Your 2025 Compliance Regulation Updates

Recently, there have been various regulatory changes to legislation that businesses need to heed. Two of the upgrades that need to be on your radar include updates to the POPI Act and the welcoming of the AML and CTF Amendment Bill.

All legislation can be seen as live documents. They outline who is supposed to follow which rules under what circumstances and why. They also need to be updated regularly to ensure that they remain relevant to the intricate dynamics of society. As technology, society and political nuances alter, legislation needs to keep up and reflect the latest developments.

Protection of Personal Information Act Updates

Amendments to the Protection of Personal Information Act (POPIA or POPI Act) took effect on 17 April 2025. The updates aimed to make the Act clearer, tighter with regard to marketing consent, and expand the complaints process.

Improved Clarity

Regulation 1 of the Act has several new definitions. These are:

• “Complainant” and “Complaint” to identify legitimate grievances.
• “Day” to enhance procedural certainty.
• “Office hours” for the Regulator and designated bodies.
• “Relevant bodies” to support industry-specific codes of conduct.
• “Writing” in support of digital documentation and accessibility.

Strict Marketing Consent

Regulation 6 deals with the consent for direct marketing. Notable changes under this section emphasise:

• Explicit recording of consent, particularly in telephonic or automated communication.
• Opt-out and consent are indicated to be two separate actions.
• Forms of consent now also include fax, WhatsApp, e-mail, SMS, and automated calling machines.

Expanded Complaints Process

POPIA can only work if there is trust in the regular process, therefore, the complaints process was streamlined. As per the updates in Regulation 7, handling complaints now includes the following:

• Confidentiality protection has been aligned with the Protected Disclosure Act.
• Requirements for the evidence of complaints have been detailed.
• Complainants have assistants for other languages.
• There is now online and physical access to Form 5.
• Interested third parties and the public can make complaints.
• A 14-day timeline has been introduced for designated offices to transmit complaints to the Regulator.

Objections and Rights

Under regulation 2, data subjects have improved ways of objecting. This includes:

• Objections may now be made through digital tools like SMS, WhatsApp, and e-mail.
• Telephonic objections are allowed, as long as it is recorded and made available on request.
• Responsible parties must inform data subjects of their right to object under Section 18(1)(h)(iv).

Accountability

Regulation 4 emphasises the continuous improvement of data protection compliance frameworks. For this reason, outdated references have been removed.

Regulation 3 fosters accountability and responsiveness from responsible parties. Form 2 may now be submitted free of charge through modern, digital channels. Alternatively, a telephonic request is also allowed. Responses to these requests require a mandatory response within 30 days of the submission.

Additionally, a new regulation (Regulation 13) had been implemented to make provision for paying administrative fines in instalments.

Transitional Provisions and Legal Continuity

As there are now new regulations, the verdict on the continuity of complaints or actions taken previously under the 2018 regulations is that it will remain valid.

Legal practitioners and DPOs need to note that there is now a greater emphasis on procedural facilitation and documentation. Furthermore, data protection programmes should be updated to include multi-channel support for objections and corrections.

For responsible parties, the legal implications are that data subjects must be proactively informed of their rights. All consent must be formalised and auditable.

Members of the public will receive more enhanced democratic access to justice through the updates.

General Laws (Anti-money Laundering and Combating Terrorism Financing) Amendment Bill

December 2024 saw the South African Treasury publish the draft AML and CTF Amendment Bill and open it for public comment until February.

The changes to this legislation aim to bring South African regulations in line with international standards. It also intends to strengthen South Africa’s financial compliance landscape and ultimately rectify the country’s greylisting. The greylisted status has impaired investment in the nation and resulted in many setbacks. However, this status is up for review (2026/2027), necessitating the changes in legislation.

It’s imperative that the government make the necessary amendments to the Bill before the Financial Action Task Force (FATF) conducts a Mutual Evaluation Report (MER) to make their evaluation.

Relevant Legislation

The Department of Trade, Industry and Competition (DTIC), the Department of Social Development (DSD) and the Financial Intelligence Centre (FIC) joined forces to give birth to the Bill. It proposes to make changes to four Acts:

• The Financial Intelligence Centre Act, 2001;
• The Financial Sector Regulation Act, 2017;
• The Companies Act, 2008;
• The Nonprofit Organisations Act.

The Financial Intelligence Centre Act, 2001

Sections 26A, 26B, 28A and 51A will address minor deficiencies relating to targeted financial sanctions. Section 42 amends deficiencies identified in new technologies. Section 46 speaks to customer due diligence measures for anonymous clients.

These changes look at risk management for new products based on new technologies. Businesses need to develop comprehensive risk management plans.

If there are any suspicious activities, Suspicious Transaction Reports (STRs) must be submitted to the FIC within 15 business days. Furthermore, clear procedures are outlined for timelines for compliance and reporting through Terrorist Property Reports (TPRs).

The Financial Sector Regulation Act, 2017

Sections 2, 3, 58, 106, 108, 111, 131 and 135 address gaps in the protection of financial customers, as well as licensing and regulations for market conduct and anti-money laundering, while strengthening licensing and enforcement powers.

To protect customers, relevant businesses are encouraged to use technology, such as biometric verification and electronic Know Your Customer (e-KYC) solutions.

Additionally, the FIC now has the authority to issue real-time compliance directives. They may also conduct unannounced inspections to ensure adherence.

The Companies Act, 2008

Sections 82 and 175 changes provide clarity on the application of remedial actions and/or dissuasive and proportionate sanctions for noncompliance with beneficial ownership obligations;

According to the public disclosure of beneficial ownership information for all companies and trusts, these must maintain a public register for anyone who owns at least 25% of the shares or voting rights. This must form part of the public record for at least five years. Administrative penalties may be awarded for non-compliance.

The Nonprofit Organisations Act

Section 30 indicates the maximum amount of the fine and the years of imprisonment in respect of an offence in terms of the Act.

Should any business fail to meet these requirements, fines of up to R 10 million may be imposed. Alternatively, for repeated non-compliance, the fine may be 10% of a company’s turnover.

Where imprisonment is relevant, an individual may be sentenced to up to fifteen years in prison. The amendment states that individuals convicted of non-compliance can receive fines of up to R 1 million or five years in prison.

Based on the changes in legislation, companies should have proactive, comprehensive compliance procedures that can be audited by the FIC. It is vital to remain informed about delivery mechanisms and possible partnerships that have an increased risk of money laundering or terrorism financing.