A Pact Born of Legislative Paralysis
On June 26, 2026, South Africa's six major mobile operators — Vodacom, MTN, Telkom, Cell C, Rain, and Liquid Intelligent Technologies — announced a coordinated industry framework to tighten SIM-card registration under the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA). The Association of Comms & Technology (ACT), which represents the operators, described the package as including stronger identity verification, tighter controls at distribution points, and wider biometric authentication at registration counters. The Competition Commission was consulted throughout; it found the measures unlikely to raise anticompetitive concerns provided appropriate safeguards were maintained.
The timing is not accidental. July 1, 2026 is the date on which ICASA has indicated it will begin enforcing existing RICA penalties — fines of up to R5 million or imprisonment of up to 10 years — against non-compliant operators. The pact is, in essence, a pre-emptive compliance gesture ahead of that cliff edge.
The Crime Case Is Real
Before critiquing the framework, it is worth being honest about why it exists. South Africa's SIM-swap problem is serious. According to a 2025 report by the Communications Risk Information Centre cited by ITWeb, annual telecommunications fraud costs reached R5.3 billion. Roughly 60% of mobile banking fraud is attributed to SIM-swap attacks, in which fraudsters obtain replacement SIMs using falsified or stolen identity documents, then intercept one-time passwords to drain bank accounts. SAPS has also linked improperly registered SIM cards to cash-in-transit heists, extortion, contract killings, and kidnappings.
On March 26, 2026, Minister Mmamoloko Kubayi convened an urgent inter-departmental meeting acknowledging that RICA's verification regime, in its current form, is inadequate. The meeting concluded that enforcement of existing penalties would begin July 1, supported by coordinated action from SAPS and the National Prosecuting Authority. The case for doing something is not a regulatory fiction.
Why Industry Is Leading Rather Than Parliament
The deeper story here is that formal RICA legislative reform has repeatedly stalled. ACT CEO Nomvuyiso Batyi was blunt about this in October 2025: "Every time it is updated and sent up the chain, it is turned back." The Department of Justice has been promising a draft legislative proposal for stakeholder engagement since at least March 2026 — yet the framework announced on June 26 remains explicitly an interim safeguard while that reform process continues.
There is an additional structural problem. In June 2025, the Department of Home Affairs raised its database-query fee — charged each time an operator verifies an ID against the national identity system — from 15 cents to R10 per search. For an industry processing hundreds of millions of prepaid SIM activations annually, that is a compliance tax that actively discourages the very verification the government now demands. The fee increase has not been reversed.
The result is an industry self-regulatory compact to paper over a legislative gap, negotiated with a competition lawyer in the room and minutes documenting every session. That is admirable process discipline. It is not a substitute for statute.
The POPIA Tension
Biometric data is not ordinary personal information under South African law. The Protection of Personal Information Act (POPIA) classifies it as "special personal information" under Section 26, prohibiting processing without specific legal authorisation. Section 33 addresses biometric information specifically, requiring operators who collect fingerprints or facial-recognition data to satisfy heightened conditions.
The 2022 ICASA proposal to mandate biometric SIM linkage attracted close to 21,000 public comments — the overwhelming majority opposed. Privacy International noted at the time that a mandatory national biometric-SIM database operates in a "legal void" when built incrementally through sector-specific rules rather than explicit statutory authority, with data potentially retained indefinitely and repurposed beyond its original justification.
The June 2026 framework does not resolve this question. It proposes expanded use of biometric authentication without the legislative amendment to RICA that would clarify the lawful basis under POPIA. Operators conducting facial-recognition checks against the Department of Home Affairs database are processing special personal information under a voluntary industry compact, not a clear statutory mandate. That creates compliance risk for operators and leaves consumers with no statutory right to challenge how their biometric data is retained or shared.
The Proportionality Problem
The prepaid market is where most of the enforcement failure lives — and it is structurally resistant to biometric uplift. Pan-African operators like Vodacom and MTN already deploy biometric SIM registration in Kenya and Nigeria through branded channels. South Africa's prepaid market distributes over half of approximately 200 million annual SIM activations through informal retail: spaza shops, street vendors, informal traders. Rolling out facial-recognition terminals to every informal distribution point is not a compliance programme — it is a market-restructuring exercise that would likely push low-income consumers toward unregistered channels rather than pulling them into compliant ones.
The proportionate response is targeted enforcement at the fraud vectors that actually drive harm — specifically SIM swaps and bulk SIM activations — rather than blanket biometric collection at the point of every new SIM sale. The ACT framework does include "tighter oversight of distribution channels" and "improved compliance monitoring," which suggests some targeting. The risk is that biometrics become the headline measure while the structural challenges of informal distribution remain unaddressed.
An Honest Interim Step
The June 26 compact is better than inaction. Competitors coordinating on registration standards with Competition Commission oversight is legally sound and practically necessary given legislative paralysis. The July 1 enforcement deadline creates a real compliance incentive for the first time in RICA's history.
But South Africa needs three things the compact cannot deliver: a revised RICA statute that explicitly authorises biometric collection and specifies data-retention limits; a coherent POPIA authorisation framework so biometric SIM data is not processed in a legal grey zone; and a reversal or reduction of the Home Affairs query-fee increase that is actively undermining the verification economics the government wants to improve. Until those pieces are in place, the industry framework is a workaround — a well-organised one, but a workaround nonetheless.