Banks in South Africa (SA) remain rated as amongst the most sound globally. It is not surprising that many of SA's leading financial services providers, including major banks and insurers, are moving to the cloud. They recognise the significant benefits and competitive edge to be derived from cloud services, such as agility, scalability, cyber resilience, and secure access. Cloud is therefore driving a rapid transformation in the SA financial services sector as more institutions move to the cloud as part of the reassessment of their technology strategies, from testing and development of data analytics solutions through to communications, CRM, and business productivity applications.
Regulators appear comfortable with cloud usage provided certain risks are addressed. The Prudential Authority specifically permits a bank to move to the cloud but requires the bank to ensure that certain requirements are satisfied.1
MICROSOFT'S COMMITMENT TO THE SOUTH AFRICA FINANCIAL SERVICES SECTOR
We believe that no cloud services provider has more experience in delivering compliant solutions to financial institutions in SA than Microsoft. Having helped a number of financial institutions move to the cloud, Microsoft recognises that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and where appropriate, with financial regulators. Through this process of collaboration over several years (with both customers and regulators), Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk, and security standards.
Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure and legally compliant manner.
From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators in SA, Microsoft stands ready to support our financial services customers in SA. The Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 - offers enterprise-grade reliability and performance.
In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.
THE REGULATORY ENVIRONMENT
The Financial Sector Regulation Act 9 of 2017 ("FSR Act"), which has been passed into law and which entered into partial effect in April 2018, aims to introduce a new "Twin Peaks" model of regulation. This will align regulation in the financial services industry by distinguishing between the prudential and market conduct activities of all financial services institutions.
Under the new FSR Act and subject to a transitional period, all financial institutions are regulated by the following two main regulators:
- The Prudential Authority housed in the SARB will have the objective of maintaining and enhancing the financial safety and soundness of financial institutions; and
- The Financial Sector Conduct Authority will bear responsibility for market conduct regulation and supervision of financial institutions and the protection of customers.
Yes, cloud services are in principle permitted. Banks are expressly permitted to move to the cloud, provided that they comply with certain requirements.2 While a move to cloud services is not outsourcing in the traditional sense, outsourcing regulations will also likely apply. For the outsourcing of certain functions and activities, a number of requirements must be fulfilled. In general, regulator approval is not required but prior notification to and/or approval by the regulator may be required for certain material functions and activities.3
Although cloud services are in principle permitted, specific aspects of the regulatory regime should always be carefully considered to ensure both cloud provider and cloud user compliance based on specific use cases and cloud architecture.
In relation to banks, the Prudential Authority has recently issued new rules which specifically permit banks to use cloud computing and to offshore data ("Cloud Rules").4 The Cloud Rules require each bank to adopt a principle-based and risk-based approach to cloud computing and data offshoring.
The Cloud Rules are designed to complement existing regulatory requirements and must be considered and observed in the context of a bank's overall legislative framework.
For a bank, its move to the cloud will therefore likely be regulated under:
- The Cloud Rules;5
- Outsourcing rules:6 Certain types of outsourcing are regulated, including outsourcing of material business activities or functions, and "offshoring";
- Cyber-resilience rules:8 A bank's cyber resilience will be reviewed against international best practice guidance9 for financial market infrastructures. This requires that a bank should implement appropriate risk-mitigation measures, either by means of outsourcing or third party agreements, or by internal resources which are available to it in-house without undue delay; and
- Banker-client confidentiality: A bank must maintain client confidentiality in respect of customer information. Banking secrecy covers information relating to the customer's account, the customer's transactions with the bank, and information relating to the customer acquired through the keeping of his account. The duty to respect privacy and confidentiality is expressly recognised in the Code of Banking Practice.
For an insurer, Directive 159.A.i10 currently regulates outsourcing by long- and short-term insurers. With the advent of the FSR Act, it is expected that amended legislation and standards will regulate outsourcing.11
Furthermore, as ‘accountable institutions’,12 both banks and insurers must ensure that their ‘know-your-client records’ are retained on terms which permit them free and easy access to the records, and that the records are readily available to the relevant regulator.8 Such records may be kept in electronic form and must be capable of being reproduced in legible format.9
Under the current regime, a move to the cloud by a bank or insurer will be subject to the following key principles: (i) the financial institution remains responsible for the function; (ii) the arrangement must not compromise the services provided to clients; and (iii) the services must be regularly monitored.
While the new regime under the FSR Act has not yet been finalised, we expect similar rules to follow through to the new regime.
Generally, regulatory approval is not needed for a move to the cloud. However, if a move to the cloud amounts to outsourcing, then prior notification to and/or approval from the regulators may be required, depending largely on the materiality of the outsourced function or activity.19 A bank will be required to provide prior notification before it "offshores" any material20 activity.21 Similar rules also apply to insurers. The Registrar of Banks (now the Prudential Authority) has indicated that, while it does not support the outsourcing by a bank of certain material functions, it may consider granting approval on a case-by-case basis.22
A bank outsourcing any material activity or function must be able at all times to provide the Registrar of Banks with necessary information and ensure the right of the Registrar of Banks to carry out its supervisory functions and objectives, including the right to access information and conduct on-site visits if the Registrar of Banks considers it necessary.23 The Cloud Rules specifically require a bank to ensure that the use of cloud computing does not prevent any regulatory mandated access to information, nor impacts on a regulator's ability to fulfil its duties.24
Similarly, an insurer outsourcing any control, management, or material function must appropriately assess, monitor, manage, and regularly review the performance of the outsourced service provider,26 and ensure that it has continued access to information27 and that the outsourced service provider permits the regulator access to its business and information relevant to the applicable function or activity.28 Indications are that similar rules will follow through to the new regime.29
The Cloud Rules impose no requirement for data to reside within South Africa. Instead, the Cloud Rules require a bank to implement a data strategy and governance framework, and to maintain an asset register of its information assets.30 The bank should also consider the impact of different jurisdictions in light of the bank's data strategy and data governance framework, and the potential impact on the role of the supervisor and access to data.31 The bank should ensure that data is not held in jurisdictions that may inhibit effective access to data for the bank's South African supervisors.32
Under the Protection of Personal Information Act (POPIA), personal information may be transferred out of SA provided the requirements of POPIA are met. POPIA33 permits the transfer of personal information to a third party who is in a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in POPIA or with the data subject's consent. Microsoft holds itself accountable to and is subject to laws of regions in which it maintains data centres, and has binding agreements which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.
- 1. Directive 3/2018 (D3/2018), read in conjunction with Guidance Note 5/2018 (G5/2018) (considered more fully below).
- 2. D3/2018, read in conjunction with G5/2018 (considered more fully below)
- 3. See section below headed "Is approval needed?"
- 4. Under D3/2018, read in conjunction with G5/2018 (both available at https://www.resbank.co.za/PrudentialAuthority/Pages/default.aspx)
- 5. For more information on the Cloud Rules and how Microsoft's solutions are well-placed to assist banks to comply with the Cloud Rules, please see our White Paper on the Cloud Rules available here.
- 6. Guidance Note on Outsourcing (G5/2014) issued by the Registrar of Banks (now the Prudential Authority) and regulation 39 of the regulations promulgated under the Banks Act
- 8. Guidance Note on Cyber Resilience (G4/2017) issued by the Registrar of Banks (now the Prudential Authority)
- 9. In particular, the Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016), issued by the Committee on Payments and Market Infrastructures and the Board of the International Organisation of Securities Commissions
- 10. Dir 159.A.i, issued under the Long-term Insurance Act and Short-term Insurance Act
- 11. Notably (i) draft Prudential Standard GOI 5 on Outsourcing by Insurer proposes requirements similar to the current Directive 159.A.i and (ii) draft Prudential Standard GOI 3 on Risk Management and Internal controls for Insurers which proposes cyber security measures and standards that must be adopted by insurers
- 12. Under the Financial Intelligence Centre Act 38 of 2001 ("FICA")
- 13. Section 24(1) of FICA
- 14. Section 24(4) of FICA
- 19. See Guidance Note G5/2014 and Dir 159.A.i
- 20. Defined at para 3 of G5/2014 as "one that has the potential to have a significant impact on the bank's business operations or its ability to manage risks should it be disrupted", taking into account a range of factors such as impact of interruption, reputational impact and cost as a percentage of total expenses.
- 21. Para 4.5 of G5/2014
- 22. The Registrar of Banks (now the Prudential Authority) has indicated that it will not support a bank outsourcing its management oversight, governance and risk management functions (paras 4.2 of G5/2014). It also will not generally support the outsourcing of a bank's internal audit function, the bank's core banking IT systems or financial reporting IT system, but may consider applications for prior approval on a case-by-case basis (paras 4.3 and 4.4 of G5/2014). Outsourcing of any other material business activities or functions should be notified to the Prudential Authority prior to conclusion of the agreement (par 5.1k of G5/2014).
- 23. Para 6.9.1 of G5/2014
- 24. Para 2.2.9 of D3/2018, as read with paras 4.9 and 4.3.1(d) of G5/2018.
- 25. As these terms are defined in para 5.1 of Dir 159.A.i
- 26. Para 7.7.9 and paras 7.9 to 7.11 of Dir 159.A.i
- 27. Para 7.7.10 of Dir 159.A.i
- 28. Para 7.7.15 of Dir 159.A.i
- 29. Draft Prudential Standard GOI 5 on Outsourcing by Insurer proposes requirements similar to those of Directive 159.A.i
- 30. Para 2.2.1 D3/2018, as read with para 4.1 of G5/2018
- 31. Para 4.5 of G5/2018
- 32. Para 4.9.2(d) of G5/2018
- 33. Section 72 of POPIA