The recent case of Nedbank Limited v Houtbosplaas (Pty) Ltd and Another raises interesting considerations for accountable institutions aiming to comply with their obligations under the Financial Intelligence Centre Act, 2001 (“FICA”).

We discuss the case in detail below, asking:

  • is there a danger in an accountable institution asking for more than they strictly require in terms of FICA?
  • do customers have an obligation to provide verification documentation to accountable institutions upon request?
  • as an accountable institution has an ongoing due diligence obligation to verify the identity of a customer with whom it has established a relationship, may an accountable institution refuse to act on an instruction (implementing a transaction) if due diligence requests have not been met by a customer?

FICA is aimed at the identification of the proceeds of unlawful activities, combatting money laundering and combatting the financing of terrorist and related activities. To give effect to these objectives, FICA creates a legal framework for the effective identification and verification of clients. Regulations issued under FICA set out a number of procedural elements that financial institutions ought to give effect to, in order to implement FICA.

The Pretoria High Court in Houtbosplaas (Pty) Limited and another v Nedbank held that customers of banks are under no statutory obligation under FICA to provide documents to a bank for verification purposes, upon request from a bank. Nedbank applied for leave to appeal to the Pretoria High Court, but this was dismissed. Nedbank subsequently applied for leave to appeal to the Supreme Court of Appeal ("SCA"), which was granted.

The dispute at the heart of this case arose as a result of Nedbank refusing to close the bank accounts of Houtbosplaas and TBS Alpha (“the companies”) pursuant to their written instructions.

The relevant facts in this matter were:

  1. Houtbosplaas and TBS Alpha had a longstanding relationship with Nedbank. Four trusts each held one preference share and ordinary shares in the companies.
  2. In 2016, Nedbank requested certain information from the companies pursuant to the provisions of FICA. Some of the information was provided but the companies contended that the request constituted an unjustifiable intrusion into the trusts’ right to privacy.
  3. A dispute arose between Nedbank and the companies’ representative in respect of the request for information, which ultimately led to the companies giving written notice to Nedbank in January 2017 to close their accounts and transfer the credit balances of those accounts to Absa Bank Limited.
  4. Nedbank refused to close the accounts on the basis that the companies failed to comply with Nedbank’s request and consequently, the accounts were restricted based on FICA.
  5. In July 2017, the accounts were closed after Nedbank received the outstanding information it requested from Houtbosplaas and TBS Alpha.

The companies viewed Nedbank’s conduct as unjustifiable and unlawful and instituted proceedings to claim damages in the amount of ZAR181 103.31, together with interest and costs.

In determining the question of whether Nedbank was entitled to the requested documents, specifically the trust deeds, the SCA had regard to various provisions in FICA.

Section 21(2) of FICA, prior to its amendment, read as follows:

“If an accountable institution had established a business relationship with a client before this Act took effect, the accountable institution may not conclude a transaction in the course of that business relationship, unless the accountable institution has taken the prescribed steps–

(b) to establish and verify the identity of the client”

The SCA held that section 21(2) of FICA applied to existing clients of an accountable institution who had already established a business relationship before FICA took effect. At the inception of FICA, Nedbank was required to comply with the prescripts and once this had occurred, it was not necessary for Nedbank to verify the companies in respect of each and every transaction concluded during the relationship, provided that there is an ongoing obligation to ensure that the verification information is up to date.

Similarly, the SCA found that regulation 7 which, at the relevant time required financial institutions to obtain various particulars of trusts holding 25% or more of the voting rights at a general meeting of a company, only applies when an accountable institution is establishing a business relationship or concluding a single transaction.

The SCA held that the preference shareholders had untrammelled voting rights and consequently, would have every right to vote at general meetings of the companies. Consequently, each trust that held shares in the companies held less than 25% of the voting rights.

The SCA dismissed Nedbank’s appeal and held that there was no basis for Nedbank concluding that it was justified in refusing to give effect to the companies’ instructions to close the bank accounts, given that in accordance with the law at the time, Nedbank was not required to verify the identity of the trusts as they did not hold more than 25% of the voting rights.

The SCA concluded that the refusal by Nedbank to give effect to the instructions to close the bank accounts shortly after receiving the instruction from the companies constituted Nedbank breaching its obligations to act in accordance with instructions from its customer. Consequently, the SCA held that the Pretoria High Court was correct in also awarding mora interest in favour of the companies from 20 January 2017 (being the date of demand) to 10 July 2017 (being the date on which Nedbank closed the accounts of the companies and transferred the funds in the accounts to Absa).

The Pretoria High Court’s statement that customers of a bank are not obliged under FICA to provide the bank, upon request, with documents to verify their identity is surprising, but must be considered in light of regulation 7. Regulation 7 (prior to it being repealed), referred to a 25% threshold for triggering identification and verification. On application of this rule, Nedbank was not obliged to request documents from the trusts and the trusts were within their rights to refuse providing the information.

However, in our view, this should not be read as suggesting that in terms of current legislation an accountable institution would be precluded from, in terms of their risk management and compliance programme (“RMCP”), noting a customer as high-risk or non-compliant if that customer refused to provide information which had been requested by the bank in accordance with its RMCP, whether that information was requested in establishing a relationship, or pursuant to that accountable institution’s ongoing due diligence obligations. We do not believe that a customer would be entitled to raise as a defence that the information could be obtained from a third party and an accountable institution would be permitted to initiate its high-risk policy should a customer refuse to provide requested information.

This judgment does however highlight the importance of an accountable institution only requesting information that it is entitled to under FICA and its RMCP. Bearing in mind the principle of minimality, as set out in section 10 of the Protection of Personal Information Act (“POPIA”), an accountable institution may only request (and subsequently process) information if it is adequate, relevant and not excessive. Asking for too much information, or information not required in terms of FICA or the RMCP, creates a risk because failure to provide information not strictly required does not found a basis for refusing to act on the instruction of a customer. Failure to act in accordance with the terms and conditions applicable to a particular customer, such as refusing to implement an instruction when not strictly entitled to do so, could expose a financial institution to a claim for interest, or possibly an offence under the Financial Institutions (Protection of Funds Act). Bearing the provisions of POPIA in mind, a bank may also expose itself to proceedings that arise as a result of a breach of POPIA.

Financial sector laws are rapidly evolving as regulators seek to ensure fair outcomes for customers while ensuring financial stability and the integrity of the South African financial markets. It can be difficult for financial institutions to ensure that their operations remain compliant. Case law such as this demonstrates this difficulty, and also serves as a caution to financial institutions to continuously review and reconsider their procedures and policies with their advisors in light of developments.