The Financial Sector Conduct Authority has chosen not to wait for the Conduct of Financial Institutions (COFI) Bill to be finalised before aligning its work to the principles of the new law, Deputy Commissioner Katherine Gibson (pictured) told delegates at the Financial Planning Institute of Southern Africa’s annual convention on 4 November.
“We had to make a decision,” she said. “Are we going to just wait for COFI, which is actually out of our control – it’s a National Treasury-led, parliamentary-sanctioned piece of legislation – or are we going to see how, given how much we’ve learned through the COFI development process, we start shaping ourselves as the FSCA for this more activity-based, outcomes-focused, consistent approach? And it’s definitely the latter. That’s the strategic decision that we’ve made.”
Gibson said COFI will introduce a significant change for the FSCA because its supervisory and regulatory responsibilities will no longer be conducted according to sector-based laws. “The COFI framework gives us something different.” It is an entities-facing piece of legislation that provides a set of requirements for an entity – linked to all the activities the entity performs – as opposed to separate pieces of laws and separate requirements that are linked to an entity’s institutional structure.
Although the Bill is still with the Minister of Finance for submission to Cabinet and then Parliament, Gibson said the Authority is already implementing its principles. The FSCA does not want to start thinking about how to do that only when COFI is enacted, because the changes are substantial. “So, we’ve already started thinking around what COFI means for us, and how we would actually implement pieces of the intention of COFI even through the FSRA [Financial Sector Regulation Act], because the FSRA does give us a lot of powers.”
The FSCA has established working groups to start building the supporting cross-cutting frameworks that COFI will require, she said. “The priorities at the moment being the competency framework – very relevant to you – governance, there’s a culture and governance workstream; we’re also looking at, with the PA [Prudential Authority], how we would jointly look at assessing some of these requirements, and risk management.”
She said the Authority is already applying parts of COFI through existing Standards. For example, the Conduct Standard for Banks includes many of COFI’s principles. The FSCA will its existing regulatory toolset if COFI is further delayed.
Single-entity view and the OMNI-Risk Return
Gibson linked the COFI-aligned supervision model to the authority’s new Supervisory Technology (SupTech) system, the Integrated Regulatory System (IRS).
“Our SupTech solution is being designed with COFI in mind. What that means is the way in which we request information, collect information, analyse that information – all of that is being re-engineered,” she said.
The system is being built to enable a single view of each regulated entity. “At a high level, it’s looking at a new risk model, and how we then think around these entities that we are regulating,” she said.
The IRS will improve risk management by providing a centralised, unified view of each regulated entity, allowing for more effective monitoring and oversight. By consolidating data from multiple sources into a single platform, the IRS reduces the risk of important issues slipping through the cracks and enables better information sharing between supervisory teams.
The system streamlines processes – such as risk indicator analysis, data collection, and reporting – leading to higher data quality, improved consistency, and greater operational efficiency.
It is also a central data repository, which means the FSCA will have quality data. It has been more difficult than it should be for the FSCA to extract data on the actions that it is taking in a reliable, formal, and consistent way, Gibson said.
The IRS enables standardised processes. Currently, there are multiple processes and approaches in terms of how FSPs interact with the Authority, as well as how its supervisors interact with and assess entities.
“There have historically been quite different approaches at varying stages of maturity. What this IRS adaptation is helping us do is again put those together in a pot and say, what are the best aspects of what we do, what are we learning that should be shared across our supervisors, and bring back to you as our one set of customers.”
Closely linked is the OMNI-Risk Return – a new, harmonised reporting return the FSCA published as a draft on 30 September. The OMNI-Risk Return is intended to become “the foundational data source” for the FSCA’s automated, harmonised supervisory risk model and will be embedded within the SupTech platform.
The FSCA has opened a two-month consultation on the draft return, and the comment period runs to 30 November.
Gibson said the risk-return consultation has been “tremendously oversubscribed” – “the level of interest has been phenomenal”. Extra workshops were added, although these have been also filled up, she said. Recordings of the events will be made available online.
The FSCA is working towards a go-live for IRS towards the end of next year. There are “a lot of moving parts”, she added, but “the most important thing that I can communicate today is that there will be continual and ongoing engagement with how we tie these different pieces together”. There will be an industry pilot that runs around the middle of next year, “which will be crucial for us in continuing to iron out bugs”.
Understanding the rise of influencers
Turning to financial influencers, Gibson said the Authority has conducted two studies. One was a general research landscaping study, and the other was a survey that asked the industry, particularly product providers, how they are using and thinking about influencers. The Authority will be sharing this research in the coming months.
She said there is no standard definition of “influencers” or “finfluencers” – and the terms are often used interchangeably. Part of the challenge will be to unwind how the FSCA thinks about influencers versus finfluencers.
Generally, “influencers” refer to people sharing experiences about a wide range of products, including complex financial instruments, while “finfluencers” tend to have more targeted expertise.
Gibson noted the risks (such as unqualified advice, potential harm, and promotional bias) and the potential benefits (enhancing financial education and literacy) of influencer activity. The FSCA’s approach, for now, is to issue guidance and promote financial awareness rather than heavy-handed regulation, although the need for regulatory intervention – particularly where financial advice is involved – remains under consideration.
She emphasised that anyone who provides advice about a financial product comes within the FAIS framework, “and we need to think around how to make sure that the existing laws are applied in the right way”.
Responsible adoption of AI
Regarding artificial intelligence, Gibson said the FSCA conducted a survey of product providers to understand how AI was being used. It received about 2 500 responses.
The findings showed that banks are leading in AI investment and usage, focusing mainly on data analysis, internal process optimisation, sales, and marketing, while generative AI is starting to drive new sales and distribution channels. The main risks associated with AI are data privacy and protection, cyber security, insufficient expert talent, and the difficulty in explaining AI model outcomes.
Companies are expected to ensure robust governance – prioritising data quality, accuracy, representativeness, and clear accountability – for all AI use.
Although there is no specific AI law yet, Gibson said firms must always consider customer outcomes and risk management when deploying AI tools.
Gibson encouraged firms to ensure they have the right protections, the right risk management, and the right controls. “It can start at a very basic way, which is even having the conversation on an executive level in terms of what the risks are to consumers, what the risks are to your business, and seeing whether you’ve got the right controls in place.”
The FSCA will have to co-ordinate with the Information Regulator on standards for ethical, fair, and responsible AI. “That doesn’t necessarily mean standalone regulatory instruments – it can also be guidance.”
