Interesting Developments in Financial Technologies and Data Security in South Africa - A Three Part Series

Part 3: Tech Related Cross Sector Joint Standards Published by the FSCA

In the second publication of the three part series on Developments in Financial Technologies and Data Security, we discussed the publication of the 2024 FSCA 3-year Regulation Plan (2024 Regulation Plan) as it relates to open finance and other financial technologies. The article briefly touched on technology related cross-sector project deliverables in the form of joint standards. This third and final publication provides an overview of legislative intervention in the form of joint standards that have been issued or that are being considered by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority to meet the objectives of the 2024 Regulation Plan.

1. Joint Standard 1 of 2023– Information Technology governance and risk management

The Joint Standards on Information Technology Governance and Risk Management (Joint Standard 1) established by the FSCA, and set to commence on 15 November 2024, outlines the principles and minimum requirements for Information Technology (IT) governance and risk management that financial institutions must follow. Joint Standard 1 emphasises the importance of sound practices and compliance with relevant financial sector laws. Additionally, it mandates that IT risk management policies and procedures, especially those involving sensitive or confidential information, undergo independent reviews. These reviews can be conducted by internal or external audit functions or another independent control function within the financial institution.

The governing body, as defined in section 1 of the Financial Sector Regulation Act, 2017, must ensure that financial institutions comply with the following requirements set out in Joint Standard 1, when establishing a robust IT risk management framework, and clearly defined roles and responsibilities for IT risk oversight:

• IT Strategy: Financial institution must align its IT strategy with its business strategy, review it annually, establish and communicate action plans, monitor effectiveness, and notify authorities of any significant deviations. Develop and regularly review an IT strategy aligned with the business strategy.
• IT Risk Management Framework: Financial institutions must implement and regularly review IT risk management policies and procedures to safeguard IT assets and manage risks.
• Oversight of IT Risk Management: Financial institutions must integrate IT risk management oversight into governance and risk management structures.
• IT Operations: Financial institutions must develop a comprehensive IT service management framework, including governance for change, release, incident, problem, and capacity management.
• Handling of Sensitive Information: Financial institutions must implement measures to protect sensitive information, manage IT risks, enforce logical access control, prevent data theft and loss, ensure data accuracy, conduct independent compliance reviews, and adhere to relevant legislation.
• Risks Associated with Financial Products/Services: Financial institutions must identify IT risks, implement security controls and recovery capabilities, evaluate security requirements, monitor IT risks, plan capacity, guard against online attacks, and protect and inform customers using online systems.
• IT Programme/Project Management: Financial institutions must develop and maintain a comprehensive IT programme and project management framework, including governance, risk management, stakeholder engagement, and change control, with clearly defined policies, procedures, and roles.
• IT Resilience and Business Continuity: Financial institutions must establish IT resilience and disaster recovery plans, conduct business impact assessments, ensure physical security, and implement network redundancy to protect and recover critical systems and operations.
• IT Assurance: Financial institutions must ensure independent IT compliance reviews and objective assurance through control functions or external providers, establish IT assurance structures, assess changes in IT controls, and maintain an IT assurance plan.
• Notification and Reporting: Financial institutions must report significant IT incidents to authorities within the required timeframe.

2. Joint Standard 2 of 2024 - Cyber security and cyber resilience requirements

The Joint Standard on cyber security and cyber resilience requirements (Joint Standard 2) sets out the requirements for practices and processes relating to cybersecurity and cyber resilience for financial institutions, and is set to commence on 1 June 2025.

The governing body must ensure that financial institutions comply with the following requirements set out in Joint Standard 2 when establishing a cybersecurity and risk management framework to maintain a robust cybersecurity strategy and cyber resilience:

• Governance: Financial institutions must define roles and responsibilities for management functions and committees overseeing cyber risks, integrating cyber risk management into governance structures.
• Cybersecurity Strategy and Framework: Financial institutions must establish and maintain a cybersecurity strategy aligned with the business strategy, which must be reviewed annually, and supported by a framework with policies and procedures based on industry standards.
• Cybersecurity and cyber resilience fundamentals: Financial institutions must ensure that the cybersecurity strategy aligns with its risk management to manage cyber risks, safeguard IT systems, and ensure data security and resilience against cyber threats.
• Notifications and Regulatory Reporting: Financial institutions must notify the responsible authority of material cyber incidents or information security compromises, and report related information as determined by the authorities.

3. Joint Standard – Culture and Governance requirements for financial institutions:

Although not yet published, the FSCA, in collaboration with the Prudential Authority, is considering integrating high-level governance principles related to Artificial Intelligence (AI) and Machine Learning (ML) into the Joint Standard for Culture and Governance requirements for financial institutions. This integration aims to ensure that financial institutions adhere to appropriate governance standards when using AI and ML.

The FSCA will engage with stakeholders through targeted and formal consultation processes to discuss these topics further. Additionally, the FSCA may look at how existing frameworks, which are based on outcomes and principles, can be adapted to guide the application of AI and ML.

Overall, the series highlighted the impact digital transformation has on the financial sector and the proactive steps taken by the FSCA to manage the risks arising from technology. These regulations and standards must be read and applied in conjunction with the relevant financial sector laws, taking into account the nature, size, complexity and risk profile of the financial institution.

If you are a Fintech start-up or any other licensed financial services provider and want to know more about the topic or managing the data privacy risks associated with digital technology, you can get in touch with our Technology, Media, and Telecommunications team, who can assist you with any queries.