Adv Abigail Munsami, Principal Consultant at TrueNorth Consulting
The Financial Sector Conduct Authority’s (FSCA) draft Omni-Risk Return (ORR) is approximately 2 weeks away from close of public comments and it matters that every player in the financial-services chain including the EB ecosystem: trustees, principal officers, administrators, consultants, should be paying close attention.
At the recent three-part workshop series covering all 12 sections of the Draft return, FSCA supervisors urged Financial Institutions (FI’s) to use the consultation period to flag any hurdles to obtaining the required data, what can’t be sourced, why, and how long it would take to acquire the data as well as any sector-specific nuances or commentary on more suitable questions. Feedback submitted now will shape the final requirements, with go-live expected toward the end of 2026.
Inside the ORR: How it changes supervision
The ORR is the Regulator’s revised streamlined return (replacing Omni-CBR). It will plug into the FSCA’s new Integrated Regulatory Solution (IRS) and harmonised risk model to give the Regulator a consistent, comparable view of conduct risk across financial sectors. Using defined indicators, a risk rating per institution will mean that the FSCA can spot red flags, benchmark peers and, when needed, focus supervision and enforcement on specific FI’s. It’s the foundational source (not the only one) to how a FI’s conduct risk will be scored.
Each data point reflected in the Draft return template influences multiple risk metrics. A given data point may increase or decrease risk dependent on the context.
A noteworthy requirement is the declaration that must accompany each ORR submission. A senior officer of the Governing Body (For funds, this will likely be the PO or Trustees) must formally attest to the accuracy and completeness of the return. The intent is to instill direct accountability at the highest level of the FI for the data provided.
Governance, ownership, structure and outsourcing
Section 1 covers who owns the financial institution, how the Group (if its part of one) fits together, and reliance on shared services. High reliance may signal concentration risks, single points of failure, and reduced transparency. Clear lines and controls may therefore lower risk while grey areas are likely to raise it. Section 2 checks the operational footprint (local and cross-border) and whether oversight keeps pace across all offices and advisers. Section 3 looks at board quality and behaviour, independence, incentives, ethics, and how quickly issues are fixed; slow or weak responses likely to increase risk. Low independence on boards may increase conflicts of interest or management dominance, while greater diversity and balanced skills may enhance decision-making, governance, and risk management. The FSCA noted at the workshops that race is an important aspect of diversity that strengthens governance and risk management. They stated that in future, this information will also assist the FSCA in monitoring institutions’ implementation of their Transformation Plans. Section 11 tests resourcing adequacy, conduct related training and outsourcing capacity. High vacancy rates may signal resource strain that can weaken governance, controls and customer service delivery while low spend on conduct training suggest limited commitment to a customer centric culture. High outsourcing of critical or control or core functions may raise operational and servicing risk.
Customer base and conduct risk
Section 4 tests customer understanding beyond onboarding, including segmentation (entity type, income band, PEP status); incomplete KYC, weak PEP screening, or poor segment visibility lift risk, while clean data, ongoing monitoring, and segment-specific fair-treatment checks reduce it. Under customer segmentation, the FSCA indicated that the categories provided are a broad segmentation of customers by financial capability and product needs, not fixed income levels. They noted that FI’s should apply a consistent, justifiable approach and may use recognised tools like the Socio-Economic Measure (SEM), which classifies consumers by living standards and access to resources. They further welcomed feedback on whether specific monetary thresholds or formal SEM classifications should be defined to improve consistency across sectors. Section 5 assesses safeguarding of client money, segregation, timely allocation and reconciliation, and oversight of third parties; delays, breaks, or weak administrator controls may raise risk, whereas prompt allocation and tight oversight lower it. Significant declines in asset values may indicate outflows signalling potential loss of customer confidence, weak portfolio management, reputational issues (including negative publicity) or customer dissatisfaction. Section 9 reviews complaints handling, end-to-end tracking, closure within timelines, escalation, and evidence of learning; low Ombud referrals, quick resolution, and few customer-favor determinations may signal a healthy complaints culture. On the other hand, high complaint volumes relative to customer base may indicate product or service weaknesses or disclosure issues.
Products, transactions and persistency
Section 6 examines where the financial institution’s business comes from and whether sales conduct is sound, analysing volumes by channel/adviser/intermediary to spot risks such as high replacements, degree of high reliance on specific distribution methods, excessive chargebacks, or channels with higher complaints and early lapses; strong adviser supervision and fair-sales controls will likely reduce risk. Section 7 looks at product terminations, lapses, cancellations, surrenders and what they signal about suitability and customer experience. The Regulator expects trends by product/channel, clear root-cause analysis, and remediation. High customer-driven terminations may indicate dissatisfaction, poor product design, or aggressive sales, while institution-driven terminations can suggest risky or unfair offboarding practices.
IT, data governance and operational resilience
Section 8 tests marketing and client communications, clarity, accuracy, governance, and transparency of campaign spend. High advertising expenditure may signal aggressive sales strategies, which could increase the risk of unsuitable product promotion. Section 10 assesses system resilience, data protection, uptime monitoring, and incident management, expecting every outage or breach to be logged, assessed for customer impact, and backed by controls that are regularly tested and shown to work. Repeat findings are a strong signal of inadequate governance and ineffective management of IT-related risks. Together, these sections gauge whether communications are trustworthy and operations robust enough to support fair outcomes.
Financial data and sustainability
This final theme shifts to the institution’s financial health, testing whether the business model is sustainable, well-funded, and resilient under stress. It requires splits between financial and non-financial services, South African vs international sources, and clear disclosure of funding structures. FSCA looks for realistic turnover projections and signs that financial pressure isn’t driving poor conduct (e.g., aggressive selling or weak claims handling). In short, the data is used to flag early strain, funding dependency, or sustainability risks that could spill into conduct risks explicitly linking financial resilience to fair customer outcomes.
What financial institutions must know about the draft ORR
1. COFI will set the rules; ORR will likely be one of the tools that measures them.
2. Data becomes board-level currency: Clean, complete, traceable data will drive your supervisory risk rating. Messy or incomplete data or weak controls will result in higher risk profiles.
3. Move away from silos: Implementation teams must be cross-cutting and must align on definitions, controls and evidence. Conduct risk should sit on board and Exco agendas, not be pushed down to a single (compliance) function.
4. Move early: automate data pulls, standardise definitions, tighten controls, and evidence your culture. Early adopters avoid regulatory friction and gain trust and efficiency. Consider taking part in the Pilot.
5. Automation: manual data collection won’t scale for reporting. FI’s need to start investing in automated data pipelines, validation controls, CRM’s and defined ownership now, ahead of the 2026 go-live.
6. Define “good” now. Institutions that close gaps ahead of time will likely set the benchmark for COFI-era supervision.
ENDS
Ed’s note: Find the FSCA’s slides to their recent consultant sessions here. And I’ve posted the FSCA’s explanatory guide to the Omni-risk return here.
