Keep up to date on key Financial Services Regulation developments in South Africa during December 2022 and January 2023.
Commencement of the General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act.
On 22 December 2022, the President signed the General Laws (Anti-Money Laundering and Combating Terrorism Financing) Amendment Act, 2022 (Amendment Act) into law. Commencement was gazetted on 31 December 2022.
A detailed analysis of the amendments and cascading commencement dates can be found here.
Prudential Authority Directive on Information on Beneficiaries of Life Insurance Policies and Money Laundering and Terrorist Financing Risks
The Prudential Authority issued this directive on 15 December 2022, and it came into effect on the date of publication, which was 19 December 2022 (the Directive).
The Directive directs all life insurers to undertake specific activities in relation to certain aspects of the customer due diligence (CDD) and money laundering/terrorist financing (ML/TF) risk assessment where they relate to beneficiaries of life insurance policies. In addition to the CDD measures that life insurers must undertake in terms of the Financial Intelligence Centre Act 38 of 2001 (FIC Act), they must also now obtain the particulars of the beneficiaries of life insurance policies as soon as the beneficiary is:
- designated; or
- amended by the client of the life insurer.
The Directive provides that a life insurer must take reasonable steps to determine whether a beneficiary and/or, where required, the beneficial owner of the beneficiary is a domestic prominent influential person (DPIP) or foreign public prominent official (FPPO). If higher risks are identified, life insurers should consider making a suspicious transaction report to the Financial Intelligence Centre.
A life insurer must also consider taking reasonable steps to determine whether a beneficiary and/or the beneficial owner of the beneficiary is not a person on the financial sanctions list in sections 28A and 26B of the FIC Act.
Draft Joint Standard – Cybersecurity and Cyber Resilience Requirements for Financial Institutions, 2023
The Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) issued a revised draft Joint Standard on Cybersecurity and Cyber Resilience Requirements on 13 December 2022 (Standard).
The Standard applies to:
- mutual banks;
- managers as defined in the Collective Investment Schemes Control Act;
- market infrastructure as defined in the Financial Markets Act;
- financial services providers;
- Over-the-Counter derivative providers;
- administrators approved in terms of the Pension Funds Act; and
- registered credit ratings agencies.
The Standard provides that governing bodies of financial institutions are ultimately responsible for oversight of cyber risk management. They may delegate primary oversight activities to an existing or new committee and must ensure that a sound and robust cybersecurity strategy and framework is established, implemented and maintained.
Governing bodies must ensure that roles and responsibilities for security are clearly defined in the contract or service level agreements with third-party service providers.
Cybersecurity strategy and framework
Financial institutions are required to review their cybersecurity strategy regularly, but at least annually, to address changes in the cyber threat landscape, allocate resources, identify and remediate gaps and incorporate any lessons learnt during that period. The cybersecurity framework must clearly articulate how a financial institution will identify cyber risks and determine the controls to keep those risks within acceptable limits.
Cybersecurity and cyber-resilience fundamentals
A financial institution will be required to identify business processes and information assets that support business and delivery of services, including those managed by third-party service providers.
Appropriate and effective cyber resilience capabilities and cybersecurity practices must be implemented to prevent, limit and/or contain the impact of a potential cyber event or cyber incident.
A security-by-design approach must be implemented, which refers to building security into every phase of software development to minimise system vulnerabilities and reduce the attack surface.
The Standard requires all financial institutions to install network security devices to secure the network between the financial institution and the internet, as well as connections with third-party service providers, and deploy network detection or prevention systems to detect and block any malicious traffic.
If a financial institution uses cryptography, it must establish cryptographic key management policies, standards and procedures covering key generation, distribution, installation, renewal, revocation, recovery and expiry.
Comprehensive cybersecurity awareness training programmes should be implemented to maintain a high level of awareness among all users in the financial institution.
Cybersecurity hygiene practices
Financial institutions will be required to establish a security access control policy, enforce strong password protocols and ensure that multi-factor authentication is applied to users with access to critical system functions.
The Standard also requires a financial institution to notify the responsible authority for the financial sector law in terms of which the financial institution is licensed or registered after classifying a cyber incident or an information security compromise as material.
Comments on the Standard are due on or before 28 February 2023. Any queries about the Standard can be addressed to FSCA.RFDStandards@fsca.co.za for the attention of Mr Andile Mjadu and PA-Standards@resbank.co.za for the attention of Ms Kalai Naidoo.
Land Bank Insurance Company SOC Limited v The Prudential Authority (Case No: PA1/2022); and Land Bank Life Insurance Company SOC Limited v The Prudential Authority (Case No: PA2/2022)
The Financial Services Tribunal (FST) heard these two reconsideration applications together as the applicants are related and there was an overlap of issues. The applications were brought pursuant to the Prudential Authority (PA) imposing financial penalties in terms of section 167(1) of the Financial Sector Regulation Act 9 of 2017.
The PA imposed administrative penalties for contraventions of:
- the now-repealed section 23(1)(a) of the Short-Term Insurance Act (STIA);
- section 14(1) of the Insurance Act, 2017; and
- section 16(1) of the Insurance Act, 2017.
In relation to the Land Bank Insurance Company SOC Limited (Insurance Company), the PA made the following findings:
- On 2 December 2015 it amended its memorandum of incorporation and, among other amendments, changed the capital structure. This resulted in an increase in the authorized shares without the requisite approval required in terms of section 23(1)(a) of the STIA in force at the time;
- The Insurance Company appointed various directors to its board of directors without the requisite approval from the PA as required by section 14(1) of the Insurance Act; and
- It effected terminations of directors without the requisite notifications to the PA as required by section 16(1) of the Insurance Act.
In relation to the Land Bank Life Insurance Company SOC Limited (Life Company), the PA held that it too contravened sections 14(1) and 16(1) of the Insurance Act.
The FST held that, since the PA granted the Insurance Company and the Life Company retrospective approval for the appointment of directors, the PA undermined its own contention that prior approval was necessary. The FST held that there was accordingly no contravention of section 14(1).
In respect of the section 16(1) contravention, the Insurance Company and the Life Company did not seek a reconsideration of the decision, but objected to the penalty amount. The FST held that there was no indication that the PA, the Company, its shareholders or policyholders were in any way affected by the breach and that the penalty was excessive. The FST replaced the initial penalty imposed and reduced it to ZAR 250 000.00 each. Half of this penalty is suspended on condition that the Insurance Company and the Life Company do not commit similar offences during a period of three years.
The FST also held that the PA could not introduce a penalty for contravening section 23 of the STIA, since the STIA contained no provision for such a penalty. The FST therefore held that the PA could not have competently imposed a penalty on the Insurance Company for the contravention.