The Financial Intelligence Center (Centre) published guidance on information processing in relation to POPIA. In its communication, the Centre confirmed that privacy laws (like POPIA) do not prevent accountable institutions from reporting some personal information about their clients to the Centre to prevent criminals from abusing the South African financial system, fight crime and protect national security.
Obligations on accountable institutions
Accountable institutions must comply with the FIC Act and POPIA by:
- obtaining, assessing, and reporting certain client personal information and special personal information.
- considering the principles set out in data privacy laws to ensure that they do not contravene any such laws.
The Centre allows accountable institutions to process, analyse and escalate personal information and special personal information that it receives through reporting mechanisms to the Centre.
Risk-based approach
The Centre places further obligations on Accountable Institutions. For example, accountable institutions must apply a risk-based approach to combating money laundering, terrorist financing and proliferation financing (ML/TF/PF).
Accountable institutions can only further process personal information and special personal information if it is necessary to achieve the objectives of the FIC Act.
Client Due diligence
Accountable institutions must comply with the FIC Act during their business relationships. For example, accountable institutions must inform their clients that they are processing their personal or special personal information as part of their obligations to comply with the FIC Act. Clients can choose whether they want to continue working with an Accountable Institution in the long term or once off.
If clients refuse to provide personal information or special personal information to an accountable institution, the accountable institution must inform them of the consequences of not providing their personal or special personal information. If a client refuses to provide their personal or special personal information due to data protection concerns, the accountable institution must:
- not establish a business relationship or conduct a single transaction with that client.
- not conclude a transaction during the business relationship.
- end the existing business relationship with the client in accordance with its risk management and compliance programme.
- Consider filing a FIC section 29 report.
Accountable institutions must further:
- inform clients if their information is shared across group functions, including where this information is shared cross-border.
- consider applying for prior authorisation from the information regulator when they transfer personal and special personal information outside South Africa.
Reporting
The Centre confirmed that accountable institutions can process personal information and special personal information because it is required in terms of the FIC Act. Furthermore:
- An accountable institution may not disclose information relating to a regulatory report it filed with the Centre (unless as provided for in law.
- The accountable institution can collect personal information and special personal information from a third party where compliance with the requirement to collect directly from the client or other persons would prejudice the lawful purpose of the collection.
Records management
Accountable institutions can hold records of personal or special personal information for the purposes of combating ML/TF/PF. If the record retention period lapses, then the accountable institution cannot use personal and special personal information for purposes of the FIC Act.
Actions you can take
- Dive into the details of the Centre’s guidance by downloading the full document.
- Get a comprehensive overview of the FIC Act by reading Guidance Note 7.
- Submit your queries about the Guidance by contacting the Centre.
