The department of home affairs has published draft regulations that would give banks, telecom companies and other regulated businesses a formal role in enrolling citizens for the country’s new digital ID system.
The regulations, gazetted by home affairs minister Leon Schreiber, establish the digital ID as a legally equivalent alternative to the physical ID card, accessible through a mobile application, MyMzansi.
The move is the latest step in a broader strategy by Schreiber to embed private-sector institutions in the delivery of home affairs services.
In August 2025, the department announced partnerships with Capitec and FNB to offer smart ID and passport applications at certain branches and roll out the service at 1,000 branches by 2029.
The regulations outline a federated digital identity system in which the state remains the primary source of identity data while relying on banks, telecom operators and other regulated sectors to expand verification.
If implemented, the regulations could reduce fraud and lower compliance costs in industries such as banking and telecommunications, though it also introduces risks about data governance, liability and the concentration of identity infrastructure among a limited number of large private players.
Under the draft regulations, companies can apply for accreditation as trusted entities, which would allow them to operate as enrolment points, receive identity data from the national population register in real time and feed verified information back into it.
Companies with an existing statutory obligation to verify identity, for example, banks, mobile operators, social grant administrators and licensing bodies, will not automatically qualify for accreditation and will have to apply.
A bank that onboards a customer through an accredited enrolment point can verify the person’s identity against the population register in real time, receive automatic notifications when that person’s details change and satisfy its regulatory know-your-customer obligations in a single interaction.
Private entities must keep audit logs for seven years, report security breaches within 24 hours, and can have their accreditation withdrawn at any time. They are also explicitly barred from using identity data for profiling, commercial purposes, or any form of generalised searching of the population register.
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.