South Africa: Cloud in Financial Services

An Interactive Guide for Legal and Compliance Professionals

REGULATORY OVERVIEW

Banks in South Africa (SA) remain rated as amongst the most sound globally. It is not surprising that many of SA's leading financial services providers, including major banks and insurers, are moving to the cloud. They recognise the significant benefits and competitive edge to be derived from cloud services, such as agility, scalability, cyber resilience, and secure access. Cloud is therefore driving a rapid transformation in the SA financial services sector as more institutions move to the cloud as part of the reassessment of their technology strategies, from testing and development of data analytics solutions through to communications, CRM, and business productivity applications.

Regulators appear comfortable with cloud usage provided certain risks are addressed. The Prudential Authority specifically permits a bank to move to the cloud but requires the bank to ensure that certain requirements are satisfied.

MICROSOFT'S COMMITMENT TO THE SOUTH AFRICA FINANCIAL SERVICES SECTOR

We believe that no cloud services provider has more experience in delivering compliant solutions to financial institutions in SA than Microsoft. Having helped a number of financial institutions move to the cloud, Microsoft recognises that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and where appropriate, with financial regulators. Through this process of collaboration over several years (with both customers and regulators), Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk, and security standards.

Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure and legally compliant manner.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators in SA, Microsoft stands ready to support our financial services customers in SA. The Microsoft Cloud - including Microsoft Azure, Office 365, and Dynamics 365 - offers enterprise-grade reliability and performance.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

The Financial Sector Regulation Act 9 of 2017 ("FSR Act") which has been passed into law and which entered into partial effect in April 2018 aims to introduce a new "Twin Peaks" model of regulation. This will align regulation in the financial services industry by distinguishing between the prudential and market conduct activities of all financial services institutions.

  • Under the new FSR Act and subject to a transitional period, all financial institutions are regulated by the following two main regulators:

    • The Prudential Authority housed in the SARB will have the objective of maintaining and enhancing the financial safety and soundness of financial institutions; and
    • The Financial Sector Conduct Authority will bear responsibility for market conduct regulation and supervision of financial institutions and the protection of customers.
  • Yes, cloud services are in principle permitted. Banks are expressly permitted to move to the cloud, provided that they comply with certain requirements.2 While a move to cloud services is not outsourcing in the traditional sense, outsourcing regulations will also likely apply. For the outsourcing of certain functions and activities, a number of requirements must be fulfilled. In general, regulator approval is not required, but prior notification to and/or approval by the regulator may be required for certain material functions and activities.3

    Although cloud services are in principle permitted, specific aspects of the regulatory regime should always be carefully considered to ensure both cloud provider and cloud user compliance based on specific use cases and cloud architecture.

  • In relation to banks, the Prudential Authority has recently issued new rules which specifically permit banks to use cloud computing and to offshore data ("Cloud Rules").4 The Cloud Rules require each bank to adopt a principle-based and risk-based approach to cloud computing and data offshoring.
    The Cloud Rules are designed to complement existing regulatory requirements and must be considered and observed in the context of a bank's overall legislative framework.

    For a bank, its move to the cloud will therefore likely be regulated under:

    • The Cloud Rules;5
    • Outsourcing rules:6 Certain types of outsourcing are regulated, including outsourcing of material business activities or functions, and "offshoring";
    • Cyber-resilience rules:8 A bank's cyber resilience will be reviewed against international best practice guidance9 for financial market infrastructures. This requires that a bank should implement appropriate risk-mitigation measures, either by means of outsourcing or third party agreements, or by internal resources which are available to it in-house without undue delay; and
    • Banker-client confidentiality: A bank must maintain client confidentiality in respect of customer information. Banking secrecy covers information relating to the customer's account, the customer's transactions with the bank, and information relating to the customer acquired through the keeping of his account. The duty to respect privacy and confidentiality is expressly recognised in the Code of Banking Practice.

    For an insurer, Directive 159.A.i10 currently regulates outsourcing by long- and short-term insurers. With the advent of the FSR Act, it is expected that amended legislation and standards will regulate outsourcing.11

    Furthermore, as ‘accountable institutions’,12 both banks and insurers must ensure that their ‘know-your-client records’ are retained on terms which permit them free and easy access to the records, and that the records are readily available to the relevant regulator.13 Such records may be kept in electronic form and must be capable of being reproduced in legible format.14

    Under the current regime, a move to the cloud by a bank or insurer will be subject to the following key principles: (i) the financial institution remains responsible for the function; (ii) the arrangement must not compromise the services provided to clients; and (iii) the services must be regularly monitored.

    While the new regime under the FSR Act has not yet been finalised, we expect similar rules to follow through to the new regime.

  • Generally, regulatory approval is not needed for a move to the cloud. However, if a move to the cloud amounts to outsourcing, then prior notification to and/or approval from the regulators may be required, depending largely on the materiality of the outsourced function or activity.19 A bank will be required to provide prior notification before it "offshores" any material20 activity.21 Similar rules also apply to insurers. The Registrar of Banks (now the Prudential Authority) has indicated that, while it does not support the outsourcing by a bank of certain material functions, it may consider granting approval on a case-by-case basis.22

  • A bank outsourcing any material activity or function must be able at all times to provide the Registrar of Banks with the necessary information and ensure the right of the Registrar of Banks to carry out its supervisory functions and objectives, including the right to access information and conduct on-site visits if the Registrar of Banks considers this necessary.23 The Cloud Rules specifically require a bank to ensure that the use of cloud computing does not prevent any regulatory mandated access to information, nor impact on a regulator's ability to fulfil its duties.24

    Similarly, an insurer outsourcing any control, management, or material function25 must appropriately assess, monitor, manage, and regularly review the performance of the outsourced service provider,26 and ensure that it has continued access to information27 and that the outsourced service provider permits the regulator access to its business and information relevant to the applicable function or activity.28 Indications are that similar rules will follow through to the new regime.29

  • The Cloud Rules impose no requirement for data to reside within South Africa. Instead, the Cloud Rules require a bank to implement a data strategy and governance framework, and to maintain an asset register of its information assets.30 The bank should also consider the impact of different jurisdictions in light of the bank's data strategy and data governance framework, and the potential impact on the role of the supervisor and access to data.31 The bank should ensure that data is not held in jurisdictions that may inhibit effective access to data for the bank's South African supervisors.32

    Under the Protection of Personal Information Act (POPIA), personal information may be transferred out of SA provided the requirements of POPIA are met. POPIA33 permits the transfer of personal information to a third party who is in a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in POPIA or with the data subject's consent. Microsoft holds itself accountable to and is subject to laws of regions in which it maintains data centres, and has binding agreements which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

    1 Directive 3/2018 (D3/2018), read in conjunction with Guidance Note 5/2018 (G5/2018) (considered more fully below).
    2 D3/2018, read in conjunction with G5/2018 (considered more fully below).
    3 See section below headed "Is approval needed?"
    4 Under D3/2018, read in conjunction with G5/2018 (both available from the South African Reserve Bank).
    5 For more information on the Cloud Rules and how Microsoft's solutions are well-placed to assist banks to comply with the Cloud Rules, please see our White Paper on the Cloud Rules available here.
    6 Guidance Note on Outsourcing (G5/2014) issued by the Registrar of Banks (now the Prudential Authority) and regulation 39 of the regulations promulgated under the Banks Act.
    8 Guidance Note on Cyber Resilience (G4/2017) issued by the Registrar of Banks (now the Prudential Authority).
    9 In particular, the Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016), issued by the Committee on Payments and Market Infrastructures and the Board of the International Organisation of Securities Commissions.
    10 Dir 159.A.i, issued under the Long-term Insurance Act and Short-term Insurance Act.
    11 Notably (i) draft Prudential Standard GOI 5 on Outsourcing by Insurers, which proposes requirements similar to the current Directive 159.A.i, and (ii) draft Prudential Standard GOI 3 on Risk Management and Internal Controls for Insurers, which proposes cyber security measures and standards that must be adopted by insurers.
    12 Under the Financial Intelligence Centre Act 38 of 2001 ("FICA").
    13 Section 24(1) of FICA.
    14 Section 24(4) of FICA.
    19 See Guidance Note G5/2014 and Dir 159.A.i.
    20 Defined at para 3 of G5/2014 as "one that has the potential to have a significant impact on the bank's business operations or its ability to manage risks should it be disrupted", taking into account a range of factors such as impact of interruption, reputational impact and cost as a percentage of total expenses.
    21 Para 4.5 of G5/2014.
    22 The Registrar of Banks (now the Prudential Authority) has indicated that it will not support a bank outsourcing its management oversight, governance and risk management functions (para 4.2 of G5/2014). It also will not generally support the outsourcing of a bank's internal audit function, the bank's core banking IT systems or financial reporting IT system, but may consider applications for prior approval on a case-by-case basis (paras 4.3 and 4.4 of G5/2014). Outsourcing of any other material business activities or functions should be notified to the Prudential Authority prior to conclusion of the agreement (para 5.1k of G5/2014).
    23 Para 6.9.1 of G5/2014.
    24 Para 2.2.9 of D3/2018, as read with paras 4.9 and 4.3.1(d) of G5/2018.
    25 As these terms are defined in para 5.1 of Dir 159.A.i.
    26 Para 7.7.9 and paras 7.9 to 7.11 of Dir 159.A.i.
    27 Para 7.7.10 of Dir 159.A.i.
    28 Para 7.7.15 of Dir 159.A.i.
    29 Draft Prudential Standard GOI 5 on Outsourcing by Insurers proposes requirements similar to those of Directive 159.A.i.
    30 Para 2.2.1 of D3/2018, as read with para 4.1 of G5/2018.
    31 Para 4.5 of G5/2018.
    32 Para 4.9.2(d) of G5/2018.
    33 Section 72 of POPIA.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.