South Africa’s major banks have demonstrated, over several years of sustained investment, that they can control the fraud vectors they were built to defend against. ATM attacks are down. Card fraud detection has improved. The aggregate financial crime loss figures show an 18% reduction in the most recent annual data from SABRIC. ABSA, FNB/FirstRand, Standard Bank, and Nedbank deserve credit for that result.
The problem is not what those numbers show falling. It is what they show rising. Within that improved aggregate, digital banking fraud incidents rose 86% and digital fraud losses rose 74%, according to SABRIC’s most recent annual statistics. Social engineering cases almost doubled. AI-generated phishing emails, cloned WhatsApp messages, and voice deepfakes impersonating banking officials are now the dominant fraud vectors — and SABRIC has explicitly warned that real-time deepfake audio and video will become common tools in the near term. In November 2025, the SARB’s Prudential Authority and the FSCA published a joint assessment of AI across South Africa’s financial sector that found governance frameworks uneven, explainability absent in many deployed models, and dedicated AI oversight mechanisms missing at most institutions. The detection infrastructure built for the fraud environment that is receding was not designed for the one that is arriving — and the regulatory expectation that institutions address that gap has now been formally stated.
Three pressures are converging on South African banks simultaneously. The fraud threat has shifted to AI-enabled vectors that existing systems cannot detect. The regulator has published its supervisory direction. And South Africa’s Rapid Payments Programme will create an irrevocable settlement rail that makes real-time AI fraud scoring an infrastructure requirement, not an enhancement. Each of these forces alone would justify a fundamental review of how South African banks make decisions. Together they define the strategic context for AI investment over the next several years.
The threat transition: controlling yesterday’s fraud while tomorrow’s accelerates
The reduction in overall financial crime losses reflects meaningful investment across the industry. ATM attacks are down, with cash losses falling substantially. Card fraud detection has improved. SABRIC attributes these results to strengthened industry-wide controls and collaboration — and the trajectory validates that investment. What the aggregate numbers obscure is the composition shift happening beneath them.
What the aggregate numbers obscure is the composition shift. Digital banking now accounts for 65.3% of all reported fraud incidents, and banking apps have become the dominant channel. The fraud that is growing is AI-enabled social engineering — not technical breaches of banking platforms but manipulation of customers into authorising fraudulent transactions themselves. This is a categorically different attack surface from card skimming or ATM bombing, and it requires a categorically different defence. Rules-based systems can identify known fraud patterns against known transaction typologies. They cannot identify a transaction that looks entirely legitimate — because the customer was deceived into authorising it — except through behavioural analysis that detects the anomaly in how the customer is acting, not in what the transaction looks like.
Vehicle Asset Finance fraud illustrates the AI-enabled document forgery dimension. VAF fraud surged nearly 50% in 2024, with potential losses estimated at R23 billion by SABRIC. Fraudsters are using AI-generated documents and synthetic identities to exploit weaknesses in vehicle financing origination. The same AI tools that generate convincing phishing emails generate convincing supporting documentation for credit applications. Rule-based verification systems built around document format checks and bureau lookups are not designed to detect AI-generated forgeries that pass all the format checks and are submitted under synthetic identities that have artificially constructed credit histories.
SABRIC’s warning for 2025 and beyond is specific: real-time deepfake audio and video may become common fraud tools. South African banks that are not building AI behavioural detection — systems that identify the anomaly in how a customer is interacting, not just what they are authorising — are preparing for the fraud environment of three years ago.
The regulatory signal: SARB and FSCA have published their supervisory direction
On 24 November 2025, the South African Reserve Bank’s Prudential Authority and the Financial Sector Conduct Authority published a joint report on artificial intelligence in the South African financial sector — the first assessment of its kind in South Africa’s regulatory history. The report draws on a survey of approximately 2,100 financial institutions conducted in late 2024 and represents the clearest signal yet of how SARB and FSCA intend to supervise AI in banking.
The findings warrant attention. Banks lead AI adoption across the sector at 52% of survey respondents, with payment providers at 50% — but only 10.6% of the financial sector overall currently uses AI in production. Of banks using AI, 45% planned to invest more than R30 million in 2024. Against that investment, the governance picture the report describes is uneven: many institutions rely on existing risk management structures without dedicated AI oversight mechanisms, 41% identified lack of explainability and transparency as a constraint on deployment, and 37 to 39% identified insufficient data access and inadequate accountability and governance frameworks as barriers. Fifty-three percent of staff across financial institutions are not sufficiently trained to use AI systems appropriately.
The report is not legally binding. But it signals supervisory direction in the way that the CFPB’s circulars signalled enforcement direction in the United States before enforcement actions followed, and in the way the FSCA and PA’s public statements on POPIA automated decision-making have shaped bank behaviour without requiring new legislation. The FSCA and PA have stated explicitly that the report will form the basis of a discussion paper and further regulatory engagement. The governance frameworks that the report recommends — board-level AI oversight, model risk management, explainability documentation, continuous monitoring — are the frameworks that will be examined when supervisory engagement intensifies. Banks that build them now are not anticipating an uncertain future requirement. They are responding to a clearly stated current expectation.
POPIA’s Section 71 already creates binding obligations for automated decision-making. In the credit context, this means AI loan rejections require additional safeguards — human review capability and an appeal mechanism — that many AI credit systems in production have not been designed to accommodate. The Conduct of Financial Institutions Bill, when enacted, will strengthen consumer protections further and give the FSCA enforcement tools aligned with the supervisory direction the joint AI report describes.
The Rapid Payments Programme creates the next fraud surface
South Africa’s Rapid Payments Programme is the SARB’s flagship initiative to modernise the national payments landscape — the functional equivalent of FedNow in North America, Pix in Brazil, and the NPP in Australia. When RPP reaches full scale, it will process payments on an irrevocable, real-time settlement basis. The fraud architecture consequence is identical to every other market that has deployed real-time irrevocable payment infrastructure: batch-scoring fraud systems will be unable to prevent losses on the RPP rail, because they make their assessment after the funds have moved.
South Africa is at an earlier stage in this transition than Brazil or Australia, which means there is a window to build real-time AI fraud scoring infrastructure before the irrevocable settlement problem becomes acute rather than in response to it. The banks that build inline AI fraud scoring as part of their RPP readiness programme — rather than as a retrofit after RPP volumes expose the gap — will have the same structural advantage that early movers on FedNow and Pix have over institutions that are now building under operational pressure.
The three pressures together — AI-enabled fraud escalating against a backdrop of controlled traditional crime, a regulatory signal that governance frameworks must improve, and a payment modernisation programme that will create a new real-time fraud surface — define the strategic context for AI investment in South African banking. None of them is a distant risk. SABRIC’s 2024 data is already published. The SARB/FSCA joint report is already in the public domain. RPP development is in progress. The question is whether South African banks build their response on their own terms or under the pressure of escalating fraud losses and supervisory scrutiny.
The addressable value across South African banking
The opportunity for institutions that act is material across four decision categories. The South African market is smaller in absolute terms than North America, EMEA, or APAC, but the trajectory of digital fraud growth and the governance gap documented by the SARB/FSCA report mean the cost of inaction compounds faster here than in markets where the AI transition is more advanced.
| Decision type | Estimated annual value | Basis |
|---|---|---|
| AI-powered fraud detection and prevention | R3–6B | Digital banking fraud losses: R1.888B in 2024, up 74% year-on-year. Social engineering losses: R1.4B+. AI behavioural detection addresses the vector traditional systems cannot. Trajectory suggests losses will continue rising without architectural response. (SABRIC 2024) |
| Credit and VAF fraud prevention | R2–5B | VAF fraud potential losses estimated at R23B. Unsecured credit fraud up 57.6%. AI document verification and synthetic identity detection directly address the primary attack vectors. (SABRIC 2024; industry estimates) |
| AML programme efficiency | R1.5–3B | FICA obligations require transaction monitoring. Rule-based alert systems produce high false positive rates identical to global benchmark. AI reduces analyst burden while improving genuine detection rates. (Industry estimates) |
| RPP real-time fraud prevention | R1–2.5B | Forward-looking: irrevocable settlement on RPP rail creates structural prevention gap for batch-scoring systems. Value realised as RPP volumes grow. Building capability now avoids retrofit cost. (SARB RPP programme; industry estimates) |
| Total | R7.5–16.5B | Ranges reflect uncertainty in market sizing. RPP category is directional pending RPP volume trajectory. All other categories informed by SABRIC primary data and industry benchmarks. |
The sourced floor — fraud detection, credit fraud, and AML efficiency combined — is material and grounded in SABRIC’s published loss statistics. The RPP category is directional, reflecting the forward-looking opportunity rather than current loss data. Institutions should plan the sourced categories as immediate priorities and the RPP category as the infrastructure investment that future-proofs the fraud prevention architecture they are building now.
Part 1 of 3.
Sources
South African Banking Risk Information Centre (SABRIC). Annual Crime Statistics 2024. Published August 2025. South African Reserve Bank Prudential Authority / Financial Sector Conduct Authority. Artificial Intelligence in the South African Financial Sector — Joint Report. 24 November 2025. South African Reserve Bank. Payment Ecosystem Modernisation Programme (RPP). sarb.co.za. Republic of South Africa. Protection of Personal Information Act (POPIA), 2013. Section 71: Automated Decision-Making. Financial Sector Conduct Authority. Treating Customers Fairly Principles (TCF). FSCA, 2025.
