The FIC’s Directive 8, requiring accountable institutions to screen employees, should be applied while complying with POPIA’s restrictions on processing personal information.
The Financial Intelligence Centre (FIC) recently published Directive 8 of 2023: Screening of employees for competence and integrity and scrutinising of employee information against targeted financial sanctions lists as money laundering, terrorist financing and proliferation financing control measures.
Directive 8 requires accountable institutions to screen prospective and current employees for competence and integrity, periodically and in a risk-based manner. Accountable institutions are also required to screen employees against targeted financial sanctions lists.
The screening process
Accountable institutions must determine and record how the screening for competence, integrity and against financial sanctions lists will be conducted. They have to keep a record of the manner and outcomes of any employee screenings they have undertaken. The FIC, the Director of the FIC and supervisory bodies which regulate or supervise accountable institutions may from time to time request access to an accountable institution’s records on employee screenings.
In addition, the FIC has published Public Compliance Communication 55 (PCC 55) to provide practical guidance on implementing and complying with Directive 8.
In terms of PCC 55, all accountable institutions must screen prospective and current employees for competence and integrity, which must be done periodically, using a risk-based approach.
Screening for competency means "determining whether an employee has the necessary skills, knowledge and expertise to perform their functions effectively." This will involve considering an employee's previous employment history, employment references, qualifications and relevant accreditations.
Screening for integrity "relates to the honesty and moral principles of an employee." This will involve determining whether an employee has a criminal record or not, particularly related to crimes of dishonesty, money laundering or financial crimes. Employers should consider the relationship employees may have with high-risk domestic politically-exposed persons or foreign politically-exposed persons and whether the person or their locality is identified as a high-risk terrorist financing or proliferation financing area.
PCC 55 does not prescribe how screening should be carried out and accountable institutions are free to determine the manner and methods used to screen employees, provided the screening uses a risk-based approach. A risk-based approach requires an accountable institution to determine the level of risk in an employee's role and ensure that the screening is proportionate. The screening of employees in roles with higher risks should be more stringent.
Screening for competency and integrity must be done before appointing employees, and periodically after that. Aligned with a risk-based approach, employees whose roles are categorised as higher risk will need to be screened more frequently than employees who are in medium or lower risk roles.
PCC 55 requires accountable institutions to scrutinise all prospective and current employees against targeted financial sanctions lists. This is not a new requirement per se, as the FIC Act prohibits any person from providing economic support, financial assistance, or other services to any person on a targeted financial sanction list.
The Role of POPIA
Since the obligation to screen prospective and current employees necessitates processing employees’ personal information, it may raise some alarm about potential infringements of the provisions of the Protection of Personal Information Act 4 of 2013 (POPIA).
POPIA places various responsibilities on employers in processing their employees’ and prospective employees' personal information. Personal information may only be collected and subsequently processed for a specific, explicitly-defined and lawful purpose. When collecting personal information or processing it, accountable institutions should ensure that any processing is done in accordance with a specifically-defined, lawful purpose and that the specific purpose is recorded. Employers should ensure that any collection of personal information or any subsequent processing does not extend beyond its original defined purpose.
Employers are required to ensure that both prospective and current employees are advised of the purpose for which their personal information will be collected and processed. Employees should be told:
- the particular law authorising or requiring the collection of the information;
- whether their personal information will be transferred to a foreign country and the level of protection afforded to the personal information by that country; and
- their rights to access their personal information, as well as whether their personal information will be shared with third parties (service providers who assist in the screening) and the identity of those third parties.
Directive 8 requires accountable institutions to retain records of the manner and outcomes of any employee screening. In terms of POPIA, personal information may only be retained as long as is necessary to achieve the purpose for which the information was collected in the first place. However, personal information may be retained longer if it is required or authorised by law. Directive 8 only applies to current and prospective employees. Therefore, when an employee leaves an accountable institution, the institution should ensure that the employee's personal information is deleted.
Accountable institutions have to ensure that the integrity and confidentiality of any personal information in their possession is maintained by taking appropriate, reasonable technical and organisational measures to prevent unauthorised access to, damage to, or destruction of personal information.
While Directive 8 does not expressly mention POPIA, accountable institutions should be aware that compliance with Directive 8 will trigger certain POPIA concerns and obligations, and that these POPIA obligations need to be complied with throughout any contemplated screening activities.
Accountable institutions are encouraged to adopt a 'privacy-by-design' approach when developing a screening methodology, to ensure that POPIA compliance is always front of mind. This will ensure that they comfortably comply with the requirements of Directive 8 while respecting and adhering to the provisions of POPIA.