FirstRand Cookie Notice
1. Overview of the Firstrand group
FirstRand Limited and its subsidiary companies (FirstRand or the group) is a portfolio of integrated financial services businesses operating in South Africa, certain markets in sub-Saharan Africa and in the UK. FirstRand executes its strategy through a portfolio of leading financial services businesses comprising FNB, RMB, WesBank, Ashburton Investments and Aldermore and provides a universal set of transactional, lending, investment and insurance products and services.
A simplified group structure can be found on FirstRand’s website and provides an overview of the various businesses/entities that form part of the FirstRand group: https://www.firstrand.co.za/the-group/ownership-and-legal-structure/
Privacy is important to the group. This cookie notice applies to all websites that belong to the group which are applicable to South Africa, e.g. www.fnb.co.za, www.rmb.co.za and www.wesbank.co.za, (hereinafter, “websites”) and which are authorised on behalf of the group. This cookie notice is available on FirstRand’s website.
This cookie notice applies to the group’s South Africa-based websites. Please refer to the group customer privacy notice for details of the entities that form part of the group, and the manner in which the group uses personal information. The group privacy notice is available at https://www.firstrand.co.za/investors/esgresource- hub/policies-and-practices/.
3. What is a cookie?
A cookie is a small piece of data that is sent (usually in the form of a text file) from a website to the user’s device, such as a computer, smartphone or tablet. The purpose of a cookie is to provide a reliable mechanism to “remember” user behaviour and/or stateful information (i.e. information which enables the site to keep track of previous actions), e.g. remembering the contents of an online shopping cart, and actions the user performed whilst browsing when not signed up or logged into their online account.
The group does not necessarily know the identity of the user of the device but does see the behaviour recorded on the device. Multiple users of the same device would not necessarily be distinguishable from one another. Cookies could, however, be used to identify the device and, if the device is linked to a specific user, the user would also be identifiable. For example, cookies collected from a device registered to an app (FNB, WesBank, RMB, etc.) will be linked to the user.
4. Which cookies can be found on Firstrand group websites?
First- and third-party cookies refer to the website or domain using the cookie. Cookies are set by the website that the user is visiting.
First-party cookies are directly stored by the website (or domain) visited by a user. These cookies allow website owners to collect analytics, data, remember language settings or perform other useful functions that provide a good user experience.
Third-party cookies are also set by the website visited but are sent when the user visits the third-party site. Thirdparty cookies are created by domains separate/different from the website (or domain) that the user is visiting. These cookies are usually used for online advertising, cross-site tracking; and are accessible on any website that loads the third party’s server code, e.g. when a user visits a site and clicks a “like” button, this could be stored in a cookie and, upon visiting the third-party site, the cookie will be used to action the request.
Another example is when a user browses online for a specific product, finds an advert of interest, clicks the advert and thereafter closes their browser. Several hours later, the user notices advertising of the same product that they were browsing for earlier.
When a user visits a group website, the group may include any of the cookies listed in the table below. The table explains what the cookies are used for and the time period for which the cookie could remain valid. Where cookies are only valid for a single session, the cookie will be erased when the user closes their browser. Where cookies persist, the cookie will be stored by the user’s browser until deleted by the user.
Types of cookies are outlined in the table below.
|Enable the group to identify the device/browser.||Persist beyond a single session.|
|Authentication||Upon logging into a web server, a cookie will be returned that identifies the user has been successfully logged in.||Only valid for the single session.|
|First- and third-party cookies||Analytics||To collect information about how visitors, use group websites. This can provide the group with insight on website performance and metrics.||Persist beyond a single session.|
|Third-party cookies||Marketing and other||Used for tracking and online advertising and marketing purposes.||Persist beyond a single session.|
|HTTPONLY||Makes the cookie secure by ensuring the cookie is only sent over HTTP protocol.HTTP here only refers to the protocol and communicates clear text as http or https over an encrypted channel. This prevents attackers from secretly extracting it.|
|Same-site cookie||Makes the cookie secure by limiting the sites to which the cookie is allowed to be sent.|
|Expiry||Sets the duration a cookie will last for before it expires.|
|Secure||Makes a cookie secure by ensuring it is only sent over a securely encrypted channel.|
|Path||Helps to protect a cookie by restricting the location where it is allowed to be sent.|
The group will only process cookies which identify users for lawful purposes:
- if a user has consented thereto;
- if a person legally authorised by the user, the law or a court, has consented thereto on the user’s behalf;
- if it is necessary to conclude or perform under a contract that the group has with the user;
- if the law requires or permits it;
- if it is required to protect or pursue the user’s, the group’s or a third party’s legitimate interest (e.g. for fraud prevention); or
- if the user is a child and a competent person (like a parent) has consented thereto on the child’s behalf.
- fraud, financial crime and other crime prevention, detection or reporting;
- managing and improving security for the group and users (for example to prevent fraudulent use of login details);
- various analytical reasons, e.g. how group websites are used so that improvements can be made, such as when users click on an advert for a specific product, the number of users interested in such product can be noted;
- marketing and advertising, for example to decide which solutions (goods, products, services or rewards) users may be interested in and to customise marketing on various applications and websites, such as when a user clicks on an advert for a current account on the FNB website and such a user interacts with the FNB page, the group will be able to identify that the user is interested in the current account and the user will therefore be shown more current account advertisements; and/or
- recognition of users of group websites, or devices which return to group websites.
6. What happens if a user does not want cookies?
All browsers allow users to refuse to accept cookies and to remove current cookies. The methods for doing so vary between different browsers and versions. Users can block cookies on group websites, if desired. Blocking certain cookies may have a negative impact upon the usability of group websites. For example, the group requires cookies to allow users to log in. By removing first-party cookies, a user’s banking experience may be affected as they may be prevented from logging into the online banking platform.
7. How can cookies be managed
Should the option be available, users can locate cookie preferences under the legal section of the relevant site.
8. Further Information about cookies
- Users’ browsers store cookies and group websites cannot access any data on a user’s device.
- As cookies are stored in text files, they cannot be used to distribute viruses to a device.
- On a single device with multiple users the experience of group websites would be customised based on the behaviour of all users using the device and not just an individual user.
- If users disable cookies, previous cookies collected will not be deleted, however, this will prevent the creation of new cookies. Expired cookies will be removed automatically.
- A user may delete historically collected cookies via the browser.