Data Protection and Cybersecurity in the Open Finance Space

The FSCA has published a draft paper addressing the risks and possible remedies arising from data sharing in Open Finance, on which it is seeking public comment.

The future of financial services is digitisation. As with all digital applications, data is a critical component, and it has immense commercial value in the financial services industry.

In June 2023, the Financial Sector Conduct Authority (FSCA) published a draft paper on Open Finance. The draft paper refers to Open Finance as "the practice of consent-based financial data sharing and payment initiation, with suitably authorised third parties, safely and ethically".

Open Finance is seen as a beneficial tool in addressing financial inclusion, as it will allow financial institutions to create financial products and services that will meet the needs of consumers. The draft position paper highlights five use cases for Open Finance that leverage consumer financial data to offer personalised financial services and products. These are: (1) account aggregation, (2) financial management, (3) payment initiation, (4) alternative lending and (5) insurance.

Cyber security and data protection

Each participant in the Open Finance space faces unique risks and challenges, and the FSCA has noted that some remedies can be utilised to mitigate these risks:

Participant Risk Remedy



Financial Institutions

Implement adequate standards of protection and safeguards. Ensure that a customer provides explicit consent and has a full understanding of the scope of authorisation given to third parties.

Prioritisation of cybersecurity and information security management. Third-party Payment Service Providers ("TPPs") brought within the regulatory net.

Implement a suitable regulatory and risk management framework for TPPs. Requirement to have strong governance in place when partnering with or outsourcing to TPPs.

It is important to assess the suitability of Open Finance in South Africa, taking into consideration the existing privacy and data protection regulatory frameworks and the possible need for developments in the regulatory space, given that Application Programming Interfaces (APIs) and TPPs lie outside the current framework. The FSCA acknowledges that South Africa has existing regulatory frameworks to deal with data protection, privacy and cybersecurity. The intention is not to create a new regime for Open Finance but to amplify existing frameworks. The existing frameworks discussed were as follows:

  • Protection of Personal Information Act, 4 of 2013 (POPIA), which provides for sharing information through voluntary, specific and informed consent;
  • Cybercrimes Act 19 of 2020, which criminalises certain cyber-related acts, including the disclosure of data messages which are harmful; and
  • Draft Joint Standard for Cybersecurity and Cyber Resilience Requirements (draft Cyber Joint Standard), which sets out the minimum standards for sound practices and processes to ensure that financial institutions are equipped to respond, react and recover from cyber-attacks.

Regulatory Proposals

The Draft Position Paper makes a number of proposals, including:


The draft paper is open for public comment until mid-August. The FSCA intends to use the submissions from the industry to finalise its policy positions around Open Finance.

Given the ever-increasing risks associated with cybersecurity and privacy (including frequent ransomware attacks and the sale of user credentials), any responses to the draft paper (and hopefully any outcomes arising from it) should align with the existing cybersecurity and privacy principles set out in our law. In our view, a consolidated approach between regulators and industry sectors on these cybersecurity and privacy principles remains the desired outcome. We believe that specific requirements on these items should only be imposed where it is strictly necessary to achieve a desired outcome. This will increase harmonisation across sectors and reduce barriers to entry for new participants.




These materials are provided for general information purposes only and do not constitute legal or other professional advice. While every effort is made to update the information regularly and to offer the most current, correct and accurate information, we accept no liability or responsibility whatsoever if any information is, for whatever reason, incorrect, inaccurate or dated. We accept no responsibility for any loss or damage, whether direct, indirect or consequential, which may arise from access to or reliance on the information contained herein.

© Copyright Webber Wentzel. All Rights reserved.
