South Africa: FSCA And PA Publish Joint Standard 1 Of 2023 Aimed At Safeguarding Financial Institutions Through Robust IT Governance And Risk Management

On 15 November 2023, the Financial Sector Conduct Authority (“FSCA”) and the Prudential Authority (“PA”), published the Joint Standard 1 of 2023: Information Technology Governance and Risk Management Requirements for Financial Institution (“Joint Standard”).

The purpose of the Joint Standard is to ensure that financial institutions, including insurers, have the necessary governance and risk management structures, as well as processes and procedures related to IT risk management in place. The governing body of a financial institution is ultimately responsible for ensuring that the financial institution meets the requirements set out in this Joint Standard on a continuous basis.

The Joint Standard prescribes a number of frameworks that must be implemented in a financial institution, which include an:

• IT risk management framework;
• IT service management framework; and
• IT programme and/or project management framework.

The Joint Standard also requires financial institutions to develop an IT strategy that aligns with the financial institution's overall business strategy. The IT strategy must be reviewed regularly, at least annually, and consider market trends, industry, technology, and other relevant developments.

When developing and implementing the IT strategy as well as the mandatory frameworks, financial institutions must consider and incorporate processes for the following:

• Handling confidential and sensitive information;
• Identifying and mitigating risks associated with financial services and products;
• Testing IT resilience, backup systems and business continuity plans; and
• Maintaining control over services that have been outsourced.

Financial institutions must promptly notify the relevant regulatory authority of any systems failure, malfunction, delay, or other disruptive event. The timeframes for reporting the incidents will vary case by case. However, the expected timeframes will be determined based on when the financial institution confirms the incident was a material event. Additionally, financial institutions may be requested to provide specific information or regulatory reports, along with assurances of compliance with the Joint Standard.

The Joint Standard will come into force on 15 November 2024. Financial institutions have a one-year grace period in which they must comply with the Joint Standard.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.