AI in financial services: the FSCA and SARB rules: a clear, fact-based explanation for South African organisations — with osFoundry as an example and dgm as an independent partner.

dgm is an independent integration partner for osFoundry — it is not affiliated with osFoundry’s maker (OS LLC) and has not yet completed an integration project for any client.

Financial services in South Africa are tightly regulated, but there is no AI-specific statute. Here is the honest position on the FSCA and SARB rules.

What exists and what does not

South Africa has no AI-specific statute, but financial services are tightly regulated. Banks, insurers and financial institutions answer to the South African Reserve Bank (SARB), its Prudential Authority and the Financial Sector Conduct Authority (FSCA); the FSCA/PA Joint Standard 1 of 2023 on IT governance and risk management commenced on 15 November 2024 and the Joint Standard 2 of 2024 on cybersecurity and cyber resilience took effect on 1 June 2025. Both are IT and cyber requirements rather than AI rules, but they shape any AI deployment. Expect documented governance, explainability, human oversight and careful treatment of customer data under POPIA.

What it means for financial institutions

Keep credit and risk models under documented governance, explainability and audit; treat customer data carefully under POPIA. osFoundry pins your data region to the US, the EU or Japan, supports local-first inference on your own device, and lets you self-host it in your own AWS, Azure or Google Cloud account (BYO Cloud). osFoundry has an EU managed region but no managed region inside South Africa. The honest difference from many markets is that South Africa does have in-country hyperscaler regions — AWS Africa (Cape Town) af-south-1, Microsoft Azure South Africa North in Johannesburg, Google Cloud africa-south1 in Johannesburg and Oracle Cloud Johannesburg — so keeping data on South African soil is achievable by self-hosting osFoundry in one of those regions or in a local data centre, or by running it local-first. Note that the US CLOUD Act can compel a US-owned provider to produce data it controls regardless of where that data physically sits, which is why some organisations prefer self-hosting or local-first for their most sensitive workloads.

This article is general information and is not legal, financial or tax advice. Incentives, tax rates and regulations change; always confirm the current position with an official source (SARS, the Department of Science and Innovation, the dtic, the Information Regulator, the FSCA or the relevant authority) or a qualified adviser before you act.

You can explore the osFoundry platform to learn more.

Where dgm comes in

dgm is an independent integration partner that helps organisations in South Africa adopt the osFoundry platform — from identifying the first practical use case, to setting it up, to connecting AI to the systems you already run. dgm operates separately from osFoundry’s maker (OS LLC) and has not yet completed an integration project for any client, so everything above is a proposed service rather than a delivered outcome. If you would like to weigh up a practical first step, dgm would be glad to think it through with you. Arrange an introductory call with dgm.