2025-07-29

Joint Communication 2 of 2025 on Cloud Computing and Data Offshoring

The Financial Sector Conduct Authority and Prudential Authority issued Joint Communication 2 of 2025 to establish risk mitigation measures and best practices for financial institutions utilizing cloud computing and data offshoring. The document mandates that boards and senior management implement robust governance frameworks, conduct due diligence on strategic investments, and ensure data confidentiality, integrity, and availability. It further signals the imminent publication of a binding Joint Standard to formalize these requirements across the financial sector.


South Africa

Financial Sector Conduct Authority


Financial Sector Regulation Act, 2017 (Act No. 9 of 2017)

Joint Communication 2 of 2025

Cloud computing and data offshoring

1. PURPOSE

The purpose of this Joint Communication is to:

1.1 inform financial institutions of measures that may be considered in terms of risk mitigation in the utilisation of cloud computing and/or the offshoring of data (i.e., managing the risks associated with cloud computing and/or offshoring of data in terms of appropriate governance, strategy, resilience and risk management practices);

1.2 highlight the important role of boards of directors and senior management of financial institutions in the consideration of cloud computing and/or offshoring of data from a risk management and risk mitigation perspective; and

1.3 inform financial institutions that the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) (together referred to as the ‘Authorities’) intend to issue a regulatory instrument focused on introducing requirements pertaining to the use of cloud computing and data offshoring by financial institutions.
2. APPLICATION

2.1 This Joint Communication is applicable to financial institutions as defined in the Financial Sector Regulation Act, 2017 (Act No. 9 of 2017), with the exception of Lloyd’s and branches of foreign reinsurers.

2.2 This Joint Communication must be read in conjunction with applicable financial sector laws.
3. INTRODUCTION

3.1 Through supervisory activities, the Authorities are aware that some financial institutions may already be using cloud computing and/or data offshoring services through outsourcing arrangements, either with cloud service providers and/or through insourcing arrangements with a parent organisation.

3.2 Given these arrangements and the potential risks associated with cloud computing and/or data offshoring, the Authorities are considering whether policy interventions are necessary to mitigate risks in this environment.

3.3 To date, the only regulatory framework-related instruments/documents focused on cloud computing that have been published were issued by the PA and relate to banks being:

3.3.1 Directive 3 of 2018 – Cloud computing and the offshoring of data;¹ and

3.3.2 Guidance Note 5 of 2018 – Cloud computing and the offshoring of data.²

3.4 However, the Authorities have commenced a process of formulating a regulatory instrument focused on introducing requirements pertaining to the use of cloud computing and data offshoring by financial institutions.³ The draft regulatory instrument will be published for public consultation in due course.

3.5 In the interim, the Authorities seek to clarify expectations insofar as they relate to financial institutions utilising cloud computing and/or the offshoring of data.

3.6 For the purpose of this Joint Communication:

3.6.1 cloud computing is considered a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage facilities, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction; and

3.6.2 the offshoring of data is the storage and/or processing of data outside the borders of South Africa.

4. RECOMMENDED BEST PRACTICE REGARDING CLOUD COMPUTING AND DATA OFFSHORING

4.1 Cloud computing models implemented by financial institutions are managed either internally, externally and/or through a combination of both. When implementing any cloud computing and/or data offshoring solution, financial institutions should follow a risk-based approach that is aligned with the financial institution’s risk appetite, based on the nature, size and complexity of its operations.

4.2 Financial institutions should consider implementing appropriate governance structures, processes, and procedures to oversee the use of cloud computing. These could include, for example, formulating a defined policy, board-approved data strategy and data governance framework that addresses the financial institution’s risk appetite for cloud computing and/or data offshoring. To this end financial institutions should take all reasonable measures to ensure the confidentiality, integrity and availability of their data, information technology applications or systems.

4.3 In addition, financial institutions should give due consideration to contractual and other legal requirements for these services and the enforceability of rights and obligations arising from these contractual arrangements.

4.4 When making strategic investments in the use of cloud computing and/or data offshoring, financial institutions are expected to exercise appropriate due diligence before concluding such strategic investments.

5. WAY FORWARD

5.1 The Authorities will continue to advance cloud computing and/or data offshoring risk management initiatives through regulatory and supervisory activities, which are geared towards enhancing the Authorities’ regulatory and supervisory frameworks and practices.

5.2 The Authorities are in the process of developing a cloud computing and/or data offshoring Joint Standard. The scope of financial institutions that will be subject to the Joint Standard is still under consideration, but the intention is to ensure alignment and uniformity across the financial sector as far as possible. The Joint Standard will be published for public consultation in due course.

5.3 The Authorities will augment their supervisory capability of cloud computing and/or data offshoring risks in 2025 and 2026 through business-as-usual supervision across the financial sector. To this end, the Authorities will continue to monitor how financial institutions have approached the integration of cloud computing and/or data offshoring risks into their governance, risk management and reporting processes.

6. ENQUIRIES

6.1 Enquiries on this communication may be directed as follows:

6.1.1 for financial institutions registered in terms of the Banks Act, 1990 (Act No. 94 of 1990), the Mutual Banks Act, 1993 (Act No. 124 of 1993), the Co-operative Banks Act, 2007 (Act No. 40 of 2007) and the Insurance Act, 2017 (Act No. 18 of 2017) to the relevant PA frontline supervisors and copy SARB-PA-ITRISK@resbank.co.za.

6.1.2 for all other financial institutions, to the FSCA at FSCA.RFDRegulatorySupport@fsca.co.za, for the attention of Andile Mjadu.

Unathi Kamlana
Commissioner: FINANCIAL SECTOR CONDUCT AUTHORITY
Date: 25/07/25

Fundi Tshazibana
Chief Executive Officer: PRUDENTIAL AUTHORITY
Date:

¹ Issued by the PA and available at: https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-directives/2018/8749

² Issued by the PA and available at: https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2018/8747

³ In this regard, please also refer to paragraph 4.5.4 of the 2024 FSCA 3-Year Regulation Plan of July 2024, available at: https://www.fsca.co.za/Regulatory%20Frameworks/Regulatory%20Frameworks%20Documents/2024%20FSCA%203-year%20Regulation%20Plan.pdf