How Should the Legal Practice Council deal with FICA as amended going forward?  – By Nkateko Nkhwashu

 

Significant changes are being ushered in by the Legal Practice Act 28 of 2014 (LPA). Most of these will take effect towards the end of 2018 when other provisions of the LPA officially come into effect. Among the key changes to be introduced under the LPA is the constitution and establishment of the Legal Practice Council (LPC) together with the relevant Provincial Councils (PCs). The LPC is said to have, amongst others, its sights set on the regulation of the profession. In effect, both the LPC and the PCs will take on some of the functions which previously fell within the purview of the Law Society of South Africa (LSSA) as well as the provincial law societies. The latter, for the purposes of this article, are the four regional law societies (RLS) as envisaged under Section 56 of the Attorneys Act 53 of 1979.

Brief background on the profession’s supervision of FICA

Perhaps before getting deeper into some of the key developments which impact on the profession, it is important to take a step back and look at one of the key functions shared by the LSSA and the four RLS. This relates to the supervisory as well as enforcement role related to the Financial Intelligence Centre Act 38 of 2001 (FICA). In terms of Schedule 2 of FICA, the LSSA is designated as the supervisor for the profession. However, since the LSSA is or was more focused on education-related initiatives of the profession, the four RLS played a significant role, albeit limited, in this space. For example, the former provided extensive anti-money laundering and counter-terrorist financing education to the profession via its LEAD programmes, while the latter provided, amongst others, guidelines as well as manuals on how to develop internal controls as required under FICA.

Under FICA, which was premised on the rules-based or ‘tick-box’ approach, it was easier for either the LSSA or the RLS to issue manuals, guidance and/or guidelines. FICA has, however, since undergone a significant change in that it now introduces what is called a Risk-Based Approach (RBA) to customer identification and verification. This has been introduced via the Financial Intelligence Centre Amendment Act 1 of 2017 (FIC Amendment Act). The essence of the new RBA is that it does away with the one-size-fits-all approach; as a result, each institution, irrespective of sector, will individually have to assess its own risk exposure to money laundering and terrorist financing and respond accordingly. This change impacts both the accountable institutions and the supervisory and regulatory authorities including, in the near future, the LPC and its various PCs. This then raises the question as to how both should deal with FICA as amended going forward.

Before looking at what should be done for the profession going forward, it is worth reflecting on some of the concerns raised by the Financial Action Task Force (FATF) in its 2009 mutual evaluation report of South Africa. First, it was noted that the RLS did not have specific powers to impose sanctions in accordance with FICA. More often than not, the contraventions or breaches which were picked up by the RLS came about as a result of probing allegations around attorneys’ trust accounts. What this shows is that previously the RLS gave more focus to issues related to trust accounts than to anything else. Perhaps this is one area which the LPC and PCs should improve upon.

The possible lack of AML/CFT skills and resources on the part of the RLS was also noted by the FATF. In such cases, it was suggested that the profession could tap into the resources of the Financial Intelligence Centre (the Centre) when conducting inspections. Thus, the LPC and PCs can also tap into this in order to enhance skills and expertise and to leverage the Centre’s resources during inspections.

The aforementioned concerns and suggestions, amongst others, demonstrated how immature the supervision of FICA was and continues to be for the legal profession. The FATF report played a significant role in the amendments to FICA as a whole. Furthermore, it triggered other developments within the legal framework pertinent to the legal profession, one key development being the proposed amendments to the Schedules of FICA. This came at an opportune moment, as the LPA, which amends the Attorneys Act 53 of 1979 and the Admission of Advocates Act 74 of 1964, amongst others, was set to take effect. Thus, the substitution of the name of the Attorneys Act in the Schedules (Schedule 1) with that of the LPA will be easy to effect.

Additionally, there were previously proposals by the legal profession that the names of all four RLS be specified in the Schedules so that they become designated supervisory bodies. The process to amend the Schedules is currently underway and should be mindful of, or married to, the developments within the LPA, wherein we now have the LPC and its various PCs as regulators of the profession. Should the LPC and PCs be designated as FICA supervisory bodies, there will be a need to increase their resources substantially to meet their new supervisory and enforcement roles. This is noted and supported in the 2009 FATF report.

These are just some of the concerns which were noted in relation to the legal profession. As already alluded to elsewhere in this article, the FIC Amendment Act introduces significant changes which will need a fresh approach by the LPC and PCs. Evident from the comments and submissions by the LSSA during the consultation period on the FIC Amendment Act was the fact that the profession stands in a unique position compared to other accountable institutions with regard to its legal obligations in terms of FICA. Regard was also had to how the majority of law firms are constituted. This led to a repeated call by the LSSA to have the profession regulated separately from the rest. There was also a call to leave certain exemptions intact; however, under the RBA this is not possible, as each decision or measure employed to counter risks has to be documented and substantiated to the supervisory authorities. Higher-risk scenarios will be met by enhanced due diligence measures and lower risks by simplified measures. There is no room for complete exemption.

As alluded to before, the RBA differs from the rules-based or tick-box approach. Under the latter approach, rules or a prescribed list of requirements, and how to go about complying with them, were spelt out in law. Thus, it was easier for the LSSA or any of the law societies to draw from that and issue manuals, guidelines, etc. Now, under the RBA, firms’ risk responses and appetites will differ from one another. This presents a challenge for the supervisors (i.e. the LPC and PCs) as to how to go about monitoring compliance with the law. Furthermore, this takes us back to the question: how should the LPC and PCs deal with the new requirements of the FIC Amendment Act going forward?

How should the LPC and PCs deal with FICA going forward?

Under the RBA, where the discretion to choose control measures to deal with identified risks is in the hands of the accountable institutions (i.e. law firms), there are very few key things which the LPC and PCs should do and focus on. The first important thing to do is ensure that the call for separate regulation of the profession is maintained. This should be done through, for instance, a sector-specific high-level Guidance Note for the profession. The recently issued Guidance Note 7 on the implementation of various aspects of the Financial Intelligence Centre Act, 2001, is too generic and financial-sector-focused and as a result does very little justice to the interests of the profession. In any case, it is also acknowledged within that guidance that the regulatory authorities are open to issuing other industry-specific guidance notes.

Secondly, and most importantly, the RBA hinges on what is called a Risk Management and Compliance Programme (RMCP) as envisaged under Section 42 of the FIC Amendment Act. The RMCP is said to be the foundation and core basis for an effective implementation of the RBA. It calls for documentation of all efforts as well as the reasoning or justification behind all risk-related decisions taken. This is one key section which I submit should occupy and consume the attention of the LPC and PCs. I suggest that both should strive towards coming up with sector-specific high-level guiding principles of an RMCP (or its content). These can also be taught to and inculcated in legal practitioners via the now proposed Practical Vocational Training (PVT).

Thirdly, it is widely acknowledged that most practices comprise a minimum of two practitioners at most. In such situations, there might be an issue of lack of risk management skills in general. It should be remembered that the RBA rests upon continuous risk assessments. As also acknowledged previously by the LSSA, provision should be made for risk matrix templates specific to the profession. This can be done by the regulatory authorities or alternatively by the LPC and PCs. Such matrices are going to be instrumental and helpful to smaller firms when assessing individual risks and threats.

Finally, pursuant to the FIC Amendment Act, all exemptions applicable to the legal profession have now been withdrawn. The scope of compliance for the profession has, as a result, been widened. Newer, onerous provisions have to be applied by the profession as well, for example identifying and verifying beneficial owners, Prominent Influential Persons, and Legal Entities and Arrangements, continuous risk assessment and the maintenance of RMCPs, etc. The LPC and its PCs will have to come up with outreach and/or educational initiatives specific to the profession on these. These will require resources and expertise for the LPC and the various PCs alike. Again, the regulatory authorities might be helpful in this regard.

Conclusion

In a nutshell, the above background as well as the few key suggestions outlined above are intended to get the LPC and PCs started on how to deal with the FIC Amendment Act. The profession’s approach to FICA or AML/CFT was and is still in its infancy, and the focus is still much more on the regulation of legal professionals as against the public. Furthermore, the fact that its key supervisors lack enforcement and sanctioning ability adds to its challenges. It should however be noted that there are developments underway which might change this position. The formal RBA, flexible and arguably effective as it is, is still fairly new within SA’s regulatory framework and many lessons will still be learned along the way. Finally, with regard to the RBA, the devil is literally in the details, which are not to be entertained since risk profiles and appetites will vary; hence the reason why my suggestions are ‘high-level’.

 Bibliography

Attorneys Act 56 of 1979

Admissions of Advocates Act 74 of 1964

Financial Intelligence Centre Act 38 of 2001

Financial Intelligence Centre Amendment Act 1 of 2017

Legal Practice Act 28 of 2014

Guidance Note 7 on the implementation of various provisions of the Financial Intelligence Centre Act, 2001

South Africa’s 2009 Mutual Evaluation Report by the Financial Action Task Force

Out with the Old and In with the New – Understanding the Legal Practice Act, by Etienne Barnard, 28 October 2015 (De Rebus)

 

 

 


The difference between the Cybercrimes & Cybersecurity Bill and the Critical Information Infrastructure Protection Bill is the thickness of a ‘critical information infrastructure’ wall – By Nkateko Nkhwashu

Introduction

The past few years have seen policy uncertainty take center stage in the affairs of various countries. This happened across borders. Take, for example, the unthinkable election of Mr. Donald Trump as the president of the United States of America. Further, look at the havoc wreaked on the economic outlook of South Africa (SA) by, inter alia, credit ratings downgrades. Everywhere, domestically or internationally, challenges attributed to policy uncertainty sprang up. This, inter alia, led to a trust deficit between the citizenry and the government of the day. Amongst the few positives to emerge out of these uncertain times is the collective power of the people, or rather the strong voice of civil society groups (in influencing policy direction).

The aforementioned trust deficit between government and various stakeholders is still prevalent to this day in SA. All the above about policy uncertainty and trust deficit is meant as a prelude to a discussion about some of the challenges which surrounded two key and topical pieces of legislation currently before the parliament of SA. These are the Cybercrimes and Cybersecurity Bill [B-2017] (Cybercrimes Bill) and the Critical Information Infrastructure Protection Bill [B-2015]. The discussion and clarification herein will draw substantially from the Cybercrimes Bill.

Around 2015 it was recognized that cybercrime and threats were on the rise in SA. For instance, it was statistically reported that cybercrime had become the 4th most reported economic crime. This happened regardless of the fact that SA had, or has, many pieces of legislation dealing with various parts or instances of cybercrime and threats. As a result, it was resolved that a draft Bill be put in place to, amongst others, harmonize and consolidate the existing pieces of legislation into one. The result is the Cybercrimes Bill, which went through rigorous public consultation processes and is currently before parliament. The proposed Cybercrimes Bill coincided with the proposed amendments to the National Key Points Areas Act (No. 120 of 1980) by the Critical Information Infrastructure Protection Bill [2016].

Both bills, in certain respects, are or were almost identical to each other. Thus, one cannot be faulted for querying the separation of the two, or for seeking to know the difference between them. This question emerged from one of the roundtables on the Cybercrimes Bill hosted by a certain financial institution. In certain jurisdictions, there is no such distinction between the two. One of the key and hotly contested provisions of both bills is the one dealing with being deemed a ‘Critical Information Infrastructure’ for the purposes of complying with or falling within the purview of both bills. This provision has raised tempers, especially in the private sector, as being deemed a Critical Information Infrastructure means that you will be under the supervision of the State Security Agency (State Security). For various reasons the credibility of State Security is not what it used to be, or is simply questionable at most.

The banking sector, or banks rather, which has of late allegedly been under siege from various fronts including politicians, also falls under the Cybercrimes Bill and thus can be deemed a Critical Information Infrastructure for the purposes of the Bill. Fortunately for the sector, prior to 2016 its capable representation understood the technicalities as well as the unintended consequences of the Bill and constantly fought for the best interests of the sector by pushing for banks to continue being regulated by the South African Reserve Bank with respect to cyber-related matters. The South African Banking Risk Information Centre (SABRIC) and the Right2Know Campaign civil society group also played an important role in this regard. The latter (Right2Know) was and is still critical of both Bills, as it deems them to still be lacking in various material respects (see Right2Know Campaign submission on the Cybercrimes and Cybersecurity Bill, 10 August 2017). For more information on some of these relevant efforts, see the case of The Right2Know Campaign and Others v The Minister of Police & The National Deputy Information Office of the South African Police Services [Case No: 2013/32512].

Besides some of the above concerns, the banking sector, SABRIC and Right2Know are supportive of the principle of both pieces of legislation. A refined draft of the Cybercrimes Bill was published for public comment around August 2017 by the Portfolio Committee of Justice and Correctional Services. In this version, it seems as though the concerns of the private sector (particularly banks) with regard to the procedure for deeming certain institutions Critical Information Infrastructure have been addressed, or at most a very useful appeal mechanism has been provided for therein. Such an appeal mechanism is very consultative in nature and inclusive of all the key stakeholders, and thus I submit that it will not be open to abuse. Before we look at this provision, it is key to note that central to the private sector’s concern, or understanding rather, was the fact that ideally the institutions which are prone to cyber warfare or in need of being deemed critical are state or government institutions (and such are protected by the National Key Points Areas Act or by the proposed Critical Information Infrastructure Protection Bill, which amongst others aims to “provide for the identification and declaration of infrastructure as critical infrastructure.”).

As already stated elsewhere in this article, the current version of the Cybercrimes Bill brings a certain measure of comfort and reassurance to the private sector (in relation to the objectivity of the process of deeming certain institutions Critical Information Infrastructure). I submit that this is evident from the wording of Chapter 11 (Critical Information Infrastructure Protection) as well as its various provisions. For instance, in terms of Section 57(1)(a) – (3)(h), prior to deeming a certain infrastructure Critical Information Infrastructure, the cabinet member responsible for doing so (or State Security) is required to consult all the relevant stakeholders and affected parties. Furthermore, financial institutions are also afforded an “opportunity to make written representations” on any aspect relating to the cabinet member’s intention to declare such an institution (see Section 57(3)(h)). Lastly, such institutions have the right to have their representations considered and thereafter to be supplied with written reasons on the outcome or decision.

In addition to the rights to make representations and thereafter be furnished with a written decision, the affected parties under Chapter 11 have an added right to dispute such a decision. If this were to happen, then at the initiative of the cabinet member (State Security) involved, and working with the affected party and/or regulator, an attempt has to be made to settle the dispute by reaching consensus within a given period (30 days). Should this not yield the desired results, the dispute can be taken to arbitration before an experienced arbitrator (see Section 57(7)(f)). Again, if either party is not satisfied with the outcome of the arbitration, that party can appeal to the High Court. Due to the consultative mechanism built into the entire process under this chapter, up until the appeal mechanism at the end thereof, I submit that the Cybercrimes Bill is not easily open to abuse for whatever reasons.

Regardless of the above, there is still some lingering sense of uncertainty and questions regarding both Bills or the need for them. In response to this, and in an attempt to further educate the relevant stakeholders as well as the general public, both the Department of Justice and Constitutional Development (DoJ) and the Civilian Secretariat for Police Services (Civilian Secretariat) have initiated various processes and/or roadshows to quell such uncertainty and provide clarity where needed. In one of these roadshows, held at the Financial Services Board some time in 2017, a question was raised, after a presentation by the Civilian Secretariat on both Bills, as to the difference between the Cybercrimes Bill and the Critical Information Infrastructure Protection Bill. The response, in short, was to the effect that the latter aims at protecting the physical integrity of the Critical Information Infrastructure, as opposed to the data or information housed within it, which is to be protected by the former.

Conclusion

In short, and as evident from the above discussion, the Cybercrimes Bill and the Critical Information Infrastructure Protection Bill are very similar to each other in that both deal with the declaration of the status of Critical Information Infrastructure as well as the protection thereof. In that regard both bills are set to work in parallel with each other (as well as with the legislation which deals with disaster areas’ management). Although concerns have been raised and noted with respect to the previous as well as the current version of the Cybercrimes Bill, I submit that such concerns are not necessarily material, especially when one has regard to and appreciation of the content of Chapter 11 and its various provisions.

Sources Consulted

 Cybercrimes and Related Matters Bill – Consultation Document (February 2015)

Cybercrimes and Cybersecurity Bill [B-2017]

Critical Information Infrastructure Bill [B-2015]

National Key Points Act 102 of 1980

Right2Know Campaign submission on the Cybercrimes and Cybersecurity Bill, 10 August 2017

The Right2Know Campaign and Others v The Minister of Police & The National Deputy Information Office of the South African Police Services [Case No: 2013/32512]