Lize de la Harpe, Senior Legal Advisor: Sanlam Life & Savings: Regulatory Unit
Background
It is quite common for financial institutions to utilise cloud computing and/or data offshoring services through outsourcing arrangements, either directly with cloud service providers and/or through insourcing arrangements within a group.
As set out in the 2024 FSCA 3-year Regulation Plan, international standard-setting bodies have over the past few years re-emphasised the critical importance of managing operational risk and highlighted the need to consider the regulatory and supervisory implications of cloud computing.
The Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) (the Authorities) have thus commenced with assessing the extent to which the current regulatory framework requires strengthening to ensure financial institutions manage operational risk effectively and that the regulatory framework appropriately deals with these emerging risks.
First things first
Let’s first get the IT jargon out of the way.
“Cloud computing” refers to a model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage facilities, etc.) that can be accessed with minimal management effort or service provider interaction. “Offshoring of data” is the storage and/or processing of data outside the borders of South Africa.
Recommended best practice
On 25 July 2025 the Authorities published Joint Communication 2 of 2025 informing financial institutions that they intend to publish a draft Joint Standard setting out requirements for the use of cloud computing and data offshoring. It also highlights the important role that boards of directors and senior management play when considering cloud computing and/or offshoring of data from a risk management perspective.
The Joint Communication proposes that, when implementing any cloud computing and/or data offshoring solution, financial institutions should:
- Follow a risk-based approach based on the nature, size and complexity of their business.
- Consider implementing appropriate governance structures, processes, and procedures to oversee the use of cloud computing, such as a defined policy, a data strategy and a data governance framework that addresses the financial institution’s risk appetite.
- Take all reasonable steps to ensure the confidentiality and integrity of their data, IT applications and/or systems.
- Give due consideration to contractual and other legal requirements for these services and the enforceability of rights and obligations arising from these contractual arrangements.
- Exercise appropriate due diligence before concluding strategic investments in the use of cloud computing and/or data offshoring.
Conclusion
The scope of financial institutions that will be subject to the proposed Joint Standard is still under consideration, but the intention is to ensure alignment across the financial sector. It is expected that the Joint Standard will be published for public consultation in due course. In the meantime, the Authorities will increase their supervisory capability in respect of cloud computing and/or data offshoring risks in 2025 and 2026 through business-as-usual supervision across the financial sector.