Latest white paper on evolving regulations and emerging technologies

  • Industry perspective: The key forces driving AML reform in 2025 and beyond.

  • Operational insight: How automation is reshaping onboarding and accuracy.

  • Strategic value: Where collaboration is unlocking the next era of compliance.

Access White Paper
relycomply whitepaper

Get updates that matter

Stay connected with:

  • Industry insights - Reports on trends, threats, and regulatory shifts shaping the financial services world.

  • Customer highlights - See how businesses like yours are closing AML gaps and protecting their customers.

  • Feature releases - Discover the latest products and AI-powered capabilities in our platform.

relycomply whitepaper

The great convergence: Twin Peaks and the COFI Bill’s unified approach to end siloed compliance

South Africa loses an estimated R100 billion annually to financial crime – yet the institutions meant to stop it still operate in silos. Organised crime networks, by contrast, are highly coordinated: sprawling operational structures designed to execute multiple financial crime typologies simultaneously and at scale.

In opposition, South Africa’s regulators, law enforcement, and financial institutions have no standardised, interconnected risk management system. As criminals accelerate their use of digital innovation, this disparity creates an ever-widening gap that undermines the finance sector’s fundamental responsibility to ensure public safety.

That is about to change. Under the 2017 Financial Sector Regulation (FSR) Act, the ‘Twin Peaks’ reform model and its Conduct of Financial Institutions (COFI) Bill aim to consolidate varying financial sector laws under one framework. Together, they represent an overarching reform designed to end individually-handled operations that have long siloed AML, fraud risk, and prudential risk teams from one another. All accountable institutions must now condense these traditionally distinct functions into one co-dependent workflow – and in doing so, contribute to a coordinated data-sharing ecosystem that is the essential backbone of real-time financial crime prevention.

Annual financial crime impact in South Africa

The structural impracticalities facing COFI

In 2018, the Twin Peaks model established two regulatory authorities to improve oversight of the financial market. Put simply, the model splits regulatory responsibility in two. The Prudential Authority supervises prudential risk – maintaining the safety and stability of the financial system – while the Financial Sector Conduct Authority (FSCA) focuses equally on market conduct risk, including how fairly customers are treated.

Supporting this structure is the COFI Bill. Being rolled out in phases by the National Treasury, its alignment under Twin Peaks is largely the FSCA’s responsibility. COFI works to unite existing financial sector laws into a single, consistent piece of legislation – creating a new statutory framework that reflects today’s strict regulatory expectations, protects customers, and improves risk governance. It includes significant amendments to the Banks Act 1990, the Financial Markets Act 2012, and several other existing statutes.

The core problem is that the COFI regulation assumes South African businesses have already adopted comprehensive frameworks and digitalised AML processes. The reality falls well short of that assumption. AML, fraud, and conduct risk teams still operate separately. Compliance reporting is conducted independently. Cross-functional threats are frequently managed more than once, according to different rules, and in entirely different systems.

Where financial crime intelligence and compliance operations are fragmented, the core capacity needed to meet COFI requirements simply does not exist. This fracture weakens both the structural soundness required to mitigate prudential risk and the institution’s ability to implement coherent AML and fraud controls – a problem that cuts across virtually every regulated industry in South Africa.

Creating an accountability shift

The COFI Bill affects all accountable institutions under the FSR Act: large banks, asset and investment managers, insurers, payment service providers, and credit rating companies. A “principle of proportionality” means smaller businesses will not face identical obligations to larger players – but proportionality does not mean exemption. Every institution must demonstrate genuine compliance with COFI’s consolidated framework.

For board members, the stakes are particularly high. Directors will face stricter governance requirements and significant licensing changes, and will be expected to articulate clear rationale for their decision-making oversight. They must show measurable evidence of how AML processes, fraud controls, and market conduct risk management are being maintained.

Monthly or annual periodic reporting will no longer be sufficient. Real-time monitoring is now required – systems capable of identifying suspicious fraud or laundering behaviours as they occur, and routing alerts to relevant personnel for immediate follow-up. Built-in audit trails must also explain to the Financial Intelligence Centre (FIC) precisely where decisions were made to act on or report high-risk alerts, providing transparent context to any other institutions drawn into subsequent investigations.

The AML compliance shift before the COFI Bill vs after

FSCA expectations for real-time prevention

Even with more advanced technical infrastructure now available, AI-enhanced fraudsters continue to exploit the AML gaps that exist between institutions. The inconsistency of controls from one firm to the next is itself a vulnerability – one that organised crime actively targets.

At the FSCA 2026 conference, they urged firms to look beyond their internal financial data and fraud detection systems and ensure that gathered financial crime intelligence – excluding sensitive personal customer data – is shareable with regulators, related sectors, and law enforcement. The logic is straightforward: if criminal networks collaborate, so must the institutions defending against them.

AI-based monitoring must therefore become an embedded feature at every point in the defence against digital fraud and laundering. It gives businesses real-time visibility into emerging risk alerts which, when shared across the ecosystem, multiply each institution’s ability to neutralise similar threats. Automating this process creates a seamless, data-driven mechanism to accelerate the identification and prosecution of wrongdoers – simultaneously across AML and fraud functions.

The cultural shift required here is as significant as the technical one. Senior leaders and teams must move decisively away from the sporadic reviews that once dominated compliance workflows. End-to-end platforms can deliver continuous, AI-powered intelligence – consistently raised and consistently actioned – all aligned under the single regulatory framework the COFI Bill demands. The result is a more interconnected barrier against sophisticated criminality: a collective of similarly well-equipped institutions, closing the gaps that criminals have long relied upon.

Elements of a COFI-ready institution

Regulatory technology (RegTech) providers already help a broad range of financial services firms overcome compliance burdens – taking quality AML from an aspiration to an operational reality through cost-effective, integratable, and bespoke AI-driven solutions.

Strategic partnerships with RegTechs can craft risk conduct processes fully compliant with the Twin Peaks model, and strengthen the internal tools required for advanced AML and fraud detection, investigation, and reporting. In practical terms, a COFI-ready institution will typically need to:

  • Maintain board-level dashboards to oversee market conduct governance and measure outcomes of anti-financial crime platforms
  • Integrate with existing KYC and AML data and workflows to sharpen the accuracy of high-risk alerts across all teams, and monitor transactional behaviour changes in real time
  • Adopt explainable AI models that document their decision-making when flagging anomalous risk behaviours – including those indicative of laundering, fraud, or other financial crime typologies
  • Create a single source of truth for tracking and auditing financial data, supporting the automated compilation of suspicious activity reports to the FIC
  • Deploy flexible cloud-based infrastructure that scales with growing customer data volumes and adapts to shifting risk thresholds as Twin Peaks’ and COFI’s requirements evolve

With consistent platform support and ongoing staff training, cross-functional teams can operate productively under standardised frameworks – eliminating the manual inefficiencies, repetitive processes, and false-positive overload that siloed AML, fraud, and prudential risk workflows have long produced.

How to build a COFI-ready institution

A positive future for financial crime governance

The COFI Bill’s vision of collaborative, system-wide financial crime prevention is ambitious, but it is also achievable, and South Africa is better positioned than many to deliver it. Every firm must centralise internal policies, invest in staff development, and unify teams under a single AML and fraud system. The path away from siloed compliance is supported by two distinct advantages: a clear, singular regulatory direction to navigate; and the practical assistance of RegTech partnerships to get there.

When a shared base standard for market integrity and anti-financial crime controls is established and sustained, the compliance gaps that organised criminals depend on begin to close. Real-time data sharing becomes the norm rather than the exception. Every structural pillar of the process – from board oversight to transaction monitoring to cross-sector intelligence sharing – reinforces a compliance-first culture capable of matching the sophistication of today’s financial criminals.

South Africa has the framework. Now it needs the collective will to use it.