Keep up to date on key Financial Services Regulation developments in South Africa during October 2022.
FSCA Conduct Standard on third party cell captive insurance business
On 30 September the FSCA published its Conduct Standard, setting out the requirements for a third-party cell captive insurance business in terms of the Financial Sector Regulation Act, 2017 (FSR Act).
The Conduct Standard sets out key requirements for cell captive insurers:
- Governance and oversight;
- Disclosure;
- Reporting; and
- Additional requirements for ownership.
Governance and oversight requirements
Cell captive insurers must undertake comprehensive due diligence assessments of the business of a cell owner prior to entering into any cell structure. The detailed assessment of the cell structure which is required under the due diligence is set out in the Conduct Standards.
Disclosure requirements
Before entering into a policy, a cell captive insurer must provide a potential policyholder with details of:
- the nature of the relationship between the cell captive insurer and the cell owner;
- the remuneration arrangements between the cell owner and the cell captive insurer, where the cell owner is a non-mandated intermediary; and
- fees or charges payable by the policyholder to the cell owner.
Any changes to these details must be disclosed to the policyholder at the earliest reasonable opportunity.
Reporting requirements
A cell captive insurer is required to notify the FSCA in writing at least 30 days before entering into any cell structure. The FSCA may raise objections to the cell structure agreement and instruct the cell captive insurer to resolve them or amend any of the terms and conditions of the cell structure. At least 60 days prior to termination of the cell structure, the cell captive insurer must inform the FSCA in writing of the details of the termination.
Additional requirements for ownership of cell structures by non-mandated intermediaries
The Conduct Standard lists requirements for a cell captive insurer to have a cell structure with a cell owner that is a non-mandated intermediary. It also lists the steps which must be taken to avoid risks in relation to cell structures with non-mandated intermediaries as cell owners.
The Conduct Standard came into operation on 1 October 2022. Any cell structure entered into before this date must, within two years, comply with the requirements of the Conduct Standard.
Lebashe Financial Services (Pty) Ltd v The Prudential Authority and Others (Case no. 346/2021) [2022] ZASCA 141
On 24 October 2022 the SCA dismissed this appeal against the decision of the Gauteng Division of the High Court (the high court)
On 6 November 2018, the Prudential Authority (the PA) obtained orders in the high court placing Bophelo Life Insurance Company Limited (Bophelo) and Nzalo Insurance Services Limited (Nzalo) (collectively the insurers) into provisional curatorship in terms of section 54(1) of the Insurance Act 18 of 2017. While these orders were in force, the insurers were also provisionally wound up and eventually put into final liquidation.
Lebashe Financial Services (Pty) Ltd (Lebashe), an intervening party in the high court, appealed to the SCA to have the liquidation orders overturned and the curatorships reinstated. This appeal revolved around whether Lebashe had standing in the appeal and, if it did, whether section 54(5) of the Act and the provisional curatorship orders precluded final liquidation orders in respect of the insurers. Lastly, there was a question whether the curator was required to seek or effect the recapitalisation of the insurers.
The SCA found that Lebashe did not have sufficient interest in the matter and therefore lacked locus standi. On whether the provisional curatorship orders precluded final liquidation orders in respect of the insurers, the SCA said the high court ended the curatorship when it issued an order for the final winding-up of the insurers. The SCA said that curatorship was only a means to an end - a temporary measure before possible liquidation. It was never meant to rescue the insurers’ business.
"It follows that the liquidation applications could be proceeded with once the curatorships came to an end. That, in effect, was what happened in the court a quo," wrote Judge Christiaan van der Merwe.
On the question whether the curator was required to seek or effect the recapitalisation of the insurers, the court held that it was not.
The SCA thus disagreed with Lebashe that the liquidation of the insurers was premature and dismissed the appeal with costs.
FSCA Zurich Insurance Company South Africa Ltd v Gauteng Provincial Government (Case no. 734/2021) [2022] ZASCA 127
On 28 September the Supreme Court of Appeal (SCA) dismissed this appeal against the decision of the Gauteng Local Division of the High Court.
The Gauteng Provincial Government (the province) granted a private entity (Bombela) a concession to design, construct, partially finance, operate, maintain, and generate income from the Gautrain Rapid Rail System. When the province submitted a claim for damage to parts of the Gautrain’s tunnel system, its insurer (Zurich) repudiated liability. The province issued summons and the High Court declared Zurich liable to indemnify the province in relation to damage to the tunnels, subject to ‘all the terms and conditions of the policy’. The High Court granted leave to appeal on limited grounds, namely prescription of the province’s claim, whether the rock mass surrounding the void of the tunnels formed part of the property insured, and the enforceability of the court order.
On appeal, the SCA considered Zurich’s contention that prescription began to run on the dates that the tunnels were completed (in 2009) and prescribed before service of summons (in February 2015). It also considered Zurich’s contention that the province must have been aware of the damage that it alleged prior to 2014 because it had a support team in place to monitor the construction of the tunnels.
The court found that the province acquired actual knowledge of damage in 2014. It was not possible to have known about it earlier because of the specialised knowledge and expertise necessary to establish that damage had occurred. It was only when the expert in rock mechanics deduced what damage had been caused and established such damage as fact that the province had a ‘complete cause of action’. Therefore, the province’s claim had not prescribed.
Considering whether the rock mass surrounding the tunnels was ‘property insured’, the court examined the terms of and descriptions in the insurance contract, the dictionary meaning of ‘tunnel’, and the expert evidence. It was held that property insured by the policy included the rock mass surrounding the void created by the process of excavation.
The appeal was dismissed with costs, on the basis that the order of the High Court gives effect to the finding that the damage alleged by the province fell within the terms of the policy.
Department of Trade, Industry and Competition Guidelines on the Exchange of Competitively Sensitive Information between Competitors
On 23 September 2022 the Department of Trade, Industry and Competition (DTIC) published its guidelines on the exchange of competitively-sensitive information between competitors in terms of section 79(1) of the Competition Act, 1998 (the Competition Act).
The Guidelines present the general approach that the Commission will follow in determining whether an exchange of information between firms that are competitors amounts to a contravention of section 4 of the Competition Act.
Factors to be considered in evaluating the harm caused by the exchange of competitively-sensitive information include:
- Market characteristics
The features of a market where competitors operate is an important consideration when evaluating information exchange between competitors. Generally, the higher the concentration and the less the degree of product differentiation in a specific market, the more likely it is that competitively-sensitive information exchanged between competitors may facilitate co-ordinated outcomes in the market and the higher the risk of an infringement of the Competition Act.
- The availability of the information exchange
Competitively-sensitive information shared among competitors to the exclusion of the public may be considered by the Competition Commission (the Commission) as evidence of a likely contravention of the Competition Act. It enables participating firms to achieve co-ordinated outcomes to the detriment of consumers in that market
- The indispensability of competitively-sensitive information, given the purpose of the exchange
The exchange of competitively-sensitive information will be condoned if it leads to efficiency gains that will be beneficial to society. A mechanism of exchange must be created to achieve the objective. The type of information, its aggregation, age, and confidentiality, as well as the frequency of the exchange, must carry the lowest risks to competition and must be indispensable for creating any efficiency gains that firms claim as a result of the exchange.
- Whether the competitively-sensitive information is historical or relates to current or future activities
A firm that provides competitively-sensitive information to competitors about the future, such as its intentions regarding future conduct, or what it anticipates or expects from its competitors’ future conduct, is anti-competitive, because it could constitute or facilitate a collusive understanding among firms.
The Guidelines are not exhaustive. The Commission and/or the Tribunal will still exercise discretion when considering matters concerning the exchange of information, taking into account the market circumstances and the nature of the information exchanged.
Protection of Personal Information Act 4 of 2013 – Codes of Conduct in terms of Chapter 7
On 7 October 2022, in terms of section 62(1) of POPIA, the Information Regulator of South Africa (Information Regulation) published a notice on the proposed codes of conduct by the Banking Association of South Africa (BASA) and the Credit Bureau Association (CBA).
The Information Regulator considered these codes in terms of section 60 of POPIA and approved them.
A code of conduct issued under section 60 of POPIA will come into force on the 28th day after the date of its notification in the Gazette.
The Purpose of the Codes of Conduct are to:
- Promote appropriate practices by members of BASA/ CBA in processing personal information in terms of POPIA;
- Encourage appropriate agreements between members of BASA/ CBA and third parties, regulating the processing of personal information as required by POPIA and dictated by good business practice;
- Establish procedures for members of BASA/ CBA to be guided in their interpretation, principally of POPIA, but also other laws or practices governing the processing of personal information, allowing for complaints against credit bureaux to be considered and remedial action, where appropriate, to be taken.
The Codes of Conduct govern:
- The processing of personal information (including consumer credit information) by credit bureaus that are members of BASA/ CBA in compliance with POPIA and The Banks Act 94 of 1990/ The National Credit Act 34 of 2005;
- Where appropriate, agreements that may be required between members of BASA/ CBA and third parties promoting, and to the extent possible ensuring, that personal information is processed in compliance with POPIA; and
- The enforcement by BASA/ CBA of the provisions of the codes of conduct.
Code of Conduct for the processing of personal information by the banking industry (“Banking Industry Code”)
- The Banking Industry Code proposes processing personal information lawfully and in a reasonable manner that does not infringe on the right to privacy, only if, given the purpose for which it is processed, it is:
- Adequate: Sufficient to properly fulfill the stated purpose.
- Relevant: Personal information has a rational link to that purpose.
- Not Excessive: Ensuring that the processor holds no more personal information than is needed for the stated purpose.
- Participants in the banking industry should ensure that they have a lawful basis for processing that personal information, which may include one of the following:
- Consent by the data subject to the processing;
- The processing is necessary to carry out actions for the conclusion or performance of a contract to which the client is a party;
- The processing complies with an obligation imposed by law;
- The processing protects the client’s legitimate interest;
- The processing is necessary for the proper performance of a public law duty by a public body; or
- It is necessary to pursue the legitimate interests of the responsible party or a third party to whom the information is supplied.
Retention and restriction of records
Participants should not retain records of personal information any longer than is necessary for achieving the purpose for which the information was collected, unless:
- It is required or authorized by law;
- The record is required for lawful purposes related to their functions and activities;
- Retention of the record is required in terms of a contract between the parties; and
- The data subject or a competent person, where the data subject is a child, has consented to the retention of the personal information.
Information quality and security safeguards
Member banks will need to take reasonably practicable steps to ensure that a client’s personal information is complete, accurate, not misleading and updated where necessary.
Code of Conduct – Lawful Processing of Personal Information by Credit Bureaux in South Africa (“Credit Bureau Code”)
All members of the CBA will adopt this Credit Bureau Code and apply its principles to the processing of consumer credit information and personal information.
Unless stated otherwise in the Credit Bureau Code, the definitions set out in POPIA and the NCA will apply.
Lawfulness of Processing
When acting as a responsible party, credit bureaux must ensure personal information is processed lawfully and in a reasonable manner that does not infringe upon the privacy of data subjects. To facilitate processing, bureaux must implement and maintain a data privacy policy requiring the lawful processing of personal information, as provided for in POPIA and elaborated further in the Credit Bureau Code.
Minimality
Credit bureaux will only process personal information if, given the purpose for which the information is processed, the categories and volumes of Information are adequate, relevant and not excessive.
Consent, Justification and Objection
Credit bureaux only process personal information based on one of the acceptable grounds for lawful processing, which are similar to the lawful grounds in BASA’s Code of Conduct.
Collection for a specific purpose
If credit bureaux collect personal information directly from a data subject, they must ensure that the data subject is aware of the specific, explicitly defined, and lawful purpose related to the function and activity of the credit bureau in processing this personal information e.g. where personal information is collected for dispute resolution.
Further processing to be compatible with purpose of collection
The NCA provides a clear definition of the purposes for, and the parameters within which, consumer credit information must be processed. Credit bureaux must apply reasonable commercial and organisational measures to ensure that the processing of personal information complies with the purposes defined in the NCA and prescribed in the NCA Regulations.
Security measures on integrity and confidentiality of personal information
POPIA requires that a responsible party must, in establishing appropriate technical and organisational safeguards to protect personal information, conform to generally accepted information security practices and procedures. If it does not, the bureau could not fulfil its obligations in terms of the NCA and NCA Regulations.
Due to the nature of the information processed by a credit bureau, credit bureaux are required to apply robust information security controls to all processing.
Notification of security compromises
In terms of POPIA, a data subject has the right to know if the security of their personal information has been compromised. Data subjects are in the best position to protect themselves against the abuse of their personal information but, unless they know it has been compromised, they are deprived of this right.
To ensure that credit bureaux comply with their obligations as a responsible party in this regard, they have developed a Compromise Response Guideline that applies to credit bureaux. It describes the processes to be followed in the event of a security compromise as defined by POPIA. The guideline ensures timeous notification of security compromises to the Information Regulator and the data subject, where appropriate.
This summary is not intended to, and does not, constitute legal advice, and may not be relied upon. For further information or tailored advice, please contact Lerato Lamola-Oguntoye or your usual Webber Wentzel contact.