Joint Standard on IT governance and risk management

With effect from 15 November 2024, the Joint Standard of the Prudential Authority and the FSCA on IT governance and risk management establishes comprehensive IT governance and risk management requirements for financial institutions, including insurers and discretionary and administrative FSPs.

The Standard focuses primarily on the governance and risk management of IT within the institution. The emphasis is on establishing a robust IT strategy and a risk management framework, and on ensuring continuous oversight of IT operations. The institution must develop and communicate action plans to achieve its IT strategy and review them at least quarterly for continued relevance. Processes must be implemented to monitor and measure the effectiveness of the IT strategy. Any deviation from the IT strategy that may result in a breach of a financial sector law applicable to the institution must be notified to the Authority.

The IT risk management framework must incorporate policies, standards and procedures for managing IT risk, identifying and prioritising IT assets, and implementing risk mitigation strategies. The framework must also set system recovery and business resumption priorities, supported by established disaster recovery sites. When engaging IT staff, service providers and contractors, the institution must ensure careful screening and selection, that they are fit and proper with the requisite technical knowledge, and that they are contractually required to protect sensitive or confidential information. Regular, updated training is required.

As always with Standards, overall responsibility for compliance rests with the board, but it is for senior management to ensure the establishment and maintenance of a sound IT risk management framework and IT strategy. Every employee involved is responsible for ensuring that the framework is complied with.

This forms part of an international recognition by the financial services industry and its regulators that information technology is moving fast, and so are the risks that accompany it.

The Joint Standard was published in 2023, and financial institutions will presumably have been working towards compliance with its requirements by the commencement date.

Financial institutions must not overlook Joint Standard 2 of 2024, which comes into effect in June 2025. That Standard aims to bolster cybersecurity and cyber resilience measures. Cybersecurity is rated worldwide as one of the major risks facing financial and other institutions.

And do not forget that the new Standard on outsourcing (Joint Standard 1 of 2024) comes into operation on 1 December 2024.

Patrick Bracher
Norton Rose Fulbright South Africa
November 2024