The South African Reserve Bank’s (SARB’s) Prudential Authority (PA) is racing to catch-up with fast-evolving technologies reshaping the financial sector.
There are several new frameworks in the pipeline targeting crypto assets, artificial intelligence (AI) and cloud computing.
The regulator has highlighted these areas as critical focus points, as it moves to better understand and supervise emerging tech that is already being widely adopted in the financial services space. A new standard on crypto exposure, an AI survey and interim cloud guidance form part of its strategy, according to its recently released 2024/25 annual report.
Mark Walker, IDC VP of data and analytics for Middle East, Turkey and Africa, and MD of IDC South Africa, says: “It’s great that they are doing this, it’s necessary that they are doing this; there’s got to be some sort of national standard.”
However, he notes the PA is “coming to the game late” and has “a lot of catching up to do”.
In his foreword to the report, SARB governor and PA chairman Lesetja Kganyago says during the year under review, the PA “focused on several measures to strengthen South Africa’s financial system”.
These included guarding against “ever-more sophisticated cyber attacks” − a growing threat in an increasingly digitised financial ecosystem.
PA CEO and SARB deputy governor Nomfundo Tshazibana adds that “cyber risk and operational resilience remain areas of focus, especially in relation to third-party risks”. While new technologies lower barriers to entry, she cautions that “they also bring about unique risks”.
The regulator, formed in 2018 following the collapse of African Bank and the shift to the “Twin Peaks” regulatory model, is now moving to close the gaps created by disruptive digital innovation.
Veteran ICT commentator Adrian Schofield notes: “The challenge for SARB is to move fast enough. Taking time to establish frameworks of principles suggests delayed implementation of actual preventative measures.”
Walker says the central bank will require expert input to ensure it can successfully navigate regulations around the latest technology.
Among the initiatives the authority is busy with is a standard dealing with banks’ exposure to crypto assets, which is in draft and expected to be published towards the end of 2026. This follows changes to the Basel Committee on Banking Supervision’s framework published last year, which includes provisions for managing cyber and IT risks as part of its core principles for effective banking supervision.
Crypto regulation has become increasingly important given its uptake and dated laws. Recently, a court ruled that apartheid-era exchange control regulations cannot be used to govern crypto transactions. SARB is appealing the decision to retain more than R16.4 million it seized from a defunct company it says breached forex rules.
Cloud computing and data offshoring are also under review. Earlier this year, the PA issued interim guidance to banks and insurers, calling for a risk- and principle-based approach that promotes innovation without compromising operational security. This guidance serves as a framework while it develops policy.
Walker notes that data sovereignty has become a big issue lately.
At the same time, the authority is working on a survey on AI adoption in the banking sector. The results, expected later this year, will address safety, soundness, consumer protection and financial stability.
The PA has also finalised a cross-sectoral framework for cyber security risk management and recovery. This aligns with 2022 recommendations from the International Monetary Fund, which urged SARB to intensify oversight through more frequent and in-depth inspections.
SARB’s unit is also “developing cross-sectoral regulatory instruments for harmonising requirements across different industries”. To this end, a framework setting out principles for financial institutions to manage and recover from cyber risks was developed. The Joint Standard on Cyber Security and Cyber Resilience was approved by Parliament on 1 June.
Last month, SARB warned “the financial sector could fall victim to a situation where a single [cyber] disruption could simultaneously impair multiple institutions, triggering a systemic event”.
Share