PoPI versus FATCA – information governance is critical when dealing with conflicting compliance legislation

The Protection of Personal Information (PoPI) Act, due to come into effect next year, and the Foreign Account Tax Compliance Act (FATCA), which came into effect in 2010, are two top legislative governance priorities for financial services institutions this year. However, compliance with both of these laws can prove to be something of a challenge: PoPI, as the name suggests, espouses the protection of information, while FATCA requires that certain information be disclosed. Non-compliance with either law imposes penalties on the organisation, and yet reconciling two apparently conflicting regulations is a difficult task. Financial services institutions need to examine compliance as a holistic practice, rather than in isolation for each law, and implement effective information governance to ensure effective compliance management.

PoPI is a comprehensive South African Act for the protection of personal third-party information, setting stringent conditions for the processing of data. PoPI covers the complete lifecycle of personal information, from acquisition to destruction. The onus on organisations is to identify where personal information is held within the organisation and to ensure appropriate levels of access control. PoPI requires that personal information be protected unless it is processed for a specific purpose, and also governs the movement of personal information across the borders of South Africa. FATCA, on the other hand, is US legislation that requires foreign banks, insurance companies and other financial institutions to report on the taxable earnings of US citizens. Many countries, including South Africa, have already agreed to cooperate with FATCA, which requires participating financial institutions to prove that they have identified, and are correctly reporting on, the earnings of US taxpayers earning more than a US$50 000 threshold.

Failure to comply with PoPI could result in fines of up to R10 million or 10 years in jail. For FATCA, non-compliance means a 30% withholding tax on any payments received from US entities, a penalty that could add up to hundreds of millions of Rands for some organisations. The consequences of non-compliance with these laws could have a detrimental impact on South African financial services institutions. However, with one piece of legislation requiring personal information to be carefully safeguarded, and another requiring that personal information be disclosed under certain circumstances, compliance with both, as well as with a host of other legislation and compliance requirements, has become a costly and complex exercise.

Although much of the focus of PoPI is on security, companies are also required to ensure data quality, as the Act states that personal information has to be complete and accurate, not misleading, and kept up to date. PoPI also requires organisations to be able to provide, on request, a description of all personal information held about an individual or data subject to that individual or data subject. Identifying where personal information is held and who has access to it, as well as ensuring the quality of this data across multiple systems, is quite a challenge.

With FATCA, poor customer data quality can make it difficult to identify US clients, as important identifying information can be missing or inaccurate. In addition, foreign financial institutions must create a linked profile of these clients in order to determine whether their earnings meet the required threshold. Ensuring that reports disclosed to US revenue services are compliant with both PoPI and FATCA is a significant hurdle. Under the conditions of PoPI, it is not acceptable to disclose the earnings or other personal information of parties who have been wrongly identified as US citizens, or to disclose the earnings of US citizens who do not reach the $50 000 threshold.

Addressing poor quality data and the lack of a single view of the customer is critical to ensuring financial institutions do not fall foul of either piece of legislation. Information governance therefore lies at the heart of compliance with both PoPI and FATCA. Data governance principles, including defining data policies, identifying responsible persons, and measuring compliance with policy, need to be applied to ensure compliance with each act while minimising the impact of compliance. By making use of a Data Governance Centre, financial institutions can not only ensure compliance, but also identify and manage conflicting and complementary policies appropriately. In addition, by taking a holistic view of compliance, rather than examining each piece of legislation in isolation, synergies can be leveraged to minimise conflict and risk while driving down the overall cost of compliance.

Legislative conflict is nothing new in the compliance space, and planning for each regulation can cost tens of millions of Rands. The centralised governance of data allows you to identify information issues such as non-compliance with policy, measure the business impact, and prioritise remediation efforts. Ultimately, this saves money while reducing risk. By examining compliance as a whole, implementing standardised technology and leveraging a broader data governance framework, financial institutions can identify both synergies and conflicts for efficient, cost-effective compliance.

Last modified on Monday, 11 August 2014 09:32
Gary Allemann

Gary Allemann is passionate about Information Communication Technology (ICT) and more specifically data quality, data management and data governance. His introduction to the field of ICT was cemented with the completion of a Bachelor of Science degree (Hons) at Rhodes University which saw him enter the workplace in 1993 where he secured a position at First National Bank as a programmer. In 1996, Gary moved on to Dimension Data where he began to be more intimately involved with master data management as a Dimension Data CRM specialist. In 2001, Gary moved onto ILC Lerumo, a company that provides asset management and logistics consulting services to the defence and manufacturing industries, as a sales and marketing manager. In 2003, armed with 10 years’ experience, Gary formed Master Data Management, a business that provides specialist solutions for data governance, data quality, big data and MDM. Leveraging the international expertise of its vendors including Harte Hanks Trillium Software, Collibra, Datameer and eLearningCurve, MDM has provided solutions for a range of clients in financial services, government, mining and telecommunications.

Website: www.masterdata.co.za

Copyright © 2014 gdmc (Geoffrey Dean Marketing Corporation cc). All rights reserved. Material may not be published or reproduced in any form without prior written permission. Use of this site constitutes acceptance of our Terms & Conditions and Privacy Policy. External links are provided for reference purposes. SALeader.co.za is not responsible for the content of external Internet sites.