Banking Regulation 2025

Last Updated November 04, 2024

South Africa

Law and Practice

Author



A&O Shearman advises the world’s leading financial institutions and has invested in building a large financial services regulatory practice that can cover a very wide scope of regulations. With 80 experts across its global network, the practice offers clients expertise in the key regions, from its large US practice to full-service coverage of the key European jurisdictions. A&O Shearman’s well-established offices in the Middle East and Asia-Pacific have also been involved in setting up many of the regulatory systems that exist in those regions today. In South Africa, the firm has advised local banks relating to changes in capital requirements arising from the continued implementation of Basel III and prohibited practices under the Banks Act. The financial services regulatory practice also advises both banks and investors in relation to capital relief transactions and regulatory capital investments.

Banking Regulation

The South African Reserve Bank (SARB), which is South Africa’s central bank, was established by the South African Reserve Bank Act, 1989, and is the primary regulator of banking in South Africa. The SARB administers the Banks Act, 1990 (“Banks Act”), which is the primary statute governing banking. Subsidiary legislation promulgated under the Banks Act, including the Regulations Relating to Banks, 2012 (“Bank Regulations”), sets out a comprehensive framework of prudential regulation of banking activities. The SARB additionally regulates mutual banks, which are owned by their depositors, in accordance with the Mutual Banks Act, 1993, and co-operative banks in accordance with the Co-operative Banks Act, 2007, but these entities are not the focus of this chapter.

The Prudential Authority (PA) operates within the administration of the SARB and is the direct licensing authority and supervisor of the domestic activities of South African banks and their foreign branches, as well as representative offices and domestic branches of foreign banks. It was formed as the first peak of the “Twin Peaks” reform, splitting bank and financial services regulation into prudential and conduct regulation. The PA is tasked with ensuring the financial stability and soundness of banks in South Africa and ensures the application of international regulatory and supervisory standards. To that end, the SARB is designated as the resolution authority in respect of the resolution of designated financial institutions, including banks, under Chapter 12A of the Financial Sector Regulation Act, 2017 (FSRA).

The National Treasury Department of the Republic of South Africa (“Treasury”) is vested with responsibility for a system of exchange controls founded in the Currency and Exchanges Act, 1933, and the exchange control regulations thereunder (“Exchange Control Regulations”). The Treasury has delegated that responsibility to the SARB. The Financial Surveillance Department of the SARB (FinSurv) is responsible for the day-to-day administration of the Exchange Control Regulations, which are implemented in practice by banks that have been designated as “Authorised Dealers” under the Exchange Control Regulations.

Company Legislation

The Companies Act, 2008 (“Companies Act”), will apply to a registered bank in South Africa because a bank must be a public company. The Companies and Intellectual Property Commission (CIPC), together with the Takeover Regulation Panel in respect of mergers and other changes in control, are the regulators tasked with enforcing the Companies Act. In practice, most often the public company (being the bank itself or the controlling company of the bank) will be listed, and therefore the Listing Requirements and Equities Rules of the Main Board of the exchange operated by JSE Limited, known as the Johannesburg Stock Exchange (JSE), will also apply to the bank, particularly in respect of questions of corporate governance.

AML and CFT

The Financial Intelligence Centre (FIC) regulates, inter alia, banks as accountable institutions, ensuring compliance with the Financial Intelligence Centre Act, 2001 (FICA). The Prevention of Organised Crime Act, 1998 (POCA), the Prevention and Combating of Corrupt Activities Act, 2004, and the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004, also form part of the AML/CFT regime applicable to banks.

Market Conduct

The FSRA also established the Financial Sector Conduct Authority (FSCA), which is the dedicated market conduct regulator for the financial services sector. The FSCA administers the Financial Advisory and Intermediary Services Act, 2002 (FAIS), which regulates the provision of advice and intermediary services in relation to financial products, including deposits. Banks must be authorised under the FAIS to market deposits or other financial products in South Africa, and compliance with the FAIS is overseen by the FSCA.

Retail Credit

The National Credit Act, 2005, established the National Credit Regulator (NCR), which is the primary regulator of South African credit providers. The NCR oversees the registration and conduct of credit providers, credit bureaus and debt counsellors.

Data Protection

The Protection of Personal Information Act, 2013 (POPIA), established the Information Regulator, which is responsible for ensuring compliance by public and private bodies, including banks, with data protection rules in South Africa.

Licences, Activities

Conducting the business of a bank may only be undertaken by a public company (incorporated under the Companies Act) that is registered/licensed as a bank under the Banks Act or a branch of a foreign bank registered under Section 18A of the Banks Act. Possession of a registration certificate entitles the bank or branch of a foreign bank to conduct the business of a bank in South Africa – in particular to solicit for and conduct deposit-taking activities and to use deposits to grant loans, for investment or to finance business activities.

A foreign bank can alternatively register a representative office, but a representative office cannot conduct the business of a bank.

Conditions for Authorisation

A prospective bank may, but is not required to, initiate the application process by setting up a meeting with the PA to discuss business plans, the licensing process and the application requirements. The first requirement for any prospective new bank is to apply to the PA for authorisation to establish a bank. As mentioned in 1.1 Key Laws and Regulations, only a public company may register as a bank. However, the CIPC cannot register a company’s memorandum of incorporation (MOI) unless the application for registration is accompanied by the PA’s approval.

Process for Authorisation

An application to the PA for authorisation to establish a bank must be made in the required form and contain the information prescribed by the Bank Regulations and any further information the PA requires. The PA grants such approval if it believes that the prospective bank is likely to be eligible for registration as a bank.

The prospective bank can apply for registration as a bank during the 12 months after the date of the authorisation. Again, the application must be made in the required form, and contain the information required in Section 16(2) of the Banks Act and any further information deemed necessary by the PA. The PA can revoke authorisation if any false or misleading information is found to have been provided, or the bank is not formed within 12 months of the date of the authorisation.

The PA can grant, refuse or conditionally grant registration as a bank. The PA will only grant registration if the criteria in Sections 13(2) and 17(1) of the Banks Act have been met, including that:

  • the establishment of the prospective bank is in the public interest;
  • the proposed business of the prospective bank is the business of a bank, to be conducted in a prudent manner and as a public company incorporated and registered under the Companies Act with an MOI consistent with the Banks Act; and
  • the applicant will be able to successfully establish itself as a bank, with the means to comply with the Banks Act, and does not propose any undesirable business methods.

Finally, an applicant must also prove compliance with the minimum share capital and unimpaired reserve funds requirements of the Banks Act relating to the specific business that the bank conducts. The calculation formulas differ depending on the bank’s activities. For example, Section 70 of the Banks Act distinguishes between banks that trade solely in financial instruments, banks that trade in financial instruments as part of their business, and banks that do not trade in financial instruments.

Obtaining registration as a bank generally entails significant interaction with the PA and is likely to take between ten and 16 months from the date of application to receipt of a certificate of registration. Once a licence is obtained, it must be renewed annually.

Licensed Activities and Restrictions

A banking licence permits its holder to engage in ‘the business of a bank’, as that term is defined in the Banks Act. Such business includes, inter alia, soliciting and accepting deposits from the general public, issuing notes, using money accepted by way of deposit or the issuance of notes for granting loans, investing and/or financing others’ business activities. Section 78 of the Banks Act lists a number of ‘undesirable practices’, in which a bank must refrain from participating. The undesirable practices include, inter alia, holding shares in its parent, lending money against security of its own (or its parent’s) shares and entering into repurchase agreements in respect of assets created by simulated transactions.

Ancillary Activities and Required Authorisations

In South Africa, licensed banks participate in the financial markets in various capacities for which additional permissions are required.

  • Authorisation from the Payment Association of South Africa is required for a bank to participate in the national payment system.
  • Appointment by the SARB is required for a bank to become an authorised dealer for exchange control purposes.
  • Appointment by the Treasury is required for a bank to act as a primary dealer in government debt securities.
  • Authorisation from the FSCA to act as a financial services provider is required for a bank to provide advice and intermediary services in respect of financial products.
  • Authorisation from the FSCA and the PA to act as an over-the-counter derivatives provider (ODP) is required for a bank to sell, originate or make a market in over-the-counter derivatives.
  • Authorisation from the FSCA and the PA is required for a bank to provide long-term or short-term insurance.
  • A bank must become a registered credit provider with the NCR in order to engage in retail lending.

Branches and Cross-border Services

South Africa does not recognise European Union passporting for banks or financial services. For a foreign bank to obtain authorisation to operate a branch, the applicant must submit a completed form accompanied by the prescribed fee. The PA can request such further information and documentation as it deems necessary. A foreign bank establishing a branch must meet several criteria, including that the foreign bank must:

  • hold assets above a certain amount for the 18 months prior to the application;
  • have an acceptable long-term investment-grade debt rating; and
  • lawfully conduct the business of a bank in a foreign jurisdiction.

The PA will also consider certain aspects of the foreign bank’s regulatory regime and its compatibility with the PA’s requirements. In addition, the branch will be required, inter alia, to have capital exceeding certain thresholds, maintain a minimum reserve balance with the SARB, and comply with the minimum liquid assets requirement in the Banks Act.

Application fees and annual licence fees are payable.

Change in Control

The Banks Act prohibits any person (other than the bank’s controlling company) from acquiring (including with concert parties) shares in a bank or controlling company amounting to more than 15% of the total value or voting rights of the bank’s issued shares without permission of the PA or the Minister of Finance (MoF). This includes an acquisition which, together with shares already held by that person or an associate of that person, amounts to more than 15% of the total nominal value or total voting rights of the bank’s issued shares.

The PA can authorise a person who has for 12 months, or any shorter period the PA determines:

  • held 15% of shares or voting rights in respect of issued shares, to acquire more than 15% but no more than 24% of the shares or voting rights in a bank or controlling company; or
  • held 24% of shares or voting rights in respect of a bank’s issued shares, to acquire more than 24% but no more than 49% of those shares or voting rights.

The MoF, acting through the PA, can authorise a person who has for 12 months, or any shorter period the MoF determines:

  • held 49% of those shares or voting rights in respect of a bank’s issued shares, to acquire more than 49% but no more than 74% of those shares or voting rights; or
  • held 74% of the shares or voting rights in respect of a bank’s issued shares, to acquire more than 74% of those shares or voting rights.

The above rules also apply to foreign ownership of banks.

To grant authorisation, the PA and/or the MoF must be satisfied that the proposed acquisition is not contrary to the interests of the public or the bank, its depositors or its controlling company.

Further, the Banks Act prohibits any person other than a registered bank controlling company, a bank or an institution approved by the PA and conducting a business like the business of a bank in a country other than South Africa from exercising control over a bank.

The Companies Act

In addition to the above, the Companies Act requires that a shareholder must report to an issuer if it acquires or disposes of shares such that the shareholder’s holding crosses, up or down, the 5% threshold or any multiple of 5%. The issuer in turn must report the information on the JSE’s Stock Exchange News Service. Entitlements to a bank’s shares (for example, convertibles and options) must be counted, but not synthetic exposure to a bank’s shares.

Ongoing Obligations

‘Significant owners’ (which generally involves holding at least a 15% stake or having 15% control) in a bank are subject to various fitness and propriety requirements that are set by the FSCA and PA in Joint Standard 1 of 2020, titled ‘Fitness, Propriety and other Matters Related to Significant Owners’. The Joint Standard lists a number of circumstances that may indicate that a natural or juristic significant owner is not fit and proper, such as, inter alia, conviction for a financial crime, being the subject of a civil judgment for theft, fraud, forgery or other acts of dishonesty, removal from an office of trust, or sequestration or liquidation. A significant owner and the relevant bank are obliged to notify the FSCA and the PA of the occurrence of any such circumstances.

Statutory Requirements

The Banks Act requires that a bank’s board of directors and executive officers must establish and maintain an adequate and effective process of corporate governance aimed at achieving the bank’s strategic and business objectives efficiently, effectively, ethically and equitably within acceptable risk parameters. The board and officers must also ensure compliance with all applicable laws and corporate behaviour that is universally recognised as correct and proper. The board and officers must establish mechanisms and procedures to minimise potential conflicts of interest between the bank and the personal interests of directors and officers. The board must retain control over the strategic and business direction of the bank, while allowing executives to manage operations and achievement of objectives.

The Bank Regulations additionally make the board of directors responsible for ensuring that governance includes the maintenance of effective risk management and capital management. The maintenance process must be consistent with the nature, complexity and risk inherent in the bank’s on-balance sheet and off-balance sheet activities, and the board must ensure that the bank’s risk management and capital management are able to respond to changes in the bank’s environment and conditions. The board can appoint supporting committees.

In addition, the PA publishes Guidance Notes, which may provide guidance with respect to corporate governance requirements.

Voluntary Codes

The King Code applies to all organisations in South Africa, including banks. It is voluntary, but companies listed on the JSE (such as banks, which are public companies) must report on their compliance with the King Code. The latest iteration, “King IV”, is a collection of 16 principles (plus one that applies only to institutional investors) promoting “the exercise of ethical and effective leadership by the governing body”. Some of the aspects of governance addressed in King IV are risk governance, audit committee disclosures, performance evaluations of the governing body, and delegation to management and committees.

The Code of Banking Practice, 2012, is a non-binding set of minimum standards established to promote good banking practices. It aims to increase transparency for customers, promote open and fair banking relationships and promote confidence in the banking sector.

Diversity

The Broad-based Black Economic Empowerment Act, 2003 (“BEE Act”), seeks to transform the South African economy by, inter alia, increasing the participation of historically categorised black African, Coloured and Indian South Africans in ownership and management structures. Although the BEE Act does not place legal obligations on banks, the sector codes score businesses based on their contributions to black economic empowerment and place an obligation on organs of state and public entities to conduct procurement in favour of BEE Act compliant businesses.

Code of Conduct

In terms of POPIA, the Banking Association of South Africa (BASA) and the Information Regulator have published a Code of Conduct for the Processing of Personal Information by the Banking Industry (“BASA Code”). The BASA Code aims to ensure compliance with POPIA, and requires BASA members to establish agreements with third parties for the processing of personal information. The BASA Code will be enforced against BASA members by BASA.

Regulatory Approvals

The Banks Act requires that the chief executive officer of a bank (or in relation to the appointment of the chief executive officer, a director designated by the board) must, at least 30 days prior to the proposed date of appointment, give written notice to the PA of any person to be appointed as chief executive officer, director or executive officer. The PA may object (and must provide the grounds for the objection) to the proposed appointment within 20 working days of receipt of the notice. The PA can object to the appointment or continued employment of a chief executive officer, director or executive officer if the PA reasonably believes that the person is not, or is no longer, a fit and proper person to hold the relevant office or if it is not in the public interest for the person to hold or continue to hold the relevant office. Each chief executive officer, director and executive officer of a bank owes towards the bank the duties set out in the Banks Act (including to act bona fide for the benefit of the bank and to avoid conflicts of interest) and the Companies Act. The information to be submitted is found in the Bank Regulations, including form BA 020 together with a curriculum vitae and a criminal background check report.

The majority of the directors of a bank must not be employees of that bank, its subsidiary or its controlling company. Directors who are employees must not together be entitled to exercise more than 49% of the total vote on the board of the bank.

Roles and Accountability

Directors, the chief executive officer and the executive officers of a bank owe a duty to the bank to act bona fide for the benefit of the bank, avoid conflicts of interest, possess and maintain the knowledge and skill reasonably expected of a person holding a similar role, and exercise care in the carrying out of functions as may reasonably be expected of a diligent person holding the same appointment.

The Banks Act requires a bank’s board of directors to establish a remuneration committee consisting only of non-executive directors. It must assist the board to, inter alia:

  • oversee the compensation system’s design;
  • exercise independent judgement on compensation policies and incentives created for managing risk, capital and liquidity;
  • ensure that the system complies with the Bank Regulations;
  • conduct an annual review of the compensation system; and
  • consult with shareholders.

In addition, the Bank Regulations require that the board must ensure effective governance with respect to remuneration policies by actively overseeing the design of such policies. The board must monitor the operation of the policies and ensure the policies are aligned with the board-approved tolerance for risk. In particular, the board must ensure that:

  • compensation outcomes are in line with risk outcomes;
  • remuneration payout schedules are sensitive to time horizons of risk;
  • risk and reward related to all relevant transactions concluded by executive directors and officers are considered;
  • the remuneration policies support and promote the bank’s other policies and the long-term safety of the bank; and
  • the remuneration policies are subject to appropriate audit.

FICA is the primary AML/CFT statute in South Africa, and it applies to banks as accountable institutions. Among other things, FICA requires banks and other accountable institutions to:

  • register with the FIC;
  • appoint an AML/CFT compliance officer with sufficient competence and seniority to ensure an effective compliance function;
  • develop a risk management compliance programme, which must be continuously reviewed and updated to ensure its effectiveness;
  • comply with KYC procedures, including verifying customers’ identities, businesses and beneficial owners, checking data against third-party sources, identifying sources of funds and checking sanctions lists;
  • report suspicious transactions and cash transactions in excess of ZAR49,999;
  • notify authorities if they are aware of any illegal financial activities;
  • screen for domestic and foreign politically exposed persons;
  • keep paper trails of transactions for five years after a client’s last transaction or the date that a client ceases to be a client of the bank; and
  • train staff in AML/CFT policies and procedures and ensure that staff comply with such policies.

Banks must take a risk-based approach to their AML policies and adjust their procedures to assess and mitigate specific risks. Recently, the FIC imposed new requirements to screen employees in high-risk roles for competence and integrity prior to their appointment and at least annually during employment. Such screening involves, inter alia, checking for criminal records, particularly in relation to crimes of dishonesty, and past AML/CFT failures while the employee was in a senior decision-making role, and screening for domestic or foreign politically exposed persons.

POCA creates two main money-laundering offences. POCA makes it a crime to, inter alia, assist any person to avoid prosecution or to knowingly enter into a transaction that is likely to have the effect of concealing or disguising the nature, source, location or movement of property. POCA also addresses racketeering by making it a crime to keep any property produced as a result of a pattern of racketeering or, knowing the racketeering origin of property, acquire any interest in the establishment, operation or activities of an enterprise. POCA empowers South African high courts to make orders of forfeiture of property that constitutes the proceeds of unlawful activity.

Requirements

South Africa’s deposit protection regime was recently established and became operational on 1 April 2024. It requires all licensed banks in South Africa to become members of the Corporation for Deposit Insurance (CoDI) and pay an annual levy and monthly premiums into the deposit insurance fund (DIF).

Administrator

CoDI was established as a subsidiary of the SARB on 24 March 2023 and is governed by the FSRA.

Qualifying Deposits and Limits

Qualifying deposits exclude deposits held by a depositor in the capacity of a “financial institution”, which is defined in the FSRA as a financial product provider, a financial service provider, a market infrastructure, a holding company of a financial conglomerate or a person licensed or required to be licensed in terms of a financial sector law. The deposits of non-financial corporates will be qualifying deposits. The DIF will cover each qualifying deposit up to ZAR100,000.

CoDI is able to use the DIF in one of two ways to give covered depositors reasonable access to their funds:

  • CoDI can reimburse depositors for their covered deposit balance (ie, qualifying deposit); or
  • CoDI can make payments under an agreement relating to a resolution action for a bank in resolution, subject to conditions to protect the DIF.

Funding

Funding for the DIF comes from a deposit insurance levy, which will be calculated and payable by banks as a percentage of covered deposits as at the end of each financial year.

South Africa has generally implemented the Basel III risk-based capital regulations consistent with international practice. Elements of Basel III are still coming into effect through 2025.

The Bank Regulations contemplate that the business of a bank entails the management of risks, and the Bank Regulations therefore require banks to develop comprehensive risk-management processes and board-approved policies and procedures to address risks.

A bank’s management must ensure that the risks are managed prudently and appropriately by:

  • setting capital targets commensurate with the bank’s risk profile and control environment;
  • implementing robust and effective risk management and internal control processes; and
  • developing and maintaining strategies for the bank’s maintenance of adequate capital and an internal capital assessment process that responds to changes in the business cycle.

Management must also conduct stress tests to identify events or changes in market conditions that may have an adverse impact on the bank.

South Africa has adopted International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. The directors of a bank must make annual reports to the PA addressing, among other things, the integrity of internal controls, the maintenance of ethical standards and material malfunctions of controls.

The Banks Act sets out the prudential requirements for a bank, depending on whether the bank’s business includes trading of financial instruments, consists solely of trading in financial instruments or excludes the trading of financial instruments. The Banks Act imposes different minimum requirements for the share capital and unimpaired reserve funds in each of the above scenarios. In addition, the Banks Act sets certain minimum requirements for the capital and reserve funds of a bank controlling company, and any regulated entity included in a banking group and structured under the controlling company must comply with the requirements of its relevant regulator.

In addition to the above prudential requirements, the Banks Act limits the investments, loans, advances or other credits that a bank, controlling company or branch of a foreign bank can undertake, and in particular:

  • A bank cannot make investments with or grant loans to a person exceeding 10% of its prescribed capital and reserves without the prior approval of the board or a committee specifically appointed for such purpose.
  • If a bank’s investments and loans contemplated above and relating to any private sector non-bank person exceed, in aggregate, 800% of the bank’s prescribed capital and reserves, the PA will prescribe additional capital requirements for the bank.
  • A bank cannot make investments with or grant loans, advances or other credit to a private sector non-bank person if the transaction, alone or together with previous transactions with the person, results in it being exposed to the person to an amount exceeding 25% of the prescribed amount, without the prior written approval of the PA. If the PA gives approval, the bank can be subject to additional capital requirements. If a bank enters into such a transaction with any person other than a private sector non-bank person, it must report this to the PA.
  • A bank can be subject to additional capital and reserve fund requirements if it is exposed to an industry, sector or geographical area in an amount that exceeds the prescribed amount. Accordingly, an entity must report any investment in or loans, advances or other credit exposure to a specific industry, sector or geographical area, which alone or together with any previous such transactions result in it being exposed to that industry, sector or geographical area, in an amount exceeding the prescribed percentage of capital and reserve funds.

Banks must build up capital buffers outside periods of stress, which may be drawn upon as losses are incurred during periods of stress specified in writing by the PA. If a bank operates within the capital conservation buffer range, the PA imposes restrictions on capital distributions until such time as the minimum capital adequacy ratio is restored.

Banks are subject to a large exposure framework (LEX) designed to specifically protect banks from material losses resulting from the non-performance of a single counterparty or group of connected counterparties.

Banks must hold liquid assets in South Africa to a value that is at least 20% of their prescribed liabilities. Further, a bank cannot pledge or otherwise encumber any assets that are held by it in compliance with this liquidity requirement, unless the PA has provided an exemption.

Under the Basel III framework, the SARB introduced a leverage ratio to serve as a backstop to the risk-based capital requirement and to prevent build-up of excessive leverage in the financial system. The Bank Regulations provide that every bank and every controlling company must calculate a leverage ratio in accordance with the relevant ratio formula, to supplement the bank or controlling company’s relevant risk-based capital requirements.

LEX requirements for Domestic Systemically Important Banks (D-SIBs) permit lower concentration limits than for other banks.

With effect from 2024, banks must disclose information related to interest rate risk in the banking book (IRRBB) in line with the Basel Committee on Banking Supervision’s (BCBS) consolidated disclosure requirements in the Basel framework.

Resolution and Key Attributes of Effective Resolution Regimes

A framework for resolution of banks became law in South Africa on 1 June 2023, implementing South Africa’s agreement to adopt the Financial Stability Board’s Key Attributes of Effective Resolution Regimes for Financial Institutions. The relevant provisions are contained in the FSRA. The FSRA requires the SARB, based on a risk analysis, to plan for the potential need for the orderly resolution of each bank.

The FSRA creates a point of resolution, which is deemed to be the point when a designated institution is or will probably be unable to meet its obligations (including regulatory requirements) and it is necessary to trigger resolution to protect or maintain financial stability. The SARB is the resolution authority; it can recommend to the MoF that a bank enters resolution if the triggers have been met and the SARB believes that recovery actions have failed or will not be successful. If the MoF agrees, the resolution process and resolution powers will be invoked.

The resolution framework introduces a number of powers to support an orderly resolution of a designated institution. The most significant of these powers is statutory bail-in, under which the SARB is empowered to take one or more of the following actions in relation to a designated institution in resolution:

  • write down or issue new shares in the designated institution;
  • write down, subject to exclusions, liabilities of the designated institution; and/or
  • convert debt instruments into equity.

Statutory bail-in enables the SARB to recapitalise a designated institution at the point of entry into resolution. Banks must maintain a specified level of liabilities that are designated for bail-in in resolution, enabling the SARB to assign first losses to shareholders and creditors with sufficient capacity to also restore the capital of a bank in resolution.

Statutory bail-in can only be applied in resolution and must strictly follow the statutory credit hierarchy and safeguards set out in the relevant provisions of the FSRA.

Additionally, the SARB as resolution authority can transfer assets and liabilities of a bank in resolution, establish a bridge institution, institute temporary moratoria on certain proceedings and the exercise of early termination rights, and suspend obligations of the bank in resolution.

Provisions in certain contracts that provide for acceleration and early termination on entry into resolution or the taking of resolution action are not effective in respect of a bank in resolution. The PA has mandated a contractual recognition approach in this regard, requiring amendments to banks’ agreements that are governed by foreign law.

Creditors are protected by implementation of the “No Creditor Worse Off Rule” and the requirement that claims follow the insolvency hierarchy of claims, while allowing for some flexibility.

Depositor Preference Rules

The FSRA also contains a simple depositor preference regime, which applies only to covered deposits and any bank in respect of which insolvency proceedings are commenced. The regime requires that in insolvency, covered deposits should be paid out of the estate of an institution in resolution before concurrent claims, regulatory capital instruments and shareholders. The FSRA provides that “covered deposits”, together with interest thereon, must be paid after payment of any preferred creditors (including secured creditors, the South African Revenue Service, the salaries and wages of employees, costs of liquidation, costs of execution and special notarial bonds) provided for in the Insolvency Act, but before payment of any other unsecured creditors.

Although relevant sections of the FSRA became effective from 1 June 2023, no deposits will be covered deposits until the DIF becomes operational. Preferred deposits will rank pari passu among themselves.

Guidance Note

In May 2024, the PA published a guidance note (ESG Risk GN) titled ‘Guidance on climate-related governance and risk practices for banks’. The purpose of the ESG Risk GN is to supply guidance to banks regarding climate-related risk management, under the four thematic areas of governance, risk management, and metrics and targets.

Through the ESG Risk GN, the SARB makes a bank’s board of directors responsible for the effective and successful oversight and management of climate-related risks. To do this, the board of directors and senior management should clearly identify and assign responsibilities throughout the bank’s organisation structure for managing climate-related risks.

From a risk management perspective, a bank should be able to demonstrate that climate-related risks have been considered under relevant traditional risk categories such as credit, market, operational and liquidity. A bank’s compliance function should ensure that climate-related risks are identified and accounted for in the compliance management framework. A bank’s internal audit function should review the risk management process for climate-related risks to ensure the adequacy and effectiveness of the process. A bank should ensure that business continuity plans account for physical risks and climate-related risks, both of the bank and of any outsourcing service providers.

A bank should develop key risk indicators and metrics to quantify exposures to climate-related risks, and be able to identify relevant climate-related risk drivers that may materially impair financial conditions. Stress-testing and scenario analysis can be used to assist with risk identification, monitoring and assessment.

A bank’s internal capital adequacy assessment process should explain, inter alia:

  • methodologies used to identify, assess, monitor and report climate-related risks;
  • climate-related risks identified including their transmission channels and correlation among risks;
  • potential impact of climate-related risks on the determination of total internal capital;
  • type and nature of scenario analyses and stress tests adopted by the bank; and
  • risk management and mitigation strategies, as well as contingency plans.

Also in May 2024, the SARB published a guidance note relating to climate-related disclosures for banks (ESG Disclosure GN). The purpose of the ESG Disclosure GN is to supply guidance to banks regarding climate-related disclosures, taking into consideration recommendations of the Task Force on Climate-Related Financial Disclosures and the International Sustainability Standards Board, under the four thematic areas of governance, strategy, risk management, and metrics and targets.

The ESG Disclosure GN sets out a list of overarching requirements to fulfil when disclosing climate-related risks and opportunities. The SARB will expect banks to produce climate-related disclosures and reports that, at a minimum, fulfil the following principles:

  • completeness of information – limitations of the data, assumptions and estimations should be declared;
  • being clear, balanced, and understandable to a wide audience;
  • comparability between sectors, industries or portfolios and institution reporting periods;
  • comparability of methodologies and approaches;
  • consistency over time, with descriptions of changes in approach;
  • focus on relevant material issues;
  • reliability and objectivity; and
  • timeliness – disclosure should supply information relevant to current decisions and be future-focused.

Additionally, the board should ensure that a bank annually discloses, inter alia, its practices in maintaining oversight and the role of senior management in relation to climate-related risks and opportunities.

From a strategic point of view, a bank should disclose annually the current and expected impacts of climate-related risks and opportunities on the bank’s business, strategy and financial planning.

A bank should describe its risk management policies, processes and controls for identifying, assessing and managing climate-related risks, and incorporating these risks into the bank’s overall risk management.

A bank should disclose metrics and targets that enable stakeholders to evaluate the bank’s exposure to, and measurement and management of, climate-related risk.

There are no hard deadlines for disclosures prescribed in the ESG Disclosure GN, but the PA expects banks to be proactive and not be compliance driven. Mandatory disclosure will rather be determined by, inter alia, non-financial sector disclosure requirements and international standard-setting bodies.

OR Directive

In line with the BCBS paper on principles for operational resilience issued in March 2021 (“BCBS OR Paper”), the PA published the first directive relating to operational resilience in December 2021 with an intended compliance date in June 2023. Then, in June 2023, the PA published a replacement directive (“OR Directive”) titled ‘Principles for operational resilience’. In the introduction, the OR Directive notes that the Bank Regulations require banks to establish and maintain robust processes of corporate governance, including the maintenance of effective risk management and capital management. Operational resilience forms an integral part of the enterprise risk management processes, practices and procedures. According to the Bank Regulations, if the PA determines that a bank’s policies, processes and procedures relating to operational resilience are inadequate, the PA may, inter alia, require the bank to maintain additional capital.

The OR Directive requires banks to do the following on or before 31 December 2024:

  • assess the adequacy of current policies, processes and practices against the BCBS OR Paper and ensure that all principles are addressed (internally or by means of outsourcing);
  • ensure that operational resilience controls follow a risk-based approach that is aligned with the bank’s risk appetite, based on the nature, size and complexity of its operations;
  • ensure that existing risk management frameworks, business continuity plans and third-party dependency management are implemented consistently within the bank; and
  • consider whether operational resilience approaches are appropriately harmonised with stated actions, organisational mappings and definitions of critical functions and shared services contained in recovery and resolution plans.

Cyber Joint Standard

In June 2024, the FSCA and the PA published Joint Standard 2 of 2024 titled ‘Cybersecurity and cyber resilience requirements for financial institutions’ (Cyber Joint Standard), which will become effective on 1 June 2025.

The Cyber Joint Standard provides detailed guidelines for certain institutions, including banks, to manage and mitigate cybersecurity risk. Under the Cyber Joint Standard, banks must, inter alia:

  • maintain and keep updated a cybersecurity strategy;
  • implement appropriate practices to prevent the impact of potential cyber threats;
  • develop data loss prevention policies and measures;
  • maintain effective cyber resilience capabilities to monitor, detect, respond to and recover from cyberattacks; and
  • notify responsible authorities of material incidents involving cyber and information security.

There are a number of upcoming regulatory developments that may have an impact on South African banks.

  • The SARB has announced that South Africa will transition away from the commonly used Johannesburg Interbank Average Rate (JIBAR) to a risk-free interest rate called the South African Rand Overnight Index Average (ZARONIA). Banks are currently grappling with the impacts that the transition will have on their clients, systems, etc, and are expected to continue working through the change up until the SARB announces the cessation of JIBAR (expected towards the end of 2025).
  • The Conduct of Financial Institutions Bill, 2020 (CoFI), will be the second peak of the Twin Peaks reform. CoFI will overhaul conduct regulation of, inter alia, banks. CoFI is set to replace all or a significant part of FAIS, with a customer-focused regulatory framework that formalises the application of Treating Customers Fairly. Its aim will be to promote financial inclusion, while ensuring fair treatment and protection of customers and trust and confidence in the financial sector. CoFI will also increase compliance and governance burdens. Although some aspects of CoFI will be aimed at improving operational processes and working capital at non-bank financial service providers, CoFI will also give the FSCA meaningful power to effect transformation in the financial services industry. It will require financial services providers of a certain size to meet concrete transformation goals and give the FSCA the tools to enforce those goals.
  • As mentioned in 9.1 ESG Requirements, banks will ultimately be required to prepare climate-related risk disclosure reports in accordance with standards and principles issued by the SARB.
  • In 2024, the first two bank ODPs came into scope for regulatory initial margin (IM). It is expected in September 2025 that a number of other banks will come into scope. At the same time, the FSCA and the PA are expected to expand the eligible collateral types beyond gold, cash and rated South African government bonds to satisfy IM. The current proposal is to include government bonds issued by the USA, the European Central Bank and the UK.
  • Although substantive reporting is not expected to be affected, the SARB has announced its intention to do away with the printed forms (called ‘BA Returns’) from the Bank Regulations and to issue all BA Returns and related instructions for completion in the form of directives or other regulator determinations in Prudential Standards.
  • In October 2024, the SARB released a draft directive aimed at implementing the remaining components of the Basel III post-crisis regulatory reforms. When effective, the draft directive will make certain revisions to the standardised approach for credit risk and the use of internally modelled internal ratings-based approaches for credit risk, to the operational risk framework, to the leverage ratio framework and to the output floor. The proposed implementation date for the changes is 1 July 2025.

A&O Shearman

6th Floor
90 Grayston
90 Grayston Drive
Sandton
Johannesburg 2196
South Africa

+27 82 853 4312

kelle.gagne@aoshearman.com www.aoshearman.com