October 9, 2024

Mastering IT Governance and Risk Management

By Hannes Geel, Masthead Compliance Officer

By 15 November of this year, financial institutions are expected to comply with the requirements set out in the Joint Standard on Information Technology (IT) Governance and Risk Management. Here are the key requirements financial institutions should take note of.

From streamlined operations to improved customer experiences, the rapid advancement in digital technology has resulted in numerous benefits for financial institutions and consumers. However, as with many things, with the good comes the bad. This surge in digitalisation has also ushered in a new era of cyberthreats to IT systems, posing significant challenges to the security and integrity of financial institutions. 

Recognising the importance of strong IT security strategies, regulatory bodies globally, including in South Africa, have enacted laws mandating institutions to implement measures to protect and manage these risks. One notable example is the Joint Standard 1 of 2023 on IT Governance and Risk Management issued by the Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA). Another key regulation, the Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience, will take effect on 1 June 2025. However, this article focuses on the IT Governance and Risk Management Standard. 

Managing IT Systems and Risks in the Financial Industry: Why the Joint Standard is Needed

The financial industry has experienced a major digital transformation, embracing online banking, customer portals, mobile apps and other tech resources. As IT systems and tools become central to delivering financial services, the associated risks from IT failures are becoming increasingly significant. Financial institutions handle vast amounts of valuable financial and personal information, making them prime targets for cybercriminals. In addition, the shift to remote work due to Covid-19 has expanded the potential IT entry points for attacks, further complicating security challenges. The critical role of IT means that any issues – whether from IT capacity challenges, cyberattacks or system failures – can have severe consequences.

Given these developments, it’s essential for institutions to have robust IT governance and risk management policies. These measures are critical for not only safeguarding against IT risks and system failures but also for establishing the necessary protocols to minimise the fallout from such risks.

To address these needs, the FSCA and PA have introduced the Joint Standard on IT Governance and Risk Management, effective 15 November 2024. This Standard aims to ensure that financial institutions implement strong IT governance and risk management practices tailored to their specific risk profiles, considering their size and complexity. The goal is to mitigate risks that could lead to operational disruptions, reputational damage, regulatory breaches and economic consequences.

The Standard’s main objectives are to:

  • establish a robust IT risk management framework;
  • integrate technology risk management into the overall management system; and
  • incorporate IT risk oversight into governance and risk management structures.

It applies to a broad range of financial institutions, including:

  • Discretionary and administrative financial service providers (FSPs)
  • Banks and their branches (including foreign branches)
  • Mutual banks
  • Insurers and controlling companies of insurance groups
  • Market infrastructures
  • Managers of collective investment schemes

Compliance with the Joint Standard: What is Required from Financial Institutions

Tailored IT policies and processes: Financial institutions subject to the Joint Standard must establish a comprehensive IT governance and risk management framework. It must be tailored to the business, taking into account the nature, scale and risk of the institution’s operations and the products and services it offers. 

IT risk management framework: This framework should include:

  • reporting procedures and asset safeguarding; 
  • IT service management policies and incident response procedures;
  • policies and procedures to safeguard sensitive information and mitigate associated risks; and
  • business impact assessments and disaster recovery planning.

Reviews: The governing body is also responsible for ensuring that the IT governance and risk management framework undergoes regular reviews (at least annually) so that it remains relevant and effective. In addition, independent reviews of the handling of sensitive or confidential information must be carried out periodically. 

Compliance is the responsibility of the governing body: An institution’s governing body is tasked with approving its IT strategy and overseeing the execution of internal controls and risk management practices by senior management. In other words, compliance with the Standard ultimately rests on the shoulders of the governing body. 

Integration into governance: IT risk management should be seamlessly integrated into the institution’s governance structures, with clear reporting lines to the governing body to ensure effective oversight. It should include change management, incident management and backup procedures to ensure smooth operations and resilience.

Customer protection measures: Financial institutions are expected to implement reasonable measures to protect IT users, including customers accessing online systems. And for added protection, institutions should implement customer awareness programmes that explain their security measures to their clients.

Reporting obligations: Any deviation from the Joint Standard must be promptly reported to the FSCA or PA. Financial institutions are advised to integrate reporting and notification obligations into their IT risk management protocols to ensure compliance.

Alignment with the Protection of Personal Information Act (POPIA): The Joint Standard explicitly references POPIA, emphasising the importance of aligning compliance efforts with existing data privacy legislation. This alignment ensures that personal information is comprehensively protected and that the institution’s technical measures are in line with regulatory requirements.

Staff training: FSPs must have in place a comprehensive IT Governance and Risk management training programme, and it should include training for the governing body on IT risk management practices. Additionally, training should be seen as an ongoing process, and staff should undergo refresher training to address evolving risks. The training programme should also be reviewed regularly to determine if it’s still relevant in the ever-changing fintech landscape.


Beyond compliance: How robust IT governance and risk management frameworks benefit businesses

Investing in a robust framework goes beyond mere compliance; it serves as a proactive shield safeguarding both your business and your clients from data losses and system failures. It requires the implementation of controls and procedures that will lead to more mature IT risk management capabilities, which can benefit your business in several ways:

  • Financial losses and business continuity: IT incidents can lead to financial losses, business disruptions and downtime. Financial institutions rely on continuous and secure operations to provide financial services; any disruption can have significant financial implications. By safeguarding against IT threats and minimising the risk of downtime, they can maintain operational efficiency and deliver uninterrupted services to clients.
  • Reputation and customer trust: An IT breach or system crash can result in operational failures and reputational damage, affecting customer trust and confidence. In an industry built on trust, the loss of reputation can have long-term consequences for financial institutions. In addition, robust measures protect sensitive customer data from unauthorised access, ensuring confidentiality, integrity and privacy, and maintaining customer trust.
  • Competitive advantage: Demonstrating a commitment to IT governance and risk management can enhance financial institutions’ competitive position in the market by fostering trust with customers, partners and stakeholders.
  • Risk management and incident response: Having a well-defined IT framework enables financial institutions to effectively manage risks and respond swiftly and decisively to incidents, minimising their impact on operations and reputation.
  • Mitigation of third-party risks: Financial institutions often collaborate with third-party vendors for various services. IT governance and risk management measures are crucial to managing the risks associated with these partnerships and ensuring the security of shared data and systems.
  • Avoiding penalties and legal actions: Implementing robust IT safety measures not only ensures compliance with regulatory standards but also helps avoid potential penalties and legal repercussions.
  • Protection of intellectual property and financial models: Financial institutions typically handle proprietary financial models, algorithms and other intellectual property critical to their competitiveness. IT governance and risk management measures are essential to prevent theft or compromise of these assets.

Be proactive and act now

As the deadline for compliance with the Joint Standard on IT Governance and Risk Management approaches, financial institutions should take the necessary steps now to beef up their IT security systems to align with the standard’s requirements.

It’s crucial that these institutions allow for enough time to review their current business operations, identify potential gaps and create and implement an IT security framework that is tailored to the nature of their operations. 

This can be a complex and laborious endeavour, but there is help available. For example, Masthead’s IT Risk Management and Cybersecurity Implementation Service can assist financial institutions with understanding the complexities of both the Joint Standard on IT Governance and Risk Management and the Joint Standard on Cybersecurity and Cyber Resilience.

By proactively embracing the measures in both Standards, financial institutions not only ensure compliance but also fortify their resilience against evolving risks, laying the foundation for sustainable growth and trust in an increasingly digitised world.
