WHAT ARE THE COMPLIANCE DRIVERS FOR THIRD PARTY RISK MANAGEMENT IN SOUTH AFRICA
The world has officially arrived in the age of information, with an ever-increasing amount of company, client and customer data at our fingertips. The growing volume of available information raises the need for organisations to take more responsibility for protecting their data.
Responsibility is not left unchecked; in fact, when we speak about "responsibility" we are referring to the obligation that organisations have to comply with the requirements set out in their applicable industry regulations, e.g. the Protection of Personal Information Act (POPIA).
Larger organisations have various compliance initiatives, one of which is a Third Party Risk Management (TPRM) program, to ensure that their confidential information is securely and safely stored, managed and processed by their third parties. Many organisations host their customer information at third party facilities or allow their third parties to have some degree of access to customer information in order to perform a service.
When TPRM is compared with the various regulatory requirements, it becomes clear that the TPRM function helps an organisation achieve compliance with several regulations at once.
There are common trends across several compliance regulations in South Africa (POPIA, FAIS, NCA and FICA), encouraging organisations to implement a greater degree of due diligence regarding the storage, management and processing of client records.
Here are the common requirements within the POPIA, FAIS, NCA and FICA regulations specifically relating to the management of client records (the retrieval, retention and safekeeping):
The Protection of Personal Information Act (POPIA) requires the following:
Only essential client information is collected and stored.
The information collected should only serve the purpose for which it was collected.
Security measures on the integrity, confidentiality and availability of personal information are in place and up to standard.
The responsible party remains ultimately accountable for ensuring that POPIA is complied with by all third parties processing information on their behalf.
All relevant stakeholders are notified in the event of a data breach.
The Financial Advisory and Intermediary Services Act (FAIS) requires:
The appropriate management of client records (retrieval, retention, safekeeping).
That there is appropriate consent for data shared with third parties.
The National Credit Act (NCA) requires:
That the appropriate retention periods for credit bureau information are adhered to.
Organisations retain only what client information is required to perform the service or provide the product offered to the customer.
Credit information is appropriately maintained by third parties, as stipulated in POPIA.
Policies and controls are in place to prevent unlawful access by third parties to consumer credit information.
Only the required content is used for advertising practices.
The Financial Intelligence Centre Act (FICA) requires:
That appropriate measures are in place to protect personal information in an organisation's possession.
That there is a program in place to promote compliance towards various risk management initiatives (e.g. anti-money laundering).
That the prescribed particulars of a third party that performs duties on behalf of the organisation are known and able to be provided to the supervisory body upon request.
Organisations can leverage their existing TPRM initiatives to help assess, manage and achieve compliance with various regulatory requirements; in this case, the management of client records (the retrieval, retention and safekeeping).