The Protection of Personal Information Act (POPI) applies to all industries, but some industries will be more affected than others. Financial services is one of them. Why? Firstly, FSPs collect very sensitive information. Secondly, when an FSP’s security fails, the breach can have dire consequences for customers. Lastly, the Information Regulator has indicated that financial services will be its focus initially, because 85% of the complaints already reported stem from financial services providers.
A real-life example
Want to see a real-life example of what can happen when things go wrong at an FSP? Here is an excellent blog about the risk management failures at Wells Fargo, which led to a leak of personally identifiable information from over 50 000 customer records.
However, in my opinion, information security is not the biggest issue for FSPs. Sure, it is important, but it doesn’t really change business as usual. There are two issues which will have far larger repercussions:
It will be very difficult post-POPI to buy and sell leads.
The rules about direct marketing are changing.
Buying and selling leads
The practice of buying and selling leads is well established in the financial services industry. POPI doesn’t make it illegal, but it will make the practice very difficult in future. The main problem is that prospective customers will have to be informed that their information will be shared with third parties. We know, because we tested it, that consumers care deeply about who their information will be shared with and do not trust companies who do share their information.
The primary reason why businesses purchase leads is to do direct marketing, or ‘cold canvassing’, as it is also known. POPI contains new rules on direct marketing which will make it compulsory to obtain a person’s consent before their details are used for direct marketing. This will definitely apply to SMS and e-mail. Whether it applies to telemarketing is unclear. I am of the view that it doesn’t, but there are attorneys who disagree with me.
The Information Regulator has indicated to us that this consent will have to be acquired in the form of an ‘opt-in’. The consent must be voluntary, informed and specific. So, no default consents or statements such as ‘by giving us your personal information you consent to us processing it as we deem fit’. It would have to be something like:
☐ I consent to my information being sold to other FSPs
☐ I consent to direct marketing.
Not many people will consent to a company profiting from sharing their personal information. This means that FSPs will have to find ways to convince customers that the buying and selling of their information is in their interest and that they want to receive direct marketing.
Want to read more about this topic? The UK Information Commissioner’s Office (ICO), which enforces legislation very similar to POPI, has written a direct marketing code of conduct. Our Information Regulator is visiting the ICO, so this Code is as close as we can get to a crystal ball.
Training and awareness is a large component of any POPI compliance campaign. Or, in the absence of a campaign, it is a good start. Why? Training raises awareness, exposes risk and changes behaviour. More so than with many other pieces of legislation, the risks created by POPI can often be cured through small adjustments in behaviour rather than wholesale changes to a business’ structure or services.