
The South African Joint Standards

The South African Joint Standard sets IT governance and risk management requirements that strengthen resilience; from 15 November 2024, boards must demonstrate evidence of oversight, accountability, and compliance.

What are The South African Joint Standards?

The South African Joint Standards are legally binding regulatory instruments issued jointly by the Financial Sector Conduct Authority (FSCA) and the Prudential Authority. They are created under the authority of the Financial Sector Regulation Act, 2017 (FSR Act) and are used to impose uniform, cross-sector requirements on financial institutions where both conduct and prudential considerations are relevant. A Joint Standard therefore represents a coordinated regulatory position, rather than guidance or best practice, and compliance is mandatory for in-scope institutions.

From a legal perspective, a Joint Standard derives its force from sections 105 to 108 of the FSR Act, which empower the FSCA and the Prudential Authority to issue standards jointly where regulatory objectives overlap. Once published, a Joint Standard has the same enforceability as other subordinate financial sector legislation. Failure to comply may trigger supervisory action, enforcement measures, or administrative penalties, depending on the nature and severity of the breach.

In terms of scope, Joint Standards apply only to defined categories of “financial institutions” as set out in each individual standard. This typically includes banks, insurers, market infrastructures, pension funds, and certain financial services providers. Each Joint Standard specifies its own application criteria, commencement date, proportionality principles, and interaction with other financial sector laws, ensuring that requirements are applied in a manner consistent with the size, complexity, and risk profile of the institution.

Substantively, Joint Standards are used to regulate horizontal risk areas that affect the stability, integrity, and resilience of the financial sector as a whole. Recent examples include requirements for IT governance and risk management and for cybersecurity and cyber resilience. In this sense, a Joint Standard functions as a minimum regulatory baseline: institutions must implement governance frameworks, controls, and oversight mechanisms that meet the prescribed outcomes, while retaining flexibility in how those outcomes are achieved within their specific operating context.

Who must comply & what is expected

Who must comply

Compliance with a South African Joint Standard is mandatory for the categories of financial institutions explicitly defined in that standard. In practice, this includes banks, mutual banks, insurers, controlling companies, market infrastructures, pension funds, and specified categories of financial services providers, as set out under the Financial Sector Regulation Act, 2017. Joint Standards are issued jointly by the Financial Sector Conduct Authority and the Prudential Authority and apply on a consolidated basis, meaning that regulated entities must also account for risks arising from subsidiaries, branches, and juristic persons within their group structures, both locally and, where specified, internationally.

What is expected

Financial institutions subject to a Joint Standard are expected to implement the minimum principles, governance arrangements, and control requirements prescribed in the standard on a continuous basis. This typically includes governing-body accountability, formally approved strategies and frameworks, defined roles and responsibilities, effective risk identification and management processes, and regular review and assurance activities. The standards are explicitly outcomes-based and proportional, requiring institutions to demonstrate that their controls are appropriate to their nature, size, complexity, and risk profile, while remaining fully accountable for compliance. Joint Standards therefore establish a regulatory baseline that institutions must adhere to through supporting documentation, oversight, and ongoing operational practices.

How software escrow maps to the Joint Standard

Software escrow maps directly to the governance and risk management outcomes required under the South African Joint Standards by supporting a financial institution’s accountability for third-party and technology risk. Under Joint Standard 1 of 2023, governing bodies remain fully responsible for the management of IT risks, including those arising from outsourced and third-party software dependencies. Software escrow operationalises this responsibility by establishing a formally governed, contractually enforceable mechanism that ensures continued access to critical software assets if a vendor fails, becomes insolvent, or is otherwise unable to perform. This directly supports the requirement for effective IT governance, asset protection, and oversight of external dependencies.

From a risk management and resilience perspective, software escrow aligns with Joint Standard requirements relating to IT resilience, business continuity, and recoverability. The Joint Standards require financial institutions to identify critical IT assets, define recovery objectives, and implement measures that enable the continuation or restoration of services following disruption. Escrow arrangements support these outcomes by safeguarding source code, documentation, and deployment artefacts for systems that underpin important business services. When combined with verification and testing, escrow provides evidence that recovery plans are not theoretical but technically achievable, reinforcing compliance with minimum resilience and continuity expectations.

Finally, software escrow supports the assurance, evidence, and supervisory expectations embedded in the Joint Standards. Financial institutions are required to demonstrate, through documentation and independent review, that controls are effective and proportionate to their risk profile. Escrow agreements, deposit records, and verification reports form auditable artefacts that substantiate how third-party software risks are mitigated in practice. In this way, software escrow functions as an enabling control that helps institutions comply with Joint Standard requirements issued by the Financial Sector Conduct Authority and the Prudential Authority.

How ESCROWSURE makes sure that you are compliant

ESCROWSURE ensures compliance with South Africa’s Joint Standard 1 of 2023 (IT Governance and Risk Management) and Joint Standard 2 of 2024 (Cybersecurity and Cyber Resilience) by embedding verifiable business continuity mechanisms through its escrow services. These services are built to satisfy regulatory expectations for operational resilience, including the requirement for tested business continuity and stressed exit plans. ESCROWSURE’s Full Verification process confirms that the deposited source code and associated technical documentation can be compiled, deployed, and maintained without the software vendor. This level of assurance aligns with Articles 13 and 14 of Joint Standard 1, which require financial institutions to establish continuity and IT assurance processes for all critical services.

ESCROWSURE also ensures compliance with Joint Standard 2 of 2024, reflecting a proactive stance on cybersecurity, resilience and risk mitigation. The standard requires financial institutions to anticipate, withstand, and recover from cyber incidents, and ESCROWSURE supports this by ensuring that critical software assets are securely stored, regularly tested, and protected in accordance with the ISO 27001:2022 and ISO 27017:2015 standards. This model safeguards the integrity, availability, and confidentiality of vital custom third-party information systems, directly addressing the governance and assurance requirements outlined in the standard.

Commencement

The South African Joint Standards framework derives its legal authority from publication under the Financial Sector Regulation Act and becomes legally enforceable on the commencement dates specified in each individual standard. The first binding Joint Standard in this series, Joint Standard 1 of 2023: IT Governance and Risk Management, formally commenced on 15 November 2024. From this date, in-scope financial institutions became legally obligated to comply with its minimum requirements on a continuous basis, under the joint supervisory authority of the Financial Sector Conduct Authority and the Prudential Authority.

Update: Joint Standard 2 of 2024 – Cybersecurity and Cyber Resilience

Following Joint Standard 1, the regulators issued Joint Standard 2 of 2024, which expands the Joint Standard framework into dedicated cybersecurity and cyber-resilience requirements. This standard formally commenced on 01 June 2025 and introduces explicit obligations relating to cyber governance, security controls, resilience capabilities, and regulatory reporting of cyber incidents. While distinct from Joint Standard 1, it is intended to be read and applied alongside it, strengthening the regulatory baseline for technology, cyber risk, and operational resilience across the financial sector.

Update: Progressive expansion of the Joint Standard framework

Taken together, Joint Standard 1 of 2023 and Joint Standard 2 of 2024 reflect a deliberate regulatory progression rather than isolated updates. The authorities have signalled, through the structure and sequencing of these standards, an ongoing move toward more granular and enforceable requirements for IT risk, third-party dependency management, and cyber resilience. As a result, this section should be treated as a living regulatory timeline, with future Joint Standards or amendments expected to build incrementally on the existing framework rather than replace it.

Frequently Asked Questions

Is the agreement customizable? How much customization do you allow?

Yes, absolutely. We believe that each escrow environment is unique and requires a customized approach. ESCROWSURE’s in-house legal counsel will craft a bespoke escrow agreement, tailoring the provisions to your specific requirements.

What are the primary IT requirements of the Joint Standards?

The Joint Standards require financial institutions to establish and maintain formal IT governance, risk management, and resilience frameworks approved by the governing body. Core requirements include an IT strategy aligned to business objectives, a documented IT risk management framework, clear roles and responsibilities, identification and protection of IT and information assets, and effective oversight of outsourced and third-party IT dependencies. Institutions must also implement business continuity and disaster recovery capabilities with defined recovery objectives and ensure ongoing assurance through independent review, as mandated by the standards issued by the Financial Sector Conduct Authority and the Prudential Authority.

What are the requirements for handling confidential and sensitive information, including data encryption and access controls?

The Joint Standards require financial institutions to safeguard sensitive and confidential information against unauthorised access, disclosure, modification, or loss. This includes implementing appropriate access controls based on the principle of least privilege, ensuring the use of strong authentication mechanisms for privileged users, and applying cryptographic controls where necessary to protect data confidentiality and integrity. Institutions must also classify information assets according to criticality and sensitivity, monitor access to such information, and ensure that third-party service providers are contractually bound to equivalent information security and data protection controls.

Why do we need escrow for SaaS applications?

With SaaS applications, the software is not accessed on a server located on the end user's premises; instead, it is hosted remotely in the cloud by a hosting services provider, usually paid for by the software vendor. This introduces an additional layer of risk, as it adds to the supply-chain dependencies.

In addition, the data generated by the application is hosted in the cloud too. This means that if the software vendor were to stop answering the phone, both the application and the data could immediately be beyond the reach of the end user.

Some end users believe that a migration to a cloud service eliminates the need for an escrow arrangement.

But this is not true.

If anything, the need for escrow is greater for SaaS applications, because the additional layer of risk puts both the software and the data at risk if the worst should happen.

What are the expectations for ongoing threat monitoring and analysis, and what tools or processes should be implemented?

Financial institutions are expected to implement continuous monitoring processes to identify, assess, and respond to IT and cyber threats on an ongoing basis. This includes maintaining visibility over the attack surface, conducting regular vulnerability assessments and testing, monitoring security events, and analysing threat intelligence relevant to the institution’s operating environment. The standards do not mandate specific technologies, but require that monitoring tools, detection capabilities, and incident response processes are proportionate to the institution’s size, complexity, and risk profile, and are integrated into the broader enterprise risk management framework.

What is the process for conducting a gap analysis to assess readiness for compliance, and what are the steps for remediation?

A gap analysis involves systematically assessing existing IT governance, risk management, and cybersecurity practices against the minimum requirements set out in the applicable Joint Standards. Institutions should first map regulatory requirements to internal policies, controls, and processes, identify areas of partial or non-compliance, and assess the associated risk and materiality. Remediation then requires the development of formal action plans approved by senior management or the governing body, with defined owners, timelines, and success criteria. Progress must be monitored, documented, and independently reviewed to demonstrate that gaps have been effectively closed and that compliance is sustainable on a continuous basis.