2023-06-02
The Prudential Authority directs South African banks to implement enterprise-wide operational resilience principles aligned with Basel Committee standards, requiring robust risk-based policies, third-party management, and ICT/cyber resilience. Institutions must assess their current governance, business continuity, and incident management frameworks against these principles and ensure harmonization with recovery and resolution plans. This directive replaces Directive 10 of 2021 and extends the compliance deadline to 31 December 2024, allowing banks adequate time to align with international regulatory timelines.
P O Box 427, Pretoria 0001, South Africa
370 Helen Joseph Street, Pretoria 0002
+27 12 313 3911 / 0861 12 7272
www.resbank.co.za

Ref.: 15/8/1/3
D4/2023

To: All banks, branches of foreign institutions, controlling companies, eligible institutions and auditors of banks or controlling companies.

Directive issued in terms of section 6(6) of the Banks Act, 1990

Principles for operational resilience

Executive summary

Emerging, complex and inter-connected business models expose organisations to new and evolving risks. Recent events such as natural disasters, pandemics, technology failures and cyber-attacks have demonstrated the consequences of operational failures in a more connected world. Banks, controlling companies and branches of foreign institutions (hereinafter collectively referred to as 'banks') are required to have in place an enterprise-wide and systematic approach to operational resilience in order to adapt to the changing environment and to sustain core business services.

In March 2021 the Basel Committee on Banking Supervision (BCBS) issued a paper on principles for operational resilience [1]. The principles aim to strengthen banks' ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets. The principles contained in the BCBS paper must not be considered in isolation, but rather be integrated into a bank's enterprise-wide risk management framework.

The Prudential Authority (PA) published Directive 10 of 2021 on 14 December 2021. Based on developments in the local and international regulatory environment as well as the need for alignment on implementation timelines with other jurisdictions, the PA decided to extend the previously determined date for compliance.
This directive serves to direct banks to consider the adequacy and robustness of the banks’ current policies, processes and practices related to operational resilience, against the best practices contained in the BCBS paper on principles for operational resilience.
1.2 The paper outlines principles that are organised across the following seven categories:
1.2.1 governance;
1.2.2 operational risk management;
1.2.3 business continuity planning and testing;
1.2.4 mapping of interconnections and interdependencies of critical operations;
1.2.5 third-party dependency management;
1.2.6 incident management; and
1.2.7 resilient information and communication technology (ICT), including cyber security.

1.3 The principles are required to be applied on a consolidated basis and also form an integral part of a bank's forward-looking operational resilience approach in line with its operational risk appetite and tolerance for disruption.

1.4 The PA published Directive 10 of 2021 on 14 December 2021, stating that banks must comply with the respective requirements envisaged in the directive within 18 months of the publication date, which effectively translated to 30 June 2023. Based on developments in the local and international regulatory environment as well as the need for alignment on implementation timelines with other jurisdictions, the PA has decided to extend the previously determined date for compliance.

1.5 Regulation 39 of the Regulations relating to Banks (the Regulations) requires all banks to establish and maintain a robust process of corporate governance that is consistent with the nature, complexity and risk inherent in the bank's on-balance sheet and off-balance sheet activities and that responds to changes in the bank's environment and conditions. This process includes the maintenance of effective risk management and capital management by the bank. In order to achieve the objective relating to the maintenance of effective risk management and capital management, every bank is required to have in place comprehensive risk management processes, practices and procedures, and board-approved policies.
1.6 Consequently, operational resilience must form an integral part of the enterprise risk management processes, practices and procedures, and board-approved policies of banks.

1.7 Regulation 38(4) of the Regulations states that when the PA is of the opinion that a bank's policies, processes and procedures relating to operational resilience are inadequate, the PA, among other things, may require the said bank to:
1.7.1 maintain additional capital, calculated in such a manner and subject to such conditions as may be specified in writing by the PA;
1.7.2 duly align the bank's operational resilience policies, processes, or procedures with the bank's relevant exposure to risk.

1.8 The PA decided that the principles, as set out in the BCBS paper, need to be implemented by banks.

1.9 This directive replaces Directive 10 of 2021.
2. Directive

2.1 Based on the aforesaid, and in accordance with the provisions of section 6(6) of the Banks Act 94 of 1990, banks are hereby directed as follows:
2.1.1 Banks must assess the adequacy and robustness of their current policies, processes and practices against the principles for operational resilience issued by the BCBS.
2.1.2 All operational resilience controls implemented by the bank must follow a risk-based approach that is aligned with the bank's risk appetite, based on the nature, size and complexity of its operations.
2.1.3 Banks must ensure that all principles contained in the BCBS paper are addressed either through internal resources or by means of outsourcing/third-party agreements without undue delay.
2.1.4 Existing risk management frameworks, business continuity plans and third-party dependency management must be implemented consistently within the bank.
2.1.5 Banks must consider whether their operational resilience approach is appropriately harmonised with the stated actions, organisational mappings, and definitions of critical functions and critical shared services contained in their recovery and resolution plans.

2.2 All banks must comply with the respective requirements specified in this directive on or before 31 December 2024.

3. Acknowledgement of receipt

Kindly ensure that a copy of this Directive is made available to your institution's external auditors. In addition, the attached acknowledgement of receipt, duly completed and signed by both the Chief Executive Officer of the institution and the said auditors, should be returned to the PA at the earliest convenience of the signatories.

Fundi Tshazibana
Chief Executive Officer
Date:

The previous Directive issued was Directive 3/2023, dated 17 May 2023.