South African fintechs operate in one of the more heavily regulated consumer credit environments in the world. The National Credit Act (NCA) governs how credit providers interact with consumers, and the Protection of Personal Information Act (POPIA) adds data protection requirements on top.
For BNPL platforms, lenders, and subscription fintechs, getting early-stage recovery wrong doesn't just mean lost revenue. It means regulatory exposure, fines, and reputational damage.
This guide covers the practical compliance requirements for automated, pre-collections recovery in South Africa, with a focus on what fintechs need to build into their systems from the start.
Where pre-collections sits in the NCA landscape
Most of the NCA provisions people associate with “debt collection” (Section 129 notices, debt enforcement, credit bureau reporting) apply once an account is in default and you're preparing for legal action. The 1 to 30 day past-due window, where BNPL platforms and subscription fintechs actually lose most of their recoverable revenue, sits upstream of that. It's still regulated, but the rules that bite are proportionality, consent, and record-keeping, not enforcement procedure.
What the NCA covers
The National Credit Act (Act 34 of 2005) applies to credit agreements where a consumer is required to make deferred payments, pay interest, or pay fees. Most BNPL arrangements and lending products fall under its scope. The provisions most relevant to recovery communication:
Section 129: required notice before legal enforcement
Before a credit provider can take legal action to enforce a debt, they must deliver a written notice to the consumer (commonly called a “Section 129 notice”). This notice must:
- Be in writing and delivered to the consumer
- Inform the consumer of the default and the amount outstanding
- Propose that the consumer refer the matter to a debt counsellor, alternative dispute resolution agent, or the consumer court
- Provide the consumer with at least 10 business days to respond
For automated systems: your pre-collections flow must hand cleanly over to the Section 129 process. Pre-collections recovery is not a substitute for Section 129. It runs before it, and stops once the account moves into the formal enforcement track.
Section 130: debt enforcement
A credit provider may only approach a court for debt enforcement after the Section 129 notice period has expired and the consumer has not responded or resolved the default. Automated recovery systems must respect this waiting period and not escalate prematurely.
Fair treatment requirements
The NCA requires that credit providers treat consumers fairly throughout the credit lifecycle, including during recovery. This means:
- Recovery communications must be proportionate to the debt
- Harassment, threats, or intimidation are prohibited
- The consumer's right to dispute the debt must be respected
- Communication frequency must be reasonable
What POPIA requires
The Protection of Personal Information Act adds data protection requirements on top of the NCA:
Lawful processing
Processing personal information (including sending recovery messages) requires a lawful basis. For recovery related to an existing credit agreement, the lawful basis is typically “legitimate interest” or “contractual obligation.” However, this does not give unlimited licence to contact the consumer. The processing must be proportionate and reasonable.
Purpose limitation
Personal information collected for the credit agreement can be used for recovery related to that agreement. Using it for marketing, selling to third parties, or unrelated purposes is a violation.
Consent for channels
While recovery messages related to an existing obligation generally have a lawful basis, the channel used may require additional consent:
- WhatsApp: Requires opt-in under Meta's WhatsApp Business Policy. The consumer must have agreed to receive messages from your business number.
- Email: Transactional emails related to an existing financial obligation generally do not require additional consent under POPIA, but the consumer's right to object must be respected.
- SMS: The Electronic Communications and Transactions Act (ECTA) governs commercial electronic communications. Recovery messages tied to an existing agreement typically have a lawful basis.
Data retention
POPIA requires that personal information is not kept longer than necessary for the purpose it was collected. For recovery records, this means establishing a retention policy: how long you keep recovery communication logs, and when they are purged.
Building compliance into pre-collections recovery
For fintechs automating the 1 to 30 day past-due window, compliance must be built into the system architecture, not bolted on afterwards. Here is what that means in practice:
1. Full audit trail
Every recovery action must be logged with:
- Timestamp (when the message was sent)
- Channel (email, WhatsApp, SMS)
- Content (what was sent, or a reference to the template used)
- Delivery status (sent, delivered, read, failed)
- Escalation stage (friendly, professional, firm)
This audit trail serves two purposes: it proves compliance if challenged, and it provides operational visibility into the recovery pipeline.
2. Consent management
Your system must track consent status per customer per channel. If a customer has not opted in to WhatsApp messages, the recovery flow must automatically exclude WhatsApp and use only permitted channels. Consent status must be queryable and auditable.
3. Escalation controls
Automated escalation must include safeguards:
- Maximum message frequency (do not send daily reminders, which may constitute harassment)
- Minimum waiting periods between escalation stages
- Automatic pause if the consumer disputes the debt or requests debt counselling
- A clean handoff to the Section 129 track when the account ages out of pre-collections
4. Consumer rights handling
The system must support:
- Opt-out: If a consumer requests to stop receiving messages on a specific channel, the system must respect this immediately.
- Dispute: If a consumer disputes the debt, the recovery flow must pause until the dispute is resolved.
- Debt counselling referral: If a consumer indicates they want to engage a debt counsellor, this must be facilitated, not obstructed.
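The four controls above can sit behind a single send gate that decides and logs in one step. The sketch below is an added example, not PayChasers code or anything prescribed by the NCA or POPIA. The names `Account`, `gate` and `demo`, the 48-hour frequency cap, the 5-day stage wait and the "blocked" status are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STAGES = ["friendly", "professional", "firm"]  # escalation stages from the article
MIN_GAP = timedelta(hours=48)       # assumed frequency cap (no daily reminders)
MIN_STAGE_WAIT = timedelta(days=5)  # assumed minimum wait before escalating
WINDOW_DAYS = 30                    # the 1 to 30 day pre-collections window

@dataclass
class Account:
    due_date: datetime
    consent: dict                   # channel -> bool, e.g. {"whatsapp": False}
    disputed: bool = False
    debt_counselling: bool = False
    audit: list = field(default_factory=list)  # append-only recovery log

def gate(acct, channel, stage, template, now):
    """Return (allowed, reason). Every decision, sent or blocked, is logged."""
    sent = [r for r in acct.audit if r["status"] == "sent"]
    last = sent[-1] if sent else None
    days = (now - acct.due_date).days
    if days < 1:
        reason = "not_past_due"
    elif days > WINDOW_DAYS:
        reason = "handoff_section_129"      # leaves pre-collections entirely
    elif acct.disputed or acct.debt_counselling:
        reason = "paused_consumer_rights"
    elif not acct.consent.get(channel, False):
        reason = "no_channel_consent"       # default deny for unknown channels
    elif last and now - last["ts"] < MIN_GAP:
        reason = "frequency_cap"
    elif (last and STAGES.index(stage) > STAGES.index(last["stage"]) and now
          - next(r["ts"] for r in sent if r["stage"] == last["stage"]) < MIN_STAGE_WAIT):
        reason = "stage_wait"               # too soon since this stage began
    else:
        reason = "ok"
    acct.audit.append({"ts": now, "channel": channel, "stage": stage,
                       "template": template, "reason": reason,
                       "status": "sent" if reason == "ok" else "blocked"})
    return reason == "ok", reason

def demo():
    # Constructed sample account and attempts, for illustration only.
    acct = Account(datetime(2024, 3, 1), {"email": True, "whatsapp": False})
    tries = [(datetime(2024, 3, 3, 9), "email", "friendly"),
             (datetime(2024, 3, 3, 10), "whatsapp", "friendly"),
             (datetime(2024, 3, 4, 9), "email", "friendly"),
             (datetime(2024, 3, 6, 9), "email", "professional")]
    return [gate(acct, ch, st, "tmpl-" + st, ts)[1] for ts, ch, st in tries]
```

Because blocked attempts are written to the same log as sent ones, the audit trail also shows that the consent and frequency controls actually fired.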
Why a layer on top of your stack makes compliance easier
One of the practical benefits of running pre-collections as a recovery layer sitting on top of your core system, rather than inside it, is that compliance controls stop being spread across your CRM, your payments service, and your ops team's inbox. Audit logs, consent checks, frequency caps, and channel gating all live in one place. When your compliance team asks “show me every message sent to this customer in the past 90 days,” it's one query instead of three exports.
That separation also means ops can iterate on tone, channel order, and timing without risking a CRM deployment. You can test a new recovery flow in an afternoon without touching your core system or re-running a compliance review on production code.
What PayChasers provides
PayChasers is designed with South African compliance requirements in mind:
- Full audit logging. Every follow-up is logged with timestamp, channel, escalation stage, and AI-generated flag. This creates the compliance record automatically.
- Consent-based delivery. Delivery channel is configurable per chase (email, WhatsApp, or both). The system respects channel preferences at the customer level.
- Graduated escalation. The automated escalation flow (friendly, professional, firm) aligns with the NCA's proportionality requirements.
- No credit bureau reporting. PayChasers handles pre-collections recovery communication, not collections enforcement. It operates upstream of the Section 129 and legal enforcement process.
- API-first. The REST API lets your compliance team audit recovery actions programmatically.
Practical recommendations
- Start with audit logging. Even if you are doing manual recovery today, start logging every action. When you automate, the logging should be built into the flow, not added afterwards.
- Map your escalation stages to NCA requirements. Know which stage of your recovery flow is a general reminder versus the handover point to a Section 129 notice. Build the distinction into your system.
- Get consent right at onboarding. The easiest time to get channel consent is when the customer signs up. Include WhatsApp opt-in in your onboarding flow so your recovery system can use it later.
- Review with your legal team. This article provides a practical overview, not legal advice. Have your compliance or legal team review your recovery flow against current NCA and POPIA requirements before going live.
The bottom line
Compliance is not a constraint on effective recovery. It is a framework for doing recovery well. The NCA and POPIA requirements around proportionate communication, consent, and record-keeping are aligned with what actually works in the pre-collections window: graduated messaging, channel-appropriate delivery, and transparent records.
Fintechs that build compliance into their recovery automation from day one avoid regulatory risk and build recovery systems that are more effective, not less.