Contributed By A&O Shearman
Banking Regulation
The South African Reserve Bank (SARB), which is South Africa’s central bank, was established by the South African Reserve Bank Act, 1989, and is the primary regulator of banking in South Africa. The SARB administers the Banks Act, 1990 (the “Banks Act”), which is the primary statute governing banking. Subsidiary legislation promulgated under the Banks Act, including the Regulations Relating to Banks, 2012 (the “Bank Regulations”), set out a comprehensive framework of prudential regulation of banking activities. The SARB additionally regulates mutual banks, which are owned by their depositors, in accordance with the Mutual Banks Act, 1993, and co-operative banks in accordance with the Co-operative Banks Act, 2007, but these entities are not the focus of this chapter.
The Prudential Authority (PA) operates within the administration of the SARB and is the direct licensing authority and supervisor of the domestic activities of South African banks and their foreign branches, as well as representative offices and domestic branches of foreign banks. It was formed as the first peak of the Twin Peaks reform, splitting bank and financial services regulation into prudential and conduct regulation. The PA is tasked with ensuring the financial stability and soundness of banks in South Africa and ensures the application of international regulatory and supervisory standards. To that end, the SARB is designated as the resolution authority in respect of the resolution of designated financial institutions, including banks, under Chapter 12A of the Financial Sector Regulation Act, 2017 (FSRA).
The National Treasury Department of the Republic of South Africa (“Treasury”) is vested with responsibility for a system of exchange controls founded in the Currency and Exchanges Act, 1933, and the exchange control regulations thereunder (the “Exchange Control Regulations”). Treasury has delegated that responsibility to the SARB. The Financial Surveillance Department of the SARB (FinSurv) is responsible for the day-to-day administration of the Exchange Control Regulations, which are practically implemented by banks that have been designated as “Authorised Dealers” under the Exchange Control Regulations.
Company Legislation
The Companies Act, 2008 (the “Companies Act”), will apply to a registered bank in South Africa because a bank must be a public company. The Companies and Intellectual Property Commission (CIPC), together with the Takeover Regulation Panel (TRP) in respect of mergers and other changes in control, are the regulators tasked with enforcing the Companies Act. In practice, most often the public company (being the bank itself or the controlling company of the bank) will be listed, and therefore the Listing Requirements and Equities Rules of the main board of the exchange operated by JSE Limited, known as the Johannesburg Stock Exchange (JSE), will also apply to the bank, particularly in respect of questions of corporate governance.
AML and CFT
The Financial Intelligence Centre (FIC) regulates, inter alia, banks as accountable institutions, ensuring compliance with the Financial Intelligence Centre Act, 2001 (FICA). The Prevention of Organised Crime Act, 1998 (POCA), the Prevention and Combating of Corrupt Activities Act, 2004, and the Protection of Constitutional Democracy against Terrorist and Related Activities Act, 2004 (POCDATARA), also form part of the AML/CFT regime applicable to banks.
Market Conduct
The FSRA also established the Financial Sector Conduct Authority (FSCA), which is the dedicated market conduct regulator for the financial services sector. The FSCA administers the Financial Advisory and Intermediary Services Act, 2002 (FAIS), which regulates the provision of advice and intermediary services in relation to financial products, including deposits. Banks must be authorised under the FAIS to market deposits or other financial products in South Africa, and compliance with the FAIS is overseen by the FSCA.
Retail Credit
The National Credit Act, 2005 (NCA), established the National Credit Regulator (NCR), which is the primary regulator of South African credit providers. The NCR oversees the registration and conduct of credit providers, credit bureaus and debt counsellors.
Data Protection
The Protection of Personal Information Act, 2013 (POPIA), established the Information Regulator (Information Regulator), which is responsible for ensuring compliance by public and private bodies, including banks, with data protection rules in South Africa.
Licenses, Activities
Conducting the business of a bank may only be undertaken by a public company (incorporated under the Companies Act) that is registered/licensed as a bank under the Banks Act or a branch of a foreign bank registered under section 18A of the Banks Act. Possession of a registration certificate entitles the bank or branch of a foreign bank to conduct the business of a bank in South Africa – in particular to solicit for and conduct deposit-taking activities and to use deposits to grant loans, for investment or to finance business activities.
A foreign bank can alternatively register a representative office, but a representative office cannot conduct the business of a bank.
Conditions for Authorisation
A prospective bank may, but is not required to, initiate the application process by setting up a meeting with the PA to discuss business plans, the licensing process and the application requirements. The first requirement for any prospective new bank is to apply to the PA for authorisation to establish a bank. As mentioned in 1.1 Key Laws and Regulations, only a public company may register as a bank. However, the CIPC cannot register a company’s memorandum of incorporation (MOI) unless the application for registration is accompanied by the PA’s approval.
Process for Authorisation
An application to the PA for authorisation to establish a bank must be made in the required form and contain the information prescribed by the Bank Regulations and any further information the PA requires. The PA grants such approval if it believes that the prospective bank is likely to be eligible for registration as a bank.
The prospective bank can apply for registration as a bank during the 12 months after the date of the authorisation. Again, the application must be made in the required form, and contain the information required in Section 16(2) of the Banks Act and any further information deemed necessary by the PA. The PA can revoke authorisation if any false or misleading information is found to have been provided, or the bank is not formed within 12 months of the date of the authorisation.
The PA can grant, refuse, or conditionally grant registration as a bank. The PA will only grant registration if the criteria in Sections 13(2) and 17(1) of the Banks Act have been met, including that:
Finally, an applicant must also prove compliance with the minimum share capital and unimpaired reserved funds requirements of the Banks Act relating to the specific business that the bank conducts. The calculation formulas differ depending on the bank’s activities. For example, Section 70 of the Banks Act distinguishes between banks that trade solely in financial instruments, banks that trade in financial instruments as part of their business, and banks that do not trade in financial instruments.
Obtaining registration as a bank generally entails significant interaction with the PA and is likely to take between 10 and 16 months from the date of application to receipt of a certificate of registration. Once a license is obtained, it must be renewed annually.
To obtain authorisation as a branch, the applicant must under Section 18A of the Banks Act submit a completed form (as prescribed by the PA) accompanied by the prescribed fee. The PA can request such further information and documentation as it deems necessary. A foreign bank establishing a branch must meet several criteria, including that the foreign bank must:
The PA will also consider certain aspects of the foreign bank’s regulatory regime and its compatibility with the PA’s requirements. In addition, the branch will be required, inter alia, to have capital exceeding certain thresholds, maintain a minimum reserve balance with the SARB, and comply with the minimum liquid assets requirement in the Banks Act.
Application fees and annual license fees are payable.
Change in Control
The Banks Act prohibits any person (other than the bank’s controlling company) from acquiring (including with concert parties) shares in a bank or controlling company amounting to more than 15% of the total value or voting rights of the bank’s issued shares without permission of the PA or the Minister of Finance (MoF). This includes an acquisition which, together with shares already held by that person or an associate of that person, amounts to more than 15% of the total nominal value or total voting rights of the bank’s issued shares.
The PA can authorise a person who has for 12 months, or any shorter period the PA determines:
The MoF, acting through the PA, can authorise a person who has for 12 months, or any shorter period the MoF determines:
The above rules also apply to foreign ownership of banks.
To grant authorisation, the PA and/or the MoF must be satisfied that the proposed acquisition is not contrary to the interests of the public or the bank, its depositors, or its controlling company.
Further, the Banks Act prohibits any person other than a registered bank controlling company, bank or an institution approved by the PA and conducting a business like the business of a bank in a country other than South Africa from exercising control over a bank.
The Companies Act
In addition to the above, the Companies Act requires that a shareholder report to an issuer if it acquires or disposes of shares such that the shareholder’s holding crosses, up or down, the 5% threshold or any multiple of 5%. The issuer in turn must report the information on the JSE’s Stock Exchange News Service (SENS). Entitlements to a bank’s shares (for example convertibles and options) must be counted, but not synthetic exposure to a bank’s shares.
Statutory Requirements
The Banks Act requires that a bank’s board of directors and executive officers must establish and maintain an adequate and effective process of corporate governance aimed at achieving the bank’s strategic and business objectives efficiently, effectively, ethically, and equitably within acceptable risk parameters. The board and officers must also ensure compliance with all applicable laws and corporate behaviour that is universally recognised as correct and proper. The board and officers must establish mechanisms and procedures to minimise potential conflicts of interest between the bank and the personal interests of directors and officers. The board must retain control over the strategic and business direction of the bank, while allowing executives to manage operations and achievement of objectives.
The Bank Regulations additionally make the board of directors responsible for ensuring that governance includes the maintenance of effective risk management and capital management. The maintenance process must be consistent with the nature, complexity and risk inherent in the bank’s on-balance sheet and off-balance sheet activities, and the board must ensure that the bank’s risk management and capital management are able to respond to changes in the bank’s environment and conditions. The board can appoint supporting committees.
In addition, the PA publishes Guidance Notes, which may provide guidance with respect to corporate governance requirements.
Voluntary Codes
The King Code applies to all organisations in South Africa, including banks. It is voluntary, but companies listed on the JSE (such as banks, which are public companies) must report on their compliance with the King Code. The latest iteration “King IV” is a collection of 16 principles (plus one that applies only to institutional investors) promoting “the exercise of ethical and effective leadership by the governing body”. Some of the aspects of governance addressed in King IV are risk governance, audit committee disclosures, performance evaluations of the governing body, and delegation to management and committees.
Regulatory Approvals
The Banks Act requires that the chief executive officer of a bank (or in relation to the appointment of the chief executive officer, a director designated by the board) must, at least 30 days prior to the proposed date of appointment, give written notice to the PA of any person to be appointed as chief executive officer, director or executive officer. The PA may object (and must provide the grounds for the objection) to the proposed appointment within 20 working days of receipt of the notice. The PA can object to the appointment or continued employment of a chief executive officer, director or executive officer if the PA reasonably believes that the person is not, or is no longer, a fit and proper person to hold the relevant office or if it is not in the public interest for the person to hold or continue to hold the relevant office. Each chief executive officer, director and executive officer of a bank owes towards the bank the duties set out in the Banks Act (including to act bona fide for the benefit of the bank and to avoid conflicts of interest), and the Companies Act. The information to be submitted is found in the Bank Regulations, including form BA 020 together with a curriculum vitae and a criminal background check report.
The majority of the directors of a bank must not be employees of that bank, its subsidiary or controlling company. Directors who are employees must not together be entitled to exercise more than 49% of the total vote on the board of the bank.
Roles and Accountability
Directors, the chief executive officer, and the executive officers of a bank owe a duty to the bank to act bona fide for the benefit of the bank, avoid conflicts of interest, possess and maintain the knowledge and skill reasonably expected of a person holding a similar role, and exercise care in the carrying out of functions as may reasonably be expected of a diligent person holding the same appointment.
The Banks Act requires a bank’s board of directors to establish a remuneration committee consisting only of non-executive directors. It must assist the board to, inter alia:
In addition, the Bank Regulations require that the board must ensure effective governance with respect to remuneration policies by actively overseeing the design of such policies. The board must monitor the operation of the policies and ensure the policies are aligned with the board-approved tolerance for risk. In particular, the board must ensure that:
FICA is the primary AML/CFT statute in South Africa, and it applies to banks as accountable institutions. Among other things, FICA requires banks and other accountable institutions to:
Banks must take a risk-based approach to their AML policies and adjust their procedures to assess and mitigate specific risks. Recently, the FIC imposed new requirements to screen employees in high-risk roles for competence and integrity prior to their appointment and at least annually during employment. Such screening involves, inter alia, checking for criminal records, particularly in relation to crimes of dishonesty, past AML/CFT failures while the employee was in a senior decision-making role and screening for domestic or foreign politically exposed persons.
POCA creates two main money-laundering offences. POCA makes it a crime to, inter alia, assist any person to avoid prosecution or to knowingly enter into a transaction that is likely to have the effect of concealing or disguising the nature, source, location or movement of property. POCA also addresses racketeering by making it a crime to keep any property produced as a result of a pattern of racketeering or, knowing the racketeering origin of property, acquire any interest in the establishment, operation or activities of an enterprise. POCA empowers South African high courts to make orders of forfeiture of property that constitutes the proceeds of unlawful activity.
South Africa’s deposit protection regime is newly established and not all aspects have yet come into effect.
Administrator
The Corporation for Deposit Insurance (CoDI) was established as a subsidiary of SARB on 24 March 2023 and is governed by the FSRA. The sections of the FSRA dealing with deposits into the deposit insurance fund (DIF), investment of the DIF’s funds, etc, have not yet been declared effective by the MoF. Subsidiary legislation will be passed in the coming years supplying detailed rules relating to the procedural and administrative matters relating to CoDI and the DIF. It is expected that the DIF will become operational in April 2024.
Qualifying Deposits and Limits
Qualifying deposits exclude deposits held by a depositor in the capacity of a “financial institution”, which is defined in the FSRA as a financial product provider, a financial service provider, a market infrastructure, a holding company of a financial conglomerate or a person licensed or required to be licensed in terms of a financial sector law. The deposits of non-financial corporates will be qualifying deposits. Although it is yet to be published in subsidiary legislation, the expectation is that ZAR100,000 will be covered per qualifying deposit.
Once operating, CoDI will be able to use the DIF in one of two ways to give covered depositors reasonable access to their funds:
Funding
Funding for the DIF will come from a deposit insurance levy, which will be calculated and payable by banks as a percentage of covered deposits as at the end of each financial year.
There are various sources of South African law relating to a bank’s duty of secrecy. These comprise a combination of common law, legislation and contract.
Constitution
Broadly speaking, the South African Constitution of 1996 provides every person with a right to privacy. This right is without regard to specific relationships between banks and their clients.
Code of Banking Practice
The Code of Banking Practice, 2012 (the “Code”) is a non-binding set of minimum standards established to promote good banking practices. It aims to increase transparency for customers, promote open and fair banking relationships and promote confidence in the banking sector. The Code requires a bank to treat all customer persona information as private and confidential unless, inter alia:
The Code also requires banks to commit to informing customers when their telephone conversations will be recorded.
The South African Protection of Personal Information Act (POPIA)
POPIA provides bank customers with statutory protection of personal information. It gives effect to the right to privacy in the South African Constitution of 1996 and clarifies that the right to privacy includes protection against the unlawful collection, retention, dissemination or use of personal information. Personal information includes, inter alia, information relating to:
POPIA regulates what is done with personal information, how personal information is processed, whom personal information is shared with, what types of personal information is processed and for what purpose, and it ensures that individuals and legal entities are aware of what is being done with their private information.
POPIA established the Information Regulator to ensure compliance with POPIA’s requirements. Under POPIA, banks are required to identify risks to personal information, establish and maintain safeguards against such risks, regularly verify that the safeguards are effectively implemented and ensure that the safeguards are continually updated.
Code of Conduct for the Processing of Personal Information by the Banking Industry
Finally, in terms of POPIA, the Banking Association of South Africa (BASA) and the Information Regulator have published a Code of Conduct for the Processing of Personal Information by the Banking Industry (the “BASA Code”). The BASA Code aims to ensure compliance with POPIA, and requires BASA members to establish agreements with third parties for the processing of personal information. The BASA Code will be enforced against BASA members by BASA.
The BASA Code also elaborates on conditions for the lawful processing of personal information, including a bank’s compliance with international standards and industry best practices like the King Code and Basel principles.
South Africa has generally implemented the Basel III risk-based capital regulations consistent with international practice. Elements of Basel III are still coming into effect through 2025.
The Bank Regulations contemplate that the business of a bank entails the management of risks, and the Bank Regulations therefore require banks to develop comprehensive risk-management processes and board-approved policies and procedures to address risks.
A bank’s management must ensure that the risks are managed prudently and appropriately by:
Management must also conduct stress tests to identify events or changes in market conditions that may have an adverse impact on the bank.
South Africa has adopted International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. The directors of a bank must make annual reports to the PA addressing, among other things, the integrity of internal controls, the maintenance of ethical standards and material malfunctions of controls.
The Banks Act sets out the prudential requirements for a bank, depending on whether the bank’s business includes trading of financial instruments, consists solely of trading in financial instruments or excludes the trading of financial instruments. The Banks Act imposes different minimum requirements for the share capital and unimpaired reserve funds of each of the above scenarios. In addition, the Banks Act sets certain minimum requirements for the capital and reserve funds of a bank controlling company, and any regulated entity included in a banking group and structured under the controlling company must comply with the requirements of its relevant regulator.
In addition to the above prudential requirements, the Banks Act limits the investments, loans, advances or other credits that a bank, controlling company, or branch of a foreign bank can undertake, and in particular:
Accordingly, an entity must report any investment in or loans, advances or other credit exposure to a specific industry, sector or geographical area, which alone or together with any previous such transactions result in it being exposed to that industry, sector or geographical area, in an amount exceeding the prescribed percentage of capital and reserve funds.
Banks must build up capital buffers outside periods of stress, which may be drawn upon as losses are incurred during periods of stress specified in writing by the PA. If a bank operates within the capital conservation buffer range, the PA imposes restrictions on capital distributions until such time as the minimum capital adequacy ratio is restored.
Banks are subject to a large exposure framework (LEX) designed to specifically protect banks from material losses resulting from the non-performance of a single counterparty or group of connected counterparties.
Banks must hold liquid assets in South Africa to a value that is at least 20% of their prescribed liabilities. Further, a bank cannot pledge or otherwise encumber any assets that are held by it in compliance with this liquidity requirement, unless the PA has provided an exemption.
Under the Basel III framework, the SARB introduced a leverage ratio to serve as a backstop to the risk-based capital requirement, and to prevent build-up of excessive leverage in the financial system. The Bank Regulations provide that every bank and every controlling company must calculate a leverage ratio in accordance with the relevant ratio formula, to supplement the bank or controlling company’s relevant risk-based capital requirements.
LEX requirements for D-SIBs permit lower concentration limits than for other banks.
Resolution and Key Attributes of Effective Resolution Regimes
A framework for resolution of banks became law in South Africa on 1 June 2023, implementing South Africa’s agreement to adopt the FSB’s Key Attributes of Effective Resolution Regimes. The relevant provisions are contained in the FSRA. The FSRA requires the SARB, based on a risk analysis, to plan for the potential need for the orderly resolution of each bank.
The FSRA creates a point of resolution, which is deemed to be the point when a designated institution is or will probably be unable to meet its obligations (including regulatory requirements), and it is necessary to trigger resolution to protect or maintain financial stability. The SARB is the resolution authority; it can recommend to the MoF that a bank enters resolution if the triggers have been met and the SARB believes that recovery actions have failed or will not be successful. If the MoF agrees, the resolution process and resolution powers will be invoked.
The resolution framework introduces a number of powers to support an orderly resolution of a designated institution. The most significant of these powers is statutory bail-in, under which the SARB is empowered to take one or more of the following actions in relation to a designated institution in resolution:
Statutory bail-in enables the SARB to recapitalise a designated institution at the point of entry into resolution. Banks must maintain a specified level of liabilities that are designated for bail-in in resolution, enabling the SARB to assign first losses to shareholders and creditors with sufficient capacity to also restore the capital of a bank in resolution.
Statutory bail-in can only be applied in resolution and must strictly follow the statutory credit hierarchy and safeguards set out in the relevant provisions of the FSRA.
Additionally, the SARB as resolution authority can transfer assets and liabilities of a bank in resolution, establish a bridge institution, institute temporary moratoria on certain proceedings and the exercise of early termination rights and suspend obligations of the bank in resolution.
Provisions in certain contracts that provide for acceleration and early termination on entry into resolution or the taking of resolution action are not effective in respect of a bank in resolution. The PA has mandated a contractual recognition approach in this regard, requiring amendments to banks’ agreements that are governed by foreign law.
Creditors are protected by implementation of the “No Creditor Worse Off Rule” and the requirement that claims follow the insolvency hierarchy of claims, while allowing for some flexibility.
Depositor Preference Rules
The FSRA also contains a simple depositor preference regime, which applies only to covered deposits and any bank in respect of which insolvency proceedings are commenced. The regime requires that in insolvency, covered deposits should be paid out of the estate of an institution in resolution before concurrent claims, regulatory capital instruments and shareholders. The FSRA provides that “covered deposits”, together with interest thereon, must be paid after payment of any preferred creditors (including secured creditors, the South African Revenue Services, the salaries and wages of employees, costs of liquidation, costs of execution and special notarial bonds) provided for in the Insolvency Act, but before payment of any other unsecured creditors.
Although relevant sections of the FSRA became effective from 1 June 2023, no deposits will be “covered deposits” until the DIF becomes operational. Preferred deposits will rank pari passu amongst themselves.
There are a number of upcoming regulatory developments that may have an impact on South African banks.
Proposed Guidance Note
The South African bank regulatory regime does not currently include any duty to supply disclosures on ESG matters; however, the SARB released a proposed guidance note (the “Proposed ESG GN”) earlier this year relating to climate-related disclosures for banks. The purpose of the Proposed ESG GN will be to supply guidance to banks regarding climate-related disclosures, taking into consideration recommendations of the Taskforce for Climate-Related Financial Disclosures (TCFD) and the International Sustainability Standards Board (ISSB), under the four thematic areas of governance, strategy, risk management, and metrics and targets.
The Proposed ESG GN sets out a list of overarching requirements to fulfil when disclosing climate-related risks and opportunities. The SARB will expect banks to produce climate-related disclosures and reports that, at a minimum, fulfil the following principles:
Additionally, the board should ensure that a bank annually discloses, inter alia, its practices in maintaining oversight and the role of senior management in relation to climate-related risks and opportunities.
From a strategic point of view, a bank should disclose annually the current and expected impacts of climate-related risks and opportunities on the bank’s business, strategy and financial planning.
A bank should describe its risk management policies, processes and controls for identifying, assessing and managing climate-related risks, and managing these risks into the bank’s overall risk management.
A bank should disclose metrics and targets that enable stakeholders to evaluate the bank’s exposure, measurement and management of climate-related risk.
Initially, banks’ ESG disclosures will not be subject to independent external assurance.
It is not clear when the Proposed ESG GN will become effective.
6th Floor
90 Grayston
90 Grayston Drive
Sandton
Johannesburg 2196
South Africa
+27(0) 10 597 9850
Reception.Johannesburg@AllenOvery.com www.allenovery.com