We have, on multiple occasions, published articles on the Banking Association of South Africa’s (BASA) code of conduct. On 11 June 2021, the Information Regulator published a notice stating that it was in receipt of a code of conduct from BASA. This notice invited affected persons to provide comments to the code of conduct. Subsequently, a similar notice was issued by the Information Regulator on 24 June 2022 once again inviting affected persons to provide comments to the code of conduct. Interestingly, there had been no substantial changes to the code of conduct between the period 11 June 2021 and 24 June 2022.

After multiple rounds of comments and reissues of BASA’s code of conduct, the Information Regulator recently issued the approved and final version of the code of conduct. Although it remains substantively consistent with its earlier versions, the approved version does feature some changes. These include a bolstered description of BASA’s role and function within the banking industry. It also adds a description of some of the member banks’ processing activities that may be subject to the code of conduct. We detail below the core aspects of the updates to BASA’s code of conduct.

The “Accountability” section of the code of conduct has been bolstered to include an overview of the compliance functions of member banks in terms of the Banks Act 94 of 1990. These compliance functions are governed by compliance frameworks which consider the identification, management, monitoring and reporting of compliance risk. The member banks recognise that POPIA must be included in their regulatory risk universes and that adequate controls must be implemented to mitigate any risk of non‑compliance with POPIA.

The “Information Quality” section adds further requirements in terms of the King IV Code of Governance Principles, the King IV Report on Governance, BASEL Principles for effective risk data aggregation and risk reporting, and Select International Organisation for Standardisation standards.

The “Openness” section has been improved to add points on the use of personal information to detect, prevent and report fraud and other financial crime in compliance with various pieces of legislation including:

• Financial Intelligence Centre Act 38 of 2001 (FICA);
• The Prevention and Combatting of Corrupt Activities Act 12 of 2004;
• Prevention of Organised Crime Act 121 of 1998;
• Protection of Constitutional Democracy Against Terrorist and Related Activities Act 33 of 2004;
• Financial Action Task Force Recommendations; and
• Cybercrimes Act 19 of 2020.

Under the section dealing with notification of security compromises, the code of conduct adds that data subjects could take various steps to protect themselves against harm should their personal information form part of a security compromise. The various steps include:

Obtaining a free credit bureau report from a registered credit bureau to ensure that no unauthorised entries have been made on their credit bureau report.

Obtaining a report from the deeds office to establish if there are any titles or caveats registered against their name.

The “Automated Decision‑Making” section of the code of conduct adds further commitments from the banks which include undertakings that member banks will:

• Identify all of their processes that use automated decision making.
• Assess whether the identified processing is lawful in terms of POPIA and the code of conduct.
• Implement safeguards appropriate for the identified processes.
• Ensure that data subjects are informed of their rights in respect of automated decision making.
• Embed processes, that will be reviewed and amended where needed, to give effect to the data subject rights to make representation about an automated decision.
• Monitor automated decision making as part of our ongoing risk management frameworks.

The code of conduct sets out the responsibilities and functions of an independent adjudicator appointed by BASA to hear and decide on a complaint lodged by a data subject. It is noteworthy that complaints will be adjudicated in Johannesburg and in accordance with the rules of the Arbitration Foundation of Southern Africa’s domestic arbitration rules. Further, any adjudication of a complaint will be conducted in camera (i.e. in private) and parties involved will be required to treat it as confidential.

The independent Adjudicator will be required to apply the principles in section 44 of POPIA when determining any decision which relates to the unlawful processing of personal information. This includes having due regard to the conditions for the lawful processing of personal information. It also includes having due regard to the protection of all human rights and social interests that compete with privacy. Further, an Independent Adjudicator must take into account international obligations accepted by South Africa as well as consider any developing general international guidelines relevant to the better protection of individual privacy.

There is also an obligation on the Independent Adjudicator to submit a report to the Information Regulator annually detailing the complaints dealt with, with specific attention to the number and nature thereof.

Lastly, the code of conduct contains an annexure comprising a list of important websites relevant to the code of conduct.

It is noteworthy that the code of conduct secures an exemption for the member banks against obtaining prior authorisation as contemplated in section 57 of POPIA. Accordingly, member banks may process:

Any unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection and with the aim of linking the information together with information processed by other responsible parties such as a data subject’s bank account number. The code of conduct does not specify whether such other responsible parties include companies within the same group of companies as a member bank. Further, it does not specify the purposes for which the further processing of unique identifiers will be used for. Accordingly, this question is left open which makes it interesting to see whether it is or will be addressed in the member banks’ respective privacy policies.

Information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties which are also accountable institutions as contemplated under FICA. The purpose thereof is to ensure that such third parties which are also accountable institutions comply with customer due diligence and reporting obligations under FICA.

Information for the purposes of credit reporting given that member banks are also members of the South African Credit and Risk Reporting Agency.

The transfer of special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

Overall, BASA’s code of conduct echoes the prescripts of POPIA. It is an express commitment by the member banks of BASA to adhere to POPIA, with some examples of how that may look like practically. Without being too prescriptive, the code of conduct aims to establish privacy standards which the member banks must aspire to whilst leaving room for each member bank to assess how it can achieve compliance with the relevant aspects of POPIA as applicable to them. Given this approval by the Information Regulator, it will be interesting to note whether or not subsequent codes of conduct will follow the same structure and approach as BASA or whether the Information Regulator may look for something more or less depending on the context of the applicant. That notwithstanding, what is clear is the fact that a code of conduct should take the prescripts of POPIA and convey how a particular industry or sector intends to achieve the necessary compliance and maintain those standards.

Written by Ahmore Burger-Smidt, Head of Regulatory Practice and Nyiko Mathebula, Associate; Werksmans