<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Archives - Werksmans Attorneys</title>
	<atom:link href="https://werksmans.com/tag/regulatory/feed/" rel="self" type="application/rss+xml" />
	<link>https://werksmans.com/tag/regulatory/</link>
	<description>Corporate and Commercial Law Firm</description>
	<lastBuildDate>Fri, 19 Jun 2026 06:50:47 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://werksmans.com/wp-content/uploads/2025/04/cropped-WERKSMANS-W-scaled-1-32x32.bmp</url>
	<title>Regulatory Archives - Werksmans Attorneys</title>
	<link>https://werksmans.com/tag/regulatory/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>When a misdirected email becomes a data breach: The Information Regulator issues an enforcement notice on internal and accidental security compromises</title>
		<link>https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/</link>
					<comments>https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/#respond</comments>
		
		<dc:creator><![CDATA[Armand Swart]]></dc:creator>
		<pubDate>Thu, 18 Jun 2026 11:50:00 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25944</guid>

					<description><![CDATA[<p>by Armand Swart, Director, Hlonelwa Lutuli, Associate and Isabella Keeves, Candidate Attorney On 22 May 2026, South Africa’s Information Regulator served an enforcement notice on the Central Johannesburg TVET College after employees’ personal credential verification reports were accidentally emailed to unauthorised staff. The enforcement notice sets a significant precedent: even accidental, purely internal disclosures of  [...]</p>
<p>The post <a href="https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/">When a misdirected email becomes a data breach: The Information Regulator issues an enforcement notice on internal and accidental security compromises</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Armand Swart, Director, Hlonelwa Lutuli, Associate and Isabella Keeves, Candidate Attorney</em></p>
<p>On 22 May 2026, South Africa’s Information Regulator served an enforcement notice on the Central Johannesburg TVET College after employees’ personal credential verification reports were accidentally emailed to unauthorised staff. The enforcement notice sets a significant precedent: even accidental, purely internal disclosures of personal information to unauthorised parties constitute a &#8220;security compromise&#8221; under the Protection of Personal Information Act 4 of 2013 (&#8220;<strong>POPIA</strong>&#8221;), triggering formal breach notification obligations. This article examines the enforcement notice, analyses its implications under POPIA, compares the position to the GDPR, and offers practical guidance for businesses.</p>
<p><strong>Background </strong></p>
<p>The Central Johannesburg TVET College (the &#8220;<strong>College</strong>&#8221;) had been placed under administration to address governance failures, including undisclosed criminal records and conflicts of interest among staff. As part of this process, employees&#8217; personal information was collected to verify their academic qualifications and criminal records. This was done by a service provider preparing Personal Credential Verification Reports (&#8220;<strong>Verification Reports</strong>&#8221;). The Acting Chief Financial Officer erroneously included the complainants’ Verification Reports in a folder of finance policies, which was then emailed to unauthorised employees.</p>
<p>The email was recalled and a follow-up was sent alerting staff to the error. An investigation was launched and corrective action was taken against staff who forwarded the document.</p>
<p>The Information Regulator (the “<strong>Regulator</strong>”) identified three categories of POPIA violation. First, the College had failed to register an information officer or designate deputy information officers, breaching POPIA&#8217;s accountability condition (section 8). Second, distribution of the Verification Reports to staff uninvolved in the governance restoration exercise constituted further processing incompatible with the original collection purpose (section 15). Third, the College’s failure to maintain separate files for Verification Reports and finance policies, coupled with its failure to register an information officer, evidenced an absence of organisational controls to prevent unlawful access or processing (section 19). The Regulator found that the accidental internal disclosure triggered POPIA&#8217;s security compromise notification obligations under section 22, which the College had failed to discharge.</p>
<p>The Regulator directed the College to: (i) register an information officer and deputy information officers; (ii) formally notify the Regulator and affected data subjects of the compromise; (iii) issue a written apology to the complainants, to be circulated to all staff; (iv) take disciplinary action against the responsible employee; (v) develop and submit a POPIA Compliance Framework; and (vi) conduct staff awareness and training programmes. Failure to comply with an enforcement notice is a criminal offence punishable by a fine of up to R10 million, imprisonment of up to ten years, or both (section 103).</p>
<p><strong>Accidental and Internal Breaches are Security Compromises</strong></p>
<p>The most significant aspect of this enforcement notice is the Regulator&#8217;s confirmation that both accidental breaches and internal disclosures fall within the meaning of a &#8220;security compromise&#8221; for POPIA purposes. Section 22(1) requires a responsible party to notify the Regulator and affected data subjects &#8220;where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person&#8221;. The provision does not distinguish between external attackers and internal employees, nor between deliberate and inadvertent disclosures. Any access by a person not authorised to receive the information is sufficient to trigger the obligation.</p>
<p>In the College’s case, the breach was entirely accidental: an employee attached the wrong file to an email, and the recipients were internal staff members, not external third parties. Nevertheless, the Regulator held that this constituted a security compromise triggering POPIA&#8217;s notification obligations in full. The College had attempted to mitigate the error by recalling the email, launching an investigation, and alerting employees that the information was not for staff use. However, the Regulator held that these good-faith remedial steps did not absolve the College of its statutory duty to formally notify the Regulator and affected data subjects. The message is clear: informal internal remediation, however swift, is no substitute for formal compliance with POPIA&#8217;s security compromise notification requirements.</p>
<p>This interpretation is grounded in the broad language of section 19(1), which requires responsible parties to take &#8220;appropriate, reasonable technical and organisational measures&#8221; to prevent, among other things, &#8220;unlawful access to or processing of personal information&#8221;. Read together with section 22, the statutory framework imposes a duty to safeguard personal information against all forms of unauthorised access, whether originating externally or internally, and whether intentional or accidental.</p>
<p><strong>Key Takeaways for Businesses</strong></p>
<p>Organisations must implement robust security measures to protect against both internal and external breaches. This requires both: (i) technological measures, such as access controls and data loss prevention technology; and (ii) organisational measures, such as policies, clear processes, and employee training. As the College’s case demonstrates, something as simple as storing personal information in a separate, access-controlled folder could have prevented the breach entirely.</p>
<p>Businesses should implement appropriate access controls to limit internal exposure to personal information. Personal information should be accessible only to those who require it for the specific purpose for which it was collected. Role-based access controls, file segregation, and clear protocols for handling sensitive documents are essential.</p>
<p>Every organisation should develop and maintain a comprehensive data breach response plan. The College’s experience illustrates that good-faith remedial steps &#8211; such as recalling an email and investigating internally &#8211; do not satisfy statutory breach notification obligations. A proper response plan should include: clear procedures for identifying and escalating potential security compromises; templates for notification to the Regulator and affected data subjects; designated personnel responsible for managing the response; and defined timelines to ensure notification is made &#8220;as soon as reasonably possible&#8221; as required by POPIA.</p>
<p>Most importantly, businesses must recognise the obligation to report all breaches to both the Regulator and affected data subjects. Unlike the GDPR, POPIA contains no materiality threshold. Every security compromise, no matter how minor, must be formally notified. Organisations should ensure that staff at all levels understand this obligation and that internal reporting channels are in place to escalate potential breaches promptly to those responsible for regulatory notification.</p>
<p><strong>Conclusion </strong></p>
<p>Although other jurisdictions, such as the EU and UK, also require reporting of internal and accidental breaches, they apply a materiality threshold and only high-risk breaches have to be reported. POPIA contains no such exception. The practical consequence is that private and public bodies under POPIA must report every security compromise, however minor, even a misdirected internal email. This places a considerable administrative burden on responsible parties, and it stretches the Regulator&#8217;s finite resources. In the absence of a materiality threshold, there is a real risk that regulatory attention is diverted from serious incidents to trivial ones. Until the legislature revisits this position, however, organisations must comply with the law as it stands.</p>
<p>Responsible parties must treat their data security obligations with the seriousness they demand or face the risk of a simple mistake inviting the full scrutiny of the Regulator, as was unfortunately the case for the College.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/when-a-misdirected-email-becomes-a-data-breach-the-information-regulator-issues-an-enforcement-notice-on-internal-and-accidental-security-compromises/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Renting out your home? The Consumer Protection Act does not apply to you says Supreme Court of Appeal</title>
		<link>https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/</link>
					<comments>https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/#respond</comments>
		
		<dc:creator><![CDATA[Armand Swart]]></dc:creator>
		<pubDate>Thu, 18 Jun 2026 11:39:45 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25975</guid>

					<description><![CDATA[<p>In the judgment of Els v Venter and Another (449/2024) [2025] ZASCA 163 (27 October 2025), the Supreme Court of Appeal ("SCA") clarified the application of the Consumer Protection Act No 68 of 2008 ("CPA") to residential leases. In this article we discuss the judgment and our key takeaways. Background After emigrating to Australia, the  [...]</p>
<p>The post <a href="https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/">Renting out your home? The Consumer Protection Act does not apply to you says Supreme Court of Appeal</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In the judgment of <em>Els v Venter and Another</em> (449/2024) [2025] ZASCA 163 (27 October 2025), the Supreme Court of Appeal (&#8220;<strong>SCA</strong>&#8221;) clarified the application of the Consumer Protection Act No 68 of 2008 (&#8220;<strong>CPA</strong>&#8221;) to residential leases. In this article we discuss the judgment and our key takeaways.</p>
<p><strong>Background </strong></p>
<p>After emigrating to Australia, the respondents, Mr and Mrs Venter (the &#8220;<strong>Venters</strong>&#8221;), leased their Stellenbosch property at De Zalze Winelands Golf Estate to the appellant, Mr Els, for a period of three years ending on 31 December 2023 (the &#8220;<strong>first lease</strong>&#8221;). After the first lease expired, the parties concluded a second lease agreement (the &#8220;<strong>second lease</strong>&#8221;) on 4 August 2023 for a further three-year period, commencing on 1 January 2024. The second lease permitted the Venters to terminate the agreement by providing three months&#8217; written notice.</p>
<p>The property was subsequently sold on 19 December 2023, and the Venters issued a termination notice on 21 December 2023 requiring Mr Els to vacate the property by 31 March 2024. Mr Els challenged the termination on the basis that the second lease constituted a fixed-term agreement under the CPA, which could only be terminated by the Venters in the event of his material failure to comply with the lease agreement.</p>
<p>The parties failed to resolve the dispute, and the Venters launched an urgent application in the Cape Town High Court, seeking an order that the second lease was validly terminated and that Mr Els must vacate the property. The High Court agreed with the Venters that the CPA did not apply and ordered Mr Els to vacate by 31 March 2024. Mr Els subsequently took the matter on appeal to the SCA.</p>
<p><strong>Key CPA Terms and Concepts</strong></p>
<p>Before addressing its substantive reasoning, the court considered several key terms and concepts under the CPA. The CPA applies to every &#8220;<em>transaction</em>&#8221; occurring in South Africa, unless specifically excluded. A &#8220;<em>transaction</em>&#8221; is defined, in respect of a &#8220;<em>person acting in the ordinary course of business</em>&#8221;, as including, amongst others, (i) an agreement for the supply or potential supply of any goods or services in exchange for consideration, or (ii) the performance of services for or at the direction of a consumer for consideration.</p>
<p>&#8220;<em>Service</em>&#8221; is in turn defined as including, amongst others, access to or use of any premises or property in terms of a &#8220;<em>rental</em>&#8221;; whereas a &#8220;<em>rental</em>&#8221; means an agreement for consideration in the ordinary course of business in terms of which temporary possession of any premises or property is delivered to the consumer; or the right to use any premises or property is granted to the consumer.</p>
<p>The CPA does not define &#8220;<em>ordinary course of business</em>&#8221;. It does however define &#8220;<em>business</em>&#8221; as &#8220;<em>the continual marketing of any goods or services</em>&#8221; and &#8220;<em>market</em>&#8221; as to &#8220;<em>promote or supply any goods or services</em>&#8221;.</p>
<p><strong>The Test for the CPA to Apply to a Residential Lease</strong></p>
<p>The SCA held that for the CPA to apply to a residential lease, two requirements must be satisfied. First, the lessor must be in the business of letting or hiring. Second, the lease must be within the lessor&#8217;s ordinary course of business, being their normal, routine, or day-to-day business activities, rather than a once-off transaction. Only if both requirements are met will a residential lease constitute a &#8220;rental&#8221; for CPA purposes, and only then will the lessee be a &#8220;<em>consumer</em>&#8221;, namely a person to whom &#8220;<em>services are marketed in the ordinary course of the supplier&#8217;s business</em>&#8221;.</p>
<p>Whether a lease is in the lessor&#8217;s ordinary course of business is an objective test that depends on the circumstances of each case.</p>
<p><strong>Application to the Facts</strong></p>
<p>The court held that the letting of the property was not in the course of the Venters&#8217; business or trade, let alone in the ordinary course of business. The Venters were not in the business of letting property for consideration: each of them was engaged in their own occupation, and they rented out their family home in South Africa after emigrating. The second lease was therefore an agreement between private individuals and not a commercial letting arrangement.</p>
<p>It followed that, for the purposes of the CPA, the Venters were not &#8220;<em>suppliers</em>&#8221; as they did not promote or supply any goods or services to consumers. Nor was Mr Els a &#8220;<em>consumer</em>&#8221; to whom services were marketed in the ordinary course of business.</p>
<p>The court further observed that the second lease was not a fixed-term agreement in terms of the CPA as it exceeded the maximum period of 24 months prescribed in Regulation 5(1) of the Consumer Protection Regulations (the second lease was for 36 months). This meant that Mr Els&#8217;s reliance on section 14(2)(b)(ii) of the CPA was misplaced. The section provides that a supplier may only cancel a fixed-term agreement after giving 20 business days’ written notice to the consumer of a material failure to comply with the agreement, and only if the consumer has not rectified the failure within that time. It should be noted, however, that this aspect of the SCA&#8217;s reasoning is questionable: if an agreement qualified as a fixed-term agreement but was for a period exceeding 24 months, the more logical conclusion would be that the supplier had contravened the CPA with regard to the length of the agreement, rather than that the agreement ceased to be a fixed-term agreement altogether.</p>
<p>The SCA also bolstered its interpretation by reference to the CPA&#8217;s underlying purpose, which it held was to protect the rights of historically disadvantaged persons who are vulnerable to exploitation. The court noted that Mr Els &#8211; the Chief Group Economist of Old Mutual &#8211; was not a vulnerable, low-income consumer. He had freely concluded the second lease on an equal bargaining footing with the Venters and was fully apprised of the circumstances, including that the second lease would be terminated once the property was sold.</p>
<p><strong>The PIE Issue</strong></p>
<p>Although the SCA dismissed Mr Els&#8217;s appeal in the main, it found that the High Court erred in ordering Mr Els to vacate the property by 31 March 2024. This order effectively amounted to an eviction order, which was incompetent because Mr Els was not yet an unlawful occupier under the Prevention of Illegal Eviction from and Unlawful Occupation of Land Act No 19 of 1998 (the &#8220;<strong>PIE Act</strong>&#8221;).</p>
<p>More fundamentally, the order cut across the powers conferred upon a court under section 4(7) of the PIE Act, which requires a court to consider whether it is just and equitable to grant an eviction, having regard to all relevant circumstances. The SCA accordingly set aside the High Court&#8217;s order in this regard.</p>
<p><strong>Conclusion and Key Takeaways</strong></p>
<p>Save for the setting aside of the High Court’s vacation order, Mr Els&#8217;s appeal was dismissed, with costs on the scale as between attorney and own client.</p>
<p>This judgment provides important clarity regarding the application of the CPA to residential leases. The CPA applies only to residential leases that are entered into in the ordinary course of the lessor&#8217;s business. Private individuals who let their own property on an occasional basis are unlikely to fall within the Act&#8217;s ambit.</p>
<p>Following an objective test, a court will consider not whether the transaction itself is ordinary, but whether it is carried out in the ordinary course of the supplier&#8217;s business. The SCA&#8217;s interpretation is both practical and sensible: a person in the business of letting property will be required to comply with the CPA (and ensure a lessee is provided with the protections contained in the Act); whereas someone renting out their home is unlikely to be subject to the CPA&#8217;s stringent obligations.</p>
<p>The SCA also relied on the CPA&#8217;s purpose to protect vulnerable and historically disadvantaged consumers and took into account Mr Els&#8217;s bargaining power when reaching its decision. We hope that the courts continue to take such a purposive and pragmatic approach to the interpretation of the CPA.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/renting-out-your-home-the-consumer-protection-act-does-not-apply-to-you-says-supreme-court-of-appeal/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI – Part 4: Principles and Conduct Requirements</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Wed, 17 Jun 2026 13:22:52 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25942</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill - a major financial sector regulatory reform - one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/">Mind the Conduct: A Guide to COFI – Part 4: Principles and Conduct Requirements</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p><strong>Introduction</strong></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill &#8211; a major financial sector regulatory reform &#8211; one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adopted by Cabinet for submission to Parliament.</p>
<p><strong>Principles and Conduct Requirements: Part 4</strong></p>
<p>In our previous articles, we examined the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Purpose and Application of COFI</a>, the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/">Licensing Framework</a> and <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/">Consumer Protection and Transparency</a> under COFI. In this article, we consider the conduct requirements introduced by COFI, which form the core of the new market conduct regime.</p>
<p><strong>A shift to outcomes-based regulation</strong></p>
<p>COFI represents a decisive move away from detailed, rules-based regulation towards a principles- and outcomes-based framework. Rather than prescribing exhaustive requirements for each sector, COFI establishes overarching conduct principles that apply across all financial institutions.</p>
<p>At the centre of this framework is the expectation that financial institutions must deliver fair outcomes for financial customers. This reflects the long-standing “Treating Customers Fairly” (TCF) approach, embedded into primary legislation.</p>
<p>Financial institutions will be required not only to comply with specific rules, but to demonstrate that their business models, products and distribution practices consistently result in fair customer outcomes.</p>
<p>While the conduct framework under COFI is conceptually coherent, it raises a number of practical challenges. The concern most commonly raised is that the shift to an outcomes-based model introduces interpretive uncertainty. Unlike a rules-based framework, which provides prescriptive requirements and clearer compliance benchmarks, an outcomes-based approach requires financial institutions to exercise judgment in determining what constitutes “fair outcomes” in a wide range of contexts. This creates challenges in both designing compliant processes and evidencing compliance to the regulator. Institutions may struggle to assess whether their product design, distribution strategies, pricing models and customer communications meet the required standard, particularly where customer outcomes may vary across different segments.</p>
<p><strong>Conduct standards and regulatory flexibility</strong></p>
<p>A key feature of COFI is the expanded role of the FSCA in issuing conduct standards. These standards will provide more detailed, activity-specific requirements that sit beneath the primary legislation.</p>
<p>This approach allows the regulatory framework to evolve over time, enabling the FSCA to respond more quickly to emerging risks, new products and market developments without requiring legislative amendment.</p>
<p>However, this flexibility also introduces a degree of regulatory uncertainty, particularly in the early stages of implementation, as much of the practical detail will be contained in future conduct standards rather than in COFI. In addition, the lack of early guidance increases the risk of inconsistent interpretation across the industry, potentially leading to uneven application of the law and retrospective regulatory scrutiny once conduct standards and supervisory expectations become more clearly defined.</p>
<p><strong>Core conduct principles</strong></p>
<p>COFI introduces a set of high-level conduct principles that apply across the financial sector, including acting honestly, fairly, and with due skill, care and diligence; avoiding conflicts of interest; ensuring that customers are provided with clear, appropriate and timely information; and designing and distributing financial products in a manner that is appropriate for the target market. These principles are deliberately broad and are intended to apply across a wide range of business models and activities.</p>
<p><strong>Product life cycle </strong></p>
<p>COFI places significant emphasis on product governance and oversight. Financial institutions will be required to ensure that (a) products are designed with a clearly identified target market; (b) distribution strategies are aligned to that target market; and (c) products continue to perform as expected over their lifecycle.</p>
<p>This represents a shift from a disclosure-based regime to one that scrutinises the entire product lifecycle, from design through to post-sale monitoring.</p>
<p><strong>Conduct culture</strong></p>
<p>COFI is focused on conduct culture within institutions. Boards and senior management will be expected to take responsibility for embedding a culture that prioritises fair customer outcomes.</p>
<p>This reflects a broader regulatory trend towards holding senior individuals accountable for the conduct of the institutions they manage.</p>
<p><strong>Practical implications</strong></p>
<p>COFI’s conduct requirements will require financial institutions to move beyond a tick-box compliance approach and towards a more holistic, outcomes-focused model.</p>
<p>In preparation, institutions should consider reviewing their product governance frameworks, assessing how customer outcomes are currently measured and monitored, strengthening conduct risk management processes and embedding conduct considerations into decision-making at all levels of the organisation.</p>
<p>Ultimately, COFI signals a shift towards a regulatory regime in which <em>it is not only what you do that counts, but how you behave while doing it and how it lands with consumers.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-4-principles-and-conduct-requirements/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Leave to Appeal Refused, but Questions Remain: The Matric Results Privacy Dispute and the Meaning of Personal Information under POPIA</title>
		<link>https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/</link>
					<comments>https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/#respond</comments>
		
		<dc:creator><![CDATA[Armand Swart]]></dc:creator>
		<pubDate>Tue, 09 Jun 2026 12:30:34 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25909</guid>

					<description><![CDATA[<p>by: Armand Swart, Director and Isabella Keeves, Candidate Attorney On 3 June 2026, the Gauteng High Court refused the Information Regulator's application for leave to appeal to the Supreme Court of Appeal against the order of 12 December 2025, in which a full bench held that the Department of Basic Education may lawfully publish matric  [...]</p>
<p>The post <a href="https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/">Leave to Appeal Refused, but Questions Remain: The Matric Results Privacy Dispute and the Meaning of Personal Information under POPIA</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by: Armand Swart, Director and Isabella Keeves, Candidate Attorney</em></p>
<p>On 3 June 2026, the Gauteng High Court refused the Information Regulator&#8217;s application for leave to appeal to the Supreme Court of Appeal against the order of 12 December 2025, in which a full bench held that the Department of Basic Education may lawfully publish matric results using examination numbers. The court concluded that the Regulator has no reasonable prospects of success. The practical upshot: matric results will continue to be published in newspapers using examination numbers without names or surnames. However, many questions remain.</p>
<p>This article examines the decision and analyses what it means for the interpretation of &#8220;personal information&#8221; under the Protection of Personal Information Act 4 of 2013 (&#8220;<strong>POPIA</strong>&#8221;) and the Act&#8217;s application as a whole. Was the court’s refusal of leave a missed opportunity to secure authoritative guidance on questions of public importance?</p>
<p><strong>History of the Matter</strong></p>
<p>The dispute began when POPIA came fully into effect on 1 July 2021, prompting the Department to halt its long-standing practice of publishing matric results in newspapers. In January 2022, a matriculant, Ms Anle Spies, together with other parties, brought urgent proceedings against the Department. The Regulator was cited as a respondent. The matter was settled by a consent order, which the Regulator confirmed: results would be published using examination numbers only, without student names or surnames. Results have been published in this manner since then.</p>
<p>The Regulator subsequently conducted an own-initiative assessment, and in November 2024, it issued an enforcement notice ordering the Department to cease publication of the 2024 matric results in newspapers and obtain consent before any future publication. The Department did not comply. The Regulator then brought urgent enforcement proceedings, which were struck from the roll on 8 January 2025 for lack of urgency. On 12 December 2025, a full bench upheld the Department’s appeal, set aside both the enforcement and infringement notices, and ordered the Regulator to pay the costs of the appeal. The latest development is that the Regulator&#8217;s application for leave to appeal was refused on 3 June 2026.</p>
<p>In our view, it is unfortunate that leave was not granted. The underlying questions discussed below are of considerable significance.</p>
<p><strong>Arguments in the High Court</strong></p>
<p>In the High Court matter which resulted in the December 2025 judgment, the Department argued that examination numbers, published without names or surnames, do not relate to an &#8220;identifiable&#8221; person and therefore do not constitute &#8220;personal information&#8221; for purposes of POPIA. The Regulator, on the other hand, contended that because examination numbers are issued sequentially, a learner could memorise where their classmates sat and identify one another&#8217;s results by cross-referencing published numbers. Judge Mooki dismissed this as &#8220;fanciful&#8221;, akin to &#8220;a poorly constructed thought experiment&#8221; unsupported by empirical evidence.</p>
<p>The judgment turned on a single dispositive question: whether the manner of publication constitutes &#8220;personally identifiable information&#8221; for purposes of POPIA. The court answered in the negative, and it upheld the appeal against the enforcement notice on that basis, declining to address the remaining arguments of the parties.</p>
<p>In refusing the application for leave to appeal the December 2025 judgment, Judge Mooki stated: &#8220;I am not persuaded that the expression &#8216;personally identifiable information&#8217; offends against the POPIA, or that it constitutes legislation by a court,&#8221; adding that the expression &#8220;goes no further than a description of essential facts in the dispute between the parties&#8221;.</p>
<p><strong>Practical Implications of the Dismissal</strong></p>
<p>The December 2025 judgment establishes that information published in a form that does not permit the identification of a specific individual without more does not constitute &#8220;personal information&#8221; under POPIA.</p>
<p>The court’s reasoning invites comparison with the EU General Data Protection Regulation (&#8220;<strong>GDPR</strong>&#8221;) and the UK GDPR. Those frameworks draw a critical distinction between anonymisation (which requires that re-identification be irreversible and effectively impossible) and pseudonymisation (which merely replaces direct identifiers with codes whilst keeping information allowing re-identification separately). Crucially, pseudonymised data remains personal data under both regimes, subject to the full suite of data protection obligations. Examination numbers assigned to learners would, on a conventional European analysis, constitute pseudonymised data rather than anonymised data.</p>
<p>The High Court, by contrast, applied a narrower test, asking whether a person could, &#8220;without any particular diligence&#8221; and &#8220;without more&#8221;, identify a learner. Because the answer was no from the general public&#8217;s perspective, the court concluded that POPIA did not apply <em>at all</em>.</p>
<p><strong>Did the Court Get It Right?</strong></p>
<p>The court&#8217;s reasoning is defensible on its own terms: no learner had complained, and no harm had been demonstrated across the consecutive years of publication. The court specifically referred to no privacy infringement being demonstrated, and Judge Mooki stated that he considered all the other issues as &#8220;incidental&#8221;. This counted against the Regulator’s case.</p>
<p>That said, tensions remain. The court&#8217;s binary approach &#8211; data being either personally identifiable or not &#8211; did not engage with the intermediate category of pseudonymised data recognised under EU and UK frameworks. Additionally, the expression &#8220;personally identifiable information&#8221; is not a term used in POPIA itself. The Regulator&#8217;s Chairperson, Advocate Pansy Tlakula, has maintained that the examination numbers are &#8220;not de-identified&#8221; because they remain &#8220;linked to a student&#8221;, a position that carries considerable force under European norms.</p>
<p>If pseudonymous data is effectively excluded from POPIA’s protective ambit, the consequences for data subjects could be significant. Responsible parties would be able to process, disseminate, and share coded personal data without: a lawful basis (like consent); providing notice to data subjects; conducting impact assessments for high-risk processing; or responding to data subject access requests. In other words, a responsible party would not be required to comply with POPIA at all. This is simply because the recipients of the data cannot, without more, independently identify the individuals concerned. Data that remains personal in the responsible party&#8217;s hands would be treated as non-personal once disclosed to third parties. This appears to be in direct tension with POPIA, which excludes from the Act&#8217;s application <em>only</em> information &#8220;that has been de-identified to the extent that it cannot be re-identified again&#8221;, i.e. truly anonymous data, not pseudonymous data where re-identification remains possible (POPIA, section 6(1)(b)).</p>
<p>The court also declined to address whether a lawful basis for processing existed. Had it treated examination numbers as personal information, the question would have shifted to justification. A legitimate interests analysis, balancing the substantial public interest in educational transparency against the minimal privacy intrusion of publishing a learner&#8217;s examination number, could have still found that publication is proportionate and justified. The court could also have considered whether the Department&#8217;s constitutional mandate in relation to education, and its legislative obligations regarding the dissemination of examination results, supported a public law duty justifying the publication of results using examination numbers under POPIA (section 11(1)(e)).</p>
<p><strong>Conclusion</strong></p>
<p>In refusing leave, Judge Mooki stated: &#8220;I am also not persuaded that the application raises compelling reasons that warrant granting leave to appeal&#8221;. The Regulator raised legitimate questions about the interpretation of POPIA, and the primary concern now is that the High Court judgment results in an unjustified narrowing of the definition of personal information. Whether the Regulator chooses to petition the SCA directly remains to be seen. If it does, the SCA will have the opportunity to consider whether the High Court’s binary approach to what constitutes personal information is consistent with POPIA’s broader purposes, or whether a more nuanced assessment &#8211; one that acknowledges pseudonymised data as a recognised intermediate category &#8211; better serves the statute’s protective aims whilst accommodating justified processing in the public interest.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/leave-to-appeal-refused-but-questions-remain-the-matric-results-privacy-dispute-and-the-meaning-of-personal-information-under-popia/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI – Part 3: Consumer Protection and Transparency</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Tue, 09 Jun 2026 10:35:08 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25907</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill - a major financial sector regulatory reform - one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/">Mind the Conduct: A Guide to COFI – Part 3: Consumer Protection and Transparency</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p><strong>Introduction</strong></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill &#8211; a major financial sector regulatory reform &#8211; one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adopted by Cabinet for submission to Parliament.</p>
<p><strong>Consumer Protection and Transparency: Part 3</strong></p>
<p>In our previous articles in this series, we examined the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/?utm_source=email&amp;utm_medium=email&amp;utm_campaign=%7bvx:campaign%20name%7d" target="_blank" rel="noopener">Purpose and Application</a> of COFI and the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing?utm_source=email&amp;utm_medium=email&amp;utm_campaign=%7bvx:campaign%20name%7d" target="_blank" rel="noopener">Licensing Framework</a> under COFI. In this article, we consider COFI’s approach to consumer protection and transparency, with a particular focus on the obligation imposed on financial institutions to publish their audited annual financial statements (AFS).</p>
<p><strong>Transparency as a regulatory pillar</strong></p>
<p>A central objective of COFI is to promote transparency in the financial sector as a mechanism for enhancing consumer protection and market discipline.</p>
<p>COFI seeks to ensure that financial customers are placed in a position to make informed decisions and that financial institutions operate in a manner that is open and accountable. This is reflected in disclosure requirements at a product level, such that institutions must ensure that fees, terms, risks and benefits of financial products are transparent and understandable. In addition, this is reflected at an institutional level via transparency obligations.</p>
<p><strong>Publication of audited financial statements</strong></p>
<p>COFI requires that institutions prepare audited AFS and submit those statements to the FSCA. One of the more notable, and vociferously debated, features of COFI is the requirement that certain financial institutions must make those statements publicly available within a prescribed period after the end of their financial year.</p>
<p>This represents a shift from existing frameworks, where financial reporting obligations are typically directed at regulators, shareholders and/or specific stakeholders — but not typically the general public.</p>
<p>The publication requirement reflects an intention to enhance market-wide transparency, enabling customers, counterparties and other stakeholders to better assess the financial position and conduct of financial institutions.</p>
<p>From a regulatory perspective, the publication requirement appears to be grounded in three key objectives: enhanced accountability, improved comparability and consumer empowerment.</p>
<p>Notwithstanding these objectives, the requirement has attracted meaningful criticism from industry participants and legal commentators.</p>
<ul>
<li><strong>Lack of clarity</strong>: It is not entirely clear to which institutions the publication requirement applies. COFI states that the publication requirement applies broadly to &#8220;financial institutions&#8221; required to prepare AFSs in terms of COFI or applicable conduct standards. The detail (i.e. who must be audited) is not exhaustively set out. Rather, it is expected to be specified in conduct standards, or determined by reference to other applicable legislation (such as the Companies Act). Based on the current drafting and regulatory intent, the following categories are <em>likely</em> to be caught: (a) licensed financial institutions carrying on regulated activities at scale, including insurers, CIS managers, discretionary investment managers, large FSPs and retirement fund administrators as well as certain credit providers / payment providers (depending on classification); (b) any other regulated entity where audit requirements are imposed owing to other applicable legislation. That being said, this is mere conjecture.</li>
<li><strong>Limited utility for consumers</strong>: AFSs are unlikely to be meaningful or accessible to most retail customers. AFSs are technical documents, rendering it questionable whether their publication materially advances consumer protection, in practice.</li>
<li><strong>Confidentiality and competitiveness</strong>: Financial institutions, particularly those that are not publicly listed, have understandably raised concerns about the commercial sensitivity of their financial information. Requiring the public disclosure of detailed financial statements may expose proprietary or commercially sensitive information, place firms at a competitive disadvantage and deter market entry, particularly for smaller or niche providers. Against the backdrop of the limited utility for consumers (and high utility for competitors), this seems intrinsically unfair.</li>
</ul>
<p>The requirement to publish AFS highlights a broader tension within COFI: the need to balance enhanced transparency and consumer protection against practical, proportionate regulation. While the objective of improving transparency is widely supported, stakeholders have emphasised that disclosure measures should be targeted, meaningful and proportionate to the risks being addressed.</p>
<p><strong>Practical implications</strong></p>
<p>If implemented in its current form, the publication requirement will require financial institutions to &#8211;</p>
<ul>
<li>review their financial reporting and audit processes;</li>
<li>consider the public positioning of their financial information; and</li>
<li>implement processes to ensure timely publication within prescribed deadlines.</li>
</ul>
<p>Institutions should also assess whether any group-level or subsidiary structures may be affected, particularly where entities have not historically been subject to public disclosure requirements.</p>
<p>Ultimately, COFI signals a shift towards a regulatory regime in which <em>it is not only what you do that counts, but how you behave while doing it</em>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-3-consumer-protection-and-transparency/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI &#8211; Part 2: Licensing</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Tue, 02 Jun 2026 12:54:06 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25870</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill - a major financial sector regulatory reform - one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/">Mind the Conduct: A Guide to COFI &#8211; Part 2: Licensing</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p><strong>Introduction</strong></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill &#8211; a major financial sector regulatory reform &#8211; one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adopted by Cabinet for submission to Parliament.</p>
<p><strong>Licensing: Part 2</strong></p>
<p>In our previous article in this series, we looked at the <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Purpose and Application</a> of COFI. In this article, we look at the licensing framework under COFI.</p>
<p>COFI introduces a unified market conduct licensing regime, replacing the fragmented system of industry-specific authorisations with a single licence issued by the FSCA. This licence is activity-based, marking a fundamental shift from the current model in which financial institutions are licensed according to their institutional form (for example, as banks or insurers). In other words, under COFI, <em>it is not what you are, but what you do that counts</em>.</p>
<p>Under COFI, licensing will be aligned to the specific activities performed by an institution. A single financial institution may hold one FSCA licence with multiple activity authorisations, reflecting the reality that many institutions operate across different product lines and services.</p>
<p>The framework adopts a three-tiered approach to licensing: (a) the financial activity being performed; (b) the financial product/s to which that activity relates; and (c) the category of customer to whom the product or service is provided.</p>
<p><img fetchpriority="high" decoding="async" class="wp-image-25879 size-full" src="https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-scaled.jpg" alt="" width="2560" height="863" srcset="https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-200x67.jpg 200w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-300x101.jpg 300w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-400x135.jpg 400w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-600x202.jpg 600w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-768x259.jpg 768w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-800x270.jpg 800w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-1024x345.jpg 1024w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-1200x404.jpg 1200w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-1536x518.jpg 1536w, https://werksmans.com/wp-content/uploads/2026/06/COFI-Part-2-Licensing-Diagram-scaled.jpg 2560w" sizes="(max-width: 2560px) 100vw, 2560px" /></p>
<p>This structure is intended to enable more granular and risk-based regulation, but it will also require firms to undertake careful analysis of how their business models are categorised under COFI.</p>
<p><strong>Transition to the new regime</strong></p>
<p>Financial institutions currently licensed under existing sectoral laws will transition into the COFI regime through a mapping process, in which their existing permissions are aligned to the new activity-based framework. This transition is expected to take place over a staggered period. This approach is broadly consistent with the implementation of the Insurance Act, 2017.</p>
<p>New entrants, however, will be required to apply directly under the COFI framework once it comes into force.</p>
<p>Notwithstanding the conceptual clarity of the activity-based model, practical concerns have been raised: the transition to COFI will involve a large-scale relicensing exercise, potentially affecting thousands of institutions. This raises concerns about regulatory capacity, implementation timelines and the operational burden on firms required to reassess and map their activities.</p>
<p><strong>Dual licensing under Twin Peaks</strong></p>
<p>In line with the Twin Peaks regulatory model, under which institutions are subject to both market conduct and prudential regulation, certain institutions will continue to require authorisation from both the FSCA and the PA, depending on the nature of their activities.</p>
<p><strong>Outsourcing </strong></p>
<p>COFI recognises that financial institutions frequently outsource certain activities and contemplates a differentiated approach:</p>
<ul>
<li>in some cases, outsourced service providers may be required to hold their own licences;</li>
<li>in others, the licensed financial institution will remain fully responsible for the outsourced activity, even where the service provider is not licensed.</li>
</ul>
<p>The FSCA will be able to set conduct standards for outsourced activities and to take enforcement action against service providers where appropriate. This reflects a broader regulatory focus on functional accountability, rather than formal legal structure.</p>
<p>There remains ongoing uncertainty regarding the treatment of juristic representatives. The activity-based framework appears, in some contexts (notably, discretionary investment management), to require entities currently operating as juristic representatives to obtain their own licences. However, the position is less clear in relation to other activities, such as the provision of financial advice. This lack of clarity has significant implications for business models across the financial services sector and will require further guidance in the legislative process.</p>
<p><strong>Practical implications</strong></p>
<p>What is clear is that COFI will require a fundamental reassessment of licensing across the financial sector. Both currently regulated and previously unregulated entities may fall within scope.</p>
<p>In anticipation of COFI’s implementation, financial institutions should begin:</p>
<ul>
<li>mapping their activities against the proposed licensing categories;</li>
<li>assessing whether any group entities or service providers may require separate licences; and</li>
<li>reviewing governance and operational structures to align with an activity-based regulatory framework.</li>
</ul>
<p>Early preparation will be critical to managing the transition to COFI’s new licensing regime.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi-part-2-licensing/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Mind the Conduct: A Guide to COFI &#8211; Part 1: Purpose and Application</title>
		<link>https://werksmans.com/mind-the-conduct-a-guide-to-cofi/</link>
					<comments>https://werksmans.com/mind-the-conduct-a-guide-to-cofi/#respond</comments>
		
		<dc:creator><![CDATA[Hilah Laskov]]></dc:creator>
		<pubDate>Tue, 26 May 2026 09:42:23 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25811</guid>

					<description><![CDATA[<p>by Hilah Laskov, Director In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill — a major financial sector regulatory reform - one theme at a time. COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks  [...]</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Mind the Conduct: A Guide to COFI &#8211; Part 1: Purpose and Application</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Hilah Laskov, Director</em></p>
<p>In this article series, we take a deep dive into the South African Conduct of Financial Institutions (COFI) Bill &#8211; a major financial sector regulatory reform &#8211; one theme at a time.</p>
<p>COFI was drafted in conjunction with the Financial Sector Regulation Act (FSRA), the two pillars of the Twin Peaks regulatory reform. The Twin Peaks regulatory reform is a response to financial system weaknesses identified by the 2008 Global Financial Crisis, such as the systemic risks of large insurers and inappropriate market conduct practices.</p>
<p>The FSRA has already been implemented. The FSRA introduced the Twin Peaks regulatory framework, bringing into existence two regulators for the industry. The first regulator is the Prudential Authority (PA) responsible for the prudential regulation of financial institutions, while the second is the Financial Sector Conduct Authority (FSCA) responsible for regulating market conduct.</p>
<p>COFI represents a major overhaul of how financial institutions will be regulated in South Africa. Currently, different financial institutions are regulated by different legislation. COFI will involve shifting to a harmonised, principles-based conduct regime focused on customer outcomes, transparency and inclusion. COFI also provides for a single licensing and supervision framework and stronger enforcement and standards across the financial sector. Its implementation will unfold over several years and reshape regulatory expectations for financial institutions and consumers alike.</p>
<p>National Treasury has indicated that COFI will be finalised in 2026. COFI has recently been adopted by Cabinet for submission to Parliament.</p>
<p><strong>Purpose and Application: Part 1</strong></p>
<p>In this article, we consider the scope and application of COFI.</p>
<p><strong>Application</strong></p>
<p>COFI applies to all &#8220;financial institutions&#8221;, a term defined broadly to include banks, insurers, retirement funds, investment managers, collective investment schemes, credit providers, payment service providers and a wide range of other entities involved in the provision of financial products or services.</p>
<p>Critically, COFI is not concerned with the form of an institution, but with the activities it performs. In other words, under COFI, <em>it is not what you are, but what you do that counts</em>.</p>
<p><strong>Purpose and regulatory approach</strong></p>
<p>The purpose of COFI is to strengthen market conduct regulation across the financial sector by introducing a single, overarching legal framework governing how financial institutions behave and treat customers. To achieve this, COFI seeks to eliminate the current fragmented conduct regime, which is spread across multiple, and often overlapping, pieces of legislation. In its place, COFI introduces a harmonised, activity-based framework that applies consistently across the financial sector.</p>
<p><strong>Breadth of application</strong></p>
<p>COFI’s wide scope is a deliberate feature. By applying common conduct standards across all financial activities, the framework aims to ensure that customers receive consistent levels of protection, regardless of the type of institution with which they engage.</p>
<p>However, this breadth has also attracted meaningful industry concern. Stakeholders have noted that COFI’s application to a wide range of financial activities may extend regulatory oversight into areas that were previously lightly regulated or unregulated. One example is the introduction of a licensing category for &#8220;corporate advisory services&#8221;, which appears to capture activities typically associated with investment banking, including the arrangement of debt and equity issuances and advisory services in relation to mergers and acquisitions. While the framework appears to contemplate the ability for certain counterparties to &#8220;opt out&#8221; of protection, this nonetheless represents a significant expansion of regulatory scope into activities involving sophisticated, non-retail clients. This raises a broader policy question as to whether COFI’s extension into these areas is appropriately calibrated, given that such clients are not traditionally regarded as vulnerable.</p>
<p>A further concern relates to the replacement of sector-specific legislation (such as FAIS) with a single, cross-sectoral framework. While harmonisation reduces fragmentation, it may also obscure important differences between sectors and business models.</p>
<p>COFI incorporates the principle of proportionality, recognising that regulatory requirements should be applied in a manner that is appropriate to the size, nature and complexity of a financial institution. In theory, this should ensure that smaller providers — such as independent financial advisors — are not subject to the same expectations as large, complex institutions. In practice, however, the application of proportionality remains uncertain in certain respects. COFI makes use of concepts such as &#8220;governing body&#8221; and &#8220;corporate culture&#8221;, which are not always clearly defined and may not translate easily to smaller firms or new market entrants. This creates a degree of ambiguity as to how such entities are expected to comply with COFI’s conduct expectations.</p>
<p><strong>Practical implications</strong></p>
<p>COFI’s broad scope means that its impact will be felt across the entire financial sector, including by entities that may not currently be subject to comprehensive conduct regulation.</p>
<p>Given the scale of reform, COFI will be implemented on a phased basis. Transitional arrangements will allow financial institutions time to align with the new framework, including the move to activity-based licensing. That being so, in anticipation of COFI’s implementation, financial institutions should assess whether their activities fall within the scope of COFI and map existing products, services and business lines to the activity-based framework.</p>
<p>Importantly, entities that are not currently regulated — or that are only lightly regulated — should consider whether COFI will introduce new licensing and compliance obligations.</p>
<p>While there is uncertainty as to how certain aspects of COFI will be implemented in practice, what is clear is that COFI represents a material expansion in both the scope and depth of conduct regulation.</p>
<p>Early engagement and preparation will be key to navigating this transition.</p>
<p>The post <a href="https://werksmans.com/mind-the-conduct-a-guide-to-cofi/">Mind the Conduct: A Guide to COFI &#8211; Part 1: Purpose and Application</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/mind-the-conduct-a-guide-to-cofi/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Your customer consented to direct marketing &#8211; but can you still contact them after they have registered on the National Opt-Out Registry?</title>
		<link>https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/</link>
					<comments>https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/#respond</comments>
		
		<dc:creator><![CDATA[Tebogo Sibidla]]></dc:creator>
		<pubDate>Thu, 21 May 2026 12:29:46 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25788</guid>

					<description><![CDATA[<p>by Tebogo Sibidla, Director Many businesses assume that once a customer has consented to direct marketing, they may continue contacting that customer unless the consent is expressly withdrawn. South Africa’s updated direct marketing regime may challenge this assumption. Where a customer has expressly consented to receive direct marketing but later registers a pre-emptive block on  [...]</p>
<p>The post <a href="https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/">Your customer consented to direct marketing &#8211; but can you still contact them after they have registered on the National Opt-Out Registry?</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Tebogo Sibidla, Director</em></p>
<p>Many businesses assume that once a customer has consented to direct marketing, they may continue contacting that customer unless the consent is expressly withdrawn. South Africa’s updated direct marketing regime may challenge this assumption. Where a customer has expressly consented to receive direct marketing but later registers a pre-emptive block on the National Opt-Out Registry (the &#8220;Registry&#8221;), businesses face a difficult question: should the earlier consent or the later Registry entry prevail? The question is becoming increasingly important following recent amendments to the Consumer Protection Act Regulations, 2011 (the &#8220;CPA Regulations&#8221;), which operationalise the Registry and which the National Consumer Commission (the &#8220;NCC&#8221;) has indicated will commence practical registration and implementation processes in July 2026. South African law does not yet clearly prescribe a hierarchy between prior express consent and subsequent pre-emptive block in every scenario. Pending clearer regulatory or judicial guidance, the issue should be managed as both a legal interpretation question and a data-governance risk.</p>
<p><strong>Why this matters operationally</strong></p>
<p>For many companies, consent and opt-out records are fragmented across business units, legacy platforms, outsourced call centres, CRM systems, loyalty databases, and third-party lead-generation arrangements.</p>
<p>A customer&#8217;s marketing status may be recorded in multiple parallel datasets reflecting historical contractual consent, marketing preferences, channel-specific opt-outs, POPIA objections, customer‑service suppressions, and external opt-out registry requirements. (For ease of reading, this article refers generally to &#8220;customers&#8221;, while using &#8220;consumers&#8221; where the CPA is being discussed and &#8220;data subjects&#8221; where POPIA is being discussed.) One system may show that a customer previously consented to direct marketing, while another may show a later channel-specific opt-out.</p>
<p>Businesses will therefore need rules for dealing with conflicts between earlier consent, later Registry-based opt-outs, POPIA objections and channel-specific marketing campaigns. If a customer appears on the Registry, but remains marked as having &#8220;consented&#8221; to direct marketing, which instruction will prevail? How should the business treat customers who gave prior express, and sometimes written, consent before registering a pre-emptive block on the Registry? How should customer databases be cleansed where consent records, channel-specific opt-outs, POPIA objections and Registry suppressions conflict? How should third-party lead-generating databases be assessed before use? What audit trails must exist to demonstrate that the business has a lawful basis for sending direct‑marketing communication?</p>
<p>Until this hierarchy is clarified, direct marketers will need to implement a clear governance position that can be applied across systems, channels, and third-party data sources.</p>
<p><strong>The CPA position </strong></p>
<p>Section 11 of the CPA, headed &#8220;The Right to Restrict Unwanted Direct Marketing&#8221;, prescribes consumers&#8217; rights in respect of direct marketing. In terms of this section, consumers have the right to refuse direct marketing, require that it be discontinued, or pre-emptively block unwanted marketing. The amended CPA Regulations give practical effect to this by recognising a pre-emptive block registered on the Registry established by the National Consumer Commission (&#8220;NCC&#8221;). This section also prohibits direct marketing to any person who has requested that direct marketing be discontinued or has registered a pre-emptive block.</p>
<p>In terms of the CPA Regulations (as amended), a &#8220;pre-emptive block&#8221; means &#8220;registering a block on the opt-out registry established by the Commission … to prevent any unwanted electronic communication from direct marketers&#8221;.</p>
<p>The use of the word “unwanted” is notable. It leaves room for the argument that direct marketing sent within the scope of a consumer’s specific, informed, and current consent is not &#8220;unwanted&#8221; direct marketing. On that view, a later Registry entry should not automatically override all prior or subsequent consent in every circumstance. However, this interpretation is not risk-free and would have to be weighed against the express prohibitions in the amended CPA Regulations.</p>
<p>The amended CPA Regulations strongly suggest that pre-emptive blocks are intended to have practical force. The CPA Regulations expressly prohibit a direct marketer from marketing any goods or services directly to any consumer who has registered a pre-emptive block. They also oblige a direct marketer to remove, from its direct‑marketing databases, the people who have registered pre-emptive blocks. The overall structure of the CPA regime appears designed to enable a consumer to (a) block direct marketing from a particular direct marketer by sending an opt-out message to that direct marketer; or (b) block direct marketing without having to opt out repeatedly from multiple marketers individually by registering a pre-emptive block on the Registry.</p>
<p>The Registry is therefore intended to create a centralised mechanism through which consumers can broadly signal that they do not wish to receive unwanted direct‑marketing communications. This is where the consent issue becomes significantly more complicated. Neither the CPA nor the amended CPA Regulations expressly or comprehensively address whether express consent for direct marketing can override a subsequent Registry entry.</p>
<p>The omission is significant because many organisations already rely on broad contractual or digital consent mechanisms. Consumers routinely &#8220;agree&#8221; to receive direct-marketing communications when opening accounts, downloading apps, entering competitions, or subscribing to services.</p>
<p>This lack of clarity is therefore not merely theoretical. It creates a real compliance, governance, and evidentiary challenge for businesses, especially those with large customer databases and legacy marketing systems.</p>
<p><strong>The POPIA position</strong></p>
<p>POPIA does not resolve the issue. In broad terms, section 69 of POPIA regulates direct marketing by means of unsolicited electronic communications and generally requires consent unless the existing-customer soft opt-in applies.</p>
<p>POPIA also recognises ongoing control by data subjects: data subjects who have provided prior consent may withdraw their consent at any time. Data subjects may also object to the processing of their personal information for direct‑marketing purposes.</p>
<p>POPIA therefore regulates the lawful processing of personal information, while the CPA regulates unwanted direct marketing from a consumer-protection perspective. Although the two regimes overlap substantially, in practice, they regulate different things and do not fit together neatly. It is therefore unclear how the exercise of rights under one statute affects rights and obligations under the other.</p>
<p>POPIA adds another layer to the difficult questions that arise under the CPA. It is unclear what role pre-emptive blocks under the CPA will play under the POPIA framework. Will registration on the Registry be treated as a withdrawal of earlier direct-marketing consent, an objection to processing, or a separate CPA-based suppression instruction?</p>
<p><strong>Key unresolved questions</strong></p>
<p>The current interaction between the CPA and POPIA creates several unresolved questions that affect business operations, including:</p>
<ul>
<li>Whether a pre-emptive block automatically constitutes withdrawal of prior consent.</li>
<li>Whether a marketer may continue relying on consent obtained before a Registry entry.</li>
<li>Whether a later and more specific consent can revive marketing after registration.</li>
<li>Whether the answers to these questions differ for existing customers and prospective customers.</li>
</ul>
<p>From a governance perspective, this creates a difficult compliance position for businesses attempting to design defensible direct marketing frameworks in advance of likely enforcement activity.</p>
<p>The regulatory position is also split across regimes. The CPA framework and the Registry are administered by the NCC and are aimed at addressing the consumer&#8217;s right to restrict unwanted direct marketing. POPIA, on the other hand, regulates the processing of personal information and places specific limits on unsolicited electronic direct marketing. A single marketing campaign may therefore raise both consumer-protection and data‑protection issues, particularly where internal consent records, POPIA objections and pre-emptive block‑based suppressions are not aligned.</p>
<p>The timing and nature of the consent may also matter. Consent obtained before a customer registers a pre-emptive block may become difficult to rely on if the later Registry entry is treated as a broader suppression instruction. Consent obtained after registration may present a different question, particularly where it was recently obtained, is channel-specific and auditable. The law does not yet provide a comprehensive answer to this hierarchy issue, which is why businesses should distinguish between historical consent, post‑registration consent and broad bundled consent captured through standard customer journeys.</p>
<p>Comparative international frameworks indicate that laws often expressly clarify whether and when prior consent operates as an exception to do‑not‑contact registry protections. Certain countries, such as Canada, Australia, and the United States, expressly recognise consent-based exceptions to do‑not‑contact restrictions, although the scope and operation of those exceptions differ materially across regimes. The amended CPA Regulations currently do not provide equivalent clarity regarding the relationship between prior consent and later pre-emptive block‑based suppression rights.</p>
<p><strong>What should you do in the meantime?</strong></p>
<p>Pending clarification of the hierarchy between direct-marketing consent, pre-emptive blocks and POPIA opt-outs, businesses should consider adopting the following controls:</p>
<ol>
<li>Screen marketing databases against the Registry before campaigns, and repeat that screening monthly in line with the amended CPA Regulations.</li>
<li>Reconcile Registry matches against internal consent records, channel-specific opt-outs, POPIA objections, customer-service suppressions, and legacy marketing preferences.</li>
<li>Apply a default suppression rule where the customer appears on the Registry unless there is a properly documented and supportable basis for continuing to market to that customer within the relevant channel and scope.</li>
<li>Require exceptions to be approved and documented with reference to the wording, date, source, scope, and channel of the consent relied on.</li>
<li>Allocate responsibility for suppression management to a defined business owner supported by legal, compliance, marketing operations, and data governance, rather than allowing consent status to be managed inconsistently across marketing, sales, customer service, compliance, and outsourced call centre teams.</li>
<li>Treat third-party lead lists as high-risk data assets and do not use them unless the origin, wording, scope, date, and transferability of the relevant consent can be verified before use, and the data have been screened against the Registry and other applicable suppression requirements.</li>
<li>Retain an audit trail showing how conflicts between consent records, Registry status and POPIA objections were identified, escalated, and resolved.</li>
</ol>
<p>Until clearer regulatory or judicial guidance emerges, businesses engaging in direct marketing may need to adopt more conservative suppression frameworks. In practice, this may require organisations to treat pre-emptive block-based suppression rights as potentially overriding historical consent records unless the business can demonstrate a well-documented and defensible basis for continuing to market within the relevant channel and scope.</p>
<p>The post <a href="https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/">Your customer consented to direct marketing &#8211; but can you still contact them after they have registered on the National Opt-Out Registry?</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/your-customer-consented-to-direct-marketing-but-can-you-still-contact-them-after-they-have-registered-on-the-national-opt-out-registry/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Do not call me I&#8217;ll call you …… South Africa’s 2026 CPA Amendment Regulations: operationalising the national opt‑out regime for direct marketing and shifting day‑to‑day anti‑spam responsibility to the National Consumer Commission</title>
		<link>https://werksmans.com/do-not-call-me-ill-call-you-south-africas-2026-cpa-amendment-regulations-operationalising-the-national-opt%e2%80%91out-regime-for-direct-marketing-and-shifting-day/</link>
					<comments>https://werksmans.com/do-not-call-me-ill-call-you-south-africas-2026-cpa-amendment-regulations-operationalising-the-national-opt%e2%80%91out-regime-for-direct-marketing-and-shifting-day/#respond</comments>
		
		<dc:creator><![CDATA[Ahmore Burger-Smidt]]></dc:creator>
		<pubDate>Fri, 17 Apr 2026 13:01:45 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25558</guid>

					<description><![CDATA[<p>by Ahmore Burger-Smidt, Director and Head of Regulatory The Consumer Protection Act Amendment Regulations, 2026 deliver the long‑awaited operational framework for South Africa’s statutory opt‑out regime by establishing a National Consumer Commission ("NCC") administered opt‑out registry, mandating direct‑marketer registration and annual renewal, imposing monthly “cleansing” of marketing databases against the registry, and prohibiting marketing to  [...]</p>
<p>The post <a href="https://werksmans.com/do-not-call-me-ill-call-you-south-africas-2026-cpa-amendment-regulations-operationalising-the-national-opt%e2%80%91out-regime-for-direct-marketing-and-shifting-day/">Do not call me I&#8217;ll call you …… South Africa’s 2026 CPA Amendment Regulations: operationalising the national opt‑out regime for direct marketing and shifting day‑to‑day anti‑spam responsibility to the National Consumer Commission</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Ahmore Burger-Smidt, Director and Head of Regulatory</em></p>
<p>The Consumer Protection Act Amendment Regulations, 2026 deliver the long‑awaited operational framework for South Africa’s statutory opt‑out regime by establishing a National Consumer Commission (&#8220;<strong>NCC</strong>&#8221;) administered opt‑out registry, mandating direct‑marketer registration and annual renewal, imposing monthly “cleansing” of marketing databases against the registry, and prohibiting marketing to consumers who have registered a pre‑emptive block, with immediate effect from 15 April 2026.</p>
<p>In short, the practical machinery to curb unsolicited electronic marketing under the CPA is finally in force.</p>
<p>While privacy enforcement under other statutes remains important in the broader ecosystem, these Regulations make clear that, within the Consumer Protection Act (&#8220;<strong>CPA</strong>&#8221;) framework, the NCC now has custody of the national opt‑out registry and the associated compliance lifecycle for direct marketers, thereby addressing persistent concerns about spam calls and messages.</p>
<p>The Regulations are issued by the Minister of Trade, Industry and Competition under section 120(1)(a), read with section 11(6), of the CPA, following consultation with the NCC and provincial consumer regulatory authorities, which situates the new regime squarely within the CPA’s consumer rights to restrict unwanted direct marketing. The Regulations amend the 2011 Consumer Protection Act Regulations by adding three annexures, reflected as Annexures N, O and P, which supply the operative forms and tariff schedules required to run a functioning opt‑out and direct‑marketer registration system. The amended Regulations state expressly that they come into effect on the date of publication of the Notice, which means the obligations and processes described are already live as of 15 April 2026.</p>
<p>The reliance on section 11(6) is significant because section 11 of the CPA addresses a consumer’s right to restrict unwanted direct marketing, and the amendments implement the mechanics for that right through a Commission‑run registry, rather than leaving it as an unenforced principle.</p>
<p>The Regulations introduce a defined concept of “<em>cleansing</em>”, which is described as the process of removing consumers who have opted‑out of electronic communication from a direct marketer’s database to ensure they are no longer contacted. This is important because it transforms the opt‑out right into a recurring operational duty on marketers. The term “direct marketer” is expressly defined to capture any person who engages in direct marketing, thereby pulling both traditional and digital outreach actors within the compliance perimeter regardless of specific channel. The Regulations also define an “electronic communication recipient” as a consumer who receives electronic communication from a direct marketer and has registered a pre‑emptive block, which clarifies that registry protection attaches to recipients who have taken the step to opt‑out.</p>
<p>The pivotal instrument for exercising that protection, “pre‑emptive block”, is defined as registering a block on the opt‑out registry established by the Commission to prevent unwanted electronic communications from direct marketers.</p>
<p>Collectively, these definitions move compliance from general notions of consent and preference into a concrete taxonomy that underpins duties to register, verify, and purge marketing databases against the official registry.</p>
<p>The amended Regulation 4 makes clear that the opt‑out registry is administered by the Commission, and it must be accessible at all times, save for unforeseen technical interruptions, to all persons in the Republic for the purpose of registering a pre‑emptive block, which positions the NCC as the operational hub and guarantees public access to exercise the opt‑out right. The Regulations require direct marketers to register on the Commission’s opt‑out registry using the dedicated Direct Marketer Registration Form, which internalises a single point of onboarding into the system for all entities engaging in direct marketing. A corresponding Consumer Pre‑emptive Block Form specifies the data elements a consumer must provide to register a pre‑emptive block, embedding a standardised, recordable process for opt‑outs. To preserve integrity and privacy of registry information, the Commission must use information it receives solely to operate the opt‑out registry and may not disclose confidential information without consent, except where required by law, which both limits secondary use and recognises lawful disclosure obligations. The Commission is also obliged to verify all information submitted for registration with other relevant state organs before registering profiles, to publish guidance on its website for consumers and direct marketers on how to use the registry, and to inform the public if the registry is unavailable for 24 hours or more, which together create a governance framework for accuracy, transparency and service continuity.</p>
<p>At its core, the Regulations impose a hub‑and‑spoke compliance model in which every direct marketer must register on the opt‑out registry and must renew that registration annually on the anniversary date by paying the prescribed renewal fee, thereby ensuring that only current, identified entities interface with consumers for direct marketing. Each direct marketing communication must enable the recipient to identify the name, electronic address, physical address and contact number of the direct marketer, and any communication transmitted to a recipient’s device must itself be identifiable, which elevates transparency and traceability across channels. The marketer must ensure that information kept on the opt‑out registry is up to date, must be identifiable even on public platforms, and may not disseminate electronic communication from a public platform where the originator is unidentifiable, which closes anonymity loopholes in social or messaging contexts. A categorical prohibition is placed on direct marketing to any consumer who has registered a relevant pre‑emptive block, and marketers may not contact any consumer for purposes of direct marketing unless the marketer is registered on the opt‑out registry, which together create both a substantive contact bar to protect opted‑out consumers and a procedural registration gate for all outbound marketing activity. Crucially, marketers must remove from their databases all data of persons who have registered a relevant pre‑emptive block by “<em>cleansing</em>” such data monthly with the Commission, translating the opt‑out registry into a recurring data‑hygiene obligation rather than a one‑off scrub.</p>
<p>For marketing teams, the immediate implication is that registration on the NCC’s opt‑out registry is now a gatekeeping requirement for any direct marketing contact, and failure to register forecloses lawful outreach regardless of consent arrangements a marketer may believe it holds, because contact is prohibited unless the marketer is registered. Transparency rules requiring identification of the marketer and contact details in every electronic communication, and prohibitions on unidentifiable dissemination from public platforms, will make it harder for bad actors to hide behind generic handles or anonymous broadcasts when engaging in promotional outreach. From a consumer‑experience perspective, universal public access to register pre‑emptive blocks, combined with Commission website guidance and uptime communication commitments, creates the infrastructure necessary for scale adoption of opt‑out protections, which should, in practice, reduce unsolicited electronic marketing as registry coverage expands.</p>
<p>Organisations engaging in any form of direct marketing should register on the NCC opt‑out registry without delay, and templates for electronic communications should be updated immediately. Consumers who wish to cease unsolicited electronic marketing can complete the Annexure O form to register a pre‑emptive block and should keep their registry information current to maintain effective protection, in line with Commission guidance available on its website.</p>
<p>The message is clear: responsibility for curbing unsolicited direct marketing is now distributed through a concrete CPA compliance machinery anchored by the NCC’s opt‑out registry, and marketers must adapt their processes immediately to the new rule set.</p>
<p>The post <a href="https://werksmans.com/do-not-call-me-ill-call-you-south-africas-2026-cpa-amendment-regulations-operationalising-the-national-opt%e2%80%91out-regime-for-direct-marketing-and-shifting-day/">Do not call me I&#8217;ll call you …… South Africa’s 2026 CPA Amendment Regulations: operationalising the national opt‑out regime for direct marketing and shifting day‑to‑day anti‑spam responsibility to the National Consumer Commission</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/do-not-call-me-ill-call-you-south-africas-2026-cpa-amendment-regulations-operationalising-the-national-opt%e2%80%91out-regime-for-direct-marketing-and-shifting-day/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The AI Governance Stack and South Africa&#8217;s Draft National AI Policy: An Operational Gap in Search of a Framework</title>
		<link>https://werksmans.com/the-ai-governance-stack-and-south-africas-draft-national-ai-policy-an-operational-gap-in-search-of-a-framework/</link>
					<comments>https://werksmans.com/the-ai-governance-stack-and-south-africas-draft-national-ai-policy-an-operational-gap-in-search-of-a-framework/#respond</comments>
		
		<dc:creator><![CDATA[Ahmore Burger-Smidt]]></dc:creator>
		<pubDate>Tue, 14 Apr 2026 13:09:16 +0000</pubDate>
				<category><![CDATA[Legal updates and opinions]]></category>
		<category><![CDATA[Regulatory]]></category>
		<guid isPermaLink="false">https://werksmans.com/?p=25537</guid>

					<description><![CDATA[<p>by Ahmore Burger-Smidt, Director and Head of Regulatory Author's Note I am presently reading Noah M Kenney's Governing Intelligence: Law, Privacy, Security, and Compliance,[1] and it has given me genuine cause to reflect, which I suspect was precisely the author's intention. The book lands at a time when South Africa has published its own Draft  [...]</p>
<p>The post <a href="https://werksmans.com/the-ai-governance-stack-and-south-africas-draft-national-ai-policy-an-operational-gap-in-search-of-a-framework/">The AI Governance Stack and South Africa&#8217;s Draft National AI Policy: An Operational Gap in Search of a Framework</a> appeared first on <a href="https://werksmans.com">Werksmans Attorneys</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>by Ahmore Burger-Smidt, Director and Head of Regulatory</em></p>
<p><strong>Author&#8217;s Note</strong></p>
<p>I am presently reading Noah M Kenney&#8217;s <em>Governing Intelligence: Law, Privacy, Security, and Compliance</em>,<a href="#_ftn1" name="_ftnref1">[1]</a> and it has given me genuine cause to reflect, which I suspect was precisely the author&#8217;s intention. The book lands at a time when South Africa has published its own Draft National Artificial Intelligence Policy,<a href="#_ftn2" name="_ftnref2">[2]</a> opening a public comment period on what is intended to become the foundational instrument for AI governance in this jurisdiction.</p>
<p>The timing is fortunate. Kenney&#8217;s central thesis, that AI governance must be understood and implemented as a structured, layered, interdependent system, throws into sharp focus both the ambitions and the shortcomings of South Africa&#8217;s Draft Policy.</p>
<p>What follows is an attempt to read the Draft Policy through the organising framework at the heart of Kenney&#8217;s text, the AI Governance Stack, and to consider whether South Africa&#8217;s proposed approach is structurally adequate for the task it sets itself.</p>
<p><strong>The AI Governance Stack as an Organising Discipline</strong></p>
<p>Kenney&#8217;s AI Governance Stack is a five-layer operational model, drawn from a decade of practical implementation work across regulated industries.<a href="#_ftn3" name="_ftnref1">[3]</a> Built from the base upward, it comprises:</p>
<ul>
<li><strong>Layer 1</strong> (Data Governance) comprising data inventory, quality management, bias assessment, provenance tracking, and consent mechanisms;</li>
<li><strong>Layer 2</strong> (Model Governance) focusing on architecture review, fairness testing, robustness evaluation, interpretability, and model documentation;</li>
<li><strong>Layer 3</strong> (System Integration Governance), considering integration architecture, pipeline security, cascading failure analysis, human-AI interaction design, and boundary condition testing;</li>
<li><strong>Layer 4</strong> (Control and Monitoring Governance) addressing access controls, performance monitoring, anomaly detection, incident response, and deployment governance; and</li>
<li><strong>Layer 5</strong> (Audit and Evidence Governance) calling for documentation standards, evidence preservation, audit mechanisms, regulatory reporting, and stakeholder communication.<a href="#_ftn4" name="_ftnref2">[4]</a></li>
</ul>
<p>The framework&#8217;s real force lies in its insistence on cascading dependency.</p>
<p>Each layer of Kenney&#8217;s AI Governance Stack creates the foundation for the one above it, and Kenney points out that a governance failure at Layer N cannot be fully remediated at Layer N+1.<a href="#_ftn5" name="_ftnref3">[5]</a> This is not simply an architectural preference. It is a testable operational claim: piecemeal governance, attending to audit whilst neglecting data quality, or monitoring without model documentation, will produce governance that is structurally unsound, no matter how many resources are thrown at it.<a href="#_ftn6" name="_ftnref4">[6]</a> This is in fact true for any form of regulatory compliance.</p>
<p>The practical upshot, which Kenney demonstrates through a detailed walkthrough of an AI credit decision system, is that each layer must have exactly one primary organisational owner and that governance must be sequenced to follow the dependency chain.<a href="#_ftn7" name="_ftnref5">[7]</a> Done properly, the Stack transforms governance from a set of aspirational commitments into something closer to an executable specification, with defined requirements, thresholds, decision rules, and verification criteria.<a href="#_ftn8" name="_ftnref6">[8]</a></p>
<p><strong>South Africa&#8217;s Draft Policy: Ambition Without Architecture</strong></p>
<p>There is much to celebrate in the Draft Policy. It is rightly anchored in the Constitution of the Republic of South Africa, 1996, and expressly provides that AI must not be used to violate the rights enshrined in sections 9 (equality), 10 (human dignity), 14 (privacy), 16 (freedom of expression), and 33 (just administrative action), amongst others.<a href="#_ftn9" name="_ftnref7">[9]</a> It identifies the Protection of Personal Information Act 4 of 2013 (POPIA), the Cybercrimes Act 19 of 2020, and the Promotion of Access to Information Act 2 of 2000 as part of the legislative architecture within which AI governance must operate.<a href="#_ftn10" name="_ftnref8">[10]</a> It goes further still, proposing the establishment of a National AI Commission, an AI Ethics Board, an AI Regulatory Authority, an AI Ombudsperson Office, a National AI Safety Institute, and an AI Insurance Superfund modelled on the Road Accident Fund.<a href="#_ftn11" name="_ftnref9">[11]</a></p>
<p>These are serious institutional commitments that should not be dismissed. But when one measures them against the operational specificity of the Governance Stack, a conspicuous gap opens up. The Draft Policy proceeds largely at the level of principles and institutional mandates. It sets out six key principles of responsible AI, fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability, and proposes embedding these across the AI lifecycle.<a href="#_ftn12" name="_ftnref10">[12]</a> It calls for &#8220;sufficient explainability&#8221; and &#8220;sufficient transparency&#8221; in high-risk systems.<a href="#_ftn13" name="_ftnref11">[13]</a> It contemplates risk-based classification, drawing some inspiration from the European Union AI Act.<a href="#_ftn14" name="_ftnref12">[14]</a></p>
<p>What it does not do is specify the operational infrastructure through which any of these principles can be enforced. One looks in vain for anything equivalent to the Stack&#8217;s requirement that organisations maintain data catalogues with provenance records documenting origin, transformations, and lineage, or its mandatory quality thresholds (completeness at 95 per cent, accuracy at 98 per cent for labelled data, cross-source consistency at 90 per cent), below which data must not be used for model training without documented exception approval.<a href="#_ftn15" name="_ftnref13">[15]</a> Cascading failure analysis, circuit breaker requirements for systems with downstream dependencies, boundary condition testing protocols: none of these features in the Draft Policy.<a href="#_ftn16" name="_ftnref14">[16]</a> The Policy&#8217;s reference to &#8220;AI-specific data governance frameworks that ensure provenance, quality control, and interoperability of datasets&#8221; reads as aspiration, not specification.<a href="#_ftn17" name="_ftnref15">[17]</a></p>
<p><strong>Key Tensions and Risks</strong></p>
<p>Three tensions in the Draft Policy deserve close scrutiny.</p>
<p>The first concerns accountability. The Draft Policy&#8217;s treatment of it is structurally incomplete. It provides that &#8220;organisations must take responsibility for the outcomes of their AI systems&#8221; and that &#8220;accountability must ultimately point to an attributable official or entity.&#8221;<a href="#_ftn18" name="_ftnref16">[18]</a> That is necessary, but it is not enough. Kenney&#8217;s point is that diffuse accountability is the primary organisational failure mode in AI governance. The remedy is to assign determinate accountability at each Stack layer: data stewards at Layer 1, ML engineering leads at Layer 2, platform and infrastructure teams at Layer 3, security and operations teams at Layer 4, and compliance and legal teams at Layer 5.<a href="#_ftn19" name="_ftnref17">[19]</a> Without that degree of granularity, the Draft Policy&#8217;s accountability requirement risks becoming what Kenney aptly terms a &#8220;compliance fiction&#8221;, formally satisfied but operationally hollow.</p>
<p>The second tension arises from the Draft Policy&#8217;s reliance on POPIA as the primary data governance instrument for AI, which is, at best, partial. POPIA&#8217;s conditions for lawful processing, including purpose limitation (section 13), minimality (section 10), and security safeguards (section 19), were simply not designed with the demands of AI training data in mind. The friction between data minimisation and the data-hungry requirements of machine learning model training, which Kenney identifies as a fundamental governance challenge under the analogous provisions of the GDPR,<a href="#_ftn20" name="_ftnref18">[20]</a> is not acknowledged in the Draft Policy. Nor does the Draft Policy grapple with how section 71 of POPIA, which governs automated decision-making, will interact with the proposed AI Ombudsperson&#8217;s jurisdiction or the AI Regulatory Authority&#8217;s audit mandate.<a href="#_ftn21" name="_ftnref19">[21]</a></p>
<p>The third tension is regulatory fragmentation. The Draft Policy proposes an elaborate institutional architecture involving the DCDT, ICASA, the Information Regulator, the Competition Commission, the South African Reserve Bank, and the Financial Sector Contingency Forum, among others.<a href="#_ftn22" name="_ftnref20">[22]</a> Kenney&#8217;s argument on this point is direct: the Governance Stack provides a unified architecture through which organisations can satisfy the requirements of multiple regulators by means of a single layered governance system, rather than maintaining separate compliance programmes for each.<a href="#_ftn23" name="_ftnref21">[23]</a> Without a unifying operational framework, the Draft Policy&#8217;s multi-regulator model risks imposing precisely the kind of compliance fragmentation that the Stack was designed to resolve.</p>
<p><strong>A Considered View</strong></p>
<p>What, then, should organisations operating in or entering the South African market actually be doing?</p>
<p>It is submitted that the Draft Policy should be treated as a signal of regulatory direction, not as a governance blueprint. Its principles are sound and its institutional ambitions are genuine. But the operational gap between principle and implementation is wide, and organisations that wait for the regulatory apparatus to mature before building their own governance frameworks will find themselves badly exposed. If the EU AI Act teaches us anything, and Kenney documents this in considerable detail, it is that compliance costs compound rapidly when governance is retrofitted rather than designed in from the outset.<a href="#_ftn24" name="_ftnref22">[24]</a></p>
<p>Organisations would be well advised, now, to map their AI systems against the five layers of the Governance Stack, assign primary ownership at each layer, and begin building the documentation, testing, and monitoring infrastructure that any competent regulator will eventually demand.<a href="#_ftn25" name="_ftnref23">[25]</a> They should ensure that their data governance practices satisfy POPIA&#8217;s existing requirements whilst also anticipating the more demanding standards that the Draft Policy foreshadows.<a href="#_ftn26" name="_ftnref24">[26]</a> And they should engage meaningfully with the public comment process, not merely to protect commercial interests, but to press for the kind of operational specificity that separates effective governance from well-intentioned aspiration.</p>
<p>If Kenney&#8217;s book can be reduced to a single proposition, it is that governance must be engineered, not merely declared.<a href="#_ftn27" name="_ftnref25">[27]</a></p>
<p>South Africa&#8217;s Draft Policy has declared its intentions. The engineering remains to be done.</p>
<hr />
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Kenney NM <em>Governing Intelligence: Law, Privacy, Security, and Compliance</em> (Digital 520 2026).</p>
<p><a href="#_ftnref2" name="_ftn2">[2]</a> Draft South Africa National Artificial Intelligence (AI) Policy (March 2026) published in GG 54477 of 10 April 2026.</p>
<p><a href="#_ftnref3" name="_ftn1">[3]</a> Kenney (n 1) page 22.</p>
<p><a href="#_ftnref4" name="_ftn2">[4]</a> Kenney (n 1) page 22–25.</p>
<p><a href="#_ftnref5" name="_ftn3">[5]</a> Kenney (n 1) page 18–19; see also page 25 (&#8220;Failure at any layer cascades upward; governance cannot be implemented piecemeal&#8221;).</p>
<p><a href="#_ftnref6" name="_ftn4">[6]</a> Kenney (n 1) page 30.</p>
<p><a href="#_ftnref7" name="_ftn5">[7]</a> Kenney (n 1) page 26–28.</p>
<p><a href="#_ftnref8" name="_ftn6">[8]</a> Kenney (n 1) page 30.</p>
<p><a href="#_ftnref9" name="_ftn7">[9]</a> Constitution of the Republic of South Africa, 1996, section 9, 10, 14, 16, 33; Draft AI Policy (n 2) page 8.</p>
<p><a href="#_ftnref10" name="_ftn8">[10]</a> Protection of Personal Information Act 4 of 2013; Cybercrimes Act 19 of 2020; Promotion of Access to Information Act 2 of 2000; Draft AI Policy (n 2) page 7.</p>
<p><a href="#_ftnref11" name="_ftn9">[11]</a> Draft AI Policy (n 2) page 26–27.</p>
<p><a href="#_ftnref12" name="_ftn10">[12]</a> Draft AI Policy (n 2) page 62.</p>
<p><a href="#_ftnref13" name="_ftn11">[13]</a> Draft AI Policy (n 2) page 35–36.</p>
<p><a href="#_ftnref14" name="_ftn12">[14]</a> Draft AI Policy (n 2) page 36; cf Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (EU AI Act).</p>
<p><a href="#_ftnref15" name="_ftn13">[15]</a> Kenney (n 1) page 23, 27.</p>
<p><a href="#_ftnref16" name="_ftn14">[16]</a> Kenney (n 1) pages 24, 32–33.</p>
<p><a href="#_ftnref17" name="_ftn15">[17]</a> Draft AI Policy (n 2) page 53.</p>
<p><a href="#_ftnref18" name="_ftn16">[18]</a> Draft AI Policy (n 2) page 58.</p>
<p><a href="#_ftnref19" name="_ftn17">[19]</a> Kenney (n 1) page 20, 26.</p>
<p><a href="#_ftnref20" name="_ftn18">[20]</a> Kenney (n 1) page 258; see also Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) art 5(1)(c).</p>
<p><a href="#_ftnref21" name="_ftn19">[21]</a> POPIA section 71; Draft AI Policy (n 2) page 72, 26.</p>
<p><a href="#_ftnref22" name="_ftn20">[22]</a> Draft AI Policy (n 2) page 28, 61.</p>
<p><a href="#_ftnref23" name="_ftn21">[23]</a> Kenney (n 1) page 123, 154.</p>
<p><a href="#_ftnref24" name="_ftn22">[24]</a> Kenney (n 1) page 26; see also Regulation (EU) 2024/1689 (EU AI Act).</p>
<p><a href="#_ftnref25" name="_ftn23">[25]</a> Kenney (n 1) page 22, 26–28.</p>
<p><a href="#_ftnref26" name="_ftn24">[26]</a> Draft AI Policy (n 2) page 55–56; POPIA section 10, 13, 19.</p>
<p><a href="#_ftnref27" name="_ftn25">[27]</a> Kenney (n 1) page 30.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://werksmans.com/the-ai-governance-stack-and-south-africas-draft-national-ai-policy-an-operational-gap-in-search-of-a-framework/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
