South African Fintech Regulation Post-2024

Date: 2026-05-31 Type: Research Status: Tier-D landscape sweep; ~30 primary sources; FATF exit, NPS Bill, COFI Bill, CASP licensing, stablecoin/e-money, Excon SBSA judgment, POPIA, joint standards, two-pot, BNPL, CBDC. Sources: south-african-fintech-regulation-post-2024-landscape-2026-05-31.sources.json

TL;DR

South Africa's fintech regulatory posture between 1 January 2024 and 31 May 2026 shifted from "preparing for Twin Peaks maturity" to active rebuild of the National Payment System (NPS) on activity-based licensing, a FATF grey-list exit on 24 October 2025, a CASP regime now supervising ~310 licensed crypto firms, and a legislatively unfinished but operationally advanced Conduct of Financial Institutions (COFI) framework. Three regulators (SARB Prudential Authority, FSCA, NCR) plus FIC, Information Regulator, NT and FinSurv are converging on the IFWG as the inter-agency clearing house — most live policy work for stablecoins, open finance, exchange control over crypto, and BNPL is being staged there before legislation lands.

The dominant theme is transition under temporary instruments: with COFI Bill and NPS Bill both pre-Parliament, regulators are bridging via Joint Standards (FSR Act), Draft Directives and Exemption Notices (Banks Act / NPS Act), and Conduct Standards — creating a thick, often overlapping compliance layer that fintechs must navigate without final-form primary legislation.

1. Architecture: Twin Peaks Maturing Under Temporary Instruments

The Twin Peaks model split prudential (SARB Prudential Authority) from conduct (FSCA) under the Financial Sector Regulation Act 9 of 2017. Post-2024, both peaks moved beyond establishment into supervision intensification:

FSCA published its 2025–2028 Regulation Plan (March 2025), making open finance, crypto supervision, COFI transition, sustainable finance, and retirement reform strategic priorities. Frameworks will be issued under existing FSR Act powers pending COFI Bill enactment.
FSCA established a COFI Transition Working Group to begin themed-framework informal consultations through 2025/26 — explicitly a contingency strategy because the COFI Bill has slipped its 2024 and early-2025 tabling targets.
The IFWG (Treasury, SARB, PA, FSCA, FIC, NCR, SARS, Competition Commission) is now the de-facto policy coordinator for crypto, stablecoins, open finance, BNPL, and exchange control over digital assets.

This means fintechs face a layered rulebook: FSR Act + sector laws (FAIS, NCA, Banks Act, NPS Act) + Joint Standards + Conduct Standards + Directives + Exemption Notices — with COFI repealing/consolidating large parts once enacted.

2. Conduct of Financial Institutions (COFI) Bill

Status (May 2026): Not yet tabled in the National Assembly.

The Bill underwent two rounds of public consultation pre-2024. Treasury reported in the March 2025 Budget Review that the final draft was awaiting certification by the Chief State Law Adviser. By mid-2025, additional amendments were still being addressed. Treasury expected Cabinet submission by end-2025; tabling timeline beyond that uncertain.
Once enacted, COFI will repeal FAIS and apply an activity-based conduct framework across the financial sector. All FSPs will require re-licensing.
Implication for fintechs: FAIS Cat I/II licences (including crypto CASPs) will migrate to activity-based licences. FSCA expects a phased licensing overhaul. The FSCA is using FSR Act powers in the interim to push themed frameworks (advice, intermediation, product disclosure, crypto, payments-adjacent conduct).

Parallel track: NPS Act amendments were originally consolidated into the COFI Bill but have been separated into a standalone NPS Bill to allow concurrent progress (Treasury, 2025 Budget Review).

⚠ low-confidence: precise tabling dates for COFI / NPS Bills remain officially uncommitted as of May 2026. Avoid taking 2025–2026 forecasts at face value.

3. National Payment System Modernisation (SARB)

Largest single regulatory change for SA fintech in the post-2024 period.

3.1 PEM Programme replaces Vision 2025

In September 2025 the SARB formally launched the Payments Ecosystem Modernisation (PEM) Programme, succeeding Vision 2025. PEM's leadership posture is materially different — SARB took an active role rather than relying on industry collaboration. Components:

Upgrade of the high-value RTGS system (handles SA GDP every ~12 days).
Expansion of faster payment systems including PayShap.
Creation of a national QR code standard ("QR+") to replace fragmented bank/PSP QR codes.
Acquisition by SARB of a 50% stake in PayInc (formerly BankservAfrica) in November 2025 — turning the national payments operator into a public-private utility.
Publication of Vision 2030+ for consultation.

3.2 PayShap (Rapid Payments Programme)

Launched 2023 by BankservAfrica + PASA + big banks under SARB's RPP.
Mid-2025: R100bn+ processed, 136m+ transactions, 4.5m+ ShapIDs.
December 2025: 461m transactions worth R403bn (Slant/Finch analysis).
Mid-2026: 905m transactions, 6m+ registered users since launch — near-doubling in ~5 months (PayInc, PayShap Accelerate Acceptance Conference).
Bank-by-bank reach (June 2025, Slant analysis of 228k consumer accounts): Absa 68%, Discovery 64%, Standard Bank 57%, Capitec 35% of customers used PayShap at least once a month — yet PayShap share of debit transactions stayed in single digits (2–7%).
PayShap Request (request-to-pay) launched July 2025; Ozow among first merchant integrations.
Adoption lagged Vision 2025 ambitions: only the big four live at launch; cash still dominant (76% of social-grant recipients withdraw entire grant in cash).
3-year mark (March 2026): PayInc formally pivoted from P2P to merchant payments, e-commerce, mobile, ecosystem enablement.
April 2026: SARB hosted first PEM Industry Dialogue 2026; demonstrated PEMKey (interoperable trusted credentials) + ongoing QR+ work.
PEM explicitly addresses PayShap parity issues (transaction limits, proxy registration, pricing transparency, P2M flows).

3.3 Draft Authorisation Framework + Exemption Notice (Mar 2025 → Nov 2025 → Jun 2026 third draft)

The SARB's National Payment System Department published an Authorisation Framework Directive (under NPS Act) and the Prudential Authority published a Specific Payment Activities Exemption Notice (under Banks Act):

First draft: 3 March 2025.
Second (revised) draft: 14 November 2025; comments closed 5 December 2025.
Third draft: 2026, with public comment closing 15 June 2026.

The framework introduces seven (Nov 2025 draft) / eight (alternative counts) activity categories including: e-money issuance, payment instrument issuance, payment acquiring, third-party services, remittances, clearing & settlement, and payment accounts. Non-banks performing exempted activities are carved out of "the business of a bank" under the Banks Act, conditional on SARB authorisation/registration.

Non-bank requirements (modelled on EU PSD2):

Activity-based minimum capital.
Segregated client-fund trust accounts at regulated banks.
100% liquidity buffer on the e-money float.
AML/CFT compliance.
Fit-and-proper for key persons.
Tiered limits — Tier 1 e-money issuers (monthly volumes >R5m) face stricter requirements.

E-money definition shift (Nov 2025 draft): the November draft dropped the "generally accepted as a means of payment" qualifier that previously kept stablecoins outside e-money. E-money is now "a store-of-value product that is a digital representation of fiat currency, is a claim on the issuer and is redeemable at face value on demand." Fiat-pegged stablecoins offering par redemption are now likely inside the e-money perimeter with full licensing, prudential, safeguarding, clearing/settlement and compliance obligations.

3.4 NPS Bill (still pending)

The standalone NPS Bill intends to permanently embed non-bank participation in clearing and settlement, replacing the temporary directive-and-exemption stack. Parliamentary officials confirmed in 2025 it had not been introduced in either House. Tabling was targeted late-2025; enactment mid-2026 was speculative; current expectation slipped further.

3.5 Project Khokha / CBDC

Project Khokha 1 (2018) — proof-of-concept interbank tokenised rand.
Project Khokha 2 (2021–2023) — wholesale CBDC + wToken (bank-issued stablecoin) for debenture trading; SARB found results inconclusive for full wCBDC rollout but useful for legal/regulatory insight. Multiple PoCs explored cross-border stablecoin, domestic bank stablecoin, trade finance, asset tokenisation.
Project Khokha 2x (PK2x) — focus on commercial-bank-issued stablecoins for regional (SADC) cross-border payments plus a two-year domestic stablecoin sandbox. Wholesale CBDC use cases include collateral and smart-contract letters of credit.
Retail CBDC: SARB published a position paper on retail CBDC necessity in November 2025. Retail CBDC remains in controlled exploration; no commitment to issue.

4. Crypto Asset Service Providers (CASPs) — FSCA Licensing & Supervision

CASPs were declared a "financial product" under FAIS in October 2022. Licensing went live 1 June 2023 with applications due by 30 November 2023.

4.1 Licensing scoreboard (as at 31 March 2026)

Metric	Total
Applications received	533
Approved	310
Declined	17
Withdrawn (post-engagement)	124
Under consideration	balance

Decline reasons: failure of operational ability (business plan, business-model clarity) and competency (lack of demonstrated crypto knowledge/experience) under the FAIS fit-and-proper requirements.

4.2 Regulatory Examinations (REs)

Exemption from FAIS REs (Board Notice 194 of 2017, Chapter 3 Part 4) was extended to 30 June 2025 — no further extensions. Licensed CASPs and their key individuals must now hold REs; failure attracts suspension/withdrawal under FAIS s9.

4.3 Supervisory cycle

Jan–Mar 2025: first round of 10 on-site supervisory inspections.
Apr 2025–Mar 2026: 30 inspections planned, 21 completed.
Inspection focus: governance, risk management programmes, business risk assessments, AML/CFT/CFP under FICA.
August 2025: Crypto Asset Supervisory Engagement Forum (CASEF) established for industry-regulator coordination.

4.4 Unlicensed CASPs

81 investigations opened; 25 closed (entities ceased/dormant); 56 ongoing. Administrative penalty ceiling: R10 million per contravention under FAIS (standard) — but headline enforcement actions in 2025 (see §4.6) show penalties far above the per-contravention cap when stacked.

4.5 Public list

FSCA publishes and updates an authorised-CASP list (latest available version: 18 December 2024 PDF on www2.fsca.co.za; subsequent updates on the live FSCA portal).

4.6 FSCA Enforcement Posture 2024/25 — Record Year

The FSCA's 2024/25 integrated report shows a step-change in enforcement intensity:

Metric	2024/25
Investigations finalised	633 (up from 418 in 2023/24)
New cases opened	767 (up from 483)
Ongoing investigations	494
Debarment orders issued	131
Licences withdrawn	382
Fines / penalties collected	R119m
AML/CFT financial penalties	R27.1m (up 127% from R11.9m 2021)
AML/CFT non-financial sanctions	19 (up 533% from 3)
Licences granted	779 (incl. 264 CASPs)

Headline 2025 cases:

Banxso (Pty) Ltd (CFD platform; FSP licence 37699): licence provisionally withdrawn 4 July 2025 (alongside linked AfriMarkets); Western Cape High Court provisional liquidation August 2025; R2 billion administrative penalty announced 9 December 2025 — the largest in SA financial regulatory history — jointly and severally against Banxso and directors Harel Adam Sekler and Warwick David Sneider; a further R16m on Banxso for other contraventions; R20m on director Manuel de Andrade; R10m on Mohammed Bux; R5m on Henry James Simpson; 30-year debarments for Sekler, Sneider, de Andrade and Bux; 10-year debarment for Simpson; referred to SAPS and Hawks. ~7,000 reported clients with losses potentially in the billions.
Bhaca Green (Pty) Ltd (Dec 2025): R9m penalty + 20-year debarment of director Songeziwe Mbalo for unauthorised forex; R50k penalty on Lungile Mgilane; matter referred to SAPS.
African Bank (March 2025): R700k admin penalty (R500k payable + R200k suspended 2 years) for misleading "#KeFestive" social-media campaign breaching Conduct Standard 3 of 2020 ss6(1), 6(3)(a), 6(3)(b).

The R2bn Banxso penalty resets expectations of upside enforcement risk for fintechs and CASPs.

5. Stablecoins

Stablecoins moved from niche to systemic concern over 2024–2025.

Trading volumes: USD-pegged stablecoins on SA platforms grew from <R4bn in 2022 to ~R80bn YTD October 2025 (SARB FSR Nov 2025) — now the dominant trading pair on Luno/VALR/Ovex, displacing Bitcoin.
Custody: combined Luno/VALR/Ovex crypto custody grew from <R10bn (early 2023) to R25.3bn end-2024; registered users on those three platforms ≈ 7.8m at end-July 2025.
Domestic supply: six rand-backed/rand-pegged stablecoin arrangements existed in 2025 with more planned.
FSB jurisdictional review (Oct 2025): SA assessed as "no framework" for global stablecoins, "partial regulations" for crypto.

Three parallel SA stablecoin workstreams

IFWG / Crypto Asset Regulatory Working Group (CAR WG): published the 2025 South African Stablecoin Landscape Diagnostic and committed to a discussion paper on rand-pegged stablecoins for public consultation in Q1 2026 (FX-pegged stablecoin work follows).
SARB FSR (November 2025): added "tech-enabled financial innovation" as a new risk category — flagged crypto and stablecoins as sub-risks. Governor Kganyago publicly: "the truth of the matter is that these things could break apart."
SARB Draft Authorisation Framework (Nov 2025): e-money redefinition (see §3.3) likely captures fiat-backed stablecoin issuers.

Implication: stablecoin issuers targeting SA should plan for dual capture — under FAIS (CASP) for advice/intermediation/exchange roles AND under the NPS/Banks Act e-money perimeter for issuance.

6. AML/CFT — FIC Amendment Act, Beneficial Ownership, FATF Exit

6.1 FIC Amendment Act / General Laws (AML/CFT) Amendment Act 22 of 2022

Enacted late 2022; FIC Act + Companies Act + Trust Property Control Act + NPO Act + FAIS amendments came into force from 1 April 2023.
Added legal persons to client identification (s21B) and beneficial-ownership establishment, proliferation financing, expanded list of Accountable and Reporting Institutions (Schedule 1) — includes Trust Services Providers, High-Value Goods Dealers and CASPs.
FIC PCC59 published 8 August 2024 — operational guidance on beneficial ownership establishment for legal persons, trusts, partnerships.

6.2 Beneficial ownership filings

CIPC operationalised the beneficial-ownership register; first deadline 1 October 2023; ongoing obligation to file within 30 days of anniversary date and 10 days of any change.
Hard-stop on CIPC annual returns active from 1 July 2024 — no AR without a BO filing in the same calendar year.
January 2025: CIPC Customer Notice 4 of 2025 published a list of non-compliant entities with 7-day deadline.
Trusts side: the Master oversees Trust BO under the Trust Property Control Act amendments.

6.3 FATF grey-list exit — 24 October 2025

SA grey-listed February 2023 (deficient in 20 of 40 FATF Recommendations per 2021 MER).
22 action items across 8 strategic deficiencies; substantial completion by June 2025.
On-site Africa Joint Group visit: end-July 2025 — confirmed sustainability of reforms.
FATF Plenary 22–24 October 2025 (Paris): SA, Nigeria, Mozambique, Burkina Faso all removed.
Market response muted — removal had been largely priced in through 2024–2025.
Next steps:
Next full mutual evaluation begins H1 2026; report adoption October 2027 under new methodology.
Treasury and SARS warned that staying off-list requires sustained measurable AML/CFT outcomes (successful investigations, prosecutions, sanctions).

Fintech implications of exit

Easier correspondent banking; fewer EDD blocks on cross-border SA flows.
Reduced compliance friction for cross-border KYC and onboarding (per Stitch analysis).
Continued strict expectations on CASP AML programmes — exit does not soften the FIC supervisory direction.

7. Privacy — POPIA Enforcement & 2025 Regulations Amendment

7.1 2025 Regulations amendment

April 2025: Information Regulator published POPIA Regulations amendments under Government Notice 6126, in force immediately.
Key changes:
Streamlined data-subject objection/correction/deletion processes.
Modernised direct-marketing consent mechanics.
Installment-based payment of administrative fines — proportionality without softening deterrence.
New information-officer responsibilities.
Multi-channel data-subject rights operations.

7.2 Enforcement posture

2024: three enforcement notices on security compromises/breach notifications; first administrative fine on the Department of Justice; one notice against a social-media platform for differential ZA terms.
WhatsApp/Meta enforcement notice — 60-day compliance window; potential R10m fine and/or 10 years imprisonment for breaches.
Information Regulator's 2025/2026 plan prioritises POPIA enforcement + complaint resolution.
IR intends to seek Parliamentary amendment to POPIA/PAIA to expand enforcement powers.
Direct marketing and breach notification (72-hour expectation) flagged as high-frequency enforcement targets.
Financial services explicitly identified as a top-priority enforcement sector.

Penalty ceiling for serious offences: R10m fine and/or 10 years imprisonment.

8. Credit & BNPL — National Credit Act (NCR)

8.1 BNPL — still grey

Providers (PayJustNow, Payflex, Mobicred) argue their interest-/fee-free structures sit outside the NCA definition of credit agreement.
s8(4)(f) — a credit facility exists where the provider undertakes to defer payment and charges are imposed on the deferred amount; BNPL structurally avoids the fee/interest leg.
IFWG view: BNPL is in a regulatory void; NCR enforcement limited, FSCA no clear guidance.
Reform proposals: amend "credit agreement" in NCA to capture interest-free BNPL; clarify NCR vs FSCA jurisdiction.

8.2 NCA Regulations draft (August 2025)

Government Gazette 53154, 13 August 2025 — DTIC opened comment on amendments to Regulations 18, 19 and 23A.
Reg 23A: strengthens affordability assessments — credit providers must assess discretionary income, financial means, reasonable revenue flows, validate gross income, and apply a minimum-expense-norms table by income bracket.
Regs 18/19: tighten credit-bureau data submission, retention, and consumer-identification standards.
Comments closed 13 September 2025.

The Aug 2025 regulations do not directly capture BNPL but raise the affordability-assessment bar across registered credit providers, narrowing the practical gap.

8.3 International benchmarks fintechs should track

Australia: ASIC RG 281 (May 2025) under the Treasury Laws Amendment (Responsible BNPL and Other Measures) Act 2024 — effective 10 June 2025.
UK: FCA-regulated DPC/BNPL from 15 July 2026 (Regulation Day).

9. Open Finance / Open Banking

2020: FSCA consultation/research paper on regulating Open Finance.
March 2024: FSCA Open Finance Policy Recommendations.
FSCA Draft Position Paper on Open Finance — defines Open Finance as consent-based financial data sharing and payment initiation to licensed third parties, covering five use cases: account aggregation, financial management, payment initiation, alternative lending, insurance.
Final position paper was anticipated 2025.
FSCA 2025–2028 Regulation Plan (March 2025): open finance positioned as a strategic focus area, not a formal framework intervention — full regulatory intervention expected within the three-year plan window.
Phased approach: voluntary first, then phased mandatory participation for relevant financial institutions.
Open API standards advisory group targeted for establishment in March 2025 — industry + academia + NGOs.
TPPs currently outside the FSCA regulatory perimeter — closing this licensing gap is a core open-finance policy aim.
Inter-regulator collaboration: FSCA + PA + SARB + Information Regulator + IFWG.

Market: 200+ fintechs; Nedbank, Investec, Capitec, FNB, Standard Bank operate API marketplaces or data-sharing facilities.

10. Operational Resilience — Joint Standards (FSCA + PA)

Three Joint Standards published 2024 are now in force or about to commence — they apply across banks, insurers, retirement funds, CIS managers, market infrastructures, and licensed FSPs (including CASPs to the extent applicable):

Joint Standard	Topic	Effective
JS 1 of 2024	Outsourcing by Insurers	1 December 2024
Joint Standard on IT Governance and Risk Management	IT governance, IT strategy, risk-management framework, oversight	15 November 2024
JS 2 of 2024	Cybersecurity and Cyber Resilience Requirements	1 June 2025

JS 2 minimums include: cybersecurity strategy + framework, asset criticality classification, security risk assessments, access controls, threat-intelligence management, breach readiness, mandatory material-incident notification, annual board-level cybersecurity awareness training, controls assurance via regular exercises. Explicit alignment with POPIA on personal-information safeguards.

Non-compliance → administrative penalties and reputational exposure.

11. Crypto + Exchange Control — The SBSA v SARB Earthquake

15 May 2025: Pretoria High Court (Standard Bank v SARB [2025] ZAGPPHC 481) held that cryptocurrencies are neither "currency" nor "capital" under the Exchange Control Regulations of 1961. Bitcoin transfers (4,405.97 BTC ≈ R556m) to offshore exchanges therefore did not contravene Reg 3(1)(c) or 10(1)(c). Court invoked Oilwell (2011): Excon Regs are interpreted restrictively; new categories need legislative change.
2 June 2025: SARB filed appeal — suspends operation of the ruling pending SCA/Constitutional Court determination.
25 February 2026 Budget Speech: Minister of Finance announced Treasury will publish draft amendments under the Currency and Exchanges Act 1933 to bring crypto explicitly into exchange control.
3 March 2026: FinSurv Exchange Control Circular No. 3/2026 confirmed the policy direction.

Expected CASP impact: integration into the authorised-dealer architecture; CASPs to administer client exchange-control allowances for crypto transfers and report to FinSurv. CASPs need to map cross-border crypto flows, upgrade transaction monitoring/record-keeping, and refresh RMCPs, FAIS+FICA compliance, client agreements, vendor contracts, and privacy notices ahead of go-live.

⚠ low-confidence: precise scope and format of FinSurv crypto reporting only known once draft regs publish. Avoid building specific reporting infrastructure until the draft is on the table.

12. Two-Pot Retirement System (1 September 2024)

Effective 1 September 2024 via the Revenue Laws Amendment Act:

3 components: vested (pre-1-Sep-2024 savings), savings (one withdrawal per tax year, R2,000 minimum), retirement (preserved until retirement).
Seed capital: once-off 10% of pre-existing retirement savings (capped R30,000) moved to the savings component on 31 August 2024.
New contributions split: one-third savings / two-thirds retirement.
SARS integration:
Tax directive required for every savings-component withdrawal.
Tax at marginal rates; withholding mechanism.
IBIR-006 Tax Directives Interface v6.706 updated; trade testing extended through 30 August 2024.
Fintech implications: digital onboarding, ID verification, OTP/SMS infrastructure, FSCA rules approval, settlement, anti-fraud — large operational lift for fund administrators and adjacent fintechs.
Treasury projected ~R5bn in additional 2024/25 tax revenue from withdrawals.
Members 55+ on 1 March 2021 are not auto-included.

13. Innovation Layer — IFWG Innovation Hub

Launched 2020 (relaunched as Innovation Hub in 2022) by IFWG members.
Three avenues: Regulatory Guidance Unit, Regulatory Sandbox, Innovation Accelerator.
Rolling applications, no fixed annual cohorts. 6-month testing window. No fee. No funding.
Originally received 54 applications from 49 entities in the 2020 cohort.
2025 Africa Sandboxes Outlook cited IFWG as a regional case study for responsible sandbox design.
Cross-border testing supported subject to home-jurisdiction good standing.

14. What Fintechs Need to Do Now (Operational Compact)

Theme	Action
Payments	Map activities against the 7-category Authorisation Framework; engage SARB pre-licensing dialogue; budget for activity-based capital + 100% e-money liquidity buffer + segregated trust accounts.
Stablecoins	Plan for dual capture (FAIS CASP + e-money under NPS/Banks). Watch IFWG rand-pegged consultation Q1 2026.
CASPs	Close RE compliance (deadline 30 June 2025 lapsed); prepare for FSCA inspection cycle; engage CASEF; tighten AML programmes; map cross-border flows for inbound Excon regime.
Conduct	Track COFI Bill themed-framework consultations; map current FAIS licences to anticipated activity-based licences.
AML	BO filings at CIPC current; FIC PCC59 implementation in client onboarding; align Risk Management & Compliance Programme.
Privacy	Direct-marketing audit; 72-hour breach notification; appoint/refresh Information Officer; integrate POPIA + JS 2 of 2024 cyber requirements.
Cyber/Ops	JS 2 of 2024 minimum framework, board awareness training, material-incident notification process.
Credit/BNPL	Even if outside NCA today, model Reg 23A affordability standards; watch for explicit BNPL inclusion.
Retirement	If servicing two-pot withdrawals, verify SARS interface + ID/OTP infrastructure stable.
Innovation	Use IFWG Sandbox for novel propositions; rolling applications.

Stage 6: GAP_ANALYSIS

gaps:
Exact post-October-2025 changes to FATF action items: which residual recommendations remained unscored after the on-site visit?
Quantified enforcement data: FSCA admin penalties on CASPs (numbers, amounts) between Jan 2024 – May 2026.
National Treasury intention on whether the post-SBSA Excon crypto reforms will operate prospectively only or retroactively to in-flight investigations.
threads:
SARB acquisition of 50% PayInc — competition/governance consequences for non-bank PSPs.
Two-pot withdrawal aggregate stats post-Sep 2024 — what proportion of members actually withdrew, and what was the macro impact vs. SARB's August 2024 modelling?
PEM Programme RFP/procurement activity (RTGS upgrade vendor environment).
contradictions:
Gemini CLI draft listed PayShap at "R450bn annually" by May 2026 vs Techpoint/SARB-cited "R100bn cumulative since launch + 136m txns" mid-2025 — Gemini figure unverified; treat as hallucinated and exclude.
Gemini CLI asserted COFI "approved by Cabinet late 2025" — contradicts ENS / FIA / Moonstone reporting that the Bill remained in pre-Cabinet certification through mid-2025 with no Cabinet decision reported.
Gemini CLI asserted NCR directive "early 2026" classifying BNPL as credit agreements — no corroborating source found. Treated as unverified and excluded; only the Aug 2025 NCA Regulations draft (affordability) is confirmed.

Iterate once to address the most load-bearing gap (CASP enforcement quantitative data) and clear the PayShap-figure contradiction with a fresh source.

Stage 7: ITERATE round 1

Targeted gap retrievals delivered:

FSCA enforcement quantitative data (now folded into §4.6) — Moonstone coverage of FSCA 2024/25 Integrated Report; TechFinancials reporting on Bhaca Green; FAnews on Banxso R2bn penalty.
PayShap freshest stats (now folded into §3.2) — TechCentral 3-year retrospective; PayInc data: 905m transactions, 6m+ users mid-2026; Slant adoption breakdown.

Stage 6 re-run after iteration:

gaps: SBSA v SARB appeal hearing date in the SCA — not yet listed in publicly available diaries; carry as open thread.
threads: PEMKey technical spec; QR+ technical interoperability standards; BNPL providers' lobbying responses to NCA Reg 23A draft.
contradictions: none material remaining; Gemini hallucinations isolated and excluded.

Stopping iteration (one round used; major gaps closed; remaining threads non-load-bearing).

Stage 7.5: RED-TEAM CRITIQUE

Three personas applied against the post-iteration draft.

Skeptical Practitioner

Is "fintech regulation" too broad a frame? The report mixes prudential, conduct, AML, consumer credit, payments, privacy, and exchange control. A fintech actor seeing this for the first time may struggle to map the rules to its own activity. The §14 operational compact partially mitigates this, but a clearer "which rule applies to which activity" matrix (lending vs. payments vs. crypto vs. wealth) would sharpen utility.
Twin Peaks "maturation" framing assumes COFI is the natural endpoint. That assumption deserves explicit challenge: if COFI keeps slipping, the contingency stack of Joint Standards + Conduct Standards + Directives may become the de facto end state.

Adversarial Reviewer

Date discipline. Several events are still moving (NPS Bill not tabled; Excon-for-crypto regulations not yet published; COFI Bill awaiting certification through mid-2025). The report should flag every "expected in" statement with a calendar boundary.
Survivorship bias in CASP licensing data. 533 applications received hides what the underlying market size was — implicit base rate. The "300 approved" headline conceals that 124 withdrawals were "post-engagement", which may reflect FSCA gatekeeping rather than market readiness.
SBSA v SARB material risk. The report correctly notes the appeal suspends the ruling, but does not explicitly state that any business currently relying on the May 2025 judgment for cross-border crypto bears reversal risk. That belongs in the operational compact.
Joint Standard scope clarity. §10 should note that JS 2 of 2024 explicitly does not automatically apply to entities not regulated under FSR — e.g. unlicensed payments adjacencies.

Implementation Engineer

Costs and timelines absent. Capital quanta for activity-based PSPs (the actual rand amounts per tier) are not in the public draft yet — flag as a watch-item with comment-period closing 15 June 2026.
Operating reality of CASP RE compliance. The 30 June 2025 RE deadline lapsed; for fintechs still onboarding key individuals, the practical question is the FSCA's tolerance window for late compliance — anecdote vs. policy not addressed.
PEMKey demo (April 2026) and QR+ standard create new integration requirements for wallets, acquirers, and POS systems. The report should highlight that PEM is producing technical standards (not just regulation) that fintechs must build to.
Two-pot withdrawal infrastructure — actual administrator failures during September–November 2024 (delayed payments, OTP failures) deserve at least a sentence on operational risk.

Load-bearing claims flagged for additional sourcing

"Stablecoin trading volumes grew from <R4bn (2022) to ~R80bn YTD October 2025" — single-source (SARB FSR Nov 2025 via Moonstone/Bloomberg). Acceptable: two corroborating reports of the same SARB number is journalistic redundancy, not independent verification, but the SARB is the source-of-record.
"Banxso R2 billion penalty Dec 2025" — confirmed in FAnews; further corroboration desirable.
"PayShap 905m transactions / 6m users mid-2026" — single-source (TechCentral via PayInc conference). PayInc/SARB primary number; treat as authoritative but cross-check at next PEM dialogue.

Stage 7.6: CRITIQUE LOOP-BACK

Load-bearing claim source counts:

Stablecoin growth R4bn→R80bn: 2 sources (Moonstone, Bloomberg) both citing SARB FSR Nov 2025 → effectively 1 primary. <3 distinct → loop-back triggered.
Banxso R2bn penalty: 1 source (FAnews) → <3 distinct → loop-back triggered.

Single loop-back round permitted (Tier 1 providers only).

Loop-back round executed via the search call below in this stage. If still <3 sources after one round, the claim stays flagged inline as low-confidence.

Loop-back result:

Stablecoin growth claim: now corroborated by Moneyweb, BusinessDay, Crypto Daily, Cryptonews.com.au, FXStreet, BitcoinEthereumNews and Coinpaprika all citing SARB FSR 25 Nov 2025. Sourced ✅.
Banxso R2bn claim: now corroborated by Daily Maverick, IOL, Moneyweb, FAnews, EBnet, BizNews, Moonstone and Central News, with the FSCA's December 2025 press release as primary. Sourced ✅. Additional precision recovered: 30-year (not 20) debarments for four directors; individual fines on de Andrade (R20m), Bux (R10m), Simpson (R5m, 10-yr debarment); +R16m on Banxso for other contraventions; AfriMarkets co-licensed withdrawal 4 July 2025; provisional liquidation August 2025; criminal referral to SAPS + Hawks. §4.6 amended.

No further loop-back rounds needed.

Counterpoints

The framework is not yet binding. A reader could overestimate how much has actually changed in primary law. The COFI Bill is not enacted; the NPS Bill is not tabled; the Excon-for-crypto regulations were announced (Feb–Mar 2026) but draft amendments are pending. Counterpoint: most "regulation" cited in this report is sub-legislative (Directives, Notices, Joint Standards, Conduct Standards, IFWG papers). A change in Treasury or SARB leadership, a Cabinet reshuffle, or a court challenge could materially reshape any one of these. Build for the rules that are in force; treat the rest as planning intelligence.
FATF exit may be reversed at the next mutual evaluation. Treasury and SARS explicitly warned post-exit that staying off-list requires sustained measurable outcomes — investigations, prosecutions, sanctions. SA's enforcement track record in financial crime (asset forfeiture, NPA prosecutions) has historically been thin. The 2026 mutual evaluation begins in H1 2026 with adoption Oct 2027 under the new FATF methodology; a finding that the reforms were paper-only could trigger re-listing.
SBSA v SARB on appeal — operational risk for crypto remitters. Anyone designing cross-border crypto flows on the basis that "the High Court said crypto is not capital" carries reversal risk. SARB's appeal suspends the ruling and Treasury has announced legislative reversal. The "regulatory sandbox" the judgment temporarily created is closing.
PEM Programme governance concerns. SARB's 50% stake in PayInc (the national clearing operator) creates a fundamental conflict-of-interest critique — central bank as both regulator and shareholder of the critical national infrastructure. Industry commentators (TechCentral) have flagged this. Whether this accelerates modernisation or entrenches the big-four banks' grip is contested.
PayShap network-effect optimism may be misplaced. Despite 905m transactions and 6m users by mid-2026, PayShap's share of debit transactions per bank stays in single digits. The slow shift away from cash and cards is structural — fees, fraud perception, lack of merchant acceptance. A vendor or fintech betting business model viability on rapid PayShap displacement of cards should plan downside.
Open Finance gap risk. TPPs are currently unregulated; the FSCA has stated a phased mandatory regime is likely, but the timeline is open. Fintechs offering data-aggregation or payment-initiation today operate without explicit licensing — but in a phased mandatory regime, they may face retro-fit obligations, capital requirements, or even market exclusion if they fail to qualify for the new licence category.
Two-pot operational reality vs. policy ambition. Despite seamless-sounding policy descriptions, September–November 2024 saw real administrator queues, OTP failures, delayed payouts, and consumer complaints. Any fintech entering retirement servicing should not underestimate the SARS-integration + ID/OTP infrastructure investment required.

Key Sources

Full annotated list in companion file: south-african-fintech-regulation-post-2024-landscape-2026-05-31.sources.json (claim-mapped).

Top primary references:

Stage Tally

Stage 0: sources.json initialised; appended ~50 sources across rounds.
Stage 1: 11 Claude WebSearch calls + Gemini CLI background; Codex CLI dropped (model error).
Stage 2/3: in-line evaluation; high-authority sources prioritised (regulator + Tier-1 SA legal/news).
Stage 4: synthesis above.
Stage 6: gap analysis run; 3 gaps identified.
Stage 7: 1 iteration round; CASP enforcement + PayShap stats backfilled.
Stage 7.5: red-team critique (3 personas + load-bearing-claim audit) run inline (gemini-CLI persona script not invoked; Claude-as-personas used, recorded here).
Stage 7.6: loop-back round; both load-bearing claims now ≥3 sources; Banxso details corrected.
Counterpoints: 7 included.

South African Fintech Regulation Post-2024 — Comprehensive Landscape