Most boards we speak to in South African financial services were braced for a directive. What the joint FSCA and SARB Prudential Authority Artificial Intelligence in the South African Financial Sector report delivered instead was a set of supervisory expectations: principles-based, technology-neutral, and addressed to outcomes rather than algorithms. There is no schedule of prohibited use cases, no risk-tier matrix, no model-specific filing regime. There is, instead, a clear signal that boards must own AI risk, that model governance and customer fairness will become standing items in supervisory dialogue, and that the existing prudential and conduct toolkits — model risk, fair customer treatment, operational resilience, the Cybersecurity and Cyber Resilience Joint Standard — are the instruments examiners will use. For a Head of Risk or MLRO accustomed to the certainty of a rulebook, that is the harder position to defend, not the easier one.
What the joint position actually says
The joint report sets out a coordinated FSCA and Prudential Authority view on AI adoption across banking, insurance, payments, pensions, investments and lending. Adoption is uneven — banking and payments sit around the half-mark, while insurance and lending remain in single digits — and the regulators flag a familiar set of consumer-protection concerns: bias, opacity, weak disclosure, and the risk of unfair outcomes in credit pricing and insurance underwriting.
The regulatory shape is deliberate. The authorities chose a principles-based, technology-neutral path rather than prescribing rules tied to specific architectures or model families. Expectations are framed around outcomes: fair customer treatment, model integrity, board-level oversight, explainability where AI affects customer outcomes, and clear disclosure. FSCA and the Prudential Authority have committed to coordinating with the Information Regulator so that AI expectations align with POPIA — particularly its automated-decision-making provisions in Section 71.
Running underneath this is Joint Standard 2 of 2024 on Cybersecurity and Cyber Resilience, in force from 1 June 2025. The Joint Standard binds banks, insurers, retirement funds and their administrators, and collective investment scheme managers, among other supervised financial institutions. It requires a documented cyber-resilience strategy, board-level governance, risk identification, incident response, third-party risk management and reporting. The Joint Standard is not AI-specific, but it applies to AI infrastructure as much as to any other system the organisation runs. A model serving customers from a third-party cloud is squarely within scope: the hosting provider is a third party to be risk-managed, an outage or compromise of the model endpoint is an incident to be handled and reported, and the training data, prompts and credentials it holds are assets the cyber-resilience strategy must cover.
What FSCA examiners actually ask about AI in 2026
Supervisory dialogue is converging on a small set of themes that any Head of Compliance should be ready to evidence:
- Model governance. Who owns the model? Who is authorised to change it, and are changes to weights, prompts, features and training data version-controlled so that any production decision can be traced back to the exact model that made it? What is documented: design, training data, validation results, performance monitoring? Is there a model risk framework that treats AI models with the rigour previously reserved for credit and capital models?
- Customer fairness. How is the model’s output tested for bias against protected characteristics? What ongoing monitoring is in place to detect drift in fairness metrics? Is there evidence the organisation reviews customer outcomes by segment, not just aggregate accuracy?
- Operational resilience. Where is the AI infrastructure hosted? What is the third-party AI provider concentration risk, and what happens to customer-facing processes if that provider is unavailable? Are failover scenarios tested, rather than merely documented? Where does data reside, and how is that consistent with the organisation’s data-residency position and POPIA’s conditions on cross-border transfers of personal information?
- Conduct of business. How is AI-driven advice or pricing disclosed to customers? How is FAIS-aligned suitability ensured when an AI tool sits in the advice chain? Are records sufficient to reconstruct the decision pathway after the fact: the model version, the inputs it saw, the output it produced, and any human override applied before the result reached the customer?
None of this is exotic. It is the existing prudential and conduct framework asked of a new class of system. The organisations that answer well are those that brought AI inside the existing risk-management architecture early. The organisations that struggle are those that treated AI as a technology question rather than a governance one.
FAIS-licensed advisors and AI-driven advice tools
The FAIS overlay is where many organisations underestimate exposure. Where AI is used in advice generation — robo-advice, automated suitability screening, document-assembly tools that draft customer-facing recommendations — the FAIS-licensed representative remains accountable for the advice rendered. The licence does not transfer to the tool, and supervisory dialogue does not soften because a vendor name appears in the workflow.
Documentation expectations follow naturally. A defensible posture includes a current AI tool inventory mapped to the advice functions each tool supports; training records demonstrating that representatives understand the tools they use and their limits; oversight protocols defining when human review is mandatory and when it is discretionary; and suitability override workflows showing how, when and by whom an AI-generated recommendation is reviewed before it reaches the customer. The absence of any of these is what an examiner will probe first.
What’s coming — COFI Bill and beyond
The Conduct of Financial Institutions (COFI) Bill continues to progress through the parliamentary process. It is expected to consolidate market-conduct oversight across the sector and strengthen outcomes-based supervision — both directly relevant to AI fairness obligations. Implementation in the 2026 to 2027 window is the working assumption among practitioners, with AI-specific provisions most likely to land in the implementation phase rather than the primary text. Organisations should treat the current FSCA and Prudential Authority expectations as the floor, not the ceiling, and assume that COFI will codify and extend them.
The FSCA’s own 2025 to 2028 Regulation Plan signals that AI governance is a 2026 work item alongside open finance and cloud technologies. A sector-wide guidance note covering model risk, board oversight, explainability and disclosure is the most likely next regulatory artefact.
What a credible AI governance posture looks like in 2026
A defensible position in supervisory dialogue typically rests on six elements:
- An AI inventory mapped to FSCA and Prudential Authority expectations and to the Joint Standard cyber baseline.
- A documented model risk framework, typically anchored on an international reference such as the NIST AI Risk Management Framework or ISO/IEC 42001, adapted to the organisation’s scale and complexity.
- Bias and fairness testing on customer-facing models, with fairness metrics defined per protected characteristic and per customer segment, at least quarterly review, and a documented escalation route when metrics drift beyond agreed thresholds.
- Third-party AI concentration risk assessed and managed: provider diversity, data residency, contractual rights to model documentation, incident-notification terms that let the organisation meet its own Joint Standard reporting obligations, and exit and portability provisions.
- The FAIS overlay where applicable, with reviewer training, documented oversight protocols and an exception log that an examiner can read.
- Joint Standard on Cybersecurity and Cyber Resilience compliance applied consistently to AI infrastructure: governance, incident response, third-party risk and reporting.
Each of these is something a Head of Compliance or Chief Risk Officer can stand up; none requires waiting for a horizontal AI Act, a route South African regulators have so far chosen not to take in favour of the principles-based, technology-neutral approach described above.
How Rhentech helps
We run AI Governance and Compliance engagements for South African financial services organisations. The framework we deploy is mapped to FSCA and Prudential Authority expectations, the Joint Standard on Cybersecurity and Cyber Resilience, and POPIA — with a deliberate alignment to NIST AI RMF and ISO/IEC 42001 where the organisation’s wider risk architecture supports it. Engagements begin with an AI Usage Audit: a senior-led discovery exercise that produces the inventory, the risk-ranked exposure register, and the remediation roadmap that supervisory dialogue presumes. Sector-specific consultants lead each engagement; the consultant who scopes the work is the one who delivers it.
If your organisation is preparing for an FSCA or Prudential Authority engagement, or wants a defensible AI governance posture before the next supervisory dialogue, the right next step is a conversation. Book a free initial consultation with one of our senior consultants — we will walk through your AI exposure, your sector position, and what a focused engagement would cover in your case.
This article is for informational purposes. It does not constitute legal or compliance advice. Consult qualified legal counsel or your organisation’s compliance function for matters specific to your organisation.