This is not a future-tense story anymore.
Cabinet approved the Conduct of Financial Institutions Bill following its meetings of 25 March and 1 April 2026. Finance Minister Enoch Godongwana then gave formal notice in the Government Gazette of the Bill's introduction to the National Assembly. The bill that the South African financial services industry has been debating since 2018 is now in Parliament, moving toward enactment. MoonstoneMoonstone
For every FSCA-regulated forex broker in South Africa, the transition period has started, whether your operations are ready for it or not.
Every Financial Services Provider will need to apply for a new licence under COFI, which makes 2026 a critical transition period. Beyond licensing, COFI introduces enhanced standards for advertising, disclosure, and communication, and expands the focus from pre-sale advice to the entire client relationship, including post-sale service levels, complaints management, and redress. Fia
There is also a hard deadline that applies regardless of when COFI is formally enacted: the Omni-Risk Return is scheduled to go live in September 2026. The first Omni-Risk Return submission will be due in September 2026, regardless of whether COFI is enacted or not. That is four months away. FiaFAnews
This article explains exactly what COFI means for a forex brokerage's operations, what the Omni-Risk Return requires you to demonstrate, and where a CRM either solves these problems or becomes the compliance liability itself.
Most of the coverage of COFI focuses on the legislative architecture: activity-based licensing replacing product-category licensing, the consolidation of FAIS and multiple other conduct acts into a single framework, the Twin Peaks model reaching completion. That is all accurate and worth understanding.
But the operational question for a forex brokerage running sales, retention, compliance, and finance teams is more concrete: what does COFI require you to do differently on Monday morning?
Here is what changes at the operations level.
Under FAIS, the main conduct obligations for forex brokers centred on onboarding, know your client, verify documents, apply AML/KYC, disclose terms before someone signs up. Post-sale conduct was largely about not doing harmful things: no manipulation, no misleading communication, segregated funds.
COFI expands that focus. Advice businesses will be judged not only on how they onboard clients, but on how they treat them throughout the client lifecycle. This includes post-sale service levels, how complaints are handled and resolved, how disclosure is maintained across the relationship, and whether communication is accurate and in plain language throughout, not just at onboarding. Fia
For a forex brokerage, this means every retention call, every email campaign to dormant clients, every push notification about a market move, every IB communication, all of it now sits inside the conduct framework. If your retention team is operating without documented processes, if your marketing sends messages that overstate returns, if your complaint resolution sits in someone's inbox with no audit trail, those are COFI compliance gaps, not just operational shortcomings.
Marketing that exaggerates benefits or hides fees will no longer be tolerated under COFI. This is a direct problem for a market where forex brokerages have historically competed partly on bold performance claims in advertising. Fia
"Trade with the best" is vague enough to survive. "Earn up to 40% monthly returns with our signals", which still appears in marketing from some brokers operating in the South African market, is exactly the kind of claim COFI is designed to eliminate. The FSCA has already signalled that enforcement will become more visible. Expect more public warnings, published penalties, and licence suspensions or withdrawals for non-compliance. Reputational risk is real and no firm can afford to appear on the wrong side of a regulatory notice. Fia
For a brokerage whose marketing materials, IB scripts, and sales team phrasing have not been reviewed against these standards, that review needs to happen before September, not when the final conduct standards are published.
This is the most immediate hard deadline, and it catches many brokerages off guard because it does not depend on COFI being enacted.
The Omni-Risk Return is a 12-section structured report that every FSP will submit. It sits alongside your entity profile to help the FSCA calculate your risk score and decide the level of oversight your firm is subject to. The FSCA will use this data to identify patterns of client complaints, lapses in disclosure, governance weaknesses, and operational risks across the sector. FAnews
In practical terms, financial institutions will need to strengthen internal reporting systems to capture accurate, timely data and align operational and compliance functions to produce consistent information. Fia
For a forex brokerage, the Omni-Risk Return will ask you to report on, among other things, your client complaint volumes and resolution outcomes, your disclosure practices across the client journey, your governance structure, your product oversight processes, and your operational risk management. If the data to answer these questions does not currently exist in a structured, consistent format, you have four months to build the systems that generate it.
Firms should already be mapping their current services to COFI's schedule of licensed activities to identify overlaps, gaps, and areas that may require re-licensing. Fia
Under FAIS, your license was categorised by product type, forex, securities, derivatives. Under COFI, the license maps to the activity being performed. For a forex brokerage that operates as both intermediary and OTC derivatives provider, that may involve separate activity authorisations. For one that also runs an IB program with disclosed commission structures, the intermediary activity needs to be correctly categorised.
The COFI Bill explicitly introduces obligations to maintain the integrity of customer data and advice records, and requirements to ensure that automated tools comply with duty of care obligations. If your CRM is automating client communications, lead scoring, or retention triggers, those automations are now within scope of your compliance obligations, not just your operations. Financialregulationjournal
This is the part most compliance discussions skip, because they focus on policy rather than operations. But the reality is that COFI compliance at a forex brokerage is not primarily a legal question after the relicensing is done, it is a data and workflow question. Your CRM is either generating the data COFI requires, or it is not.
Here is how this maps out practically.
COFI requires documented complaint handling with structured outcomes data. In most mid-size forex brokerages in South Africa right now, client complaints are not centralised, they arrive via email, WhatsApp, phone, and live chat, get handled by whichever team member picks them up, and are resolved without a consistent record of the issue, the response, the timeline, and the outcome.
When the Omni-Risk Return asks about complaints management, a brokerage whose complaints live across four different inboxes cannot answer accurately. And inaccurate answers to a regulatory risk assessment are themselves a compliance event.
A CRM that centralises client communication across all channels, email, calls, chat, SMS, and logs every interaction against the client record gives you the complaints data COFI requires, not as a reporting exercise but as a natural output of how your operations run.
COFI requires that all client-facing information be accurate, balanced, and written in plain language throughout the client relationship. Not just in the terms and conditions at onboarding, in every communication. Fia
If your retention team is sending ad hoc emails, your sales team is making verbal commitments that are not logged, and your marketing is running campaigns that have not been reviewed against disclosure standards, there is no way to demonstrate to the FSCA that your disclosure across the client lifecycle was compliant. You cannot reconstruct it from memory after a supervisory query arrives.
A CRM that creates an auditable record of every client-facing communication, tied to a timestamp and the agent who sent it, gives you that trail. It is not about surveillance, it is about being able to answer the question "what did your client see and when did they see it?" with actual data rather than an estimate.
The single biggest operational shift in COFI for forex brokers is the extension of conduct obligations across the whole client relationship. Under FAIS, you could argue that a client who funded their account and then went dormant was technically served, they were onboarded correctly, funds were segregated, no misconduct occurred. Under COFI, a client who funded and then went three months without engagement is a question about your post-sale service standard.
That changes what your CRM needs to do. It is not enough to record that a client exists and has a funded account. The system needs to track client activity, flag disengagement, generate a retention response, and create a record of what happened. That is how a brokerage demonstrates it treated clients fairly throughout the relationship, not just at the point of sale.
The Omni-Risk Return is designed to give the FSCA a consistent, data-driven picture of each FSP's conduct, risks, and outcomes. The FSCA explicitly said this data should be used internally as a management tool, not just filed for compliance. Fia
A brokerage whose management team is working from weekly spreadsheet reports compiled by an operations analyst is not in a position to produce Omni-Risk Return data accurately or efficiently. The data needs to be live, centralised, and consistent across all teams. If your sales numbers, your complaint logs, your disclosure records, and your client activity data all live in different systems, your Omni-Risk Return will be an expensive reconciliation exercise every reporting period.
Now through June 2026, Map your activities and audit your current systems.
Walk through every service your brokerage provides and map it to COFI's activity-based licensing categories. Identify where your current FSP and ODP authorisations cover what you do and where gaps exist. Simultaneously, audit your CRM and back-office systems against the data requirements the Omni-Risk Return will impose. If your systems cannot generate complaint volumes, resolution timelines, disclosure audit trails, and client engagement data in a structured format, that gap needs to be closed before September.
June through August 2026, Fix the operational gaps.
This is when brokerages that identified gaps in the mapping exercise need to implement changes. For most mid-size brokerages, this means centralising client communication into a single CRM, establishing a formal complaint logging process with consistent resolution tracking, reviewing all marketing and sales communication against COFI's plain language and accuracy standards, and ensuring the IB management structure is fully documented with compliant commission disclosure.
September 2026, First Omni-Risk Return submission.
This deadline applies regardless of where COFI is in the parliamentary process. Your first structured risk return to the FSCA goes in. If your data is not ready, you cannot negotiate this deadline.
Ongoing, Relicensing under COFI's activity-based framework.
Once COFI is enacted and the transitional period begins, every FSP needs to apply for authorisation under the new activity-based framework. Financial institutions must evaluate their operational capabilities and confirm that automated and technology-driven systems and processes remain fit for purpose under the new regulatory expectations. That evaluation should not wait until the new licence applications open. Bizcommunity
AltimaCRM is built specifically for regulated forex brokerages, not adapted from a generic CRM. That distinction is directly relevant to COFI compliance because the platform is built around the operational reality of running a brokerage across multiple teams, not around managing a generic sales pipeline.
The compliance-specific capabilities matter here: automated KYC and AML workflows that create audit-ready records at every step of onboarding; centralised client communication logging across email, VoIP, SMS, and chat so that every interaction is tied to a client record with a timestamp; complaint tracking that creates the structured resolution data the Omni-Risk Return requires; and real-time management reporting across sales, retention, compliance, and finance that gives the brokerage leadership the live operational picture they need to both manage the business and produce accurate regulatory data.
The platform manages over 1.2 million leads and serves 45,000 daily active users across regulated brokerages in Europe, the Middle East, and Africa. The 18 years behind AltimaCRM have been spent inside a regulatory environment that has always demanded audit-ready compliance documentation, which means the infrastructure that COFI now explicitly requires for South African brokerages is already how the platform is built.
A CRM that cannot generate centralised complaint logs, disclosure audit trails, and client engagement data is not just an operational inconvenience under COFI. It is a liability in your Omni-Risk Return, in a supervisory query, and eventually in a licence renewal.
See how AltimaCRM supports COFI-ready operations for regulated brokerages
The COFI Bill is now formally introduced to the National Assembly. The Omni-Risk Return goes live in September 2026 regardless of when COFI is enacted. The three-year transitional period for full COFI implementation begins once it passes, but the compliance data requirements, the conduct standards for advertising and disclosure, and the whole-of-lifecycle client treatment expectations are shaping FSCA supervision right now, not in three years. MoonstoneFAnews
For a forex brokerage whose operations were built for FAIS, front-loaded compliance, manual post-sale processes, ad hoc complaint handling, the gap between where you are and where COFI requires you to be is real and measurable. The brokerages that close that gap before September are the ones whose Omni-Risk Return reflects an operation under control. The ones that do not will be answering supervisory queries about the gaps the FSCA's risk engine identifies.
The conversation about your CRM is not a technology conversation. It is a compliance readiness conversation.
See AltimaCRM in action.
