This blog was co-authored with Julian Scholtz, Candidate Attorney.
While the Protection of Personal Information Act, 2013 (POPIA) is widely accepted as the primary legislation dealing with the processing of personal information, it is important for financial service providers (FSPs) to take note of their duties in the Financial Advisory and Intermediary Services Act, 2002 (FAIS Act).
An FSP that collects information from its clients will fall under the definition of ‘responsible party’ in terms of POPIA. Board Notice 194 of 2007 and POPIA requires FSP’s to secure the integrity and confidentiality of personal information processed by it by taking appropriate measures and establishing a governance framework to safeguard against unlawful access to personal information.
Additionally, the General Code of Conduct for Authorised Financial Services Providers requires FSP’s to have appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible the risk that clients and other FSPs will suffer through, amongst other things, fraud, negligence or professional misconduct.
The FAIS Act stipulates that compliance officers and auditors have to inform the Financial Sector Conduct Authority (FSCA) in writing of any irregularity or suspected irregularity of which the compliance officer and auditor become aware in performing their functions and which, in their discretion, is material.
The FSCA and the Prudential Authority issued a draft revised joint standard on cybersecurity and cyber resilience (Joint Standard) for public comment in December 2022 (see Joint Communication 4 of 2022). Although the Joint Standard is still in draft stage, it usefully sets out sound practices for specified financial institutions, including FSP’s that are required by industry standards to manage cyber risks.
While the FAIS Act does not impose specific time frames within which the compliance officer of an FSP must report a material irregularity (such as a data breach), it is recommended that any such irregularity should not be delayed. Any delay may lead to a significant adverse impact on the FSP and may have an adverse impact on its clients.
The Joint Standard obliges FSPs to notify the FSCA of a material incident if it is a cyber incident or an information security compromise. According to the Joint Standard, a cyber incident is defined as “a cyber event that jeopardizes the cybersecurity of an IT system or the information processed, stored or transmitted by the system; or violates the security policies, security procedures or acceptable use policies, whether resulting from malicious activity or not”. In the interim, it is advisable that FSPs immediately report material data breaches to the FSCA. Section 22(2) of POPIA requires any compromise to be notified to the Information Regulator as soon as reasonably possible. The FSCA should be notified at the same time. In an attempt to recover any information lost in a data breach, the financial institution must establish data backup strategy so that data can be recovered in the event of a disruption or when data is corrupted.
These requirements align with the security requirements in POPIA to a large extent. However, it is important for FSPs to be mindful of the double regulation of these aspects when engaging with regulators and reviewing its information security measures.
