The SARB Prudential Authority and FSCA’s joint AI report, published on 24 November 2025, contains a finding that every South African bank’s board should read carefully. Governance frameworks across financial institutions are uneven. Many institutions rely on existing risk management structures without dedicated AI oversight mechanisms. Forty-one percent of institutions identified lack of explainability and transparency as a constraint on AI deployment. Thirty-seven to thirty-nine percent identified insufficient accountability and governance frameworks as barriers. The report explicitly recommends board-level AI oversight, model risk management, explainability documentation, continuous monitoring, and effective consumer disclosure practices — particularly where AI influences credit and insurance outcomes.

These recommendations are not the aspirational guidance of a regulator commenting on what good practice looks like in other markets. They are the supervisory expectations of the two regulators responsible for South African financial institutions, based on a direct assessment of how AI is actually being deployed in those institutions right now. The report states explicitly that it will form the basis of a discussion paper and further engagement with stakeholders on regulatory and supervisory questions. The direction of travel is clear. The institutions building governance-grade AI before binding requirements follow are investing once. The institutions that wait will invest in remediation under supervision.

What the regulatory framework already requires

South Africa does not have a dedicated AI Act. The regulatory framework is principle-based, with POPIA and existing conduct and prudential obligations providing the binding layer while the SARB and FSCA develop sector-specific AI governance requirements. This is sometimes read as meaning governance requirements are less urgent than in EMEA or ANZ. That reading misunderstands how principle-based regulation works in practice.

POPIA Section 71 is already binding. Automated decisions with legal or significant effects on individuals require additional safeguards: mechanisms allowing the individual to make representations about the decision, and — in the loan rejection context specifically — human review capability and an appeal mechanism. A bank deploying AI credit decisioning without these safeguards is not operating in advance of future requirements. It is currently non-compliant with existing law.

The Financial Advisory and Intermediary Services Act requires that automated advice systems meet standards on human oversight, internal controls, algorithm testing, resource adequacy, and governance. The General Code of Conduct applies equally to AI-driven tools and to human advisers. The Information Regulator has reported nearly 2,000 data breaches in South Africa since April 2025 — a 40% increase from 2024 — and is actively coordinating with the FSCA and PA on data protection enforcement. The Conduct of Financial Institutions Bill, when enacted, will give the FSCA enforcement tools that align with the supervisory direction the joint AI report describes.

Taken together, the binding obligations that already apply and the supervisory direction that the SARB/FSCA have clearly signalled constitute an AI governance requirement that is not theoretical. The question facing South African banks is not whether governance requirements exist. It is how much of the compliance cost will be paid proactively as part of a well-designed AI programme versus reactively under examination or enforcement conditions.

The compliance view and the advantage view produce different institutions

The framing that produces poor outcomes is familiar. Governance is box-ticking for the regulator. Documentation is a cost to build after deployment. Explainability slows model development. Human oversight is a checkbox, not a genuine capability. Institutions operating with this framing consistently find that AI credit models cannot satisfy POPIA Section 71’s human review requirements without expensive architecture changes, that FSCA examination of AI-influenced outcomes produces findings they cannot document their way out of, and that regulators are adversarial because the evidence of sound process is unavailable when it is needed.

The advantage framing produces materially different outcomes specific to the South African context.

Banks that build explainability into AI credit models from the outset — rather than as a retrofit — satisfy POPIA Section 71 requirements as a natural output of how the model was designed. They can produce the specific, auditable reason for every adverse credit decision without human intervention, meeting both the legal requirement and the supervisory expectation the FSCA has articulated. In South Africa’s credit market, where thin-file and informal-sector applicants represent a significant underserved population, the ability to explain and defend AI credit decisions is also the ability to serve segments that banks relying on opaque models effectively exclude. That is a revenue opportunity, not a compliance cost.

Banks that treat audit trails as a data asset find that every logged fraud decision is a labelled training example. In the social engineering and deepfake detection context — where SABRIC has explicitly flagged that AI-generated attacks are escalating — a model that learns continuously from every decision it makes in production will outperform a static model within months. The governance infrastructure that creates this feedback loop is the same infrastructure that satisfies the SARB/FSCA’s monitoring and continuous improvement expectations.

Banks that build governance-grade AI fraud detection before the Rapid Payments Programme reaches scale will have inline scoring infrastructure ready for an irrevocable settlement rail before they need it. The institutions that treat RPP preparation as a genuine architectural exercise — building real-time AI fraud scoring into their payments infrastructure now — will not face the retrofit cost that every other market in this series has documented when real-time payment volumes expose the gap in batch-scoring defences.

The financial difference between these postures follows the same pattern as every other market. Retrofitting POPIA-compliant explainability, FSCA-documented human oversight, and SARB/FSCA governance frameworks into production AI models typically costs three to five times what building them in from the start would have cost. The joint AI report has provided the road map. Institutions that follow it as a design specification are making the lower-cost investment.

Three paths, with a narrowing window on the first

The SARB/FSCA joint report has changed the strategic landscape for AI in South African banking. Before November 2025, an institution could reasonably characterise the governance requirements as aspirational guidance without a clear enforcement timeline. After November 2025, that characterisation is no longer credible. The supervisory direction has been stated, the gaps in current practice have been documented, and the regulators have committed to further engagement that will produce more specific requirements.

The first path is to lead: identify the highest-priority decision — AI social engineering and digital fraud detection — build the governance infrastructure alongside the model, with POPIA-compliant explainability, board-level oversight documentation, and continuous monitoring from day one, and use the first production deployment to establish the internal capability for faster subsequent deployments. Institutions that act now build governance infrastructure before examination scrutiny intensifies, establish regulatory relationships that are cooperative rather than adversarial, and begin accumulating the outcome data that improves model quality continuously. Every month of production data on South Africa’s specific AI-enabled fraud typologies — voice deepfakes, AI-crafted WhatsApp scams, synthetic identity documents — is a month of competitive advantage in detection accuracy that followers cannot buy.

The second path is to follow: wait for further regulatory clarity before committing, watch early movers, continue current investments in traditional fraud prevention while preparing for AI deployment. This path remains viable. Its costs are bounded but real: no first-mover advantage in model quality on the escalating fraud vectors, a regulatory compliance timeline that shortens as the SARB/FSCA discussion paper and subsequent requirements develop, and a talent market for AI governance expertise that is already constrained in South Africa — the joint report notes a shortage of skilled AI professionals as a systemic challenge across the sector.

The third path is to defer: continue with current rule-based and detection systems and revisit when external pressure forces action. SABRIC’s data makes clear that this path is not cost-neutral. Digital banking fraud losses grew 74% in a single year. AI-generated attack vectors are documented and escalating. A rule-based system that could not prevent those losses in 2024 will not prevent a more sophisticated version of the same attacks in 2026. The structural cost disadvantage compounds with every SABRIC annual report. The regulatory gap widens with every month that passes after the SARB/FSCA joint report without a governance response.

South Africa’s big four banks have already demonstrated that meaningful fraud prevention investment produces results — the 18% overall reduction in losses in 2024 is the evidence. The same institutions now face a second and harder challenge: building AI that defends against the fraud vectors their existing infrastructure cannot address, within a governance framework that satisfies regulators who have publicly documented what they expect to see. The institutions that treat those two requirements as a single integrated programme will deliver both at the cost of one.

Part 3 of 3.

Sources

South African Reserve Bank Prudential Authority / Financial Sector Conduct Authority. Artificial Intelligence in the South African Financial Sector — Joint Report. 24 November 2025.

Republic of South Africa. Protection of Personal Information Act (POPIA), 2013. Section 71: Automated Decision-Making.

Republic of South Africa. Financial Advisory and Intermediary Services Act (FAIS). General Code of Conduct.

Financial Sector Conduct Authority. Treating Customers Fairly Principles (TCF). 2025.

Republic of South Africa. Conduct of Financial Institutions (CoFI) Bill. In progress.

South African Banking Risk Information Centre (SABRIC). Annual Crime Statistics 2024. August 2025.

South African Reserve Bank. Payment Ecosystem Modernisation Programme (RPP). sarb.co.za.

Information Regulator South Africa. Data breach statistics 2025.