
    IT Compliance for Financial Services Providers: What South African FSPs Need to Know

    Dexani Team · January 22, 2026 · 9 min read

    Running a Financial Services Provider (FSP) in South Africa means navigating a complex web of regulations—and increasingly, those regulations have direct implications for your IT systems. The days of treating technology as a back-office concern are over. Today, your IT infrastructure is a compliance matter, and getting it wrong can cost you your licence.

    The Regulatory Landscape for FSPs

    South African FSPs operate under multiple overlapping regulatory frameworks, each with IT implications:

    Financial Sector Conduct Authority (FSCA)

    The FSCA expects FSPs to maintain adequate operational systems and controls. This includes:

    • Systems capable of maintaining accurate client records
    • Adequate backup and disaster recovery capabilities
    • Controls to prevent unauthorised access to client information
    • Audit trails for all client-facing transactions

    The FSCA's fit and proper requirements extend to your operational capability—if your IT systems can't support compliant operations, you're not fit and proper to hold a licence.

    FAIS Act Requirements

    The Financial Advisory and Intermediary Services Act mandates specific record-keeping requirements:

    • Client records must be maintained for a minimum of five years after the relationship ends
    • Advice records documenting the basis for recommendations must be kept and retrievable
    • Transaction records must be complete, accurate, and tamper-proof
    • Complaint records must be maintained with full audit trails

    Your IT systems must support these requirements—not just store the data, but ensure its integrity, accessibility, and security for the required retention periods.

    POPIA Compliance

    The Protection of Personal Information Act applies to all the client data FSPs handle:

    • Lawful processing — Systems must enforce data handling policies
    • Purpose limitation — Technical controls to prevent data misuse
    • Security safeguards — Appropriate technical measures to protect personal information
    • Data subject rights — Ability to locate, export, and delete individual client data on request
    • Breach notification — Systems to detect breaches and support the 72-hour notification requirement

    For FSPs, POPIA compliance isn't optional—it's a licence condition. The Information Regulator has enforcement powers, and the FSCA takes data protection failures seriously.

    FICA and AML Requirements

    The Financial Intelligence Centre Act requires FSPs to:

    • Verify client identities (FICA documentation)
    • Screen clients against sanction lists
    • Monitor transactions for suspicious activity
    • Report suspicious transactions to the FIC
    • Maintain records for at least five years

    These requirements demand specific IT capabilities—you can't do AML screening manually at scale, and you can't maintain proper audit trails without proper systems.

    Cyber Resilience Requirements

    The FSCA's Joint Standard on Cybersecurity and Cyber Resilience (effective 2024) sets explicit requirements:

    • Cyber risk governance — Board-level oversight of cyber risks
    • Cyber risk management — Documented policies and procedures
    • Cyber resilience — Ability to continue operations during and after cyber incidents
    • Incident response — Documented procedures and regular testing
    • Third-party risk management — Due diligence on IT service providers

    This isn't guidance—it's a binding standard with compliance expectations.

    The IT Systems FSPs Actually Need

    Meeting these requirements demands specific IT capabilities:

    1. Secure Document Management

    FSPs generate and receive mountains of documentation—FICA documents, advice records, policy documents, client correspondence. You need:

    • Centralised document repository — All documents in one searchable system, not scattered across email inboxes and personal drives
    • Version control — Track changes and maintain document history
    • Access controls — Role-based permissions ensuring staff only access what they need
    • Retention management — Automated policies to maintain documents for required periods and dispose of them appropriately afterward
    • Audit trails — Complete logs of who accessed, modified, or deleted documents

    A proper document management system isn't a luxury—it's a compliance requirement.

    2. CRM with Compliance Features

    Your client relationship management system must go beyond basic contact management:

    • Advice record integration — Link advice documentation directly to client records
    • FICA status tracking — Monitor client verification status and document expiry
    • Consent management — Track client permissions for data processing and marketing
    • Complaint handling workflow — Structured process with required escalations and timeframes
    • Regulatory reporting — Generate required reports for FSCA submissions

    Off-the-shelf CRMs designed for general business often lack these FSP-specific features.

    3. Email Security and Archiving

    Email is where most FSP business happens—and where most compliance failures occur:

    • Email archiving — Immutable copies of all email retained for required periods
    • eDiscovery capability — Search and retrieve specific communications when required
    • Encryption — Protect sensitive client information in transit
    • Data loss prevention — Prevent accidental or intentional leakage of client data
    • Phishing protection — FSPs are prime targets for business email compromise

    The FSCA expects you to produce email records during inspections. "We don't have those emails anymore" is not an acceptable answer.

    4. Endpoint Security

    Every laptop, desktop, and mobile device that accesses client data is a potential compliance failure:

    • Endpoint protection — Modern anti-malware that detects sophisticated threats
    • Device encryption — Full-disk encryption on all devices, especially laptops
    • Mobile device management — Control and wipe company data on personal devices
    • Patch management — Keep all systems updated against known vulnerabilities
    • USB and peripheral control — Prevent data exfiltration via removable media

    A stolen laptop containing unencrypted client data is a POPIA breach, an FSCA reportable event, and a reputational disaster.

    5. Network Security

    Your network is the perimeter protecting client data:

    • Business-grade firewall — Not a consumer router with "firewall" marketing
    • Network segmentation — Separate guest WiFi from business systems
    • VPN for remote access — Secure connections for staff working remotely
    • Intrusion detection — Monitor for suspicious network activity
    • Web filtering — Block access to malicious sites and reduce malware risk

    6. Backup and Disaster Recovery

    The FSCA expects business continuity. That means:

    • Regular automated backups — Daily at minimum, more frequently for critical data
    • Offsite backup storage — Survive fire, theft, or ransomware at your primary location
    • Tested recovery procedures — Backups are worthless if you can't restore from them
    • Documented recovery time objectives — Know how long recovery will take and plan accordingly
    • Ransomware resilience — Air-gapped or immutable backups that attackers can't encrypt

    "We lost everything in a ransomware attack" doesn't satisfy your record-keeping obligations.

    7. Access Control and Identity Management

    Control who can access what:

    • Unique user accounts — No shared logins; every action traceable to an individual
    • Strong authentication — Complex passwords plus multi-factor authentication (MFA)
    • Principle of least privilege — Staff access only what they need for their role
    • Access reviews — Regular audits of who has access to what
    • Prompt deprovisioning — Remove access immediately when staff leave

    Shared passwords and generic accounts make audit trails meaningless.

    8. Monitoring and Logging

    You can't prove compliance without evidence:

    • Security event logging — Record authentication attempts, access to sensitive data, and configuration changes
    • Log retention — Maintain logs for appropriate periods (align with your record-keeping obligations)
    • Log protection — Prevent tampering with audit records
    • Alerting — Notify appropriate staff of security events requiring attention
    • Regular review — Actually look at the logs; automated systems only help if someone responds

    The Cost of Non-Compliance

    FSPs who neglect IT compliance face serious consequences:

    Regulatory Penalties

    • FSCA enforcement — Fines, licence conditions, or licence withdrawal
    • POPIA penalties — Fines up to R10 million for serious breaches
    • Administrative costs — Resources consumed responding to regulatory inquiries

    Operational Disruption

    • Inspection failures — Inability to produce required records during FSCA visits
    • Business interruption — Downtime from cyber incidents or system failures
    • Client complaints — Complaints that escalate to the FAIS Ombud attract regulatory attention

    Reputational Damage

    • Client trust — Difficult to recover once lost
    • Industry standing — Word travels fast in the FSP community
    • Competitive disadvantage — Sophisticated clients demand evidence of proper controls

    Building a Compliance-Ready IT Environment

    Getting IT compliance right requires a systematic approach:

    1. Gap Assessment

    Start by understanding where you are:

    • Map current systems against regulatory requirements
    • Identify gaps and vulnerabilities
    • Prioritise based on risk and regulatory urgency

    2. Policy Development

    Document your approach:

    • Information security policy
    • Acceptable use policy
    • Data retention policy
    • Incident response procedures
    • Business continuity plan

    Policies aren't just paperwork—they're evidence of governance that regulators expect to see.

    3. Implementation

    Deploy appropriate systems and controls:

    • Select solutions that meet FSP-specific requirements
    • Configure systems according to security best practices
    • Train staff on proper use and compliance obligations

    4. Ongoing Management

    Compliance isn't a project—it's a continuous process:

    • Regular security assessments and penetration testing
    • Continuous monitoring for threats and anomalies
    • Periodic policy reviews and updates
    • Staff awareness training
    • Incident response drills

    The Case for Managed IT Services

    Most FSPs lack the internal resources to build and maintain compliance-ready IT environments. The expertise required spans security, compliance, and multiple technology domains.

    A managed services provider with FSP experience offers:

    • Compliance expertise — Understanding of FSCA, FAIS, POPIA, and FICA requirements
    • Appropriate solutions — Systems designed for regulated environments
    • Continuous monitoring — 24/7 security oversight
    • Rapid response — Expertise available when incidents occur
    • Documentation — Evidence of controls for regulatory inspections
    • Ongoing guidance — Keep pace with evolving regulatory expectations

    The cost of proper IT support is a fraction of the cost of a compliance failure.

    Conclusion

    For South African FSPs, IT compliance isn't a nice-to-have—it's a licence condition. The FSCA, POPIA, FICA, and the new cyber resilience standards all demand specific IT capabilities that many FSPs currently lack.

    The question isn't whether you can afford proper IT systems and support. The question is whether you can afford the consequences of operating without them.


    Is your IT infrastructure compliance-ready? Dexani helps FSPs build and maintain IT environments that meet regulatory requirements. Contact us for a compliance gap assessment.

    Tags: FSP, FSCA, POPIA, FICA, compliance, financial services
