Insurance brokers and intermediaries operate in one of the most data-intensive sectors in financial services. You collect detailed personal and financial information from clients to assess their risk profile, arrange appropriate cover, and handle claims. That information is subject to POPIA as well as to the regulatory requirements of the Financial Sector Conduct Authority (FSCA).
What POPIA Requires of FSPs
As a Financial Services Provider, your obligations under POPIA include:
- Processing client personal information only for the purpose of providing financial services (insurance intermediary services, advice, claims handling)
- Obtaining appropriate consent or establishing another lawful basis for processing special categories of information (health data in life and medical cover)
- Implementing security safeguards proportionate to the sensitivity of the information
- Entering into written data processing agreements with all third parties (insurers, underwriters, claims assessors, software providers) who access client information
- Maintaining records to demonstrate compliance
The FSCA Dimension
The FSCA’s Conduct of Business requirements under the Financial Advisory and Intermediary Services Act (FAIS) create additional record-keeping and client communication obligations that intersect with information governance:
- Brokers must retain client records for a minimum period specified by regulation
- Advice records (record of advice / ROA) must be kept and must be retrievable
- Claims records must be maintained and accessible to the insurer and regulator
- Client complaints records must be retained and managed
A disorganised document management system makes compliance with FSCA record-keeping requirements very difficult to demonstrate in the event of an audit or client dispute.
Personal Information Collected in the Insurance Context
Insurance brokers typically hold:
- Personal details: name, ID number, address, date of birth, contact information
- Financial information: income, assets, existing cover, claims history
- Health information (for life, disability and critical illness products) — special personal information under POPIA
- Vehicle and property details
- Business information for commercial clients
- Banking details for premium debit orders and claim payments
The breadth of this data makes insurance brokers high-value targets for data breaches and phishing attacks.
AI Tool Risks in Broker Practices
AI tools are being adopted in broker practices for drafting client communication, preparing ROAs, analysing client needs and summarising policy documents. The governance risks include:
- Uploading a client’s proposal form (containing personal and health information) to ChatGPT for processing — a POPIA violation
- Using AI to draft an ROA from the client’s financial profile — the information is processed for a new purpose without consent
- AI-generated advice that does not meet FAIS standards but is presented to the client as the broker’s own advice
The FSCA has not yet issued specific guidance on AI use by FSPs, but the combination of POPIA and FAIS obligations creates a framework that makes most consumer AI tool usage with client data problematic.
Client Communication Governance
Much broker-client communication happens via email and increasingly via WhatsApp. Both create governance challenges:
- Email: policy documents, claims correspondence and financial advice are routinely sent via unencrypted email
- WhatsApp: advice given informally via WhatsApp creates an unstructured advice record that is difficult to retrieve for compliance purposes
Implement a policy on how advice is documented and communicated, and ensure that all formal advice records are captured in your practice management system — not left in email inboxes or WhatsApp message histories.
Third-Party Data Sharing in the Insurance Chain
The insurance distribution chain involves multiple parties who access client data:
- Underwriters and insurers
- Claims assessors and loss adjusters
- Medical service providers (for health claims)
- Motor vehicle assessors
- Compliance officers and monitoring services
- CRM and broker management software vendors
Each of these is a potential operator under POPIA. Written data processing agreements should be in place before sharing client information with any of them.
Practical Steps for Insurance Broker Governance
- Appoint and register an Information Officer with the Information Regulator
- Conduct a data mapping exercise covering all client data flows (collection, storage, sharing)
- Implement a document naming and file management standard for client files
- Introduce an AI acceptable use policy with specific guidance on client information
- Review all third-party provider agreements and ensure data processing clauses are included
- Develop a data breach response procedure covering both POPIA and FSCA notification requirements
- Train all staff on POPIA obligations and the specific risks in an insurance intermediary context
- Implement a client privacy notice that meets POPIA transparency requirements
The Reputational Dimension
In the financial services sector, reputation is a core business asset. A data breach involving client financial or health information is not just a compliance event — it is potentially business-ending. Clients entrust brokers with deeply personal information and expect it to be protected. Demonstrating strong information governance practices is increasingly a differentiator in the broker market.
Find out where your business stands on this risk.
ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used. A structured assessment gives management the visibility to know, not just assume.
Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.