In a rapidly digitalising financial landscape, cloud computing and the offshoring of data have become powerful enablers of innovation, flexibility, and cost-efficiency. However, their adoption is not without material risks and regulatory considerations. Recognising the growing use of these technologies across South Africa’s financial sector, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) jointly issued a pivotal communication – Joint Communication 2 of 2025 – to provide interim guidance and signal their intention for further regulatory developments. It builds upon previous regulatory efforts, notably Directive 3 and Guidance Note 5 of 2018, which focused primarily on banking institutions.
Joint Communication 2 of 2025 aims to highlight Risk Mitigation Expectations by outlining the regulators intention to issue a new regulatory instrument (Joint Standard) for cloud computing and data offshoring activities, formalising the governance, strategy, resilience, and risk management measures that financial institutions should adopt when using cloud computing or offshoring data.
The Joint Communication indicates that future obligations will apply broadly to all financial institutions as defined in the Financial Sector Regulation Act of 2017, with the exception of Lloyd’s and branches of foreign reinsurers.
The Joint Communication acknowledges the increasing use of cloud services through both outsourcing (via third-party providers) and insourcing (via parent companies) across the financial ecosystem. It aims to reinforce accountability by placing a strong emphasis on the importance of Governance and clarity the role of boards and senior management in driving risk-informed decisions related to cloud adoption.
While the future Joint Standard will formalise specific obligations, financial institutions, including FSPs, are already expected to align with best practices when making strategic investments in the use of cloud computing and/or data offshoring, including exercising appropriate due diligence before concluding strategic investments into solutions. Key expectations include adopting a risk-based approach in that cloud and offshoring decisions must be proportionate to an institution’s risk appetite, scale, and complexity.
Financial institutions will be required to conduct a context-sensitive risk assessment to establish cloud governance structures, including a board-approved cloud and data strategies, a robust data governance framework and documented policies and procedures that define roles, responsibilities, and accountability. These structures must ensure data confidentiality, integrity, and availability.
While the scope of the developing Joint Standard is still under review, the aim is to ensure uniform application of cloud-related rules across all financial institutions. The draft Joint Standard will be released for public consultation in due course. Supervisory activities will increase from 2025 onward, with regulators actively monitoring cloud and data offshoring strategies during routine engagements.
Cloud computing and data offshoring present undeniable benefits for financial innovation. However, these must be balanced with sound risk management, regulatory awareness, and board-level oversight. Joint Communication 2 of 2025 is a crucial step in shaping a safer, more resilient digital financial sector – and FSPs must act now to stay ahead of the regulatory curve.