This month’s update highlights developments from both the Financial Sector Conduct Authority (FSCA) and the Information Regulator (IR). From the FSCA’s alignment with the forthcoming COFI Bill to rising attention on AI adoption and investment scams, and from telemarketing under POPIA to ongoing enforcement cases, these developments reinforce the importance of staying informed, maintaining strong compliance frameworks, and proactively managing emerging risks.
FSCA aligning supervisory approach to COFI principles.
Moonstone recently reported that the FSCA has begun aligning its supervisory and regulatory approach to the principles of the Conduct of Financial Institutions (COFI) Bill, despite the Bill not yet being enacted.
Commentary by the FSCA at the Financial Planning Institute of Southern Africa’s annual convention indicated that the Authority has taken a strategic decision to move towards a more outcomes-focused, activity-based approach in anticipation of COFI.
The FSCA has furthermore established internal working groups focusing on areas such as governance, culture, competency frameworks, and risk management, applying elements of COFI through existing regulatory instruments where possible.
Source:
FSCA is aligning its work with COFI before the Bill becomes law – Moonstone
https://www.moonstone.co.za/fsca-is-aligning-its-work-with-cofi-before-the-bill-becomes-law/
Artificial intelligence in South Africa’s financial sector: Key insights
The Financial Sector Conduct Authority (FSCA) and Prudential Authority (PA) have published a comprehensive report on the adoption of artificial intelligence in South Africa’s financial sector. According to the report, Artificial Intelligence in the South African Financial Sector (November 2025), banking institutions are leading the way, with more than half already using AI, while payments providers follow closely. Insurance and lending remain cautious, reflecting slower uptake.
Investment patterns show a clear divide: banks are committing significant resources, with nearly half planning to invest more than R30 million in AI initiatives, while insurers and investment firms generally limit their spend to under R1 million. Traditional AI applications are concentrated in fraud detection, operational efficiency, and compliance, while generative AI is gaining traction in marketing, internal automation, and policy drafting. Institutions cite improved data analytics, productivity gains, and enhanced cybersecurity as the most notable benefits.
However, the report underscores critical risks, including data privacy and protection under POPIA, cybersecurity vulnerabilities, algorithmic bias, and systemic dependencies on third-party providers. Talent shortages and challenges around transparency and explainability remain significant barriers to broader adoption. Regulatory frameworks such as POPIA, the FAIS Act, and the forthcoming Conduct of Financial Institutions Bill will play a pivotal role in shaping responsible AI deployment, alongside global influences like the EU AI Act.
For compliance teams, the implications are clear: robust governance frameworks are needed to manage data quality, validate models, and oversee AI risks. Explainability techniques such as Shapley Additive explanations (SHAP) and Local Interpretable Model-Agnostic Explanations (LIME) should be implemented to ensure transparency in AI-driven decisions, and institutions must provide clear disclosure when AI influences consumer outcomes such as credit scoring or insurance pricing. Ethical standards and enhanced oversight will be essential to mitigate bias and maintain consumer trust as the sector moves toward a more AI-driven future.
Source:
FSCA & Prudential Authority, Artificial Intelligence in the South African Financial Sector (Nov 2025)
South Africans urged to stay vigilant amid rising social media investment scams
The Financial Sector Conduct Authority (FSCA) has issued numerous warnings following a surge in fraudulent investment schemes and impersonation scams circulating on platforms such as WhatsApp and Telegram. The regulator confirmed that these schemes often masquerade as legitimate operations, making it harder for consumers to identify the risks.
According to the FSCA, millions of rands are lost annually to fraudsters, and the trend continues to escalate. The Authority’s advice is clear: exercise caution, verify before you invest, and avoid rushing into offers that seem too good to be true.
Source:
FSCA Media Releases
https://www.fsca.co.za/Latest-News/
Telemarketing and POPIA: IR moves to clarify legal position
The Information Regulator (IR) is pursuing a court test case to determine whether telemarketing constitutes "electronic communication" under section 69 of the Protection of Personal Information Act (POPIA). The IR’s Guidance Note on Direct Marketing, issued in December 2024, treats telephone calls as electronic communications under section 69 of POPIA. At a media briefing on 13 November 2025, Advocate Pansy Tlakula, the IR chairperson, acknowledged that the direct marketing sector disputes this interpretation.
The IR has received multiple complaints about telemarketing and is pursuing a case to have the matter tested in court. Section 69 prohibits sending unsolicited marketing communications unless the recipient has consented or is an existing customer who has been given the opportunity to object. The outcome of the test case is expected to clarify how POPIA applies to telephone-based marketing.
Source:
The Information Regulator briefs members of the media on key POPIA and PAIA matters
Media briefing: Key POPIA and PAIA Matters
On 13 November 2025, Advocate Pansy Tlakula, Chairperson of the Information Regulator (IR), addressed the media on key developments under the Protection of Personal Information Act (POPIA), the Promotion of Access to Information Act (PAIA), and other legislative matters. Highlighting the IR’s dual mandate, she outlined ongoing litigation and enforcement actions that continue to shape data privacy and access-to-information practices in South Africa.
Litigation Matters
High-profile cases currently before the courts include the IR’s action against the Department of Basic Education over the publication of matric results, litigation involving the Department of Justice and Constitutional Development following a security breach, and the recently resolved case with WhatsApp LLC. Ongoing PAIA-related matters, such as Swartkops Sea Salt (Pty) Ltd and Another v Information Regulator and Others, also remain under review.
POPIA Matters
The IR has issued several Infringement Notices for non-compliance with POPIA, including Blouberg Municipality (R500,000), Lancet Laboratories (R100,000, paid), and FT Rams Consulting (R100,000, court proceedings ongoing). Security compromise incidents continue to rise, with 1,947 breaches reported since April 2025—a 40% increase compared to the previous year. Amended POPIA regulations, effective April 2025, introduce stricter requirements for direct marketing, data subject objection handling, and overall compliance frameworks.
PAIA Matters
Enforcement under PAIA remains active for both public and private bodies. Notable cases include Organisation Undoing Tax Abuse v Road Traffic Management Corporation, Pieter-Louis Myburgh v The State Security Agency (SSA), Kudung CPA, and Nigel Lawrence, Samuel Williams and Michel Consalves v Oceana Empowerment Trust. The IR is also addressing jurisdictional challenges with multinational platforms such as Google LLC and Meta Inc., affirming that PAIA applies to entities doing business in South Africa even if they are domiciled abroad. Compliance assessments show improvements in annual report submissions, though challenges persist, especially among TVET colleges and municipalities.
Digitisation of the Regulator’s Service Platforms
To improve efficiency and public accessibility, the IR has launched several digital platforms, including iSupport for query management, a Security Compromise Reporting System, and a POPIA Complaints Submission System, with plans to extend similar functionality to PAIA complaints. These initiatives streamline processes, enhance transparency, and have earned recognition through awards for ICT leadership, digital governance, and service innovation.
Source:
The Information Regulator briefs members of the media on key POPIA and PAIA matters.
Conclusion
November’s developments show that both the FSCA and the Information Regulator are actively shaping the way South Africa’s financial and data-protection sectors operate. From preparing for COFI, addressing AI risks, and monitoring social-media scams, to enforcing POPIA and PAIA compliance, regulators are clearly signalling higher expectations for governance and accountability. For businesses and compliance teams, the message is simple: stay informed, strengthen controls, and be ready to adapt as the regulatory landscape continues to evolve.
