Keep up to date on the most important Financial Services Regulation developments in South Africa from December 2021 to February 2022.
Financial Sector Laws Amendment Act
Parliament passed the Financial Sector Laws Amendment Act 23 of 2021 (the Act). The Act amends various financial sector statutes, including the Banks Act 94 of 1990, the Insolvency Act 24 of 1936, the South African Reserve Bank Act 90 of 1989, the Mutual Banks Act 124 of 1993, the Competition Act 89 of 1998 and the Financial Sector Regulation Act 9 of 2017. One of the changes the Act makes is the designation of the South African Reserve Bank (SARB) as the authority responsible for the resolution of all designated institutions; it further provides the SARB with additional powers to ensure the orderly resolution of any designated institution.
The Act establishes a deposit insurance scheme, including a Deposit Insurance Fund (DIF) and Corporation for Deposit Insurance (CoDI) under the supervision of the SARB. The Act provides preference to covered depositors in liquidation.
CoDI will impose an administrative penalty of 5% of the premium due for the specific reporting month should a member not submit its deposit insurance submission during its allocated submission period and subsequently default after a 1-month extension. CoDI will have the power to impose an administrative fee of 10% of the outstanding amount per day, accruing daily from the date on which the amount became due, if a member does not pay its compulsory financial contributions, such as annual levies, monthly premiums, deposit adjustments or administrative penalties.
Discussion Paper on Operational Continuity during Resolution
The SARB published a discussion paper titled “Proposed arrangements to support operational continuity in resolution” which discusses the operational continuity in resolution (OCIR) proposals. OCIR is the capability of a designated institution in resolution to support the continuity of its essential services and maintain core business lines to enable its continued provision of critical functions to facilitate orderly resolution.
The paper focuses on operational activities that support the continuation of essential services in resolution, such as information technology infrastructure and software, human resources and personnel, and procurement and facilities management. To maintain operational continuity, a designated institution will be required, amongst other things, to:
- identify and assess risks to OCIR;
- put measures in place to be able to produce management information in a flexible manner;
- put in place arrangements to ensure that service providers cannot terminate, amend or suspend contracts and service level agreements that support the maintenance of core business lines and critical functions as a result of the designated institution’s entry into resolution;
- include terms which make provision for the transfer, assignment or novation of the contract, to enable the essential services to be transferred by the essential service recipient or to be provided by a different service provider if necessary, where contracts and service level agreements are governed by non-South African law; and
- put in place adequate contingency arrangements to support OCIR.
Prudential Standards for Financial Conglomerates
On 10 December 2021, the Prudential Authority (PA) published four draft prudential standards prescribing the minimum requirements that must be complied with by holding companies of financial conglomerates, namely:
- FC02 – Intragroup Transaction and Exposure Requirements for Financial Conglomerates;
- FC03 – Auditor Requirements for the Holding Companies of Financial Conglomerates;
- FC04 – Governance and Risk Management Requirements for Financial Conglomerates; and
- FC05 – Risk Concentration Requirements for Financial Conglomerates.
Section 160 of the Financial Sector Regulation Act 9 of 2017 (FSR Act) empowers the PA to designate members of a group of companies as a financial conglomerate. Designated financial conglomerates must include both an eligible financial institution and a holding company of the eligible financial institution, but need not include all the members of the group of companies.
Before designating members of a group of companies as a financial conglomerate, the PA must give the holding company of the eligible financial institution notice of the proposed designation and a statement of the purpose of and the reasons why the designation is proposed. Moreover, the holding company must be given a reasonable period in which to make submissions on the proposed designation.
As from 1 January 2022, members of a group of companies designated as a financial conglomerate will need to comply with the prudential standards. Briefly, each draft Standard requires the following:
- Prudential Standard FC02 – Intra-group transactions and exposures: requires that all material intra-group transactions and exposures are reported to the PA on a semi-annual basis, including the nature of the transaction regarded as significant and the counterparties involved.
- Prudential Standard FC03 – Auditor requirements for financial conglomerates: prescribes the PA’s requirements for approval to be an auditor of a financial conglomerate. This Standard also empowers the PA to require joint auditors for a financial conglomerate based on the nature, scale and complexity of the financial conglomerate.
- Prudential Standard FC04 – Governance and risk management requirements for financial conglomerates: prescribes the PA’s requirements and principles on governance and risk management for a financial conglomerate, including board composition, board committees, roles and responsibilities of the board and key persons, board performance, delegations and risk strategy.
- Prudential Standard FC05 – Risk concentration requirements for financial conglomerates: requires the financial conglomerate to have an internal policy to identify, measure and monitor risk concentration, and imposes a reporting requirement on the conglomerate for each significant institution.
Capital Requirements for Financial Conglomerates
A fifth Draft Standard, Prudential Standard FC01 – Capital Requirements for Financial Conglomerates (Draft Capital Standard), was published on 28 January 2022, along with the accompanying regulatory reporting return (Return).
This Standard prescribes the PA's capital requirements and sets out the capital reporting requirements for financial conglomerates. It requires the holding company of a financial conglomerate to comply with the requirements regarding the calculation of available capital and required capital. The board of the holding company is responsible for ensuring that the financial conglomerate meets the capital requirements on a continuous basis.
The Draft Capital Standard and Return will be field tested with designated financial conglomerates and volunteers with effect from 1 February 2022. Volunteers are companies that have not been designated as financial conglomerates, but wish to participate in the field testing. It is envisaged that the field testing will be conducted over a minimum period of two years, whereafter formal consultation on the Draft Capital Standard will commence. The PA will use the field testing as an opportunity to gather information on the impact of the Draft Capital Standard on financial conglomerates. The information gathered will be used to amend or refine the Draft Capital Standard so that the version used for formal consultation is appropriate and relevant for financial conglomerates in the South African industry.
Joint Standard: Cybersecurity & Cyber Resilience Requirements
On 15 December 2021, the Financial Sector Conduct Authority and the Prudential Authority (Authorities) published the Joint Standard: Cybersecurity and Cyber Resilience Requirements (Joint Standard) for consultation.
The Joint Standard places several requirements regarding cybersecurity on financial institutions. Some of the most important requirements include:
- establishing and maintaining a cybersecurity strategy which must be reviewed annually;
- presenting annual cybersecurity awareness training to all users of the financial institution's information assets;
- clearly defining the roles and responsibilities of those overseeing cybersecurity risks;
- concluding non-disclosure or confidentiality agreements with users;
- ensuring the secure return or transfer of data when contracts are terminated and data must be returned, or, where return of data is impossible, implementing processes for the secure destruction of storage media that contains the financial institution’s information; and
- permanently deleting sensitive data from devices before those devices are disposed of or assigned to different users.
Financial institutions should keep governance and oversight of information security separate from cybersecurity operations to ensure an adequate division of duties and to avoid any potential conflicts of interest. While oversight of cyber risk management may be delegated to a third party, financial institutions must ensure that their information assets may only be accessed remotely from devices that have been secured in accordance with the financial institution’s security standards.
Furthermore, the Joint Standard addresses the detection of security breaches and the incident response and reporting that must follow any such breach. Financial institutions must be capable of recognising signs of potential cyber incidents and of detecting when cyber systems have already been compromised. Financial institutions are also required to establish effective incident management policies to enable them to respond quickly to and recover from cyber-attacks. Cyber incident response and management plans must specify how financial institutions intend to isolate and neutralise cyber threats in order to securely resume affected services. Such plans must also specify the procedures that a financial institution will follow to investigate any cybersecurity breach and identify how its systems were compromised.
Finally, unless a reporting obligation already exists in another financial sector law, a financial institution must notify the Authorities of any material systems failure, malfunction, delay, other disruptive event, or any cyber incident within 24 hours of classifying the event as material.