Commercial crime is a rapidly growing risk for organisations in South Africa and yet many are left unprepared when an incident has been discovered or is suspected to have taken place.
Finding out that a crime has been committed within your organisation can be an extremely stressful and worrying experience, leading organisations to panic, act rashly, or not think very carefully about the actions they need to take to effectively manage the situation. There are a number of things that organisations need to consider when an incident of fraud, corruption, money laundering, or a cybercrime has been uncovered, including whether an investigation is warranted, how they’re going to investigate the incident, who is involved, and what the exact incident is.
But, what most often falls through the cracks when an incident of commercial crime is discovered are the reporting obligations organisations need to comply with, which are laid out in various pieces of legislation. Many organisations, particularly those without dedicated compliance teams or functions, like small to medium-sized businesses, are likely unaware of the different legal obligations they have in reporting commercial crimes.
Additionally, non-compliance to these legal requirements can compound the negative impact of the commercial crime incident, especially as some of these pieces of legislation have specific time periods in which a report must be made to the relevant authority on the threat of penalty.
So, as we have just come out of International Fraud Week, here is an outline of the four key pieces of legislation which organisations need to be cognisant of when responding to fraud or corruption.
1. Prevention and Combating of Corrupt Activities Act
This piece of legislation requires any offences of theft, fraud, corruption, forgery, or extortion involving an amount of R100 000 or more to be reported directly to the Directorate of Priority Crime Investigation, more commonly known as the Hawks.
The obligation to report these incidents to the Hawks lies on any person in authority (such as the director of a company, manager, CEO, or director-general of a government department) who knows or suspects that any of these offences have been committed.
While there is no time limit laid out in the Act for when the report needs to be made, the general rule is that it should be submitted within a reasonable amount of time. However, if an organisation is going to conduct an investigation into the incident, I would advise they wait for the investigation to conclude before reporting the incident in order to present a much more comprehensive report to the authorities.
2. Protection of Personal Information Act (POPI)
POPIA requires any incidents of a data breach where personal data is reasonably believed to have been compromised, to be reported to the Information Regulator of South Africa, as well as to the subject of that data.
Fortunately, POPIA doesn’t have a particular time frame within which the report must be made, but the Act does specifically state that this report must be made as soon as reasonably possible after the discovery of the breach. As such, time is definitely of the essence when it comes to notifying the regulator of a data breach. However, an organisation is able to justify a delay in doing so if the legitimate needs of law enforcement to determine the scope of the breach and restore the integrity of the business’ information system, call for it. The Act also notes that an organisation can delay letting the data subject know about the breach if a public body that is responsible for the prevention, detection, or investigation of offences (or the Information Regulator) determines that doing so will impede a criminal investigation.
It’s important to note that POPIA speaks to the data privacy requirements within South Africa and any business which operates where they must abide by international data laws such as the European Union’s General Data Protection Regulation (GDPR) must be cognisant of the requirements thereof. For example, the GDPR requires businesses to report any incident of a data breach not later than 72 hours after having become aware of said breach.
3. Financial Intelligence Centre Act (FICA)
This piece of legislation is one that most often goes under the radar as most businesses don’t need to comply with the bulk of the obligations laid out within it. However, it is crucial that organisations become aware of the obligation to report suspicious and unusual transactions required by FICA, even if they are not necessarily subject to FICA as a whole.
Under the Act, any person who knows or should know or has suspected that the organisation has received the proceeds of unlawful activities or has facilitated transactions related to the financing of terrorist activities, must report this to the Financial Intelligence Centre. The same is required when there is knowledge or suspicion of tax evasion or
money laundering which must be filed with the FIC under the specific sections of the Act which have been contravened.
A report must be made to the FIC within 15 days of the discovery of the incident. Non-compliance is not an option as it could lead to a public reprimand, a remediation directive, the restriction or suspension of certain business activities, and a financial penalty of up to R10 million for a natural person or up to R50 million for a legal person.
4. Cybercrimes Act
The reporting obligation in this legislation only applies to electronic communication service providers and financial institutions such as telcos and banks and requires these organisations to report cybercrime incidents to the South African Police Service within 72 hours of becoming aware of the use of their information systems to commit a cybercrime. The penalty for not doing so in time is R50 000.
Although the specific reporting obligation an organisation must comply with depends on the specific criminal incident that has occurred, these offences are often interrelated, which can make ignorance of these obligations even more costly for a business or institution.
For example, when there is an instance of corruption or fraud it is usually related to monetary gain and this money then needs to be laundered in order to avoid raising suspicion. Because of this, an organisation might be beholden to more than one piece of legislation as it relates to reporting one specific incident of commercial crime. This is why organisations must ensure they are both aware of and compliant with all of these pieces of legislation when dealing with commercial crime, or they might find themselves falling foul of their legal