South African legends like Gerrie Coetzee, Brian Mitchell and “Baby Jake” Matlala stand out from a long list, while Joe Louis, Mike Tyson, Sugar Ray Robinson and Muhammad Ali are some of the better known Americans.
The conflict between local and international regulations is like a boxing match between these greats.
POPI versus FATCA: The line-up
In the South African corner, POPI (the Protection of Personal Information bill) passed to restrict access to personal data.
In the US corner, FATCA (the Foreign Accounts Tax Compliance Act) passed to force access to personal data. Who will win this thrilling contest?
Round 1: International Impact
POPI is South African legislation voted into law in November 2013. POPI seeks to ensure that South African businesses comply with all major international privacy bills, including those of major trading partners such as Europe, the United States and the United Kingdom. As such, it is one of the most comprehensive data protection bills to be found on any statute book.
FATCA is US legislation, passed in 2010, that impacts foreign financial institutions (FFIs). It requires foreign banks, insurance companies and similar financial institutions to report the taxable earnings of US citizens to the IRS.
Numerous countries, including France, Germany, the United Kingdom, Switzerland and South Africa have already agreed to cooperate with FATCA. A number of countries are rumoured to be implementing their own variation of FATCA, and it is likely that this will increase the burden of FATCA over the next decade.
Judges' decision: FATCA is a narrow winner on points
Round 2: Penalties
Businesses that fail to comply with POPI can face fines of up to R10 million or 10 years in jail per breach.
As such, POPI is the first South African legislation with real teeth to enforce compliance.
For FFIs, the consequence of non-compliance with FATCA is a 30% withholding tax on any payments received from US entities. While this could run into hundreds of millions for some organisations, the impact on most South African companies is light.
Judges' decision: POPI wins a tight round
Round 3: Difficulty of compliance
Chapter 8 of POPI details eight pillars covering the complete use of personal information, from acquisition to destruction. The onus on organisations is to identify where personal information is held within the organisation and to ensure appropriate levels of access control. Although much of the focus is on security, companies are also required to ensure data quality: “personal information [must be] complete, accurate, not misleading and updated when necessary.” POPI also requires that the organisation be capable of providing, upon request, a description of all personal information held to the data subject.
POPI, then, may require a major overhaul for many South African firms. It is not sufficient merely to identify where personal information is held and who has access to it, which is in itself no small challenge. Companies must also take steps to ensure the quality of personal information held across multiple systems.
FATCA requires participating financial institutions to prove that they have identified, and are correctly reporting on, the earnings of US taxpayers earning more than a US$50 000 threshold. Poor customer data quality can make it difficult to identify US clients, as important identifying information can be missing or inaccurate. In addition, FFIs must create a linked profile of these clients in order to determine whether their earnings meet the required threshold.
Both Acts require significant enhancements to existing data management practices.
Due to its broader reach, POPI wins this round.
Round 4: Conflicting requirements
Where FATCA requires FFIs to report on the earnings of US taxpayers, POPI requires that personal information be protected unless it is used for a specific purpose. In particular, Chapter 9 of POPI governs the movement of personal data across the South African border.
The difficulty for an FFI will be in ensuring that the report disclosed to the IRS is compliant with both FATCA and POPI. In terms of POPI, it is not acceptable to disclose the earnings, or other personal information, of parties that have been wrongly identified as US taxpayers, nor is it acceptable to disclose the earnings of US citizens that do not reach the $50 000 threshold.
Poor data quality, and the lack of a single view of the customer, are significant hurdles that must be overcome in order to comply with both pieces of legislation.
Judges' decision: POPI, once again, wins this round.
At the end of the bout, information governance is the winner.
In each case, poor quality information and, in particular, the lack of a centralised customer view can be significant challenges that must be overcome.
Common sense suggests that data governance principles be applied to ensure that your business is compliant with each relevant act, while minimising the impact of compliance.
Data governance means defining your data policies, identifying the persons responsible for them, and measuring compliance with those policies. A data governance centre ensures that these assets are reused across the organisation, and that conflicting or complementary policies can be identified and managed appropriately.
Centralised governance of data allows you to identify information issues (non-compliance with policy), measure their business impact, and prioritise remediation efforts. Ultimately, this saves money while reducing risk.