POPIA vs B-BBEE vs SARS vs FSCA: the South African compliance stack explained
By Matt Owen, CA(SA) — founder, Komply
Ask a CFO or COO at a mid-sized South African business which regulator they answer to, and most will name one — usually SARS, because it’s the one with the annual deadline everyone dreads. In practice, most businesses of any size are running at least three separate compliance regimes simultaneously, often four, each with its own regulator, its own rulebook, its own reporting cadence, and its own penalty structure. None of the four talk to each other. A business can be in perfect standing with SARS and still be exposed on POPIA, or hold a strong B-BBEE certificate while its FSCA licence sits one missed deadline from suspension.
This piece maps all four: what each one actually requires, who it applies to, and — because this is the part most compliance content skips — where they intersect.
The Four Frameworks at a Glance
| Framework | Regulator | Who it applies to | Core obligation | Penalty exposure |
|---|---|---|---|---|
| POPIA | Information Regulator | Virtually every business that processes personal information | Lawful processing under 8 conditions; security safeguards; data subject rights | Administrative fines up to R10m (s109); criminal offences under s107 carry a fine and/or imprisonment of up to 10 years for the most serious of them |
| B-BBEE | B-BBEE Commission | Commercially relevant to any business seeking government or large-corporate business; statutorily compulsory in some licensed sectors | Score across 5 scorecard elements; certified level | No statutory penalty for non-participation (fronting, by contrast, is a criminal offence under the Act), but loss of procurement access, tender disqualification, supply-chain exclusion |
| SARS | South African Revenue Service | Every registered business, without exception | Tax registration, return filing, and payment across the tax types that apply to you (Income Tax, VAT, PAYE/UIF/SDL) | Administrative penalties + interest under the Tax Administration Act; criminal prosecution for wilful non-compliance |
| FSCA | Financial Sector Conduct Authority | Only businesses providing financial products/advice/intermediary services (FSPs, insurers, retirement funds, collective investment schemes, and — since crypto assets were declared a financial product in 2022 — crypto asset service providers) | Licensing, fit-and-proper standards, conduct rules under FAIS | Licence suspension, debarment, administrative penalties |
That “who it applies to” column is the one worth sitting with, because the four frameworks are not equally universal — a mistake we see often enough to call out explicitly below.
POPIA — Protecting Personal Information
POPIA (Protection of Personal Information Act 4 of 2013) has been fully enforceable since 1 July 2021 and applies to any organisation that processes personal information, with no small-business or turnover exemption. It’s built around eight conditions for lawful processing, and its most consequential provision for most businesses is section 19 — the duty to secure personal information through “appropriate, reasonable technical and organisational measures.” We cover this in full in our complete POPIA guide and go deep on the security-safeguards obligation specifically in POPIA §19: what “appropriate security safeguards” actually requires.
The practical point for this comparison: POPIA is the one framework on this list every business is in scope for, on day one, regardless of size, sector, or ambition.
B-BBEE — Economic Transformation and Procurement Leverage
Broad-Based Black Economic Empowerment is different in kind from the other three: it isn’t a criminal-law regime you can be prosecuted for ignoring. It’s a scorecard system under the B-BBEE Act 53 of 2003 (as amended) and the Codes of Good Practice, and its teeth come from where it’s used rather than a direct statutory penalty for non-participation:
- Organs of state and state-owned entities are required to apply the Codes in their procurement under section 10 of the B-BBEE Act and the Preferential Procurement Regulations — no certificate, no realistic path to government business.
- Large private-sector customers need your B-BBEE contribution to feed their own scorecard (their Enterprise & Supplier Development and Preferential Procurement elements depend on the certified status of who they buy from) — so mid-sized suppliers are pulled into B-BBEE by their customers’ scorecards, not by direct legal compulsion.
- Certain licensed sectors (mining rights, liquor licences, broadcasting licences among others) have statutory B-BBEE minimums built directly into their sector-specific legislation, where it does become a hard compliance requirement.
The generic scorecard covers five elements — Ownership, Management Control, Skills Development, Enterprise & Supplier Development, and Socio-Economic Development. Three of those five (Ownership, Skills Development, and Enterprise & Supplier Development) are priority elements: fail the sub-minimum threshold on any one of them, and your certified level is automatically discounted by a full level, regardless of your total points score. A business scoring comfortably in Level 3 territory can be certified at Level 4 purely because one priority element fell short — which is the single most common surprise we see in scorecard reviews.
Which scorecard applies depends on annual turnover:
- Exempt Micro Enterprise (EME) — turnover under R10 million. Simplified compliance: an EME needs only a sworn affidavit rather than a verified scorecard, and a 100%-black-owned EME qualifies for an automatic Level 1 (a 51%-black-owned EME, Level 2).
- Qualifying Small Enterprise (QSE) — turnover between R10 million and R50 million. Full five-element scorecard, but with QSE-specific point weightings and a relaxed priority-element test: Net Value (Ownership) is compulsory, plus a pass on at least one of Skills Development or Enterprise & Supplier Development — not all three, as a Generic-scorecard entity must clear.
- Generic — turnover above R50 million. The full scorecard at its most rigorous, all three priority elements tested.
Certain industries also have their own sector codes (Mining, Tourism, ICT, Construction, AgriBEE, Property, and the Financial Sector Code among them) that override the generic scorecard where they apply — a bank or insurer, for instance, is measured against the Financial Sector Code, not the generic five-element scorecard. Don’t confuse the B-BBEE Financial Sector Code with the FSCA below — they share a name fragment and nothing else. One is a B-BBEE scorecard variant for banks and insurers; the other is the market-conduct regulator you’ll meet in the next section.
SARS — Tax Compliance Across Multiple Tax Types
The South African Revenue Service is the one regulator on this list every registered business deals with, no exceptions and no thresholds that exempt you entirely — though several of SARS’s individual obligations are themselves threshold-gated. A registered company needs to manage, depending on its situation:
- Income Tax — annual returns, plus provisional tax paid twice yearly (with an optional third top-up payment) via the IRP6 process.
- VAT — mandatory registration once taxable supplies exceed R1 million in any consecutive 12-month period, with voluntary registration available from R50 000. VAT is charged at the standard rate of 15%, which the 2025 Budget proposed increasing before the increase was legislated away — worth knowing if you’re relying on commentary from that window that assumes a higher rate.
- PAYE, UIF, and SDL — for any business with employees, deducted and remitted monthly.
SARS verifies standing through the Tax Compliance Status (TCS) system, which replaced the old paper Tax Clearance Certificate. Instead of a static document, you hold a TCS PIN that whoever needs to check you — a government buyer, a bank, a large client — can use to see your live compliance status on SARS eFiling. That’s a meaningfully different risk profile to the old paper certificate: your status can go from green to red the day you miss a return, for everyone you’ve already handed the PIN to.
Non-compliance carries administrative penalties and interest under the Tax Administration Act, escalating to criminal prosecution for wilful evasion. The specific penalty percentages and interest rates change with SARS’s own published tables — worth checking current rates directly with SARS or your accountant rather than relying on a fixed figure quoted in an article.
FSCA — Market Conduct for Financial Services, Not Everyone
This is the framework most often mis-assumed to be universal, and it isn’t. The Financial Sector Conduct Authority was established under the Financial Sector Regulation Act 9 of 2017 and became operational on 1 April 2018 as part of South Africa’s “Twin Peaks” regulatory model — the FSCA is the market-conduct (“good conduct”) peak, while the Prudential Authority, sitting within the Reserve Bank, handles prudential (financial-soundness) regulation.
The FSCA’s authority reaches only businesses actually conducting financial-services activity: Financial Services Providers (FSPs) under the FAIS Act, insurers, retirement funds, collective investment schemes, and — since the FSCA declared crypto assets a financial product in 2022 and opened its CASP licensing framework in 2023 — crypto asset service providers. If you’re not giving financial advice, selling financial products, or otherwise intermediating in the financial sector, you have no FSCA obligation at all, full stop.
If you are in scope, the obligations are substantive: FSP licensing before you may legally operate, ongoing fit-and-proper standards for key individuals and representatives, continuous professional development requirements, conflict-of-interest management, complaints-handling timelines, and cyber-resilience obligations under Joint Standard 2 of 2024. Non-compliance risks range from licence conditions and administrative penalties up to debarment of individuals and suspension of the FSP licence itself.
Who Actually Needs to Worry About Which Framework
Stripped of the detail, the applicability question resolves fast:
- POPIA — everyone, from day one.
- SARS — every registered business; specific obligations such as VAT and PAYE are gated by turnover and by whether you have employees.
- B-BBEE — commercially essential if you sell to government or to large corporates with their own scorecard pressure, or if you’re in a licensed sector with a statutory minimum; otherwise commercially optional but rarely cost-free to ignore.
- FSCA — only if you’re actually providing a financial product, advice, or intermediary service. Zero obligation otherwise.
A retailer with no government contracts and no financial-services activity is realistically managing two of these four (POPIA and SARS) as hard legal obligations, with B-BBEE as a commercial lever it may or may not choose to pull. A financial advisory practice is managing all four simultaneously, with FSCA carrying the highest individual stakes (debarment ends careers, not just contracts).
Where the Frameworks Intersect
The four regimes don’t share a regulator, but they share data, and that’s where cross-module blind spots open up. A POPIA finding on how customer data is handled can directly affect a B-BBEE tender submission that relies on that same customer data as evidence of enterprise development activity. A SARS anomaly in payroll data can tie back to a key individual’s fit-and-proper disclosures to the FSCA. A security compromise notifiable to the Information Regulator under POPIA section 22 may also have to be reported to the FSCA as a material cyber incident under Joint Standard 2 of 2024, and can trigger a notification under FAIS if it affects a licensed FSP’s ability to operate.
Businesses running four separate spreadsheets, or four separate consultants, rarely catch these intersections until an auditor or regulator does it for them. This is the specific case for monitoring all four from one dashboard rather than four disconnected ones — which is the whole reason Komply exists as a single subscription rather than four separate tools.
The Cost of Fragmented Compliance
None of this is inherently complicated in isolation. What makes it expensive is fragmentation: a POPIA consultant who’s never seen your B-BBEE scorecard, a tax practitioner who doesn’t know your FSCA renewal calendar, four separate annual engagements that each treat their slice as the whole picture. If your business is managing three or four of these frameworks and doesn’t currently have one place that sees all of them together, that’s the gap worth closing first — either with continuous monitoring across all four, or with an advisory partner who can triage all four at once and tell you honestly which ones are actually urgent for your business.