Public Compliance Communications 8
PCC 22A – Guidance on information processing in terms of the FIC Act
1 September 2023
Document
FIC
Financial Intelligence Centre
PUBLIC COMPLIANCE COMMUNICATION
PUBLIC COMPLIANCE COMMUNICATION
22A
GUIDANCE ON INFORMATION PROCESSING
IN TERMS OF THE FINANCIAL INTELLIGENCE
CENTRE ACT, 2001 (Act 38 OF 2001),
IN RELATION TO THE PROTECTION OF
PERSONAL INFORMATION ACT, 2013
(ACT 4 OF 2013)
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)
Page 2 of 10
PCC SUMMARY
Accountable institutions, in fulfilment of their compliance obligations with the Financial Intelligence Centre Act, 2001 (Act 38 of 2001) (FIC Act), are required to obtain, assess and report certain personal information and special personal information in relation to their clients. These obligations as set in the FIC Act cannot be circumvented, or limited owing to data privacy laws including the Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPI Act). Complying with the various obligations set out in the FIC Act constitute complying with obligations imposed, required and authorised by law. Accountable institutions should, however, consider the principles set out in data privacy laws to ensure that they do not contravene any such laws.
The processing, including analysis and escalation of information regarding personal information and special personal information, as received through reporting mechanisms to the Financial Intelligence Centre (Centre), is permissible by the Centre.
THE AUTHORITATIVE NATURE OF GUIDANCE
The Financial Intelligence Centre (Centre) provides the guidance contained in this PCC in terms of its statutory function in terms of section 4(c) of the FIC Act read together with Regulation 28 of the Money Laundering and Terrorist Financing Control Regulations (the Regulations) issued in terms of the FIC Act.
Section 4 (c) of the FIC Act empowers the Centre to provide guidance on a number of matters concerning compliance with obligations in terms of the FIC Act. Guidance provided by the Centre is the only form of guidance formally recognised in terms of the FIC Act and the Regulations issued in terms of the FIC Act. Accordingly, guidance provided by the Centre is authoritative in nature and must be considered when interpreting the provisions of the FIC Act or assessing compliance of an accountable or reporting institution with the obligations imposed on it by the FIC Act.
It is important to note that enforcement action may emanate as a result of non-compliance with the FIC Act in areas where there has been non-compliance with the guidance provided by the Centre. Where it is found that an accountable or reporting institution has not
followed guidance which the Centre has issued, the institution must be able to demonstrate that it has nonetheless complied with the relevant obligation under the FIC Act in an equivalent manner.
DISCLAIMER
The publication of a PCC concerning any particular issue, as with other forms of guidance which the Centre provides, does not relieve the user of the guidance from the responsibility to exercise their own skill and care in relation to the user's legal position. The Centre accepts no liability for any loss suffered as a result of reliance on this publication.
COPYRIGHT NOTICE
This PCC is copyright. The material in a PCC may be used and reproduced in an unaltered form only for personal and non-commercial use within your institution.
Apart from any use permitted under the Copyright Act 1978, (Act 98 of 1978) all other rights are reserved.
OBJECTIVE
The objective of this PCC is to clarify the interplay between the collection, assessment and reporting of client's personal information and special personal information in compliance with the FIC Act and POPI Act.
1. INTRODUCTION
1.1. An accountable institution must comply with the Financial Intelligence Centre Act 2001 (Act 38 of 2001) (FIC Act) when it establishes a business relationship or conducts a single transaction with a client. Chapter 3 of the FIC Act sets out the accountable institution's obligations which include but are not limited to conducting risk assessments, customer due diligence, account monitoring, scrutinising client information, reporting and record-keeping. In order to comply with the FIC Act obligations, the accountable institution is required to obtain, process and further process certain necessary personal information and special personal information.
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)
Page 3 of 10
1.2. The South African data privacy legislation is the Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPI Act). The POPI Act promotes the protection of personal information and special personal information processed by public and private bodies and sets conditions for obtaining, using and processing of such information.
1.3. The FIC Act applies in a mutually non-conflicting manner to the principles of the POPI Act. The FIC Act provides the necessary justification in law that accountable institutions and reporting institutions require to obtain, process and further process personal information and special personal information in terms of the POPI Act.
1.4. The Centre advises that accountable institutions take note of the below considerations in understanding their FIC Act obligations in light of client privacy concerns. It is advisable to first read Guidance Note 7 for a comprehensive view of FIC Act obligations, prior to these below considerations.
1.5. This PCC provides an overview of the application of the FIC Act in respect of data privacy legislation for accountable institutions.
2. RISK BASED APPROACH
2.1. Accountable institutions must apply a risk-based approach to combating money laundering, terrorist financing and proliferation financing (ML/TF/PF). The risk-based approach is founded on the principle of proportionality, the higher the ML/TF/PF risk, the more enhanced the measures that must be applied by the accountable institution for customer due diligence (CDD) and ongoing due diligence (ODD). The enhanced measures may include the collection of more information from clients.
2.2. The personal information and special personal information that the accountable institution obtains, uses and further processes must be necessary to achieve the objectives of the FIC Act.
2.3. The personal information and special personal information obtained about the client in terms of the FIC Act should be adequate, accurate, relevant, up to date and
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)
Page 4 of 10
proportionate to the ML/TF/PF risk level, for the purposes of complying with the obligations of the FIC Act, taking into account section 38 of the POPI Act.
2.4. Where the accountable institution obtains personal information and special personal information, that is not required and not necessary to achieve the purposes of the FIC Act, and which is not proportionate to the ML/TF/PF risk, this would amount to an excessive collection of information which is not aligned to the principles of data privacy. The harmony between the application of the FIC Act and the POPI Act lies in, and is achieved by, the accountable institution asking only for personal information and special personal information that is necessary to achieve the purposes of the FIC Act.
3. CUSTOMER DUE DILIGENCE
3.1. Upon establishing a business relationship or conducting a single transaction when collecting personal information or special personal information, the accountable institution is advised to inform or disclose to the client, that the accountable institution must comply with its obligations in terms of the FIC Act. In order to do so it has to obtain, use and further process certain personal information and special personal information.
3.2. Once the accountable institution has obtained the information for purposes as set out in the FIC Act, it may then use that personal information and special personal information for processing and further processing to comply with their obligations in terms of the FIC Act.
3.3. Clients have the freedom to choose whether to establish or continue with a business relationship or conduct a single transaction with the accountable institution. The accountable institution may advise a client on the consequences should the client refuse to provide personal information or special personal information, provided such information does not amount to tipping off.
3.4. Where the client does establish or opts to continue with a business relationship or conduct a single transaction, the accountable institution must comply with its
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)
Page 5 of 10
obligations in terms of the FIC Act. Where the client refuses to provide personal information or special personal information as required for purposes of complying with the FIC Act and bases the refusal on data privacy concerns or laws, the accountable institution:
3.4.1. May not establish a business relationship or conduct a single transaction with a client
3.4.2. May not conclude a transaction in the course of a business relationship, or perform any act to give effect to a single transaction
3.4.3. Must terminate an existing business relationship with a client in accordance with the accountable institution's risk management and compliance programme (RMCP $^1$ ), and
3.4.4. Consider filing a report in terms of section 29 of the FIC Act.
3.5. Where an accountable institution follows an approach of single client view, it is recommended that the client be notified that their information is shared across group functions, including where this information is shared cross-border. (see PCC 43 on the sharing of information).
3.6. Where required, accountable institutions should take note of section 57 and 58 of the POPI Act and should consider application for prior authorisation where personal information and special personal information is to be transferred outside of South Africa.
4. REPORTING
4.1. Conducting certain obligations in terms of the FIC Act amounts to processing in terms of the POPI Act which includes, but is not limited to, filing of FIC Act section 28, 28A and 29 regulatory reports with the Centre. The filing of reports as processing of personal information and special personal information is justified as it is an obligation imposed by the FIC Act.
4.2. An accountable institution may not disclose information relating to a regulatory report filed with the Centre in terms of section 29 of the FIC Act (unless as provided for in
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)
Page 6 of 10
law). The Centre strongly discourages the disclosing of information relation to a report filed with the Centre in terms of section 28, and section 28A of the FIC Act (unless as provided for in law). Further the accountable institution may not disclose information relating to requests for information in terms of section 27 and section 32 of the FIC Act.
4.3. Disclosing that a regulatory report was submitted to the Centre in terms of section 29 of the FIC Act, or the content of such a report other than as provided in terms of the FIC Act is regarded as a tipping off offence in terms of the FIC Act (section 29(4)).
4.4. The accountable institution can collect personal information and special personal information from a third party where compliance with the requirement to collect directly from the client or other persons would prejudice the lawful purpose of the collection. There is justification for the accountable institution to obtain such further information from a third party and not directly from the client or other person, as the collection of information directly from the client may amount to tipping off.
5. RECORD KEEPING
5.1. Records of personal information and special personal information being kept by the accountable institution or a third party on behalf of the accountable institution must be held for the purposes of combating money laundering, terrorist financing and proliferation financing, in accordance with the FIC Act and the Money Laundering Terrorist Financing Regulations, read together with the accountable institution's RMCP.
5.2. Where the period, as set out in the FIC Act read together with the accountable institution's RMCP lapses, the personal information and special personal information may not be used for purposes of the FIC Act.
6. USE OF THIRD PARTIES
6.1. Accountable institutions can either obtain personal information or special personal information directly from the client or through the use of a third party. Refer to PCC 12A for further information on the use of a third party. Where the accountable
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)
Page 7 of 10
institution does obtain personal information or special personal information from a third party, the accountable institution is advised to disclose to the client that it relies on third parties for obtaining certain personal information and special personal information (unless such disclosure would prejudice the lawful purpose of the collection disclosure is not required, as stated in paragraph 4.4. above).
7. INTERNATIONAL PRIVACY LEGISLATION AND STANDARDS
7.1. Any restrictions in terms of international privacy legislation or standards do not exempt an accountable institution from complying with their obligations in terms of the FIC Act.
7.2. Accountable institutions are advised to determine whether the data privacy legislation provides for the collection, use and further processing of data when required in terms of law. And if the FIC Act provides the legal justification upon which accountable institutions can collect, use and further process personal information and special personal information in a particular instance.
7.3. Sharing of information across a group allows for effective ML/TF/PF risk identification, mitigation, and management. Further, it enables enhanced screening and monitoring of transactional activity for suspicious and unusual transactions.
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)
Page 8 of 10
8. COMMUNICATION WITH THE CENTRE
8.1. The Centre has a dedicated compliance contact centre geared to assist accountable institutions to understand their compliance obligations in terms of the FIC Act. Please call the compliance contact centre on 012 641 6000 and select option 1.
8.2. Compliance queries may also be submitted online by clicking on: http://www.fic.gov.za/ContactUs/Pages/ComplianceQueries.aspx or visiting the Centre’s website and submitting an online compliance query.
Issued By:
The Director
Financial Intelligence Centre
30 November 2022
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)
Annexure A – Definition of personal information per POPI Act
see https://www.justice.gov.za/inforeg/
Personal information
This means information relating to an identifiable, living, natural person and where it is applicable, an identifiable existing juristic person including but not limited to:
a) Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical, or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of person.
b) Information relating to the education or the medical, financial criminal or employment history of the person.
c) Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
d) The biometric information of the person.
e) The persons opinions, views or preferences of the person.
f) Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
g) The views of opinions of another individual about the person. And
h) The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Annexure B – Definition of special personal information per POPI Act
see https://www.justice.gov.za/inforeg/
Special personal information includes:
a) The religious or philosophical; beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject or
b) The criminal behaviour of a data subject of any to the extent that such information relates to:
i) The alleged commission by a data subject of any offence, or
ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
Public Compliance Communication 22A guidance on information processing in terms of the Financial Intelligence Centre Act 38 of 2001, in relation to the Protection of Personal Information Act 2013 (Act 4 of 2013)