South African financial institutions are bracing for comprehensive new regulations governing cloud computing and data offshoring practices, as the country’s regulators move to address mounting concerns about risk management in an increasingly digital financial sector.
In a joint communication issued in July 2025, the Reserve Bank of South Africa and the Financial Sector Conduct Authority (FSCA) signaled their intention to formulate a dedicated regulatory instrument focused on cloud computing and data offshoring requirements. The announcement marks a significant evolution from the country’s current 2018 directive and guidance note, which regulators now view as insufficient for managing contemporary cloud-related risks.
Why New Regulation Is Necessary
The regulatory intervention comes at a critical juncture for South Africa’s financial sector. Many institutions have already embraced cloud computing services through various outsourcing arrangements with cloud service providers or through internal arrangements with parent organizations. However, this rapid adoption has outpaced the regulatory framework designed to govern it.
South Africa’s financial regulators have recognized that their oversight has fallen behind other jurisdictions in managing the unique risks posed by cloud computing and data offshoring. The FSCA’s three-year regulation plan, published in July 2024, explicitly proposed stricter risk management standards to close this gap and bring South African financial regulation in line with international best practices.
The regulatory push reflects a broader concern that without proper oversight, the financial sector’s increasing reliance on cloud infrastructure could expose the economy to systemic risks. As financial institutions migrate critical operations and sensitive data to cloud environments, the potential impact of security breaches, service disruptions, or data sovereignty issues grows exponentially.
The regulators have made clear that directors and senior managers bear ultimate responsibility for managing these risks, emphasizing that cloud adoption is not merely a technical decision but a governance imperative requiring board-level attention.
Risks the Regulation Aims to Address
The forthcoming regulations target several critical risk categories that have emerged as financial institutions increasingly depend on cloud infrastructure.
Data Sovereignty and Security: When financial institutions offshore data to cloud providers with servers in foreign jurisdictions, questions arise about data protection, privacy compliance, and regulatory access. South African authorities need assurance that sensitive financial data remains appropriately protected and accessible for supervisory purposes, regardless of where it physically resides.
Operational Resilience: Heavy reliance on third-party cloud providers creates concentration risk. If a major cloud service experiences an outage or security breach, multiple financial institutions could be affected simultaneously, potentially threatening financial stability. Regulators want to ensure institutions have robust contingency plans and don’t create single points of failure.
Vendor Management and Due Diligence: The complexity of cloud service agreements and the technical expertise required to evaluate cloud providers mean many financial institutions may not fully understand the risks embedded in their cloud arrangements. Inadequate vendor oversight could expose institutions to unexpected vulnerabilities or contractual obligations that conflict with regulatory requirements.
Transparency and Oversight: Cloud computing arrangements can obscure exactly where data resides, how it’s processed, and who has access to it. This opacity makes regulatory supervision more challenging and increases the risk that institutions inadvertently violate data protection or financial regulations.
Exit Strategy and Lock-in: Financial institutions need credible plans for migrating away from cloud providers if relationships deteriorate or requirements change. Without proper exit strategies, institutions could find themselves trapped in unsuitable arrangements with significant switching costs.
Cross-border Regulatory Complexity: When South African financial institutions use cloud services spanning multiple jurisdictions, they must navigate overlapping and sometimes conflicting regulatory requirements. The new regulations aim to clarify expectations and ensure institutions adequately address this complexity.
Compliance Requirements for Financial Institutions
While the full regulatory instrument awaits public consultation and formal publication, regulators have already outlined the framework institutions must begin implementing.
Risk-Based Approach: Financial institutions must adopt a risk-based methodology aligned with their specific risk appetite, considering the nature, size, and complexity of their operations. This means smaller institutions with straightforward cloud usage will face different expectations than large banks with complex, multi-cloud architectures. Each institution must assess its unique risk profile and implement proportionate controls.
Governance Structures: Institutions must establish appropriate governance structures, processes, and procedures specifically focused on overseeing cloud computing usage. This includes creating formal policies that define acceptable cloud usage, establish approval processes for cloud adoption, and assign clear accountability for cloud-related decisions.
Data Strategy and Governance Frameworks: Regulators expect institutions to develop comprehensive data strategies that address how data is classified, protected, stored, and accessed within cloud environments. Governance frameworks must establish clear lines of responsibility and decision-making authority for data management across cloud platforms.
Contractual and Legal Requirements: Cloud service agreements must be structured to meet regulatory expectations, including provisions for data access by regulators, audit rights, service level agreements, data residency requirements, and exit procedures. Legal teams will need to carefully review and negotiate cloud contracts to ensure compliance with both current and forthcoming requirements.
Due Diligence Processes: Before engaging cloud service providers, institutions must conduct thorough due diligence assessing the provider’s financial stability, security capabilities, compliance track record, and operational resilience. This due diligence should be documented and reviewed regularly, not treated as a one-time exercise.
Ongoing Monitoring and Supervision: Compliance doesn’t end once cloud services are implemented. Regulators expect continuous monitoring of cloud provider performance, regular risk assessments, and periodic reviews of cloud strategies. Institutions must be prepared for supervisory examinations that include scrutiny of their cloud computing arrangements.
Senior Management Accountability: The regulators have explicitly placed responsibility on directors and senior managers for cloud-related risk management. This means board-level oversight, regular reporting on cloud risks, and personal accountability for compliance failures. Senior leaders can no longer treat cloud computing as purely a technical matter delegated to IT departments.
Looking Ahead and Remaining Compliant
The regulators plan to publish their proposed regulatory instrument for public consultation before finalizing requirements. This consultation process will give financial institutions and cloud service providers an opportunity to provide input on the practicality and impact of proposed rules.
In the meantime, South African financial institutions should begin preparing by reviewing their current cloud arrangements, identifying gaps in governance and oversight, and developing remediation plans. Waiting for the final regulations to be published could leave institutions scrambling to achieve compliance within potentially tight deadlines.
The shift also signals that South Africa is joining a growing number of jurisdictions taking a more prescriptive approach to cloud computing in the financial sector. Financial institutions operating across multiple African markets should anticipate similar regulatory developments in other countries as regulators coordinate their approaches to cross-border cloud computing risks.
For South African financial institutions, the message is clear: cloud computing offers significant benefits but requires sophisticated risk management, robust governance, and senior-level accountability. The era of informal cloud adoption is ending, replaced by a regime of regulatory oversight designed to protect both individual institutions and the broader financial system.