IN CONVERSATION WITH FRANCOIS GROEPE
In 2016 alone, the South African Reserve Bank (SARB) processed payments to the value of R140-trillion – 30 times the gross domestic product (GDP) of South Africa. Significant change has occurred in the financial services space recently, attracting much interest in these innovations. The Deputy Governor of the SARB responsible for financial stability shares his views
MANY SOUTH AFRICANS ARE AWARE THAT THE SARB PRINTS MONEY, BUT NOT MANY KNOW ABOUT THE NATIONAL PAYMENT SYSTEM. WHAT IS THE SARB’S ROLE IN THE SYSTEM AND HOW IS IT LINKED TO ITS MANDATE TO PROTECT THE VALUE OF THE CURRENCY?
The SARB is responsible for establishing, conducting, monitoring, regulating, and supervising all the payment, clearing, and settlement systems in South Africa. It executes this mandate through its National Payment System Department (NPSD). NPSD is the owner and operator of South Africa’s real-time gross settlement system, better known as the South African Multiple Option Settlement (SAMOS) system. SAMOS allows all interbank transactions to be settled in central-bank money and ensures that all interbank payments become final and irrevocable; it concludes economic transactions between parties, thus ensuring that legal certainty is achieved.
South Africa’s national payment system is made up of various payment streams within the large-value payment systems and the more familiar retail payment systems. These payment streams include cheques, cards, and electronic fund transfers such as Internet payments and debit orders.
The SARB plays an important role in ensuring that the payments financial market infrastructure remains efficient and safe, thus supporting the SARB’s role in maintaining financial stability and ensuring the public’s confidence in the financial system.
TECHNOLOGY IS DISRUPTING LIFE AS WE KNOW IT ON A DAILY BASIS. HOW IS THE SARB, IN ITS MULTIPLE ROLES IN THE FINANCIAL SECTOR, ENSURING THAT THE BANKING SYSTEM IS CYBER-SECURE?
The SARB addresses cybersecurity through the microprudential supervision of banks, the macroprudential regulation of the financial system, and oversight of the financial market infrastructure.
The SARB is responsible for the regulation and supervision of banks in South Africa. One of its functions is promoting the soundness of the banking system and contributing to financial stability.
An Information Technology (IT) Risk Division was established in 2012 with the primary responsibility of looking at IT risks for the banking industry. While conducting on-site visits to banks, this division has addressed various IT governance topics, including information security and cybersecurity.
In 2013, the SARB assessed mobile-devices and Internet-banking fraud in the South African banking industry. No significant findings were made, other than the need for a more collaborative approach between the banks and other industry players, including critical infrastructure providers. Also in 2013, a short IT survey was issued to the industry, touching on some aspects of information security. In 2015, a more substantive survey was issued, covering both information security and enterprise architecture management. Neither survey highlighted any material weaknesses, although the need to be constantly aware of new modi operandi in the cybersecurity space was emphasised. Cybersecurity was subsequently added as a topic for discussion with banks’ boards of directors.
From a regulatory perspective, the SARB applies international principles, such as those in the Basel frameworks, to the South African context. In 2016, the Committee on Payments and Market Infrastructures as well as the International Organization of Securities Commissions, issued cyber-resilience guidance for financial market infrastructures. The SARB issued these guidelines as a guidance note to the banking industry.
Maintaining payment security is required of all entities that store, process, or transmit cardholder data. In terms of retail payment systems, the SARB, through the Payments Association of South Africa, requires all banks, system operators, and certain merchants who store, process or transmit card information to adhere to the Payment Card Industry Data Security Standards. Cross-functional working groups within the SARB are currently considering how to make the financial system more cyber-secure. This includes looking at regulation, incident reporting, and responding to incidents. The SARB also collaborates with role players such as the South African Banking Risk Information Centre on their cybersecurity initiatives, and engages with financial industry computer security incident response teams.
As part of its responsibility to protect and enhance financial stability, the SARB also manages cyber-risk through the Financial Sector Contingency Forum (FSCF), which has become a statutory body in terms of the newly enacted Financial Sector Regulation (FSR). The FSCF comprises key financial sector decision-makers, including the SARB, National Treasury, other financial-sector regulators, financial market infrastructures, and financial industry associations.
The FSCF was established to help coordinate the process of financial sector contingency planning and crisis management. In terms of the FSR Act, the forum’s objectives include the identification of potential threats to the stability of the South African financial system as well as the development and coordination of appropriate plans, mechanisms, and structures to mitigate these threats.
Excerpt from an article published in the 9the dition of Top 500: South Africa’s Best Managed Companies.