Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.

Regulatory issues

Regulatory approach

How would you describe the regulatory policy for fintech products and services in your jurisdiction?

South African regulators have adopted a pro-innovation stance. The South African Reserve Bank (SARB) set the tone in 2009 by issuing a position paper on electronic money, stating that it welcomed innovative new technological developments, wished to familiarise itself with these and would continue to assess the benefits and use of such innovations to enhance financial access and efficiency. This was followed by a media statement in February 2018 in which SARB set out its approach to fintech innovations. In its statement, SARB indicated that it is taking a balanced approach to technological innovations in light of potential benefits and risks. SARB has recently established the FinTech Programme to strategically assess the emergence of fintech in a structured and organised manner and consider its regulatory implications. The main goal of the programme is to track and analyse fintech developments and assist policymakers in formulating frameworks in response to these emerging innovations. According to the media statement issued by SARB on February 13 2018, the programme will focus on three primary objectives:

  • review the SARB’s position on private cryptocurrencies to inform an appropriate policy framework and regulatory regime;
  • investigate and decide on the applicability of innovation facilitators for SARB; and
  • launch Project Khokha, which will experiment with distributed ledger technologies.

Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?

There are currently no fintech-specific laws.

Regulatory authorities

Which government authorities regulate the provision of fintech products and services?

SARB, the Financial Services Board (which is to be replaced by the Financial Sector Conduct Authority) and the Financial Intelligence Centre have jurisdiction over different aspects of fintech-based products. However, these regulators have confirmed that they do not currently regulate digital currencies. In early 2018, the government established a multi-agency working group to engage the industry on various aspects of digital financial innovation, particularly cryptocurrency.

Financial regulatory framework

Which laws and regulations governing the provision of financial services apply to fintech businesses?

South African financial services legislation is wide enough to apply to most fintech products and services providers. The insurance acts already have broad deeming provisions that allow the regulator to require licensing. In the credit lending environment, the National Credit Act 2005 applies to credit transactions having an effect within South Africa. However, this does not mean that fintech businesses and products will be caught in all instances. For example, a cryptocurrency lending platform will not trigger any registration requirements under the National Credit Act.

Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?

No licensing requirements apply specifically to fintech businesses in South Africa. Under the current framework, they must be licensed only if they provide fintech-based products or services essentially similar to regulated financial products or services. Examples are the insurance, financial services and credit lending industries.

Are any fintech products or services prohibited in your jurisdiction?

No, but South African regulators have warned the public about investing or transacting in perceived risky instruments such as digital currencies. On September 18 2014 SARB, the Financial Services Board and the Financial Intelligence Centre warned that as there are no specific laws or regulations on virtual currencies, there is no legal protection for users. This was echoed in a December 2014 position paper in which SARB pointed out that digital currency is unregulated and, therefore, participants engage in it at their own risk.

Data protection and cybersecurity

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The Protection of Personal Information Act 4/2013 will govern this. Certain provisions of the act are already in effect, but not the operative provisions on when and how personal information may be lawfully processed. These are expected to come into effect during 2018. That said, it is already common practice for businesses in South Africa to comply given common law and constitutional rights protecting personal information.

Anyone processing personal data will be bound by the Protection of Personal Information Act, including fintech providers. For example, personal information may be collected only for a specific, explicitly defined and lawful purpose, and kept only until that purpose has been served. There are restrictions on using data collected for electronic data marketing, including via email and text.

Data subjects have the right to know who is processing their personal information and why, and to prevent it from being used for direct marketing.

The Protection of Personal Information Act specifically prohibits the transfer of personal data to a third party in a foreign country unless that country has ‘adequate’ protections.

What cybersecurity regulations or standards apply to fintech businesses?

South Africa does not have a single, overarching legal and regulatory framework for cybersecurity. Cybersecurity is dealt with in various pieces of legislation, some with overlapping mandates.

This may change once the Cybercrimes and Cybersecurity Bill is passed. It was first tabled in Parliament in February 2017, but enactment has been delayed partly as a result of public and academic criticism that the bill is too broad. It will likely be enacted later in 2018, with far-reaching implications for individuals and organisations that process data, including fintech businesses.

Financial crime

What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?

No anti-fraud, anti-money laundering or other financial crime regulations specifically govern fintech products and services in South Africa. However, a fintech business may have to register as an accountable institution under the Financial Intelligence Centre Act 2001, South Africa’s chief anti-money laundering (AML) legislation. An example is where a particular fintech-based product meets the definition of a ‘financial product’ under the Financial Advisory and Intermediary Services Act 2002.

Other acts that govern financial crime in South Africa include:

  • the Prevention and Combating of Corrupt Activities Act 2004;
  • the Prevention of Organised Crime Act 1998; and
  • the Protection of Constitutional Democracy Against Terrorist and Related Activities 2004.

South Africa also belongs to the Financial Action Task Group and the Eastern and Southern Africa Anti-money Laundering Group.

No single law enforcement agency is charged with the investigation of financial crime in South Africa. Agencies with investigation powers include the South African Police Service, the National Prosecuting Authority and Asset Forfeiture Unit, the Public Protector and the Special Investigations Unit. The circumstances of each case determine who investigates it.

What precautions should fintech businesses take to ensure compliance with these provisions?

Fintech businesses should model their businesses on the regulatory regime that applies to similar, non-fintech businesses and products. For example, the Financial Intelligence Centre Act calls for certain know your client exercises and client verification procedures before conducting any transactions with clients. It also compels companies to report suspicious activity on clients’ accounts or transactions.

Fintech companies should be aware of how the compliance provisions of the Cybercrimes and Cybersecurity Bill will affect them.

They should have employees with AML expertise or access to specialist external AML advisers to ensure that new products and services comply with AML requirements.

Companies should also be aware of mandatory reporting obligations for certain frauds.

Consumer protection

What consumer protection laws and regulations apply to the provision of fintech products and services?

Just as the Consumer Protection Act 2008 applies to certain banking and financial service, it also applies to relevant fintech services. Its purpose is to promote fair business practices and protect consumers from trade practices that are unconscionable, unfair, unreasonable, unjust, deceptive, misleading or fraudulent.

Among other things, the Consumer Protection Act regulates unwanted direct marketing, the marketing of goods and services and the right to safe, good-quality goods.


Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?

No, generally speaking, fintech can be viewed as pro-competitive in the financial services market.  One area where the Competition Act 1998 could conceivably affect fintech companies is merger control, such as when existing players acquire or merge with a fintech company or create a fintech joint venture with one or more other companies. The Competition Commission must be notified about a merger that exceeds certain financial thresholds and involves economic activity that has an effect within South Africa.

Cross-border regulation

Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?

There may be certain tax and exchange control implications where fintech products and services are provided into South Africa on a cross-border basis. Payments for such products and services would require certain tax and exchange control approvals from the South African Revenue Services and the South Africa Reserve Bank (SARB), respectively. Assets (including cash and securities) cannot be transferred out of South Africa without SARB’s prior approval. Therefore, the buying of cryptocurrencies from offshore exchanges or the purchase of goods and services using cryptocurrencies may raise tax, foreign exchange control and money laundering concerns from the authorities.

Click here to view the full article.