In this next instalment of our platform economy series, we delve into regulatory requirements and what platform providers and developers should consider when launching their platforms.
For certain types of apps, particularly those in more regulated industries such as banking, developers need to ensure that their apps comply with specific industry laws and regulations. However, in some instances, the platform provider itself needs to be compliant. Developers and platform providers must perform a careful risk assessment before launching their apps to ensure that they do not fall foul of any legislative or regulatory requirements. Doing so can result in significant financial loss and reputational damage. This is particularly so where a regulator is involved, as penalties and fines may be imposed, which may lead to public criticism, lack of trust and reputational risk.
Below, we deal with three broad areas: legislation, outsourcing directives issued by the South African Reserve Bank ("SARB"), and open banking and open finance.
There are a number of laws that might apply to your app.
- Privacy laws: Customer data drives the
platform economy and the impact of privacy laws is unavoidable. In
South Africa, this means compliance with the Protection of Personal
Information Act, 2013 ("POPIA").
Platform providers and developers must ensure that:
- they are cognisant of and compliant with data privacy laws at an organisational level;
- the app is developed with privacy laws in mind (privacy by design);
- the platform is configured in such a way so as not to violate privacy laws; and
If data is shared with third parties or transmitted to other countries, additional risks arise and proportionate measures must be implemented. Direct marketing by electronic means is also stringently regulated.
- Consumer Protection Act: Consumer trust is key
to the success of a platform. Maintaining the highest security and
consumer-centric standards builds confidence when using apps and
similar services. In South Africa, compliance with the Consumer
Protection Act, 2008 ("CPA") is crucial
in the platform economy. The scope and application of the CPA are
extremely wide. Subject to certain exemptions, the CPA applies to:
- the promotion of goods and services;
- all transactions for the supply of goods and services concluded in the ordinary course of business (and for consideration); and
- the goods and services themselves once the transaction has been concluded.
"Goods", in terms of the CPA, includes any literature, information, data, software, code or other intangible product written or encoded on any medium, or a licence to use any such intangible product. A "service" regulated under the CPA, includes the provision of any information, advice or consultation, and any banking services, or related or similar financial services, unless these services are regulated under the Financial Advisory and Intermediary Services Act, 2002 ("FAIS").
Imagine buying a product, say a cell phone, online and making payment via an app. When the cell phone arrives, it is defective and explodes, causing harm to consumers or their property. The strict liability provisions in respect of defective products under the CPA hold that a "supplier of services who, in conjunction with the performance of those services, applies, supplies, installs or provides access to any goods, must be regarded as a supplier of those goods to the consumer, for the purposes of this section". Would the consumer have a claim against the platform provider or developer in terms of these provisions?
Similarly, if the payment for the cell phone is intercepted by a cyber-attacker and diverted to a fraudulent account, could the consumer claim that the service provided by the payment provider lacked necessary security measures and "the performance of the services [were not] in a manner and quality that persons are generally entitled to expect" in violation of the CPA?
Can platform providers and developers contract out of liability for, or protect themselves against, such claims? In addition, providing terms and conditions and disclaimers in plain language and in compliance with the requirements for such notices under the CPA should also be considered.
Consideration of the CPA issues when designing apps and the like is therefore essential.
- National Credit Act: Subject to certain exceptions, the National Credit Act, 2005 ("NCA") applies to "credit agreements". Broadly speaking, a credit agreement is one involving a deferral of payment or a prepayment and interest, a fee or a charge is levied or discount given for a prepayment. Credit providers are required to register as such with the National Credit Regulator if the total principal debt owed to them under all outstanding credit agreements, other than incidental credit agreements, which are subject to the NCA exceeds a threshold of zero within 30 days of meeting the threshold. Peer-to-peer lending platforms and credit provision via apps may trigger the application of the NCA and in turn, the Financial Intelligence Centre Act, 2001 ("FICA").
- Financial Intelligence Centre Act: FICA and the Money Laundering and Terrorist Financing Control Regulations place rigorous compliance obligations on "accountable institutions", including customer due diligence, recordkeeping and reporting. "Accountable institutions" are defined in Schedule 1 to FICA and include, among others, banks, money and value transfer providers, property practitioners, certain credit providers, some crypto asset services providers and dealers in high-value goods. It is important to note that section 29 of FICA is more widely cast than the majority of the provisions in FICA. In terms of this provision, any person who carries on business in South Africa (not only accountable institutions) must report unusual and suspicious transactions (as described in that section) to the Financial Intelligence Centre ("FIC"). All platform providers operating within the South Africa are therefore obliged to report certain transactions to the FIC.
- Financial Advisory and Intermediary Services Act ("FAIS"): FAIS governs the rendering of financial services, (i.e. advice and/or intermediary services in respect of financial products, such as a share, debenture, note or other security, and a "deposit", as that term is defined in section 1(1) of the Banks Act, 1990) in South Africa. A person rendering financial services, including via an online platform, must be registered as a financial services provider ("FSP") with the Financial Services Conduct Authority; or be a "representative" of an FSP, as defined in FAIS.
- National Payment Systems Act ("NPS"): The NPS encompasses the entire payment process from payer to beneficiary and includes settlement between banks. The process includes all the tools, systems, mechanisms, institutions, agreements, procedures, rules or laws applied or utilised to effect payment. The NPS enables the circulation of money, and thus enables transacting parties to exchange value.
In terms of the National Payment Systems Act, 1998 ("NPS Act"), the SARB may issue directives to any person regarding a payment system or the application of the provisions of the NPS Act, after consultation with the Payments Association of South Africa. The SARB has accordingly issued a number of these Directives, including one regulating non-banks (such as fintechs) which provide services in relation to payment instructions.
Platform providers and developers must consider these various Directives when designing their offerings.
SARB's rules on outsourcing
When the platform provider is a bank, consideration must be given to the directives and guidance notes published by the SARB in relation to outsourcing and cloud computing (namely, SARB Guidance Note 5/2014 – Outsourcing of Functions within Banks, SARB Directive 3/2018 – Cloud Computing and Offshoring of Data, and SARB Guidance Note 5/2018 – Cloud Computing and Offshoring of Data). These SARB directives and guidance notes prescribe, among others, the security measures and contractual obligations that the bank must require of any third party it engages to provide material outsourced services and/or cloud services. This is especially relevant where a platform provider uses third parties to create, develop, maintain and/or support the platform. These SARB directives and guidance notes will not always be applicable – the platform provider will need to consider things like the classification of data, materiality of the outsourced activity or process, level of risk involved, model of cloud computing and/or the offshoring of data used.
Open banking and open finance
In a nutshell, Open Banking involves sharing the data of current or transaction accounts with third parties, enabling them to develop applications or services around such data, including payment mechanisms.
Open Finance is a framework based on consent-driven data sharing that can empower banks to offer a broader range of possibilities to their clients specifically suited to their needs. Open Finance involves home loan providers, consumer credit providers, investment and pension funds, as well as general insurers and intermediaries. Open Finance enables banks to collaborate with various providers to deliver a wider variety of offerings to consumers including private mortgages, savings systems, pension funds, credit, insurance and the like at reduced cost.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.