National Payment System Act, 1998 (Act No. 78 of 1998)NoticesDirective in respect of Cybersecurity and Cyber-Resilience within the National Payment System2. Background |
2.1 | In terms of section 10(1)(c) of the South African Reserve Bank Act 90 of 1989, as amended (SARB Act), the South African Reserve Bank (SARB) is required to perform such functions, implement such rules and procedures, and, in general, take such steps as may be necessary to establish, conduct, monitor, regulate and supervise payment, clearing and settlement systems. Furthermore, the NPS Act provides for the management, administration, operation, regulation and supervision of payment, clearing and settlement systems in the Republic of South Africa, and for connected matters. The power to perform the functions as provided in the SARB Act and the NPS Act is performed by the National Payment System Department (NPSD) within the SARB. The SARB plays an important role in ensuring the safety, efficiency and resiliency of the national payment system (NPS). |
2.2 | The NPS encompasses the entire payment process, from payer to beneficiary, and includes settlement between banks. The process includes all the tools, systems, instruments, mechanisms, institutions, agreements, procedures, rules or laws applied or utilised to effect payment. The NPS is a primary component of the country’s monetary and financial system as it enables the circulation of money and assists transacting parties in making payments and exchanging value. |
2.3 | In terms of section 12 of the NPS Act, the SARB is empowered to issue directives, after consultation with the payment system management body(PSMB), to any person regarding a payment system or the application of the provisions of the NPS Act. Currently, in terms of section 3 of the NPS Act, the Payments Association of South Africa is recognised by the SARB as a PSMB to organise, regulate and manage its members in the payment system. |
2.4 | The payment landscape has evolved significantly over the past two decades, with digitisation, financial technology (fintech), automation and artificial intelligence (AI) changing the manner in which payments are effected. The rapid growth in digitisation and automation has introduced alternative payment solutions that are faster, more cost-effective and more efficient. However, these technologies also increase cyber-risk in the NPS as payment institutions become more dependent on computer networks and third-party IT service providers. This requires an increased level of resilience against cyber-incidents, as cyber-attacks on IT infrastructures, particularly those that are critical, could lead to a disruption that might develop into systemic events in the NPS, thus impacting negatively on the soundness, integrity, safety and efficiency of the NPS. |
2.5 | The cyber-environment exposes payment institutions, operators as well as payment, clearing and settlement systems to potential operational, legal and reputational risks, including business interruptions, data loss, fraud, breach of privacy and network failures, which may result in financial losses. Cybersecurity and cyber-resilience contribute positively to the operational resilience of payment institutions , operators, as well as payment, clearing and settlement systems and payment system FMIs, and further contribute to the overall resilience of the broader NPS. |
2.6 | The resilience of payment institutions, operators as well as payment, clearing and settlement systems will minimise disruptions within the NPS and contribute to maintaining the confidence of consumers in payment systems and services. Furthermore, it is vital that payment system FMIs, as essential platforms in the NPS, are also secure from, and resilient to, cyber-threats and cyber-attacks. A lack of security controls and recovery from cyber-attacks and cyber threats may lead to low levels of cybersecurity protection and the failure to settle obligations in the settlement system by the end-of-value date, trigger a systemic event and/or cause financial instability. |