Joint Standard | IT Governance and Risk Management for Financial Institutions, 2023

In November 2023, The Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) published the Joint Standard: Information Technology (IT) Governance and Risk Management for Financial Institutions.

The Joint Standard sets out the principles for information technology (IT) risk management that financial institutions must comply with to achieve sound practices and processes in managing IT risks.

The Joint Standard is prepared and published in terms of section 105(1), 106 (1), 107 and 108 of the FSRA (Financial Sector Regulation Act 9 of 2017).

Financial institutions have until 15 November 2024 to comply with the Joint Standard.

Principle-based
CyberProfiler scan

DMARC

The objectives of the Joint Standard are to:

  • Ensure that financial institutions establish a sound and robust IT risk management framework.
  • Assist financial institutions in integrating technology risk management into their overall management system.
  • Ensure that financial institutions implement information security controls for the information held on IT systems.

Act’ in this Joint Standard means the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017);

Authorities’ means the Prudential Authority as established in terms of section 32 of the Act and the Financial Sector Conduct Authority as established in terms of section 56 of the Act;

governing body’ means ‘governing body’ as defined in section 1 of the Act;

hardware’ means physical components of a computer system;

IT’ means information technology;

IT asset’ means an asset including software, hardware, internal and external facing network system that are found in the business environment;

IT environment’ means the IT components which comprise the IT assets, operations and human elements of a financial institution;

IT programme and project’ means any project or programme, or part thereof, where IT systems and services are changed, replaced, dismissed or implemented. IT projects can be part of wider IT or business transformation projects or programmes;

IT system’ means the integration of IT assets within the IT environment;

material incident’ means a disruption of a business activity, process or function which has, or is likely to have, a severe and widespread impact on the financial institution’s operations, services to its customers, or the broader financial system and economy;

risk identification’ means the determination of the threats and vulnerabilities to a financial institution’s IT environment;

software’ means’ means a set of programs and supporting documentation that enable and facilitate use of any computing device such as computers and hand-held devices;

The Joint Standard applies to:

  1. a bank, a branch (commonly referred to as a ‘branch of a foreign institution’), a branch of a bank or a bank controlling company defined in section 1 of the Banks Act, 1990 (Act No. 94 of 1990);
  2. a mutual bank as defined in section 1 of the Mutual Banks Act, 1993 (Act No. 24 of 1993);
  3. an insurer and a controlling company of an insurer as defined in section 1 of the Insurance Act, 2017 (Act No. 18 of 2017);
  4. a manager as defined in section 1 of the Collective Investment Scheme Control Act, 2002 (Act No. F45 of 2002);
  5. a market infrastructure as defined in section 1 of the Financial Markets Act 2012 (Act No. 19 of 2012);
  6. a discretionary FSP as defined in Chapter II of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003
    [Explanatory note: (Category II)]; and
  7. an administrative FSP as defined in Chapter I of the Notice on Codes of Conduct for Administrative and Discretionary FSPs, 2003
    [Explanatory note: (Category III)].

Please note: We’ve added “explanatory notes” to this section to help readers understand the different stakeholders better. The explanatory notes are not part of the draft Joint Standard.

Governing bodies at financial institutions are responsible for complying with the Joint Standard. The Joint Standard places several obligations on financial institutions to ensure that they:

  • Establish a sound and robust IT risk management framework.
  • Integrate technology risk management into their overall management system.
  • Implement information security controls for the information held on IT systems.

The minimum requirements and principles set out in this Joint Standard must be implemented to reflect the nature, size, complexity and risk profile of a financial institution.

Please Note: We’ve extracted ‘relevant sections’ and these do not represent the entirety of sections listed in the Joint Standard. We’ve furthermore summarised certain key aspects for ease of interpretation.

A financial institution must ensure that it has an approved IT strategy approved by the governing body which is aligned with its over business strategy. This strategy must be reviewed regularly, but at least annually, keeping in mind various the developments, in the market, industry and technology. A financial institution must:

  • Establish a set of action plans containing measures to achieve its IT strategy;
  • Establish processes to monitor how effectively the IT strategy is implemented; and
  • Notify the responsible authority for the financial sector in terms of which law the financial institution is registered or licensed under when it deviates from its IT strategy and said deviation could contravene the joint Standard or any other financial sector law relating to IT risk management.

A financial institution must establish an IT risk management framework to manage IT risks in a systematic and consistent manner. The governing body must approve of and review the framework regularly, but at least once a year.

A financial institution’s IT risk management framework must have the following attributes:

  • Policies, standards, and procedures in managing IT risks and safeguarding IT assets in the financial institution;
  • The ability to identify, assess and manage all material risks, taking into consideration the principle of proportionality;
  • Policies, standards and procedures must be independently reviewed and updated to take into account changes in the security environment;
  • The assignment of roles and responsibilities in managing IT risks to ensure effective internal controls and risk management practices are implemented to achieve security, reliability, resiliency and recoverability;
  • The identification and prioritisation of IT assets, and protecting them from unauthorised access, misuse or fraudulent modification;
  • The identification and assessment of impact and likelihood of current and emerging threats, risks and vulnerabilities;
  • The implementation of appropriate practices and controls to manage risks;
  • Theperiodic update and monitoring of risk assessments and assigning priority to the highest risks;
  • The management of people including the careful screening of staff and service providers, ensuring they are of good standing and have the necessary expertise, and that all staff have the relevant training programmes and materials.

Financial institutions must conduct independent reviews, annually, to assess compliance with its privacy policies. In addition, independent reviews may be used to identify vulnerabilities in compliance processes that can undermine confidential and sensitive information on its systems.

Financial institutions must define, document and implement appropriate measures to, among others,:

  • protect sensitive or confidential information such as customer personal account and transaction data which are stored and processed in systems; and
  • mitigate IT risks and protect information assets in accordance with its sensitivity classification;
  • ensure that all personal information is processed in accordance with the requirements of all applicable legislation, including the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).

Financial institutions must notify the Authorities of any systems failure, malfunction, delay or other disruptive event, within the determined timeframe, after classifying the event as a material incident.

The Authorities may, through ongoing supervisory review and evaluation processes, request specific information or regulatory reports as well as assurance in terms of compliance with this Joint Standard.

Financial institutions run the risk of having their licenses suspended if they do not comply with the requirements of the Joint Standard. Depending on the severity of the non-compliance, financial institutions could also be liable for administrative penalties.

By obtaining and/or implementing the products provided by ARMD.digital., financial institutions can help demonstrate compliance with the Joint Standard.

Obtaining a CyberProfiler scan and implementing the remediation recommendations provided in its report can help institutions:

 

IT Risk Management Framework

  • Identify, assess and manage material risks associated to the IT environment;
  • Identify and prioritise IT assets in order to protect them cyber threats;
  • Configure IT systems with security settings that are consistent with the expected level of protection;
  • Periodically assess and monitor risks.

Handling of sensitive or confidential information

  • Identify and mitigate against vulnerabilities in order to protect sensitive and/or confidential information.

Notification and reporting

  • Provide assurance in terms of compliance by providing a copy of the CyberProfiler scan report along with the remediation recommendations which have been implemented.

Implementing DMARC on the company’s email domain helps institutions to:

 

IT Risk Management Framework

  • Determine and implement IT policies, standards, and procedures to manage the IT risks related to e-mail security;
  • Enable the ability to identify, assess and manage material risks associated to e-mail spoofing and phishing;
  • Ensure that effective internal controls and risk management practices are implemented to achieve security, reliability, and resiliency;
  • Configure IT systems with security settings that are consistent with the expected level of protection;

Handling of sensitive or confidential information

  • Affirm compliance with its privacy policy related to protecting confidential and sensitive information by obtaining a DMARC Certificate of Compliance.

Notification and reporting

  • Provide confirmation of compliance in regard to its e-mail application by providing a copy of your DMARC Certificate of Compliance;
  • Provide a detailed analysis report on their e-mail domain.
  • The Joint Standard: IT Governance and Risk Management for Financial Institutions, 2023 is  available on the Reserve Bank’s website.

Explore More Regulations

The Protection of Personal Information Act (POPIA)

The main purpose of POPIA is to protect people from harm by protecting their personal information.

The Financial Advisory And Intermediary Services Act (FAIS)

The FAIS Act regulates and guides how Financial Service Providers (FSPs) should conduct their business activities and everyday relations with their customers.

Joint Standard | Cybersecurity and Cyber Resilience Requirements For Financial Institutions

The Joint Standard sets out the minimum standards for financial institutions to implement best practices

The King IV Report and King Code

The King IV Report and King Code (King IV) is an important instrument that governs the leadership of an organisation through principles of ethics and good governance.

The Cybercrimes Act

The Act is a criminal law which aims to reduce and prevent cybercrime in South Africa.

Back To Top
This site is registered on wpml.org as a development site.