South Africa loses an estimated R100bn a year to financial crime, yet the institutions meant to stop it still work in silos. Organised crime does not.
According to RelyComply, its networks are coordinated, executing multiple financial crime typologies at once and at scale, while regulators, law enforcement and financial firms lack any standardised, interconnected risk management system. As criminals accelerate their use of digital tools, that gap keeps widening.
RelyComply recently took the time to discuss what it labels ‘the great convergence’, through the Twin Peaks and the COFI Bill’s unified approach to end siloed compliance.
Reform is now closing in. Under the 2017 Financial Sector Regulation (FSR) Act, the ‘Twin Peaks’ model and the Conduct of Financial Institutions (COFI) Bill will pull the sector’s fragmented laws into a single framework, forcing AML, fraud risk and prudential risk teams – long kept apart – into one co-dependent workflow feeding a coordinated data-sharing ecosystem.
A framework meeting reality
Twin Peaks, launched in 2018, split oversight in two: the Prudential Authority guards the system’s safety and stability, while the Financial Sector Conduct Authority (FSCA) polices market conduct and customer fairness. COFI, rolled out in phases by the National Treasury, welds existing statutes, including the Banks Act 1990 and Financial Markets Act 2012 – into one consistent piece of legislation.
The snag is that COFI assumes firms already run digitalised, joined-up AML processes. Most do not. Compliance teams still report separately, and cross-functional threats are handled repeatedly, under different rules, in different systems. Where intelligence is fragmented, the capacity to meet COFI’s demands simply does not exist.
Boards in the firing line
COFI applies to all accountable institutions under the FSR Act, from major banks and insurers to payment providers and credit rating companies. A “principle of proportionality” spares smaller firms identical obligations, but not compliance itself.
Directors face the sharpest shift. Stricter governance and licensing rules mean they must evidence how AML, fraud and conduct controls are maintained. Periodic reporting will no longer do, real-time monitoring is required, with audit trails showing the Financial Intelligence Centre (FIC) precisely where decisions on high-risk alerts were made.
Matching criminal coordination
At the FSCA 2026 conference, firms were urged to share financial crime intelligence – excluding sensitive personal data, with regulators, related sectors and law enforcement. If criminal networks collaborate, defenders must too. Embedded AI monitoring gives firms real-time visibility of emerging threats which, once shared, multiplies every institution’s ability to neutralise them.
RegTech partnerships can make this practical. A COFI-ready institution typically needs board-level dashboards, integrated KYC and AML workflows, explainable AI models that document their decisions, a single source of truth for automated FIC reporting, and scalable cloud infrastructure that adapts as requirements evolve.
The COFI vision is ambitious but achievable. With one clear regulatory direction and RegTech support to reach it, the gaps criminals rely on can finally close. South Africa has the framework. Now it needs the collective will to use it.
RelyComply’s full post can be read here.
Copyright © 2026 FinTech Global









