Still compliant, still current. Here’s what to know this March
There have been a few important shifts around diversity, cybersecurity, and FICA. Here's what we’re watching, updating, and helping you stay ahead of.
Diversity and Inclusion
Global DEI shifts to watch
In March 2025, DEI strategies are pulling in two directions. Some big US companies are scaling back under political pressure. At the same time, South Africa is re-examining its BEE laws in response to global and local headwinds.
Many businesses are becoming cautious about being seen as overly politicised, especially in a tough economic climate. But local regulations still require demonstrable inclusion efforts. Employment equity, mental health, accessibility, and workplace respect are now tied not just to legal compliance, but to reputation and retention too.
So while global headlines may shift, compliance training in South Africa can’t afford to. The risks, and expectations, are still firmly in place.
Our Diversity and Anti-Harassment courses are designed to help you meet your compliance obligations without overcomplicating the process.
POPIA and Data Protection
Three reasons to stay sharp on POPIA
Real-world reminders: the Pam Golding breach
The recent breach reported by Pam Golding is a sharp reminder that third-party vulnerabilities can still expose personal data and trigger POPIA obligations.
Growing pressure to show your work
There’s increasing scrutiny on how businesses process and protect personal data. It’s not just about policies; it’s about being able to prove that your teams know what to do.
AI and direct marketing: what’s next?
South Africa’s draft National AI Policy Framework is calling for tighter oversight of how AI systems manage personal data, especially in areas like automated decision-making and targeted marketing.
We’re keeping a close eye on developments in AI regulation, ready to update content as the picture becomes clearer.
Cybersecurity and cyber resilience
Financial services: are you ready for June 2025?
Last year, the South African Reserve Bank (SARB) and the Financial Sector Conduct Authority (FSCA) published the Joint Standard 2 of 2024: Cybersecurity and Cyber Resilience Requirements. The Joint Standard establishes clear, specific expectations for cybersecurity practices across financial institutions, including banks, insurers, asset managers, and financial services providers. It is expected to come into effect from 1 June 2025.
Although formal confirmation of the effective date is still pending, the authorities strongly recommend that organisations start preparing now.
A key requirement of the Standard is continuous cybersecurity training for all staff to ensure they stay ahead of evolving cyber threats.
If you’re a financial institution, now’s the perfect time to make sure your training meets the upcoming Joint Standard requirements.
FICA and Accountable Institutions
FIC Guidance Notes: Legally optional, practically essential
FIC guidance notes aren’t law, but they might as well be. They’re the only officially recognised guidance under FICA, so ignoring them means proving compliance another way (and that’s tough to do).
The latest Guidance Note 7A (GN 7A), released on 13 February 2025, has clear expectations around compliance training:
Document your training: The Risk Management and Compliance Programme (RMCP) must clearly define your training approach, including scope, frequency, and specific employee roles involved.
Equip your employees: Staff must know how to identify, manage, and report financial crime risks, including escalating high-risk concerns.
Role-specific content: Training should directly reflect each employee’s exposure to risks, not just generic overviews.
Tailored to your institution: Training must be specifically aligned to your RMCP, risk profile and assessment methods.
Continuous updates: Ongoing training is essential to ensure your teams stay informed as risks and regulatory requirements evolve.
Training with Compliance Online already helps you tick these boxes. All that’s left is to clearly link your RMCP to your training content.
Easy solution: Link your RMCP directly to your training and require trainees to acknowledge they’ve read and understood it.
Going further? We can create customised pages with policy-specific content and integrate them into your course.