2021-02-12

Prudential Authority Guidance Note 2/2021 – Flavour of the Year on New Technologies

The Prudential Authority requires South African banks, controlling companies, and foreign branches to hold 2021 board meetings focused on the impact of emerging technologies such as artificial intelligence, distributed ledger technology, and fintech competition. Institutions must submit a sixty-minute presentation detailing technological governance, risk management, outsourcing strategies, and cybersecurity measures to the authority at least three weeks prior to executive committee meetings. The guidance further mandates that chief executives and independent auditors jointly sign and return an acknowledgement of receipt to confirm comprehensive oversight of technological adoption across all organisational lines of defence.

South Africa

South African Reserve Bank

P O Box 427 Pretoria 0001 South Africa
370 Helen Joseph Street Pretoria 0002
+27 12 313 3911 / 0861 12 7272
www.resbank.co.za

Ref.: 15/8/2 G2/2021

To: All banks, controlling companies, branches of foreign institutions, eligible institutions and auditors of banks or controlling companies

Guidance Note 2/2021 issued in terms of section 6(5) of the Banks Act 94 of 1990

Meetings to be held during the 2021 calendar year with the boards of directors of banks and controlling companies and executive management of smaller South African banks and representatives from branches of foreign institutions

Executive summary

This guidance note serves to inform all banks, controlling companies and branches of foreign institutions (hereinafter collectively referred to as ‘banks’) of the flavour-of-the-year topics for the discussions to be held with the respective boards of directors and executive management of smaller South African banks and representatives from branches of foreign institutions during 2021.

A. Meetings

  1. Introduction

In order to assist the Prudential Authority (the PA) to discharge its supervisory responsibilities, the scope of the meetings with the banks’ boards of directors (boards) and executive management of smaller South African banks and representatives from branches of foreign institutions to be held during the 2021 calendar year will consist of a discussion on the following flavour-of-the-year topic:
  2. The impact of new technologies on regulated financial institutions

2.1 Background

As with the great advances of the past, new technologies such as Artificial Intelligence (AI), Machine Learning (ML), Distributed Ledger Technology (DLT), Robotics, Internet of Things (IoT) and the use of “big data”, amongst others, bring about immense changes and potential risks, some of which were hard to imagine in the past. The future growth and survival of the financial services industry will be impacted by its ability to transform, automate and leverage off these new technologies.

It has become evident that the accelerating pace of technological change is also increasing the risk exposure of the financial ecosystem, introducing known and unknown risks potentially creating unintended consequences. The financial services industry has traditionally employed the same relatively static, highly profitable business models, which have now been disrupted by innovators seeking to provide diversified financial services to customers.

Therefore, in this rapidly changing landscape, all relevant key players need to be thoughtful of the risks, opportunities and rewards that these changes bring about. Most importantly, banks need to duly consider how these new risks arise and where they exist, without disregarding the risks that have historically always been incurred by banks.

A thorough understanding of these new technologies is critical to contemplate adequate risk management, sound governance, compliance and societal implications. Institutions therefore need to effectively monitor the potential impact on their end-to-end frameworks, policies, procedures and processes.

2.2 Format of discussion

The chairperson of the capital and risk management subcommittee (or equivalent) is required to make a high-level presentation to the PA on the impact of new technologies on the bank. The duration of the presentation should be targeted at approximately 60 minutes. The PA requires a copy of the presentation to be provided at least three weeks prior to the executive committee meeting.

Scope and objective: To consider partnerships, reliance and relationships between the regulated entities and fintech companies as well as the survival of regulated entities in response to the emerging competition introduced by fintech companies.

As a minimum, the following aspects, as they relate to the involvement of the board / executive management / representatives, should be covered during the presentation:

  a. How the board / executive management / representatives are kept abreast of all the developments relating to the adoption of new technologies;
  b. How the board / executive management / representatives ensure that there is adequate governance, compliance and oversight relating to the adoption of new technologies such as AI, ML, DLT, Robotics, IoT and the use of big data, amongst others;
  c. How the institution assesses the following principles to determine responsible adoption:
     i. Soundness – reliability, accuracy and predictability.
     ii. Accountability – responsibility and operationalised accountability for applications throughout the organisation.
     iii. Fairness – trust by society and no inadvertent disadvantages to certain groups of customers.
     iv. Ethics – no violation of organisation’s ethical standards.
     v. Skills – adequate level of expertise at all ranks and how to address the scarcity.
     vi. Transparency – be able to explain usage in their business processes and reasonably understand how these applications function.
  d. The alignment between the approved business strategy and the business model for the adoption of new technologies as well as the distinction and reasoning for being an innovator, early adopter, early majority, late majority or laggard;

  e. Identification and assessment of the risks (financial and non-financial) and the impact (quantitative and qualitative) of the new technologies;
  f. Consideration and appropriate challenge by all lines of defence; first line (business), second line of defence (i.e. risk and compliance), third line of defence (internal audit) and external lines (i.e. external audit and regulators);
  g. Heightened attention to the exposure and impact of cyber and information security brought about by new technologies considered by the organisation as well as the frequency of and the topics covered during those assessments;
  h. The institution’s approach, responsibility and accountability to managing increased and complex outsourcing and third party risks (including sub-contracting) and third party vendor arrangements related to the introduction of new technologies;
  i. The institution’s approach in considering partnerships, including the reliance and relationships between the business and fintech companies; and
  j. The institution’s ability to adapt and respond for survival to the emerging competition introduced by fintech companies.

B. Acknowledgement of receipt

  1. Kindly ensure that a copy of this guidance note is made available to your institution’s independent auditors. The attached acknowledgement of receipt, duly completed and signed by both the chief executive officer of the institution and the said auditors, should be returned to the PA at the earliest convenience of the aforementioned signatories.

Kuben Naidoo
Deputy Governor and CEO: Prudential Authority

Date: 11 February 2021

The previous guidance note issued was Banks Act Guidance Note 1/2021, dated 27 January 2021.