🧾 Overview

Name: Joint Standard 1 of 2023 – IT Governance and Risk Management for Financial Institutions

Act no: N/A

Effective Date: 15 November 2024

Type: Principle-based

Regulator: Financial Sector Conduct Authority (FSCA) and Prudential Authority (South African Reserve Bank)

Purpose: Establishes principles and minimum requirements for effective IT governance and risk management within financial institutions.

Notes: Issued jointly by the FSCA and the Prudential Authority under the Financial Sector Regulation Act 9 of 2017.

👥 Who Does This Affect?

Direct Applicability:

  1. a bank, a branch (commonly referred to as a ‘branch of a foreign institution’), a branch of a bank or a bank controlling company as defined in section 1 of the Banks Act, 1990 (Act No. 94 of 1990);
  2. a mutual bank as defined in section 1 of the Mutual Banks Act, 1993 (Act No. 24 of 1993);
  3. an insurer and a controlling company of an insurer as defined in section 1 of the Insurance Act, 2017 (Act No. 18 of 2017);
  4. a manager as defined in section 1 of the Collective Investment Schemes Control Act, 2002 (Act No. 45 of 2002);
  5. a market infrastructure as defined in section 1 of the Financial Markets Act, 2012 (Act No. 19 of 2012);
  6. a discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 [Explanatory note: (Category II)]; and
  7. an administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003 [Explanatory note: (Category III)].

Please note: We’ve added “explanatory notes” to this section to help readers identify the different stakeholders. The explanatory notes are not part of the Joint Standard itself.

High Impact On:

Banks, Insurers, Investment Managers, Market Infrastructures, and IT Service Providers to Financial Institutions (the latter indirectly, through the outsourcing and third-party obligations the Standard places on the institutions they serve).

📋 Key Requirements Relating to Cybersecurity

  • IT Risk Framework: Institutions must establish, implement, and regularly review a comprehensive IT risk management framework [Clause 7].
  • Asset Protection: IT assets must be identified, prioritised, and safeguarded from unauthorised access or misuse [Clause 7.3(e)].
  • Threat & Vulnerability Analysis: Institutions must assess the likelihood and impact of IT threats and establish mitigation controls [Clause 7.3(f)].
  • Access Controls: Logical access to sensitive systems and data must be tightly controlled, enforced, and monitored [Clause 10.2(a)].
  • Incident Notification: Material IT incidents must be reported to the responsible authority within the timeframe set out in the Standard [Clause 15.1].
  • Business Continuity & Resilience: Institutions must define recovery priorities and maintain tested IT resilience plans [Clause 13.1].
  • Confidentiality Protections: Sensitive or personal data must be processed in accordance with POPIA (the Protection of Personal Information Act, 2013) and safeguarded against loss or theft [Clause 10.2(e)].
  • Online Services Risk: Financial institutions must evaluate and mitigate IT risks specific to internet-facing services [Clause 11.1].

⚠️ Consequences of Non-Compliance

Financial Penalties:

Administrative penalties may be imposed for contraventions of a joint standard [Section 167 – Financial Sector Regulation Act].

Criminal Penalties:

N/A

Regulatory Consequences:

Directives from the responsible authority [Section 144 – Financial Sector Regulation Act], and potentially licence suspension or revocation and other enforcement action under the Act.

Other Regulatory Actions:

Specific information or assurance may be requested by the FSCA or the Prudential Authority [Clause 15.2].

Reputational Harm:

The loss of trust and damage to reputation can have long-term consequences for a financial institution, including decreased customer loyalty, reduced business opportunities, and potentially higher costs associated with rebuilding trust.

✅ How ARMD.digital Helps You Comply

Product:

What it does:

Performs a safe, external scan of your public digital footprint to detect security weaknesses visible to attackers.

How it supports compliance:

  • Threat & Vulnerability Analysis: Identifies current and emerging threats in external systems [Clause 7.3(f)]
  • Online Services Risk: Assesses risks and security gaps in systems offering online financial services [Clause 11.1]

Product:

What it does:

Enforces domain-based email authentication to block spoofing, stop phishing, and boost email deliverability.

How it supports compliance:

  • Confidentiality Protections: Helps prevent phishing and data leaks that rely on spoofed messages sent from your domain [Clause 10.2(e)]
  • Access Controls: Supports, but does not replace, logical access controls by restricting which systems may send email on behalf of your domain [Clause 10.2(a)]

📚 Additional Resources

Explore More Regulations