July 10, 2026
July 10, 2026
Industry
8 minutes

The enterprise CFO's 2026 payments readiness checklist: PEM, Vision 2030+, open finance and AI in one map

Three major regulatory threads are converging in South Africa's financial sector in 2026: the SARB's PEM Programme and Vision 2030+, the IFWG's open finance framework, and the FSCA and Prudential Authority's AI governance work. This piece maps how they fit together and gives enterprise product, finance and risk leaders a practical checklist of what requires action this year and what can be staged.

The Stitch Team
Share this article
The enterprise CFO's 2026 payments readiness checklist: PEM, Vision 2030+, open finance and AI in one map

Three major regulatory workstreams are converging right now in South Africa's financial sector. For enterprise product, finance and risk leaders, keeping track of each one in isolation is manageable, whereas understanding how they fit together, which require action this year and which can be staged, is harder.

We’ve built that map, drawing on Stitch's existing analysis of the Payments Ecosystem Modernisation (PEM) Programme and SARB's Vision 2030+, and setting them alongside the IFWG's open finance framework and the Prudential Authority and FSCA's joint AI report, to give enterprise teams a single sequencing guide they can act on.

The three workstreams, and why they are converging now

1. PEM and Vision 2030+

The PEM Programme is the SARB's most consequential structural intervention in the national payment system in nearly three decades. It is rebuilding the payment rails from the ground up: upgrading the Real-Time Gross Settlement (RTGS) system to support ISO 20022 messaging, expanding PayShap as the primary fast payments rail with an interoperable QR code called QR+, establishing a National Payment Utility (NPU) through the SARB's 50% acquisition of PayInc (formerly BankservAfrica), and introducing PEMKey, a reusable digital identity and credential framework that allows verified credentials to be issued, held and presented across the ecosystem.

Vision 2030+, published for consultation in February 2026, sets the strategic horizon above all of this. As we wrote in our detailed analysis of the paper, it articulates a shift toward an ecosystem model of payments, where value is created through interconnected participants rather than through dominant single players. One of the clearest signals in Vision 2030+ is the direction of travel on fraud: as payment systems become more resistant to external attack, authorised push payment (APP) scams are emerging as the dominant risk, and the SARB has signalled that enterprises need real-time identity verification and payee validation built into their payment flows rather than relying on post-event detection.

2. The IFWG open finance framework

The Intergovernmental Fintech Working Group (IFWG) completed a comprehensive cost-benefit analysis of open finance in 2025, producing concrete recommendations to guide the implementation of an open finance framework in South Africa. According to the National Treasury's 2026 budget review annexure, the IFWG is now actively progressing implementation work on the back of that analysis.

The framework will require financial institutions to provide secure API access to consumer data, with regulatory oversight covering financial institutions, third-party providers, fintechs and other relevant service providers. The FSCA has indicated that entities using APIs to access data for financial services will require a licence and will be subject to relevant regulatory requirements.

For enterprise businesses, this is not a distant event. Open finance formalises what products like Capitec Pay and Pay by bank have already been demonstrating in practice: bank-to-bank payment APIs that bypass card infrastructure and give consumers direct, authenticated payment flows. The IFWG's position, stated clearly in its policy documents, is that personal financial data stored by financial institutions belongs to the customer. A formal open finance framework makes that portable across institutions and services. Enterprise businesses that handle customer financial data, or that build services on top of third-party payment APIs, need to be thinking now about how their data governance and API management infrastructure will hold up in a regulated open finance environment.

3. The FSCA and Prudential Authority AI report and discussion paper

In November 2025, the FSCA and Prudential Authority published the first comprehensive report on AI adoption across South Africa's financial sector, covering banking, insurance, payments and investments. The survey gained roughly 2,100 responses, and the findings were instructive. Banking and payments institutions are the leading adopters of AI, each with approximately 50% adoption rates. The majority of institutions are investing cautiously, with most planning less than R1 million in AI spend for 2024, though the banking sector shows a strong inclination toward substantial investment of over R20 million.

Critically, the FSCA and PA stated that the report will form the basis of a discussion paper and further stakeholder engagement on regulatory and supervisory questions. For enterprise teams, this is the workstream that is least defined but most rapidly evolving. The direction of travel is toward principle-based regulation focused on outcomes and fairness, with strong collaboration between regulators and industry. POPIA compliance in the context of AI decision-making, governance of automated customer interactions and transparency requirements are all live topics.

This connects directly to agentic commerce and the broader question of AI-driven payment flows. As Stitch's regulatory team outlined in our analysis of how agentic commerce will be regulated in South Africa, the SARB has not created a new regulatory category for AI-driven payments, but the existing frameworks around delegated authority, mandate-based payments and operational resilience all apply.

How they fit together: a one-page mental model

These three workstreams are not independent. They are building toward the same destination from different directions.

PEM and Vision 2030+ are rebuilding the infrastructure layer: faster rails, richer transaction data, a national identity and trust framework, prefunded settlement and more open connectivity for non-bank participants.

The IFWG open finance framework is building the data and access layer on top of that infrastructure: standardised APIs, consumer data portability, regulatory licensing for third-party providers and a formal framework for what products like Capitec Pay and Pay by bank represent at scale.

The FSCA and PA's AI governance work is addressing what happens when financial institutions and their counterparties use AI to make decisions and execute actions on top of that infrastructure and data layer. It is asking: how do we ensure those decisions are fair, transparent and auditable when they are made by systems rather than people?

For enterprise CFOs and product leaders, the practical implication is this: the payment system is being rebuilt to be more open, more real-time and more data-rich. The AI governance work will determine the rules under which businesses are permitted to operate autonomously within that system. Both are moving in 2026.

The checklist: what requires a 2026 response and what can be staged

Requires action in 2026

Review your reconciliation and reporting infrastructure for ISO 20022 readiness. PEM's upgraded RTGS will introduce richer transaction data, and your reporting systems need to be able to process it. Waiting until the system is live is not the right approach.

Audit your current payment method stack against open finance assumptions. If your business relies on card as its primary payment rail, and your customer segments are already using Capitec Pay, Pay by bank or PayShap, your infrastructure needs to reflect that. The Stitch 2025 Consumer Payments Report found that nearly half of South African consumers surveyed used Pay by bank or Capitec Pay in the last year. That is not a future preference; it is a current one.

Begin governance documentation for AI-assisted payment decisions. If your business uses AI for fraud detection, credit decisions, claims processing or any automated customer-facing decision in financial services, begin building the governance paper trail now. The FSCA and PA have signalled that a discussion paper and regulatory engagement process is coming. Businesses that have documented their AI governance frameworks will be in a much stronger position when that engagement begins.

Engage with the activity-based licensing framework as it is finalised. The COFI Bill, approved by Cabinet for submission to Parliament in April 2026, introduces a more differentiated approach to licensing that could directly affect how your business participates in the payments ecosystem, particularly if you operate in financial services, insurance or lending. The COFI Bill does not yet have a confirmed tabling date, and the final version may differ from the 2022 public comment draft, but enterprise legal and compliance teams should be tracking it actively.

Can be staged into 2027

QR+ adoption planning. The SARB's unified QR code standard is coming as part of the PayShap roadmap, but enterprise businesses do not need to act immediately. Monitor the timeline and factor it into your medium-term infrastructure planning.

PEMKey credential integration. The reusable digital identity framework being built under PEM will have significant implications for onboarding and KYC processes, particularly for businesses with high-volume customer acquisition. However, the framework is still being developed, and early-adopter positions will become clearer as the NPU operationalises. This is a 2027 planning item for most enterprises, with the exception of businesses in financial services that carry heavy KYC obligations and stand to gain materially from reduced onboarding overhead.

Full open finance API compliance. While the IFWG framework is progressing, the mandatory licensing and API standards are still being determined. Enterprises should understand the direction of travel and begin internal data governance reviews, but the hard technical compliance work is a 2027 and beyond conversation for most.

Where PayShap and Capitec Pay sit in this diagram

Both products deserve specific mention because they are often treated as payment method choices rather than as infrastructure indicators.

PayShap is PEM's faster payments rail, and its capabilities are expanding. The transaction limit was raised to R50,000 in October 2024, and PayShap Request, which launched in December 2024, introduced request-to-pay functionality across participating banks. PayInc has also signalled plans for QR code payments as part of the PayShap roadmap. Enterprises that currently view PayShap as a low-value consumer method should update that assumption. It is being built toward mid-value and eventually high-value transactions as the infrastructure matures.

Capitec Pay is, in practical terms, the most advanced instantiation of open finance currently live in South Africa. It is a direct bank API that gives Capitec's customer base, the largest bank account base in the country, a fast, authenticated, mobile-first payment experience that bypasses card infrastructure entirely. The IFWG's open finance framework is, in part, building toward a world where the model Capitec Pay represents is available across all major banks under a consistent regulatory and technical standard. Enterprises that have already integrated Capitec Pay through a provider like Stitch are better positioned for that world than those who have not.

One additional thread: South Africa's FATF grey list exit

South Africa's removal from the FATF grey list in October 2025 is relevant context for enterprise teams planning into 2026. As we outlined in our analysis of what the exit means for fintech businesses, the grey list exit reduces friction on cross-border payment flows and improves the country's international risk profile. For enterprises with cross-border operations or international payment providers, KYC and AML processes should be reviewed in light of the post-grey-list baseline. Importantly, the compliance standards that were raised during the grey listing period are not reverting. They represent a permanent uplift to South Africa's AML/CFT framework, and businesses should plan accordingly.

Getting ahead of convergence

The regulatory workstreams described here are individually significant. Their convergence makes 2026 a year where enterprise businesses that engage early will be in a structurally different position to those that wait.

PEM is rebuilding the rails. Open finance is building the access layer on top. AI governance is determining the rules of engagement for businesses operating autonomously within that ecosystem. Each workstream has immediate planning implications; none requires a complete transformation this year.

The practical approach is to assign clear ownership across finance, product and compliance teams, get the governance documentation started, and use your payments partner as an early warning system for how these workstreams are evolving in practice. That is precisely the kind of engagement Stitch is built for.

FAQs

What is the PEM Programme and why does it matter for enterprise businesses?

The Payments Ecosystem Modernisation (PEM) Programme is the SARB's initiative to rebuild South Africa's national payment infrastructure. It covers upgrading the RTGS system to ISO 20022 messaging, expanding PayShap as the national faster payments rail, establishing a National Payment Utility through PayInc, and introducing PEMKey, a reusable digital identity framework. For enterprise businesses, it means richer transaction data, new settlement models and a more open infrastructure that will require updates to reconciliation, reporting and payment stack management.

What is the IFWG open finance framework and when will it apply to businesses?

The Intergovernmental Fintech Working Group (IFWG) completed a cost-benefit analysis of open finance in 2025 and is now progressing a formal regulatory framework. When implemented, it will require financial institutions to provide secure API access to consumer data under a licensed framework. The mandatory compliance requirements are still being finalised, but businesses that handle customer financial data or build services on top of bank APIs should begin internal data governance reviews in 2026.

What did the FSCA and Prudential Authority AI report find?

The joint FSCA and Prudential Authority report published in November 2025 found that banking and payments institutions each have approximately 50% AI adoption rates, making them the leading sectors in South Africa. Key risks identified include data privacy, cybersecurity and ethical governance. The report will serve as the basis for a discussion paper and further regulatory engagement. Enterprise businesses using AI for customer-facing financial decisions should begin building governance documentation now.

Where do PayShap and Capitec Pay fit in the regulatory picture?

PayShap is the national faster payments rail being built out under PEM, with a transaction limit of R50,000 and expanding capabilities including request-to-pay (PayShap Request) and planned QR code functionality. Capitec Pay is currently the most advanced example of the open finance model in practice in South Africa. Both represent the direction the payments ecosystem is heading, and enterprises integrating them now are better positioned for the open finance framework when it is formalised.

What should enterprise teams prioritise in 2026?

The four most important actions in 2026 are: reviewing reconciliation infrastructure for ISO 20022 readiness, auditing the current payment method stack against open finance assumptions, beginning governance documentation for AI-assisted payment decisions, and tracking the COFI Bill as it progresses through Parliament. QR+ adoption, PEMKey integration and full open finance API compliance can be staged into 2027 for most enterprises.

Future proof your payments stack with Stitch

Request a demo