There were no significant environmental, social and/or governance-related incidents during 2024. These include incidents of legal non-compliance (whether under investigation, pending finalisation or finalised), directives, compliance notices, warnings, investigations and any public controversies.
No fines, settlements, penalties, or other monetary losses were suffered in relation to ESG incidents.
The Internal Risk and Compliance Committee (IRCC) oversees regulatory compliance responsibilities. The Committee monitors, assesses, researches and reports on the regulatory environment in which Blue Label operates. The IRCC reports to the Audit, Risk and Compliance Committee (ARCC).
The process of compliance management encompasses:
The risk of non-compliance is being managed through:
The regulatory environment changes constantly. We proactively contribute to and manage our regulatory environment by considering the interests of all our stakeholders and clients.
The Board is satisfied that Blue Label has complied with all relevant provisions of the Companies Act of South Africa and the JSE Listings Requirements and has operated in conformity with Blue Label's MOI during the year.
No substantial complaints have been received concerning breaches of customer privacy, as categorised by complaints received from data subjects and complaints or requests for information from the Information Regulator.
Taxation is managed as part of the regulatory compliance process managed under the IRCC and overseen by the ARCC. There were no instances of significant penalties or disputes with the South African Revenue Service during the year under review. Expert advice is obtained in managing compliance with any complex areas of tax legislation. Blue Label does not have any significant foreign subsidiaries.
The total tax incurred by Blue Label in the current year amounted to R346.1 million. The total amount consists of the following categories of taxes:
Category | 2024 R'000 | 2023 R'000 |
---|---|---|
Income taxes | 136 033 | 235 506 |
Property taxes | 2 918 | 2 497 |
Net (creditable)/non-creditable VAT | (18 919) | 74 588 |
Employer-paid payroll tax | 224 676 | 177 839 |
Other taxes | 1 343 | – |
The information below summarises how Blue Label has managed the requirements of two pieces of significant South African legislation:
POPIA gives effect to section 14 of the Constitution, which provides that everyone has the right to privacy. The Act promotes the protection of personal information processed by public and private bodies and seeks to balance the right to privacy against other rights such as access to information.
The following POPIA initiatives have been embedded to ensure compliance at 31 May 2024:
Blue Label operations rely heavily on technology platforms to facilitate service delivery, which increases the risk of cybercrime. Therefore, it is critical to maintain the integrity and stability of key IT systems to protect stakeholder interests against increasingly sophisticated targeted attempts at digitally assisted fraud, which is one of the main objectives of the Cybercrimes Act, 19 of 2020.
Cybersecurity threats remain a critical ongoing risk and account for a significant part of our technology investments. Stringent standards for information and infrastructure security controls are constantly being reviewed and reinforced to ensure our efforts continue strengthening our cybersecurity posture. We proactively assess our vulnerabilities and risk of exposure on an ongoing basis while driving cyber risk prevention, assessment and education programmes to maintain vigilance. Blue Label is embedding security as a core component within the platform delivery via governed development mechanisms and has implemented detection capabilities and response processes in our environment.
The initial focus of our cybersecurity maturity journey was on the suite of NIST cybersecurity framework controls, in line with our approved strategy. The following has been accomplished:
Initiative | Description |
---|---|
Implementation of Security Operations Centre (SOC) services. | Our SOC has been fully implemented and is currently operational, which provides 24/7 cybersecurity monitoring for our environment. |
Security awareness training campaigns through the KnowBe4 platform. | Monthly security awareness training campaigns are rolled out to staff, covering various security domains. |
Designed and implemented cybercrimes and incident management processes. | Cybercrimes and incident management processes are still in effect. |
An annual review of the processes was conducted. | Internal audit performed reviews around processes supporting compliance with the Cybercrimes Act. |
Developed incident response and incident response testing as well as scenario planning. | Incident response processes are still in place and scenario testing will be performed during 2024/25. |
Developed and implemented an Information Security Management System (ISMS) aligned to ISO 27001. | We have achieved certification against ISO 27001:2022 for our ISMS. Our core trading platform and environment operate stringent security controls to safeguard our customer and employee data. Maintenance of the ISMS is ongoing. Surveillance audits will be conducted to ensure the maintenance of the certification. |