlines not only the type of information it collects, but also the circumstances under which it will share data subjects’ information with third parties.
These circumstances are in keeping with the provisions of POPIA and the FSRA, which devotes an entire section to information sharing.
Section 6(1)(c)(ii) of POPIA exempts the processing of personal information by or on behalf of a public body – in this case the FSCA – for the purpose of:
- Preventing or detecting unlawful activities (including assistance in identifying the proceeds of unlawful activities and combating money laundering activities),
- Investigating or the proof of offences,
- The prosecution of offenders or the execution of sentences or security measures,
“to the extent that adequate safeguards have been established in legislation for the protection of such personal information”.
It is unclear how broad or narrow the application of terms such as “preventing”, “detecting” and “investigating” is.
What the FSRA allows
This section of POPIA should be read in conjunction with section 251 of the FSRA, where information processing has a wider scope than preventing, investigating or prosecuting unlawful activities.
Sub-section (1)(b) requires a financial sector regulator or the Reserve Bank to collect and use information, including personal information as defined in POPIA, to the extent that the regulator or the Reserve Bank determines is necessary to properly perform the obligations and duties referred to in paragraph (a).
Paragraph (a) tells us that those “obligations and duties” are to:
- Achieve its objective as set out in this Act (these are listed in section 7);
- Achieve the objectives of financial sector laws; and
- Perform its functions, including its supervisory functions, in terms of financial sector laws and the Financial Intelligence Centre Act.
That covers quite a bit of ground.
The FSRA not only allows the FSCA to disclose the information referred to in sub-section (1)(b) but requires that it do so if it determines that this is necessary to comply with its obligations. These obligations are set out in sub-section (2) and include:
- Performing functions in terms of, or enabled by, the financial sector laws;
- Relating to legal proceedings or other proceedings;
- Warning financial customers against conducting business with a financial institution or a person conducting activities in contravention of the financial sector laws;
- Informing financial customers of actions taken against a financial institution in terms of the financial sector laws;
- Alerting financial customers to activities carried out by a financial institution that a financial sector regulator or the Reserve Bank believes to constitute a risk to financial customers;
- Protecting the public interest;
- Deterring, preventing, detecting, reporting and remedying fraud or other criminal activity in relation to financial products or financial services; or
- Relating to anti-money laundering and combating the financing of terrorism.
It is an offence for a financial sector regulator or the Reserve Bank to share or disclose information for purposes not authorised by sub-sections (1) or (2).
Sharing with third parties
Sub-section (3) empowers the FSCA to enter into agreements with “designated authorities”, including those in foreign countries, for the purposes of information sharing.
In its privacy policy, the FSCA says the third parties with which it shares personal information include FSCA service providers, other regulators (including foreign regulators), law enforcement agencies and verification agents.
The FSCA says it will only disclose your personal information if:
- It is necessary to fulfil its legislative mandate as provided for in the FSR Act;
- For business purposes;
- The law requires it;
- It has a public duty to disclose the information;
- Your legitimate interests require disclosure; or
- You have provided consent for it to disclose your information.
The privacy policy goes on to say: “Where applicable, we request the third parties with whom we share information to take adequate measures and comply with applicable data protection laws and protect the information we are disclosing to them. We do this through contractual arrangements with these third parties. We also take internal measures to ensure that the third parties we appoint have appropriate measures to protect the information we provide to them.”
This is in keeping with the provisions of sub-section (4) of section 251 of the FSRA, which, among other things, states that:
- Information may only be disclosed by a financial sector regulator or the Reserve Bank to a designated authority if, before disclosing the information, the financial sector regulator or the Reserve Bank is satisfied that the designated authority that receives the information has proper and effective safeguards in place to protect the information, which safeguards are similar to those provided for in this section.
- A financial sector regulator or the Reserve Bank may only consent to information that is provided to a designated authority being made available to third parties if it is satisfied that the third parties have proper safeguards in place to protect the information received, which safeguards are similar to those provided for in this section.
Sub-section (5) states that sharing information in a manner that does not meet the requirements of sub-sections (3) or (4) is an offence.
Only authorised persons can share information
A financial sector regulator and the Reserve Bank are required to have written processes and procedures that govern who in the organisation is authorised to share or disclose information, and to ensure that this is done in a way that meets the requirements of the FSRA and POPIA.
Sub-section (6)(c) states that only officials and employees who have “an appropriate degree of seniority” may share or disclose information on behalf of the regulator or Reserve Bank.
Penalties
As noted above, it is an offence – in terms of section 272 of the FSRA – for a financial sector regulator or the Reserve Bank to share information for purposes not authorised by section 251, or to do so in a way that does not meet the requirements of that section.
Indeed, in terms of section 272(1), not only does an official or employee who shares the information without authorisation commit an offence, but so does the regulator on whose behalf the information was shared.
A regulator that shares information for unauthorised purposes, or that shares information without meeting the requirements of section 251, can be fined up to R5 million, while an official or employee can be fined up to R5 million or imprisoned for up to five years, or both.