Regulating the Disruptor: Fintech’s Legal Evolution in South Africa

Crypto used to be that thing your cousin traded at 2 am.

Now it operates under a licence.

That, in many ways, is the story of fintech in South Africa.

For years, crypto exchanges operated in regulatory limbo. Not illegal. Not formally legal. They functioned in a tolerated space, visible to regulators but not fully inside the system.

That space has now closed.

South Africa has brought digital assets into its financial architecture. They operate under licence, under supervision, and under the same anti-money laundering rules that govern traditional finance.

Drawing the Regulatory Perimeter

The real shift occurred when the Financial Sector Conduct Authority (FSCA) classified crypto assets as “financial products” under the Financial Advisory and Intermediary Services Act.

That single move changed the tone of the entire industry.

Crypto platforms could no longer operate as tech startups experimenting with financial tools. If they offered advice or intermediary services relating to digital assets, they had to apply for a FAIS licence. That meant submitting to supervisory oversight and embedding formal compliance structures.

By late 2025, hundreds of applications from Crypto Asset Service Providers had been processed. Some firms were approved. Some were refused. A number withdrew once they realised the regulatory bar was higher than expected.

The FSCA did not create an entirely new crypto statute. Instead, it extended existing financial law over digital assets. It was pragmatic and efficient.

Crypto, in other words, stopped being experimental fintech. It became regulated finance.

Surveillance Becomes Standard

Licensing was only the first layer. Anti-money laundering enforcement followed.

Crypto platforms are now accountable institutions under the Financial Intelligence Centre Act. That sounds technical, but in practice, it changed how the industry operates day-to-day.

Crypto was once marketed on speed and pseudonymity. Open a wallet. Move value. Minimal friction.

Crypto is no longer operating in a parallel financial universe. It is subject to the same scrutiny as traditional banking transactions. Identity must be verified. The source of funds may be questioned. Unusual transaction patterns must be flagged and, where necessary, reported. Large transfers can no longer move quietly without identifying information attached.

For regulators, that is a win. It reduces crime risk and increases transparency.

For platforms, it raises compliance costs. Building systems, hiring compliance teams, and engaging with regulators is expensive. Smaller players feel it more sharply than large, well-funded exchanges.

But this is the trade-off of legitimacy. If fintech wants institutional trust, it cannot operate outside the surveillance framework that governs the rest of the financial system.

When the Banks Joined the Party

If licensing brought crypto into the system, banking integration cemented it there.

Discovery Bank’s decision to integrate crypto trading through Luno inside its app in late 2025 was more than a feature upgrade. It was a statement that digital assets are no longer too fringe for mainstream banking. A retail customer could now view their savings account, credit card balance, and crypto holdings on the same interface.

And banks do not move lightly. That integration required more than software compatibility. It required legal alignment.

If a customer’s crypto holdings dropped sharply in value, who would carry disclosure responsibility? If operational failure prevented access to assets, where did liability sit?

Those are not marketing decisions. They are legal and governance decisions.

The Legal Profession Responds

As the regulatory perimeter expanded, so did the demand for specialised advice.

Firms such as Bowmans and Webber Wentzel have built dedicated fintech and financial regulation teams because crypto has outgrown its experimental phase. A licence application now needs more than just regulatory paperwork. It requires decisions about corporate structure, custody models, data governance, tax exposure, and cross-border strategy, all at once.

What makes fintech interesting from a legal perspective is that it forces disciplines to overlap. Regulatory law meets corporate structuring. Data protection meets AML compliance. Banking law meets digital asset custody.

It is not a new area of law entirely. It is an intersection of several.

And that intersection is where a lot of the real work now sits.

Is Fintech Fully Grown Up?

Almost.

South Africa has done the difficult work. It pulled crypto out of the shadows and into the regulatory system. Licensing under FAIS introduced accountability. AML rules introduced traceability. Banking integration introduced legitimacy.

But maturity in financial regulation has two dimensions: depth and reach. And this is where the conversation becomes more nuanced.

Strong on Conduct, Lighter on Prudence

The current framework focuses primarily on how crypto businesses behave. It sets standards for governance, disclosure and compliance. That is conduct regulation.

Banks, however, are regulated differently. Beyond conduct rules, they must hold capital buffers. They are stress-tested. If they fail, there are structured resolution mechanisms.

Crypto exchanges, even when licensed, are not subject to that same prudential framework. So if an exchange were to collapse because of liquidity problems or operational weaknesses, retail investors would not have the same safety architecture that protects traditional depositors.

This does not mean the system is flawed. It means it is still layered differently. As digital assets become embedded inside mainstream banking apps, the gap between conduct regulation and prudential oversight becomes more relevant.

The deeper crypto moves into the financial core, the harder that distinction will be to ignore.

Clear Perimeter, Unclear Edges

If the first issue is depth, the second is scope.

The licensing model works well when there is a company to supervise. But decentralised finance platforms do not always operate through a central operator. Some systems function through distributed governance and automated code rather than traditional management structures.

So the question becomes straightforward: if there is no identifiable entity, who exactly does the regulator license? If a protocol fails, where does accountability sit?

At present, South Africa regulates the gateways into these systems, such as exchanges and custodians. That approach is practical and effective for now. But if decentralised models expand significantly, regulators may need to rethink how oversight functions in systems where control is dispersed, and responsibility is less visible.

A Market Growing Into Itself

South Africa has moved fintech from speculation to structure. But as digital assets move closer to the financial core, the legal questions become more complex, not less.

Regulation has caught up once.

The next challenge is whether it can keep pace with the system it helped formalise.