In October 2025, South Africa exited the Financial Action Task Force (FATF) “grey list” after demonstrating significant progress in its anti-money laundering (AML) and counter-terrorist financing (CFT) regime. This milestone not only restored international confidence in its financial system, but also imposed stricter obligations on banking institutions: demonstrating sustained increases in investigations and confiscations of illicit assets, strengthening risk-based supervision, and ensuring competent authorities have fast and accurate access to beneficial ownership information.
In 2026, cybersecurity and digital identity integrity have become central pillars in maintaining that status and ensuring the confidence of investors, regulators, and citizens.
A Digitized Banking Ecosystem with Growing Risks
South Africa has one of the most developed financial systems in Africa. Four major banks — Standard Bank, FirstRand/FNB, Absa, and Nedbank — hold 85% of the market share, while digital challengers such as TymeBank have already attracted seven million customers. Banking penetration exceeds 80%, and an estimated 20 million people use mobile banking services.
The government, through the Department of Home Affairs (DHA), has implemented a biometric population registry with an error rate below 1%, demonstrating its commitment to digitalization.
However, this digital progress has been accompanied by a significant rise in digital fraud. Electronic banking fraud accounted for 65.3% of all reported incidents in 2024 — nearly double the previous year — with losses exceeding 1.4 billion rand. Most scams rely on social engineering: criminals distribute fake links via SMS, WhatsApp, or social media, or use deepfakes and fraudulent advertisements to trick customers into revealing passwords or one-time passwords (OTPs). These figures confirm that digitalization requires stronger controls at every point of contact.
Another alarming phenomenon is SIM swap fraud. Although primarily linked to the telecommunications sector, it directly impacts banking. According to the Communication Risk Information Centre (COMRiC), telecommunications fraud — including identity impersonation and SIM swap — cost South Africa more than 5.3 billion rand in 2025. This type of attack allows fraudsters to duplicate a victim’s SIM card, intercept OTP codes, and gain access to bank accounts.
Cybercrime is constantly evolving. As COMRiC’s CEO notes, operators and their partners “must remain constantly alert because criminals try something new every day.” For banks, this means authentication based solely on mobile phones is no longer sufficient.
Regulatory Requirements: FICA, POPIA, and Joint Standards
South Africa’s regulatory framework has tightened in response to these risks.
The Financial Intelligence Centre Act (FICA) requires designated institutions to identify and verify customers, appoint a compliance officer, and implement a risk management and compliance program. During onboarding, institutions must apply Customer Due Diligence (CDD) and ongoing monitoring tailored to the customer’s risk level.
FICA allows remote verification: identity can be digitally confirmed through biometric recognition with liveness detection or online document verification. In addition, institutions must file Suspicious Transaction Reports (STRs) within 15 days and report any indication of terrorist financing within five days.
The Protection of Personal Information Act (POPIA) complements this framework by requiring companies to process customer data securely, limit its use to specific purposes, and ensure transparency. The balance between privacy and fraud prevention is delicate: banks must collect and analyze biometric, behavioral, and transactional data to combat impersonation, while complying with POPIA’s principles of data minimization and consent.
In May 2024, the Financial Sector Conduct Authority (FSCA) and the Prudential Authority (PA) issued Joint Standard 2 on Cybersecurity and Cyber Resilience, which came into force on 1 June 2025. This landmark standard requires banks, insurers, pension funds, rating agencies, and other institutions to adopt mandatory cybersecurity and digital risk management practices. It mandates periodic audits, cybersecurity governance, third-party oversight, and incident recovery plans.
Although implementation may be costly and complex — particularly for smaller institutions — the objective is clear: reduce systemic risk and protect both consumers and the financial ecosystem. Preceded by Joint Standard 1 (2023) on IT governance, this framework signals a regulatory shift toward digital resilience.
Sector-specific standards also apply. In 2016, the Payments Association of South Africa (PASA), in collaboration with Visa and Mastercard, launched an interoperable biometric authentication standard for payment cards. The framework enables secure and uniform verification using fingerprint, palm, voice, iris, or facial recognition. For banks, this sets a precedent: systems must support multiple biometric modalities.
Additional compliance requirements include:
- Identity verification against the National Population Register (DHA)
- Screening of domestic and foreign Politically Exposed Persons (PEPs)
- Beneficial ownership verification for holdings of 25% or more
- Real-time sanctions screening (UN and domestic lists)
- Cybersecurity incident reporting within 24 hours
These obligations raise supervisory expectations and require efficient integration of diverse data sources.
How Banks Are Responding: Biometrics, Tokens, and Advanced Analytics
Faced with regulatory and criminal pressure, South African banks are strengthening identification and authentication processes.
Biometrics has become the cornerstone of digital onboarding and sensitive transactions. Thanks to FICA and PASA alignment, institutions can compare customer selfies or fingerprints with DHA records and use liveness detection algorithms to prevent deepfake attacks.
The gradual replacement of SMS-based OTPs with push notifications, hardware tokens, and biometric authentication reduces reliance on SIM cards, now considered a vulnerable attack vector.
Banks are also deploying AI and advanced analytics to monitor transactional behavior and detect anomalies suggesting account takeover or identity misuse. Contextual and behavioral biometrics — such as typing speed, geolocation, or IP address analysis — allow additional verification when significant behavioral deviations occur.
This risk-based, event-triggered approach avoids uniform controls that generate friction. In mature digital ecosystems, identity is no longer verified once; it is continuously defended.
Facephi’s Role in South African Banking
In this environment, Facephi provides a suite of solutions tailored to South Africa’s compliance and cybersecurity requirements.
Digital onboarding with DHA integration
Facephi connects to the National Population Register to validate identity via facial or fingerprint biometrics, with error rates below 1%. It includes ISO 29794-5-compliant liveness detection to prevent presentation attacks.
Multimodal biometric authentication
Aligned with PASA standards, Facephi supports facial, fingerprint, and voice verification, enabling multi-factor biometric authorization for sensitive transactions. This removes reliance on OTPs and protects customers against SIM swap and credential theft.
AML screening and real-time monitoring
The platform screens against UN sanctions lists, domestic restrictive measures, PEP databases, and adverse media. It automates STR generation within FICA’s 15-day requirement and detects structuring patterns (“smurfing”).
Behavioral biometrics and mule detection
Through transaction pattern and network analysis, Facephi helps identify mule accounts used to launder illicit funds, supporting FATF’s requirement for sustained investigative progress.
Transaction monitoring
The module aligns with FICA reporting thresholds (e.g., large cash deposits or withdrawals) and automates submissions to the Financial Intelligence Centre (FIC).
These capabilities enable banks to reduce fraud without compromising customer experience, comply with FICA and POPIA, and prepare for Joint Standard 2 cybersecurity requirements. The modular architecture allows controls to adapt to risk levels and customer lifecycle stages.
Innovation and Challenges Toward 2026
Despite significant progress, challenges remain.
The transition to a national digital identity system — driven by DHA — may eliminate forged or duplicate documents, but fraud will likely shift toward account takeover, SIM swap, and device compromise. Banks must prepare for dynamic, multi-factor authentication environments.
Joint Standard 2 requires institutions of all sizes to strengthen defenses. In the absence of a centralized national cybersecurity center and after years of underinvestment, the sector must invest in talent, audits, segregation of duties, and third-party oversight.
For smaller institutions, collaboration with specialized providers like Facephi enables access to advanced technology while maintaining agility.
User education remains critical. The FSCA has warned of increasing scams via SMS, WhatsApp, Telegram, and fraudulent financial advisors. Banks must combine technology with awareness programs to ensure customers recognize phishing, deepfakes, and “easy money” schemes — and understand they should never share OTPs or biometric data.
Conclusion: A Future Built on Digital Trust
South Africa’s exit from the FATF grey list marks a turning point, but maintaining trust requires ongoing commitment to cybersecurity and identity integrity.
Attacks are becoming more sophisticated. Fraud is shifting toward SIM swap and account takeover. Regulators are raising the bar to prevent regression.
A rigorous regulatory framework (FICA, POPIA, Joint Standards), combined with robust verification technologies (multimodal biometrics, liveness detection, behavioral analytics) and a risk-based, event-driven approach, will enable banks to protect customers and safeguard financial stability.
Facephi positions itself as a strategic partner in this transition. By delivering integrated digital onboarding, biometric authentication, and fraud monitoring solutions aligned with South African and international standards, it helps financial institutions remain compliant, reduce fraud, and provide secure, seamless user experiences.
By 2026, banks that adopt these technologies will not only reduce losses and penalties — they will strengthen their reputation as trusted pillars of the digital economy.