The fintech market in South Africa demonstrated its resilience and technical responsiveness when almost all businesses and non-commercial services adopted digital and, in particular, cash-free and no-contact solutions in response to the COVID-19 pandemic. Presently, fintech is one of the main drivers of equity capital market transactions in South Africa, with more than half of the deals concluded in 2021 having a footing in fintech. 

Furthermore, the evolution of fintech has seen industry players collaborating with the major mobile network providers and commercial banks in South Africa, and providing services catering to the low-income consumer. Economic circumstances at a global level, and also those peculiar to South Africa, have stimulated retail consumers’ support, and significantly, institutional investors’ support, of crypto-assets, including derivative and/or stablecoin variants, as a store of value or commodity. 

However, a number of high-profile cryptocurrency investment scams and regulators’ concerns regarding the volatility and credit-rating challenges of crypto-assets, have led to a proposed ban on investment by pension funds, an effective ban on collective investment schemes (CIS) in crypto-assets and derivative products, and an effective ban on banks’ processing of credit card payments for offshore purchases of crypto-assets. 

The ban is described as "effective" because the measures are presently informal and could be intended to serve as a holding position pending formal regulation, which may not necessarily be as restrictive as the holding position. 

In the coming 12 months, the enactment of the Conduct of Financial Institutions (CoFI) Bill is anticipated, which includes specific provisions regarding open banking as well as provisions regarding the licensing of crypto-asset service providers (CASPs), including crypto-asset trading platforms (CATPs). Changes are expected in the way that established and traditional financial institutions and emerging technology providers are likely to collaborate, as the rules in this regard – whether permissive or restrictive – become formalised and clearer.

From a broader regulatory perspective, there has been an official shift from a stance of observing and assessing without regulating, towards a formal, multi-regulator roadmap for specific regulation of crypto-assets and related services and service providers.

The predominant business models in the South African fintech market relate to digital banking and payment services. The major commercial banks have taken advantage of digital banking services to allow for transacting and accessing of banking services through a digitised app. Transaction delivery business models, which facilitate transactions between small enterprises and the end consumer, have seen significant growth in technologies as well as product volumes, with Jumo and Yoco ranking at the top of lists of companies that have secured the biggest investments in the past five years. 

There are about 19 crypto-asset trading platforms/exchanges operating in South Africa, according to the IFWG (a collaborative research and policy mapping forum established by the five principal regulators). The dominant CATPs are locally incorporated entities (Luno, with a South African-founded Singaporean parent, and VALR).

There is a wealth of fintech support operators, such as payment aggregators, Application Programming Interface (API) developers, NFT developers and trading/auction platforms, and digital market infrastructures for the listing and exchange of tokens and raising of share capital.

It is common for South African fintech companies to expand out of South Africa into global markets. This may entail externalising intellectual property and other operations but retaining a base in South Africa to leverage local resources, in particular, the relatively low-cost base and skilled fintech practitioners, to ensure a cost-efficient and more competitive offering.

There is currently no fintech-specific regime which regulates fintech per se, or fintech products and services. Certain fintech products and services fall within the scope and ambit of general local financial services laws or regulations, as those are generally activities-based, such that any particular activity might trigger one or more of the traditional financial services laws. The issuing, offering or distribution of those fintech products and services would then be subject to those particular laws or regulations. Examples of traditional financial services frameworks that are often applied to fintech products or service offerings include:

• the Financial Advisory and Intermediary Services Act, 2002 (the "FAIS Act"), in respect of investment management, "robo-advisory" and other financial services;
• the Financial Markets Act, 2012 (FMA), in respect of financial markets, exchanges, etc;
• the National Credit Act, 2005 (NCA), in respect of credit and lending activities/"peer-to-peer" lending platforms;
• the Banks Act, 1990 (the "Banks Act"), in respect of banking and deposit-taking activities, and the concept of "e-money";
• the National Payment Systems Act, 1998 (NPSA) in respect of payment services; and
• the Currency and Exchanges Act, 1933 (the "Currency and Exchanges Act") and the regulations under the Currency and Exchanges Act, 1933 (the "Exchange Control Regulations") in respect of cross-border capital flows and currency controls generally.

The remuneration, fees, and any other consideration or compensation that an industry participant is permitted to receive from a customer depends on the regulatory framework to which that industry participant is subject. 

By way of example, the FAIS Act requires financial services providers (FSPs) to disclose to their clients the nature, extent and frequency of any monetary obligations, incentives, remuneration, etc, payable to the FSP (whether directly or indirectly) in respect of financial services rendered. There are also limitations in respect of the financial interest that FSPs can receive from third parties (including product suppliers, other FSPs, distribution channels, etc).

By way of a further example, the fees, costs and charges that credit providers are permitted to levy on credit receivers are strictly prescribed under the NCA, in terms of a closed list, and must be disclosed in a prescribed manner and form to credit receivers. 

As stated above, there is currently no fintech-specific regulatory regime in South Africa. Any person (fintech industry participant or legacy player) offering products or services falling within the scope and ambit of general financial services regulatory frameworks must comply with the triggered framework. 

Whether a specific regulatory framework will apply in law (or will be applied in practice by a regulator) will depend on the particular characteristics, functionality and/or description of the product or instrument in question. Accordingly, at this stage, there would be no differentiation in the regulation of the different product issuers, suppliers, developers or marketers.

The IFWG has established a regulatory sandbox, which is intended to give participants an opportunity to test their innovative product or service against existing legislation and regulations. 

The IFWG runs a cohort-based application process for its sandbox, in terms of which applicants may submit applications during a specified window. Successful applicants may test their products or services for six months, working with the relevant lead regulators to determine appropriate testing parameters (testing may be extended under certain circumstances, although these circumstances are not specified).

In order to be eligible for consideration, an applicant’s product or service (its proposed "innovation") must, as a starting point:

• be intended for deployment in the South African market;
• not clearly fit within the existing regulatory framework, or challenge the existing regulatory framework;
• be beneficial to consumers or the market-at-large (as examples of this, the IFWG suggests, “for Business-to-Consumer companies – lower prices, increased competition, improved access/financial inclusion; for Business-to-Business companies – lower costs, increased efficiency, improved compliance”);
• be "significantly different" from other offerings in the market;
• be ready to be tested, including "fully-developed" technology (ie, testing is not intended to measure the quality, security or profitability of an innovation), with the applicant having sufficient funding to cover the full testing period, as well as secured partnerships (if required for testing)​​​.

Accepted participants must otherwise comply with all existing regulatory requirements, and admission will not change a participant’s licensing status, nor is it intended to signal tacit or implicit approval of the participant’s innovation by the relevant regulators. Participants must provide regular progress reports. 

The IFWG accepted its first cohort of applicants in 2020, and some participants in that cohort have completed testing, while testing for others is ongoing. The IFWG has published summarised information regarding the participants in its first sandbox cohort, which include:

• the People’s Fund, testing to clarify the treatment and appropriate framework for the intermediation of crowd-investing platforms; 
• Standard Bank, testing the reporting of cross-border foreign exchange transactions submitted to the ​South African Reserve Bank's Financial Surveillance Department, utilising the Standard Bank Aroko blockchain platform; 
• Investec, testing a safe-custody service for crypto-assets through its innovative Digital Asset Vault offering; and 
• Xago Technologies, testing the regulatory treatment of crypto-assets, specifically Ripple (XRP), in terms of South Africa’s Exchange Control Regulations, in the context of cross-border transactions between South Africa and the United Kingdom. ​​​

The IFWG has not indicated when it will open applications for its next regulatory sandbox.

Where more than one regulator has jurisdiction over an industry participant, each regulator only regulates the participant to the extent that they fall within their jurisdiction, as described below. 

South African Reserve Bank (SARB)

The SARB is primarily responsible for the maintenance of price stability in the interest of balanced and sustainable economic growth in South Africa. The SARB is the main regulator of banking and payment services in South Africa and oversees cross-border capital flow and exchange controls. The SARB protects/manages currency and accordingly monitors the extent to which digital representations of value may be regarded as e-money. The SARB’s power also extends to the regulation of prudential requirements for all financial services institutions in South Africa through the Prudential Authority (PA). 

Prudential Authority (PA)

The PA operates within the administration of the SARB and is responsible for regulating banks, insurers, co-operative financial institutions, financial conglomerates and certain market infrastructures. The objectives of the PA include assisting in maintaining financial stability, and promoting and enhancing the safety and soundness of market infrastructures and financial institutions providing financial products and securities services. 

Financial Sector Conduct Authority (FSCA)

The FSCA is the market conduct regulator overseeing FSPs, insurers, funds and fund managers, asset management and/or investment advisory entities, retirement funds, stock exchanges, stockbrokers, central securities depositories, central securities depository participants and CISs, among others.

National Credit Regulator (NCR)

The NCR regulates certain aspects of the lending industry, specifically where:

• consumers are natural persons or entities that fall below certain net asset value or annual turnover thresholds; and
• the credit value exceeds certain prescribed thresholds.

The NCR regulates credit providers, credit bureaus and debt collectors. The NCA applies to credit arrangements having effect in South Africa, regardless of the domicile of the credit provider.

Financial Intelligence Centre (FIC)

The FIC is South Africa’s regulator for monitoring and countering money-laundering and terrorism financing. The Financial Intelligence Centre Act, 2001 (FICA) designates “accountable institutions” that must comply with certain requirements, including those relating to anti-money laundering (AML) reporting and client verification (“know your client”). 

IFWG

In so far as developing a common understanding of financial technology developments, as well as policy and regulatory implications for the financial sector and economy in South Africa, are concerned, regulators have adopted a collaborative approach in the establishment of the IFWG by the SARB, the National Treasury (the "Treasury"), the FSCA, the FIC, the South African Revenue Services (SARS), the NCR and the Competition Commission (the "Commission").

Regulated functions can be outsourced, although most regulated functions can only be outsourced to regulated vendors. Depending on the type of regulated functions, there are mandatory contractual and other requirements/obligations applicable to outsourcing by regulated entities. However, such requirements/obligations are placed on the outsourcing entity (and not the vendor). Needless to say, the regulated vendor would be required to comply with its own requirements for providing the outsourced services.

For completeness, it is possible for regulated entities to outsource unregulated support functions (such as back office/information technology services) to unregulated vendors. Such outsourcing would still be subject to mandatory contractual and other requirements/obligations placed on outsourcing regulated entities (and not on the vendor).

Unregulated fintech providers (eg, CASPs) are not deemed by any law to be “gatekeepers” and they have no statutory responsibility (save for regulatory consumer protection obligations). In respect of regulated fintech providers, specifically providers of regulated payment instruments/infrastructures and banks (and not fintech providers) are deemed to be “gatekeepers”, hence the significant part of the payment processing (ie, clearing and processing of payments) is done by banks, and fintech providers are required to partner with banks or get some form of approval from banks to participate in the payment system. Such fintech providers, however, have their own minimal regulatory obligations/responsibilities and direct liability for their non-compliance. 

Fintech providers that provide financial services (eg, robo financial advice) are regulated in their own right and are deemed to be gatekeepers, bearing full responsibility for their activities and for compliance with the applicable legislation.

Some of the significant enforcement actions by regulators for the main verticals include:

• administrative penalties/sanctions;
• criminal prosecution (a fine, imprisonment, or both); 
• withdrawal or suspension of a licence, registration or approval;
• suspension/revocation of a key person’s appointment; 
• debarment of representatives; and
• limiting the activities of an entity.

Competition 

The Commission is empowered by the Competition Act, 1998 (the "Competition Act") to regulate competition and ensure that the markets function efficiently in South Africa. The Competition Act applies to all economic activity that has an effect in South Africa and the Commission therefore has an interest in the financial markets and fintech from a competition law perspective. 

In 2021, the Commission initiated a market inquiry into the online intermediation platforms market (the "Inquiry"), focusing initially only on payment services. That said, the Commission has indicated that the primary issue in the fintech market often revolves around the gatekeeper role of traditional financial institutions, in so far as this relates to consumer data, which it is important for innovators to access in order to offer innovative new services and/or directly contest incumbents. This gatekeeper role, according to the Commission, is largely enabled by the fact that innovative payment mechanisms that may be cheaper and more efficient than established payment mechanisms can only be realised through authorised access to consumer accounts. 

The Commission has therefore stated that, currently, its approach to fintech is collaborative in nature (achieved through the IFWG), as this can achieve the competition objectives in the fintech market in a manner that does not undermine prudential and data security considerations. 

Data Protection and Privacy

South Africa’s data protection legislation is the Protection of Personal Information Act 4 of 2013 (POPIA). POPIA regulates the manner in which the personal information of individuals (data subjects) may be "processed", ie, collected, held, used, disclosed, or transferred. The data controller (termed a "responsible party" under POPIA), who decides how and why such information is processed, may only process personal information in accordance with the provisions of POPIA and must in turn ensure that any data processor (termed an "operator" under POPIA) it appoints complies with POPIA. 

POPIA closely mirrors the General Data Protection Regulation 2016/679 (GDPR), including requiring a justification for processing personal information, the fact that personal information should not be retained for longer than necessary to fulfil the purpose for which it was collected, strict regulation of cross-border transfers of personal information, and the fact that certain prior authorisations from the South African data protection regulator (the "Information Regulator") are required for certain processing activities. 

Unlike the GDPR, POPIA is not triggered when a data controller offers goods and services to South Africans. POPIA applies to data controllers that are:

• incorporated in South Africa; or 
• not incorporated in South Africa but process personal information in South Africa (including storing information and/or locating servers in the country) whether by automated or non-automated means. 

The Information Regulator has not yet published any practical guidance on the application triggers under POPIA and when a controller should be regarded as processing personal information in South Africa, and there is no case law on this issue as yet. The Information Regulator may issue an enforcement notice in respect of non-compliance with a substantive requirement under POPIA. Failure to comply with an enforcement notice is an offence which may result either in the imposition of an administrative fine, or the imposition of a fine or imprisonment (or both). 

Cybercrimes and Cybersecurity

The Cybercrimes Act, 2020 (the "Cybercrimes Act") imposes various obligations on financial institutions to report cyber-offences and to preserve any information that will assist law enforcement. Failure to do so constitutes an offence and may result in a fine. The Cybercrimes Act also criminalises certain offences in POPIA. Among other things, it specifically criminalises the altering of the functioning, confidentiality, integrity or availability of a computer data storage medium or computer system. Such an offence attracts liability of a fine or imprisonment (or both). 

Social Media Content

In terms of the Films and Publications Act, 1996 (FPA), platforms that host user-generated content fall within the definition of a "non-commercial online distributor", which is defined as “any person who distributes content using the internet or enables content to be distributed by a user of online services, for personal or private purposes”. Only very limited provisions of the FPA apply specifically to non-commercial online distributors. 

For example, complaints may be made against such distributors about content that is "prohibited content" (content that amounts to propaganda for war, imminent violence or hate speech) and that they must take down prohibited content when directed to do so by the Film and Publications Board. Advertising material published online falls outside the scope of the FPA and is regulated under the terms of the Code of Advertising Practice administered by the Advertising Regulatory Board (ARB), a self-regulation regime that is triggered if the advertiser is a member of the ARB. 

Encryption Technology

The Electronic Communications and Transaction Act, 2002 (ECTA) regulates the use of encryption and requires the registration authority (the Director General of the Department of Communications) to establish and maintain a register of cryptography providers. No person can provide cryptography services or cryptography products in South Africa unless the particulars of that person have been registered in accordance with the registration requirements of ECTA. A cryptography provider is defined as any person who provides or proposes to provide cryptography services or products in South Africa. Under ECTA, a person who fails to register with the registration authority is guilty of an offence and liable to a fine or imprisonment.

From a non-regulatory perspective, fintech companies need to comply with the International Financial Reporting Standards and will be audited by external auditors. Non-regulatory requirements may increase in future. 

At present, many consulting/advisory firms are assisting clients in this sector to ensure client demands in various aspects are met.

The Independent Regulatory Board for Auditors is not a member of the IFWG.

Given the strict and far-reaching licensing requirements of legacy financial sector participants, their appetite for direct production or provision of novel technologies is somewhat muted, and generally limited to innovations that facilitate delivery of financial products and services more effectively, more cheaply or to a broader market. However, industry participants do offer unregulated products and services in conjunction with regulated products and services, sometimes through the same legal entity, where that is permissible. While this practice is not prohibited by law, regulators expect such industry participants to inform their customers as to which products and services are regulated and which are unregulated, to ensure that customers know the products and services in respect of which they have no recourse to regulators or ombudsmen. Furthermore, such industry participants cannot utilise their regulatory licences, registrations or authorisations to offer or market unregulated products and services.

On the other hand, emerging technology developers do not yet have the comfort of a liberal sandbox environment or accessible regulators to enable them to develop products that compete head to head with traditional products and services. As a result, there is not as yet any significant overlap in the product and service offerings of traditional and emerging products and services.

South Africa’s AML measures are set out in FICA and the Prevention of Organised Crime Act, 1998 (POCA). Generally speaking, FICA establishes the broad legal and administrative framework for combating money laundering in South Africa and POCA creates statutory money-laundering offences.

In terms of FICA, there is a prohibition on persons dealing with economically sanctioned persons or their property. There is also a general obligation on any “person who carries on a business or is in charge of a business or who is employed by a business” to report suspicious and unusual activities or transactions to the FIC. The obligation to report to the FIC arises when a person or an institution knows of certain facts or should reasonably have known or suspected that certain facts existed. This obligation applies to any person conducting any kind of business (regulated or unregulated) in South Africa.

FICA’s AML provisions are more stringent for companies that are accountable institutions in terms of Schedule 1 of FICA. “Accountable institutions” include entities such as banks, managers of CISs and FSPs. Although not specifically included in Schedule 1, a fintech company, depending on its nature, may fall within the definition of an accountable institution and have to be registered as such under FICA and be subject to the various ongoing requirements imposed on accountable institutions relating to client identification, record-keeping, statutory reporting and the requirement to develop and implement a FICA-compliant Risk Management and Compliance Programme. 

In so far as unregulated fintech companies are concerned, such companies may still be caught by FICA in future should they qualify as CASPs, as the proposed amendments to FICA – as canvassed in the IFWG’s Crypto-Asset Position Paper (the "Position Paper") – anticipate CASPs being included in FICA’s list of accountable institutions.

Different asset classes do not require different business models in relation to robo-advice. Certain financial products (such as forex and deposits), however, are subject to additional requirements/codes of conduct (not applicable to other financial products) that may require robo-advisers to take extra steps that are not required in respect of most financial products.

The provision or use of robo-advice is currently not popular in South Africa, probably because the express regulatory framework for robo-advice is fairly new. Most, if not all, legacy players have not commenced implementing robo-advice solutions, and robo-advisers offer their solutions directly to investors, as they are enabled to do so by the current regulatory framework (ie, the FAIS Act and its subordinate legislation). In fact, the regulatory framework is of such a nature that robo-advisers themselves require a licence similar to the one required by typical financial advisers (and asset managers) in order to offer their solutions directly to investors. The result of this is that robo-advisers may be competitors to legacy players, as opposed to selling their solutions to them.

Robo-advisers (once licensed) are subject to a general code of conduct, requiring them at all times to render financial services (such as execution of trades) honestly, fairly, with due skill, care and diligence, and in the interests of clients and the integrity of the financial services industry.

Robo-advisers are also required to provide their services in a manner that achieves six Treating Customers Fairly (TCF) outcomes, designed to ensure that regulated financial institutions (such as robo-advisers) deliver specific and clearly-set-out fair outcomes for their clients.

The provision of loans or any form of credit is regulated under South African law by the NCA, which requires lenders in respect of whose credit agreements the NCA applies, to formally register as "credit providers" with the NCR. Registered credit providers are subject to extensive and onerous market conduct-related rules and obligations. 

The NCA generally applies to every credit agreement between parties dealing at arm’s length (whether the credit receiver is an individual, small business or other person) and made within, or "having an effect in", South Africa. 

The NCA does, however, provide for certain general exemptions from its application. In this regard, the NCA will not apply to:

• a credit agreement in respect of which the credit receiver (borrower) is a juristic or legal person (as opposed to a natural person or individual), whose asset value or annual turnover, together with the combined asset value or annual turnover of all persons related to that juristic-person credit receiver, equals or exceeds ZAR1 million at the time of conclusion of the credit agreement; or
• a "large" credit agreement (eg, a credit transaction, like a loan, in respect of which the principal debt under that transaction falls at or exceeds ZAR250,000, where the consumer for the purposes of the NCA is a juristic person having an asset value or annual turnover of below ZAR1 million).

A local applicant-credit receiver can formally apply to the Ministry of Trade and Industry for a credit agreement that the credit receiver seeks to enter into with an offshore (foreign) credit provider to be formally exempt from the application of the NCA.

The underwriting process typically involves drawing on artificial intelligence techniques like predicative machine learning algorithms that analyse consumer data and help improve underwriting decisions. The prominent APIs for the collection of data include Fundrr, Lulalend, and Stitch. These APIs process consumer data and match it up against the risk criteria of lenders to inform the underwriting process. APIs are predominantly used for entrepreneurship financing by small to medium entities.

The above process involves the analysis of consumer data which is regulated by POPIA (see 2.10 Implications of Additional, Non-financial Services Regulations). Underwriters that process personal information must adhere to the requirements of POPIA.

The innovation in the sector currently does not extend to the creation of credit score data sets, however, it is used particularly in the telecommunications industry for nano-loans, airtime and/or data services.

Lenders typically secure funds from the following:

• deposits from the public – the Banks Act prescribes that only registered banks can take deposits from the general public, and it is an offence for unregistered persons to conduct the business of a bank;
• equity from shareholders and other investors;
• the issuance of debt instruments in accordance with the South African "commercial paper regulations" (Government Notice 2172 in Government Gazette 16167 of 14 December 1994); and
• loans from other institutions.

Raising funds through equity and debt is regulated to the extent that securities are issued to the public. Issuance to the public can attract the listing requirements of the relevant exchange platform. 

The regulation of securities generally does not extend to crypto-assets as they are not regarded as securities. This however is not absolute, as some crypto-assets could meet the functional or factual definition of securities. 

There does not appear to be any syndication of online loans in South Africa. There is no specific regulation for syndication of loans and syndicated loan transactions are a dominant lending structure in South Africa, but this has not yet been seen in the case of online lending. 

Syndicated loans in South Africa follow a standard international process of an agreement between a borrower and an appointed arranger. The arranger carries the responsibility of collating all the information for the preparation of a memorandum to be circulated to interested lenders. This is then followed by a process of negotiations to determine the terms of the facility agreement between all interested parties. The loan is then disbursed once all precedent conditions have been fulfilled.

Payment processors have to make use of existing payment rails for their products. The current regulatory framework, which restricts key payment processing functions to banks and requires banks to be gatekeepers, makes it difficult for payment processors to create their own payment rails.   

Cross-border payments and remittances are subject to South Africa’s exchange controls, which are provided for in the Exchange Control Regulations and in exchange control manuals, orders and rules issued by the SARB. 

Foreign exchange controls require cross-border payments and remittances to be processed, monitored and reported to the SARB by South African-authorised dealers in foreign exchange (local commercial banks authorised as such by the SARB) ("Authorised Dealers") and in certain limited cases by Authorised Dealers with Limited Authority – ADLAs – (being non-bank entities authorised as ADLAs by the SARB). Payment processors that facilitate cross-border payments and remittances have either partnered with Authorised Dealers or obtained their own ADLA authorisation (ADLA authorisation works for payment processors that facilitate peer-to-peer payments). 

The administrators of CISs, pension funds, long-term insurers and medical aid schemes are all required to be approved to conduct such activities, in most instances by the FSCA, in some cases by the PA, and in terms of separate sector-specific legislative frameworks. In each case, the obligation to obtain the relevant approval or licence is triggered by the activity undertaken and providing administration services to any such entity without a licence is an offence.

The FSCA has indicated that, pending formal regulation, pension funds may not maintain any exposure to crypto-assets and, accordingly, pension funds are wary of obtaining or maintaining such exposures, which translates into their investment manager mandates. There is no black letter prohibition, however, on such investments and the proposal is controversial as it is unclear whether the proposed ban would extend, for example, to ordinary securities in crypto-asset development companies, or to stablecoins lawfully traded on offshore derivatives markets, or even to a digital South African fiat currency. 

Presently, CISs are approved in specific asset classes, and since crypto-assets are not among the listed classes, it is not possible for a CIS to be founded with the investment strategy of holding a portfolio of exclusively or predominantly crypto-assets. The Conduct of Financial Institutions Bill (yet to be enacted) proposes the introduction of a vehicle named an “alternative investment fund” which the IFWG has proposed may be the appropriate vehicle for a crypto-asset portfolio.

There are no provisions peculiar to regulated investors, with the proviso that the Pension Funds Act, 1956 (Pension Funds Act) applies more rigorous expectations to ESG investing. 

Any form of a securities marketplace/exchange is permissible provided that it is licensed as an exchange under the FMA. An "exchange" is a person which constitutes, maintains and provides an infrastructure for bringing together buyers and sellers of securities, for matching bids and offers for securities of multiple buyers and sellers, whereby a matched bid and offer for securities constitutes a transaction (a contract of purchase and sale of securities).

Any trading platform (typically used to trade OTC securities) is permissible provided that its provider holds an FSP licence under the FAIS Act. The FSCA construes the provision of a trading platform by a third party as constituting the provision of intermediary services as regulated under the FAIS Act. 

While different asset classes do not have different regulatory regimes from a trading perspective, certain financial products are subject to additional requirements/codes of conduct (not applicable to other financial products). For example, deposit and forex products regulated under the FAIS Act have additional product-specific codes of conduct.

Furthermore, some instruments (such as OTC derivatives, debt instruments and CISs) have product-specific regulatory requirements (such as registration requirements) that must be met by issuers before those instruments can be offered in a marketplace or trading platform.

The emergence of cryptocurrency exchanges has not impacted or changed regulations as yet. It is well established (and confirmed by the relevant regulators) that crypto-assets/cryptocurrencies are currently not regulated. 

The FSCA published a "Draft Declaration of Crypto Assets as a Financial Product" ("Draft Declaration"), on 20 November 2020, seeking to declare crypto-assets as a financial product (as defined in the FAIS Act). The Draft Declaration, once in effect, will require any person rendering "intermediary services" or furnishing "advice" (each as defined in the FAIS Act), in relation to crypto-assets, to be authorised under the FAIS Act as an FSP, and to comply with the requirements of the Act. This will catch crypto-asset exchanges and CATPs. At this stage, there is no indication of when the Draft Declaration will be finalised.

In terms of the Position Paper (see 2.13 Impact of AML Rules), the South African regulators have proposed amendments to Schedule 1 of FICA to ensure CASPs are treated as accountable institutions for AML/CFT purposes.

The possible enactment of the CoFI Bill, which includes specific provisions regarding the licensing of CASPs and CATPs is anticipated. Once in effect, CoFI will materially change the regulatory regime currently applicable to financial institutions and parties seeking to carry out regulated financial services activities in or in relation to South Africa. 

The Johannesburg Stock Exchange Limited (JSE), as the primary stock exchange in South Africa, issues the JSE Listings Requirements, as amended from time to time. This has been promulgated as regulation applicable to companies listed on the exchange operated by the JSE in terms of the FMA, which prescribes the legal landscape applicable to market infrastructures in South Africa.

In terms of the FMA, licensed exchanges may provide for listings under a regulated framework under the purview of listings requirements determined by such exchange and approved by the registrar of securities services at the FSCA. The JSE is the pre-eminent listing platform which dominates South African and African markets, under the supervision of the FSCA.

The expansion of industry in South Africa has also seen the emergence of smaller stock exchanges over the last few years, including ZAR X, the 4AX, the A2X and Easy Equities Exchange. These stock exchanges aim to have less stringent requirements for listing than the JSE, in order to attract smaller players in the market.

Accordingly, the main listings requirements in the market are the JSE Listings Requirements, the ZAR X Listings Requirements, the A2X Listings Requirements and the Easy Equities Exchange Listings Requirements.

In terms of the FMA, knowingly or directly using or participating in any practice which can create a false or deceptive appearance of the demand for, or supply of, or trading activity in connection with a security, or an artificial price for that security, amounts to an offence and a prohibited trading practice in terms of the FMA. 

Examples of contraventions in this regard include, among other things, approving or entering on a regulated market an order to trade a listed security which involves no change in its beneficial ownership, or approving or entering an order with the knowledge that an opposite order at substantially the same price is being made, or approving or entering an order at successively higher prices or successively lower prices with the intention to create a false appearance of trading activity or to artificially influence the market price.

Peer-to-peer trading platforms do not impact both traditional and fintech players. This is because peer-to-peer trading platforms involving regulated instruments are patently accommodated by the existing regulatory framework, which accommodates both traditional and fintech players. Peer-to-peer trading platforms that do not involve regulated instruments are simply offered on an unregulated basis (even by traditional players).

The principle of "Best Execution of Customer Trade" has been introduced in draft form by the FSCA. This principle encourages having policies in place to achieve best execution for clients, and mandates that brokers trade shares on the exchange that has the better price and pursue the avenue that best advances their client’s instruction.

Best execution is a well-known concept in international financial markets, but was not relevant in South Africa until recently, as there was virtually no competition in terms of securities exchanges. The impact of best execution on competition remains to be seen once the principle has been formally adopted.

The JSE, which was the sole player in this space for many years, has a central order book wherein all transactions must be conducted unless dealing with a transaction that qualifies as an off-book trade that is already in the best interests of the client. 

Best execution is typically applicable where competing local exchanges trade in securities that have been dual-listed. A2X, the model for which is based on accommodating secondary listings of JSE-listed companies, has expressed its support for this principle in favour of investors.

Order-handling principles in South Africa are largely in line with international best practices and contain reasonable carve-outs, including allowance of price stabilising mechanisms in accordance with applicable listings requirements. 

There are no express rules against payment for order flow. The practice may be prohibited, however, to the extent that it contravenes other trading rules.

The industry conforms to principles of market integrity informed by good corporate governance. The FMA prohibits behaviour in listed companies amounting to insider trading, prohibited trading practices and the making of false, misleading or deceptive statements, promises or forecasts.

In terms of the FMA, insider trading is an offence which is committed if, among other things, an insider:

• trades in listed securities, directly or indirectly, while knowing that he or she has inside information; 
• encourages or discourages another person from dealing in listed securities while knowing that he or she possesses inside information; or 
• discloses such information to another person, subject to certain exceptions. 

There is currently no regulation that expressly provides for the creation and use of high-frequency and algorithmic trading. This does not mean, however, that such technologies are prohibited. In fact, the JSE does make use of such technologies. 

Some (but not all) financial sector regimes require market makers to be registered or licensed, despite their acting as principals. For example, the FMA Regulations require market-makers to be registered as OTC derivative providers. To access exchange traded securities directly (without using an authorised broker) a market-maker is required by the FMA to be authorised as a broker or as an authorised user by the relevant exchange.     

The regulations in South Africa do not make a distinction between funds and dealers that engage in high-frequency and algorithmic trading.

There is currently no express regulation of programmers who develop and create trading algorithms and other electronic trading tools in South Africa. 

Financial research is not, in and of itself, a regulated activity in terms of South Africa’s financial sector laws. Should a financial research platform extend beyond pure research, to the provision of financial services, however (eg, where the platform provides "advice" (as defined in the FAIS Act) on certain investments that is tailored to the investment needs of a particular investor group, or where material on the platform can be seen to market or promote the research provider’s broader financial services-related capabilities), then a licensing requirement will be triggered for the provider of that platform under the FAIS Act if the platform targets South African clients, is promoted to South African clients, or has a South Africa-specific "element" to it. 

The regulatory framework applicable to the spreading of rumours and other unverified information depends on the subject matter of the rumour/unverified information. For example, as far as the FAIS Act is concerned, it is a criminal offence to make or publish any statement in respect of a financial service or a financial product which the person knows (or ought reasonably to know) is misleading, false, deceptive, contrary to the public interest or contains an incorrect statement of fact. 

As far as the FMA is concerned, it is a criminal offence to make or publish in respect of, among other things, securities traded on a regulated market/exchange any statement, promise or forecast which is, at the time and in the light of the circumstances in which it is made, false or misleading or deceptive in respect of any material fact and which the person knows, or ought reasonably to know, is false, misleading or deceptive. The FMA also broadly and strictly regulates a host of market abuse-type offences, including market manipulation and insider dealing.

The manner in which posts or conversation on a particular platform are curated will likely differ from platform to platform.

Under the FAIS Act, it is a criminal offence to make or publish any statement in respect of a financial service or a financial product which the person knows (or ought reasonably to know) is misleading, false, deceptive, contrary to the public interest or contains an incorrect statement of fact. 

As as the FMA is concerned, it is a criminal offence to make or publish in respect of, among other things, securities traded on a regulated market/exchange any statement, promise or forecast which is, at the time and in the light of the circumstances in which it is made, false or misleading or deceptive in respect of any material fact and which the person knows, or ought reasonably to know, is false, misleading or deceptive. 

These proscriptions regulate, and act as practical deterrents against, pump and dump schemes, the spreading of inside information, or other types of manipulative market behaviour.

Prudential requirements relating to the underwriting of life or non-life insurance products in South Africa is regulated under the Prudential Standards which is subordinate legislation to the Insurance Act, 2017. South African insurance legislation does not make a distinction regarding the process of underwriting specific to distribution basis. Instead, it sets out the requirements with which insurance products need to comply from a prudential perspective or in terms of market conduct requirements. These are universal requirements regardless of whether the insurance product is distributed through insurtech or through traditional channels. 

Prudentially, life and non-life insurance products are treated differently and the sub-categorisation between the two classes of insurance also means that products are treated prudentially differently. For example, a life policy where the limit of indemnity is greater than ZAR100,000 will have different prudential requirements to a micro-insurance life policy where the limit of indemnity is capped at ZAR100,000. Market conduct regulation in most instances is similar in application across both life and non-life insurance policies with the Policyholder Protection Rules (Long-Term Insurance), 2017 or Policyholder Protection Rules (Short-Term Insurance), 2017. 

The former is applicable to all policyholders (natural and juristic). The latter is only applicable to natural or juristic persons whose asset value or annual turnover exceeds ZAR2 million.

There is currently no specific regulatory framework for regtech providers in South Africa. A regtech provider may, however, fall within the ambit of other regulatory regimes. This will need to be considered on a case-by-case basis, depending on the type of activities performed, the client to whom the services are being provided and the specific business model of the regtech provider. 

For instance, certain regtech providers may fall within the scope and ambit of general financial services regulatory frameworks and thus may be subject to regulatory bodies charged with the monitoring of those frameworks. Accordingly, the SARB, the NCR, the FSCA and FIC may provide regulatory oversight in respect of various aspects of the offering of regtech services.

In order to assure performance and accuracy, financial services firms often require pro-customer warranties and indemnities that are common practice in relation to technology transactions. For example, a warranty that the regtech software will perform according to the financial services firms’ business requirements and that the regtech software is fit for purpose (ie, it will help financial services firms comply with regulations efficiently and accurately) and an indemnity for breach of such warranty. 

For the most part, the above contractual terms are not dictated by regulation, but may be classified as industry custom, depending on the bargaining power of the parties involved. Often, contractual terms are required pursuant to regulations governing the protection and processing of personal information, outsourcing requirements (particularly in agreements with insurers and banks) and other regulatory requirements which may be applicable, depending on the nature of the work performed, the client to whom the services are being provided and the specific business model.

Although there has been growing investment in crypto-assets and fintech companies making use of and developing blockchain-powered technologies, the traditional players in the financial services industry have been slower to incorporate blockchain or other distributed ledger technologies into either their own operations or their product and service offerings. As the technology continues to gain investor and consumer trust, the expectation is that traditional financial institutions like banks, brokerages and insurers will more actively start seeking ways in which to harness the potential of these technologies, especially in the arena of smart contracts.

South African regulators’ views on blockchain technologies are rather ambivalent. In the 2021 Crypto Asset Position Paper, the regulators who form part of the IFWG acknowledged the positive role of blockchain to enhance financial inclusion of more financially under-serviced South Africans (whether in the banking, insurance or investment environments) as well as lowering thresholds for entry for emerging FSPs, and accordingly stimulating competition and product development in the financial sector. 

However, concerns around cybersecurity, AML and combating the financing of terrorism (CFT) prerogatives, consumer protection against unregulated operators and products, and concerns about the impact on South Africa’s exchange control regime have tipped the balance towards more restrictive regulation addressed at containing threats rather than more progressive regulation aimed at stimulating the sector, at least for the time being.

There are no blockchain-specific laws or regulations. Products developed, hosted or traded on blockchains are assessed with reference to existing financial sector, consumer protection and related laws and regulations, based on their functionality. The Position Paper identifies 25 recommended regulatory interventions to be rolled out over the coming 24 months to address the perceived risks, including the development of the existing regulations to cater more explicitly for blockchain assets (rather than developing a separate blockchain and crypto-assets regulation framework).

There is no law by which legal protection is afforded to blockchain users or a form of recourse is afforded to investors in blockchain products.

South African regulators have expressed the intention to stay closely aligned to the approaches of the Financial Action Task Force and the Basel Committee on Banking Supervision.

The regulators have proposed amendments to Schedule 1 of FICA to ensure CASPs are treated as accountable institutions for AML/CFT purposes.

In terms of the regulatory authorities’ joint stance, they do not view cryptocurrency as being a form of "legal tender". In terms of Section 17 of the South African Reserve Bank Act, 1989, "legal tender" is defined as being “tender by the Bank itself, of a note of the Bank or of an outstanding note of another bank for which the Bank has assumed liability in terms of section 15 (3) (c) of the Currency and Banking Act or in terms of any agreement entered with another bank before or after the commencement of this act; and a tender by the Bank itself, of an undefaced and unmutilated coin which is lawfully in circulation in South Africa, and of current mass.” 

While no crypto-assets qualify as legal tender in South Africa, by virtue of their particular characteristics (most notably, but not exclusively, "redeemability" and general commercial acceptance), some can meet the regulated definition of "money" (ie, "e-money"). In that case, the tokens themselves, as well as any issuers, remitters, deposit-takers and the related service provider chain, are subject to banking regulations and SARB’s supervision. 

The FSCA has already initiated the process to have all crypto-assets designated as "financial products" for the purposes of FAIS. The result of the definitional change will be that regardless of the characteristics of a token, it may only be promoted, and its transfer processed, by licensed FSPs.

There is no such regulation in South Africa. In principle, the laws relating to the issuing of securities to the public could be triggered by the issuance of a token that displays the defined characteristics of a security (including a derivative instrument). 

In terms of the Companies Act, 71 of 2008 (Companies Act), "securities" means, “any shares, debentures or other instruments, irrespective of their form or title, issued or authorised to be issued by a profit company”. The scope of the definition could be wide enough to include almost any tokens, however, the regulator under the Companies Act has not issued any guidance in this regard, and it is proposed to amend the definition of "securities" (likely to take place in 2022) to delete "other instruments" and limit it to shares and debentures. 

The IFWG has announced a slate of specific regulatory interventions to bring issuers within the supervisory ambit of the FIC (as accountable institutions), the FSCA (as licensed intermediaries and/or advisers) and the SARB (as a CATP or special category money remitter under the Exchange Control Regulations).

CATPs are not regulated specifically. The reputable local platforms have voluntarily registered with the FIC and apply FICA on a voluntary basis. The IFWG has announced a slate of specific regulatory interventions to bring CATPS within the supervisory ambit of the FIC (as accountable institutions), the FSCA (as licensed intermediaries and/or advisers) and the SARB Financial Surveillance Department (as a CATP or special category money remitter under the Exchange Control Regulations).

It is currently not possible to set up a retail CIS with a predominantly crypto-asset portfolio in terms of the Collective Investment Schemes Control Act, 2002 (CISCA). It is proposed that such funds be established by way of a relatively new vehicle, an alternative investment fund (AIF), proposed in the CoFI Bill with additional permission required from the SARB.

Draft regulations to the Pension Funds Act propose the prohibition of investment in crypto-assets by pension funds.

Virtual currencies are defined in South African tax legislation as being investments and taxable assets. Virtual currencies are defined by the SARB as a form of digital money. There are no material differences, at this stage, in the way virtual currencies are regulated in comparison to any other blockchain assets.

The IFWG’s recommendation is that no crypto-assets, including virtual currencies, may be allowed for settlement obligations in financial market infrastructures such as the South African Multiple Option Settlement System.

Decentralised finance ("DeFi") is undefined in South African legislation. No existing regulations set out how to deal with DeFi platforms and there is no pending legislation regulating DeFi platforms. At present, the non-regulation of DeFi platforms therefore allows them to continue to operate within South Africa, without acting as accountable institutions. 

South Africa has seen significant interest in the development of, trading and auctions of NFTs in the past 12 months. NFTs are not viewed as legal tender but they remain taxable from a taxation perspective. There is no existing legislation in place regulating NFTs or an NFT platform. NFTs qualify as a form of digital art and the laws of intellectual property may be applied to them, specifically copyrights.

South Africa is yet to publish specific regulations or standards for open banking infrastructure and practice. The sharing of consumer financial data, including any personal information by any service provider and participating bank, is currently subject to POPIA, which regulates the processing of personal information, provides for the rights of data subjects, and prescribes the obligations of data controllers and data processors.

In November 2020, the SARB issued a consultation paper on open-banking activities in the national payment system, which makes various policy proposals regarding open banking, including: 

• a new class of third-party providers should be introduced, and access to customers’ financial information should be promoted so as to improve product and service offerings for customers; 
• such third-party providers should be regulated by the SARB and the FSCA; 
• banks should provide access to customers’ financial information, subject to customer consent, to such third-party providers;
• technical standards for open banking should be developed and implemented; and
• consumer education or awareness should be conducted. 

Given that there is no open banking-specific regime in South Africa, the collection and processing (including data sharing) of personal information by banks and technology providers is subject to the provisions of POPIA. To comply, banks and technology providers are developing data processing policies that meet the requirements under POPIA and that regulate their operations. There has also been an increased trend towards appointing data protection officers to monitor and ensure organisational compliance with the requirements under POPIA.

Open banking raises regulatory concerns regarding consumer safety and trust as there are no uniform industry security standards, coupled with a lack of certainty that consumer information can and will be secured from a data breach. Banks need to ensure compliance with POPIA during the processing and sharing of personal information. Banks, in collaboration with fintech companies, have established API to ensure secured sharing of customer information. 

A number of banks have taken steps towards open banking by developing APIs for various products and use cases. It is therefore clear that despite the data privacy and data security concerns raised by open banking, traditional banks are keen to welcome and integrate these platforms. However, a major concern identified by the South African Treasury is that there is potential for the fintech industry to bypass regulations and create an uneven regulatory playing field, particularly for traditional banks.