Skip to main content
Komply

Guides · Guide · 11 min read

POPIA · B-BBEE · SARS · FSCA

FSCA · FAIS Act 37 of 2002

13 July 2026

Do you need an FSP licence? The FSCA & FAIS guide for South African businesses

By Matt Owen, CA(SA) — founder, Komply

The FSCA is the regulator South African businesses most often get wrong in both directions: some assume it applies to them when it doesn’t, and others discover far too late that it does. The distinction that settles it is simple. An FSP licence is not a general business or operating licence — it is a targeted authorisation to do one specific thing: give financial advice, or act as an intermediary in financial products, for clients. If your business does that, the Financial Sector Conduct Authority and the FAIS Act apply to you in full. If it doesn’t, you have no FSCA obligation at all.

This guide sets out who is actually in scope, the licence categories, the fit-and-proper bar you have to clear to hold a licence, the ongoing conduct duties, what the FSCA can do when conduct goes wrong — and the big change on the horizon, the COFI Bill, which as of mid-2026 is still a Bill, not law.

Twin Peaks: who the FSCA actually is

In 2018 South Africa moved to a “Twin Peaks” model of financial regulation under the Financial Sector Regulation Act 9 of 2017. The two peaks split the job in two. The Prudential Authority, housed inside the Reserve Bank, worries about soundness — whether banks and insurers hold enough capital to keep their promises. The Financial Sector Conduct Authority (FSCA), operational since 1 April 2018, is the market-conductregulator: it cares about how financial firms treat their customers — whether you’re competent, licensed to do what you do, and dealing with clients fairly. This guide is about the FSCA peak.

The question that matters first: are you even in scope?

Because the FSP licence is an authorisation for specific activities rather than a general licence, the threshold question is what you actually do. Under the FAIS Act (Financial Advisory and Intermediary Services Act 37 of 2002), you need an FSP licence if you render advice or an intermediary service in relation to a financial product:

  • Advice— any recommendation, guidance or proposal of a financial nature made to a client about buying, investing in, or varying a financial product.
  • Intermediary service— acting between a client and a product supplier so that the client enters into (or manages) a transaction in a financial product: arranging it, collecting premiums, servicing the policy.

If you sell shoes, run a restaurant, or build software, none of that touches you. If you advise on or arrange insurance, investments, retirement products, or — since the FSCA declared crypto assets a financial product in October 2022 — crypto, you are in scope and cannot legally operate without a licence. The crypto point is live: a licensing regime for crypto asset service providers opened on 1 June 2023, and the FSCA is now actively enforcing against providers operating without one.

The same conduct authority also supervises insurers, retirement funds, and collective investment scheme managers — but for most SME owners wondering “does this apply to me,” the FAIS advice-or-intermediary test is the line. If you’re on the wrong side of it, the rest of this guide is your world.

The FSP licence categories

FAIS doesn’t issue one generic licence. It issues a licence in a category matched to what you do, and within that category you’re approved only for specific product subcategories — short-term insurance, long-term insurance, pension benefits, shares, and so on. Most South African FSPs sit in Category I.

IAdvice & intermediary servicesNon-discretionary — the catch-all where most FSPs sitIIDiscretionary FSPsDecide and trade on a client's behalf — asset managersIIAHedge fund FSPsDiscretionary management of hedge fundsIIIAdministrative FSPsBulking and administration — LISPsIVAssistance businessAdminister assistance (funeral) policies for insurers
Fig 6The five FSP licence categories under FAIS. Most South African FSPs hold a Category I licence (advice and intermediary services); Categories II, IIA, III and IV are the discretionary, hedge-fund, administrative and assistance-business tiers. You are licensed for specific product categories within your category — not for everything.

Getting the category and product subcategories right at application matters, because rendering a financial service outside what your licence authorises is itself a contravention, not a technicality.

Fit and proper: the bar to get and keep a licence

The FSCA will not license you — and won’t let you keep the licence — unless you and your key people are “fit and proper.” The requirements live in the Determination of Fit and Proper Requirements (Board Notice 194 of 2017, still the operative instrument), and they run across five areas:

  • Honesty, integrity and good standing— a clean record; a history of fraud, dishonesty or a previous debarment is disqualifying.
  • Competence— a recognised qualification for your product categories, the regulatory examinations, and relevant experience.
  • Continuous Professional Development— ongoing learning, every year.
  • Operational ability— the systems, governance and resources to actually run a compliant FSP.
  • Financial soundness— not insolvent, and able to meet your liabilities.

Two of these trip people up in practice. The regulatory examinationsare pass-or-you-don’t-operate: a key individual must pass the RE1 exam before the FSCA approves them, and a representative must pass the RE5 within two years of being first appointed. And CPDruns on a fixed annual cycle from 1 June to 31 May, with 6, 12 or 18 hours required depending on how many product classes you advise across — miss the deadline and the FSP must withdraw the appointment until it’s made up.

Key individuals and representatives

FAIS draws a sharp line between two roles, and the obligations differ:

  • Key Individual (KI)— the person who manages and oversees the FSP’s financial-services activities. A KI has to be approved by the FSCA and is personally accountable for the firm’s conduct.
  • Representative— a person who renders financial services to clients for or on behalf of the FSP, under a written mandate for which the FSP takes responsibility. A newly appointed representative may work “under supervision” while still completing the competence requirements.

The provision that gives this real weight is debarmentunder section 14 of the FAIS Act. If a representative is no longer fit and proper — or has materially contravened the Act — the FSP mustdebar them, notify the FSCA within five days, and the person is placed on the FSCA’s public Debarred Persons Register. Debarment is not a warning letter: it effectively shuts someone out of the financial-services industry. This is why, in the compliance-stack comparison, FSCA is the framework that carries the highest personalstakes — it ends careers, not just contracts.

Treating Customers Fairly, and the conduct rules

The FSCA supervises conduct through an outcomes-based framework called Treating Customers Fairly (TCF). Rather than a checklist, it asks you to demonstrate six fair-treatment outcomes across the whole product lifecycle:

#OutcomeWhat it means
1CultureFair treatment of customers is central to how the firm is run.
2ProductsProducts and services are designed to meet the needs of identified customers.
3InformationCustomers get clear information and are kept informed before, during and after the sale.
4AdviceWhere advice is given, it is suitable and takes the customer’s circumstances into account.
5PerformanceProducts perform, and service is delivered, as customers were led to expect.
6Post-saleNo unreasonable barriers to switch, claim, or complain after the sale.

Underneath TCF sits the General Code of Conduct, which turns those outcomes into concrete duties: proper disclosure to clients, suitable advice, a documented conflict-of-interest policy, a working complaints procedure, and record-keeping you can produce on demand. The recurring theme is evidence — it isn’t enough to treat customers fairly; you have to be able to show that you did.

Cybersecurity: the Joint Standard

Since 1 June 2025, the FSCA and Prudential Authority’s Joint Standard 2 of 2024 on Cybersecurity and Cyber Resiliencehas been in force. It requires the financial institutions they regulate — banks, insurers and retirement funds among them — to maintain a cybersecurity strategy, controls including multi-factor authentication, incident detection and response, regular testing, and to report material cyber incidents to the regulator. If you’re a regulated financial institution, this is now a hard obligation, not a best-practice aspiration — and it sits alongside your POPIA section 19 security duties, which apply to you as well.

What it costs to get conduct wrong

The FSCA’s enforcement toolkit runs from public warnings, directives and enforceable undertakings up to administrative penalties, licence suspension or withdrawal, and debarment. The penalties are not token, and there is no fixed rand cap — the size is driven by how serious the conduct was:

  • In December 2025 the FSCA imposed a R2.016 billionpenalty on Banxso and handed its directors 30-year debarments — the largest financial-regulatory penalty in South African history.
  • In May 2026 it withdrew the SA Army Foundation’s FSP licence and fined two officials a combined R44.7 million, with 30-year debarments, over the mishandling of soldiers’ contributions.

Clients have their own route, too. The FAIS Ombud resolves complaints against FSPs informally and for free, and can order compensation of up to R3.5 million (a ceiling raised from R800,000 in July 2024). For a small FSP, an adverse Ombud determination can hurt as much as an FSCA penalty.

COFI is coming — but FAIS is still the law

The largest change on the horizon is the Conduct of Financial Institutions (COFI) Bill, which will eventually replace FAIS’s category-based licensing with a single activity-based conduct framework, consolidating around seven financial-sector laws into one. It is a genuine overhaul — but timing matters, and the honest position as of mid-2026 is this: COFI is still a Bill, not an Act.It was introduced to Parliament in April 2026 and is working its way through the legislative process; there is no fixed commencement date. When it does become law, existing FSPs are expected to get a three-year transition period to move onto the new licence. For now, FAIS is the regime you comply with, and COFI is the one to keep an eye on — not a reason to wait.

FSCA is one of four regulatory regimes, not the only one

FSCA is the narrowest of South Africa’s four main compliance regimes — it only reaches businesses actually in financial services — but for those it does reach, it carries the highest personal stakes. The same FSP is also carrying POPIA data-protection duties, SARS tax obligations, and usually B-BBEE scorecard pressure, none of which talk to each other. We’ve mapped how the four fit together in POPIA vs B-BBEE vs SARS vs FSCA: the South African compliance stack explained, and gone deep on the tax side in the complete SARS guide and the data side in the complete POPIA guide.

Frequently asked questions

Do I need an FSP licence?

Only if you give financial advice or act as an intermediary in relation to a financial product — insurance, investments, retirement products, or crypto. Selling non-financial goods or services doesn’t bring you into scope. An FSP licence authorises specific activities; it isn’t a general business licence.

What’s the difference between a key individual and a representative?

A key individual manages and oversees the FSP’s financial-services activities and must be approved by the FSCA. A representative renders financial services to clients under the FSP’s mandate. A new representative can work under supervision while still completing the competence requirements.

What are the regulatory exams?

RE1, which a key individual must pass before the FSCA approves them, and RE5, which a representative must pass within two years of first appointment — on top of a recognised qualification and ongoing CPD.

What happens if a representative is debarred?

The FSP must debar a representative who is no longer fit and proper or who has materially contravened FAIS, notify the FSCA within five days, and the person is listed on the public Debarred Persons Register — which effectively bars them from the financial-services industry.

Is COFI law yet?

No. The COFI Bill was introduced to Parliament in April 2026 and has not been passed or brought into force; there is no fixed commencement date. FAIS remains the current regime, and existing FSPs are expected to get a three-year transition once COFI is enacted.