by Hilah Laskov, Director

Introduction

In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill – a major financial sector regulatory reform – one theme at a time.

COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.

The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.

COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.

National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adop­ted by Cab­inet for sub­mis­sion to Par­lia­ment.

Licensing: Part 2

In our previous article in this series, we looked at the Purpose and Application of COFI. In this article, we look at the licencing framework under COFI.

COFI introduces a unified market conduct licensing regime, replacing the fragmented system of industry-specific authorisations with a single licence issued by the FSCA. This licence is activity-based, marking a fundamental shift from the current model in which financial institutions are licensed according to their institutional form (for example, as banks or insurers). In other words, under COFI, it is not what you are, but what you do that counts.

Under COFI, licensing will be aligned to the specific activities performed by an institution. A single financial institution may hold one FSCA licence with multiple activity authorisations, reflecting the reality that many institutions operate across different product lines and services.

The framework adopts a three-tiered approach to licensing: (a) the financial activity being performed; (b) the financial product/s to which that activity relates; and (c) the category of customer to whom the product or service is provided.

This structure is intended to enable more granular and risk-based regulation, but it will also require firms to undertake careful analysis of how their business models are categorised under COFI.

Transition to the new regime

Financial institutions currently licensed under existing sectoral laws will transition into the COFI regime through a mapping process, in which their existing permissions are aligned to the new activity-based framework. This transition is expected to take place over a staggered period. This approach is broadly consistent with the implementation of the Insurance Act, 2017.

New entrants, however, will be required to apply directly under the COFI framework once it comes into force.

Notwithstanding the conceptual clarity of the activity-based model, practical concerns have been raised: the transition to COFI will involve a large-scale relicensing exercise, potentially affecting thousands of institutions. This raises concerns about regulatory capacity, implementation timelines and the operational burden on firms required to reassess and map their activities.

Dual licensing under Twin Peaks

In line with the Twin Peaks regulatory model, under which institutions are subject to both market conduct and prudential regulation, certain institutions will continue to require authorisation from both the FSCA and the PA, depending on the nature of their activities.

Outsourcing

 COFI recognises that financial institutions frequently outsource certain activities and contemplates a differentiated approach:

• in some cases, outsourced service providers may be required to hold their own licences;
• in others, the licensed financial institution will remain fully responsible for the outsourced activity, even where the service provider is not licensed.

The FSCA will be able to set conduct standards for outsourced activities and to take enforcement action against service providers where appropriate. This reflects a broader regulatory focus on functional accountability, rather than formal legal structure.

There remains ongoing uncertainty regarding the treatment of juristic representatives. The activity-based framework appears, in some contexts (notably, discretionary investment management), to require entities currently operating as juristic representatives to obtain their own licences. However, the position is less clear in relation to other activities, such as the provision of financial advice. This lack of clarity has significant implications for business models across the financial services sector and will require further guidance in the legislative process.

Practical implications

What is clear is that COFI will require a fundamental reassessment of licensing across the financial sector. Both currently regulated and previously unregulated entities may fall within scope.

In anticipation of COFI’s implementation, financial institutions should begin:

• mapping their activities against the proposed licensing categories;
• assessing whether any group entities or service providers may require separate licences; and
• reviewing governance and operational structures to align with an activity-based regulatory framework.

Early preparation will be critical to managing the transition to COFI’s new licensing regime.