February 20, 2026
12 minutes

How will agentic commerce be regulated in South Africa?

Explore the regulatory implications of agentic commerce in South Africa. Learn how SARB oversight, NPS compliance, FICA, POPIA and operational resilience shape delegated AI-driven payments.

Kathryn Santana, Compliance + Regulatory Lead and Simone le Roux, Marketing Manager

Agentic commerce has introduced a structural shift in the way online transactions are initiated and authorised, particularly in the retail and e-commerce space. When AI agents act on behalf of users to discover, evaluate and execute purchases, payment systems move from user-initiated interaction to delegated authority.

In South Africa, this shift cannot be considered purely a technological evolution. It intersects directly with the National Payment System (NPS), the oversight mandate of the South African Reserve Bank (SARB), Prudential Authority standards and broader compliance frameworks such as the Protection of Personal Information Act (POPIA).

For enterprises operating at scale, the question is not whether agentic commerce is feasible. The question is whether current governance, authorisation and control frameworks are sufficient to support delegated transactions under South African regulatory expectations.

Stitch Compliance lead Kathryn Santana explores how this new technology is being evaluated within South Africa’s regulatory landscape.

The regulatory perimeter: where agentic commerce fits

The SARB oversees the safety, efficiency and integrity of the National Payment System which operates under the National Payment System Act (NPS Act). Its mandate includes market conduct, systemic stability, payment clearing and settlement, acquiring and the oversight of payment service providers.

Agentic commerce is not a new regulatory category in itself. However, it introduces new operational and risk dynamics within existing regulatory structures.

Three areas are particularly relevant:

  1. Authorisation and mandate governance
  2. Operational resilience and systemic risk
  3. Data protection and financial crime controls

Each of these is already governed under South African law. Agentic commerce alters how they must be implemented in practice.

Delegated authority and mandate control

At its core, agentic commerce depends on delegated decision-making; a user authorises an AI system to act within defined parameters. In regulatory terms, this resembles mandate-based payments, such as debit orders or variable recurring payments, where consent and limits are central.

South African regulators have historically placed strong emphasis on clear customer mandates, revocation rights and dispute resolution processes. Under the NPS framework and card scheme rules, merchants and acquirers must demonstrate that a valid mandate exists for recurring or variable payments.

Agentic commerce increases the complexity of this requirement. Enterprises must ensure that:

  • Delegated authority is explicitly captured and recorded
  • Spending limits and conditions are enforceable and auditable at the infrastructure level
  • Customers can revoke or amend permissions in real time
  • Dispute processes clearly identify agent-initiated transactions

From a compliance perspective, the key issue is enforceability. It is insufficient to rely on user interface disclosures alone. Controls must be embedded within payment infrastructure so that transactions outside approved parameters cannot execute. 
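The sketch below is an added example, not Stitch's code or any scheme's API: a minimal mandate check that sits in the payment path, applies its rules in a fixed order, honours revocation immediately and records every decision as agent-initiated. The `Mandate` and `Gateway` classes, their field names and the sample identifiers are all hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class Mandate:  # hypothetical record of authority delegated to one agent
    customer_id: str
    agent_id: str
    per_txn_limit: Decimal   # ZAR ceiling for a single payment
    period_limit: Decimal    # ZAR ceiling across the mandate period
    merchants: frozenset     # merchants the agent may pay
    revoked: bool = False
    spent: Decimal = Decimal("0")

@dataclass
class Gateway:  # hypothetical enforcement point in the payment path
    mandates: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def revoke(self, mandate_id):
        self.mandates[mandate_id].revoked = True
        self.audit_log.append({"event": "revoke", "mandate": mandate_id})

    def authorise(self, mandate_id, agent_id, merchant, amount):
        amount = Decimal(amount)
        m = self.mandates.get(mandate_id)
        if m is None:
            reason = "no_mandate"
        else:
            # Fixed-order checks: same inputs and state, same decision.
            checks = ((m.revoked, "mandate_revoked"),
                      (agent_id != m.agent_id, "agent_not_delegated"),
                      (merchant not in m.merchants, "merchant_out_of_scope"),
                      (not 0 < amount <= m.per_txn_limit, "per_txn_limit"),
                      (m.spent + amount > m.period_limit, "period_limit"))
            reason = next((r for failed, r in checks if failed), None)
        if reason is None:
            m.spent += amount
        # Every decision is logged and tagged as agent-initiated for disputes.
        self.audit_log.append({
            "event": "authorise", "mandate": mandate_id, "initiator": "agent",
            "agent": agent_id, "merchant": merchant, "amount": str(amount),
            "approved": reason is None, "reason": reason})
        return reason is None

def sample_gateway():
    # Constructed sample data, not real identifiers.
    m = Mandate("cust-1", "agent-A", Decimal("500"), Decimal("800"),
                frozenset({"grocer"}))
    return Gateway(mandates={"m-1": m})
```

In a concurrent system the limit check and the spend update must happen atomically, otherwise two simultaneous requests can each pass the period ceiling.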

It is therefore essential that any agentic payment method is rigorously tested to safeguard consumers, merchants and payment providers. Because liability can be allocated to the negligent party, failures can carry significant and far-reaching consequences for all participants in the payments ecosystem.

For enterprises regulated by the Reserve Bank or operating within financial services, this intersects with broader governance obligations relating to operational risk and conduct risk.

Operational resilience and systemic stability

The SARB has increasingly emphasised operational resilience within the payments ecosystem. Load shedding, cyber incidents and systemic shocks have reinforced the importance of continuity planning and robust infrastructure.

Agentic commerce amplifies these concerns. When agents can execute transactions at scale and potentially at high frequency, infrastructure failures may propagate more rapidly.

Operational resilience in this context requires:

  • Deterministic authorisation logic
  • Clear fallback mechanisms
  • Real-time monitoring and anomaly detection
  • Strict change management processes

Enterprises must be able to demonstrate that automated execution does not introduce uncontrolled systemic risk. This aligns with SARB expectations around safe and efficient operation of payment systems.

In practical terms, agentic commerce demands mature payment orchestration and monitoring capabilities. Real-time policy enforcement, audit logging and transaction traceability are the bare minimum for this process, and they will need to be given heavier focus.

Financial crime, fraud and AML considerations

South Africa maintains a robust anti-money laundering (AML) and counter-terrorist financing framework under the Financial Intelligence Centre Act (FICA). Some payment providers and regulated entities must implement customer due diligence, transaction monitoring and suspicious activity reporting.

Agentic commerce does not remove these obligations. Instead, it modifies transaction patterns.

AI agents may generate more consistent behavioural signals, potentially reducing some traditional fraud markers. However, they may also create new risk vectors, including:

  • Automated exploitation of pricing or refund policies
  • Rapid execution of transactions within authorised ceilings
  • Sophisticated misuse of delegated permissions

Savvy fraudsters will also catch on quickly, and new, more complex fraud methods may evolve from agentic payments. Payment providers will need to ensure that their fraud systems evolve with the agentic payments industry to protect consumers and the financial system from harm.

Enterprises must therefore continuously adapt their fraud models, aligning them not only with behaviour-based detection but also with a strong focus on policy-based validation. At Stitch, we are constantly updating our fraud detection models to identify and prevent fraud in real time. See our recent case study as an example.

Transactions should be assessed not only for anomaly, but for compliance with declared intent and mandate parameters.

From a regulatory standpoint, the ability to evidence oversight is central. Firms must demonstrate that automated decision-making does not reduce their ability to detect and respond to suspicious activity.

POPIA and data governance in agentic environments

Agentic commerce relies on contextual data to function effectively. Agents evaluate preferences, spending patterns and historical behaviour in order to act autonomously.

Under POPIA, personal information must be processed lawfully, minimally and securely. Delegated AI systems therefore introduce heightened governance requirements.

Enterprises must ensure:

  • Explicit consent for data use in agent-driven decision-making
  • Transparent explanations of automated processing
  • Secure storage and transmission of financial data
  • Clear separation of identity and payment credentials

In regulated industries, explainability becomes particularly important. If a customer challenges an agent-initiated transaction, the organisation must be able to explain the decision logic that led to execution.

Data governance frameworks must therefore extend beyond cybersecurity into algorithmic accountability.

Regulatory engagement and proactive design

South Africa’s payments ecosystem has historically evolved through collaboration between regulators, banks, schemes and fintech infrastructure providers. Innovations such as real-time clearing, tokenisation and digital mandates have progressed within existing oversight structures.

Agentic commerce will likely follow a similar trajectory. It may not require new laws to exist, but it does require disciplined interpretation of existing ones.

Enterprises should approach agentic commerce with proactive regulatory engagement. This includes:

  • Stress-testing mandate frameworks against delegated execution
  • Aligning internal risk committees on policy enforcement models
  • Documenting operational controls for audit readiness
  • Ensuring payment partners meet SARB-aligned compliance expectations

Payment infrastructure providers operating within South Africa must already meet scheme, banking and regulatory standards. Enterprises should prioritise partners with demonstrable compliance maturity, including strong information security certifications and operational governance. For example, Stitch has PCI P2PE encryption, dynamic 3DS, ISO 27001 certification and embedded fraud controls designed to protect revenue without hurting conversion.

Strategic implications for South African enterprises

For South African enterprises, the opportunity of agentic commerce lies in improved customer experience and operational efficiency. However, this opportunity must be balanced against regulatory expectations.

Three strategic implications emerge.

  • First, compliance cannot be retrofitted. Delegated transaction models must be designed with mandate control, auditability and revocation built into core infrastructure.
  • Second, governance structures must evolve alongside technology. Risk, finance and engineering teams must collaborate in defining policy boundaries and monitoring controls.
  • Third, resilience remains foundational. In a market shaped by load shedding, infrastructure variability and macroeconomic volatility, payment systems must remain robust under stress.

Agentic commerce may reduce friction at the consumer interface. It should not reduce rigour within the financial system.

The future of agentic commerce in South Africa

Agentic commerce represents an architectural evolution in digital payments. In South Africa, its success will depend not only on technical capability but on regulatory alignment.

The SARB’s mandate to safeguard the National Payment System, alongside broader compliance frameworks such as FICA and POPIA, requires enterprises to embed control, transparency and resilience into delegated transaction models.

For leaders across finance, risk and technology, the imperative is clear: design agentic commerce systems that expand autonomy for customers while preserving the governance standards that underpin trust in South Africa’s financial system.
