https://www.polity.org.za
Deepening Democracy through Access to Information
Home / Legal Briefs / All Legal Briefs RSS ← Back
Design|Financial|Screen|Screening|Service|Services
Design|Financial|Screen|Screening|Service|Services
design|financial|screen|screening|service|services
Close

Email this article

separate emails by commas, maximum limit of 4 addresses

Sponsored by

Close

Article Enquiry

A POPIA perspective on the Financial Intelligence Centre’s Directive 8


Close

Embed Video

A POPIA perspective on the Financial Intelligence Centre’s Directive 8

Webber Wentzel

25th April 2023

ARTICLE ENQUIRY      SAVE THIS ARTICLE      EMAIL THIS ARTICLE

Font size: -+

The FIC’s Directive 8, requiring accountable institutions to screen employees, should be applied while complying with POPIA’s restrictions on processing personal information.

The Financial Intelligence Centre (FIC) recently published Directive 8 of 2023: Screening of employees for competence and integrity and scrutinising of employee information against targeted financial sanctions lists as money laundering, terrorist financing and proliferation financing control measures.

Advertisement

Directive 8 requires accountable institutions to screen prospective and current employees for competence and integrity, periodically and in a risk-based manner.  Accountable institutions are also required to screen employees against targeted financial sanctions lists. 

The screening process

Advertisement

Accountable institutions must determine and record how the screening for competence, integrity and against financial sanctions lists will be conducted.  They have to keep a record of the manner and outcomes of any employee screenings they have undertaken. The FIC, the Director of the FIC and supervisory bodies which regulate or supervise accountable institutions may from time-to-time request access to an accountable institution’s records on employee screenings.  

In addition, the FIC has published Public Compliance Communication 55 (PCC 55) to provide practical guidance on implementing and complying with Directive 8.  

In terms of PCC 55, all accountable institutions must screen prospective and current employees for competence and integrity, which must be done periodically, using a risk-based approach.

Screening for competency means "determining whether an employee has the necessary skills, knowledge and expertise to perform their functions effectively."  This will involve considering an employee's previous employment history, employment references, qualifications, and relevant accreditations. 

Screening for integrity "relates to the honesty and moral principles of an employee." This will involve determining whether an employee has a criminal record or not, particularly related to crimes of dishonesty, money laundering or financial crimes.  Employers should consider the relationship employees may have with high-risk domestic politically exposed persons or foreign politically exposed persons and whether the person or their locality is identified as a high-risk terrorist financing or proliferation financing area.

PCC 55 does not prescribe how screening should be carried out and accountable institutions are free to determine the manner and methods used to screen employees, provided the screening uses a risk-based approach. A risk-based approach requires an accountable institution to determine the level of risk in an employee's role and ensure that the screening is proportionate. The screening of employees in roles with higher risks should be more stringent.  

Screening for competency and integrity must be done before appointing employees, and periodically after that. Aligned with a risk-based approach, employees whose roles are categorised as higher risk will need to be screened more frequently than employees who are in medium or lower risk roles. 

PCC 55 requires accountable institutions to scrutinise all prospective and current employes against targeted financial sanctions lists. This is not a new requirement per se, as the FIC Act prohibits any person from providing economic support, financial assistance, or other services to any person on a targeted financial sanction list. 

The Role of POPIA

Since the obligation to screen prospective and current employees necessitates processing employees’ personal information, it may raise some alarm about potential infringements of the provisions of the Protection of Personal Information Act 4 of 2013 (POPIA).  

POPIA places various responsibilities on employers in processing their employees’ and prospective employees' personal information. Personal information may only be collected and subsequently processed for a specific, explicitly defined and lawful purpose. When collecting personal information or processing it, accountable institutions should ensure that any processing is done in accordance with a specifically defined, lawful purpose and that the specific purpose is recorded.  Employers should ensure that any collection of personal information or any subsequent processing does not extend beyond its original defined purpose.  

Employers are required to ensure that both prospective and current employees are advised of the purpose for which their personal information will be collected and processed. Employees should be told:

  • the particular law authorising or requiring the collection of the information;
  • whether their personal information will be transferred to a foreign country and the level of protection afforded to the personal information by that country; and
  • their rights to access their personal information, as well as whether their personal information will be shared with third parties (service providers who assist in the screening) and the identity of those third parties.

Directive 8 requires accountable institutions to retain records of the manner and outcomes of any employee screening.  In terms of POPIA, personal information may only be retained as long as is necessary to achieve the purpose for which the information was collected in the first place. However, personal information may be retained longer if it is required or authorised by law. Directive 8 only applies to current and prospective employees. Therefore, when an employee leaves an accountable institution, it should ensure that the employee's personal information is deleted.

Accountable institutions have to ensure that the integrity and confidentiality of any personal information in their possession is maintained by taking appropriate, reasonable technical and organisational measures to prevent unauthorised access or damage to, or destruction of personal information.  

While Directive 8 does not expressly mention POPIA, accountable institutions should be aware that compliance with Directive 8 will trigger certain POPIA concerns and obligations, and that these obligations and POPIA need to be complied with throughout any contemplated screening activities. 

Accountable institutions are encouraged to adopt a 'privacy-by-design' approach when developing a screening methodology, to ensure that POPIA compliance is always front of mind.  This will ensure that they comfortably comply with the requirements of Directive 8 while respecting and adhering to the provisions of POPIA.

Written by Prineil Padayachy, Senior Associate & Peter Grealy, Partner at Webber Wentzel

 

EMAIL THIS ARTICLE      SAVE THIS ARTICLE ARTICLE ENQUIRY

To subscribe email subscriptions@creamermedia.co.za or click here
To advertise email advertising@creamermedia.co.za or click here

Comment Guidelines

About

Polity.org.za is a product of Creamer Media.
www.creamermedia.co.za

Other Creamer Media Products include:
Engineering News
Mining Weekly
Research Channel Africa

Read more

Subscriptions

We offer a variety of subscriptions to our Magazine, Website, PDF Reports and our photo library.

Subscriptions are available via the Creamer Media Store.

View store

Advertise

Advertising on Polity.org.za is an effective way to build and consolidate a company's profile among clients and prospective clients. Email advertising@creamermedia.co.za

View options

Email Registration Success

Thank you, you have successfully subscribed to one or more of Creamer Media’s email newsletters. You should start receiving the email newsletters in due course.

Our email newsletters may land in your junk or spam folder. To prevent this, kindly add newsletters@creamermedia.co.za to your address book or safe sender list. If you experience any issues with the receipt of our email newsletters, please email subscriptions@creamermedia.co.za