Khanyitas

POPIA for Financial Advisors and FSPs: What the Act Means for Your Client Data

23 May 2026 · Financial advisors and FSP key individuals

Financial advisors and Financial Services Providers (FSPs) sit at the intersection of two demanding regulatory frameworks: the Financial Advisory and Intermediary Services Act (FAIS) and the Protection of Personal Information Act (POPIA). Both place obligations on how you collect, use, and protect your clients' personal information — and the overlap is significant.

This article walks through the key POPIA concepts most relevant to FSPs and their Key Individuals (KIs), with references to published Information Regulator guidance where available.

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.

---

Why FSPs Face Heightened POPIA Obligations

Financial advisors routinely process personal information that qualifies as special personal information under POPIA — information about financial history, health status (relevant to life and disability cover), and in some cases criminal behaviour (relevant to fraud screening). POPIA section 26 prohibits the processing of special personal information as a general rule. Section 27 sets out limited authorisations that permit it — for example, where the processing is necessary to establish, exercise, or defend a right or obligation in law. This means FSPs need a deliberate, documented basis before touching this category of data, not just a general client consent.

Beyond special information, every client engagement involves a stream of ordinary personal information: identity numbers, contact details, employment records, income figures, tax numbers, and beneficiary details. POPIA's eight conditions for lawful processing (section 8) apply to all of it.

The Eight Conditions in an FSP Context

Section 8 of POPIA provides the overarching framework. In practice, the conditions most FSPs need to think about carefully are:

1. **Lawful basis (section 11).** Most FSP–client data processing will be justified on one of three grounds: the client's consent, the performance of a contract to which the client is a party (your mandate or engagement letter), or compliance with a legal obligation (FAIS recordkeeping rules, FICA due diligence requirements). Section 11(3) also gives clients the right to object to processing based on legitimate interest — worth noting if you use client data for marketing or business development.

2. **Purpose limitation (sections 13 and 15).** POPIA requires that personal information be collected for a specific, defined purpose (section 13). Section 15 adds that any further processing must be compatible with that original purpose. Collecting a client's income details to perform a needs analysis is clearly within scope; using those same details to profile them for a third-party product campaign is a different matter and may require fresh justification.

3. **Retention (section 14).** Records may not be kept indefinitely. Under section 14, personal information must be destroyed or de-identified once it is no longer needed for the purpose for which it was collected — subject to any legal or regulatory minimum retention period. FAIS imposes its own recordkeeping requirements (the FSCA publishes guidance on minimum retention periods at fsca.co.za); POPIA does not override these, but it does mean you need a documented retention schedule that reconciles both frameworks.

4. **Security safeguards (section 19).** You are required to take reasonable technical and organisational measures to prevent loss, damage, unauthorised access, or unlawful processing of personal information. For FSPs, this includes securing client portals, encrypting sensitive documents, and ensuring that support staff and representatives handle data appropriately.

5. **Breach notification (section 22).** If a security compromise is reasonably likely to affect a client, POPIA requires that both the Information Regulator and the affected data subjects be notified. The Information Regulator publishes its notification process at inforegulator.org.za. FSPs should have an incident response procedure in place before a breach occurs, not after.

Telling Clients What You Are Doing With Their Data (Section 18)

Section 18 of POPIA requires that when you collect personal information from a data subject, you notify them of — among other things — the purpose of the collection, whether it is voluntary or mandatory, the consequences of not providing it, and any third parties to whom it may be passed.

For FSPs, this means your onboarding process (whether paper-based or digital) should include a clear, plain-language privacy notice. A long, legalistic clause buried in a mandate agreement is unlikely to satisfy the spirit of the notification requirement. The Information Regulator's published guidance on privacy notices is available at inforegulator.org.za.

The Role of the Information Officer

Under POPIA section 55, every responsible party — including every FSP — must have a designated Information Officer. For a sole-practitioner FSP, this is typically the Key Individual. For larger practices, the KI or practice principal is most commonly appointed. The Information Officer's duties include ensuring POPIA compliance, handling data subject access requests (section 23) and correction requests (section 24), and liaising with the Information Regulator.

Information Officers are required to be registered with the Information Regulator. The registration portal is at inforegulator.org.za.

Third Parties: Outsourcing and Data Sharing

Many FSPs use third-party platforms — CRMs, financial planning tools, cloud storage, or administration outsourcers. Where a third party processes personal information on your behalf, POPIA treats you as the responsible party and the third party as an operator. You remain accountable for what they do with your clients' data. Operator agreements (sometimes called data processing agreements) should be in place, setting out the scope of processing, security obligations, and what happens to data at the end of the relationship.

If you transfer client data to a product provider, fund manager, or administrator outside South Africa, section 72 of POPIA imposes additional conditions on cross-border transfers.

Direct Marketing to Clients and Prospects

Section 69 of POPIA governs direct marketing by electronic communication (email, SMS, and similar channels). The default position is opt-in: you need the data subject's consent before sending unsolicited electronic marketing. There is a limited exception for existing clients where you are marketing similar products or services and the client has not opted out — but this exception has conditions and should be applied carefully.

FSPs building prospect lists or running email marketing campaigns should ensure their practices align with section 69 before sending.

Where FAIS and POPIA Intersect

FAIS obligations around recordkeeping, disclosure, and fit-and-proper requirements are set by the FSCA. POPIA does not repeal or override these — they operate in parallel. In practice, this means:

For FICA requirements, refer to the Financial Intelligence Centre at fic.gov.za.

Practical Starting Points for FSP Compliance

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — particularly where special personal information, cross-border transfers, or complex multi-party arrangements are involved — consult a qualified attorney.

*Primary sources: Information Regulator (South Africa) | FSCA | Financial Intelligence Centre*