GDPR: DATA PROCESSING AGREEMENTS AND BINDING CORPORATE RULES

GDPR: DATA PROCESSING AGREEMENTS AND BINDING CORPORATE RULES

The General Data Protection Regulation (EU) 2016/679 (“GDPR“) became effective on 25 May 2018 and has a substantial impact on anyone who processes personal data of data subjects (individuals). The scope of the GDPR extends beyond the borders of the European Union (“EU“) and is therefore something that likely impacts most businesses that have an international footprint or clientele in the EU.

The GDPR requires certain rules to be complied with when personal data is processed in order for the security of the personal data to be maintained and for the protection of the fundamental right to privacy. These rules must be implemented by the data controller (the party that determines the purposes for which and how data is processed) throughout the stages of processing and requires the data controller to ensure that any third party processing the data on behalf of the controller (referred to as data processors) comply with the rules relevant to them as well.

In any given scenario, there may be multiple parties that act as data controllers and data processors in respect of the same personal data – commonly referred to as joint-controllers and joint-processors. All these parties must still comply with the GDPR and the two most common manners in which this is done is through data processing agreements and binding corporate rules. In this post, we look at these two mechanisms and discuss the differences between them and when each should be used.

Data processing agreements (“DPAs”)

Data processing agreements (“DPAs“) are most commonly used where a data controller appoints a third party to process personal data on behalf of and for the benefit of the controller. The processor is only authorised to process the data on the instructions of the controller and is limited from using the personal data for its own purposes. Processors are usually third party companies that provide a service to the controller and don’t form part of the group of companies that the controller is part of.

The appointment of data processors is subject to the controller and processor complying with the relevant requirements of the GDPR. The GDPR sets out express requirements that must be met by controllers when appointing processors, including that the processor must be appointed in terms of a written agreement (the DPA) and which agreement must include provisions relating to the further requirements that processors must comply with. Some of these include:

  • the purposes for which the data may be processed;
  • the duration of the agreement;
  • limitation of processing to the written instructions of the controller;
  • a duty of confidentiality on the processor in respect of the personal data;
  • duty to take appropriate organisational and technical security measures;
  • the rules regarding the appointment of sub-processors; and
  • liability of the processor in respect of the personal data.

Binding Corporate Rules (“BCRs”)

Binding corporate rules (“BCRs” or “Rules“), although similar to DPAs, regulate the processing of personal data between companies within a group of companies. They are like a code of conduct, allowing multinational companies to transfer data internationally to members of the group that are located in countries that may be considered to not provide an adequate level of data protection. Although some countries in which the members of the group conducts business may  have their own data protection laws and requirements in respect of processing personal information,  the BCRs aim to ensure that all the companies within a group meet, at a minimum, the standards required by the GDPR (and which will result in the companies falling within the GDPR’s ambit, complying with their legislative obligations).

Article 47 of the GDPR sets out the requirements regarding what BCRs must specify and the Rules that a group of companies develops must be approved by an EU regulatory authority. In brief, BCRs must further be legally binding and apply to all members of a group of companies, they must include provisions about the enforceable rights that data subjects have in respect of the processing of their personal data and must meet the further requirements of article 47, including:

  • the details of the group of companies;
  • information regarding the data that is transferred, the type of processing that is carried out and the purposes for such processing, and the third countries to which the data is transferred;
  • the data processing and protection principles that are applicable and the rights of data subjects in regard to the processing and protection principles;
  • the duties and tasks of the data protection officer who oversees the group’s compliance with the rules and the GDPR;
  • the complaint process that data subjects may use;
  • how the group of companies trains its employees in respect of the GDPR; and
  • the various requirements in respect of enforcing the rules, reporting on compliance with the rules and cooperation with the various regulatory authorities.

Conclusion

Binding Corporate Rules and Data Processing Agreements have the same broad goal: to ensure compliance with the GDPR when processing personal information where the processing is carried out by more companies than just the data controller. The application of these mechanisms depends on who is carrying out the processing. The territory in which the processing is being done will further impact the substance of these agreements.

It is important, from both a GDPR and POPI perspective, that data protection requirements are adhered to and that businesses make use of the various tools available to them to ensure that they comply with these rules.

DISPLAYED PRICES DIFFERING FROM ACTUAL PRICE – WHICH MUST I PAY?

DISPLAYED PRICES DIFFERING FROM ACTUAL PRICE – WHICH MUST I PAY?

Recently we have noticed a few retailers displaying notices in their stores stating that even where shelf prices have not been updated to reflect the updated value added tax (“VAT“) rate on certain products (now being 15%), and the shelf display price still reflects VAT to be 14% on that product, consumers will be charged for those products at the new VAT rate of 15% at the till point. In practice it means that the price on display may be R114 but at till point the price would be R115. From a Consumer Protection Act (“CPA“) point of view, this raised a few concerns, the biggest being whether a consumer can be legally obligated to pay a higher price than the price displayed.

The VAT rate increase

For the first time in many years, the VAT rate was increased from 14% to 15% on all taxable goods or services supplied by VAT registered vendors, effective from 1 April 2018. Although the increase is only 1% (which seems like a negligible amount), this will have a large impact on consumers and businesses alike, and according to estimates, will ultimately bring in an estimated R22,9 billion for government.

The VAT increase started to apply on1 April 2018, and you can expect to pay VAT at the new rate on any invoices issued or payments made from 1 April 2018. However, if goods were supplied or services rendered before 1 April 2018, you will not be required to pay VAT at 15% on those goods or services, even if only paying for them after 1 April. Therefore, where you are paying for services in arrears or purchased goods on credit during the interim period (22 February 2018 – 31 March 2018), make sure that you are paying the correct VAT rate for those goods and services, even if you are only paying for them after 1 April 2018.

The CPA provisions on prices

The CPA, in section 23(3), requires suppliers to display the price in relation to any goods that are displayed for sale. Further on in section 23(6), the CPA states that a supplier must not require a consumer to pay a price that is higher than the displayed price or, where more than one price is displayed for the same good/service, the supplier must not require the consumer to pay the higher of the two (or more) prices.

Therefore, suppliers are required to display the price that the consumer will pay for goods/services when displaying goods/services for sale and must not require consumers to pay more than this displayed price – “the price you see is the price you pay”.

However, section 23(7) states that subsection (6) does not apply where the price of any goods or services are determined by or in accordance with public regulation.

Applicability in practice

When reading the CPA, it is clear that, as a consumer, you should only be required to pay the actual price displayed and the lowest price displayed where there are multiple displayed prices. However, section 23(7) of the CPA “throws a spanner in the works” with the VAT rate increase and the requirement to pay a price that is more than the displayed price.

The VAT Act is “public regulation” for purposes of section 23(7) of the CPA, and where suppliers are VAT vendors, VAT will be added to goods and services and VAT will therefore be a determining factor used to calculate the price of goods and services. So, the rule that the supplier may not charge an amount higher than the price displayed will not apply in the scenario where the displayed price differs to the amount charged due to the VAT increase.

Further to this exception in section 23(7) of the CPA, the commissioner for SARS granted permission, in terms of proviso (iii) of section 65 of the VAT Act, for suppliers to require consumers to pay the increased VAT rate on goods and services despite the displayed price still indicating that VAT is included at 14% PROVIDED that the supplier prominently displays notices at the entrances to the premises and at all points where payments are made (i.e. consumers must be aware of these notices when in the store).

Conclusion

Generally speaking, consumers do not have to pay a higher price than the price displayed and where there are two prices for the same product displayed, the consumer can insist on paying the lower price.

Regarding the VAT increase, this CPA “right” is not available where the supplier has adequately notified consumers that the displayed prices may differ from prices at till point – due to the VAT increase. Suppliers have until 31 May 2018 to ensure that their shelf display prices have been updated to account for the VAT increase and to remove the notices in store that shelf and till prices may differ.

TREATING CUSTOMERS FAIRLY – A REQUIREMENT IN TERMS OF FAIS

TREATING CUSTOMERS FAIRLY – A REQUIREMENT IN TERMS OF FAIS

In terms of the Financial Advisory and Intermediary Services Act 37 of 2002 (“FAIS“), The Financial Services Board (“FSB“) published the Treating Customers Fairly (“TCF“) outcomes as the foundation of the FSB’s objectives for consumer protection and market conduct. The need for these outcomes is because of the imbalances previously experienced between financial services consumers and regulated financial entities, rendering consumers vulnerable to market conduct abuse. As financial products are complex, poor decision making and bad advice in respect of these products can lead to unintended consequences being experienced and suffered by a consumer a long time after the transaction was entered into.

The aim of TCF

The TCF outcomes are aimed at reducing market conduct risks and protecting consumers of financial products. The outcomes must be delivered to consumers throughout the product life cycle and at all stages of the relationship with the consumer. The TCF outcomes must be incorporated throughout the company so that everyone understands what TCF is and so that they can apply it.

The TCF outcomes address certain issues that are common in all industries. The outcomes may assist companies and consumers in instances where consumers have unrealistic expectations about the financial products/services being offered by companies even where the consumer was treated fairly; and on the other hand, where a consumer with a low level of understanding about the product/service is satisfied with the service received from the company but is unaware that he/she has been treated unfairly.

The key principles

TCF focuses on two key principles:

  1. ensuring that consumers understand the risks and benefits of the financial products/services they are investing in; and
  2. minimising the sale of unsuitable products/services to consumers.

What TCF is not

TCF is not about creating satisfied consumers at all costs. A satisfied consumer can still be treated unfairly and not know that he/she was treated unfairly.

TCF does not absolve consumers from making decisions and taking responsibility for such decisions – consumers still have a responsibility to know what they are getting into and to take responsibility for their decisions.

It also does not mean that all companies must do business in an identical manner – as long as business is done fairly and transparently, TCF requirements will be met.

The 6 TCF outcomes

  1. Culture: consumers should be confident that they are dealing with companies where TCF is central to the corporate culture;
  2. Products and services: products and services marketed and sold in the retail market should be designed to meet the needs of identified consumer groups and should be targeted according to such identified groups;
  3. Clear and appropriate information: consumers must be provided with clear information and kept appropriately informed before, during and after point of sale (i.e. throughout the product/service’s life-cycle);
  4. Consumer advice: where advice is given, it must be suitable and should take account of the consumer’s circumstances;
  5. Product performance expectations: products should perform in the way that consumers have been led to expect and service must similarly be of an expected acceptable standard; and
  6. Post-sale barriers: consumers must not face unreasonable post-sale barriers imposed by companies when they want to change products, switch providers, submit a claim or make a complaint.

Conclusion

The TCF outcomes were created to ensure that the fair treatment of consumers is imbedded in the culture of companies operating in the financial services industry. The outcomes must be implemented throughout the life-cycle of the product/service, meaning that financial service providers have a duty to continuously ensure that consumers are treated accordingly.

Enforcement of the TCF outcomes will occur through a range of deterrents with the objective of preventing unfair treatment of consumers, and may be penalised through mechanisms such as intensive and intrusive supervision, naming and shaming of offenders, and financial penalties.

Essentially, the ultimate goal of TCF is to ensure that the financial needs of consumers are suitably met through a sustainable industry. If a financial services provider aims to achieve the outcomes, the direct effects should be appropriate financial products and services and heightened transparency in the industry.

POPIA: RESPONSIBLE PARTIES AND OPERATORS

POPIA: RESPONSIBLE PARTIES AND OPERATORS

Our previous POPIA articles have examined various aspects of the Protection of Personal Information Act 4 of 2013 (“POPIA“) at length, most notably, the various conditions for processing personal information.  In this post, we will examine the roles of “responsible party” and “operator” in terms of POPIA and what each of these roles entails, along with the rights and responsibilities of the roles.

The main purpose of POPIA is to regulate the use of personal information (as defined by POPIA and summarised below) and to provide for adequate security measures to protect personal information, and the different parties in a relationship will have to comply with these measures in certain ways. Therefore, these roles are important to consider as they have a profound impact on the relationships between responsible parties and operators and also affect the way in which information is processed and used.

What do these terms mean?

  • responsible party” means the party who determines the purpose of and means for processing personal information. This decision may be made alone or in conjunction with another party.
  • operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, but does not come under the direct authority or control of the responsible party.
  • processing” means any activity (including automatic means) concerning personal information, and includes the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, distribution by means of transmission, distribution or making available in any other form or merging, linking, and restriction, degradation, erasure or destruction of information.
  • personal information” is information relating to an identifiable, living person and is not limited to information relating to race, gender, marital status, pregnancy, ethnicity, age, health, disability, religion, language, culture, education and employment, criminal history, identity number, contact details, biometric information, personal opinion, etc.

What is the difference between a responsible party and an operator?

As set out above, responsible parties determine the purpose for processing information, what information is processed, for how long and how it is processed. Where an operator is involved, the responsible party will still determine the purpose for processing etc, but will outsource the processing of the information to the operator. The responsible party therefore still makes all decisions in relation to the information and the operator acts in accordance with these decisions and on the instructions from the responsible party.

The responsible party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all operators providing services to the responsible party. The outsourcing or sub-contracting of any processing activities to operators does not absolve the responsible party from liability. If the operator contravenes POPIA, the responsible party will still be held liable by the Information Regulator.

The importance of contracts when appointing an operator

As with many other relationships, a contractual agreement between a responsible party and operator will prove very useful and high highly recommended in order to definitively address and govern the roles of each party and the boundaries of the relationship.

An agreement between the responsible party and operator should address, at the least, the following points:

  • That the operator only acts within the ambit of the agreement/mandate with the responsible party;
  • The purpose for processing of the information;
  • What information may be processed by the operator;
  • What the operator may or may not do with the information outside of the processing mandate;
  • A duty to protect the information received, not share it with third parties without consent, to keep the information received confidential and to otherwise act within the ambit of POPIA;
  • Limit the operator from appointing further operators without the responsible party’s knowledge or consent; and
  • Liability for the operator*.

Liability for the operator

As mentioned above, the responsible party will be held ultimately liable by the Information Regulator for a breach of POPIA by the operator. The Information Regulator will impose this liability on the responsible party where the breach occurred within the scope of the mandate agreement between the responsible party and the operator and will not be diverted to the operator where the breach is as a result of the operator’s failure to uphold the principles of POPIA.

Therefore, the agreement between the responsible party and the operator is extremely important for the responsible party as this agreement can result in the responsible party holding the operator liable for any claims that the Information Regulator and/or data subjects (the people whose personal information is being processed) bring against the responsible party as a result of a breach of POPIA by the operator. A liability clause will allow the responsible party to bring a claim for any loss suffered by the responsible party as a result of the operator’s negligence or breach of POPIA.

Some relief for a responsible party in this regard is where an operator breaches POPIA where the operator has exceeded its mandate. In these circumstances, the operator is seen to be acting as a responsible party in regard to the personal information as the operator is determining the purposes and means of processing.

Conclusion

We cannot emphasise the importance of an agreement between a responsible party and operator enough as such an agreement sets out the important details of the relationship between the operator and responsible party and aims to protect not only the responsible party, but also the operator by detailing the extent of the processing and other responsibilities that the operator undertakes.

Make sure that you know when you act as a responsible party and when you are acting as an operator as your responsibilities will differ along with your liability.

Conversations and agreements – when are they binding?

Conversations and agreements – when are they binding?

Introduction

A major cause of disputes occurs over the content of agreements. Sometimes these disputes are a result of poorly drafted contracts; content and deliverables not being adequately described; or as a result of variations to the original contract. Another source of dispute is verbal contracts and conversations where the parties dispute the content of what was agreed upon.

Both verbal and written contracts are, in general, legally binding. However, sometimes writing is unavoidable and is a formality for the contract to be valid, for example: the sale of immovable property, antenuptial contracts, wills and executory donations. Along with the preceding list, all documents that have to be submitted to and registered with the Deeds Office must also be set out in writing.

Written contracts have various advantages, among others, they:

  • ensure that both parties are fully aware of the contents of their agreement;
  • create transparency between the parties;
  • create and maintain trust between parties;
  • can stipulate formalities that must be met for validity; and
  • serve to avoid unnecessary disputes.

Electronic communication

The Electronic Communications and Transactions Act 25 of 2002 (“ECTA“) recognises electronic messages (or “data messages“) as the functional equivalent of writing, meaning that data messages have the same legal validity as content written on paper. This results in any formality requiring writing to be met when the information is in the form of a data message. ECTA, however, imposes a requirement of accessibility to accompany data messages by requiring data messages to be easily accessible to the parties thereto.

The validity of electronic messages was confirmed by the Supreme Court of Appeal (“SCA“) in November 2014 in the case of Spring Forest Trading v Wilberry (Pty) Ltd. The court held that variations to an agreement between the parties made via email were binding – the arguments put forth were that the variation to the agreement was required to be made in writing and signed by both parties in order for it to be valid and that this requirement had not been met because the variations were only discussed and agreed to via email. The court stated that the email signatures at the bottom of the emails amount to signatures and that the email messages constituted writing in terms of ECTA.

Conclusion

Written contracts are always recommended. The rationale being that oral agreements offer no objective or clear record of the details of the agreement and the specific terms are often difficult to establish when a dispute arises. Well drafted agreements should include useful information and guidance to the parties to ensure a fair and smooth resolution of disputes or disagreements. The guidance information should address when parties may cancel the agreement, what constitutes breach and how the breach should be remedied.

Written agreements should also set out that any changes to the agreement are not valid if they are not in writing (and signed by both parties) – which prevents disputes over any amended terms of the agreement. This also prevents quarrels of a “he said, she said” nature as everything has been recorded. As set out above, this can be done via email or other electronic messages, including Whatsapp, for example, however, the name of the sender must be signed at the end of the message for it to be valid.

It is important to understand that following the abovementioned judgment, parties to a contract should specifically refer to an “advanced electronic signature” – which is a special signature provided for in ECTA – being required to amend the agreement if the intention is for the usual email type correspondence not to effect an amendment to the agreement.

Remember, you could be bound to a contract where you have willingly signed it even if you have not yet read it.

Important take-aways

  • electronic communication is legally binding and is the equivalent of writing;
  • some agreements can only be altered if the variation is in writing and signed by both parties;
  • some agreements must be in writing and signed (and sometimes commissioned or notarised) in order to be valid and binding; and
  • oral agreements are binding (but not advised!).
Website terms – purpose, importance and consequences

Website terms – purpose, importance and consequences

Nowadays, websites almost always contain policies and terms that govern your use of the site. Sometimes these policies will appear as banners on the site (which you have to “agree” to in order to make them disappear), links in the page footer (like we have on our website) or as a statement along with a tick box saying that you have “read and agree with” the terms (usually when transacting online).

The questions on peoples’ minds are firstly, why do I need all these different sets of terms and, secondly, are these policies binding.

Why do we need all of these terms?

The website terms which we feel are important are browser terms, privacy policies and commercial/transactional terms. Each one of these deals with specific aspects of the website’s use, including, for example, the collection of personal information, social media integration, payment methods and your rights as a user of the website. Below we discuss each policy and its importance. These policies also protect your rights and interests in your website and can allow for you to have a claim in law against people who infringe your rights.

Browser terms

Although browser terms are not a legal requirement, they are useful to ensure that the “web surfer” understands and agrees to certain key points. Browser terms should be used to inform the surfer that:

  1. you, as the website owner, owe them no responsibilities;
  2. they get no rights to any services or IP merely by browsing;
  3. they are required to respect your website and the content thereof; and
  4. you comply with all necessary legal disclosure requirements.

Browser terms are “agreed” to through the surfer continuing to browse the website. These types of agreements are called “web-wrap” agreements. More on this below.

Privacy policies

Privacy policies are essential whenever the website collects or makes use of personal information. Personal information is often collected through cookies as well as when browsers become users of a website by creating an account or by integrating their social media accounts with the website.

The Protection of Personal Information Act 4 of 2013 (“POPI”) sets conditions for the lawful processing of personal information. Included in POPI’s ambit will be the mere storage of personal information when it is collected by cookies. POPI also requires that companies make certain information available to users when they collect their personal information. This can be achieved through a privacy policy. Privacy policies therefore also assist the website owner to comply with legal requirements

Privacy policies usually include the following important aspects:

  1. the use of cookies to collect certain information;
  2. the purposes for the processing of the personal information;
  3. the sharing of personal information by the website owner with certain select third parties;
  4. the storage of personal information, including the security measures taken and whether cross-border storage will occur; and
  5. the user’s rights in relation to his/her personal information and the recourse that he/she has.

Privacy policies are, like browser terms, usually agreed to by browsing, however, a recent trend has been to display the fact that cookies are used as a banner on a website requiring a “click-wrap” agreement to be entered into in order to remove the banner.

Commercial/transactional terms

As the name suggests, the commercial terms become applicable where the website enables users to transact with the website owner through the website. These terms serve as the terms of the contract which you conclude with the user when the user becomes a customer. The important aspects that this policy should govern includes:

  1. a general explanation of the service or product being offered by the website;
  2. the fees that are payable, which may be a once off purchase price or a subscription fee, as well as the fees relating to delivery costs, insurance and VAT;
  3. the terms applicable to returns;
  4. limitation of liability, which will be subject to the Consumer Protection Act 68 of 2008 (if it applies);
  5. the applicability of promotional codes and vouchers; and
  6. acceptable use policies, however, this is more applicable where the website offers a service and not a product.

The Electronic Communications and Transactions Act 25 of 2002 (“ECTA“) requires certain disclosures in terms of section 43 by the website owner when goods or services are offered for sale or hire through an electronic transaction. Some of the disclosures required include:

  1. company name, registration number and contact number;
  2. addresses, including physical, website and e-mail;
  3. a description of the main characteristics of the goods/services offered (which fulfils the requirement of informed consent;
  4. the full price of the goods, including transport costs, taxes and any other and all costs;
  5. the manners of payment accepted, such as EFT, cash on delivery or credit card, as well as alternative manners of payment such as loyalty points;
  6. the time within which delivery will take place;
  7. any terms of agreement, including guarantees, that will apply to the transaction and how those terms may be accessed, stored and reproduced electronically by consumers;
  8. all security procedures and privacy policy in respect of payment, payment information and personal information; and
  9. the rights of the consumer in terms of section 44 of ECTA.

ECTA also requires that the customer must have an opportunity to review the transaction, correct any mistakes and withdraw from the transaction without penalty before finally concluding the transaction. ECTA non-compliance gives the consumer the opportunity to cancel the order and demand a full refund.

Additional requirements are placed on suppliers transacting online regarding payment systems. The payment system used must be sufficiently secure in terms of current accepted technological standards. Failure to comply with these security standards can render the website owner liable for any damages suffered due to the payment system not being adequately secure.

Are these policies binding?

Essentially, yes, website terms will be binding based on the principles of contract law. Website users must be made aware of the terms that apply to their use of the website and you should always ensure that you include wording to the effect that by anyone continuing to use the website they agree to the terms.

To this effect, web-wrap and click-wrap agreements come into play.

Web-wrap agreements

Web-wrap agreements (also referred to as browse-wrap agreements) are used to acknowledge the terms of use of a website by continuing to use the website. The user indicates acceptance of the terms by using the website and does not expressly indicate acceptance of the terms. Such agreements are usually used in browser terms and privacy policies.

Click-wrap agreements

Click-wrap agreements require the user of a website to indicate their agreement with the terms through positive action – usually by clicking “I accept” before proceeding with their activity on the website. These agreements are usually used for more important agreements, such as when installing new software on your computer or when entering into online transactions.

Conclusion

Even though all of these policies may seem excessive, they are worth having. Yes, copying and pasting clauses from other policies will get the job done, but you may leave yourself vulnerable to certain consequences that you haven’t thought about. These consequences may be even worse when it comes to commercial terms. Contact us for a free quote and ensure that your online business is fully protected!

Pyramid schemes and other related practices: what you need to know.

Introduction

In terms of our law, a pyramid scheme is an unlawful practice in terms whereof the newest members fund the “investments” of the existing members. The return on “investment” is usually too good to be true and not at all market related. As soon as new members stop joining the scheme, it falls apart resulting in the newest members losing the most.

The law

The Consumer Protection Act 68 of 2008 (“CPA” or the “Act”) defines a pyramid scheme along with the other related schemes falling within the ambit of the CPA. The general prohibition on these schemes is found in section 43(2) of the Act, and includes multiplication schemes and chain letter schemes.

“(2)      A person must not directly or indirectly promote, or knowingly join, enter or participate in—

  1. a) a multiplication scheme, as described in subsection (3);
  2. b) a pyramid scheme, as described in subsection (4);
  3. c) a chain letter scheme, as described in subsection (5); or
  4. d) any other scheme declared by the Minister in terms of subsection (6), or cause any other person to do so.”

Let’s look at these schemes in more detail:

Pyramid scheme

A pyramid scheme is a system into which people buy in exchange for a pay-out at a later stage when new members are introduced into the system. One normally pays a “joining” or “admin” fee to become a member of the scheme. The people who recruit the new members are paid out from the new members’ joining and admin fees. In some instances the scheme will involve the new members purchasing a product; however the product is of very low value and is a distraction from the main objective of the scheme.

The new money coming into the scheme is not used to derive profits but is merely used in order to pay out the existing members of the scheme: repayments are paid from new capital and not from profits generated. As soon as people stop joining the scheme it will start to fail and eventually collapse.

In terms of the CPA a pyramid scheme is defined as follows:

“(4)      An arrangement, agreement, practice or scheme is a pyramid scheme if—

  1. a) participants in the scheme receive compensation derived primarily from their respective recruitment of other persons as participants, rather than from the sale of any goods or services; or
  2. b) the emphasis in the promotion of the scheme indicates an arrangement or practice contemplated in paragraph (a).”

Multiplication scheme

A multiplication scheme is different to a pyramid scheme in that the CPA clearly states that it will only occur when the return on investment is 20% above the REPO rate at the date when the person invested into the scheme. A multiplication scheme occurs as soon as the investor is offered, promised or guaranteed returns that are 20% above the repo rate. Multiplication schemes do not have a hierarchical structure like pyramid schemes but generate revenue through repeated or once-off investments of varying amounts by members. The investments are then used to finance the interest pay-outs owed on investments made at an earlier date.

In terms of the CPA a multiplication scheme is defined as follows:

“(3)      A multiplication scheme exists when a person offers, promises or guarantees to any consumer, investor or participant an effective annual interest rate, as calculated in the prescribed manner, that is at least 20 per cent above the REPO Rate determined by the South African Reserve Bank as at the date of investment or commencement of participation, irrespective of whether the consumer, investor or participant becomes a member of the lending party.”

Chain letter scheme

Chan letter schemes require participants to continually recruit more participants in order to start receiving pay outs from their investment. The investment made is a joining fee of sorts. Each new participant joins at the lowest level in the scheme and “move up” by recruiting new members below them. Once a participant reaches the highest level of the scheme they are removed from the scheme.

In terms of the CPA a chain letter scheme is defined as follows:

“(5)      An arrangement, agreement, practice or scheme is a chain letter scheme if—

  1. a) it has various levels of participation;
  2. b) existing participants canvass and recruit new participants; or
  3. c) each successive newly recruited participant—
  4. i) upon joining—
  5. aa) is required to pay certain consideration, which is distributed to one, some or all of the previously existing participants, irrespective of whether the new participant receives any goods or services in exchange for that consideration; and
  6. bb) is assigned to the lowest level of participation in the scheme; and
  7. ii) upon recruiting further new participants, or upon those new participants recruiting further new participants, and so on in continual succession—
  8. aa) may participate in the distribution of the consideration paid by any such new recruit; and
  9. bb) moves to a higher level within the scheme, until being removed from the scheme after reaching the highest level.”

Characteristics of these schemes

The characteristics of these schemes include:

  • No product or product of little value being purchased by new participants.
  • A hierarchical, pyramid shaped structure where the members at the top benefit the most and the members nearer the bottom only benefit after the “top dogs” have been paid.
  • The incentive to recruit members is to ensure that a pay-out to the existing member recruiting and not in order to sell them a product of value.
  • The main source of income generated is from the introduction of new members and not through investment or other forms of wealth creation.

Outcomes of these schemes

  • The possible outcomes to these schemes:
    • The founding member or principal of the scheme gathers as much money from the scheme as possible and disappear with the funds.
    • The scheme collapses due to its “weight”. The scheme starts to lose speed as fewer members join resulting in a lack of funds available for existing members.
    • The scheme is unveiled as a pyramid or other prohibited scheme and authorities put a stop to the scheme.

Can members claim money back?

It is possible for the investors in pyramid schemes to attempt to claim their money back once the scheme collapses, however, chances of successfully retrieving all the funds you have invested are slim. Once the schemes collapse they are liquidated, as the scheme is declared insolvent. The liquidators will ensure that they receive their fee along with as many creditors of the scheme getting paid at least a portion of their outstanding debts leaving little to nothing for the victims of the scheme.

Prosecuting pyramid and related schemes along with their founding members is a major concern and problem faced by the South African Reserve Bank. Investigations into the schemes can take years to complete, depending on the complexity of the scheme. Another catalyst to the extended investigation period is the fact that the initiators of the schemes tend to disappear with investor funds as soon as the scheme starts showing signs of collapsing or gains too much attention from authorities.

The Companies Act, 2008, provides a mechanism for placing financially distressed businesses under “business rescue proceedings”. These proceedings are also often a barrier to investigation by the Reserve Bank and further prosecution.

Consequences for the person starting the scheme

Charges that could be laid against the founders of such schemes, as well as any persons involved in the schemes who should have noticed that fraudulent schemes were taking place include: theft, fraud, reckless trading, forgery and uttering, tax evasion, contravention of the Gambling Act, contravention of the Companies Act and contravention of the Banking Act.

Things to look out for

  • Interest rates that are “too good to be true” and much higher than interest rates offered by established institutions, such as banks and investment portfolios.
  • Promises of a guaranteed return on investment in a short amount of time.
  • The requirement to recruit additional members.
  • No link to established organisations.
  • When the investment does not disclose how returns are made.
  • The institution running the scheme is not licensed as a financial services provider with the Financial Services Board.
  • Where there is little or no information or an official mandate or documentation relating to the scheme.

Recent developments

The National Consumer Commission (NCC) have over the last 6 months launched investigations into the business practices of various companies, based on suspected pyramid scheme practices and other prohibited practices in terms of the CPA.

One example is the DiPESA scheme that was investigated earlier this year, but the investigation indicated that the business was in fact legitimate as it did not meet all the characteristics of any of the prohibited schemes in terms of the CPA.

Conclusion

In economically distressed times, companies may consider and initiate different kinds of business opportunities. It is important to understand that when considering your business model, prohibited practice in terms of consumer laws like the CPA, should be considered as a first step.

When considering pyramid and other related schemes it is also important to also take into account section 38 of the CPA, which regulates referral selling. The prohibited referral selling model aims to protect consumers against “unfair” marketing practices in terms whereof the consumer would agree to enter into an agreement (and pay for) goods or services on the basis that the consumer could possibly receive a benefit after entering into the agreement.