“There has been a substantial increase in the use of enforceable undertakings by the FSCA.” FSCA Regulatory Actions Report, March 2024.
The message from the FSCA is clear – comply or be caught and face the consequences. To help financial advisers meet regulatory requirements, 1Life’s Kobus Wentzel and compliance experts from Masthead and Compli-Serve share the compliance areas financial advisers need to pay attention to in the next six months to avoid suspensions and fines. And remember, the buck stops with senior management and Key Individuals who are ultimately responsible for their FSPs adhering to the relevant legislation and Acts, guidelines, codes of conduct and standards.
Note: Our list is comprehensive but not exhaustive and won’t include every compliance requirement. Always check with your compliance officer for full details of what you need to comply with, how and when.
1. Submit your returns in time
All FSPs need to submit annual financial statements to the FSCA within 4 months of their financial year-end. Category I FSPs who are collecting premiums and all Category II FSPs are also required to submit Form A with details of liquidity calculations twice a year. In the last reporting period, the FSCA suspended a number of licences because annual reports were not submitted.
Top tip: Masthead’s Nikki Thavhana says that you can request extensions via the FAIS online system on the FSCA website. But you must apply at least 15 days before the due dates.
2. Prepare your levy payment details
“FAIS and Ombud levies are usually due by 30 November, but the FSCA confirms the exact date each year,” says Thavhana. “Keep your Representative Register updated, as levies are based on the average number of Key Individuals and Representatives, and report any changes within 15 days.”
3. Review and check the scope of your licence and accreditations
Don’t run the risk of being suspended, fined or debarred because you offered a service or product outside the scope of your licence. Check your licence details and make sure that you are operating within its parameters.
Thavhana says that the FSCA updated the list of recognised qualifications for Category I and II FSPs (as of April 2025) under FAIS Notice 37 of 2025, replacing earlier notices. “The new list includes full and modular qualifications for Category I, and tailored modules for discretionary FSPs in Category II and IIA.” Ryno Volschenk of Masthead adds that FSPs need to make sure that any representatives are accredited for the correct subcategory of products they wish to provide advice or intermediary services in.
Top tip: Also check that your fidelity and/or indemnity insurance is up to date and appropriate for your business and licence.
4. Make sure you have a Risk Management and Compliance Programme (RMCP) in place
“FIC Guidance Note 7A, which came into effect on 13 February 2025, requires accountable institutions to develop a tailored RMCP,” says Thavhana. “The RMCP must include risk identification, mitigation, and monitoring measures, with version control and regular reviews. The guidance emphasises a strong compliance culture and prohibits delegation of accountability for the RMCP’s adequacy and effectiveness. Senior management are responsible for its implementation.”
5. Document your due diligence process
Thavhana says that FSPs must follow a risk-based due diligence process that includes identifying and verifying clients, applying enhanced checks for high-risk individuals, monitoring transactions, and keeping records for five years.
Regulators want proof that you have performed due diligence on clients, suppliers, product providers and employees, and that you have checked beneficial ownership. Compli-Serve’s James George says this cannot just be a vague “we checked them out”. “Document everything,” he says: “Beneficial ownership verification, sanctions and PEP screening and adverse media checks should all be part of your onboarding checklist.”
And make sure you report irregularities. “Suspicious Transaction Reports (STRs) must be accurate, timely, and not resemble the ‘dog-ate-my-homework’ excuse,” says George.
6. Implement cybersecurity measures
In terms of the joint standard on Cybersecurity and Cyber Resilience, Category I and II FSPs are required to implement and maintain cybersecurity measures. “We advise that you seek out professional assistance in implementing the appropriate measures required in terms of the cybersecurity standards,” says Volschenk.
7. Prepare for COFI
“While the Conduct of Financial Institutions (COFI) Bill may still be grinding through Parliament, the FSCA is already expecting FSPs to act like it’s law,” says George. “COFI is about outcomes, not tick-boxes,” he adds.
Thavhana says the Bill will introduce stricter rules around Treating Customers Fairly (TCF), governance, transformation plans and data reporting. “Advisers may also need to update or reapply for licences in terms of the COFI Bill. Prepare now. Starting early will ensure a smooth transition and compliance with the new regulatory framework.”
Key to being COFI-ready is following TCF. “COFI is seen as a codification/formalisation of the TCF principles,” says Volschenk. “Meeting these makes compliance easier.”
“The FSCA wants to see them embedded in your client journey — not just pasted onto your website as lip service,” says George. “That includes advice, disclosures, complaints handling, and product design. If your client touchpoints feel more like a puzzle than a service, you’re not TCF-aligned.”
Make sure you and all agents, representatives and staff are aware of TCF principles and how they are implemented in your business.
8. Review your succession plans
Succession plans are legally required for all FSPs, give clients peace of mind and can enhance the value of your business.
Advisers also need to remember that succession plans aren't just for retirement or disasters, says George. “If you're out of action for a week (illness, family emergency, or - heaven forbid - actual leave), who covers your compliance duties?” he asks. “The FSCA doesn’t accept ‘I was out of office’ as a reason for regulatory lapses. Build a plan. Test the plan. Repeat.”
9. Pay attention to POPIA
Marketing material must be signed off by senior management and meet POPIA regulations. “Under the amended 2025 POPIA regulations, businesses in South Africa must now obtain explicit, written consent before sending direct marketing via unsolicited electronic communication such as email, SMS and WhatsApp,” says Thavhana. “Consent must be a positive action – opt-out or implied consent is no longer valid. Additionally, individuals must be informed of their right to object to marketing at the point of data collection.”
10. Be clear on whether you are educating and informing, or advertising
George says that new conduct standards (effective March 2026) require oversight for financial education initiatives. “If you're sending newsletters, giving talks, or hosting webinars, make sure they’re genuinely educational — not thinly veiled product pushes. The rule here is no branding allowed. If in doubt, ask your compliance officer before your marketing team hits send.”
If you are actively marketing, make sure you give all the required disclosures and health warnings.
Comply now, later will compromise your business
There is no doubt that the compliance burden, and keeping up with the many changes and new requirements, can take time and resources. Work with your compliance officers and partners such as product providers, make sure you follow TCF principles and keep records, and the burden will be manageable. Don’t leave it too late or you could face fines or a suspension. As George says, in the compliance world, prevention is cheaper!
With thanks to our compliance experts: James George, Chief Compliance Officer at Compli-Serve SA; Nikki Thavhana, Masthead Compliance and Practice Management Consultant and Ryno Volschenk, Masthead JHB Regional Manager.