The Financial Consumer Protection Act, 2022 (the “Act”) marks a significant development in the protection of personal data in Lesotho’s financial services industry. The Act reinforces the application of the Data Protection Act, 2011 (the “DPA”) to all financial institutions and introduces enhanced obligations for the secure handling of consumer information.
Data Protection Obligations for Financial Institutions
Under the Act, financial service providers are required to adopt robust measures to safeguard non-public consumer data. Section 43 of the Act clearly states that institutions must take full responsibility for the personal information they collect and must process such data in accordance with the DPA. This provision ensures that financial institutions are not only aware of their duties under the data privacy framework but are also held accountable for compliance.
Sector-Specific Legislation Takes Precedence
In alignment with the DPA, the Act affirms that where financial sector laws provide stronger protections for personal data than the general provisions of the DPA, the sector-specific requirements will prevail. This legal hierarchy ensures that consumers of financial products receive the highest possible level of data privacy protection.
Central Bank of Lesotho: The Key Enforcer
A notable feature of the Act is the empowerment of the Central Bank of Lesotho as the regulatory authority responsible for enforcing compliance. Given the current lack of an operational Data Protection Commission, the Central Bank fills a crucial gap by ensuring that financial service providers adhere to data privacy requirements under both the DPA and the Financial Consumer Protection Act.
Importantly, a breach of the DPA by a financial institution now constitutes a violation of the Act itself. This gives the Central Bank the legal authority to initiate enforcement action, including the imposition of administrative penalties, against non-compliant entities.
Compliance and Enforcement Measures
The Central Bank is granted wide-ranging powers under the Act, which include:
- Conducting compliance investigations;
- Imposing administrative fines for violations; and
- Taking direct regulatory action against errant financial institutions.
These measures signal a firm regulatory stance on data privacy and underscore the Central Bank’s commitment to consumer protection in Lesotho’s financial sector.
Conclusion
The Financial Consumer Protection Act, 2022 represents a progressive shift towards stronger data governance in Lesotho. By linking financial sector compliance with national data protection legislation and empowering the Central Bank as the enforcing body, the Act creates a comprehensive legal framework that enhances consumer rights, promotes trust in financial services, and aligns with global standards of data privacy and compliance.