South African Financial Sector Regulators: Who’s Who — FSCA, PA, SARB, FIC, NCR, Information Regulator (and more)

South Africa’s “Twin Peaks” regulatory model separates prudential and market conduct supervision, with the South African Reserve Bank (SARB) anchoring financial stability. For bankers and other financial professionals, understanding who does what — and where mandates overlap — is essential for day-to-day compliance, product design, risk management, and assurance.

This guide maps the main regulators and related bodies, what each supervises, how they interact, and the practical implications for banking teams.

The Twin Peaks model at a glance

What it is

• Prudential Authority (PA): focuses on the safety and soundness of banks, insurers, and financial conglomerates (capital, liquidity, governance, risk).
• Financial Sector Conduct Authority (FSCA): regulates how financial firms behave in the market (customer outcomes, distribution, product governance, disclosures).
• Framework: Financial Sector Regulation Act, 2017 (FSR Act). SARB anchors financial stability and houses the PA and the Resolution Authority.

Why it matters in practice

• Expect dual supervision with different objectives and evidence sets: prudential vs conduct.
• Teams must evidence both “soundness” (capital, liquidity, risk) and “fair outcomes” (treating customers fairly, value, complaints handling).

FSCA — Financial Sector Conduct Authority

Core role

• South Africa’s market conduct regulator across banks, insurers, intermediaries, retirement funds, and financial market infrastructures.
• Sets, supervises, and enforces conduct standards, including Treating Customers Fairly (TCF) outcomes, product governance, distribution, and disclosure.

What it supervises/enforces

• FAIS Act (Financial Advisory and Intermediary Services): licensing of financial services providers (FSPs), fit-and-proper requirements for key individuals and representatives.
• Conduct Standards under the FSR Act and sector laws (e.g., Insurance Act) covering product design, conflicts of interest, disclosure, complaints handling, and incentives.
• Financial Markets Act oversight for market infrastructures and conduct in financial markets.

Practical touchpoints for banks

• Product and distribution governance (target market, value-for-money, outcomes testing).
• Sales practices and incentive schemes; conflict management.
• Complaints, MI and root-cause remediation; outsourcing/third-party oversight for conduct.

Key laws/instruments

• FSR Act, 2017; FAIS Act, 2002; Insurance Act, 2017; Financial Markets Act, 2012; FSCA Conduct Standards and Guidance.
• COFI Bill (Conduct of Financial Institutions): still a Bill as at Oct 2024 — monitor status and draft standards.

Prudential Authority (PA) — within the South African Reserve Bank

Core role

• Prudential regulation and supervision of banks, mutual banks, insurers, and financial conglomerates.

What it supervises/enforces

• Capital and liquidity (Basel framework), governance and risk management, ICAAP/ORSA (for insurers), large exposures and related-party limits.
• Group-wide supervision, recovery planning, and (with SARB’s Resolution Authority) resolvability.

Practical touchpoints for banks

• Model risk governance (credit, market, operational, IFRS 9).
• Stress testing and risk appetite implementation; liquidity buffer management.
• Fit-and-proper and governance expectations for boards and control functions.

Key laws/instruments

• FSR Act, 2017; Banks Act, 1990; Mutual Banks Act, 1993; Insurance Act, 2017; Financial Sector Laws Amendment Act, 2021 (resolution and deposit insurance framework).

SARB — South African Reserve Bank (system-level mandates)

Core role

• Central bank: monetary policy, financial stability, lender of last resort, oversight of the national payment system, exchange control policy, and resolution.

Functional areas relevant to banks

• National Payment System Department (NPSD): oversight under the National Payment System Act, 1998; designation and oversight of systemically important payment systems; settlement and clearing.
• Financial Stability: macroprudential surveillance and systemic risk assessments.
• Financial Surveillance Department (FinSurv): exchange control administration and policy; oversight of Authorised Dealers.
• Resolution Authority and deposit insurance framework: enabled by the Financial Sector Laws Amendment Act; delivered via the SARB Group’s Corporation for Deposit Insurance (CoDI).

Practical touchpoints

• Participation, risk, and resilience requirements for payment, clearing, and settlement systems (incl. modernisation, e.g., ISO 20022 and PayShap ecosystem).
• Exchange control rules and reporting for cross-border flows (circulars, rulings for Authorised Dealers).
• Resolution planning, depositor data quality and single customer view readiness for deposit insurance.

Key laws/instruments

• SARB Act, 1989; National Payment System Act, 1998 (directives/position papers); Exchange Control Regulations; FSR Act; Financial Sector Laws Amendment Act, 2021.

FIC — Financial Intelligence Centre

Core role

• South Africa’s financial intelligence unit (FIU) for AML/CFT/CPF. Issues guidance, receives/analyses regulatory reports, and supports enforcement via supervisory bodies.

Supervisory/enforcement model

• The FIC sets the AML/CFT/CPF framework and intelligence, while sector supervisors (e.g., PA for banks/insurers, FSCA for certain FSPs) supervise compliance with the FIC Act in their populations.

What is supervised/required

• Risk-based AML/CFT/CPF controls: governance, enterprise and customer risk assessment, RMCPs, CDD/EDD, record-keeping, training, and independent assurance/effectiveness testing.
• Reporting obligations (under the FIC Act and Regulations):
  • Suspicious and Unusual Transaction Reports (STRs).
  • Cash Threshold Reports (CTRs) and aggregated CTRs.
  • Terrorist Property Reports (TPRs) and implementation of targeted financial sanctions (FIC Act ss 26A–26C).
  • International Funds Transfer Reports (IFTRs) — phased implementation; check current go-live and scope for your entity type.

Practical touchpoints for banks

• RMCP effectiveness; alert quality and tuning (transaction monitoring and screening); sanctions list governance; proliferation financing indicators; remedial action tracking.

Key laws/instruments

• Financial Intelligence Centre Act, 2001 (as amended); FIC Guidance Notes/Directives; Public Compliance Communications; UN Security Council sanctions lists as domestically implemented.

NCR — National Credit Regulator

Core role

• The NCR enforces the National Credit Act (NCA) across credit providers (including banks), credit bureaus, and debt counsellors.

What it supervises/enforces

• Affordability assessment regulations and reckless lending prohibitions.
• Credit marketing and disclosure rules; pre-agreement statements and quotations.
• Debt counselling process oversight; credit information accuracy, retention, and dispute handling.

Practical touchpoints for banks

• Affordability model design and governance; traceability of inputs/overrides.
• Collections strategies aligned to NCA and conduct standards; communications QA; re-ageing/restructuring policies.
• Credit bureau data supply quality and adverse listing rules.

Key laws/instruments

• National Credit Act, 2005 and Regulations; NCR guidelines and enforcement notices.

Information Regulator — POPIA and PAIA

Core role

• Regulates personal information processing under the Protection of Personal Information Act (POPIA) and access to information under the Promotion of Access to Information Act (PAIA).

What it supervises/enforces

• Lawful processing, purpose limitation, minimisation, security safeguards, cross-border transfers, and processor (operator) contracts.
• Mandatory security breach notifications to the Regulator and affected data subjects “as soon as reasonably possible.”
• PAIA compliance for proactive publication and access to records.

Practical touchpoints for banks

• Privacy-by-design; data retention and destruction; DPIAs for high-risk processing; vendor/operator due diligence and clauses; incident response evidence and timelines.

Key laws/instruments

• POPIA, 2013; PAIA, 2000; Codes of Conduct and Enforcement Notices issued by the Information Regulator.

Other South African financial sector bodies you should know

Corporation for Deposit Insurance (CoDI)

• An entity in the SARB Group implementing South Africa’s deposit insurance scheme under the FSLAA.
• Bank impacts: coverage parameters, funding/levies, depositor single customer view, payout readiness testing. Check current coverage limit and effective date.

PASA — Payments Association of South Africa

• Recognised Payment System Management Body under the NPS Act; sets participation, scheme and PCH rules, and technical standards across payment streams.
• Bank impacts: scheme adherence (e.g., EFT, debit orders, cards, real-time payments/PayShap), dispute/fraud collaboration, readiness for modernisation (including ISO 20022).

Ombud Council

• Established under the FSR Act to designate and oversee financial ombud schemes and harmonise standards.
• Historically includes the Ombudsman for Banking Services (OBS), FAIS Ombud, Credit Ombud, and others; consolidation toward a single National Financial Ombud Scheme has been announced — verify the current designations and effective dates.

National Treasury

• Leads financial sector policy and legislative reform (e.g., COFI, financial inclusion, resolution and deposit insurance policy).
• Bank impacts: participate in consultations; track implementation timelines.

SARS — South African Revenue Service

• Tax administration and Automatic Exchange of Information (AEOI) reporting (FATCA/CRS).
• Bank impacts: due diligence and classification, reporting controls, and any withholding obligations.

IFWG — Intergovernmental Fintech Working Group (incl. the Regulatory Sandbox/Innovation Hub)

• Collaboration among SARB, FSCA, FIC, National Treasury, and others on fintech policy and experimentation.
• Bank impacts: FSCA has declared crypto assets “financial products” under FAIS (Oct 2022), with CASP licensing rolling out; monitor guidance and licensing lists.

CBDA — Co-operative Banks Development Agency

• Supports development and supervision of co-operative financial institutions (CFIs) under the Co-operative Banks Act; the PA supervises registered co-operative banks (prudential).
• Bank impacts: sector dynamics and potential partnerships.

CIPC — Companies and Intellectual Property Commission

• Maintains beneficial ownership registers following AML/CFT legislative amendments supporting FATF remediation.
• Bank impacts: KYB data sourcing/cross-checks, ongoing monitoring.

Enforcement partners (criminal)

• Directorate for Priority Crime Investigation (DPCI/Hawks) and SAPS Commercial Crimes work with the FIC and supervisors on serious financial crime matters.
• Bank impacts: escalation pathways for criminal matters beyond administrative enforcement.

How mandates overlap and interact

Conduct vs prudential

• FSCA focuses on customer outcomes, distribution, and disclosure; PA focuses on capital, liquidity, governance, and risk. Evidence sets differ: outcomes testing vs ICAAP/ILAAP and model governance.

AML/CFT/CPF

• FIC issues guidance and receives reports; PA/FSCA supervise compliance for their sectors under the FIC Act. Targeted financial sanctions are implemented domestically under the FIC Act; SARB’s exchange control intersects for certain cross-border restrictions.

Credit regulation

• NCR’s NCA applies to all credit providers (including banks); PA/FSCA continue prudential and conduct oversight of those same institutions.

Data protection

• Information Regulator’s POPIA/PAIA obligations apply across entities; intersects with FSCA conduct (fair, transparent use of data) and PA (outsourcing/vendor risk, operational resilience).

Payments

• SARB (NPSD) oversees the NPS; PASA administers participation/scheme rules; FSCA may examine conduct aspects of payment products; PA considers operational risk and resilience for prudential purposes.

Dispute resolution

• Ombud Council sets standards and designates schemes; outcomes can drive conduct remediation and MI improvements in firms.

Practical implications for banking teams

Compliance and risk leaders

• Maintain a regulator–obligation register with owners, controls, evidence, cadence, and KPIs/KRIs.
• Evidence effectiveness (not just design) for AML/CFT/CPF and conduct outcomes; align second/third-line testing to supervisors’ expectations.

Product and distribution

• Embed target market definitions, value-for-money assessments, and outcomes testing; align marketing and disclosures; define vulnerable customer policies; manage third-party distribution oversight.

Credit and collections

• Align affordability testing with NCA and model governance; ensure collections practices meet conduct and NCA standards with MI and QA on communications and treatments.

Treasury and balance sheet

• Deliver ICAAP/ILAAP; monitor IRRBB, liquidity stress tests, and resolution planning interfaces; ensure eligible collateral/settlement risk controls in the NPS.

Data and technology

• Privacy-by-design and data minimisation; data lineage and model governance (credit, IFRS 9, AML/f

Disclaimer

This article is for informational purposes only and is not legal, regulatory, tax, or compliance advice.

Content reflects publicly available information and guidance current as of the publication date and may change without notice. Always verify requirements with official sources (FSCA, PA/SARB, FIC, NCR, Information Regulator, PASA, National Treasury, Ombud Council) and applicable legislation.

No representation or warranty is made as to completeness or accuracy. Neither the author nor IOBSA accepts liability for any loss arising from reliance on this material.

Readers should consult their institution’s compliance/legal functions or a qualified adviser for advice on specific circumstances.

References to third-party organisations or resources do not constitute endorsement or affiliation.