Fintech Lawyer in South Africa

Payment platforms, lending tech, crypto, robo-advisors. The seven regulatory regimes that shape every SA fintech engagement — and the contract stacks that hold up against the FSCA, Information Regulator, and FIC.

Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer

South African fintech sits within an unusually thick regulatory framework. Beyond the universal SA tech-law overlay — POPIA, ECTA, Cybercrimes Act, Consumer Protection Act, Copyright Act — fintech-specific layers add: FAIS for advice-giving services; NCA for credit and lending; FICA for AML/KYC obligations; POCDATARA for sanctions and terror financing; SARB exchange-control for cross-border payments; and (looming) the COFI Bill reorganising the conduct framework. The Information Regulator increasingly treats financial data as special personal information requiring heightened safeguards. Contract stacks for production-grade fintech: R45,000–R75,000; ongoing retainer R8,000–R15,000/month.

The regulatory overlay for SA fintech

POPIA (Protection of Personal Information Act 4 of 2013)

Mandatory operator agreements (s 21); 72-hour breach notification (s 22); cross-border transfer restrictions (s 72); enhanced rules for "special personal information" including financial data.

FAIS (Financial Advisory and Intermediary Services Act 37 of 2002)

Licensing requirements for advice-giving fintech; representative supervision; record-keeping obligations. Technology vendors to FSPs face operational-risk scrutiny.

NCA (National Credit Act 34 of 2005)

Lending and credit-extension fintech faces NCA registration, affordability assessments, prescribed disclosures, and protection-from-reckless-lending obligations.

FICA (Financial Intelligence Centre Act 38 of 2001)

AML/KYC obligations on accountable institutions; ongoing CDD; suspicious-transaction reporting. Affects payment fintech, crypto, savings products.

POCDATARA (Protection of Constitutional Democracy Against Terrorist and Related Activities Act)

Sanctions screening obligations; UN Security Council list compliance; targeted financial sanctions framework.

ECTA + Cybercrimes Act

Electronic transaction validity (ECTA s 22); section 43 disclosures; section 54 Cybercrimes Act reporting for financial institutions on cyber incidents (72-hour SAPS notification).

SARB exchange control

Cross-border payment processing, authorised-dealer requirements, currency-conversion compliance for any payment fintech moving funds across SA borders.

Frequently asked

Does our fintech need to be FAIS-licensed?

It depends on what your platform does. Pure infrastructure (payment processing, data analytics, banking-as-a-service rails) typically does not require an FSP licence. Advice-giving fintech (robo-advisors, retirement-planning tools, investment recommendations) typically does. Intermediary services (effecting transactions for clients in respect of financial products) typically does. The line is blurry; FSCA guidance has expanded over recent years.

What is the difference between a responsible party and an operator for a payment fintech?

A payment fintech is usually both. Responsible party in relation to its own merchant customers and end-user data it determines processing for; operator in relation to data passing through its rails on behalf of merchants. The dual role requires careful contractual structuring — typically the master commercial agreement deals with responsible-party obligations, and a separately-executed Data Processing Agreement covers the operator obligations.

How does POPIA section 72 apply to a SA fintech using AWS or Azure infrastructure overseas?

Section 72 restricts cross-border transfers of personal information unless: (i) the recipient is subject to a binding agreement providing protection substantially similar to POPIA; (ii) the data subject consents; (iii) the transfer is necessary for the contract. Major cloud providers (AWS, Azure, GCP) now offer SA regions (Cape Town, Johannesburg) — keeping data in-country eliminates the section 72 issue. For data flowing offshore, the cloud provider's POPIA-aligned Data Processing Addendum must be in place.

What POPIA obligations apply to crypto / digital-asset platforms?

Standard POPIA obligations apply — operator agreements, security measures, breach notification, cross-border restrictions. Special-category-personal-information rules apply to financial data of natural persons. Additionally, the FSCA's Crypto Asset Service Provider (CASP) framework imposes parallel AML/KYC obligations and operational-soundness requirements that interact with the POPIA framework.

What does a fintech-grade contract stack cost?

For a payment-fintech / SaaS hybrid with merchant customers and end-user data: full contract stack (Master Services Agreement + Order Form template + DPA + Merchant Terms + End-User Terms + Privacy Policy + Cookie Policy + AML/KYC schedule) typically R45,000–R75,000 excluding VAT. Annual retainer for ongoing review and regulator interaction R8,000–R15,000/month.

What about the Conduct of Financial Institutions (COFI) Bill?

The COFI Bill is being progressed through Parliament and, when enacted, will reorganise the FAIS / FSCA conduct framework into a single conduct-of-business regime. SA fintech businesses should monitor — substantive conduct obligations are unlikely to change dramatically but the licensing taxonomy will. Our updates flow through to client work as the Bill progresses.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.