PRIVACY AND DATA PROTECTION IN TANZANIA (PART 2)

Customer confidentiality has historically been one of the cornerstones of the banking industry worldwide. The advent of information age technology, enabling banking transactions to be made at lightning speed across multiple borders, has amplified the importance of having regulations that balance customers’ rights and the prevention of unlawful activity.

The banker’s duty of confidentiality is founded on the contract between banks and their customers, and is one of the pillars governing the banker-customer relationship in Tanzania. The banks have the obligation to keep information concerning their customers’ affairs confidential. The law permits the duty of confidentiality to be lifted in certain specific situations including where information related to customers’ transaction is required to prevent or control illicit activities such as money laundering, terrorism, drug trafficking and corruption or to facilitate the conduct of legal proceedings in courts.

The banker-customer relationship

Section 3 of the Banking and Financial Institutions Act, 2006 and Section 3 of the Bank of Tanzania Act, 2006 defines the business of a bank as being to receive money deposits from customers and to use these for loans or investments or any other authorised activities recognised as customary banking practice.

There is no statutory definition under Tanzanian law of the term ‘customer of a bank’.  According to the English common law, in the case of Great Western Railway Co. V. London & County Banking Company Limited (1901) AC 414, a person is not a customer of a bank unless s/he has ‘some sort of an account, either a deposit or current account or similar relation’ with the bank.

Banker’s duty of confidentiality to customer

The Banking and Financial Institutions Act provides for the bank’s duty of confidentiality to its customers. Section 48 (1) provides that a bank shall not disclose information relating to its customers or their affairs except in circumstances in which it is necessary or appropriate for the bank to reveal such information. The Act also provides that before assuming his/her position and discharging his/her duties, a director, member of a committee, auditor, advisor, manager, officer or employee of a bank shall make a written declaration of fidelity. The chief executive officer or the secretary of a bank shall witness the signing of these declarations.

Certain provisions of the law require the central bank, the Bank of Tanzania (BoT), to observe the banking confidentiality principle. Section 16 of the Bank of Tanzania Act provides that, except for the purposes of performing his or her lawful and authorised functions, no member of the Board or staff of the BoT shall disclose any information about the Bank, any transaction or customer if that information was acquired in the course of employment or in discharging their duties. Moreover, the Banking and Financial Institutions Act requires the BoT to observe confidentiality with regard to customer information obtained from commercial banks through its supervisory functions.

The Act provides that the only time the BoT may disclose the financial affairs of a bank’s customer is when the BoT has first obtained written consent from the customer.

The law in Tanzania prescribes penalties and imposes sanctions on bank officers or banks for breaching the banker’s duty of confidentiality. Under the Banking and Financial Institutions Act, it is a criminal offence for an officer of a bank to breach customer confidentiality. The penalty on conviction is a fine not exceeding 20 million Tanzanian Shillings or imprisonment for a term not exceeding three years or both fine and imprisonment.

Where a customer fears that his/her bank is about to infringe on, or has already breached the duty of confidentiality, there are two remedies against the bank. First, the customer may sue the bank and recover damages for loss arising from the disclosure of information relating to his/her affairs. The court can then order the bank to pay the customer loss of profits caused by disclosure. Second, the customer may apply for an injunction to restrain the bank from making further disclosure or repeating the previous disclosure. In Tanzania, a customer may apply the procedures provided for under the Civil Procedure Code to obtain civil reliefs against a bank for breaching the banking confidentiality.

When can customers affairs be disclosed?

The rules of confidentiality and prohibitions against disclosure of data provided under Tanzania’s banking laws do not apply to law enforcement officers carrying out their duties while investigating or searching for information for purposes of criminal prosecution.

Banks or banking staff may be compelled to make disclosures under statutory law or by a court order.  Several statutes in Tanzania impose a duty on banks to disclose information about affairs of their customers, namely the Prevention of Terrorism Act, 2002, the Anti-Money Laundering Act, 2006, the Cybercrimes Act, 2015, and the Electronic and Postal Communications (Investigation) Regulations, 2017.

The Prevention of Terrorism Act, 2002

Section 41(2) of this Act provides for mandatory reporting requirements for banks to enable law enforcement agencies to detect and prevent financing of terrorist acts.

The Act requires a bank to report to the police and to the authority mandated to supervise and regulate activities of commercial banks that such a bank is not in possession or control of a property owned or controlled by or held for terrorists. The reports, which should be submitted every three months, must indicate particulars of the persons, accounts and transactions involved and the total value of the property involved.

Further, the Act provides that a responsible officer of a bank shall report a transaction to a police officer where there are reasonable grounds to suspect that the transaction is related to or associated with the commission of terrorism. If the designated officer of a bank fails to make a disclosure or submit a report about a suspicious transaction to the police, the penalty on conviction is imprisonment for a term not less than 12 months. An officer of a bank who, in good faith, makes a disclosure or submits a report to the authorities about a customer’s suspicious transactions linked to terrorism shall not be liable for criminal or civil proceedings for taking such action.

The Anti-Money Laundering Act, 2006

The purpose of the Anti-Money Laundering Act is to take pre-emptive measures to safeguard against money laundering and illegal financial transactions.  Therefore, every person engaged in business that involve money transactions, such as banks and financial institutions, accountants, attorneys, real estate agents, etc, are categorised as ‘reporting persons’. They are required to collect and keep personal information of all persons with whom they engage before entering into a business relationship with them. The reporting persons are required to keep records of all business transactions and report any suspicious transaction to the Financial Intelligence Unit (FIU). This type of reporting does not require the consent of the customer whose information is being reported.

Section 17(1) (a) and (b) of the Act provides that where a reporting officer suspects that funds or property held by a customer are proceeds of crime, or are linked to, or to be used to commit money laundering or its predicate offences, the person must take the required action within 24 hours and, wherever possible, before any transaction is carried out. These measures are to: (i) take reasonable measures to ascertain the purpose of the transaction, the origin and destination of the funds or property involved, and the identity and address of any beneficiary of the funds or property; (ii) prepare a report about the transaction; and (iii) submit such report to the FIU to initiate an investigation.

A reporting person who fails to report a suspicious money laundering transaction to the FIU shall be guilty of an offence and be liable to pay a fine not exceeding five million Tanzanian Shillings or be imprisoned for a term not exceeding five years.

Where a body corporate has failed to ensure that the report is submitted, it shall be liable to pay a fine not exceeding 10 million Tanzanian Shillings or three times the market value of the funds or property involved, whichever amount is greater.

The Act provides for the granting of immunity to the reporting persons for reporting money laundering suspicious transactions to the authorities.

Cybercrimes Act, 2015

The disclosure of data for the purposes of a criminal investigation or the prosecution of an offence is also dealt with in Section 32 of the Cybercrimes Act. In such instances, a police officer in charge of a police station or a law enforcement officer of a similar rank may issue an order to any person in possession of such data compelling him or her to disclose it.  It may happen, however, that there is resistance from the party holding data of evidential value. Similarly, it may be impossible to obtain the data without the use of force. In these circumstances, the law enforcement officer may apply to court for an order of disclosure or preservation.

Section 22 of the Cybercrimes Act makes it an offence to intentionally and unlawfully prevent the execution of an order under the Act, as well as to fail to comply with such an order. On conviction, the penalty is a fine of not less than three million Tanzanian Shillings or imprisonment for not less than one year, or both fine and imprisonment. This power was recently invoked against the directors of JamiiForums blog, an online forum where people engage in discussions on a wide variety of issues, including politics, while remaining anonymous. The JamiiForums directors were arrested and charged with an offence under section 22(2) for obstructing investigations after failing to comply with an order from a Zonal Crimes Officer to disclose information about offensive material used on the blog.

Electronic and Postal Communications (Investigation) Regulations, 2017

In terms of these Regulations, law enforcement officers have a mandate to obtain access to and intercept personal communication.  Rule 5 of these Regulations provides that the interception may be done by the Director-General of Tanzanian Intelligence and Security Service, or the Director of Criminal Investigations, upon obtaining a warrant from the Inspector General of Police. This warrant will serve as a disclosure order against any person with access to encrypted or protected information. 

Apart from these two officials, any other person is allowed to intercept communication under Rule 5 of the Investigation Regulations under the following circumstances: if the person is a party to the communications; has the consent of the person who is sending it, is the person to whom the communication is sent; is authorised by law; or is a bona fide interception of communications for purposes of provision, installation, maintenance or repair of the communications service.

Conclusion

The legal compulsion to disclose affairs of a bank customer in Tanzania is moving towards a point that undermines banking confidentiality. There is a need for the Government of Tanzania to reform the law in order to establish a legal framework that strikes a balance between protecting the legitimate interests of bank customers and the necessity to curb or combat unlawful activities committed through banking activities.