Lenee Green and Wendy Tembedza, Partners at Webber Wentzel

Are digital advisors regulated in South Africa? What are finfluencers? What are the potential data risks from both an advisor’s and a consumer’s perspective?

From TikTok stock tips to robo-advice chatbots, “finfluencers” and digital advisors are now part of how many South Africans make money decisions. But, when does a ‘hot take’ become regulated advice under the FAIS Act – and what happens when algorithms and POPIA meet? This article explains the line between hype and licensed financial services, and the data-risk guardrails that should sit behind the screen.

Digital advisors

A digital advisor typically provides ‘digital advice’ or ‘automated advice’. This is regulated in South Africa only if the advice provided to clients relates to a financial product (as defined in the Financial Advisory and Intermediary Services Act, 2002, (FAIS Act)).

A financial product includes, among others, securities and instruments such as shares, debentures and securitised debt, money-market instruments, a participatory interest in a collective investment scheme, insurance policies, pension fund benefits, deposit as defined in the Banks Act, foreign currency denominated investment instruments, and a health service benefit.

If a person (or automated system) provides advice on any of the above products, then that person and/or owner of the automated system is required to hold a financial services provider licence in terms of the FAIS Act. A person holding such a licence is referred to as a financial services provider (FSP).

Advice given by a digital advisor in respect of a financial product is essentially ‘automated advice’, which refers to “furnishing of advice through an electronic medium that uses algorithms and technology without the direct involvement of a natural person”. (The Determination of Fit and Proper Requirements for financial services providers, 2017 published under Board Notice 194 (“Fit and Proper Requirements”)).

The FAIS Act defines ‘advice’ as any recommendation, guidance or proposal of a financial nature furnished “by any means or medium” to any client or group of clients. This explicitly encompasses automated platforms and relates to the purchase and/or investment in ‘financial products’. Advice can also relate to the conclusion of a transaction aimed at acquiring a right or benefit in respect of financial product or to the variation of a term or condition applying to a financial product.

Finfluencers

There has been an increase in ‘finfluencers’. A finfluencer is “a person who, by virtue of their popularity or cultural status, can influence the financial decision-making process of others through promotions or recommendations on social media” or an influencer who gives advice on financial investments.

The rise of the finfluencer does beg the question; “Are they regulated?”

Financial services comprise of advice and/or intermediary services. In South Africa, a financial service is regulated under the FAIS Act and only licenced FSPs may render financial services. If the advice is given to the general public and not to a person or group of persons who is or may become the specific recipient of a financial service rendered intentionally, it is likely not a regulated act under the FAIS Act.

If a consumer engages with a digital advisor and obtains ‘automated advice’ or receives advice from a finfluencer, it must be assessed whether the advice relates to a financial product. If so, the consumer should ask if the person is regulated under the FAIS Act.

Where the advice is automated and relates to financial products, the FSP details should be clearly indicated on the platform where the advice is accessed by the consumer.

If the advice (automated or not) does not relate to financial products as defined, the service and/or advice provided is not regulated under the FAIS Act and the consumer will not be protected by the usual safeguards contained in legislation (consumer protection laws may, however, still apply).

Entities that render financial services, whether a digital advisor or finfluencer, must comply with fit and proper requirements applicable to the category of FSP.

In addition, an FSP offering automated advice must meet additional requirements set out in the fit and proper requirements, such as having adequate and appropriate human resources with the required competence to:

• Understand the technology and algorithms used to provide the automated advice;
• Understand the methodological approaches, including assumptions, embedded in the algorithms;
• Understand the preferences or biases that exist in the approaches;
• Understand the risks and rules underpinning the algorithms;
• Identify the risks to clients arising from the automated advice; and
• Monitor and review the automated advice generated by algorithms to ensure quality and suitability of the advice and compliance with the Act.

An FSP must also be aware of the restrictions around automated decision-making under POPIA. POPIA prohibits an FSP from making a decision about a consumer where the decision has legal consequences for the consumer, or where it affects the consumer to a substantial degree, except in very limited circumstances. Notably, POPIA expressly refers to decisions regarding credit worthiness as falling within the scope of decisions that cannot be made through automation without appropriate guardrails in place. It is likely that any decisions made regarding financial products, as contemplated in the Fais Act, will also fall to be regulate under this provision.

Data

The standard compliance principles set out in POPIA for data management continue to apply to financial services provided by both digital advisors and finfluencers. An intentional approach to compliance with POPIA becomes that much more important where automated systems, capable of storing large volumes of data and processing it in various ways for varying multiple purposes, are an integral part of the data processing activities.

In relation to managing data risks and exposures in the context of financial services (Joint Standard 2 of 2024 (Cybersecurity and Cyber Resilience Requirements)), FSPs must:

• Have appropriate processes for managing any changes to an algorithm or filters, including security arrangements to monitor and prevent unauthorised access to the algorithms.
• Be able to control, monitor and reconstruct any changes to algorithms or filters.
• Have systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, including: (aa) electronic data security and internal and external cybersecurity; (bb) physical security of assets and records; (cc) system application testing; (dd) back-up and disaster recovery plans and procedures for systems and electronic data.
• Have systems and processes to ensure the accurate, complete and timely processing of data, reporting of information and assurance of data integrity.

An advisor that falls outside the scope of the FAIS Act is not required to comply with the various fit and proper requirements imposed by the FAIS Act, such as continuous development, understanding the product and assessing whether products are suitable for the consumer etc.

Note that the FAIS Act will be repealed in its entirety by the Conduct of Financial Institutions Bill, which will significantly change the regulatory landscape in the near future and broaden the scope of advice.

ENDS