The Financial Consumer Protection Act, 2022 introduces a significant enhancement to Lesotho’s financial regulatory framework, particularly by reinforcing data privacy obligations for financial service providers. Building on the existing requirements of the Data Protection Act, 2011 (DPA), the new law clarifies and expands the responsibilities of financial institutions for the collection, use, and protection of consumer information. One of the most notable developments is the empowerment of the Central Bank of Lesotho to act as the regulator responsible for monitoring and enforcing compliance with these obligations.
Section 43 of the Act establishes that financial institutions must take full responsibility for any non-public personal data collected from their customers and are required to process this information in accordance with the DPA. This creates a binding obligation on service providers to ensure they adopt robust data protection measures aligned with national privacy standards. Importantly, the DPA recognises the authority of sector-specific legislation to impose more detailed or stringent protections. In such cases, the provisions of the more specific law, such as those contained in the Financial Consumer Protection Act, take precedence.
In the current legal environment, where the Data Protection Commission has yet to be constituted and the enforcement of the DPA is largely inactive, the Act fills a regulatory gap. It does so by granting the Central Bank of Lesotho the authority to enforce data protection requirements within the financial sector. This includes investigating breaches, applying administrative sanctions, and initiating regulatory actions against institutions that fail to meet their data obligations.
Non-compliance with any provision of the DPA, where such provision is mirrored or reinforced by the Financial Consumer Protection Act, is considered a violation of section 43 of the Act. This empowers the Central Bank to intervene directly in cases where consumer data has not been handled lawfully or securely. The regulator may impose fines or other penalties as provided for under the Act, creating a more structured and enforceable system of accountability for financial service providers.
This development is a major step forward in aligning Lesotho’s financial sector with international best practices in privacy and consumer protection. Financial institutions must now be proactive in evaluating and updating their data protection policies, implementing internal controls, and ensuring that staff are fully aware of the legal requirements under both the DPA and the Financial Consumer Protection Act. As enforcement mechanisms are now in place, institutions that fail to comply may face legal consequences, reputational harm, and the loss of consumer trust.
By bridging the gap between general data protection law and sector-specific oversight, the Financial Consumer Protection Act, 2022 plays a crucial role in safeguarding the personal data of consumers and elevating regulatory standards in Lesotho’s financial system.