The Requirements for Licensing OTC Derivative Providers

Since the beginning of South Africa’s regulation of Over-The-Counter Derivatives Providers (ODPs) in 2018, when such providers required licensing under the Financial Markets Act 2012 Regulations, there have been a significant number of license applications but only a few approvals.

Obtaining an ODP license can be a long and arduous process. The standard licensing requirements appear in the Financial Markets Act 19 of 2012 (“FMA”) Conduct Standards and associated Application Indexes. In Conduct Standard 1 of 2018 – Criteria for Authorisation of OTC Derivatives Providers (the Criteria), the requirements include operational capital requirements, fit and proper requirements, authentic risk management and governance controls. Our engagements with the Financial Services Conduct Authority (“FSCA”) during licensing applications have revealed that certain requirements in the conduct standards and indexes do not always provide sufficient detail to guide the preparation of an application item that is adequate for the FSCA. The fact that requirement specifics will vary depending on the size and complexity of the applicant ODP further exacerbates the matter.

Two examples of application requirements that do not provide guidance on preparation for submission are the approved IT Framework, policies and governance structures in item 6(vi) of the Application Index 2 to be Completed by all Over-The-Counter Derivative Providers (ODP) Applicants (Non-Banks), and Business Continuity Planning in paragraph 4.5 of the Criteria.

The financial sector recognises cybersecurity as a risk that weighs heavily on modern business infrastructure. Consequently, a Cybersecurity Policy is a standard part of the approved IT Framework. On a basic level, the policy should include detail about the controls of the enterprise to mitigate such risk. The Regulator has, however, insisted that some applicants expand further and explain how the cybersecurity controls operate in practice. This explanation is expected in part in the form of a “Penetration Test Report”. Penetration testing is a form of authorised ethical hacking. The objective is to allow cyberattacks by an authorised person on the IT network of an applicant ODP in order to evaluate the strength of the system security and the ability to resist unauthorised entry. The results of the network attack, including any shortcomings and recommendations for improvement, would be reflected in the Penetration Test Report.

Under the large umbrella of disaster recovery, business continuity plans are a common request in licence applications. The Regulator expects that when disasters eventually occur, such as the COVID-19 pandemic that severely impacted enterprises and the national economy at large, applicant ODPs are fully prepared to maintain operations with minimal to no interruption. Of course, even smaller events are capable of stifling business operations. The human element that necessarily forms part of every enterprise creates an ever-changing landscape of uncertainty and risk. Resignation, illness and death are only the inevitable risks that accompany every human resource. Employees provide skills, knowledge and expertise to the enterprise. Consequently, a common item requested in the ODP application feedback by the Regulator is the applicant’s “Succession Plan.” The Succession Plan presents the details of the individuals selected to take up the mantle of crucial business positions. Readiness indicators, training and skills development schedules are common features of the Plan that the Regulator expects to see.

Again, the level of detail to be included in items such as the Penetration Test Report and Succession Plan will depend heavily on the applicant ODP’s intended business model and its scale and complexity. Recognising this, the FSCA has expressly reserved the right to “request any additional information deemed necessary” for the application in the Notice of FSCA Instructions for ODP Applications published on 15 March 2019. Applicant and operational ODPs would do well to thoroughly consider each requirement through the lens of risk rather than as part of a tick-box-like compliance exercise. This will significantly streamline the application and license maintenance processes.