
Payment Institution Readiness in South Africa: A Legal Checklist for Fintechs

  • Writer: Rochelle Mahon
  • Apr 28

If your business moves money, issues stored value, supports merchant payments, facilitates remittances or sits between payer and payee, it is worth asking a harder question:

Is your business legally and operationally ready for South Africa’s evolving payments framework?

South Africa’s payments environment is moving toward a more structured, activity-based and interoperable regulatory model. The SARB has consistently indicated through its Payments Ecosystem Modernisation Programme (PEM) that it aims to support fast, affordable, inclusive and secure digital payments, while creating opportunities for appropriately authorised, registered, designated and/or sponsored non-bank participants and fintechs to participate more directly in the payments ecosystem.


Recent developments relating to the National Payments Utility (NPU), the PayInc transition, the QR+ Standard, the PayShap reset and broader interoperability initiatives further reinforce the direction toward a more modernised, accessible and participation-driven National Payment System.


While the proposed framework remains subject to ongoing regulatory development and implementation, the South African Reserve Bank (SARB) has already published the draft Authorisation Framework and draft Exemption Notice for industry consultation, setting out the proposed regulatory direction for payment activities within the National Payment System (NPS). Following the recent PEM Industry Dialogue held on 9 and 10 April 2026, the PEM team indicated that the finalised activity-based regulatory framework and exemption notice are expected to be published later this year.


For payment businesses, that creates significant opportunity. It also raises the standard for legal, governance, operational, safeguarding and broader regulatory readiness.


This is where many businesses get caught out. A payment solution may be commercially strong and technically sophisticated, but still have weak legal and operational foundations. The draft SARB framework already provides a strong indication of the issues payment institutions and payment participants are likely to need to address, including governance, safeguarding and segregation of client funds, compliance, operational resilience, outsourcing oversight, complaints handling, data governance and broader risk management frameworks.


1. Have you identified the payment activity your business actually performs?


This is the first question to get right.


The draft Payment Activities Exemption Notice identifies specific payment activities such as acquiring payment instructions, issuing electronic money or store of value, issuing payment instruments, third-party payment provision, money remittance, clearing and settlement. It also says those activities may be treated as not constituting “the business of a bank”, but subject to conditions and the broader regulatory framework.


That means the real question is not whether your business calls itself a fintech. The real question is what payment activity your business actually performs.


Self-audit: Can you clearly describe your payment activity in legal and operational terms?


2. Is your governance structure ready for real scrutiny?


A founder-led business is not automatically a governance-ready business.


The draft authorisation framework says the governing body must ensure that a payment institution has an independent, permanent and effective compliance function. It also says the internal audit function must provide independent assurance on internal controls, risk management, compliance and corporate governance.


In practice, this means your governance cannot live only in presentations or informal processes. It needs to exist on paper and in operation.


Self-audit: Would your governance structure look credible to a regulator, bank or investor reviewing your business today?


3. Are your directors and key persons fit and proper?


The draft framework places clear emphasis on the people behind the business.


It says payment institutions must develop and maintain fitness and propriety policies and procedures, define the criteria for directors and key persons, conduct periodic assessments, and retain enough documentation to demonstrate those assessments. It also requires steps to be taken if a director or key person no longer meets the fit-and-proper standard.


Self-audit: Could you evidence, on file, why your directors and key persons are suitable for their roles?


4. Can you show real compliance and risk controls?


The draft framework says payment institutions must maintain effective policies, procedures and controls for the timeous reporting of unusual or suspicious transactions. It also requires details of risk management measures, including security controls and mitigation measures to protect payers, payees and the national payment system from cyber incidents, fraud and the illegal use of personal data.


That means broad statements are not enough. You need documented controls, reporting lines and evidence that those controls actually operate.


Self-audit: If asked today, could you produce your compliance framework, risk controls and escalation procedures?


5. Are client funds properly separated from your own funds?


The SARB’s draft authorisation framework says client funds must be properly identified in the books of the payment institution and held in a segregated bank account for safeguarding purposes. It also states that funds still held beyond the required period must be segregated and deposited into a segregated bank account.


For a payment business, this is not a small technical issue. It goes directly to customer protection, legal risk and operational integrity.


Self-audit: Do your fund flows, contracts and bank arrangements clearly show where client money sits and how it is protected?


6. Are your capital arrangements properly evidenced?


Readiness is not only operational. It is financial too.


The draft framework sets minimum capital requirements for certain payment activities and says applicants must provide evidence of minimum capital based on the source of funding. It also requires ongoing capital to be held consistently, and says that ongoing capital must remain unencumbered.


That means businesses should already know what evidence they have, how capital is held and whether the numbers support the model.


Self-audit: Can you evidence both the source and adequacy of the capital supporting your payment business?


7. Do you control your data and records?


The draft framework says applicants must implement measures to ensure that data and records maintained by a service provider or third party remain the property of the applicant or payment institution. It also requires the names and physical addresses of third parties holding those records to be provided.


In other words, you can outsource systems. You cannot outsource accountability.


Self-audit: If a key service provider failed tomorrow, would you still have clear legal control over your records and payment data?


8. Are your outsourcing arrangements strong enough for a regulated environment?


Outsourcing can improve efficiency. It can also expose legal weaknesses.


The draft framework says payment institutions must establish a service level agreement for all outsourcing arrangements and submit copies to the Reserve Bank within ten business days of signing. It also requires a description of how outsourced functions are monitored and controlled so that internal controls are not impaired.


That matters because many payment businesses rely heavily on external technology, operational support or control functions.


Self-audit: Do your outsourcing agreements and oversight processes show that your business remains in control?


9. Could you explain how complaints and disruption are handled?


The draft framework requires payment institutions to describe their structure and process for handling client complaints, including escalation procedures, service channels and expected time frames for acknowledging, investigating and resolving complaints. It also requires robust business continuity capabilities and disaster recovery planning at the time of application, including plans for disruption, data loss, system failure and other major continuity events.


This is where legal readiness and operational readiness meet.


Self-audit: Could you show, today, how your business handles complaints, outages and continuity risk?


Final thought


Authorisation readiness is not simply about filing an application when the time comes. It is about whether your business is already structured in a way that can support regulation, operational resilience, commercial growth and long-term trust within an increasingly regulated and interconnected payments ecosystem.


The direction of travel is becoming increasingly clear. The SARB’s PEM programme is intended to modernise South Africa’s payments ecosystem, broaden participation and support greater interoperability across the National Payment System, while the draft Exemption Notice and draft Authorisation Framework indicate that broader participation is likely to be accompanied by significantly clearer legal, governance, safeguarding, prudential, operational and compliance expectations.


Businesses that begin preparing early are likely to be in a stronger position to adapt as the framework develops, engage more confidently with banks, sponsors, payment participants and regulators, and build on a foundation that supports sustainable growth, operational scalability and long-term participation within South Africa’s evolving payments landscape.


If you are unsure whether your structure, contracts, fund flows, safeguarding arrangements, governance frameworks or operational controls are appropriately positioned for potential authorisation, registration, sponsorship, participation or broader regulatory scrutiny, Mahon Attorneys can assist in reviewing your business model and identifying legal, regulatory, operational and structuring issues before they become larger compliance or business risks.


FAQs

What is a payment institution in South Africa?

Under the draft framework, a “payment institution” generally refers to a person or entity authorised, registered, designated or otherwise recognised under the proposed regulatory framework to perform one or more listed payment activities within the National Payment System environment.

For most businesses, the key issue is not the label used to describe the business, but whether the business performs a payment activity that falls within the proposed framework.

Do all fintechs need authorisation in South Africa?

Not necessarily. The more important question is whether the business performs a payment activity identified within the framework, such as issuing e-money or stored-value payment products, issuing payment instruments, acquiring payment instructions, third-party payment provision, money remittance, clearing or settlement.

The proposed framework follows an activity-based approach, meaning the legal and regulatory position depends on the actual payment activity being performed rather than how the business markets or describes itself. Depending on the structure and payment activity involved, businesses may need to assess whether authorisation, registration, sponsorship, participation arrangements or other regulatory requirements apply.

Why is segregation of client funds such a major issue?

The draft framework contemplates that client funds must be kept separate from the institution’s own operational and business funds in a designated segregated bank account and clearly identified within accounting records and financial reporting structures.

This goes directly to customer protection, safeguarding obligations, operational integrity and broader legal and regulatory risk. Businesses should also carefully assess whether their operational, contractual and fund-flow arrangements appropriately align with the proposed safeguarding framework and broader National Payment System requirements.

Does authorisation readiness only depend on licensing documents?

No. The draft framework points to a much broader readiness picture that extends beyond a regulatory application process. Governance, fit-and-proper assessments, compliance frameworks, internal audit, operational resilience, outsourcing oversight, risk controls, safeguarding and segregation of client funds, capital adequacy, data governance and complaints handling all form part of the broader regulatory direction contemplated by the framework.

How can Mahon Attorneys help?

Mahon Attorneys assists payment businesses in assessing whether their business structures, contracts, commercial arrangements, governance frameworks and operational controls appropriately align with an increasingly regulated and interoperable payments environment.

This includes advising on the legal and regulatory aspects of payment activities, fund flows, safeguarding arrangements, sponsorship structures, outsourcing models, governance frameworks, commercial agreements, data ownership, operational arrangements and broader readiness for potential authorisation, registration, sponsorship, participation and regulatory scrutiny within the National Payment System.

When should a payment business speak to a lawyer?

Ideally, before launching a new payments product, onboarding merchants or customers, changing fund-flow structures, implementing wallet or stored-value functionality, entering sponsorship or settlement arrangements, outsourcing key operational functions, signing material commercial agreements, or expanding into more regulated payment activities.

Early legal and regulatory input is often significantly more effective than attempting to remediate legal, operational and regulatory risks after a business model is already operational.

