NovaBank SA — Risk Management & Regulatory Compliance
The risk-management framework, SARB Prudential Authority licensing and prudential requirements, AML/KYC, and the regulatory-compliance approach.
Section 8 · Business Plan
Risk Management & Regulatory Compliance
The risk-management framework, SARB Prudential Authority licensing and prudential requirements, AML/KYC, and the regulatory-compliance approach.
Banking is a fundamentally regulated activity, and rigorous risk
management is the price of admission, not a competitive lever.
NovaBank’s risk and compliance function is being built to meet — and
from Year 3 onwards, to exceed — the SARB Prudential Authority’s
expectations for a Tier-2 bank, with explicit alignment to Basel III,
the Banks Act, COFI, FAIS, FICA, and POPIA.
8.1 Risk Governance Framework
Risk governance follows a Three Lines of Defence model:
- First Line: Business units own their risks and
execute control activities daily. - Second Line: Independent Risk, Compliance, and
Information Security functions, reporting to the CRO and CCO. - Third Line: Internal Audit, reporting to the
Board Audit Committee with full unrestricted scope.
8.2 Principal Risk Categories
| Risk Category | Description | Primary Mitigant |
|---|---|---|
| Credit Risk | Default in unsecured loan book; concentrated in lower-LSM segments | Behavioural scorecard; concentration limits; ECL provisioning IFRS 9 |
| Liquidity Risk | Funding mismatch; deposit run-off in stress | LCR > 110%, NSFR > 105%; diversified funding |
| Market Risk | Interest rate repricing risk; minimal trading exposure | Banking book duration limits; ALCO oversight |
| Operational Risk | System outages; fraud; process failures | RCSA; KRIs; Basel III ORSA capital allocation |
| Cyber Risk | External attack; data exfiltration; ransomware | 24/7 SOC; SARB Joint Standard 2; ISO 27001 |
| Regulatory & Conduct | FAIS, COFI, POPIA, NCA breaches | Compliance Monitoring Plan; mandatory training |
| Financial Crime | Money laundering, terrorist financing, sanctions | Risk-based KYC, transaction monitoring, FIC reporting |
| Strategic Risk | Failure to scale; competitor response | Quarterly strategy reviews; scenario planning |
| Reputational Risk | Customer complaints; social media incidents | Tone-of-voice playbook; incident response team |
| ESG & Climate Risk | Climate transition risk; loadshedding impact on cust. | Climate Risk Framework aligned to TCFD/SARB CD7 |
Table 8.1 — Principal risk categories, descriptions, and primary
mitigants.
8.3 Regulatory Strategy
NovaBank is engaging with the SARB Prudential Authority on a Section
13 Banking Licence application. The team has held three pre-application
meetings during 2025 and has a detailed gap-and-readiness plan in place.
The licensing critical path is the binding constraint on the overall
implementation timeline.
| Regulator / Body | Scope | NovaBank’s Engagement |
|---|---|---|
| SARB Prudential Authority | Banking licence; Basel III prudential supervision | Section 13 application T+0; target T+8 months |
| FSCA | Conduct supervision; FAIS licensing for advice | FSP application Q1 of Year 1 |
| NCR | Credit provision; NCA compliance | NCR registration prior to credit launch |
| FIC | AML/CFT compliance | Risk-rated KYC framework certified |
| Information Regulator | POPIA & PAIA | Information Officer registered; PAIA Manual |
| Payments Association SA (PASA) | Membership of payments system | Application timeline aligned with launch |
8.4 Capital Planning
NovaBank will hold capital substantially in excess of regulatory
minima during the early scaling phase, with capital ratios converging
toward more efficient levels as the business matures. Detailed capital
projections are provided in Section 15.
Confidential — this business plan is provided to prospective investors and lenders for evaluation purposes only and may not be reproduced or distributed without the written consent of NovaBank SA (Pty) Ltd.