Financial institutions in South Africa could soon face new regulations on the use of cloud computing and data offshoring, as the country’s regulators have warned that directors and senior managers are responsible for managing risk in those areas.

South Africa’s financial regulators have clarified their stance on cloud computing and data offshoring, warning financial institutions that they intend to regulate those practices, and that senior managers are responsible for risk management.

A 25 July joint communication from the Reserve Bank of South Africa and the Financial Sector Conduct Authority (FSCA) noted “that some financial institutions may already be using cloud computing and/or data offshoring services through outsourcing arrangements, either with cloud service providers and/or through insourcing arrangements with a parent organisation”.

Currently the only regulation in this space in South Africa is a 2018 directive and guidance note. Now the regulators “are considering whether policy interventions are necessary to mitigate risks in this environment” and “have commenced a process of formulating a regulatory instrument focused on introducing requirements pertaining to the use of cloud computing and data offshoring by financial institutions”, to be published for public consultation “in due course”.

RISK-BASED APPROACH

Founded in 2018 and headquartered in Pretoria, the FSCA is the principal regulator for financial institutions in South Africa, while the Reserve Bank is responsible for the country’s monetary policy and financial services supervision, which it does through the Prudential Authority.

They recommended that each institution take a risk-based approach aligned with its “risk appetite, based on the nature, size and complexity of its operations”.

Specific measures include “appropriate governance structures, processes, and procedures to oversee the use of cloud computing”, such as formal policies, data strategies and governance frameworks, as well as contractual and other legal requirements, and “appropriate due diligence”.

FUTURE REGULATION

The authorities also warned that they will take further regulatory and supervisory actions, including a joint standard on cloud computing and data offshoring. Regular day-to-day supervision of the financial sector, including data and computing matters will also continue, they added.

FSCA’s three-year regulation plan, published in July 2024, proposed stricter risk management standards, amid concerns that it had fallen behind other jurisdictions. The agency previously regulated crypto assets in 2022 by declaring them a financial product.