<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Archives - Werksmans Attorneys</title>
	<atom:link href="https://werksmans.com/tag/regulatory/feed/" rel="self" type="application/rss+xml" />
	<link>https://werksmans.com/tag/regulatory/</link>
	<description>Corporate and Commercial Law Firm</description>
	<lastBuildDate>Fri, 03 Jul 2026 14:31:44 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://werksmans.com/wp-content/uploads/2025/04/cropped-WERKSMANS-W-scaled-1-32x32.bmp</url>
	<title>Regulatory Archives - Werksmans Attorneys</title>
	<link>https://werksmans.com/tag/regulatory/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Mind the Conduct: A Guide to COFI – Part 6: COFI &#8211; What Really Changes?</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-6-cofi-what-really-changes/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-6-cofi-what-really-changes/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Tue, 30 Jun 2026 10:30:40 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=26016</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill – a major financial sector regulatory reform – one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-6-cofi-what-really-changes/">Mind the Conduct: A Guide to COFI – Part 6: COFI &#8211; What Really Changes?</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p><strong>Introduction</strong></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill – a major financial sector regulatory reform – one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adop­ted by Cab­inet for sub­mis­sion to Par­lia­ment.</p>
<p><strong>COFI &#8211; What Really Changes?: Part 6</strong></p>
<p>In our previous articles, we examined the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/" target="_blank" rel="noopener">Purpose and Application of COFI</a>, the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/" target="_blank" rel="noopener">Licensing Framework,</a> <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/" target="_blank" rel="noopener">Consumer Protection and Transparency</a>, the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/" target="_blank" rel="noopener">Principles and Conduct Requirements</a> and the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-5-governance-and-accountability/" target="_blank" rel="noopener">Governance and Accountability</a> under COFI. In this article, we look at COFI versus the current regime, with a focus on FAIS, and consider what the shift to COFI will mean in practice. That is, what really changes?</p>
<p><strong>From sectoral to unified, activity-based regulation and licencing</strong></p>
<p>The current regime is not governed by a single statute, but rather by a combination of laws, including FAIS, the Long-term and Short-term Insurance Acts, the Collective Investment Schemes Control Act (“CISCA”) and elements of the FSRA. While these frameworks have developed over time, they have resulted in a fragmented and sector specific approach to conduct regulation in the sense that under the current framework, financial institutions are regulated based on their legal form and sector. Different rules apply to financial advisors and managers, insurers, collective investment scheme administrators and other market participants, often resulting in overlapping or inconsistent requirements.</p>
<p>COFI introduces a single conduct framework that applies across the financial sector. Rather than regulating specific categories of institutions, COFI regulates financial activities, regardless of who performs them. This also means that entities that previously have fallen outside specific sectoral regimes are now to be brought within the regulatory net owing to the activities they perform (for example, “corporate advisory services”).</p>
<p>This shift permeates into the licencing framework. Under the current regime, licensing is largely entity based and sector-specific. Financial advisors and investment managers are licensed as FSPs under FAIS, insurers are licensed as such under insurance legislation, collective investment scheme managers are authorised under CISCA and so on. This means that one entity may require multiple licences in terms of multiple legislation.</p>
<p>In line with international trends, COFI replaces this with an activity-based licensing model, under which a financial institution holds a single licence with multiple activity authorisations linked to the activity/ies performed, the financial product involved and the category of customer served.</p>
<p>In short, <em>it is not what you are, but what you do that counts</em>.</p>
<p><strong>From indirect to direct accountability</strong></p>
<p>A defining feature of the current framework, particularly under FAIS, is its reliance on the concept of representatives, including both natural persons and juristic representatives, who act under the licence of an FSP.</p>
<p>COFI represents a shift towards increased accountability. This is seen by increasing transparency requirements through imposing greater disclosure requirements (such as, in some cases, making financial statements available to the public) but also in shifting the focus away from representatives and towards the person who actually performs the regulated activity.</p>
<p>This has potentially significant implications: First, certain entities that currently operate as juristic representatives may be required to obtain their own licences, particularly in areas such as discretionary investment management. Second, the continued role of juristic representatives in other contexts, such as the provision of financial advice, remains uncertain under the current draft, including in light of transitional provisions.</p>
<p>This represents a move towards increased accountability as well as direct accountability at the level at which the activity is performed, rather than reliance on layered licensing structures.</p>
<p>Ultimately, COFI signals a shift towards a regulatory regime in which <em>it is not only what you do that counts, but how you behave while doing it.</em></p>
<p><strong>From rules-based to outcomes-based conduct</strong></p>
<p>The current regulatory framework is largely rules-based, supported by detailed subordinate legislation, codes of conduct and sector-specific requirements. Compliance is often demonstrated through adherence to prescribed rules and processes.</p>
<p>COFI introduces a principles- and outcomes-based framework, centred on the delivery of fair customer outcomes. Financial institutions must consider whether conduct has resulted in appropriate outcomes for customers. While this allows for greater flexibility, it also introduces interpretive uncertainty, particularly in the absence of detailed conduct standards at the outset.</p>
<p><em>It is not only what you do and how you behave while doing it, but also how it lands with consumers that counts.</em></p>
<p><strong>From protective rules to increased governance and culture expectations</strong></p>
<p>Under the current framework, governance requirements vary across sectors and are often indirect or embedded within broader prudential or operational requirements.</p>
<p>COFI places greater emphasis on governance, conduct culture and accountability. COFI requires that the governing body takes responsibility for conduct, institutions embed a conduct-oriented culture and that senior management actively oversees conduct risk.</p>
<p>This elevates conduct from a compliance issue “managed” by a compliance team to a core governance function across all financial institutions for which leadership is responsible. Conduct consideration is expected to be an integral part of the culture of every financial institution.</p>
<p><em>It is not only what a financial institution does that counts, but what its leadership does and what its culture is.</em></p>
<p><strong>From reactive to proactive enforcement</strong></p>
<p>Under the current regime, supervision is often focused on compliance with sector-specific rules and licensing conditions, with different regulators historically overseeing different parts of the market.</p>
<p>COFI empowers the FSCA to adopt a more proactive and judgement-based supervisory approach. The FSCA is empowered to issue binding conduct standards and monitor customer outcomes. Notably, the FSCA is empowered to intervene where there is a risk of harm, even in the absence of clear rule breaches.</p>
<p>This represents a shift towards more intrusive and risk-based (as opposed to breach-based) supervision.</p>
<p><strong>What does this mean for financial institutions?</strong></p>
<p>The existing legislative framework will not fall away immediately upon the introduction of COFI. Instead, there will be a phased transition, during which existing licences and authorisations will remain valid and institutions will be migrated to the COFI licensing framework over time.</p>
<p>Financial institutions should begin to align their businesses with the new regulatory philosophy encompassed by COFI.</p>
<p>In anticipation of COFI’s implementation, financial institutions should begin &#8211;</p>
<ul>
<li>mapping their activities against the proposed licensing categories;</li>
<li>assessing whether any group entities or service providers may require separate licences;</li>
<li>reviewing governance and operational structures to align with an activity-based regulatory framework;</li>
<li>reviewing their financial reporting and audit processes and considering the potentially public positioning of their financial information;</li>
<li>reviewing their product governance frameworks, assessing how customer outcomes are currently measured and monitored, strengthening conduct risk management processes and embedding conduct considerations into decision-making at all levels of the organisation;</li>
<li>clarifying the roles and responsibilities of boards and senior management; and</li>
<li>strengthening conduct risk governance frameworks, reviewing remuneration and incentive structures and ensuring that appropriate management information is available to monitor customer outcomes.</li>
</ul>
<p>Early engagement and preparation will be key to navigating the transition to COFI.</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-6-cofi-what-really-changes/">Mind the Conduct: A Guide to COFI – Part 6: COFI &#8211; What Really Changes?</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-6-cofi-what-really-changes/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI – Part 5: Governance and Accountability</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-5-governance-and-accountability/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-5-governance-and-accountability/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Thu, 25 Jun 2026 10:21:25 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=26013</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill – a major financial sector regulatory reform – one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-5-governance-and-accountability/">Mind the Conduct: A Guide to COFI – Part 5: Governance and Accountability</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p><strong>Introduction</strong></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill – a major financial sector regulatory reform – one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adop­ted by Cab­inet for sub­mis­sion to Par­lia­ment.</p>
<p><strong>Governance and Accountability: Part 5</strong></p>
<p>In our previous articles, we examined the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Purpose and Application of COFI</a>, the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/">Licensing Framework,</a> <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/">Consumer Protection and Transparency</a> and the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/">Principles and Conduct Requirements</a> under COFI. In this article, we consider COFI’s approach to governance and accountability and the extent to which COFI seeks to influence not only what financial institutions do, but how they are run.</p>
<p><strong>Conduct as a governance issue</strong><br />
A defining feature of COFI is that it elevates market conduct from a compliance function to a governance responsibility.</p>
<p>Under the current regime, conduct risk is often managed within legal or compliance teams. COFI, however, makes it clear that responsibility for delivering fair customer outcomes rests with the leadership of the institution itself.</p>
<p>This reflects a broader international regulatory trend: poor conduct is increasingly seen not as a failure of rules, but as a failure of governance, oversight and culture.</p>
<p><strong>The role of the “governing body”</strong></p>
<p>COFI places primary responsibility for conduct on an institution’s “governing body”. The governing body is expected to ensure that the institution conducts its business in a manner that delivers fair customer outcomes, oversee the effectiveness of conduct risk management frameworks and embed appropriate policies, processes and controls across the organisation.</p>
<p>This represents a shift from oversight of compliance to active accountability for conduct outcomes.</p>
<p><strong>Conduct culture</strong></p>
<p>COFI introduces a focus on “conduct culture”, being the values, behaviours and incentives that shape how an institution interacts with its customers. Financial institutions will be expected to demonstrate that their culture supports fair treatment of customers, responsible product design and distribution and ethical decision-making at all levels of the organisation.</p>
<p>This will impact expectations pervasively. For example, remuneration structures will need to be reevaluated to ensure that they do not incentivise poor customer outcomes.</p>
<p><strong>Senior management accountability</strong></p>
<p>While COFI does not introduce a formal individual accountability regime equivalent to those seen in some international jurisdictions (such as the United Kingdom’s Senior Managers and Certification Regime), it nonetheless places heightened expectations on senior management.</p>
<p>In practice, this is likely to lead to a more structured allocation of responsibilities within institutions, even if not formally prescribed in the legislation.</p>
<p><strong>Key challenges</strong></p>
<p>While the governance framework under COFI is conceptually aligned with international best practice, it<br />
raises several practical and conceptual challenges.</p>
<p>Concepts such as “conduct culture” and “fair outcomes” are inherently difficult to define, much less measure and evidence. These concepts require institutions to make qualitative judgments about behaviours and outcomes. The reliance on broad, principles-based obligations introduces interpretive uncertainty, (particularly, before any conduct standards are issued &#8211; see our article: <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/">Principles and Conduct Requirements</a>). In addition, it is unclear how the FSCA and PA will distinguish between genuine conduct failures and reasonable differences in business judgment. This begs the question: Will the emphasis on governing bodies, senior management and conduct culture lead to better customer outcomes on the ground? Without clear guidance on quantifiable outcomes and how they should be assessed and evidenced, there is a possibility that institutions will prioritise regulatory defensibility over substance.</p>
<p>Smaller institutions may face disproportionate challenges in implementing governance frameworks that are sufficiently robust to meet regulatory expectations. Concepts such as a “governing body”, formal conduct risk frameworks and sophisticated monitoring systems may not align neatly with the structures of smaller firms (see our comments about proportionality in our previous article: <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Purpose and Application</a>). This, in turn, may serve as a disincentive for market entrants, scuppering objectives of inclusivity in the financial services sector.</p>
<p><strong>Practical implications</strong></p>
<p>COFI’s governance requirements will require financial institutions to reassess not only their policies and procedures, but also their decision-making structures and organisational culture.</p>
<p>In preparation, institutions should consider &#8211;</p>
<ul>
<li>clarifying the roles and responsibilities of boards and senior management;</li>
<li>strengthening conduct risk governance frameworks;</li>
<li>reviewing remuneration and incentive structures; and</li>
<li>ensuring that appropriate management information is available to monitor customer outcomes.</li>
</ul>
<p>COFI represents a ramping up in accountability. <em>It is not only what a financial institution does that counts, but what its leadership does and what its culture is.</em></p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-5-governance-and-accountability/">Mind the Conduct: A Guide to COFI – Part 5: Governance and Accountability</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-5-governance-and-accountability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>When a misdirected email becomes a data breach: The Information Regulator issues an enforcement notice on internal and accidental security compromises</title>
		<link>https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/</link>
					<comments>https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/#respond</comments>
		
		<dc:creator><![CDATA[Armand Swart]]></dc:creator>
		<pubDate>Thu, 18 Jun 2026 11:50:00 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25944</guid>

					<description><![CDATA[<p>by Armand Swart, Director, Hlonelwa Lutuli, Associate and Isabella Keeves, Candidate Attorney On 22 May 2026, South Africa’s Information Regulator served an enforcement notice on the Central Johannesburg TVET College after employees’ personal credential verification reports were accidentally emailed to unauthorised staff. The enforcement notice sets a significant precedent: even accidental, purely internal disclosures of  [...]</p>
<p>The post <a href="https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/">When a misdirected email becomes a data breach: The Information Regulator issues an enforcement notice on internal and accidental security compromises</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Armand Swart, Director, Hlonelwa Lutuli, Associate and Isabella Keeves, Candidate Attorney</em></p>
<p>On 22 May 2026, South Africa’s Information Regulator served an enforcement notice on the Central Johannesburg TVET College after employees’ personal credential verification reports were accidentally emailed to unauthorised staff. The enforcement notice sets a significant precedent: even accidental, purely internal disclosures of personal information to unauthorised parties constitute a &#8220;security compromise&#8221; under the Protection of Personal Information Act 4 of 2013 (&#8220;<strong>POPIA</strong>&#8220;), triggering formal breach notification obligations. This article examines the enforcement notice, analyses its implications under POPIA, compares the position to the GDPR, and offers practical guidance for businesses.</p>
<p><strong>Background </strong></p>
<p>The Central Johannesburg TVET College (the &#8220;<strong>College</strong>&#8220;) had been placed under administration to address governance failures, including undisclosed criminal records and conflicts of interest among staff. As part of this process, employees&#8217; personal information was collected to verify their academic qualifications and criminal records. This was done by a service provider preparing Personal Credential Verification Reports (&#8220;<strong>Verification Reports</strong>&#8220;). The Acting Chief Financial Officer erroneously included the complainants’ Verification Reports in a folder of finance policies, which was then emailed to unauthorised employees.</p>
<p>The email was recalled and a follow-up was sent alerting staff to the error. An investigation was launched and corrective action was taken against staff who forwarded the document.</p>
<p>The Information Regulator (the “<strong>Regulator</strong>”) identified three categories of POPIA violation. First, the College had failed to register an information officer or designate deputy information officers, breaching POPIA&#8217;s accountability condition (section 8). Second, distribution of the Verification Reports to staff uninvolved in the governance restoration exercise constituted further processing incompatible with the original collection purpose (section 15). Third, the College’s failure to maintain separate files for Verification Reports and finance policies, coupled with its failure to register an information officer, evidenced an absence of organisational controls to prevent unlawful access or processing (section 19). The Regulator found that the accidental internal disclosure triggered POPIA&#8217;s security compromise notification obligations under section 22, which the College had failed to discharge.</p>
<p>The Regulator directed the College to: (i) register an information officer and deputy information officers; (ii) formally notify the Regulator and affected data subjects of the compromise; (iii) issue a written apology to the complainants, to be circulated to all staff; (iv) take disciplinary action against the responsible employee; (v) develop and submit a POPIA Compliance Framework; and (vi) conduct staff awareness and training programmes. Failure to comply with an enforcement notice is a criminal offence punishable by a fine of up to R10 million, imprisonment of up to ten years, or both (section 103).</p>
<p><strong>Accidental and Internal Breaches are Security Compromises</strong></p>
<p>The most significant aspect of this enforcement notice is the Regulator&#8217;s confirmation that both accidental breaches and internal disclosures fall within the meaning of a &#8220;security compromise&#8221; for POPIA purposes. Section 22(1) requires a responsible party to notify the Regulator and affected data subjects &#8220;where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person&#8221;. The provision does not distinguish between external attackers and internal employees, nor between deliberate and inadvertent disclosures. Any access by a person not authorised to receive the information is sufficient to trigger the obligation.</p>
<p>In the College’s case, the breach was entirely accidental: an employee attached the wrong file to an email, and the recipients were internal staff members, not external third parties. Nevertheless, the Regulator held that this constituted a security compromise triggering POPIA&#8217;s notification obligations in full. The College had attempted to mitigate the error by recalling the email, launching an investigation, and alerting employees that the information was not for staff use. However, the Regulator held that these good-faith remedial steps did not absolve the College of its statutory duty to formally notify the Regulator and affected data subjects. The message is clear: informal internal remediation, however swift, is no substitute for formal compliance with POPIA&#8217;s security compromise notification requirements.</p>
<p>This interpretation is grounded in the broad language of section 19(1), which requires responsible parties to take &#8220;appropriate, reasonable technical and organisational measures&#8221; to prevent, among other things, &#8220;unlawful access to or processing of personal information&#8221;. Read together with section 22, the statutory framework imposes a duty to safeguard personal information against all forms of unauthorised access, whether originating externally or internally, and whether intentional or accidental.</p>
<p><strong>Key Takeaways for Businesses</strong></p>
<p>Organisations must implement robust security measures to protect against both internal and external breaches. This requires both: (i) technological measures, such as access controls and data loss prevention technology; and (ii) organisational measures, such as policies, clear processes, and employee training. As the College’s case demonstrates, something as simple as storing personal information in a separate, access-controlled folder could have prevented the breach entirely.</p>
<p>Businesses should implement appropriate access controls to limit internal exposure to personal information. Personal information should be accessible only to those who require it for the specific purpose for which it was collected. Role-based access controls, file segregation, and clear protocols for handling sensitive documents are essential.</p>
<p>Every organisation should develop and maintain a comprehensive data breach response plan. The College’s experience illustrates that good-faith remedial steps &#8211; such as recalling an email and investigating internally &#8211; do not satisfy statutory breach notification obligations. A proper response plan should include: clear procedures for identifying and escalating potential security compromises; templates for notification to the Regulator and affected data subjects; designated personnel responsible for managing the response; and defined timelines to ensure notification is made &#8220;as soon as reasonably possible&#8221; as required by POPIA.</p>
<p>Most importantly, businesses must recognise the obligation to report all breaches to both the Regulator and affected data subjects. Unlike the GDPR, POPIA contains no materiality threshold. Every security compromise, no matter how minor, must be formally notified. Organisations should ensure that staff at all levels understand this obligation and that internal reporting channels are in place to escalate potential breaches promptly to those responsible for regulatory notification.</p>
<p><strong>Conclusion </strong></p>
<p>Although other jurisdictions, such as the EU and UK, also require reporting of internal and accidental breaches, they apply a materiality threshold and only high-risk breaches have to be reported. POPIA contains no such exception. The practical consequence is that private and public bodies under POPIA must report every security compromise, however minor, even a misdirected internal email. This places a considerable administrative burden on responsible parties, and it stretches the Regulator&#8217;s finite resources. In the absence of a materiality threshold, there is a real risk that regulatory attention is diverted from serious incidents to trivial ones. Until the legislature revisits this position, however, organisations must comply with the law as it stands.</p>
<p>Responsible parties must treat their data security obligations with the seriousness they demand or face the risk of a simple mistake inviting the full scrutiny of the Regulator, as was unfortunately the case for the College.</p>
<p>The post <a href="https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/">When a misdirected email becomes a data breach: The Information Regulator issues an enforcement notice on internal and accidental security compromises</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Renting out your home? The Consumer Protection Act does not apply to you says Supreme Court of Appeal</title>
		<link>https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/</link>
					<comments>https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/#respond</comments>
		
		<dc:creator><![CDATA[Armand Swart]]></dc:creator>
		<pubDate>Thu, 18 Jun 2026 11:39:45 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25975</guid>

					<description><![CDATA[<p>by Armand Swart, Director In the judgment of Els v Venter and Another (449/2024) [2025] ZASCA 163 (27 October 2025), the Supreme Court of Appeal ("SCA") clarified the application of the Consumer Protection Act No 68 of 2008 ("CPA") to residential leases. In this article we discuss the judgment and our key takeaways. Background After  [...]</p>
<p>The post <a href="https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/">Renting out your home? The Consumer Protection Act does not apply to you says Supreme Court of Appeal</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Armand Swart, Director</em></p>
<p>In the judgment of <em>Els v Venter and Another </em>(449/2024) [2025] ZASCA 163 (27 October 2025), the Supreme Court of Appeal (&#8220;<strong>SCA</strong>&#8220;) clarified the application of the Consumer Protection Act No 68 of 2008 (&#8220;<strong>CPA</strong>&#8220;) to residential leases. In this article we discuss the judgment and our key takeaways.</p>
<p><strong>Background </strong></p>
<p>After emigrating to Australia, the respondents, Mr and Mrs Venter (the &#8220;<strong>Venters</strong>&#8220;), leased their Stellenbosch property at De Zalze Winelands Golf Estate, to the appellant, Mr Els, for a period of three years ending on 31 December 2023 (the &#8220;<strong>first lease</strong>&#8220;). After the first lease expired, the parties concluded a second lease agreement (the &#8220;<strong>second lease</strong>&#8220;) on 4 August 2023 for a further three-year period, commencing on 1 January 2024. The second lease permitted the Venters to terminate the agreement by providing three months&#8217; written notice.</p>
<p>The property was subsequently sold on 19 December 2023, and the Venters issued a termination notice on 21 December 2023 requiring Mr Els to vacate the property by 31 March 2024. Mr Els challenged the termination on the basis that the second lease constituted a fixed-term agreement under the CPA, which could only be terminated by the Venters in the event of his material failure to comply with the lease agreement.</p>
<p>The parties failed to resolve the dispute, and the Venters launched an urgent application in the Cape Town High Court, seeking an order that the second lease was validly terminated and that Mr Els must vacate the property. The High Court agreed with the Venters that the CPA did not apply and ordered Mr Els to vacate by 31 March 2024. Mr Els subsequently took the matter on appeal to the SCA.</p>
<p><strong>Key CPA Terms and Concepts</strong></p>
<p>Before addressing its substantive reasoning, the court considered several key terms and concepts under the CPA. The CPA applies to every &#8220;<em>transaction</em>&#8221; occurring in South Africa, unless specifically excluded. A &#8220;<em>transaction</em>&#8221; is defined as a &#8220;<em>person acting in the ordinary course of business</em>&#8220;, as including, amongst others, (i) an agreement for the supply or potential supply of any goods or services in exchange for consideration, or (ii) the performance of services for or at the direction of a consumer for consideration.</p>
<p>&#8220;<em>Service</em>&#8221; is in turn defined as including, amongst others, access to or use of any premises or property in terms of a &#8220;<em>rental</em>&#8220;; whereas a &#8220;<em>rental</em>&#8221; means an agreement for consideration in the ordinary course of business in terms of which temporary possession of any premises or property is delivered to the consumer; or the right to use any premises or property is granted to the consumer.</p>
<p>The CPA does not define &#8220;<em>ordinary course of business</em>&#8220;. It does however define &#8220;<em>business</em>&#8221; as &#8220;<em>the continual marketing of any goods or services</em>&#8221; and &#8220;<em>market</em>&#8221; as to &#8220;<em>promote or supply any goods or services</em>&#8220;.</p>
<p><strong>The Test for the CPA to Apply to a Residential second lease</strong></p>
<p>The SCA held that for the CPA to apply to a residential lease, two requirements must be satisfied. First, the lessor must be in the business of letting or hiring. Second, the lease must be within the lessor&#8217;s ordinary course of business, being their normal, routine, or day-to-day business activities, rather than a once-off transaction. Only if both requirements are met will a residential lease constitute a &#8220;rental&#8221; for CPA purposes, and only then will the lessee be a &#8220;<em>consumer</em>&#8220;, namely a person to whom &#8220;<em>services are marketed in the ordinary course of the supplier&#8217;s business</em>&#8220;.</p>
<p>Whether a lease is in the lessor&#8217;s ordinary course of business is an objective test that depends on the circumstances of each case.</p>
<p><strong>Application to the Facts</strong></p>
<p>The court held that the letting of the property was not in the course of the Venters&#8217; business or trade, let alone in the ordinary course of business. The Venters were not in the business of letting property for consideration: each of them was engaged in their own occupation, and they rented out their family home in South Africa after emigrating. The second lease was therefore an agreement between private individuals and not a commercial letting arrangement.</p>
<p>It followed that, for the purposes of the CPA, the Venters were not &#8220;<em>suppliers</em>&#8221; as they did not promote or supply any goods or services to consumers. Nor was Mr Els a &#8220;<em>consumer</em>&#8221; to whom services were marketed in the ordinary course of business.</p>
<p>The court further observed that the second lease was not a fixed-term agreement in terms of the CPA as it exceeded the maximum period of 24 months prescribed in Regulation 5(1) of the Consumer Protection Regulations (the second lease was for 36 months). This meant that Mr Els&#8217;s reliance on section 14(2)(b)(ii) of the CPA was misplaced. The section provides that a supplier may only cancel a fixed-term agreement after giving 20 business days’ written notice to the consumer of a material failure to comply with the agreement, and only if the consumer has not rectified the failure within that time. It should be noted, however, that this aspect of the SCA&#8217;s reasoning is questionable: if an agreement qualified as a fixed-term agreement but was for a period exceeding 24 months, the more logical conclusion would be that the supplier had contravened the CPA with regard to the length of the agreement, rather than that the agreement ceased to be a fixed-term agreement altogether.</p>
<p>The SCA also bolstered its interpretation by reference to the CPA&#8217;s underlying purpose, which it held was to protect the rights of historically disadvantaged persons who are vulnerable to exploitation. The court noted that Mr Els &#8211; the Chief Group Economist of Old Mutual &#8211; was not a vulnerable, low-income consumer. He had freely concluded the second lease on an equal bargaining footing with the Venters and was fully apprised of the circumstances, including that the second lease would be terminated once the property was sold.</p>
<p><strong>The PIE Issue</strong></p>
<p>Although the SCA dismissed Mr Els&#8217;s appeal in the main, it found that the High Court erred in ordering Mr Els to vacate the property by 31 March 2024. This order effectively amounted to an eviction order, which was incompetent because Mr Els was not yet an unlawful occupier under the Prevention of Illegal Eviction from and Unlawful Occupation of Land Act No 19 of 1998 (the &#8220;<strong>PIE Act</strong>&#8220;).</p>
<p>More fundamentally, the order cut across the powers conferred upon a court under section 4(7) of the PIE Act, which requires a court to consider whether it is just and equitable to grant an eviction, having regard to all relevant circumstances. The SCA accordingly set aside the High Court&#8217;s order in this regard.</p>
<p><strong>Conclusion and Key Takeaways</strong></p>
<p>Save for the setting aside of the High Court’s vacation order, Mr Els&#8217;s appeal was dismissed, with costs on the scale as between attorney and own client.</p>
<p>This judgment provides important clarity regarding the application of the CPA to residential leases. The CPA applies only to residential leases that are entered into in the ordinary course of the lessor&#8217;s business. Private individuals who let their own property on an occasional basis are unlikely to fall within the Act&#8217;s ambit.</p>
<p>Following an objective test, a court will consider not whether the transaction itself is ordinary, but whether it is carried out in the ordinary course of the supplier&#8217;s business. The SCA&#8217;s interpretation is both practical and sensible: a person in the business of letting property will be required to comply with the CPA (and ensure a lessee is provided with the protections contained in the Act); whereas someone renting out their home is unlikely to the CPA&#8217;s stringent obligations.</p>
<p>The SCA also relied on the CPA&#8217;s purpose to protect vulnerable and historically disadvantaged consumers and took into account Mr Els&#8217;s bargaining power when reaching its decision. We hope that the courts continue to take such a purposive and pragmatic approach to the interpretation of the CPA.</p>
<p>The post <a href="https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/">Renting out your home? The Consumer Protection Act does not apply to you says Supreme Court of Appeal</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI – Part 4: Principles and Conduct Requirements</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Wed, 17 Jun 2026 13:22:52 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25942</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill - a major financial sector regulatory reform - one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/">Mind the Conduct: A Guide to COFI – Part 4: Principles and Conduct Requirements</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p><strong>Introduction</strong></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill &#8211; a major financial sector regulatory reform &#8211; one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adop­ted by Cab­inet for sub­mis­sion to Par­lia­ment.</p>
<p><strong>Principles and Conduct Requirements: Part 4</strong></p>
<p>In our previous articles, we examined the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Purpose and Application of COFI</a>, the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/">Licensing Framework</a> and <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/">Consumer Protection and Transparency</a> under COFI. In this article, we consider the conduct requirements introduced by COFI, which form the core of the new market conduct regime.</p>
<p><strong>A shift to outcomes-based regulation</strong></p>
<p>COFI represents a decisive move away from detailed, rules-based regulation towards a principles-and outcomes-based framework. Rather than prescribing exhaustive requirements for each sector, COFI establishes overarching conduct principles that apply across all financial institutions.</p>
<p>At the centre of this framework is the expectation that financial institutions must deliver fair outcomes for financial customers. This reflects the long-standing “Treating Customers Fairly” (TCF) approach, embedded into primary legislation.</p>
<p>Financial institutions will be required not only to comply with specific rules, but to demonstrate that their business models, products and distribution practices consistently result in fair customer outcomes.</p>
<p>While the conduct framework under COFI is conceptually coherent, it raises a number of practical challenges. The concern most commonly raised is that the shift to an outcomes-based model introduces interpretive uncertainty. Unlike a rules-based framework, which provides prescriptive requirements and clearer compliance benchmarks, an outcomes-based approach requires financial institutions to exercise judgment in determining what constitutes “fair outcomes” in a wide range of contexts. This creates challenges in both designing compliant processes and evidencing compliance to the regulator. Institutions may struggle to assess whether their product design, distribution strategies, pricing models and customer communications meet the required standard, particularly where customer outcomes may vary across different segments.</p>
<p><strong>Conduct standards and regulatory flexibility</strong></p>
<p>A key feature of COFI is the expanded role of the FSCA in issuing conduct standards. These standards will provide more detailed, activity-specific requirements that sit beneath the primary legislation.</p>
<p>This approach allows the regulatory framework to evolve over time, enabling the FSCA to respond more quickly to emerging risks, new products and market developments without requiring legislative amendment.</p>
<p>However, this flexibility also introduces a degree of regulatory uncertainty, particularly in the early stages of implementation, as much of the practical detail will be contained in future conduct standards rather than in COFI. In addition, the lack of early guidance increases the risk of inconsistent interpretation across the industry, potentially leading to uneven application of the law and retrospective regulatory scrutiny once conduct standards and supervisory expectations become more clearly defined.</p>
<p><strong>Core conduct principles</strong></p>
<p>COFI introduces a set of high-level conduct principles that apply across the financial sector, including acting honestly, fairly, and with due skill, care and diligence; avoiding conflicts of interest; ensuring that customers are provided with clear, appropriate and timely information; and design and distribution of financial products in a manner that is appropriate for the target market. These principles are deliberately broad and are intended to apply across a wide range of business models and activities.</p>
<p><strong>Product life cycle </strong></p>
<p>COFI places significant emphasis on product governance and oversight. Financial institutions will be required to ensure that (a) products are designed with a clearly identified target market; (b) distribution strategies are aligned to that target market; and (c) products continue to perform as expected over their lifecycle.</p>
<p>This represents a shift from a disclosure-based regime to one that scrutinises the entire product lifecycle, from design through to post-sale monitoring.</p>
<p><strong>Conduct culture</strong></p>
<p>COFI is focused on conduct culture within institutions. Boards and senior management will be expected to take responsibility for embedding a culture that prioritises fair customer outcomes.</p>
<p>This reflects a broader regulatory trend towards holding senior individuals accountable for the conduct of the institutions they manage.</p>
<p><strong>Practical implications</strong></p>
<p>COFI’s conduct requirements will require financial institutions to move beyond a tick-box compliance approach and towards a more holistic, outcomes-focused model.</p>
<p>In preparation, institutions should consider reviewing their product governance frameworks, assessing how customer outcomes are currently measured and monitored, strengthening conduct risk management processes and embedding conduct considerations into decision-making at all levels of the organisation.</p>
<p>Ultimately, COFI signals a shift towards a regulatory regime in which <em>it is not only what you do that counts, but how you behave while doing it and how it lands with consumers.</em></p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/">Mind the Conduct: A Guide to COFI – Part 4: Principles and Conduct Requirements</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Leave to Appeal Refused, but Questions Remain: The Matric Results Privacy Dispute and the Meaning of Personal Information under POPIA</title>
		<link>https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/</link>
					<comments>https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/#respond</comments>
		
		<dc:creator><![CDATA[Armand Swart]]></dc:creator>
		<pubDate>Tue, 09 Jun 2026 12:30:34 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25909</guid>

					<description><![CDATA[<p>by: Armand Swart, Director and Isabella Keeves, Candidate Attorney On 3 June 2026, the Gauteng High Court refused the Information Regulator's application for leave to appeal to the Supreme Court of Appeal against the order of 12 December 2025, in which a full bench held that the Department of Basic Education may lawfully publish matric  [...]</p>
<p>The post <a href="https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/">Leave to Appeal Refused, but Questions Remain: The Matric Results Privacy Dispute and the Meaning of Personal Information under POPIA</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by: Armand Swart, Director and Isabella Keeves, Candidate Attorney</em></p>
<p>On 3 June 2026, the Gauteng High Court refused the Information Regulator&#8217;s application for leave to appeal to the Supreme Court of Appeal against the order of 12 December 2025, in which a full bench held that the Department of Basic Education may lawfully publish matric results using examination numbers. The court concluded that the Regulator has no reasonable prospects of success. The practical upshot: matric results will continue to be published in newspapers using examination numbers without names or surnames. However, many questions remain.</p>
<p>This article examines the decision and analyses what it means for the interpretation of &#8220;personal information&#8221; under the Protection of Personal Information Act 4 of 2013 (&#8220;<strong>POPIA</strong>&#8220;) and the Act&#8217;s application as a whole. Was the court’s refusal of leave a missed opportunity to secure authoritative guidance on questions of public importance?</p>
<p><strong>History of the Matter</strong></p>
<p>The dispute began when POPIA came fully into effect on 1 July 2021, prompting the Department to halt its long-standing practice of publishing matric results in newspapers. In January 2022, a matriculant, Ms Anle Spies, together with other parties, brought urgent proceedings against the Department. The Regulator was cited as a respondent. The matter was settled by a consent order, which the Regulator confirmed: results would be published using examination numbers only, without student names or surnames. Results have been published in this manner since then.</p>
<p>The Regulator subsequently conducted an own-initiative assessment, and in November 2024, it issued an enforcement notice ordering the Department to cease publication of the 2024 matric results in newspapers and obtain consent before any future publication. The Department did not comply. The Regulator then brought urgent enforcement proceedings, which were struck from the roll on 8 January 2025 for lack of urgency. On 12 December 2025, a full bench upheld the Department’s appeal, set aside both the enforcement and infringement notices, and ordered the Regulator to pay the costs of the appeal. The latest development is that the Regulator&#8217;s application for leave to appeal was refused on 3 June 2026.</p>
<p>In our view, it is unfortunate that leave was not granted. The underlying questions discussed below are of considerable significance.</p>
<p><strong>Arguments in the High Court</strong></p>
<p>In the High Court matter which resulted in the December 2025 judgment, the Department argued that examination numbers, published without names or surnames, do not relate to an &#8220;identifiable&#8221; person and therefore do not constitute &#8220;personal information&#8221; for purposes of POPIA. The Regulator, on the other hand, contended that because examination numbers are issued sequentially, a learner could memorise where their classmates sat and identify one another&#8217;s results by cross-referencing published numbers. Judge Mooki dismissed this as &#8220;fanciful&#8221;, akin to &#8220;a poorly constructed thought experiment&#8221; unsupported by empirical evidence.</p>
<p>The judgment turned on a single dispositive question: whether the manner of publication constitutes &#8220;personally identifiable information&#8221; for purposes of POPIA. The court answered in the negative, and it upheld the appeal against the enforcement notice on that basis, declining to address the remaining arguments of the parties.</p>
<p>In refusing the application for leave to appeal the December 2025 judgment, Judge Mooki stated: &#8220;I am not persuaded that the expression &#8216;personally identifiable information&#8217; offends against the POPIA, or that it constitutes legislation by a court,&#8221; adding that the expression &#8220;goes no further than a description of essential facts in the dispute between the parties&#8221;.</p>
<p><strong>Practical Implications of the Dismissal</strong></p>
<p>The December 2025 judgment establishes that information published in a form that does not permit the identification of a specific individual without more does not constitute &#8220;personal information&#8221; under POPIA.</p>
<p>The court’s reasoning invites comparison with the EU General Data Protection Regulation (&#8220;<strong>GDPR</strong>&#8220;) and the UK GDPR. Those frameworks draw a critical distinction between anonymisation (which requires that re-identification be irreversible and effectively impossible) and pseudonymisation (which merely replaces direct identifiers with codes whilst keeping information allowing re-identification separately). Crucially, pseudonymised data remains personal data under both regimes, subject to the full suite of data protection obligations. Examination numbers assigned to learners would, on a conventional European analysis, constitute pseudonymised data rather than anonymised data.</p>
<p>The High Court, by contrast, applied a narrower test, asking whether a person could, &#8220;without any particular diligence&#8221; and &#8220;without more&#8221;, identify a learner. Because the answer was no from the general public&#8217;s perspective, the court concluded that POPIA did not apply <em>at all</em>.</p>
<p><strong>Did the Court Get It Right?</strong></p>
<p>The court&#8217;s reasoning is defensible on its own terms: no learner had complained, and no harm had been demonstrated across the consecutive years of publication. The court specifically referred to no privacy infringement being demonstrated, and Judge Mooki stated that he considered all the other issues as &#8220;incidental&#8221;. This counted against the Regulator’s case.</p>
<p>That said, tensions remain. The court&#8217;s binary approach &#8211; data being either personally identifiable or not &#8211; did not engage with the intermediate category of pseudonymised data recognised under EU and UK frameworks. Additionally, the expression &#8220;personally identifiable information&#8221; is not a term used in POPIA itself. The Regulator&#8217;s Chairperson, Advocate Pansy Tlakula, has maintained that the examination numbers are &#8220;not de-identified&#8221; because they remain &#8220;linked to a student&#8221;, a position that carries considerable force under European norms.</p>
<p>If pseudonymous data is effectively excluded from POPIA’s protective ambit, the consequences for data subjects could be significant. Responsible parties would be able to process, disseminate, and share coded personal data without: a lawful basis (like consent); providing notice to data subjects; conducting impact assessments for high-risk processing; or responding to data subject access requests. In other words, a responsible party would not be required to comply with POPIA at all. This is simply because the recipients of the data cannot, without more, independently identify the individuals concerned. Data that remains personal in the responsible party&#8217;s hands would be treated as non-personal once disclosed to third parties. This appears to be in direct tension with POPIA, which excludes from the Act&#8217;s application <em>only</em> information &#8220;that has been de-identified to the extent that it cannot be re-identified again&#8221;, i.e. truly anonymous data, not pseudonymous data where re-identification remains possible (POPIA, section 6(1)(b)).</p>
<p>The court also declined to address whether a lawful basis for processing existed. Had it treated examination numbers as personal information, the question would have shifted to justification. A legitimate interests analysis, balancing the substantial public interest in educational transparency against the minimal privacy intrusion of publishing a learner&#8217;s examination number, could have still found that publication is proportionate and justified. The court could also have considered whether the Department&#8217;s constitutional mandate in relation to education, and its legislative obligations regarding the dissemination of examination results, supported a public law duty justifying the publication of results using examination numbers under POPIA (section 11(1)(e)).</p>
<p><strong>Conclusion</strong></p>
<p>In refusing leave, Judge Mooki stated: &#8220;I am also not persuaded that the application raises compelling reasons that warrant granting leave to appeal&#8221;. The Regulator raised legitimate questions about the interpretation of POPIA, and the primary concern now is that the High Court judgment results in an unjustified narrowing of the definition of personal information. Whether the Regulator chooses to petition the SCA directly remains to be seen. If it does, the SCA will have the opportunity to consider whether the High Court’s binary approach to what constitutes personal information is consistent with POPIA’s broader purposes, or whether a more nuanced assessment &#8211; one that acknowledges pseudonymised data as a recognised intermediate category &#8211; better serves the statute’s protective aims whilst accommodating justified processing in the public interest.</p>
<p>The post <a href="https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/">Leave to Appeal Refused, but Questions Remain: The Matric Results Privacy Dispute and the Meaning of Personal Information under POPIA</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI – Part 3: Consumer Protection and Transparency</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Tue, 09 Jun 2026 10:35:08 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25907</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill - a major financial sector regulatory reform - one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/">Mind the Conduct: A Guide to COFI – Part 3: Consumer Protection and Transparency</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p><strong>Introduction</strong></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill &#8211; a major financial sector regulatory reform &#8211; one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adop­ted by Cab­inet for sub­mis­sion to Par­lia­ment.</p>
<p><strong>Consumer Protection and Transparency: Part 3</strong></p>
<p>In our previous articles in this series, we examined the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/?utm_source=email&amp;utm_medium=email&amp;utm_campaign=%7bvx:campaign%20name%7d" target="_blank" rel="noopener">Purpose and Application</a> of COFI and the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing?utm_source=email&amp;utm_medium=email&amp;utm_campaign=%7bvx:campaign%20name%7d" target="_blank" rel="noopener">Licensing Framework</a> under COFI. In this article, we consider COFI’s approach to consumer protection and transparency, with a particular focus on the obligation imposed on financial institutions to publish their audited annual financial statements (AFS).</p>
<p><strong>Transparency as a regulatory pillar</strong></p>
<p>A central objective of COFI is to promote transparency in the financial sector as a mechanism for enhancing consumer protection and market discipline.</p>
<p>COFI seeks to ensure that financial customers are placed in a position to make informed decisions and that financial institutions operate in a manner that is open and accountable. This is reflected in disclosure requirements at a product level, such that institutions must ensure that fees, terms, risks and benefits of financial products are transparent and understandable. In addition, this is reflected at an institutional-level via transparency obligations.</p>
<p><strong>Publication of audited financial statements</strong></p>
<p>COFI requires that institutions prepare audited AFS and submit those statements to the FSCA. One of the more notable, and vociferously debated, features of COFI is the requirement that certain financial institutions must make those statements publicly available within a prescribed period after the end of their financial year.</p>
<p>This represents a shift from existing frameworks, where financial reporting obligations are typically directed at regulators, shareholders and/or specific stakeholders — but not typically the general public.</p>
<p>The publication requirement reflects an intention to enhance market-wide transparency, enabling customers, counterparties and other stakeholders to better assess the financial position and conduct of financial institutions.</p>
<p>From a regulatory perspective, the publication requirement appears to be grounded in three key objectives: Enhanced accountability, improved comparability and consumer empowerment.</p>
<p>Notwithstanding these objectives, the requirement has attracted meaningful criticism from industry participants and legal commentators.</p>
<ul>
<li><strong>Lack of clarity</strong>: It is not entirely clear to which institutions the publication requirement applies. COFI states that the publication requirement applies broadly to &#8220;financial institutions&#8221; required to prepare AFSs in terms of COFI or applicable conduct standards. The detail (i.e. who must be audited) is not exhaustively set out. Rather, it is expected to be specified in conduct standards, or determined by reference to other applicable legislation (such as the Companies Act). Based on the current drafting and regulatory intent, the following categories are <em>likely</em> to be caught: (a) licensed financial institutions carrying on regulated activities at scale, including insurers, CIS managers, discretionary investment managers, large FSPs and retirement fund administrators as well as certain credit providers / payment providers (depending on classification); (b) any other regulated entity where audit requirements are imposed owing to other applicable legislation. That being said, this is mere conjecture.</li>
<li><strong>Limited utility for consumers</strong>: AFSs are unlikely to be meaningful or accessible to most retail customers. AFSs are technical documents, rendering it questionable whether their publication materially advances consumer protection, in practice.</li>
<li><strong>Confidentiality and competitiveness</strong>: Financial institutions, particularly those that are not publicly listed, have understandably raised concerns about the commercial sensitivity of their financial information. Requiring the public disclosure of detailed financial statements may expose proprietary or commercially sensitive information, place firms at a competitive disadvantage and deter market entry, particularly for smaller or niche providers. Against the backdrop of the limited utility for consumers (and high utility for competitors), this seems intrinsically unfair.</li>
</ul>
<p>The requirement to publish AFS highlights a broader tension within COFI: the need to balance enhanced transparency and consumer protection against practical, proportionate regulation. While the objective of improving transparency is widely supported, stakeholders have emphasised that disclosure measures should be targeted, meaningful and proportionate to the risks being addressed.</p>
<p><strong>Practical implications</strong></p>
<p>If implemented in its current form, the publication requirement will require financial institutions to &#8211;</p>
<ul>
<li>review their financial reporting and audit processes;</li>
<li>consider the public positioning of their financial information; and</li>
<li>implement processes to ensure timely publication within prescribed deadlines.</li>
</ul>
<p>Institutions should also assess whether any group-level or subsidiary structures may be affected, particularly where entities have not historically been subject to public disclosure requirements.</p>
<p>Ultimately, COFI signals a shift towards a regulatory regime in which <em>it is not only what you do that counts, but how you behave while doing it</em>.</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/">Mind the Conduct: A Guide to COFI – Part 3: Consumer Protection and Transparency</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI &#8211; Part 2: Licensing</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Tue, 02 Jun 2026 12:54:06 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25870</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill - a major financial sector regulatory reform - one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/">Mind the Conduct: A Guide to COFI &#8211; Part 2: Licensing</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p><strong>Introduction</strong></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill &#8211; a major financial sector regulatory reform &#8211; one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adop­ted by Cab­inet for sub­mis­sion to Par­lia­ment.</p>
<p><strong>Licensing: Part 2</strong></p>
<p>In our previous article in this series, we looked at the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Purpose and Application</a> of COFI. In this article, we look at the licencing framework under COFI.</p>
<p>COFI introduces a unified market conduct licensing regime, replacing the fragmented system of industry-specific authorisations with a single licence issued by the FSCA. This licence is activity-based, marking a fundamental shift from the current model in which financial institutions are licensed according to their institutional form (for example, as banks or insurers). In other words, under COFI, <em>it is not what you are, but what you do that counts</em>.</p>
<p>Under COFI, licensing will be aligned to the specific activities performed by an institution. A single financial institution may hold one FSCA licence with multiple activity authorisations, reflecting the reality that many institutions operate across different product lines and services.</p>
<p>The framework adopts a three-tiered approach to licensing: (a) the financial activity being performed; (b) the financial product/s to which that activity relates; and (c) the category of customer to whom the product or service is provided.</p>
<p><img fetchpriority="high" decoding="async" class="wp-image-25879 size-full" src="https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-scaled.jpg" alt="" width="2560" height="863" srcset="https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-200x67.jpg 200w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-300x101.jpg 300w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-400x135.jpg 400w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-600x202.jpg 600w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-768x259.jpg 768w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-800x270.jpg 800w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-1024x345.jpg 1024w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-1200x404.jpg 1200w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-1536x518.jpg 1536w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-scaled.jpg 2560w" sizes="(max-width: 2560px) 100vw, 2560px" /></p>
<p>This structure is intended to enable more granular and risk-based regulation, but it will also require firms to undertake careful analysis of how their business models are categorised under COFI.</p>
<p><strong>Transition to the new regime</strong></p>
<p>Financial institutions currently licensed under existing sectoral laws will transition into the COFI regime through a mapping process, in which their existing permissions are aligned to the new activity-based framework. This transition is expected to take place over a staggered period. This approach is broadly consistent with the implementation of the Insurance Act, 2017.</p>
<p>New entrants, however, will be required to apply directly under the COFI framework once it comes into force.</p>
<p>Notwithstanding the conceptual clarity of the activity-based model, practical concerns have been raised: the transition to COFI will involve a large-scale relicensing exercise, potentially affecting thousands of institutions. This raises concerns about regulatory capacity, implementation timelines and the operational burden on firms required to reassess and map their activities.</p>
<p><strong>Dual licensing under Twin Peaks</strong></p>
<p>In line with the Twin Peaks regulatory model, under which institutions are subject to both market conduct and prudential regulation, certain institutions will continue to require authorisation from both the FSCA and the PA, depending on the nature of their activities.</p>
<p><strong>Outsourcing </strong></p>
<p>COFI recognises that financial institutions frequently outsource certain activities and contemplates a differentiated approach:</p>
<ul>
<li>in some cases, outsourced service providers may be required to hold their own licences;</li>
<li>in others, the licensed financial institution will remain fully responsible for the outsourced activity, even where the service provider is not licensed.</li>
</ul>
<p>The FSCA will be able to set conduct standards for outsourced activities and to take enforcement action against service providers where appropriate. This reflects a broader regulatory focus on functional accountability, rather than formal legal structure.</p>
<p>There remains ongoing uncertainty regarding the treatment of juristic representatives. The activity-based framework appears, in some contexts (notably, discretionary investment management), to require entities currently operating as juristic representatives to obtain their own licences. However, the position is less clear in relation to other activities, such as the provision of financial advice. This lack of clarity has significant implications for business models across the financial services sector and will require further guidance in the legislative process.</p>
<p><strong>Practical implications</strong></p>
<p>What is clear is that COFI will require a fundamental reassessment of licensing across the financial sector. Both currently regulated and previously unregulated entities may fall within scope.</p>
<p>In anticipation of COFI’s implementation, financial institutions should begin:</p>
<ul>
<li>mapping their activities against the proposed licensing categories;</li>
<li>assessing whether any group entities or service providers may require separate licences; and</li>
<li>reviewing governance and operational structures to align with an activity-based regulatory framework.</li>
</ul>
<p>Early preparation will be critical to managing the transition to COFI’s new licensing regime.</p>
[/fusion_text][/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/">Mind the Conduct: A Guide to COFI &#8211; Part 2: Licensing</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI &#8211; Part 1: Purpose and Application</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Tue, 26 May 2026 09:42:23 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25811</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill — a major financial sector regulatory reform - one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Mind the Conduct: A Guide to COFI &#8211; Part 1: Purpose and Application</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill — a major financial sector regulatory reform &#8211; one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adop­ted by Cab­inet for sub­mis­sion to Par­lia­ment.</p>
<p><strong>Purpose and Application: Part 1</strong></p>
<p>In this article, we consider the scope and application of COFI.</p>
<p><strong>Application</strong></p>
<p>COFI applies to all &#8220;financial institutions&#8221;, a term defined broadly to include banks, insurers, retirement funds, investment managers, collective investment schemes, credit providers, payment service providers and a wide range of other entities involved in the provision of financial products or services.</p>
<p>Critically, COFI is not concerned with the form of an institution, but with the activities it performs. In other words, under COFI, <em>it is not what you are, but what you do that counts</em>.</p>
<p><strong>Purpose and regulatory approach</strong></p>
<p>The purpose of COFI is to strengthen market conduct regulation across the financial sector by introducing a single, overarching legal framework governing how financial institutions behave and treat customers. To achieve this, COFI seeks to eliminate the current fragmented conduct regime, which is spread across multiple, and often overlapping, pieces of legislation. In its place, COFI introduces a harmonised, activity-based framework that applies consistently across the financial sector.</p>
<p><strong>Breadth of application</strong></p>
<p>COFI’s wide scope is a deliberate feature. By applying common conduct standards across all financial activities, the framework aims to ensure that customers receive consistent levels of protection, regardless of the type of institution with which they engage.</p>
<p>However, this breadth has also attracted meaningful industry concern. Stakeholders have noted that COFI’s application to a wide range of financial activities may extend regulatory oversight into areas that were previously lightly regulated or unregulated, for example, the introduction of a licensing category for &#8220;corporate advisory services&#8221;, which appears to capture activities typically associated with investment banking — including the arrangement of debt and equity issuances and advisory services in relation to mergers and acquisitions. While the framework appears to contemplate the ability for certain counterparties to &#8220;opt out&#8221; of protection, this nonetheless represents a significant expansion of regulatory scope into activities involving sophisticated, non-retail clients. This raises a broader policy question as to whether COFI’s extension into these areas is appropriately calibrated, given that such clients are not traditionally regarded as vulnerable.</p>
<p>A further concern relates to the replacement of sector-specific legislation (such as FAIS) with a single, cross-sectoral framework. While harmonisation reduces fragmentation, it may also obscure important differences between sectors and business models.</p>
<p>COFI incorporates the principle of proportionality, recognising that regulatory requirements should be applied in a manner that is appropriate to the size, nature and complexity of a financial institution. In theory, this should ensure that smaller providers — such as independent financial advisors — are not subject to the same expectations as large, complex institutions. In practice, however, the application of proportionality remains uncertain in certain respects. COFI makes use of concepts such as &#8220;governing body&#8221; and &#8220;corporate culture&#8221;, which are not always clearly defined and may not translate easily to smaller firms or new market entrants. This creates a degree of ambiguity as to how such entities are expected to comply with COFI’s conduct expectations.</p>
<p><strong>Practical implications</strong></p>
<p>COFI’s broad scope means that its impact will be felt across the entire financial sector, including by entities that may not currently be subject to comprehensive conduct regulation.</p>
<p>Given the scale of reform, COFI will be implemented on a phased basis. Transitional arrangements will allow financial institutions time to align with the new framework, including the move to activity-based licensing. That being so, in anticipation of COFI’s implementation, financial institutions should assess whether their activities fall within the scope of COFI and map existing products, services and business lines to the activity-based framework.</p>
<p>Importantly, entities that are not currently regulated — or that are only lightly regulated — should consider whether COFI will introduce new licensing and compliance obligations.</p>
<p>While there is uncertainty as to how certain aspects of COFI will be implemented in practice, what is clear is that COFI represents a material expansion in both the scope and depth of conduct regulation.</p>
<p>Early engagement and preparation will be key to navigating this transition.</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Mind the Conduct: A Guide to COFI &#8211; Part 1: Purpose and Application</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Your customer consented to direct marketing &#8211; but can you still contact them after they have registered on the National Opt-Out Registry?</title>
		<link>https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/</link>
					<comments>https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/#respond</comments>
		
		<dc:creator><![CDATA[Tebogo Sibidla]]></dc:creator>
		<pubDate>Thu, 21 May 2026 12:29:46 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25788</guid>

					<description><![CDATA[<p>by Tebogo Sibidla, Director Many businesses assume that once a customer has consented to direct marketing, they may continue contacting that customer unless the consent is expressly withdrawn. South Africa’s updated direct marketing regime may challenge this assumption. Where a customer has expressly consented to receive direct marketing but later registers a pre-emptive block on  [...]</p>
<p>The post <a href="https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/">Your customer consented to direct marketing &#8211; but can you still contact them after they have registered on the National Opt-Out Registry?</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Tebogo Sibidla, Director</em></p>
<p>Many businesses assume that once a customer has consented to direct marketing, they may continue contacting that customer unless the consent is expressly withdrawn. South Africa’s updated direct marketing regime may challenge this assumption. Where a customer has expressly consented to receive direct marketing but later registers a pre-emptive block on the National Opt-Out Registry (the &#8220;Registry&#8221;), businesses face a difficult question: should the earlier consent or the later Registry entry prevail? The question is becoming increasingly important following recent amendments to the Consumer Protection Act Regulations, 2011 (the &#8220;CPA Regulations&#8221;), which operationalise the Registry and which the National Consumer Commission (the &#8220;NCC&#8221;) has indicated will commence practical registration and implementation processes in July 2026. South African law does not yet clearly prescribe a hierarchy between prior express consent and subsequent pre-emptive block in every scenario. Pending clearer regulatory or judicial guidance, the issue should be managed as both a legal interpretation question and a data-governance risk.</p>
<p><strong>Why this matters operationally</strong></p>
<p>For many companies, consent and opt-out records are fragmented across business units, legacy platforms, outsourced call centres, CRM systems, loyalty databases, and third-party lead-generation arrangements.</p>
<p>A customer&#8217;s marketing status may be recorded in multiple parallel datasets reflecting historical contractual consent, marketing preferences, channel-specific opt-outs, POPIA objections, customer‑service suppressions, and external opt-out registry requirements. (For ease of reading, this article refers generally to &#8220;customers&#8221;, while using &#8220;consumers&#8221; where the CPA is being discussed and &#8220;data subjects&#8221; where POPIA is being discussed.) One system may show that a customer previously consented to direct marketing, while another may show a later channel-specific opt-out.</p>
<p>Businesses will therefore need rules for dealing with conflicts between earlier consent, later Registry-based opt-outs, POPIA objections and channel-specific marketing campaigns. If a customer appears on the Registry, but remains marked as having &#8220;consented&#8221; to direct marketing, which instruction will prevail? How should the business treat customers who gave prior express, and sometimes written, consent before registering a pre-emptive block on the Registry? How should customer databases be cleansed where consent records, channel-specific opt-outs, POPIA objections and Registry suppressions conflict? How should third-party lead-generating databases be assessed before use? What audit trails must exist to demonstrate that the business has a lawful basis for sending direct‑marketing communication?</p>
<p>Until this hierarchy is clarified, direct marketers will need to implement a clear governance position that can be applied across systems, channels, and third-party data sources.</p>
<p><strong>The CPA position </strong></p>
<p>Section 11 of the CPA, headed &#8220;The Right to Restrict Unwanted Direct Marketing&#8221;, prescribes consumers&#8217; rights in respect of direct marketing. In terms of this section, consumers have the right to refuse direct marketing, require that it be discontinued, or pre-emptively block unwanted marketing. The amended CPA Regulations give practical effect to this by recognising a pre-emptive block registered on the Registry established by the National Consumer Commission (&#8220;NCC&#8221;). This section also prohibits direct marketing to any person who has requested that direct marketing be discontinued or has registered a pre-emptive block.</p>
<p>In terms of the CPA Regulations (as amended), a &#8220;pre-emptive block&#8221; means &#8220;registering a block on the opt-out registry established by the Commission … to prevent any unwanted electronic communication from direct marketers&#8221;.</p>
<p>The use of the word “unwanted” is notable. It leaves room for the argument that direct marketing sent within the scope of a consumer’s specific, informed, and current consent is not &#8220;unwanted&#8221; direct marketing. On that view, a later Registry entry should not automatically override all prior or subsequent consent in every circumstance. However, this interpretation is not risk-free and would have to be weighed against the express prohibitions in the amended CPA Regulations.</p>
<p>The amended CPA Regulations strongly suggest that pre-emptive blocks are intended to have practical force. The CPA Regulations expressly prohibit a direct marketer from marketing any goods or services directly to any consumer who has registered a pre-emptive block. They also oblige a direct marketer to remove, from its direct‑marketing databases, the people who have registered pre-emptive blocks. The overall structure of the CPA regime appears designed to enable a consumer to (a) block direct marketing from a particular direct marketer by sending an opt-out message to that direct marketer; or (b) block direct marketing without having to opt out repeatedly from multiple marketers individually by registering a pre-emptive block on the Registry.</p>
<p>The Registry is therefore intended to create a centralised mechanism through which consumers can broadly signal that they do not wish to receive unwanted direct‑marketing communications. This is where the consent issue becomes significantly more complicated. Neither the CPA nor the amended CPA Regulations expressly or comprehensively address whether express consent for direct marketing can override a subsequent Registry entry.</p>
<p>The omission is significant because many organisations already rely on broad contractual or digital consent mechanisms. Consumers routinely &#8220;agree&#8221; to receive direct-marketing communications when opening accounts, downloading apps, entering competitions, or subscribing to services.</p>
<p>This lack of clarity is therefore not merely theoretical. It creates a real compliance, governance, and evidentiary challenge for businesses, especially those with large customer databases and legacy marketing systems.</p>
<p><strong>The POPIA position</strong></p>
<p>POPIA does not resolve the issue. In broad terms, section 69 of POPIA regulates direct marketing by means of unsolicited electronic communications and generally requires consent unless the existing-customer soft opt-in applies.</p>
<p>POPIA also recognises ongoing control by data subjects: data subjects who have provided prior consent may withdraw their consent at any time. Data subjects may also object to the processing of their personal information for direct‑marketing purposes.</p>
<p>POPIA therefore regulates the lawful processing of personal information, while the CPA regulates unwanted direct marketing from a consumer-protection perspective. Although the two regimes overlap substantially, in practice, they regulate different things and do not fit together neatly. It is therefore unclear how the exercise of rights under one statute affects rights and obligations under the other.</p>
<p>POPIA adds another layer to the difficult questions that arise under the CPA. It is unclear what role pre-emptive blocks under the CPA will play under the POPIA framework. Will registration on the Registry be treated as a withdrawal of earlier direct-marketing consent, an objection to processing, or a separate CPA-based suppression instruction?</p>
<p><strong>Key unresolved questions</strong></p>
<p>The current interaction between the CPA and POPIA creates several unresolved questions that affect business operations, including:</p>
<ul>
<li>Whether a pre-emptive block automatically constitutes withdrawal of prior consent.</li>
<li>Whether a marketer may continue relying on consent obtained before a Registry entry.</li>
<li>Whether a later and more specific consent can revive marketing after registration.</li>
<li>Whether the answers to these questions differ for existing customers and prospective customers.</li>
</ul>
<p>From a governance perspective, this creates a difficult compliance position for businesses attempting to design defensible direct marketing frameworks in advance of likely enforcement activity.</p>
<p>The regulatory position is also split across regimes. The CPA framework and the Registry are administered by the NCC and are aimed at addressing the consumer&#8217;s right to restrict unwanted direct marketing.  POPIA, on the other hand, regulates the processing of personal information and places specific limits on unsolicited electronic direct marketing. A single marketing campaign may therefore raise both consumer-protection and data‑protection issues, particularly where internal consent records, POPIA objections and pre-emptive block‑based suppressions are not aligned.</p>
<p>The timing and nature of the consent may also matter. Consent obtained before a customer registers a pre-emptive block may become difficult to rely on if the later Registry entry is treated as a broader suppression instruction. Consent obtained after registration may present a different question, particularly where it was recently obtained, is channel-specific and auditable. The law does not yet provide a comprehensive answer to this hierarchy issue, which is why businesses should distinguish between historical consent, post‑registration consent and broad bundled consent captured through standard customer journeys.</p>
<p>Comparative international frameworks indicate that laws often expressly clarify whether and when prior consent operates as an exception to do‑not‑contact registry protections. Certain countries, such as Canada, Australia, and the United States, expressly recognise consent-based exceptions to do‑not‑contact restrictions, although the scope and operation of those exceptions differ materially across regimes. The amended CPA Regulations currently do not provide equivalent clarity regarding the relationship between prior consent and later pre-emptive‑block based suppression rights.</p>
<p><strong>What should you do in the meantime?</strong></p>
<p>Pending clarification of the hierarchy between direct-marketing consent, pre-emptive blocks and POPIA opt-outs, businesses should consider adopting the following controls:</p>
<ol>
<li>Screen marketing databases against the Registry before campaigns, and repeat that screening monthly in line with the amended CPA Regulations.</li>
<li>Reconcile Registry matches against internal consent records, channel-specific opt-outs, POPIA objections, customer-service suppressions, and legacy marketing preferences.</li>
<li>Apply a default suppression rule where the customer appears on the Registry unless there is a properly documented and supportable basis for continuing to market to that customer within the relevant channel and scope.</li>
<li>Require exceptions to be approved and documented with reference to the wording, date, source, scope, and channel of the consent relied on.</li>
<li>Allocate responsibility for suppression management to a defined business owner supported by legal, compliance, marketing operations, and data governance, rather than allowing consent status to be managed inconsistently across marketing, sales, customer service, compliance, and outsourced call centre teams.</li>
<li>Treat third-party lead lists as high-risk data assets and do not use them unless the origin, wording, scope, date, and transferability of the relevant consent can be verified before use, and the data have been screened against the Registry and other applicable suppression requirements.</li>
<li>Retain an audit trail showing how conflicts between consent records, Registry status and POPIA objections were identified, escalated, and resolved.</li>
</ol>
<p>Until clearer regulatory or judicial guidance emerges, businesses engaging in direct marketing may need to adopt more conservative suppression frameworks. In practice, this may require organisations to treat pre-emptive block-based suppression rights as potentially overriding historical consent records unless the business can demonstrate a well-documented and defensible basis for continuing to market within the relevant channel and scope.</p>
<p>The post <a href="https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/">Your customer consented to direct marketing &#8211; but can you still contact them after they have registered on the National Opt-Out Registry?</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
