Interesting Developments in Financial Technologies and Data Security in South Africa - A Three Part Series - Part Three
September 13, 2024
South Africa
Part 3: Tech Related Cross Sector Joint Standards Published by the FSCA
In the second publication of the three part series on Developments in Financial Technologies and Data Security, we discussed the publication of the 2024 FSCA 3-year Regulation Plan (2024 Regulation Plan) as it relates to open finance and other financial technologies. The article briefly touched on technology related cross-sector project deliverables in the form of joint standards. This third and final publication provides an overview of legislative intervention in the form of joint standards that have been issued or that are being considered by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority to meet the objectives of the 2024 Regulation Plan.
1. Joint Standard 1 of 2023 – Information Technology governance and risk management
The Joint Standard on Information Technology Governance and Risk Management (Joint Standard 1), established by the FSCA and set to commence on 15 November 2024, sets out the principles and minimum requirements for Information Technology (IT) governance and risk management that financial institutions must follow. Joint Standard 1 emphasises the importance of sound practices and compliance with relevant financial sector laws. It also requires that IT risk management policies and procedures, especially those involving sensitive or confidential information, undergo independent review. These reviews may be conducted by the internal or external audit function or by another independent control function within the financial institution.
The governing body, as defined in section 1 of the Financial Sector Regulation Act, 2017, must ensure that the financial institution complies with the following requirements set out in Joint Standard 1 when establishing a robust IT risk management framework with clearly defined roles and responsibilities for IT risk oversight:
IT Strategy: Financial institutions must develop an IT strategy aligned with the business strategy, review it annually, establish and communicate action plans, monitor its effectiveness, and notify the authorities of any significant deviations.
IT Risk Management Framework: Financial institutions must implement and regularly review IT risk management policies and procedures to safeguard IT assets and manage risks.
Oversight of IT Risk Management: Financial institutions must integrate IT risk management oversight into governance and risk management structures.
IT Operations: Financial institutions must develop a comprehensive IT service management framework, including governance for change, release, incident, problem, and capacity management.
Handling of Sensitive Information: Financial institutions must implement measures to protect sensitive information, manage IT risks, enforce logical access control, prevent data theft and loss, ensure data accuracy, conduct independent compliance reviews, and adhere to relevant legislation.
Risks Associated with Financial Products/Services: Financial institutions must identify IT risks, implement security controls and recovery capabilities, evaluate security requirements, monitor IT risks, plan capacity, guard against online attacks, and protect and inform customers using online systems.
IT Programme/Project Management: Financial institutions must develop and maintain a comprehensive IT programme and project management framework, including governance, risk management, stakeholder engagement, and change control, with clearly defined policies, procedures, and roles.
IT Resilience and Business Continuity: Financial institutions must establish IT resilience and disaster recovery plans, conduct business impact assessments, ensure physical security, and implement network redundancy to protect and recover critical systems and operations.
IT Assurance: Financial institutions must ensure independent IT compliance reviews and objective assurance through control functions or external providers, establish IT assurance structures, assess changes in IT controls, and maintain an IT assurance plan.
Notification and Reporting: Financial institutions must report significant IT incidents to authorities within the required timeframe.
2. Joint Standard 2 of 2024 - Cyber security and cyber resilience requirements
The Joint Standard on cyber security and cyber resilience requirements (Joint Standard 2) sets out the requirements for practices and processes relating to cybersecurity and cyber resilience for financial institutions, and is set to commence on 1 June 2025.
The governing body must ensure that financial institutions comply with the following requirements set out in Joint Standard 2 when establishing a cybersecurity and risk management framework to maintain a robust cybersecurity strategy and cyber resilience:
Governance: Financial institutions must define roles and responsibilities for management functions and committees overseeing cyber risks, integrating cyber risk management into governance structures.
Cybersecurity Strategy and Framework: Financial institutions must establish and maintain a cybersecurity strategy aligned with the business strategy, which must be reviewed annually, and supported by a framework with policies and procedures based on industry standards.
Cybersecurity and Cyber Resilience Fundamentals: Financial institutions must ensure that the cybersecurity strategy aligns with their risk management so as to manage cyber risks, safeguard IT systems, and ensure data security and resilience against cyber threats.
Notifications and Regulatory Reporting: Financial institutions must notify the responsible authority of material cyber incidents or information security compromises, and report related information as determined by the authorities.
3. Joint Standard – Culture and Governance requirements for financial institutions
Although not yet published, the FSCA, in collaboration with the Prudential Authority, is considering integrating high-level governance principles related to Artificial Intelligence (AI) and Machine Learning (ML) into the Joint Standard for Culture and Governance requirements for financial institutions. This integration aims to ensure that financial institutions adhere to appropriate governance standards when using AI and ML.
The FSCA will engage with stakeholders through targeted and formal consultation processes to discuss these topics further. Additionally, the FSCA may look at how existing frameworks, which are based on outcomes and principles, can be adapted to guide the application of AI and ML.
Overall, the series highlighted the impact digital transformation has on the financial sector and the proactive steps taken by the FSCA to manage the risks arising from technology. These regulations and standards must be read and applied in conjunction with the relevant financial sector laws, taking into account the nature, size, complexity and risk profile of the financial institution.
If you are a Fintech start-up or any other licensed financial services provider and want to know more about the topic or managing the data privacy risks associated with digital technology, you can get in touch with our Technology, Media, and Telecommunications team, who can assist you with any queries.