17 August 2023

Data Protection and Cybersecurity in the Open Finance space

Submitted by: Teresa Settas

By Karl Blom, Partner & Lerato Lamola, Associate Director from Webber Wentzel

The FSCA has published a draft paper addressing the risks and possible remedies arising from data sharing in Open Finance, on which it is seeking public comment.

The future of financial services is digitisation. As with all digital applications, data is a critical component, and it has immense commercial value in the financial services industry.

In June 2023, the Financial Sector Conduct Authority (FSCA) published a draft paper on Open Finance. The draft paper refers to Open Finance as "the practice of consent-based financial data sharing and payment initiation, with suitably authorised third parties, safely and ethically".

Open Finance is seen as a beneficial tool in addressing financial inclusion, as it will allow financial institutions to create financial products and services that will meet the needs of consumers. The draft position paper highlights five use cases for Open Finance that leverage consumer financial data to offer personalised financial services and products. These are: (1) account aggregation, (2) financial management, (3) payment initiation, (4) alternative lending and (5) insurance.

The FSCA notes it is important to cater for new risks, particularly where a consumer's financial data is concerned. These risks include: (1) privacy and protection of personal data, (2) misconduct, (3) operations and cybersecurity, and (4) fraud.

Cybersecurity and data protection

Each participant in the Open Finance space faces unique risks and challenges, and the FSCA has noted that some remedies can be utilised to mitigate these risks:

Participant: Customer
Risk: Potential data leak or unauthorised use.
Remedy: Implement adequate standards of protection and safeguards. Ensure that a customer provides explicit consent and has a full understanding of the scope of authorisation given to third parties.

Participant: TPPs
Risk: Operational, cybersecurity and contagion risk. Unethical employees use or sell customer data to unscrupulous parties.
Remedy: Prioritisation of cybersecurity and information security management. Third-party Payment Service Providers ("TPPs") brought within the regulatory net.

Participant: Financial institutions
Risk: Reputational risk, where fraudulent or rogue TPPs obtain access to the system.
Remedy: Implement a suitable regulatory and risk management framework for TPPs. Require strong governance to be in place when partnering with or outsourcing to TPPs.

It is important to assess the suitability of Open Finance in South Africa, taking into consideration the existing privacy and data protection regulatory frameworks and the possible need for developments in the regulatory space, given that Application Programming Interfaces (APIs) and TPPs lie outside the current framework. The FSCA acknowledges that South Africa has existing regulatory frameworks to deal with data protection, privacy and cybersecurity. The intention is not to create a new regime for Open Finance but to amplify existing frameworks. The existing frameworks discussed were as follows:

  • Protection of Personal Information Act, 4 of 2013 (POPIA), which provides for sharing information through voluntary, specific and informed consent;
  • Cybercrimes Act 19 of 2020, which criminalises certain cyber-related acts, including the disclosure of data messages which are harmful; and
  • Draft Joint Standard for Cybersecurity and Cyber Resilience Requirements (draft Cyber Joint Standard), which sets out the minimum standards for sound practices and processes to ensure that financial institutions are equipped to respond and react to, and recover from, cyber-attacks.

Regulatory Proposals

The Draft Position Paper makes several proposals, including:

[Figure: summary of the regulatory proposals made in the Draft Position Paper]

The draft paper is open for public comment until mid-August. The FSCA intends to use the submissions from the industry to finalise its policy positions around Open Finance.

Given the ever-increasing risks associated with cybersecurity and privacy (including frequent ransomware attacks and the sale of user credentials), any responses to the draft paper (and hopefully any outcomes arising from it) should align with the existing cybersecurity and privacy principles set out in our law. In our view, a consolidated approach between regulators and industry sectors on these cybersecurity and privacy principles remains the desired outcome. We believe that specific requirements on these items should only be imposed where it is strictly necessary to achieve a desired outcome. This will increase harmonisation across sectors and reduce barriers to entry for new participants.