Male bank worker in navy blue suit, smiling and leaning over desk to shake hands with female bank customer in financial office.
South Africa: Cloud in financial services

South Africa: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER : Regulating the Use of Cloud Computing by Financial Institutions

Download now

REGULATORY OVERVIEW

Banks in South Africa (SA) remain rated as amongst the most sound globally. It is not surprising that many of SA's leading financial services providers, including major banks and insurers, are moving to the cloud. They recognise the significant benefits and competitive edge to be derived from cloud services, such as agility, scalability, cyber resilience, and secure access. Cloud is therefore driving a rapid transformation in the SA financial services sector as more institutions move to the cloud as part of the reassessment of their technology strategies, from testing and development of data analytics solutions through to communications, CRM, and business productivity applications.

Regulators appear comfortable with cloud usage provided certain risks are addressed. The Prudential Authority specifically permits a bank to move to the cloud but requires the bank to ensure that certain requirements are satisfied.1

MICROSOFT'S COMMITMENT TO THE SOUTH AFRICA FINANCIAL SERVICES SECTOR

We believe that no cloud services provider has more experience in delivering compliant solutions to financial institutions in SA than Microsoft. Having helped a number of financial institutions move to the cloud, Microsoft recognises that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and where appropriate, with financial regulators. Through this process of collaboration over several years (with both customers and regulators), Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk, and security standards.

Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure and legally compliant manner.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators in SA, Microsoft stands ready to support our financial services customers in SA. The Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 - offers enterprise-grade reliability and performance.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

The Financial Sector Regulation Act 9 of 2017 ("FSR Act") which has been passed into law and which entered into partial effect in April 2018 aims to introduce a new "Twin Peaks" model of regulation. This will align regulation in the financial services industry by distinguishing between the prudential and market conduct activities of all financial services institutions.

  • Under the new FSR Act and subject to a transitional period, all financial institutions are regulated by the following two main regulators:

    • The Prudential Authority housed in the SARB will have the objective of maintaining and enhancing the financial safety and soundness of financial institutions; and
    • The Financial Sector Conduct Authority will bear responsibility for market conduct regulation and supervision of financial institutions and the protection of customers.
  • Yes, cloud services are in principle permitted.Banks are expressly permitted to move to the cloud, provided that they comply with certain requirements.2 While a move to cloud services is not outsourcing in the traditional sense, outsourcing regulations will also likely apply. For the outsourcing of certain functions and activities, a number of requirements must be fulfilled. In general, regulator approval is not required but prior notification to and/or approval by the regulator may be required for certain material functions and activities.3

    Although cloud services are in principle permitted, specific aspects of the regulatory regime should always be carefully considered to ensure both cloud provider and cloud user compliance based on specific use cases and cloud architecture.

  • In relation to banks, the Prudential Authority has recently issued new rules which specifically permit banks to use cloud computing and to offshore data ("Cloud Rules").4 The Cloud Rules require each bank to adopt a principle-based and risk-based approach to cloud computing and data offshoring.
    The Cloud Rules are designed to complement existing regulatory requirements and must be considered and observed in the context of a bank's overall legislative framework.

    For a bank, its move to the cloud will therefore likely be regulated under:

    • The Cloud Rules;5
    • Outsourcing rules:6 Certain types of outsourcing are regulated, including outsourcing of material business activities or functions, and "offshoring";
    • Cyber-resilience rules:8 A bank's cyber resilience will be reviewed against international best practice guidance9 for financial market infrastructures. This requires that a bank should implement appropriate risk-mitigation measures, either by means of outsourcing or third party agreements, or by internal resources which are available to it in-house without undue delay; and
    • banker-client confidentiality: A bank must maintain client confidentiality in respect to customer information. Banking secrecy covers information relating to the customer's account, the customer's transactions with the bank, and information relating to the customer acquired through the keeping of his account. The duty to respect privacy and confidentiality is expressly recognised in the Code of Banking Practice.

    For an insurer, Directive 159.A.i10 currently regulates outsourcing by long- and short-term insurers. With the advent of the FSR Act, it is expected that amended legislation and standards will regulate outsourcing.11

    Furthermore, as ‘accountable institutions’,12 both banks and insurers must ensure that their ‘know-your-client records’ are retained on terms which permit them free and easy access to the records, and that the records are readily available to the relevant regulator.8 Such records may be kept in electronic form and must be capable of being reproduced in legible format.9

    Under the current regime, a move to the cloud by a bank or insurer will be subject to the following key principles: (i) the financial institution remains responsible for the function (ii) the arrangement must not compromise the services provided to clients and (iii) the services must be regularly monitored.

    While the new regime under the FSR Act has not yet been finalised, we expect similar rules to follow through to the new regime.

  • Generally, regulatory approval is not needed for a move to the cloud. However, if a move to the cloud amounts to outsourcing, then prior notification to and/or approval from the regulators may be required,depending largely on the materiality of the outsourced function or activity.19 A bank will be required to provide prior notification before it "offshores" any material20 activity.21 Similar rules also apply to insurers. the Prudential Authority) has indicated that, while it does not support the outsourcing by a bank of certain material functions, it may consider granting approval on a case-by-case basis.22

  • A bank outsourcing any material activity or function must be able at all times to provide the Registrar of Banks with necessary information and ensure the right of the Registrar of Banks to carry out its supervisory functions and objectives, including the right to access information and conduct on-site visits if the Registrar of Banks considers necessary.23The Cloud Rules specifically require a bank to ensure that the use of cloud computing does not prevent any regulatory mandated access to information, nor impacts on a regulator's ability to fulfil its duties.24

    Similarly, an insurer outsourcing any control, management, or material function must appropriately assess, monitor, manage, and regularly review the performance of the outsourced service provider,26 and ensure that it has continued access to information27 and that the outsourced service provider permits the regulator access to its business and information relevant to the applicable function or activity.28 Indications are that similar rules will follow through to the new regime.29

  • The Cloud Rules impose no requirement for data to reside within South Africa. Instead, the Cloud Rules require a bank to implement a data strategy and governance framework, and to maintain an asset register of its information assets.30 The bank should also consider the impact of different jurisdictions in light of the bank's data strategy and data governance framework, and the potential impact on the role of the supervisor and access to data.31 The bank should ensure that data is not held in jurisdictions that may inhibit effective access to data for the bank's South African supervisors.32

    Under the Protection of Personal Information Act (POPIA), personal information may be transferred out of SA provided the requirements of POPIA are met. POPIA33 permits the transfer of personal information to a third party who is in a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in POPIA or with the data subject's consent. Microsoft holds itself accountable to and is subject to laws of regions in which it maintains data centres, and has binding agreements which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

    • 1Directive 3/2018 (D3/2018), read in conjunction with Guidance Note 5/2018 (G5/2018) (considered more fully below).
    • 2D3/2018, read in conjunction with G5/2018 (considered more fully below)
    • 3See section below headed "Is approval needed?"
    • 4Under D3/2018, read in conjunction with G5/2018 (both available at https://www.resbank.co.za/PrudentialAuthority/Pages/default.aspx)
    • 5For more information on the Cloud Rules and how Microsoft's solutions are well-placed to assist banks to comply with the Cloud Rules, please see our White Paper on the Cloud Rules available here.
    • 6Guidance Note on Outsourcing (G5/2014) issued by the Registrar of Banks (now the Prudential Authority) and regulation 39 of the regulations promulgated under the Banks Act
    • 8Guidance Note on Cyber Resilience (G4/2017) issued by the Registrar of Banks (now the Prudential Authority)
    • 9In particular, the Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016), issued by the Committee on Payments and Market Infrastructures and the Board of the International Organisation of Securities Commissions
    • 10Dir 159.A.i, issued under the Long-term Insurance Act and Short-term Insurance Act
    • 11Notably (i) draft Prudential Standard GOI 5 on Outsourcing by Insurer proposes requirements similar to the current Directive 159.A.i and (ii) draft Prudential Standard GOI 3 on Risk Management and Internal controls for Insurers which proposes cyber security measures and standards that must be adopted by insurers
    • 12Under the Financial Intelligence Centre Act 38 of 2001 ("FICA")
    • 13Section 24(1) of FICA
    • 14Section 24(4) of FICA
    • 19See Guidance Note G5/2014 and Dir 159.A.i
    • 20Defined at para 3 of G5/2014 as "one that has the potential to have a significant impact on the bank's business operations or its ability to manage risks should it be disrupted", taking into account a range of factors such as impact of interruption, reputational impact and cost as a percentage of total expenses.
    • 21Para 4.5 of G5/2014
    • 22The Registrar of Banks (now the Prudential Authority) has indicated that it will not support a bank outsourcing its management oversight, governance and risk management functions (paras 4.2 of G5/2014). It also will not generally support the outsourcing of a bank's internal audit function, the bank's core banking IT systems or financial reporting IT system, but may consider applications for prior approval on a case-by-case basis (paras 4.3 and 4.4 of G5/2014). Outsourcing of any other material business activities or functions should be notified to the Prudential Authority prior to conclusion of the agreement (par 5.1k of G5/2014).
    • 23Para 6.9.1 of G5/2014
    • 24Para 2.2.9 of D3/2018, as read with paras 4.9 and 4.3.1(d) of G5/2018.
    • 25As these terms are defined in para 5.1 of Dir 159.A.i
    • 26Para 7.7.9 and paras 7.9 to 7.11 of Dir 159 A.i
    • 27Para 7.7.10 of Dir 159.A.i
    • 28Para 7.7.15 of Dir 159.A.i
    • 29Draft Prudential Standard GOI 5 on Outsourcing by Insurer proposes requirements similar to those of Directive 159.A.i
    • 30Para 2.2.1 D3/2018, as read with para 4.1 of G5/2018
    • 31Para 4.5 of G5/2018
    • 32Para 4.9.2(d) of G5/2018
    • 33Section 72 of POPIA

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

Security

We build our services from the ground up to help safeguard your data

Learn more
Privacy

Privacy

Our policies and processes help keep your data private and in your control

Learn more
Compliance

Compliance

We provide industry-verified conformity with global standards

Learn more
Transparency

Transparency

We make our policies and practices clear and accessible to everyone

Learn more

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

INDUSTRY RESOURCES

RECOMMENDED RESOURCES

CUSTOMER STORIES

 
 
SEE MORE STORIES

CUSTOMER STORIES

 
 
SEE MORE STORIES

CUSTOMER STORIES

 
 
SEE MORE STORIES
*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.