Authorities developing Joint Standard on cloud computing and data offshoring

The Financial Sector Conduct Authority and the Prudential Authority are developing a Joint Standard to regulate financial institutions’ use of cloud computing and data offshoring, the Authorities said in a communication published this week.

The Authorities also published the best practices regarding cloud computing and data offshoring that they recommend financial institutions adopt in the interim. The purpose of these measures is to mitigate the risks associated with cloud computing and data offshoring.

The Authorities’ Joint Communication 2 of 2025 applies to financial institutions as defined in the Financial Sector Regulation Act, with the exception of Lloyd’s and the branches of foreign reinsurers.

It defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage facilities, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.

The offshoring of data is described as “the storage and/or processing of data outside the borders of South Africa”.

To date, the PA has published two regulatory frameworks on cloud computing and data offshoring, both of which apply to the banks. These are Directive 3 of 2018: Cloud computing and the offshoring of data and the accompanying Guidance Note 5 of 2018.

The Authorities have not decided on the scope of the financial institutions that will be subject to the Joint Standard, “but the intention is to ensure alignment and uniformity across the financial sector as far as possible”.

The Joint Standard will be published for public consultation in due course.

In the interim, the Authorities recommend that financial institutions adopt the following best practices:

  • When implementing any cloud computing and/or data offshoring solution, a financial institution should follow a risk-based approach that is aligned with its risk appetite, based on the nature, size, and complexity of its operations. This risk-based approach should apply whether the cloud computing model is managed internally or externally, or through a combination of both.
  • Financial institutions should consider implementing appropriate governance structures, processes, and procedures to oversee the use of cloud computing. These could include, for example, formulating a defined policy, board-approved data strategy, and data governance framework that addresses the financial institution’s risk appetite for cloud computing and/or data offshoring. To this end, financial institutions should take all reasonable measures to ensure the confidentiality, integrity, and availability of their data, information technology applications, or systems.
  • Financial institutions should give due consideration to contractual and other legal requirements for these services and the enforceability of rights and obligations arising from these contractual arrangements.
  • Financial institutions are expected to exercise appropriate due diligence before concluding strategic investments in the use of cloud computing and/or data offshoring.

The FSCA and the PA said they will augment their supervision of cloud computing and/or data offshoring risks across the financial sector. “To this end, the Authorities will continue to monitor how financial institutions have approached the integration of cloud computing and/or data offshoring risks into their governance, risk management, and reporting processes.”

Enquiries regarding Joint Communication 2 of 2025 may be directed as follows:

  • For financial institutions registered in terms of the Banks Act, the Mutual Banks Act, the Co-operative Banks Act, and the Insurance Act, to the relevant PA frontline supervisors, with a copy to SARB-PA-ITRISK@resbank.co.za.
  • For all other financial institutions, to the FSCA at RFDRegulatorySupport@fsca.co.za, for the attention of Andile Mjadu.