South Africa’s financial sector is undergoing a structural transformation that no single policy paper can fully capture. Data is escaping institutional silos. Decisions once made by credit analysts and insurance underwriters are increasingly delegated to algorithms. Contracts that once required legal counterparties and regulated intermediaries now execute themselves on decentralised protocols. And somewhere in a laboratory, a quantum computer is being built that may, within the decade, render the cryptographic foundations of all of this dangerously fragile.

Each of these shifts is, in isolation, a story about technology. Taken together, they represent something far more fundamental: a redistribution of power in financial services — from institutions to data, from intermediaries to code, from regulated entities to permissionless protocols. The question this creates for South African regulators is both urgent and deceptively simple: as power in finance migrates, who ensures that consumer protection, market integrity, and financial stability travel with it?

South Africa is not a passive observer of these changes. Financial exclusion has fallen sharply — from 51% in 2014 to just 12% in 2023, driven largely by the rapid adoption of mobile money services. This progress is hard-won and fragile. As the financial sector adopts artificial intelligence, open data architectures, and decentralised protocols at pace, the risk is not merely that innovation outpaces regulation — it is that the gains of the past decade could be undone by the very tools designed to extend them, if those tools are deployed without adequate governance.

This blog argues that South Africa’s regulatory agenda must be understood as a single, coherent response to the redistribution of financial power across four interconnected layers: data, intelligence, protocol, and infrastructure. Understanding how these layers connect — and where they create gaps that existing frameworks do not yet cover — is the analytical work that will define South Africa’s financial regulatory posture for the decade ahead.

The data layer: who owns your financial life?

Open finance is, at its core, a political question dressed in technical clothing. The question of whether a bank customer has a right to instruct her institution to share her transaction history with a third-party lender, insurer, or savings platform is not merely a question of API standards and data formats. It is a question about ownership, consent, and the appropriate distribution of informational power in a market that has historically concentrated data — and therefore competitive advantage — within a small number of large financial institutions.

The FSCA’s 2024 Open Finance Policy Recommendations[1] represent a significant milestone in South Africa’s response to this question. The paper defines open finance as consent-based financial data sharing and payment initiation to licensed third parties, and recommends a phased approach that would eventually become mandatory — on the grounds that voluntary regimes have consistently failed to generate sufficient coverage or competitive dynamism. This position aligns with the international evidence: the United Kingdom’s experience, cited extensively in the FSCA’s own analysis, demonstrates that mandated open banking generates significantly more innovation and consumer benefit than market-led approaches alone.

But mandating open finance creates its own governance challenges. Consent must be genuine, not buried in terms and conditions that no consumer actually reads. Data minimisation principles must prevent third parties from accumulating financial profiles that extend far beyond what is necessary for the service being provided. And liability frameworks must be clear enough to give consumers meaningful redress when shared data is misused. South Africa’s Protection of Personal Information Act (POPIA) provides important baseline protections, but it was not designed with active, real-time financial data flows in mind. The legislative architecture that bridges POPIA and the emerging open finance regime will be among the most consequential regulatory drafting work of the next five years.

The stakes are asymmetric. When open finance works well, consumers gain access to tailored credit, personalised savings products, and seamless payment experiences. When it works badly — through data breaches, predatory third parties, or poorly designed consent mechanisms — the consumers most exposed are precisely those who have most recently entered the formal financial system and who have the least capacity to absorb a data-driven financial shock. Regulatory design must be calibrated to this asymmetry.

The intelligence layer: when machines decide, who answers?

There is nothing new about data-driven decision-making in financial services. What is new — and genuinely disruptive — is the opacity and speed of the systems now making those decisions.

Modern AI systems in financial services do not merely apply rules. They learn patterns from historical data, generate outputs that their designers cannot always explain, and operate at speeds and scales that make human oversight practically difficult. The Financial Stability Board’s November 2024 report on the financial stability implications of AI[2] identifies this explainability gap as one of the most significant risk factors in the current wave of AI deployment, noting that the lack of transparency in model outputs complicates the ability of financial institutions and supervisors to assess whether AI-driven decisions are appropriate. The same report identifies third-party concentration risk — the dependence of financial institutions on a small number of cloud and AI service providers — as a further systemic vulnerability with the potential to amplify operational shocks across the system.

For South African consumers, the stakes are concrete. An algorithm that systematically underweights the creditworthiness of informal sector workers, or that prices insurance products adversely for customers in historically underserved communities, does not need to be intentionally discriminatory to produce discriminatory outcomes. Bias in training data produces bias in outputs. The question for South African regulators is whether the existing Treating Customers Fairly (TCF) framework, and the forthcoming Conduct of Financial Institutions (COFI) Act, provide sufficient hooks to address this risk — and whether ‘treating customers fairly’ is a standard that can be meaningfully operationalised when the entity making the decision is a model, not a person.

This is what might be termed the “accountability fracture”: the structural gap that opens when AI systems make consequential decisions but the traditional mechanisms for holding decision-makers accountable — human oversight, professional liability, contestable reasoning — are absent or attenuated. Addressing this fracture will require South African regulators to develop AI-specific supervisory methodologies, including requirements for explainability, model validation, algorithmic audit, and consumer redress mechanisms that are fit for purpose in an algorithmic environment. It will also require clarity on which entity — the financial institution deploying the AI, the technology vendor providing the model, or the cloud provider on which it runs — bears responsibility when an algorithmic decision causes consumer harm.

The decentralised layer: when the institution disappears

The first two challenges — data governance and algorithmic accountability — are, at some level, challenges about regulating institutions that are changing. Decentralised Finance (DeFi) poses a more fundamental challenge: it is about regulating activity when the institution itself has disappeared.

In DeFi, financial services — lending, borrowing, trading, earning yield — are provided not by banks or brokers but by smart contracts: code deployed on a blockchain that executes automatically when specified conditions are met. There is no board of directors, no branch manager, no compliance officer. There is, in principle, no entity that can be licensed, supervised, or held accountable in the manner that financial regulation has always assumed.

IOSCO’s December 2023 Final Report with Policy Recommendations for Decentralised Finance[3] acknowledges this challenge directly, while resisting the conclusion that DeFi is therefore unregulable. The report’s core analytical move is to note that, regardless of how decentralised the protocol appears, there are almost always identifiable persons or entities — founders, developers, governance token holders — who exercise real influence over the protocol and who can, in principle, be made subject to regulatory requirements. This “responsible persons” doctrine is pragmatically compelling but legally untested at scale, and raises difficult questions about when participation in protocol governance becomes regulatory accountability.

For South Africa, the DeFi challenge intersects directly with the country’s Crypto Asset Service Provider (CASP) regulatory framework. The framework, which brought CASPs under FSCA oversight as financial service providers, was designed primarily with centralised exchanges in mind. A lending protocol deployed on Ethereum, with no South African nexus beyond the location of its users, sits awkwardly within this architecture. The FATF’s June 2023 targeted update on virtual assets and VASPs[4] found that more than half of the jurisdictions surveyed had taken no steps towards implementing the Travel Rule for virtual assets — pointing to a global pattern of regulatory lag that creates significant opportunities for criminal misuse. South Africa’s exit from the FATF grey list in 2024 represents significant progress on AML/CFT compliance for traditional virtual assets, but the DeFi frontier remains substantially uncovered by existing frameworks.

The regulatory response to DeFi in South Africa will need to be principled rather than reactive. A principles-based approach — focused on the nature of the activity and its risks to consumers and market integrity, rather than on the formal legal structure of the entity providing it — offers the most durable foundation. The principle that the same activity, presenting the same risks, should attract the same regulatory outcomes, regardless of whether it is delivered by a bank, a fintech, or a smart contract, is the correct starting point for that analysis.

The infrastructure layer: the earthquake under the architecture

Every layer described above — open finance APIs, AI model infrastructure, DeFi smart contracts — rests on a single cryptographic foundation. The security of every data-sharing transaction, every algorithmic credit decision, every blockchain record depends on the presumed infeasibility of breaking public-key cryptography.

Quantum computing threatens that presumption. Sufficiently powerful quantum computers would be capable of solving the mathematical problems — prime factorisation, discrete logarithms — that underpin RSA and elliptic curve cryptography, which secure the vast majority of financial transactions globally. The BIS’s 2024 paper on quantum computing and the financial system[5] provides a comprehensive assessment of both the opportunity and risk dimensions, including the “harvest now, decrypt later” threat model, whereby adversaries may already be collecting encrypted data with the intention of decrypting it once sufficiently powerful quantum computers become available.

In August 2024, the National Institute of Standards and Technology (NIST) published three finalised post-quantum cryptography standards — FIPS 203, FIPS 204, and FIPS 205 — based on algorithms designed to withstand quantum attack.[6] This represents a significant milestone, but the transition from current cryptographic standards to post-quantum alternatives is a complex, multi-year process requiring careful planning at both the institutional and systemic level. The BIS’s subsequent 2025 roadmap paper on quantum readiness[7] identifies crypto-agility — the ability of systems to switch cryptographic algorithms rapidly — as a key architectural property that financial institutions should be building into new systems today, even before a cryptographically relevant quantum computer exists.

For South Africa, this carries a specific implication. Quantum risk is not a concern that can safely be deferred until the technology matures. The infrastructure decisions made now — about core banking systems, payment rails, digital identity frameworks, and open finance APIs — will determine how expensive and disruptive the eventual transition to quantum-safe cryptography will be. Regulators and supervisors need to begin engaging with this dimension of systemic risk now, in the form of guidance, supervisory expectations, and industry engagement, before it becomes an emergency.

Regulatory sovereignty in the age of distributed power

The central argument of this blog is that South Africa’s FinTech regulatory agenda — spanning open finance, AI, DeFi, insurtech, connected insurance, and quantum computing — is not a collection of separate technical challenges. It is a single, connected response to a structural shift in where financial power resides.

In the old architecture of finance, power was concentrated in institutions — banks, insurers, asset managers — that were visible, licensed, and accountable. Regulation worked by attaching obligations to those institutions. In the emerging architecture, power is distributed: across data flows, across algorithmic systems, across permissionless protocols, across cryptographic infrastructure. The regulatory question that connects every item on South Africa’s FinTech policy agenda is the same: how do you ensure that as power migrates, the obligations that protect consumers and maintain market integrity migrate with it?

The FSCA and the SARB, operating within the Twin Peaks framework, are better positioned than most regulators to answer this question. The Twin Peaks model gives South Africa a dedicated market conduct regulator focused on consumer outcomes — precisely the kind of outcomes most at risk from the accountability fractures created by AI, DeFi, and data-hungry open finance ecosystems. The task ahead is to build supervisory frameworks that are specific enough to be operationalisable, adaptive enough to keep pace with innovation, and principled enough to ensure that South Africa’s financial sector remains one in which all participants — regardless of their digital literacy or economic standing — are genuinely protected.

The walls of the financial institution are dissolving. The question is not whether to stop them from dissolving. It is whether the regulatory architecture being built today will be strong enough to ensure that, when the walls are gone, what remains is a financial system that still works for ordinary South Africans.