Impact of the Cybercrimes Act on Financial Institutions

Jashmine Desai | Compliance Department  

South Africa has been excessively targeted by cybercriminals due to lack of enforcement and awareness of cybersecurity in the country. However, with the partial commencement of the new Cybercrimes Act 19 of 2020 (“Act”) on 1 December 2021, South African internet users and organisations can now rest easier as the Act aims to combat and prosecute cybercrime. 

This legislation is the first in South Africa to consider cybercrimes explicitly, and forms part of South Africa's growing legislative framework on data management. Legal authorities and the judiciary will now have more concrete legal grounds on which to investigate and prosecute cybercrimes than ever before. 

The Cybercrimes Act obliges organisations to reconsider their data processing practices and requires them to adapt their processes to prevent the offences defined in the Cybercrimes Act. 

The impact of the Cybercrimes Act on financial institutions  

Reporting obligations 

Reporting obligations are imposed on financial institutions in terms of Section 54 of the Cybercrimes Act. However, section 54 of the Act is not in operation yet.  

Once section 54 commences, it will compel financial institutions including electronic communications service providers (ECSPs) to report cybercrimes to the South African Police Service within 72 hours of becoming aware of the offence. 

The Act does not require financial institutions (or ECSPs) to monitor the data that the institutions transmit or store on their systems. Further it is not required for institutions to actively look for situations that indicate unlawful activity.  

The Financial Sector Conduct Authority and the South African Reserve Bank are excluded from the reporting obligations imposed in terms of section 54.  

Rendering assistance during investigations 

A financial institution is required to provide law enforcement with the necessary technical or other assistance to search for, access or seize any data or computer that may be linked to a cybercrime. 

The Act does not state the type of assistance that is required to be provided however it is necessary for the institution to retain the data or computer for as long as required by law enforcement. 

Data storage obligations 

Once section 54 of the Act commences, financial institutions will be required to conserve any information which may assist the South African Police Service in investigating a cybercrime. 

The instant a financial institution (or ECSP) is aware or becomes aware that a person is utilising the institution’s network or system to commit a cybercrime, the institution is required to retain the data for an unspecified time-period in order to assist the police service in their investigations.  

Penalties for non-compliance 

The Act imposes severe penalties on financial institutions (and ECSPs) for non-compliance with the obligations. Financial institutions who fail to comply with the obligations imposed by the Act will be liable for a fine of up to R50 000. An additional consequence that financial institutions may face for non-compliance is the potential reputational harm and damage to the institution, which may have a lasting effect. 

Point of contact 

The Cybercrimes Act provides the South African Police Service with substantial powers to investigate, search, access and seize any computer, database, or network on condition that they possess a search warrant. 

The Minister of Police has a responsibility to establish a point of contact for cyber-crimes, and maintain the capacity to detect, prevent and investigate cybercrimes. Any person or institution that has fallen victim to a cybercrime or can provide information/assistance relating to a cybercrime, may approach the designated point of contact for assistance.  

Conclusion 

The inclusion of the Cybercrimes Act within the South African legislative framework is an imperative step towards the enforcement of data protection in South Africa. While the Cybercrimes Act has been signed into law, certain provisions, such as the reporting obligation by institutions, are yet to become enforceable. Institutions should start preparing for the implementation of the Cybercrimes Act and requirements such as the reporting obligations within their institution. Institutions should also commence with training programmes to make staff aware of these requirements and to better understand the cybersecurity space.