South African Banks Face Tighter AI Scrutiny as Deployment Races Ahead

South Africa’s Prudential Authority (PA) has pulled artificial intelligence, cloud computing and cyber security into the same rulebook it uses to judge whether a bank is safe. That is the finding in the regulator’s newly published 2025/26 Annual Report, first reported by ITWeb. The report shows technology risk has moved out of the IT department and into the centre of prudential supervision.

Standard Bank, First National Bank (FNB), Absa, Capitec and Nedbank are all moving AI out of pilot projects and into core operations this year. The PA’s own survey found the governance rules, staff and model oversight needed to manage that shift are still catching up.

Tech Risk Moves Into the Prudential Rulebook

The PA operates inside the South African Reserve Bank (SARB) and supervises banks, insurers, cooperative financial institutions, financial conglomerates and certain financial market infrastructures. Its job is protecting depositors, policyholders and the wider financial system by keeping those institutions financially sound.

The annual report says South Africa’s financial system remains stable, but that technological change is increasing the complexity of supervision and the skills required at both board and executive level.

“Digital transformation is also changing the risk profile of banks. As institutions expand across Africa, modernise legacy systems and adopt AI-enabled technologies, boards are expected to oversee increasingly complex operating environments while maintaining sound governance and risk controls,” the report states.

Over the past financial year, the PA has:

  • Introduced new standards covering cyber security and cyber resilience
  • Introduced new standards on cloud computing and data offshoring
  • Run its first nationwide survey into AI adoption across the financial sector
  • Published Joint Communication 2 of 2025 on cloud computing and data offshoring with the Financial Sector Conduct Authority (FSCA) in July 2025
  • Flagged plans to publish a discussion paper on model governance across the banking sector

The push follows the first joint study of AI use in finance that the PA and FSCA released together, which the regulator says now feeds directly into how it supervises individual institutions.

A Sector Still Mostly Offline

The numbers behind that first AI survey are stark. About 2,100 institutions across banking, insurance, investments, pensions and payments answered the PA and FSCA’s joint questionnaire, run between October and December 2024 and published in November 2025.

Adoption varies sharply by segment.

Segment AI Adoption Rate Leading Use Case
Banks 52% Fraud detection and credit scoring
Payment providers 50% Fraud detection and transaction monitoring
Pension funds 14% Portfolio optimisation and risk modelling
Insurance 8% Underwriting and claims management
Lending 8% Credit scoring and underwriting

Banks lead adoption and outspend every other segment on it. More than 45% of banks already using AI plan to invest above R30 million as they scale into 2026, while most other institutions spent under R1 million in 2024.

Traditional machine learning still does most of the work today, largely in fraud detection and back-office automation. Generative AI is earlier stage but growing fast, gaining ground in sales, marketing and customer-facing document work. The findings echo a broader pattern: regulators worldwide are encouraging AI innovation while demanding stronger governance over systems that influence lending, underwriting and fraud decisions.

Five Big Lenders Push Past the Pilot Stage

Standard Bank, FNB, Absa, Capitec and Nedbank all told ITWeb they are entering a new phase of their AI journey in 2026, shifting from pilot projects and isolated experiments into large-scale deployment across fraud detection, customer service, risk management and digital platforms.

Two of the five are already publishing numbers.

  • 20% better campaign outcomes: Standard Bank’s AI-enabled cross-selling tools are driving the gain, and its SmartNudge recommendation engine posts a 66% acceptance rate.
  • 65% of digital queries: Standard Bank’s conversational AI now handles that share across a customer base of nearly 20 million people in 21 sub-Saharan African countries.
  • 312,000 work hours saved: Nedbank credits 30 advanced AI use cases launched in 2025 for the saving.
  • R186 million in realised benefits: Nedbank says the same projects cut global payment processing times by about 30%.

Those figures come from the Evident AI Index, which found South African banks leading AI maturity across the Middle East and Africa. Core-technology vendors are chasing similar scale elsewhere in banking, with one platform embedding AI across 1,500 partner banks even before full access arrives in 2027.

Why Is Agentic AI Such a Problem for South African Law?

South African law assumes every bank customer is a person: a name, a salary, a credit history. Agentic AI systems now initiate transactions and act on a customer’s behalf without a human present, and neither the Financial Intelligence Centre Act (FICA) nor the National Credit Act was written with that possibility in mind.

FICA requires identity verification. The National Credit Act governs lending. Neither considered a non-human transacting party, a gap that surfaced at Nedbank’s Innovation Day in Johannesburg, where banking and technology leaders pointed to a blind spot: figuring out who, or what, sits on the other side of a transaction.

The legislation that they have was barely looking to catch up with AI, and it wasn’t ready then for agentic AI.

David Kerrigan, a technology analyst who lectures at Stanford’s Continuing Studies programme and consults for Mastercard and Enovation, made that point at the event. He said the same gap exists well beyond South Africa, pointing to AI agents already initiating financial transactions on people’s behalf worldwide.

Ciko Thomas, Nedbank’s group managing executive for personal and private banking, acknowledged the issue. “As more autonomous capabilities emerge, the regulatory conversation will evolve, particularly around liability, consent and accountability,” he said.

Absa has taken a more cautious public line, saying it still requires a human in the loop for critical decisions. It treats AI purely as a productivity tool, declining to let it take over sensitive calls outright.

Retiring Executives Leave a Governance Gap

The PA’s report also flags a staffing problem: experienced people are leaving the industry just as boards need them most.

“Board- and executive-level retirement challenges to independence and shortages of experienced talent, especially in Africa region operations, remain areas of ongoing supervisory focus. Skills gaps in key risk and control functions persisted across some banks,” the report says.

“Supervisory engagement should focus on whether boards and senior management can maintain effective governance given the increasing intricacy of models, digitalisation and the swift adoption of new technologies requiring different skills,” it adds. The PA’s own AI survey found regulatory uncertainty, shortages of specialised AI skills and governance challenges among the biggest constraints institutions report facing.

The Rulebook for AI Models Is Still Being Written

The PA says it intends to publish a discussion paper outlining its AI survey findings, aimed at promoting greater consistency in model governance across the banking sector. No publication date has been set.

Cyber risk is climbing alongside the AI push. South Africa’s Information Regulator has logged almost 2,000 data breaches since April 2025, a 40% increase from 2024, Baker McKenzie noted in a client briefing on the sector.

The PA says it is participating in international workstreams examining cyber resilience, climate risk and emerging technologies to keep South Africa’s supervisory approach aligned with global peers. Canada’s banking regulator has taken a similar tack. The Office of the Superintendent of Financial Institutions (OSFI) privately warned banks about Anthropic’s Mythos risk months before it became public.

For now, the model governance discussion paper is still just a plan.

Frequently Asked Questions

What Is South Africa’s Prudential Authority?

The Prudential Authority is the arm of the South African Reserve Bank created under the Financial Sector Regulation Act of 2017. It absorbed the Reserve Bank’s own bank supervision unit, the insurance-supervision team from the former Financial Services Board and the co-operative financial institution unit from National Treasury, giving it a single mandate to supervise banks, insurers, co-operative financial institutions, financial conglomerates and certain market infrastructures.

How Many South African Financial Firms Actually Use AI Today?

Just 220 of the roughly 2,100 institutions that answered the PA and FSCA’s joint survey, about 10.6% of the full sample, said they already use AI in production. Adoption is far higher inside banking alone, where 52% of banking respondents reported deployed AI systems.

What Does Joint Communication 2 of 2025 Require?

Published in July 2025 by the PA and FSCA, the guidance asks banks and insurers to strengthen governance over outsourced technology services, understand exactly where their critical data resides and put risk mitigation measures in place before moving sensitive workloads onto cloud platforms.

Does the New Scrutiny Cover Fintechs and Cloud Vendors Too?

Yes. The PA has said explicitly that both banks and fintech firms face the tighter oversight, and its supervisory focus extends to third-party technology providers, including the cloud vendors banks increasingly depend on, even though the PA does not license those vendors directly.

Will South Africa Pass AI-Specific Financial Regulation?

Not yet. Current oversight leans on the Protection of Personal Information Act (POPIA) and existing sector laws like the Financial Advisory and Intermediary Services Act rather than a dedicated AI statute, and financial institutions have pushed regulators toward principle-based rules focused on outcomes instead of rigid requirements.

Leave a Reply

Your email address will not be published. Required fields are marked *