Compliance management is more than paperwork - it’s about systems, processes and operational accountability.
Many South African businesses believe they are operating within the law. They have policies in place, submit statutory returns and may even keep compliance files neatly stored away.
But according to industry experts, a growing number of organisations are exposing themselves to serious financial, legal and reputational consequences. In the 2023/24 financial year alone, the Financial Sector Conduct Authority (FSCA) imposed nearly R943 million in fines on firms that failed to address anti-money laundering weaknesses.
Muhammad Ali, managing director of ISO specialist World Wide Industrial & Systems Engineers (WWISE), explains that companies across industries often equate paperwork with compliance. “In reality, compliance failures are often hidden in daily operations, systems and governance structures rather than obvious acts of misconduct,” he says.
Basic statutory obligations are frequently overlooked. Missed annual returns, incorrect tax filings, incomplete statutory registers and failures to submit returns to the SA Revenue Service (SARS), Companies and Intellectual Property Commission (CIPC), Unemployment Insurance Fund (UIF), or under the Compensation for Occupational Injuries and Diseases Act (COIDA) remain common.
This issue is particularly acute among smaller businesses. Tax compliance failures - including incorrect VAT applications, late corporate tax submissions and poor record-keeping - often trigger audits, penalties and reputational damage. According to a 2025 survey of 400 South African small-enterprise owners by small-business software platform Xero, more than a quarter (27%) said submitting tax returns was one of their biggest stressors.
Another major blind spot, experts say, is data protection. While many organisations believe a privacy policy alone meets the requirements of the Protection of Personal Information Act (POPIA), audits regularly reveal inadequate cybersecurity controls, poor consent management and ineffective breach response. The Information Regulator recorded 1 355 POPIA complaints in the 2024/25 financial year, reflecting growing public awareness and regulatory scrutiny.
Transformation compliance presents another significant risk area. Ali warns that many organisations still treat Broad-Based Black Economic Empowerment (B-BBEE) as a tick-box exercise. “Misinterpreting scorecard requirements or appointing nominal directors or partners without genuine participation is not just non-compliance, it is fronting, which constitutes criminal fraud,” he says.
Labour law violations are also widespread. Businesses frequently breach the Employment Equity Act, minimum wage provisions, maximum working hours and fair dismissal requirements - often without malicious intent.
Occupational health and safety is another area where assumed compliance masks legal exposure. According to WWISE audits, many companies maintain outdated risk assessments, insufficient worker training, incomplete safety documentation and weak competency management. “Having a SHE (Safety, Health and Environmental) file does not automatically mean you are compliant with the Occupational Health and Safety Act. If controls are not embedded into how work is actually performed, legal exposure remains,” Ali notes.
Beyond individual regulatory breaches, Ali highlights weak corporate governance as a systemic issue. Many organisations underestimate governance obligations such as maintaining policies, documenting controls and keeping evidence of compliance activities.
Anti-money laundering compliance under the Financial Intelligence Centre Act (FICA) is another emerging risk. Poor customer due diligence, weak risk assessments and failures to report suspicious transactions are common. “Some organisations simply don’t realise they qualify as accountable institutions under FICA,” Ali says.
Despite these risks, many businesses still view compliance as a narrow legal or HR function rather than a core business risk. Ali attributes this to how compliance historically developed. “Compliance grew out of contracts, labour law and disciplinary processes, so it became associated with legal and HR departments. Over time, it turned into checklists, forms and training sessions instead of being embedded into operational systems.”
This fragmented approach is increasingly dangerous as penalties escalate. POPIA fines can reach R10 million, while FICA penalties can be as high as R50 million for companies.
To address these challenges, Ali argues that compliance must shift from a reactive exercise to an integrated management discipline. International ISO management system standards play a critical role in this transition.
While no ISO standard is tax-specific, frameworks such as ISO 9001 for quality management, ISO 31000 for risk management, ISO/IEC 27001 for information security and ISO 44001 for collaborative business relationships help organisations systematically identify and manage compliance obligations.
In the occupational health and safety space, ISO 45001 embeds legal compliance directly into risk-based operational processes. Similarly, ISO 14001 addresses environmental compliance by requiring organisations to identify environmental aspects across the full life cycle of products and services, actively monitor legal changes and involve leadership in environmental governance.
Ultimately, Ali believes ISO-aligned management systems help organisations move beyond fear-driven compliance. “They embed risk-based thinking, strengthen leadership accountability and encourage cross-functional collaboration. Compliance stops being something you do when forced and becomes part of how the organisation operates.”