Guidance Note 2/2020: 2020 Board Meetings on New Technology Impacts for Banks and Controlling Companies

Ref.: 15/8/2 G2/2020 To: All banks, controlling companies, branches of foreign institutions and auditors of banks or controlling companies Guidance Note 2/2020 issued in terms of section 6(5) of the Banks Act 94 of 1990 Meetings to be held during the 2020 calendar year with the boards of directors of banks and controlling companies Executive summary This guidance note serves to inform all banks, controlling companies and branches of foreign institutions (hereinafter collectively referred to as ‘banks’) of the flavour￾of-the-year topics for the discussions to be held with the respective boards of directors during 2020. A. Meetings with boards of directors

1. Introduction In order to assist the Prudential Authority (PA) to discharge its supervisory responsibilities, the scope of the meetings with the banks’ boards of directors (boards) to be held during the 2020 calendar year will consist of a discussion on the following flavour-of-the-year topic:
2. The impact of new technologies on regulated financial institutions 2.1 Background As with the great advances of the past, new technologies such as Artificial Intelligence (AI), Machine Learning (ML), Distributed Ledger Technology (DLT), Robotics, Internet of Things (IoT) and the use of “big data”, amongst others, bring about immense changes. The future growth and survival of the financial services industry will be impacted by their ability to transform, automate and leverage of these new technologies. It has become evident that the accelerating pace of technological change is also increasing the risk exposure of the ecosystem, introducing known and unknown risks and sometimes creating unintended consequences. The financial services industry has traditionally employed the same relatively static, highly profitable business models, which have now been disrupted by innovators seeking to provide diversified financial services to customers.

2 Therefore, in this rapidly changing landscape, it is critically important for banks to duly consider the risks, opportunities and rewards that these changes bring about. Most importantly, banks should duly consider how these new risks arise and where they exist, without disregarding the risks that have historically always been incurred by banks. An understanding of these new technologies is critical to contemplate adequate risk management, sound governance, compliance and societal implications. Institutions should therefore effectively monitor the potential impact on their end-to-end frameworks, policies, procedures and processes. 2.2 Format of discussion The chairperson of the capital and risk management subcommittee of the board (or equivalent) is required to make a high-level presentation to the PA on the impact of new technologies on the bank. The duration of the presentation should be targeted at approximately 60 minutes. The PA also requires to be provided with a copy of the presentation at least three weeks prior to the executive committee meeting. As a minimum, the following aspects, as it relates to the involvement of the board, should be covered during the presentation: a. How the board ensures that there is adequate governance, compliance and oversight relating to the impact of adopting or not adopting new technologies such as AI, ML, DLT, Robotics, IoT and the use of big data, amongst others; b. How the institution assesses the following principles to determine responsible adoption and impact: i. Soundness – reliability, accuracy and predictability. ii. Accountability – responsibility and operationalised accountability for applications throughout the organisation. iii. Fairness – trust by society and no inadvertent disadvantages to certain groups of customers. iv. Ethics – no violation of organisation’s ethical standards. v. Skills – adequate level of expertise at all ranks and how to address the scarcity. vi. Transparency – be able to explain usage in their business processes and reasonably understand how these applications function. c. The alignment between the approved business strategy and the business model for adopting or not adopting new technologies as well as the distinction and reasoning for being an innovator, early adopter, early majority, late majority or laggard; d. Identification and assessment of the risks (financial and non-financial) and the impact (quantitative and qualitative) of the new technologies; e. Consideration and appropriate challenge by all lines of defence; first line (business), second line of defence (i.e. risk and compliance), third line of defence (internal audit); f. Heightened attention to the exposure and impact of cyber and information security brought about by new technologies considered by the organisation as well as the frequency of and the topics covered during those assessments; and