According to the site Malaphor, quandrum is a word combining ‘quandary’ (dilemma) and ‘conundrum’ (a puzzle).¹ When finding a workable solution between customer due diligence (CDD) requirements, the General Data Protection Regulation (GDPR) and the Protection of Personal Information Act (POPIA), compliance becomes a puzzle and a dilemma at the same time, a quandrum.

Compliance can be a puzzle due to the number of legislations pertaining to privacy rights combined with the obligations put on banking institutions regarding CDD requirements. It is counter-intuitive to comply with CDD requirements, GDPR and POPIA legislations simultaneously. On the one hand, there is a legal restriction to obtain privacy information and on the other, there is an obligation to do so, which creates a dilemma. However, CDD and privacy data management under GDPR and POPIA should form an integral part of a robust money laundering and terrorist financing risk management system.

Legal Requirements in South Africa (POPIA) and Europe (GDPR) to Safeguard Personal Information in Relation to CDD

There is a general misconception that a controller is GDPR and POPIA compliant when that institution safeguards privacy information from being illegally accessed or hacked. Accordingly, accountable institutions put great emphasis on cybersecurity to safeguard privacy information. This emphasis on cybersecurity is of great importance. However, Cybersecurity is the endgame of South Africa’s POPIA and Europe’s GDPR in compliance, not the opening move. The European Data Protection Board (EDPB) states the following in its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default:²

‘Safeguards act as a second tier to secure data subjects’ rights and freedoms in the processing… enabling data subjects to intervene in the processing, providing automatic and repeated information about what personal data is being stored, or having a retention reminder in a data repository may be examples of necessary safeguards. Another may be implementation of a malware detection system on a computer network or storage system in addition to training employees about phishing and basic “cyber hygiene”.’

GDPR compliance starts with lawfully ‘processing’ privacy information. Processing³ as defined by the GDPR, would include the ‘collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ of personal information.

Article 6 (1) of the GDPR⁴ stipulates the following six requirements that must be met to process personal data lawfully and states as follows:

1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Section 11 (1) of POPIA⁵ also stipulates six requirements that must be met to process personal data lawfully and states as follows:

1. The data subject or a competent person where the data subject is a child consents to the processing.
2. Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
3. Processing complies with an obligation imposed by law on the responsible party.
4. Processing protects a legitimate interest of the data subject.
5. Processing is necessary for the proper performance of a public law duty by a public body.
6. Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

Data Protection by Design and by Default: The Umbrella Clause

Data protection by design and by default (DPbDD) under Article 25 of the GDPR requires data protection, and therefore compliance, to occur ‘both at the time of the determination of the means for processing and at the time of the processing itself.’⁶ Under POPIA Section 18 (2)(a), only when data is collected directly from the data subject must it be informed before collection takes place. POPIA Section 18 (2)(b) further stipulates that in other cases where data is collected from a data subject, the data subject must be informed ‘before the information is collected or as soon as reasonably practicable after it has been collected.’

The EDPB describes the core obligation of DPbDD as 'the effective implementation of the data protection principles and data subjects' rights and freedoms by design and by default.’⁷ Article 6 of the GDPR stipulates the ‘rights and freedoms’ of a data subject.

DPbDD stipulates compliance must be the outcome by default. Such compliance must have been provided when procedures and the need for processing were established. The EDPB describes, inter alia, two key design and default elements namely predetermination—'the legal basis shall be established before the processing takes place’―and cessation—'when the legal basis ceases to apply, the processing shall cease accordingly.’

The consequence of DPbDD is that the requirements of Article 6 (and all other relevant GDPR regulations) must first be met before lawful processing may take place. Therefore, the relevant compliance with Article 6 must occur during processing i.e. consent must be given before or at the time of processing, a contract must already exist binding a legal obligation at the time of processing, etc.

CDD in South Africa

South Africa has three anti-money laundering (AML) and anti-terrorism legislations: the Prevention of Organised Crime Act, 1998 (POCA), the Financial Intelligence Centre Act, 2001 (FICA) and the Protection of Constitutional Democracy Against Terrorist and Related Activities Act, 2004 (POCDATARA). POCA and POCDATARA criminalise money laundering and terrorist financing. FICA regulates and prescribes CDD measures to combat money laundering and terrorist financing and ensures information sharing to support these investigations.⁸

The Financial Intelligence Centre Amendment Act, 2017 (FIC Amendment Act) shifted compliance from a rule-based approach to a risk-based approach. The amended act still maintains some rule-based aspects under Section 21(1) by requiring the identification and verification of clients of accountable institutions and ‘in instances where the client acts on behalf of another person or where another person acts on behalf of a client.’⁹

However, the FIC Amendment Act introduces two fundamental principles that are directly linear to the requirements of the GDPR and POPIA. Under FIC Amendment Act Section 21(1), compliance must occur ‘in the course of concluding that single transaction or establishing that business relationship’ and in accordance with the accounting institution's Risk Management and Compliance Programme (RMCP).

DPbDD requires that compliance must occur at the time of processing and must take effect by default. Such compliance must have been provided during the processing procedures and the need for processing were established.

The RMCP is comprised of the policy documents, procedures, systems and controls that must be implemented within the institution with regards to CDD. By definition, it complies with the principles described by DPbDD.

The FIC Amendment Act ‘requires accountable institutions to apply a risk-based approach when carrying out customer due diligence measures’¹⁰ and Section 42 ‘places an obligation on accountable institutions to develop, document, maintain and implement an RMCP.’¹¹

In a robust money laundering and terrorist financing risk management system, the ‘accountable institution must be able to demonstrate how they contextualise the concepts of "ML/TF risk" within their particular businesses as having an impact on their operational, line management and strategic objectives’ as it is defined by Guidance Note 7.¹²

The following diagram demonstrates the application of risk management systems and controls:

‘The application of risk management systems and controls must be commensurate with the extent of assessed risks.’¹³

DPbDD and CDD Requirements: How to Build the Puzzle and Crack the Code?

The compliancy quandrum is not the result of the relevant legislation's incompatibility but rather how to fit together the different pieces of compliance requirements. The GDPR and POPIA do not prohibit obtaining privacy information data as required by CDD regulations, but instead, they stipulate the legal obligations on how to do so. It is how accountable institutions comply with these regulatory requirements that will dictate the legality of data gathering.

Furthermore, under the GDPR, Article 5(1) and Sections 13 and 14 of POPIA, accountable institutions may only collect privacy information for the specified, explicit and legitimate purpose for which it was collected and may not further process the data ‘in a manner that is incompatible with the purposes for which they were collected.’

Therefore, processing regimes must be shaped by the purposes for which data is collected. DPbDD requires financial institutions to categorically and clearly design processing regimes that specifically provide for CDD requirements. These processing regimes must be fully incorporated into the RMCP.

Legal Basis Under GDPR and POPA to Obtain CDD Data

There are three legal grounds under Article 6 of the GDPR and Section 11 of POPIA by which an accountable institution may obtain CDD data:

• Consent by the data subject
• Processing to comply with the controller’s legal obligations
• Processing for the controller's legitimate purpose or by a third party

Consent would be the easiest and most straightforward way for an accountable institution to obtain CDD information. However, consent comes with several pitfalls. Consent can be withdrawn, and the data would then be potentially subject to data privacy rights, such as the right to be forgotten (data erasure). For instance, inadequate DPbDD frameworks that fail to clearly and effectively frame the collection of CDD information would force the accountable institution to comply with such requests legally.

CDD requirements are undeniably a legal obligation for banking institutions and as controllers, they are subject to the relevant AML legislation. Therefore, an accountable institution may legally obtain CDD information from its clients without consent.

It is mandatory for clients to provide all CDD information. Refusal of service is a legal obligation―not a choice―under the FIC Amendment Act when clients refuse to provide personal information required for CDD purposes. The following are the consequences for institutions when a client refuses to provide such information, stipulated by the FIC Amendment Act, Section 21E:

The institution:

• May not establish a business relationship or conclude a single transaction with a client
• May not conclude a transaction in the course of a business relationship, or perform any act to give effect to a single transaction, or
• Must terminate, in accordance with its risk management and compliance programme, an existing business relationship with a client

An accountable institution can obtain CDD information with a legitimate interest. Getting CDD information is a legitimate interest pursued by the controller under the GDPR.¹⁴ Recital 47 EU GDPR clarifies that ‘the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned’ and Recital 71 EU GDPR allows profiling for the purposes of fraud prevention under certain circumstances.

Conclusion

Unravelling the compliance dilemma and putting the puzzle together begins with a well-thought out RMCP that incorporates the principles of DPbDD. This would entail the detailed definition of CDD requirements, as stipulated by AML legislation, and compiling the procedures and processes to gather privacy information before implementation. Thereafter, strict adherence to the RMCP must follow to allow accountable institutions to obtain information in accordance with their legal obligations.

Gideon Petrus Bouwer, information technology law attorney, Cyberlawforensics, Pretoria, South Africa, gideon@cyberlawforensics.co.za

1. David Malaphor, “I have a quandrum,” The Malaphor King, August 16, 2016, https://malaphors.com/2016/08/16/i-have-a-quandrum/
2. “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default,” European Data Protection Board , 13 November 2019, https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201904_dataprotection_by_design_and_by_default.pdf
3. ‘Processing’ means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. “Art.6 GDPR Lawfulness of processing,” Intersoft Consulting, https://gdpr-info.eu/art-6-gdpr/
5. “Section 11 Consent, justification and objection,” popia.co.za, https://popia.co.za/section-11-consent-justification-and-objection/
6. “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default,” European Data Protection Board , 13 November 2019, pg. 10 par. 32, https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201904_dataprotection_by_design_and_by_default.pdf
7. “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default,” European Data Protection Board, 13 November 2019, https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_201904_dataprotection_by_design_and_by_default.pdf
8. “Draft Guidance on The Implementation of New Measures to be Introduced by the Financial Intelligence Centre Amendment Act, 2017,” Financial Intelligence Centre, https://www.fic.gov.za/Documents/DRAFT%20GUIDANCE%20ON%20THE%20IMPLEMENTATION%20OF%20THE%20AMENDMENT%20ACT%20as%20of%2014%20June%202017.pdf
9. “Customer Due Diligence Under the FIC Amendment Act,” Consumer Profile Bureau , 19 September 2017, https://www.consumerprofilebureau.com/customer-due-diligence-under-the-fic-amendment-act/
10. Ibid.
11. Ibid. See par. 166.
12. “Guidance Note 7 On the Implementation of Various Aspects of the Financial Intelligence Centre Act, 2001 (Act 38 of 2001),” Financial Intelligence Centre , page 10 par. 20, https://www.fic.gov.za/Documents/171002_FIC%20Guidance%20Note%2007.pdf
13. “Draft Guidance on The Implementation of New Measures to be Introduced by the Financial Intelligence Centre Amendment Act, 2017,” Financial Intelligence Centre , https://www.fic.gov.za/Documents/DRAFT%20GUIDANCE%20ON%20THE%20IMPLEMENTATION%20OF%20THE%20AMENDMENT%20ACT%20as%20of%2014%20June%202017.pdf
14. “Recital 47 EU GDPR,” PRIVAZYPLAN, http://www.privacy-regulation.eu/en/r47.htm