Is your CRM system compliant?

15 May 2026
9 minute read

CRM systems are the lifeblood of an adviser’s business. But they are also a potential compliance concern with risks such as data loss and theft as well as unauthorised access to information. We asked the experts at Masthead for some guidelines on how to make CRM systems compliant.

Keeping CRM systems compliant at client contact points

Information is exchanged and records created, such as an FNA, when meeting clients. These records have to meet POPIA, the FAIS Act and General Code of Conduct requirements. These are the most important points advisers need to keep in mind and follow.

New clients

“Advisers must be open and clear about how the client’s personal information will be used but they do not need to go into technical detail about their CRM system,” says Cedric Baker Effendi, Masthead Cape Town Area Manager and Senior Practice Management Consultant.

He says advisers need to:

  • Explain what information is being collected and why, such as ID and financial information so that advice can be given and legal requirements such as FICA met.
  • Explain whether providing the information is mandatory or voluntary, as well as what happens if the client does not provide it, for example being unable to process a transaction until the required information is shared.
  • Tell the client who will have access to their information. This is mainly types or categories of parties such as insurers, investment managers and compliance staff.
  • Explain that the client’s information will be stored securely, usually on an electronic system like a CRM, and that only authorised people will have access to it.
  • Inform the client of their rights, such as the right to access their information, correct it, or object to certain uses, such as marketing.

Existing clients

Advisers do not need to repeat the full POPIA disclosure every time they meet an existing client. However, Baker Effendi says there must be disclosure if something changes, such as when a new system is implemented or a new third party, such as a new investment manager, becomes involved in the transaction.

“If nothing has changed, you can simply remind or refer to it, not repeat everything. POPIA allows this practical approach.”

Prospects who don’t become clients

If you have a potential client who you advise and recommend plans and products to, but who doesn’t follow your advice or take up products, you still need to keep records.

“The obligation to keep records is based on whether advice was given not whether a transaction took place,” says Baker Effendi.

At the end of a client relationship

Client information must be stored securely and confidentially until it is no longer needed.

Mathilda Meyer, Masthead Compliance Officer, says that advisers are required to retain records of advice and client interactions for at least five years according to the FAIS Act and the General Code of Conduct. “In addition, the FIC Act may require longer retention in certain cases, particularly where client identification and transaction records are concerned.”

Voice recordings and compliance

Recording conversations and meetings on your phone is easy, quick and everybody is doing it. But when the recording contains personal details, financial information and client instructions, is it compliant?

“Recording conversations with clients on a phone is not necessarily a compliance issue, it’s how those recordings are handled afterwards that creates the risk,” says Meyer.

Meyer says that a mobile phone, on its own, is not considered a compliant storage environment.

“Phones are easily lost or stolen, are not centrally controlled and typically lack proper audit trails, access controls and backup mechanisms. This creates a clear risk from both a POPIA and cybersecurity perspective, particularly when viewed alongside the expectations set out in the IT Joint Standards on governance and cyber resilience.”

Meyer says if a conversation is recorded for a valid business reason, the regulators expect the adviser to:

  • inform the client that the conversation is being recorded,
  • ensure there is a lawful basis for the recording, and
  • transfer the recording to a secure system, such as a CRM or controlled cloud environment, as soon as possible.

“The recording should form part of the official client record, be properly protected and remain accessible if needed for complaints, disputes or regulatory requests.”

Use caution when communicating via mobile devices or platforms such as WhatsApp, and ensure that appropriate security, storage and record-keeping controls are in place.

“These environments are not designed for compliance and can expose both the adviser and the client to unnecessary risk,” says Meyer.

Moving to a new CRM system or selling your business

Meyer says the key principle here is that client data must remain secure, accessible when required and compliant with legislation, regardless of what happens to the system itself.

“Even if a CRM system is no longer in use, the data within it must still be retained and be retrievable.”

  • Retain records of advice and client interactions for at least 5 years (FAIS, General Code of Conduct).
  • Check if client identification and transaction records need to be retained longer under the FIC Act.
  • Ensure the personal information is protected against loss, unauthorised access or breaches (POPIA). “If a system is decommissioned, the data must either be securely archived or properly migrated, not left sitting in an unsecured or unmanaged environment,” Meyer says.
  • Ensure data is transferred securely, completely, and only to an authorised and compliant party.
  • Ensure there is access. “Advisers must still be able to respond to client queries, complaints, or regulatory requests. From a regulatory perspective, ‘we no longer have access to the old system’ would not be considered an acceptable explanation,” says Meyer.
  • Decommission old systems only when you are satisfied that all data has been properly retained, migrated and is accessible. Meyer says this is the point at which any remaining data should be securely and permanently destroyed in line with POPIA requirements.

“In practice, the biggest risks arise where advisers lose access to historical records, fail to migrate data completely or overlook data protection requirements during system changes. These are all areas that regulators are increasingly focused on,” Meyer says.
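As an added example (not the article's or Masthead's code) of the decommissioning steps above: reconcile the records exported from the old CRM against the new one by content hash, refuse to decommission while anything is missing or altered, and only then classify the migrated records against the five-year minimum, sending FIC-type records to manual review rather than automatic destruction. The record fields, record kinds and sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json
@dataclass(frozen=True)
class Record:                  # assumed record shape; a real CRM export is richer
    record_id: str
    client_id: str
    kind: str                  # assumed kinds: "advice", "fna", "fica_id", "transaction"
    created: date
    content: str

FAIS_RETENTION_YEARS = 5                 # minimum the article cites (FAIS Act, General Code)
FIC_KINDS = {"fica_id", "transaction"}   # FIC Act may require longer: never auto-destroy

def fingerprint(rec):
    """Hash the whole record so migration is checked for completeness, not just presence."""
    canon = json.dumps({"id": rec.record_id, "client": rec.client_id, "kind": rec.kind,
                        "created": rec.created.isoformat(), "content": rec.content}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()

def reconcile(old, new):
    """Every record in the old CRM must exist, unaltered, in the new one."""
    new_fp = {r.record_id: fingerprint(r) for r in new}
    missing = sorted(r.record_id for r in old if r.record_id not in new_fp)
    altered = sorted(r.record_id for r in old
                     if r.record_id in new_fp and new_fp[r.record_id] != fingerprint(r))
    return {"missing": missing, "altered": altered, "complete": not (missing or altered)}

def retention_status(rec, today):
    """'retain' inside the FAIS minimum; after it, FIC-type records go to review, others become destroy-eligible."""
    # Add five years; a 29 February creation date rolls to 1 March.
    expiry = date(rec.created.year + FAIS_RETENTION_YEARS, rec.created.month, 1) + timedelta(days=rec.created.day - 1)
    if today < expiry:
        return "retain"
    return "fic_review" if rec.kind in FIC_KINDS else "destroy_eligible"

def decommission_plan(old, new, today):
    """Switch the old system off only when migration is complete, then classify migrated records."""
    rec = reconcile(old, new)
    plan = {"ok_to_decommission": rec["complete"], "retain": [], "fic_review": [], "destroy_eligible": []}
    if rec["complete"]:
        for r in new:
            plan[retention_status(r, today)].append(r.record_id)
    return plan

OLD = [Record("A1", "C1", "advice", date(2019, 3, 1), "FNA and recommendation"),   # constructed sample, not real client data
       Record("A2", "C1", "transaction", date(2019, 3, 2), "policy taken up"),
       Record("A3", "C2", "advice", date(2024, 6, 1), "advice given, no product taken")]
NEW_BAD = [OLD[0], Record("A2", "C1", "transaction", date(2019, 3, 2), "policy taken up (edited)")]
```

Run `decommission_plan(OLD, OLD, date.today())` for a complete migration and `decommission_plan(OLD, NEW_BAD, date.today())` to see the reconciliation block decommissioning when a record is missing or altered.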

CRM and other systems

Many CRM and other systems are interconnected and share information, creating another potential compliance and security risk.

Jeanine de Swardt-Breeds, Masthead Johannesburg Area Manager and Compliance Officer, says that advisers should always consider CRM integration from a compliance aspect, not just from an IT perspective.

“If the CRM system shares client personal information with any other system, the FSP remains responsible for ensuring that the sharing of information is lawful, limited and secure. The FSP must make sure that the information shared with these system providers, referred to as operators, is maintained by having a written agreement in place in terms of the POPI Act.”

She says that advisers should:

  • Map what personal information leaves the CRM
  • Check that the minimum necessary information is shared
  • Confirm who the recipient is
  • Ask where the data is stored

“If integration is used for email or SMS marketing campaigns, POPI’s direct marketing rules also apply.”

Cybersecurity

Don’t rely on the CRM vendor’s built-in security, says De Swardt-Breeds.

“The POPI Act places a duty on the responsible party, the adviser/FSP, to secure personal information with appropriate, reasonable technical and organisational measures. The Act specifically says that the FSP must identify reasonably foreseeable risks, maintain safeguards and regularly verify that they are working.”

“In practice, this means that the vendor’s controls are only one layer. The adviser still needs sound access control, user permissions, secure authentication, oversight of who can export data and working backup and recovery processes.”

Act quickly if there is a breach, says De Swardt-Breeds. Notify the Information Regulator and, subject to the Act, the affected data subject, such as your client or product provider.

“The Act says this must happen as soon as reasonably possible after discovery. The Information Regulator’s guidance makes the same point clearly: you do not wait for the investigation to be fully completed before reporting, and if the breach happened at an operator, the operator must notify the responsible party immediately.”

Train staff on your CRM system

De Swardt-Breeds says staff should be trained on:

  • What information must be obtained and captured
  • What should not be captured
  • Who may access which records
  • How marketing permissions work
  • How to recognise and escalate suspicious activity
  • How to respond to a possible security incident

“The practical standard should be role-based training at onboarding, refresher training during the year and evidence that it actually happened.” She says it is also worth training people on misuse, not just use: downloading client lists to personal devices, sharing logins, exporting data without authority or using CRM notes for informal comments can all become compliance problems very quickly.

Checking that your CRM system is compliant

“A CRM system is effectively the central evidence of how the adviser conducts business,” says Meyer. “It’s where all client information, advice records and interactions live, so the question is not just whether it ‘works’, but whether it can stand up to regulatory scrutiny.”

Meyer says there are a few key areas advisers need to get right.

Record keeping

Advisers are required to maintain proper records of advice, client communication and supporting documentation. These records must be complete, accurate and retained for at least 5 years.

Accessibility

Advisers must be able to retrieve information quickly and in a usable format. This applies not only to FSCA requests, but also to client queries, complaints or Ombud matters. The FIC Act reinforces this by requiring that certain records be both retained and readily accessible.

Data protection

Your CRM must have appropriate security safeguards in place such as controlled access, password protection and protection against loss or unauthorised access.

IT governance and cybersecurity standards

Under the IT Joint Standards, a CRM is treated as a critical information system. Advisers are expected to understand where their data is stored, what risks exist, such as data loss, system failure, or cyber threats, and to have controls in place, including backups and secure environments.

Auditability

A compliant CRM should be able to show what advice was given, when it was given and how client interactions evolved over time. This aligns with broader conduct expectations under the Financial Sector Regulation framework where the focus is increasingly on being able to demonstrate fair client outcomes.

Be aware of data fragmentation

Meyer says that in practice, some of the biggest compliance gaps arise where data is fragmented. For example, where information is stored partly in a CRM, partly on laptops, or in emails and WhatsApp messages. This makes it difficult to ensure completeness, security and accessibility.

“The bottom line is that CRM compliance is not just about having a system in place. It’s about ensuring that the system can store the right information, protect it, retrieve it when needed and demonstrate that the adviser has met their obligations. If it cannot do all of those things, then from a regulatory perspective, it is not compliant.”

Take care of compliance and your CRM system will help your business

Compliance is onerous, but it is a must-have and essential to the integrity of client relationships and client data. Check your CRM system against the guidelines above, and check with your compliance officer that it meets both regulatory requirements and your business needs. When it does, annual compliance checks will be quick and your CRM system will help you manage and grow your business.
