Cloud computing and data offshoring: Guidance for financial institutions

Overview of the Joint Communication 2 of 2025

The Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) have released a joint communication to guide financial institutions on managing the risks of cloud computing and/or the offshoring of data. This move forms part of their ongoing efforts to strengthen governance, resilience and compliance within the financial sector. This joint communication applies to financial institutions as defined in the Financial Sector Regulation Act, 2017, with the exception of Lloyd’s and branches of foreign reinsurers.

Purpose

The joint communication serves three purposes. Firstly, it seeks to inform financial institutions of the measures that may be considered to mitigate risks associated with the use of cloud computing and the storage or processing of data outside South Africa. Secondly, it highlights the important role of boards of directors and senior management in overseeing these activities from both a risk management and risk mitigation perspective. Finally, it serves to announce the FSCA and PA’s intention to issue a regulatory instrument that will introduce requirements for the use of cloud computing and data offshoring by financial institutions.

Current use of cloud computing and offshoring services

Many institutions are already making use of cloud services and/or data offshoring services through outsourcing arrangements with cloud service providers and/or through insourcing with a parent organisation. Until now, regulatory oversight in this area has been limited to banks, under Directive 3 of 2018 and Guidance Note 5 of 2018, but the Authorities have now begun developing a Joint Standard that will extend across the broader financial sector.

Interim guidance for institutions

While the formal regulatory instrument is being prepared, the Authorities have set out their interim expectations. Institutions are encouraged to adopt a risk-based approach that aligns with their risk appetite, based on their nature, size and operational complexity. They should consider putting in place appropriate governance structures, processes and procedures to oversee the use of cloud computing and should take all reasonable measures to ensure the confidentiality, integrity and availability of their data, information technology applications or systems. Legal and contractual considerations should be carefully addressed, and due diligence undertaken before concluding such strategic investments.

What next?

Looking ahead, the Authorities will continue to advance cloud computing and/or data offshoring risk management initiatives through regulatory and supervisory activities aimed at enhancing their regulatory and supervisory frameworks and practices. They are in the process of developing a cloud computing and/or data offshoring Joint Standard, with the scope of financial institutions to be covered still under consideration, but with the intention of ensuring alignment and uniformity across the financial sector.

The Joint Standard will be published for public consultation in due course. In 2025 and 2026, the Authorities will augment their supervisory capability in this area through business-as-usual supervision across the financial sector, continuing to monitor how financial institutions integrate cloud computing and/or data offshoring risks into their governance, risk management and reporting processes.
