The Wars between the Laws: POPIA v FICA
06 Oct 2023
We often receive questions regarding the intersection between the Financial Intelligence Centre Act (FICA) and the Protection of Personal Information Act (POPIA). At first glance, their nature appears to be at odds with one another: FICA encompasses collecting and verifying client’s personal information, documents and disclosures whereas POPIA is designed to give effect to the constitutional right to privacy and to provide safeguards for the collection, storage and processing of, and the securing of the integrity and confidentiality of, personal information and special personal information.
Contextually in terms of the POPIA, personal information includes for example, a persons (natural or juristic) identifying number, physical address and location information. Special personal information includes information relating to race or ethnic origin, biometric information or any criminal behaviour of a person.
However, the two Acts are not dissimilar in as much as there are comprehensive mechanisms to safeguard such personal, private information. For example, personal information can only be processed for the specific, lawful purpose for which it was gathered. FICA therefore provides the relevant legal rationale and justification for such processing as through the FICA obligation of Customer Due Diligence, Accountable Institutions are mandated to obtain documents and disclosures aimed at getting to know your natural or legal person client, including identity and registration documents respectively, as well as proof of address documents.
We often have situations where clients of Accountable Institutions refuse to provide FICA documents based on their right to privacy and securing their confidential information. However, FICA is quite explicit in this regard. Section 1A provides that “if any conflict, relating to the matters dealt within this Act, arises between this Act and the provisions of any other law existing at the commencement of this Act, save the Constitution, the provisions of this Act prevail”.
Therefore, only the Constitution, the supreme law of the land, trumps FICA if there is a conflict of laws. In addition, any restrictions in terms of international privacy legislation or standards does not absolve an Accountable Institution from complying with its FICA obligations.
Public Compliance Communication 22A specifically deals with the uncertainty between FICA and POPIA and reiterates the above, providing that “the FIC Act applies in a mutually non-conflicting manner to the principles of the POPI Act”. The FICA applies the principle of proportionality in terms of its risk-based approach. This allows enhanced measures to be taken where the money laundering, terrorist and proliferation financing risks are higher, and more simplified measures where those risks are lower.
Effectively, this means in terms of POPIA, that additional personal information may be requested for higher-risk relationships with the caveat being that the personal information must be necessary to achieve the purposes of the FICA, in other words to get to Know Your Client (KYC) through performing adequate and comprehensive CDD.
It is always important to communicate to your clients that in order to comply with FICA, their personal information is required to be collected and processed in accordance with POPIA. This communication is typically done in terms of your onboarding form/mandate letter.
Should your clients be unwilling or refuse to provide you with identity information and documents, the FIC Act is quite strict in this sense, preventing you from entering into a single transaction/business relationship or having to terminate an existing business relationship if you cannot identify your client and to consider logging a report with the Financial Intelligence Centre.
If there are suspicions around the reasons a client is refusing to provide information, then the filing of a suspicious activity report to the FIC which contains details of your client’s refusal would be justifiable.
It should be remembered that an Accountable Institution cannot communicate with its clients that a report regarding them is being logged, or will be if they do not provide such personal information, as this would amount to “tipping off” and would lead to the FICA being contravened resulting in a possible administrative sanction.
In summary, although clients of Accountable Institutions may refuse to provide you with their personal information, citing POPIA as a reference, FICA provides the justification for such disclosures and documents to be collected, stored and processed. This is why communicating to your clients the necessity of collecting their personal information, through the lens and purpose of FICA, therefore providing the necessary rationale for such collection, storage and processing, is of utmost importance.
- Five reasons why you should automate your FICA process
- Significant developments in reporting beneficial ownership
- Risk and compliance reporting: Legal practitioners not above the law
- POPIA – Who is your information officer?