Joint Communication 3 of 2021 – Draft Joint Standard on Information Technology Risk Management

1 Financial Sector Regulation Act, 2017 Joint Communication 3 of 2021 Publication of draft Joint Standard – Information technology risk management The Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA), today publish the draft Joint Standard – Information technology risk management for public consultation, for a period of six weeks. The main objective of the Joint Standard is to prescribe the requirements that a financial institution must comply with in relation to information technology risk management. The draft Joint Standard is to be made under section 107, read with sections 105, 106 and 108 of the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017) (FSR Act) and is intended to apply to: • a bank, a branch of a foreign institution or a bank controlling company registered or authorised under the Banks Act, 1990 (Act No. 94 of 1990); • a mutual bank registered under the Mutual Banks Act, 1993 (Act No. 24 of 1993); • an insurer licensed under the Insurance Act, 2017 (Act No. 18 of 2017); • a manager of a collective investment scheme registered under the Collective Investment Scheme Control Act, 2002 (Act No. 45 of 2002); • a market infrastructure registered in terms of the Financial Markets Act 2012 (Act No. 19 of 2012); • a discretionary financial services provider (FSP), as contemplated in the Code of Conduct for Administrative and Discretionary FSPs, 2003; and • an administrative FSP, as contemplated in the Code of Conduct for Administrative and Discretionary FSPs, 2003. The legislative process employed by the PA and the FSCA in making a regulatory instrument follows the prescripts of section 98 of the FSR Act. In compliance with section 98 of the FSR Act, kindly find attached hereto the following documents for:

1. a notice inviting submissions in relation to the draft joint standard, stating where, how and by when submissions are to be made – Annexure A;
2. statement explaining the need for, the expected impact of, and the intended operation of the draft Joint Standard – Annexure B;
3. the draft Joint Standard: IT Risk Management – Annexure C; and
4. a comments submission template – Annexure D. Submissions on the attached documentation must be made by 26 July 2021 using the submission template attached hereto. Please e-mail any submissions to PA-Standards@resbank.co.za for the attention of Mrs Kalai Naidoo. Requests for further information about the joint communication or Joint Standard may be submitted via e-mail to FSCA.RFDStandards@fsca.co.za for the attention of Mr Andile Mjadu and PA-Standards@resbank.co.za for the attention of Mrs Kalai Naidoo. FINANCIAL SECTOR CONDUCT AUTHORITY PRUDENTIAL AUTHORITY DATE: 9/6/2021 DATE: 2021-06-09