SECURITY CRACKDOWN OP-ED

Joint Standard — tackling the rising tide of cybersecurity threats to financial institutions

SA is facing a surge in cybercrimes targeting financial institutions, prompting the Financial Sector Conduct Authority and Prudential Authority to introduce the Joint Standard 1 of 2023. (Photo: Unsplash)

The Financial Sector Conduct Authority and the Prudential Authority have issued a Joint Standard which, among other things, ensures that financial institutions regularly conduct risk assessments, identify potential threats, and implement mitigation measures.

In recent years, South Africa has experienced an increase in cybercrimes, cyberattacks, and security breaches, with banks and financial institutions being prime targets. Stolen or compromised credentials and phishing scams are the primary attack vectors used to perform cybercrimes.

Consequently, there is a pressing need for the financial sector to reassess its security strategies, safeguard financial data, increase cyber resilience, and manage and mitigate the risks associated with personal and confidential information.

In response to these threats to the financial sector, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published the “Joint Standard 1 of 2023: Information Technology Governance and Risk Management Requirements for Financial Institutions”.

The Joint Standard aims to ensure that financial institutions, including insurers, have the necessary governance and risk management structures, as well as processes and procedures related to IT risk management in place. Additionally, it ensures that financial institutions regularly conduct risk assessments, identify potential threats, and implement mitigation measures.


We have been inundated with queries from organisations regarding the Joint Standard and have put together a comprehensive Q&A:

To whom does the Joint Standard apply?

The Joint Standard will apply to your organisation if it constitutes any of the following:

  • A bank, a branch, a branch of a bank or a bank controlling company as defined in Section 1 of the Banks Act, 1990;
  • A mutual bank as defined in section 1 of the Mutual Banks Act, 1993;
  • An insurer and a controlling company of an insurer as defined in Section 1 of the Insurance Act, 2017;
  • A manager as defined in Section 1 of the Collective Investment Scheme Control Act, 2002;
  • A market infrastructure as defined in Section 1 of the Financial Markets Act, 2012;
  • A discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003; and/or
  • An administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003.

Is the Joint Standard already effective?

No. The Joint Standard commences on 15 November 2024, giving financial institutions sufficient time to ensure that they are compliant.

Who is responsible for ensuring that my organisation complies with the Joint Standard?

The governing body (as defined in the Financial Sector Regulation Act, 2017) of the financial institution is ultimately responsible for ensuring that the requirements of the Joint Standard are continuously met. The “governing body” is the board of directors of the organisation.

What does my organisation need to do to become compliant with the Joint Standard?

The Joint Standard focuses on various areas of compliance, specifically:

  • IT strategy;
  • IT risk management;
  • IT operations;
  • Handling of sensitive or confidential information;
  • Risks associated with financial products/services;
  • IT programme and/or project management; and
  • IT resilience and business continuity.

The Joint Standard prescribes governance, documents, processes and policies that need to be implemented in each of these areas.

The minimum requirements and principles set out in this Joint Standard are for the sound practices and processes of IT governance and risk management and must be implemented to reflect the nature, size, complexity and risk profile of the relevant organisation.

What is the penalty for non-compliance with the Joint Standard?

The Joint Standard does not specify any separate penalties for non-compliance with its requirements. The authorities may, through ongoing supervisory review and evaluation processes, request specific information or regulatory reports as well as assurance of compliance with the Joint Standard. The authorities’ powers are quite wide under the respective financial sector laws, and the consequences of non-compliance may depend on the financial sector law under which the relevant financial institution is licensed or registered.

Who is the regulatory authority overseeing compliance with the Joint Standard?

Both the FSCA and the PA.

My organisation already has IT governance and policies. Do we still need to comply with the Joint Standard?

Yes. The Joint Standard is quite prescriptive about which governance structures, documents, policies and processes need to be implemented. If your organisation already has these in place, that is a great start, but your organisation will likely still need to align such documents with the requirements of the Joint Standard. This may mean updating or supplementing existing processes and policies, and/or implementing new ones.

Are any organisations exempt from complying with the Joint Standard?

No, unless directed otherwise by the FSCA and the PA.

Who do I need to consult with to ensure my organisation is compliant with the Joint Standard?

Your board of directors is ultimately accountable for ensuring that the organisation complies with the Joint Standard. Your board should therefore be made aware of, and ideally trained on, the Joint Standard and all the relevant documents and processes that you have in place to be compliant.

Your legal team, both internal and external, should work with your IT team to carry out a gap analysis, devise a compliance programme and implement any remediations identified, so as to ensure compliance by 15 November 2024.

Considering the amount of time and effort required to ensure compliance with the Joint Standard, it is recommended that financial institutions prioritise their Joint Standard compliance journey sooner rather than later. DM

Ridwaan Boda is Executive in the Technology, Media and Telecommunications Department of law firm ENSafrica. Kayla Casillo and Priyanka Naidoo are Senior Associates in the department.
