Run on numbers: CIPC found lacking in security matters

The Companies Act of 2008 intends to make business easier. File photo.

Published Apr 8, 2024


The Companies Act of 2008 intends to make business easier. But in practice, the opposite is happening through mismanagement and endless red tape.

1. On January 26 an inaugural meeting was held of the members of the still-to-be-formed Professional Company Secretarial Practitioners Organisation (PCSPO). Approximately 250 members have joined the organisation, and that membership is expected to grow. The chairperson welcomed the members and explained the need for the incorporation of such an organisation. He noted that he hoped it would achieve better service delivery for the secretarial body, in terms of both the Companies and Intellectual Property Commission (CIPC) and the Master of the High Court.

The chairperson, Mark Silbermann, said that an action plan was suggested, and the organisation would formulate an engagement to deal with the current failure of the CIPC delivery system. He went on to state that an evaluation of the cost of a new system would be done, as the current system did not seem to be functional. He noted that “the key motivation of the 2008 Companies Act was to make business easier, but the exact opposite is currently being experienced through mismanagement and endless red tape”. The chairperson further noted the challenge of verification of foreigners and the challenges facing practitioners with the underperformance of the Department of Home Affairs.

2. In Notice 20 of 2024, the CIPC announced that a cybersecurity breach was discovered at the institution. As soon as the breach became known, the CIPC proceeded to comply with all requirements in terms of the Protection of Personal Information Act, 4 of 2013, by notifying the Information Regulator, the SAPS, and the State Security Agency of the security compromise and publishing a media statement to that effect. The CIPC stated that every reasonable step was being taken to ensure that the CIPC systems and platforms were protected from unlawful and/or unauthorised access and abuse and remained available to their clients for transacting.

The CIPC further stated: “The recent events have necessitated the CIPC to remind our clients of the content of section 187(4)(c) of the Companies Act, 71 of 2008, which states: –

“(4) The Commission must make the information in those registers efficiently and effectively available to the public and other organs of the state.

“In terms of our governing legislation, the information contained on the CIPC registers forms part of the public domain and can be accessed by any person when legal and lawful processes are followed.”

This statement is not entirely true as there is only limited access to information. In a recent search, I was unable to verify the identification number of a person who formed a new company late last year. The authorities assume the person to be in jail in Brazil, yet it seems as if he has opened new companies in South Africa. The specific person is to be extradited to South Africa but is also sought in various other jurisdictions across the world. If his identification number as the director of the company was available to be seen by the general public, one could raise an alarm.

In the current year, the CIPC has already deregistered 647 853 companies. An application for reinstatement is not an automatic procedure. If, for instance, a company did not have an active bank account at the time of final deregistration, the CIPC will require the company to approach the High Court for an instruction to have the company reinstated. The cost could exceed R30 000. A company may have a pending case in the High Court for damages and would not be able to proceed. Such deregistration is not conducive to making business easier.

3. According to “MyBroadband” magazine, “Shortly after its announcement, the hackers who claimed responsibility for the attack contacted MyBroadband and accused the CIPC of covering up the data breach’s severity.” They had breached the security system as far back as 2021 and had assumed that the security was rectified. “However, nearly three years later, they found they could still get into the CIPC’s systems using the same vulnerability they had exploited before.”

As proof they were who they claimed, the hackers provided confidential information from the CIPC database that MyBroadband would recognise. They also pointed to a post on Pastebin as proof of their claim. The data sample contained several people’s full names, ID numbers, physical addresses, phone numbers, email addresses, and CIPC passwords. The post was dated 2021. “Not only that but this time, the attackers found unencrypted credit card information while probing the CIPC’s systems.”

It is ironic that Trade, Industry and Competition Minister Ebrahim Patel proudly announced: “The CIPC was awarded the Most Innovative Public Service Entity of the Year for 2020 as well as the effective use of digitised services award, throughout all tiers of government, for their Bizportal online registration system.” He also called for scrapping the necessity for smaller companies to be required to complete the annual financial statements. His department never implemented his request and instead deregistered hundreds of thousands of smaller companies.

4. 2023 gazetted regulations broadened third-party reporting requirements for trusts. With these changes, all South African trusts are required to comply with updated regulations set by the South African Revenue Service (Sars) regarding beneficial ownership declarations.

The disclosure of the following details has been mandated:

• demographic data of the reporting trust

• demographic information of trustees and beneficiaries

• taxable amounts that have been distributed and vested in beneficiaries

• details concerning non-taxable income distribution

• financial flows within the trust.

September 15, 2023 – Enhancements to Trust Beneficial Ownership information

Sars aims to record all beneficial owners of registered Trusts to comply with the Financial Action Task Force (FATF) requirements. In this regard, certain information must be submitted via e-filing. These documents may include, but are not necessarily limited to, the following:

• an organogram, illustrative, or schematic diagram depicting effective control of the Trust. Where the Beneficial Ownership is in the form of other legal arrangements or legal entities, this should be provided in a separate attachment.

• an Excel spreadsheet containing the above information or

• such other document(s), which will elaborate on Beneficial Ownership of the Trust.

When capturing the beneficial ownership information, it is mandatory for the current year’s return that at least one document be submitted that relates to beneficial ownership information. In the event there are more than 20 beneficial owners, the taxpayer must upload a supporting document that reflects the additional beneficial owner(s). All minutes, excluding those dealing with internal trustee governance arrangements and/or administrative matters, must be submitted.

5. The latest requirement relating to beneficial ownership is a step in the right direction, but it is of limited value if only the regulators can have insight thereto. The system would be much more valuable if the public and/or companies trading with one another could have access to this information. The backbone of the “Know Your Client” concept is for banks to be able to guard against money laundering and fronting organisations.

This matter should be transparent to banks and financial institutions and all other individuals and legal entities. Anyone who can transact should have this information at their disposal. Recently, Ashburton Asset Managers, a subsidiary of FirstRand, was penalised R16 million by the Financial Sector Conduct Authority (FSCA) for shortcomings in its administrative compliance responsibility related to the Financial Intelligence Centre (FIC) Act.

“The asset management activities of the group are represented by Ashburton Investments, which was launched in 2013 as part of FirstRand’s strategy to access broader financial services profit pools.”

I expect the compliance officer of the fund will get a small performance-related bonus at the end of the year. Perhaps they will find it much easier to comply with these regulations if the beneficial ownership records are also available to them.

* Kruger is an independent analyst.