Dear John, BIOMETRIC IDENTIFICATION, COMMUNICATIONS METADATA AND BANK ACCOUNT VERIFICATION BILL (DRAFT)

A Bill to require biometric verification for issuance and use of SIM cards and for opening / transacting on bank accounts; to mandate retention and controlled access to communications metadata and device identifiers; to require internet access providers and Wi-Fi network operators to maintain specific records and to cooperate with lawful investigations; to align compliance with the Immigration Act (including Section 42 obligations); to provide privacy, security and oversight safeguards; and to provide for related matters.

BE IT ENACTED by the Parliament of the Republic of South Africa, as follows:

PART A — PRELIMINARY
1. Short title and commencement

This Act is the Biometric Verification and Communications Integrity Act, [year].

Sections [specify] come into force on assent. Other provisions come into force on dates determined by Presidential proclamation, but not later than 24 months from assent, and subject to phased rollout schedules in Schedule 1.

2. Definitions

In this Act, unless inconsistent with the context—

“biometric identifier” means a human physiological or behavioral characteristic used for identification, including fingerprint, facial template, iris scan, or other modality approved by the Minister;

“bank account” means any transactional or deposit account held with a registered bank or authorised financial institution in the Republic;

“communications service provider” means any person who provides electronic communications services, including mobile network operators (MNOs), mobile virtual network operators (MVNOs), internet service providers (ISPs), and wifi operators;

“device identifier” means any hardware identifier including IMEI, MAC address or other unique hardware code;

“RICA” means the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002, as amended;

“Minister” means the Minister of Communications and Digital Technologies;

“Information Regulator” means the Information Regulator established under POPIA;

“POPIA” means the Protection of Personal Information Act, 2013;

“Section 42 offences” refers to the prohibitions and offences in section 42 of the Immigration Act, 2002.

(Additional definitions: “subscriber”, “SIM”, “mobile money”, “lawful request”, “authorised officer”, “metadata”, etc.)

PART B — MANDATORY BIOMETRIC VERIFICATION FOR SIM ISSUANCE & USAGE
3. Biometric registration for SIM issuance and activation

No communications service provider shall issue, activate or re-activate a SIM card, e-SIM profile, or subscriber account unless the subscriber has been verified in accordance with this Act and regulations.

Verification must include:
a. collection of national identity number (or passport/permit number for non-citizens) and proof of residence as required by RICA;
b. biometric capture of at least one biometric identifier (fingerprint and facial template unless impracticable) using certified capture devices; and
c. live biometric matching against the National Population Biometric Repository (NPBR) or an authorised government biometric verification service.

If the subscriber cannot be matched to NPBR, the subscriber will be assigned a unique verified identity token only after identity adjudication under regulations.

4. Live authentication for SIM swap / SIM transfer / porting

All SIM-swap, SIM replacement or mobile number porting requests must require live biometric authentication of the registered subscriber at point of transaction, whether online or in-store.

Providers must implement transaction authentication controls to prevent remote transfers without live biometric verification.

5. Deactivation and re-verification

SIMs that cannot be biometrically verified within the transitional period shall be deactivated for outbound calls, mobile money, and data, except for emergency calls, pending verification.

Emergency and limited services (e.g., access to emergency hotlines) shall remain available to deactivated SIMs.

PART C — MANDATORY BIOMETRIC VERIFICATION FOR BANK ACCOUNTS
6. Biometric verification for account opening and continued access

No bank or financial institution shall open a bank account, or permit full transactional access to an existing account, without biometric verification of the natural person account holder as prescribed.

Corporate accounts require biometric verification of their legal representative(s). Beneficial owner verification must include biometric linkage where possible.

Banks must implement ongoing risk-based re-verification for dormant, suspicious or high-risk accounts.

7. Linking bank accounts, SIMs and device identifiers

Banks shall maintain records linking bank account identifiers to primary verified mobile numbers (SIM) and device IMEI where provided by account holder, to enable tracing of accounts used for mobile transactions.

Banks and MNOs must implement secure API