On 6 July 2022, the Financial Intelligence Centre (“FIC”) published a communication offering guidance on information processing in terms of the Financial Intelligence Centre Act, 2001 (“FICA”) in relation to data protection. This is to provide a framework on how the FICA regulations will be affected by the new privacy laws as a result of the Protection of Personal Information Act, 2013 (“POPIA”).

FICA sets out the requirements for an accountable institution when it establishes a business relationship or conducts a single transaction with a client. These requirements include:

  • conducting customer due diligence risk assessments;
  • account monitoring;
  • reporting to the FIC; and
  • keeping records of its clients' information.

As such, in order to comply with these requirements, an accountable institution must obtain and process the necessary personal information and special personal information of its clients.

POPIA is South Africa's main data privacy protection legislation, and sets out all the conditions for the lawful processing of personal information.

FICA requirements are complementary to the provisions of POPIA, which lists the grounds of justification for processing personal information. POPIA specifically states that personal information may be processed if this will comply with the requirements imposed by law on the responsible party.

FICA, therefore, provides the necessary justification that enables accountable institutions to process personal information under POPIA, provided they do so within the scope of the obligations imposed by FICA.

In order to comply with FICA and POPIA, accountable institutions must:

  • apply a risk-based approach based on the principle of proportionality when processing personal information for combatting activities like money laundering and terrorist financing. An accountable institution must only ask for personal information that is necessary to meet its obligations in terms of FICA;
  • inform clients that their information is shared across a group, including where this information is shared with entities in other countries;
  • inform clients of the consequences that they will face if they refuse to provide personal information, provided that this will not amount to tipping off (ie, informing a client that a suspicious transaction/activity report has been filed with the FIC);
  • consider filing a report in terms of FICA if the client refuses to provide personal information that is required for purposes of complying with FICA; and
  • apply for prior authorisation from the Information Regulator in accordance with POPIA when required. An example where this may be required is where one entity in a group of companies does sanction screening on behalf of other entities and therefore may process personal information on criminal behaviour or objectionable conduct on behalf of such other entities.

When it comes to the collection of personal information, an accountable institution can collect it directly from the client or from a third party. The accountable institution is permitted to obtain information from a third party and not directly from the client if collecting the information directly from the client would amount to tipping off the client. When an accountable institution obtains personal information through a third party, it must disclose to the client that it relies on third parties for obtaining personal information about the client. This could be done in the accountable institution's privacy statement.

The communication is still in its draft form and interested parties are invited to submit written comments on the communication through the online comments submission link. Any questions or requests regarding the draft can be sent via email to the FIC at consult@fic.gov.za. The deadline for submissions is Tuesday, 26 July 2022 by close of business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.