Home affairs minister Leon Schreiber has gazetted draft regulations that pave the way for a smartphone-based digital identity system in South Africa, with banks and other private-sector “trusted entities” potentially able to operate enrolment points and receive automatic updates from the national population register.
The draft amendments (PDF) to the identification regulations of 1998, gazetted on Monday for public comment until 6 June, would create a digital identity credential delivered through a mobile application called MyMzansi – alongside, not in place of, South Africa’s existing smart ID card.
Use of the digital credential would be optional, and the regulations explicitly state that no one would be compelled to obtain one to continue using a valid physical ID card.
Citizens aged 16 and over would apply at an “accredited enrolment point”, which under the draft regulations includes home affairs offices, South African foreign missions, ports of entry, branches or premises of accredited trusted entities and mobile enrolment units deployed by the department.
Standard in-person enrolment would involve documentary verification, cross-referencing against the population register, biometric deduplication, capture of facial biometric and fingerprints, liveness detection, verification of mobile number and e-mail address, proof of residential address, “device binding” – linking the credential to a specific phone through cryptographic means – and an automated fraud detection assessment.
Proof of identity
Once issued, the digital credential could be presented for proof of identity by means of near-field communication, Bluetooth, QR code or “such other secure presentation means as the director-general may determine”.
It would have a validity of five years and could be renewed via facial biometric verification through the MyMzansi app, which would notify holders 90 days before expiry. A credential would lapse if the holder had not undergone any in-person enrolment or in-person verification at an accredited trusted entity in the preceding 10 years.
Read: South Africa’s digital ID gets a targeted launch date
The draft requires digital credentials to be cryptographically signed and proposes the use of “asymmetric cryptography”, including elliptic-curve methods. Biometric templates would be stored in encrypted form in the population register.
Standard in-person enrolment would be free at home affairs offices and at “no additional cost beyond prescribed identity document fees” at accredited private-sector enrolment points. The director-general would be required to ensure such enrolment is available in every municipality “as soon as reasonably possible after commencement of these regulations”.
The most consequential element of the draft is the regime around so-called trusted entities – a defined class of organisations that could enrol citizens, verify identity in real time against the population register, and in some cases receive automatic updates of personal information.
A trusted entity is defined in the draft regulations as a person or organisation under a “direct and primary statutory obligation” to verify identity for purposes including anti-money laundering and counter-terrorist-financing compliance, controlling access to electronic communications networks, administering social benefits, issuing licences and permits, administering taxes, or law enforcement.
Banks, telecommunications operators, the South African Revenue Service and the South African Police Service would all fall within scope of the definition for relevant statutory functions, subject to accreditation by the director-general.
A notable provision in the draft is regulation 38A, which would allow the director-general to record a “verified relationship” in the population register between an accredited trusted entity and a person whose identity has been verified in person – and then to push update notifications “in near real time” to that entity whenever relevant particulars in the register change.
In practice, that would mean a citizen’s bank or mobile operator could be automatically notified of an address or contact-detail change without the citizen needing to inform each one separately. The regulations restrict such notifications to particulars that have actually changed, and only in respect of categories the entity is authorised to hold under its data sharing agreement. The Protection of Personal Information Act would prevail over the regulations in any conflict.
Explicit limits
The draft places explicit limits on access by law enforcement and security agencies. Regulation 32(4) states that nothing in the regulations authorises the furnishing of population register information “to any law-enforcement or security body otherwise than in accordance with an applicable law that permits such access, including any requirement in that law for judicial authorisation, a warrant or a court order”.
Trusted entities would be barred from using identity information for “data commercialisation, open-ended intelligence gathering, profiling or generalised searching”, and would be required to demonstrate that each access is “necessary and proportionate” to a specific statutory function. Audit logs of access to the population register would have to be retained for at least seven years.
Read: Estonia’s digital ID lesson for South Africa
Offences under the regulations – including enrolling under a false identity, presenting another person’s credential, tampering with a credential, attempting to circumvent liveness detection or misusing population register data – would carry penalties of a fine or imprisonment of up to two years.
The draft also requires that the system be implemented “in a manner that does not unreasonably exclude persons who do not own suitable mobile devices, do not have reliable internet access or are otherwise unable to use digital services without assistance”.
“The draft regulations propose the creation of a world-class digital identity system as the ultimate expression of our vision to leverage digital transformation to deliver Home Affairs @ home,” Schreiber said in a statement on Tuesday. He said the department was working with the presidency to support the goal of digitalising government services.
The new regulations would come into operation on a date fixed by the minister. Written submissions on the draft must be made to the chief director for legal services at home affairs by 6 June 2026. – © 2026 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.
