The Cybercrimes Act places strict legal obligations on financial institutions. For example, financial institutions must report cybercrimes to the police, and store evidence about cybercrimes that someone may have committed. The Act imposes steep penalties on financial institutions that do not comply. In this post, we highlight the impact of the Cybercrimes Act on financial institutions.
Who falls within the definition of a financial institution?
The Cybercrimes Act does not explicitly define a financial institution. The Act points readers to the Financial Sector Regulation Act, 2017 (FSRA). The FSRA defines a financial institution as a –
- Financial product provider;
- Financial service provider;
- Market infrastructure;
- Holding company of a financial conglomerate; or
- Person licensed or required to be licensed in terms of a financial sector law.
You will notice that the definition excludes a financial services representative.
How does the Cybercrimes Act impact financial institutions?
Render assistance during investigations
A financial institution (or anyone else who is in control of data, networks, or computers) must provide law enforcement with the necessary technical or other assistance to search for, access or seize any data or computer that may be linked to a cybercrime. (Section 34)
The Cybercrimes Act does not specify what sort of assistance is required, but you would have to keep the data or computer for as long as the law enforcement member needs it.
Reporting obligations
Section 54 of the Cybercrimes Act creates certain reporting obligations on financial institutions. However, section 54 of the Act is not in operation yet. It will come into effect on a future date.
Once section 54 commences, financial institutions (including electronic communications service providers or ECSPs) will have to report cybercrimes to the police within 72 hours. For example, if the financial institution finds out that someone is using their network or system to commit a cybercrime, they will have to report it.
The financial sector regulator will not have any reporting obligations in terms of section 54 even though they regulate financial institutions. Similarly, a function performed by the South African Reserve Bank is also excluded from the obligations listed under section 54.
Data storage obligations
When section 54 of the Act commences, a financial institution must preserve any information which may help the police in investigating a cybercrime (section 54(1)(b)).
The moment a financial institution (or ECSP) is aware or becomes aware that someone is using their network or system to commit a cybercrime, they must keep data for an unspecified amount of time to help the police catch the cyber-criminal.
Penalties for non-compliance
The Act imposes harsh penalties on financial institutions for non-compliance with their obligations. For example:
If an ECSP or financial institution does not comply with its obligations to keep data, it will be guilty of an offence and may face a fine of up to R50000.
Actions you could take
- Understand how the Act impacts you by attending our half-day online workshop on the Cybercrimes Act.
- Ask us to help you determine the impact of cybercrimes on your organisation and the next steps by doing the online Cybercrimes impact assessment.
- Receive future updates or alerts about the Cybercrimes Act and our events by subscribing to the Michalsons newsletter.
- Dive into the details of the Act by reading the web-based version of it.
- Know how the law applies to you specifically by asking us for a legal opinion or interpretation of the law.
- Brief your board on the Cybercrimes Act and the legal implications for your organisation by asking us to present an executive briefing to them.
- Find out what other actions you can take related to cybercrime by visiting our main cybercrime law page.