The information regulator published the final BASA Code of Conduct for the Banking Industry in South Africa. The code places certain obligations on the banking sector to process personal information in line with the conditions for the lawful processing of personal information. The conditions for the lawful processing of personal information are set out under Chapter 3 of the Protection of Personal Information Act (POPIA). In this post, we highlight some of the changes in the revised code since the period for comments on the draft version closed on 8 July 2022.

When does the BASA Code of Conduct for the Banking Industry come into effect?

In terms of section 62(2) of POPIA, the code must come into effect 28 days after the regulator publishes the notice in the Gazette. The regulator published the notice in the Gazette on 7 October 2022, so the code will come into effect on 4 November 2022.

The BASA Code of Conduct came into effect on 4 November 2022.

Purpose

The BASA Code of Conduct ensures that banks comply with POPIA in all respects. The code also aims to:

  • promote appropriate practices by BASA members when they process personal information;
  • encourage BASA members to establish appropriate agreements with third parties regulating the processing of personal information; and
  • establish procedures for BASA members to guide their interpretations of POPIA provisions and other laws. The procedures will allow people to lodge complaints against credit bureaus.

Governance matters

These provisions have remained the same as in the draft version. BASA will enforce the provisions of the BASA Code of Conduct. Additionally:

  • banks that are BASA members process personal information (including consumers’ information) in compliance with POPIA and the Banks Act 94 of 1990, and
  • BASA members and third parties must conclude agreements with each other to process personal information in compliance with POPIA.

What else does the BASA code of conduct cover?

Here are some of the changes in the final version we think you need to know about.

The regulator condensed the revised version of the code. The BASA Code of Conduct is now 25 pages long, compared to the previous version of 33 pages.

The scope of the code has been expanded (Important!):

  • POPIA will prevail if there is any conflict between POPIA and the code.
  • If a member bank transfers personal information to a third party in a foreign country, the member bank must ensure that binding corporate rules, which govern the conditions for the lawful processing of the personal information of data subjects within the group, are in place.
  • The code applies to certain processing activities by member banks, such as:
    • financial services processing activities, which enable the provision of transactional, investment, lending and insurance products and services;
    • employee-related processing activities, which enable the provision of the member’s human capital resources or employee management activities; and
    • supplier and business partner related processing activities, including the member’s procurement-related activities.
  • All terms used in the code share the same definition as in POPIA and its regulations.

The regulator made significant additions to the terms under the conditions for lawful processing. For example, the code now contains measures for compliance with international standards and industry best practice, such as King IV and the Basel Principles for effective risk data aggregation and risk reporting. (See Section A of the code for detailed information.)

Each member bank will monitor compliance with the code (and relevant provisions of POPIA) in terms of authorisations for processing:

  • unique identifiers of data subjects;
  • information on criminal behaviour;
  • information for the purposes of credit reporting; or
  • the transfer of special personal information.

There’s a list of relevant websites at the end of the code.

Code of Conduct for the Processing of Personal Information by the Banking Industry

This is the full name of the code that the regulator published.

Actions you can take

  • Read the full version of the code of conduct by downloading it.
  • Keep updated with further developments from the information regulator by following our Insights page.