The Financial Sector Conduct Authority has reached an “inflection point” in the rollout of its Omni risk return, as industry feedback prompts a reassessment of its design and implementation timelines.
Addressing delegates at the FSCA’s Industry Conference on 19 March, chief digital officer Phokeng Mogase said the regulator may need to adjust its approach – including delaying a planned pilot – as it considers how best to incorporate industry input into the return.
Mogase was among the members of a panel of FSCA officials who discussed recent regulatory developments, supervisory priorities, enforcement trends, and expectations for financial institutions in South Africa.
The Authority has completed key phases of its supervisory technology (SupTech) programme, Mogase said. The Integrated Regulatory Solution (IRS) – the FSCA’s SupTech – is intended to support a more data-centric, responsive, and forward-looking regulator.
The system is designed to:
- create a single, integrated view of each regulated entity,
- improve consistency across supervisory functions,
- improve visibility of the Authority’s internal processes,
- enhance the FSCA’s ability to monitor risks and respond more proactively.
The progress to date includes:
- completion of Phase 1, digitising regulatory returns; and
- completion of Phase 2, digitising the FSCA’s risk model.
The third and final phase is to automate the regulatory processes.
At the centre of this framework is the Omni risk return, which will provide the data points required to operationalise the FSCA’s risk model.
The FSCA engaged with the industry on the draft Omni risk return at the end of last year, and the Authority planned to proceed to a pilot phase in 2026 with selected firms, including training on and testing the system.
However, the feedback received from the industry has prompted a reassessment.
“What we’re finding right now is that we may need to look into what the comments are saying, looking at what changes that we may need to make before we move along. So, there is a high possibility that these timelines may change, but the regulatory engagements on the returns themselves will continue throughout the year,” Mogase said.
“What we’re finding is that we are at an inflection point. We really want to derive value out of that engagement [with the industry]. Is it ideal for us to still go ahead with the pilot right now, or would it be better for us to rather engage deeper with the feedback […] and incorporate some of the credible ones that may have an impact on the system early and then come back and do the pilot? So, we’re making calls on that one. From where I stand, we may have to shift the pilot a little bit backwards.”
One of the issues that has emerged from engagements with the industry is an entity’s ability to provide the data required for the FSCA’s risk model – and how long it will take for an entity to obtain that data.
“That feedback […] is quite crucial to whether we move forward with the risk model as it is, or whether we enhance it, or reduce certain things, so it’s an inflection point.”
Therefore, Mogase said firms should not expect the pilot to take place in June or July, as was previously indicated. “I would much rather have the organisation just focus on those comments, and then we look at the impact of it from a timeline point of view, which we will also share with you.”
Cyber resilience and administrator conduct standard
Zareena Camroodien, the head of the retirement supervision department, highlighted two recent regulatory developments requiring attention.
The first is the Joint Standard on Cybersecurity and Cyber Resilience (Joint Standard 2 of 2024), which had a compliance deadline of 1 June 2025. According to Camroodien, adoption has been uneven, with some entities lagging and others misunderstanding how proportionality should be applied.
“It’s very important to know that just because you are a small administrator or fund it doesn’t mean that […] this conduct standard doesn’t apply to you.”
The second is Conduct Standard 2 of 2025, which imposes new compliance obligations on benefit administrators relating to complaints management, data quality, and governance. Although certain provisions are subject to a transition period, administrators are expected to be ready by August 2026.
“Get all of that in place so that by the time we do our engagements, by the time we do our on-site inspections, you are not found wanting,” she said.
Retirement funds: arrear contributions and watchlists
Camroodien said the FSCA continues to identify areas of concern within the retirement fund sector.
One issue is the non-completion of the mandatory Trustee Training Toolkit, with approximately 300 trustees still outstanding. The FSCA has begun taking enforcement action, issuing about 100 removal letters, with more to follow. Although only about 4.5% of trustees have not completed the Toolkit, Camroodien said the Authority wants 100% compliance.
Arrear contributions remain another significant concern, with direct implications for member outcomes. The FSCA is intensifying its engagements with the Directorate for Priority Crime Investigation, the National Prosecuting Authority, the Auditor-General, and the National Economic Development and Labour Council to try to address the problem.
Camroodien said the FSCA will be monitoring more closely what boards of trustees are doing to deal with arrear contributions.
To support earlier intervention, the FSCA has introduced a watchlist of funds presenting heightened regulatory and conduct risks. These include funds with:
- outstanding statutory returns or valuations,
- arrear or unallocated contributions,
- governance failures,
- unclaimed benefits, and
- high levels of complaints to the Pension Funds Adjudicator.
Funds on the watchlist are subject to more intensive and intrusive supervision. The FSCA will establish a similar watchlist for administrators in the 2026/27 financial year.
Looking ahead, Camroodien said the industry can expect:
- Closer co-ordination between the FSCA’s conduct and prudential supervision departments.
- An increased focus on costs and value for money, including the publication of cost data.
- Continued monitoring of the impact of the two-pot retirement system on member outcomes.
Governance and culture under closer scrutiny
Chwatiya Mtebele, who heads the investment providers department, said the FSCA’s supervisory focus is increasingly extending to digital operational resilience.
The FSCA is building supervisory capability to assess firms’ compliance with the cyber resilience joint standard. This includes developing internal capacity and co-ordinating with the Prudential Authority, because the standard will be supervised jointly.
“As we engage with institutions, [we are] understanding whether they are ready for the standard […] and some of the risks that come with the standard,” she said.
Mtebele also highlighted the rapid adoption of artificial intelligence across financial institutions, noting its use in areas such as data analytics, investment decision-making, and customer engagement.
From a supervisory perspective, the FSCA’s focus is on how AI is applied across the value chain, and in particular the role of governance structures in overseeing its use and the impact on customers.
Mtebele said governance and organisational culture are becoming central to the FSCA’s supervisory approach.
The FSCA has identified gaps in how boards and senior management understand and oversee business activities, as well as how effectively customer-focused outcomes are embedded.
Mtebele indicated that the FSCA is seeking to move beyond a “tick-box” approach to governance and culture, with greater emphasis on how these are embedded in practice.
Future supervisory work will focus on:
- assessing culture across financial institutions,
- improving consistency in supervisory approaches across sectors, and
- supporting a more harmonised framework under the Conduct of Financial Institutions (COFI) Bill.
She also pointed to the increasing intersection between cyber resilience, AI adoption and operational risk, with particular attention to the impact on customers.
Main reasons for FICA-related sanctions
Charl Geel, who heads the FICA supervision department, said all 12 of the AML/CFT-related sanctions issued or being issued by the FSCA involve deficiencies in Risk Management and Compliance Programmes (RMCPs). These include:
- failure to implement an RMCP,
- inadequate execution of existing RMCPs, and
- failure to meet all the requirements in section 42 of the Financial Intelligence Centre Act.
In addition, he said:
- 67% of sanctions involved customer due diligence failures, particularly relating to beneficial ownership identification and verification.
- 50% of sanctions were imposed because of a governance failure. “We expect the board, the senior management, to take control of the anti-money laundering and terrorist-financing controls within the institution, and that’s not happening.”
- 50% involved failures to screen against the Targeted Financial Sanctions lists.
Lessons from grey listing
Geel said three important lessons have emerged from South Africa’s grey listing experience:
First, the need to understand money laundering and terrorist financing risks – this is foundational and must occur at a national and a sectoral level. “You, as our financial sector, need to understand your own business risks so that you can mitigate those risks.”
Second, the AML/CFT system is only as strong as its weakest link. Accountable institutions can perform customer due diligence and do reporting. The FSCA can supervise. But if law enforcement fails, the system fails. Likewise, if law enforcement does its part but accountable institutions and supervisory bodies do not, the system fails.
Third, there is a need for better co-operation and collaboration between the FSCA and accountable institutions. The Authority wants to understand the risks identified by institutions and ascertain the proactive steps it can take before conducting an inspection.
Supervision focus sharpens on online trading
Phumela Mabuza, the head of the enforcement department, said a key priority is the online trading environment, particularly platforms offering products such as contracts for difference (CFDs) and foreign exchange instruments.
Mabuza said her team currently has more than 10 active investigations in this area.
The FSCA has observed that platforms prioritise providing access to complex, high-risk products without taking responsibility for protecting consumers.
The main concerns include:
- aggressive and pervasive marketing, including via social media;
- the use of AI and deepfake technology in promotions;
- inadequate suitability assessments;
- conflicts of interest, where platforms act as counterparties; and
- the use of offshore structures with limited regulatory oversight.
The FSCA has also raised concerns about copy trading and mirror trading models, where trades or strategies are replicated automatically.
Mabuza said her department has adopted a more proactive and targeted enforcement approach, focusing on the areas of greatest consumer harm.
To support its approach, the department has:
- Appointed a company to monitor social media. “Every week, we get reports as to what is happening on those social platforms, so we don’t wait for complaints.”
- Developed closer collaboration with the Authority’s supervision departments.
- Introduced the Regulatory Actions Report, to hold the FSCA accountable to the industry and other stakeholders.
- Focused its investigations on activities that cause the most harm to financial customers.
- Increased the number of warnings posted on the International Securities & Commodities Alerts Network (I-SCAN), hosted by the International Organization of Securities Commissions. I-SCAN enables investors and stakeholders to identify firms or potential investments that have been reported as unlicensed or as a scam in their country or elsewhere in the world.
More intrusive, co-ordinated supervision ahead
Across all areas, FSCA officials on the panel signalled a shift towards:
- earlier intervention,
- greater reliance on data and technology, and
- closer co-ordination across supervisory functions.
Firms can expect more intensive engagement, including joint supervisory activities, deeper scrutiny of governance and risk management, and a stronger focus on customer outcomes.
