In depth
On 25 July 2025, the Financial Sector Conduct Authority and the Prudential Authority (collectively, "Authorities") issued Joint Communication 2 of 2025 ("Joint Communication") in respect of cloud computing and data offshoring in South Africa's financial sector.
The Joint Communication applies to financial institutions as defined in terms of the Financial Sector Regulation Act, 2017, being:
- A financial product provider;
- A financial service provider;
- A market infrastructure;
- A holding company of a financial conglomerate; or
- A person licensed or required to be licensed in terms of a financial sector law.
The purpose of the Joint Communication is to clarify expectations of financial institutions that use cloud computing and/or the offshoring of data, as many financial institutions currently use these services through outsourcing arrangements. While the Prudential Authority issued two Guidance Notes in 2018 in relation to cloud computing and banks, no instruments have been issued to date in respect of non-bank financial institutions.
Best practice
The Joint Communication recommends these best practices be followed by financial institutions when using cloud computing and data offshoring:
- When implementing any cloud computing and/or data offshoring solution, financial institutions should follow a risk-based approach that is aligned with the financial institution's risk appetite, based on the nature, size and complexity of its operations;
- Financial institutions should consider implementing appropriate governance structures, processes, and procedures to oversee the use of cloud computing. These could include, for example, formulating a defined policy, board-approved data strategy and data governance framework that addresses the financial institution's risk appetite for cloud computing and/or data offshoring. To this end, financial institutions should take all reasonable measures to ensure the confidentiality, integrity and availability of their data, information technology applications or systems;
- Financial institutions should give due consideration to contractual and other legal requirements for these services and the enforceability of rights and obligations arising from these contractual arrangements; and
- When making strategic investments in the use of cloud computing and/or data offshoring, financial institutions are expected to exercise appropriate due diligence before concluding such strategic investments.
The way forward
The Authorities have begun formulating a regulatory instrument focused on introducing requirements pertaining to the use of cloud computing and data offshoring by financial institutions, which will be published for public comment in due course. In addition, the Authorities are in the process of developing a cloud computing and/or data offshoring Joint Standard. The scope of financial institutions that will be subject to the Joint Standard is still under consideration, but the current stated intention is to ensure alignment and uniformity across the financial sector, as far as possible. The Authorities have indicated that this Joint Standard will also be published for public consultation in due course.
In the interim, the Joint Communication highlights that the Authorities will continue to advance cloud computing and/or data offshoring risk management initiatives through regulatory and supervisory activities, which are geared towards enhancing the Authorities' regulatory and supervisory frameworks and practices.
The Authorities are expected to augment their supervisory capability of cloud computing and/or data offshoring risks in 2025 and 2026 through business-as-usual supervision across the financial sector. To this end, the Authorities have stated that they will continue to monitor how financial institutions have approached the integration of cloud computing and/or data offshoring risks into their governance, risk management and reporting processes.
Financial institutions operating in South Africa should therefore expect heightened supervision of their cloud computing and data offshoring practices from the Authorities going forward. They should actively assess internally whether the relevant IT functions and procurement are undergoing targeted risk assessment, and whether strategies are in place to develop governance models, processes, and procedures that meet the standard of market best practice.