Dear Defenders of Doing Things Right,
South Africans were treated to a blood moon this month, and astronomers gave their usual reminder that a red moon, much like our newsletter, is nothing to panic about! Lunar eclipses come around every 18 months or so, and we would be lying if we said we hoped that compliance updates followed a similar timetable ...
They land when they land, and usually mean more work. But that’s where we come in.
We’re a week late this month, but your training isn’t. We keep the course updates steady, you keep your teams learning.
POPIA
Consent, transparency, fairness: do your staff know the rules?
South Africa’s Information Regulator is investigating Truecaller for potential POPIA breaches, focusing on its crowd-sourced collection of contact details and its controversial “pay-to-whitelist” service.
Why it matters:
Third-party tools can put your organisation at risk, even when you don’t control how they collect or use data, which is exactly what the regulator is now testing Truecaller against using POPIA’s eight conditions for lawful processing.
Do your employees know what these eight conditions are?
Would they recognise when a supplier’s practices could expose your business to non-compliance?
Customer service and sales staff, who often rely on calling clients, need to be especially alert to the risks of sharing or using contact data.
Our POPIA in a Nutshell course takes less than an hour to complete. It's a simple way to raise awareness before the regulator asks questions.
Fraud and corruption
Trust can collapse in a single moment. Are your leaders ready to make the right call?
A South African CEO was exposed for attempting to bribe a journalist, prompting warnings about corruption risks and weak ethical culture.
Why it matters:
Bribery doesn’t only take place in tenders or procurement. It can arise in day-to-day decisions where individuals feel under pressure, and one poor decision under pressure can unravel years of effort and destroy leadership credibility overnight.
Tone from the top drives the culture of the entire organisation, and this scandal shows how quickly trust can collapse.
The real question is: are you confident your senior management team are trained to make the right call when the pressure is on?
Competition Law
When a WhatsApp chat becomes collusion
A group of major banks have been accused of colluding to fix the rand, with their conduct likened to cartel behaviour.
Why it matters:
Collusion is a core competition law risk any business can face when employees engage with competitors. Do your staff realise that even an informal WhatsApp chat about pricing or market allocations can amount to unlawful conduct?
So while our Competition Law training doesn’t require an update, it’s a strong reminder that employees in sales, procurement, finance, and leadership roles must understand how everyday conversations or “routine” agreements can cross the line, and the severe consequences that follow.
Collusion isn’t only about price-fixing
In a separate case, the Competition Tribunal confirmed a R30 million settlement with WesBank and Toyota Financial Services SA over market division in car finance.
Why it matters:
Collusion isn’t only about price-fixing. Internal agreements, exclusivity clauses, or shareholder arrangements can also be anti-competitive. Competition risk often hides in structural agreements, not just pricing.
The problem:
Many employees still think competition law only applies to sales or pricing. This case shows competition risk isn’t limited to pricing; it can be built into contracts and internal agreements too. That gap in awareness can leave businesses exposed.
The solution to both these stories is to close that gap.
Our Competition Law course brings these scenarios to life in under an hour, and Policy Passport can ensure responsibilities are understood, attested to, and audit-ready.
FICA
Training is the key to a living RMCP
On 1 September 2025 the FIC issued Revised Guidance Note 7A. It sets out updated expectations for accountable institutions, including how to design, document and approve RMCPs, handle customer due diligence, identify beneficial ownership, apply risk-based approaches, and implement sanctions screening.
Why it matters:
These are not cosmetic edits. They raise the bar for how accountable institutions demonstrate compliance in practice and confirm that training must be kept up to date with current risks and regulatory expectations.
Our FICA for Accountable Institutions course already addresses AML/CFT, KYC, sanctions screening, and RMCP obligations, so we’re relieved about that.
However, your RMCP is only as strong as the people who understand and follow it. Policy Passport can help you evidence that staff have read and understood your RMCP. It provides exactly the sort of audit trail you’ll need if the regulator comes calling.
Cybersecurity
One data breach, many consequences
A series of recent cyber incidents were reported locally, including ransomware attacks and data breaches targeting global businesses.
Why it matters:
Cyber incidents matter because they don’t just cause IT disruption; they create compliance, reputational, and legal risks. If customer data is compromised, it immediately raises POPIA obligations in South Africa and GDPR obligations if EU data is involved.
Do your employees know how to spot and report phishing emails before they click?
Would your senior management team know how to communicate a data breach to regulators and clients within the required timeframe?
These are not IT-only questions; they’re compliance questions.
We have a cybersecurity course, but did you know that Policy Passport can ensure your staff know the exact steps to follow if a breach happens, and give you an audit trail to prove it?
Thanks for reading.
As always, if there’s something you’re grappling with, let us know. We’re happy to share what we’ve seen working elsewhere.
Enjoy the warmer weather, never panic, and we’ll see you next month.
The Compliance Online team

