As South Africa’s Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) enforce the new Joint Standard for IT Governance and Risk Management, the financial sector faces heightened scrutiny.
Effective from November 15, this regulatory milestone mandates banks, asset managers, and insurers to strengthen their IT risk management frameworks in line with global standards.
The regulation aims to improve resilience and ensure business continuity, with significant implications for South Africa’s financial services industry, where dependence on third-party software providers continues to grow.
With this mandate, financial institutions must not only identify and mitigate third-party IT risks but also adopt robust protocols for business continuity. Institutions failing to comply within a year may face severe consequences, including financial penalties or even the suspension of operating licences.
“The new regulation takes a comprehensive approach to managing supply chain vulnerabilities, emphasising the need for financial institutions to maintain a critical inventory of service providers and institute clear business continuity plans,” said Guy Krige, executive risk consultant at ESCROWSURE.
He notes that an essential element of compliance is the accessibility of critical software, even in cases where external providers may face operational disruptions. A practical compliance solution that has gained attention is software escrow, which involves depositing essential source code with a third-party provider.
This measure ensures that financial institutions can access vital applications even if a software vendor fails to meet obligations, securing operational continuity. Software escrow is widely mandated in countries like Singapore and India as a cornerstone of IT risk management.
“In South Africa, software escrow is emerging as a proactive compliance tool, enabling financial institutions to meet the new regulatory demands while securing an operational contingency against software supplier failure,” Krige explained.
Further regulatory challenges lie ahead, as South Africa's financial sector prepares for the upcoming Joint Standard on Cybersecurity and Cyber Resilience, set to be enforced in June 2025.
This regulation will bring a specific focus to cyber threats and third-party risk management, intensifying the importance of escrow agreements to safeguard continuity.
As Krige summarises, “Investing in escrow agreements not only ensures compliance with today’s IT governance standards but also positions companies to face the heightened cybersecurity challenges of 2025. Software escrow represents a strategic, cost-effective measure that bolsters operational resilience and protects critical IT assets.”
IOL