Business Report

How the FSCA Washed a Licence Clean

Published
While investigating Astrix Data over an international fraud exposé, South Africa's financial regulator quietly allowed the company's licence to be renamed. The public was never told. Three other platforms were not so fortunate.

While investigating Astrix Data over an international fraud exposé, South Africa's financial regulator quietly allowed the company's licence to be renamed. The public was never told. Three other platforms were not so fortunate.

Image: File

While investigating Astrix Data over an international fraud exposé, South Africa's financial regulator quietly allowed the company's licence to be renamed. The public was never told. Three other platforms were not so fortunate.

There is a straightforward piece of advice the Financial Sector Conduct Authority gives to every South African worried about financial fraud. Check the register. The FSCA's public database of authorised financial service providers is, in the regulator's own telling, the first line of defence for any consumer dealing with a trading platform or investment firm. Enter the company name, or the FSP number displayed on the firm's literature, and the register will confirm whether the entity holds a valid licence.

It is a reasonable system, provided the information on the register reflects reality.

Search FSP number 52313 on the FSCA's register today and the result returns one entry: IGM Financial Services (Pty) Ltd. Status: Authorised.

Search for Astrix Data (Pty) Ltd and nothing comes up at all.

Yet the FSCA's own press release of 6 June 2024, still publicly available on the authority's website, describes FSP 52313 as belonging to "Astrix Data (Pty) Ltd, an authorised financial services provider." That same document announced that the FSCA had registered a formal investigation into Astrix Data, its juristic representative Vector Financial Services, and the Finbok trading platform, following a wave of complaints from members of the public who said they could not get their money back.

At some point between that announcement and today, the FSCA approved a name change on the licence. Astrix Data became IGM Financial Services. The investigation, by the FSCA's own account, remained open throughout.

Nobody told the public.

What the Register Was Supposed to Protect Against

The timing matters and so does the context in which it sits.

In March 2025, an international consortium of investigative journalists published a detailed account of what it called the Scam Empire: a global online trading fraud network with a significant South African footprint. The story, based on a substantial document leak, was later reported extensively by the IOL, Fast Company South Africa, and the Cape Argus, while Daily Maverick was part of the original consortium that exposed it. The reporting described a cross-border operation running call centres in several jurisdictions, including the Philippines, where police had carried out a raid as part of international law enforcement activity.

At the heart of the South African operation, the reporting found, was Astrix Data. The company held an FSCA licence and had appointed two so-called juristic representatives, Vector Financial Services and Libra Wealth, which in turn operated the Finbok, Finxocap, and VP Trade trading platforms. Juristic representatives are permitted under South African law to conduct financial services under the licence of another entity, provided the licence holder performs due diligence and remains accountable for their conduct.

What the leaked documents showed was that the nominal directors of Vector Financial Services and Libra Wealth appeared, on the evidence, to be identity theft victims: a Bulgarian man described in employment records as unemployed, and a Romanian model. Neither had any documented connection to the South African financial industry. The real operational and financial control, according to the reporting, lay elsewhere, routed through corporate structures in Cyprus and other jurisdictions.

Finbok alone, operating under Astrix's FSP 52313, had by the end of 2024 collected deposits of more than R210 million from South African investors. Approximately R20 million had been returned. The ratio of funds taken to funds returned was, on those figures, roughly ten to one against the investor.

IOL and Fast Company South Africa noted that the FSCA's response, when queried by journalists, amounted to confirmation that the investigation was ongoing and had been prioritised. The regulator said it was not yet in a position to take administrative action and would update the public if anything changed.

Administratively, one thing did change. The name on the licence changed. The public was not updated.

The Warning That Made Astrix Look Like the Victim

There is a further detail that compounds the picture considerably.

At some point after international reporting linked Astrix Data to the Scam Empire investigation, the FSCA issued a separate public warning. The warning concerned Gold Trading Advisors Ltd, an entity the authority said was impersonating a licensed FSP by using the FSP number of Astrix Data — FSP 52313.

The FSCA's purpose in issuing such warnings is to protect the public from fraudsters who falsely claim regulatory authorisation. It is a legitimate and necessary function. But the timing and framing of this warning created an impression that sat awkwardly alongside everything else. To a member of the public reading only the FSCA's own communications, Astrix Data appeared in two registers: as a company under investigation for potential client harm, and as a company whose identity was being stolen by fraudsters, positioning it as a victim deserving of regulatory protection.

The FSCA did not, at any point, issue a comparably prominent public communication acknowledging the international journalism that had placed Astrix Data at the centre of a global fraud network. It did not say to South Africans: this company has been the subject of serious international scrutiny, its platforms have been identified in cross-border law enforcement activity, and you should exercise caution. That statement was never made and most importantly unlike other platforms under preliminary investigation their license remained fully operational.

What was made was a statement saying: be careful of people pretending to be Astrix Data.

Separately, and without public announcement, Astrix Data's licence was transferred to a name the public would not recognise. The investigation, per the FSCA, continued.

Three Others Who Were Not Given the Same Treatment

The contrast between the FSCA's handling of the Astrix situation and its handling of three other trading platform cases in the same period is a matter of public record, and it is stark. What makes it more difficult to explain is that the investigations ran concurrently. The Astrix and Banxso inquiries were both active at the same time, overseen by the same enforcement division, under the same divisional executive. The FSCA was, by its own account, investigating all of them simultaneously. The decisions it took in each case were therefore not the product of different regulatory moments or different teams working in isolation. They reflected choices made in parallel.

Banxso (Pty) Ltd had its licence provisionally withdrawn in October 2024. The authority said preliminary investigation findings had identified a potential risk to clients and the public. Banxso disputed the characterisation of its conduct vigorously throughout the proceedings. Its directors offered security exceeding R57 million, funded personally, sufficient by their own account to cover the full proven claims of all creditor applicants.

That offer was rejected by the applicants' attorneys without, according to at least some of those applicants, those clients being informed it existed. The company's client funds remained frozen. Banxso's legal representatives raised, in court filings, what they described as serious concerns about the conduct of the applicants' attorneys and the fairness of the proceedings. The court noted those concerns without finding them sufficient to defeat the liquidation application.

Then, in December 2025, as the final proceedings approached, the FSCA imposed an administrative penalty on Banxso and its directors totalling R2 billion. It was, by any measure, the largest enforcement penalty in the authority's history. It was announced with considerable public fanfare. And it is worth reconstructing precisely where it landed in the sequence of events.

The final licence withdrawal had been issued on 4 July 2025. Within weeks, in August 2025, the Western Cape High Court granted the provisional liquidation order. The licence withdrawal, publicly announced with detailed findings, had come first and provided an allegedly authoritative, independent foundation on which the liquidation proceedings could rest. That was the first intervention.

The R2 billion fine came on 9 December 2025. Two days later, on 11 December, the Financial Services Tribunal handed down its ruling dismissing Banxso's reconsideration applications. The final liquidation ruling followed in early 2026, with the judgment confirming the winding-up issued in March. The fine, by the account of the court record itself, had been placed before the presiding judge as part of the evidentiary picture.

Two major FSCA interventions. Two judicial or quasi-judicial rulings arriving shortly after. The sequence occurred twice within the same set of proceedings, each time with an FSCA announcement of maximum public impact landing immediately before a decision of maximum consequence to the company and its clients.

A penalty of that magnitude imposed on a company already in provisional liquidation functions, as a matter of insolvency law, as an unsecured concurrent creditor claim. It ranks behind the costs of the liquidation proceedings themselves, behind preferent creditors, and behind SARS. In practical terms, the R2 billion had no realistic prospect of meaningful recovery for the investors it was ostensibly designed to vindicate. What it demonstrably did was to place an allegedly independent, authoritative, and unprecedented regulatory conclusion into the public domain at precisely the moment courts were deciding the fate of the company. The FSCA had never before imposed a fine of anything approaching that scale. The timing of when it chose to do so is not a matter of inference. It is a matter of dates.

There is an even harder question. Despite the size of the penalty, the FSCA has not, as far as the available record shows, lodged a claim against the Banxso estate. Had it done so, that claim would have had to stand in the insolvency process like any other creditor claim. It could have been scrutinised, challenged and tested. The authority may have had to explain, in a public forum, how it arrived at R2 billion, what losses that figure was meant to reflect, and why the penalty was imposed in that amount at that point in the proceedings. Instead, the fine achieved maximum public impact while avoiding the one process that might have forced the calculation into the open.

The FSCA's communications around the final licence withdrawals of both Banxso and AfriMarkets were extensive and public. Press releases were issued. The findings were laid out. Debarments were announced. The names of individuals and the sums involved were given to the media and published widely. Every step of the process was documented in the public record.

AfriMarkets Capital (Pty) Ltd had its licence provisionally withdrawn in July 2025, on the basis that the FSCA identified it as sharing directorships and a business model with Banxso. The withdrawal was made final in December 2025, again with full public communication from the authority.

Mixirite (Pty) Ltd had its licence provisionally withdrawn on 24 June 2026, the day before this article was finalised. The FSCA cited preliminary concerns, including alleged sales-pressure issues, unauthorised advice, unrealistic return claims, suitability failures and inadequate risk disclosures. These allegations are serious, but they remain conventional regulatory concerns, not allegations on the scale of being identified in international reporting as part of a global scam network. Even so, the FSCA again acted publicly and issued a statement.

In each of those three cases, the FSCA acted during an active investigation on the basis of preliminary findings. In each case the authority made its actions public, issued formal communications, and ensured the market knew what it had decided and why.

Now consider the Astrix investigation against that standard. The FSCA registered it formally in June 2024. Its response to press queries throughout 2025 confirmed it remained open. At no point has the authority issued any public communication about the outcome of that investigation. No findings have been published. No penalties have been announced. No debarments have been declared. No press release has told South Africans what the FSCA concluded after examining a network that international reporting identified as part of a global fraud operation responsible for collecting at least R210 million from local investors and returning less than ten per cent of it.

The investigation into Astrix Data has, as far as any public record shows, produced nothing.

What it did produce, without announcement, was a name change on the licence.

On the one metric that matters most to an investor deciding whether an entity is safe to deal with — the proportion of deposited funds that are returned — the Astrix cluster presents a far more alarming picture than anything documented about Banxso, AfriMarkets, or Mixirite at the time enforcement action was taken against them. A return rate of less than ten per cent is not the profile of a poorly run trading platform. It is the profile of an operation in which the primary activity is the collection of deposits. The FSCA's own investigation was, by its own account, seeking to determine whether that was exactly what had been happening. It has shared its conclusion with no one.

The Register Becomes the Mechanism

What makes the name change on FSP 52313 more than a bureaucratic footnote is what it means in practical terms for the people the register is supposed to serve.

A South African investor who read any of the international journalism about Finbok, Astrix Data, and the fraud allegations in 2025 would have had grounds for concern. The natural protective step — checking the FSCA register — would have returned the same entity's licence, under its original name, listed as authorised. That alone was a problem, suggesting to a careful reader that the investigation had produced no definitive finding.

After the name change, the situation became materially worse. A person who remembered the name Astrix Data from the reporting and searched it on the register would find nothing. The name does not appear. The reputational damage accumulated through more than a year of investigative journalism, the international law enforcement activity, the questions about identity theft and offshore money flows — none of it attaches to the register entry that now carries FSP 52313. That entry belongs to IGM Financial Services, listed as Authorised, with no indication of any investigative history.

An investor presented with FSP number 52313 by a new platform claiming South African regulatory authorisation would search the number and find a clean, actively licensed entity. They would have no reason to associate that number with anything they had previously read or heard about.

Companies change their names for entirely legitimate reasons. That happens in every industry. The question here is not whether a name change is inherently suspicious. The question is whether the FSCA's own licensing division, which processes such changes and must approve them, had any mechanism to flag that the entity requesting the change was simultaneously the subject of an open enforcement investigation by the authority's own enforcement division.

If the answer is yes, that mechanism failed here. If the answer is no, that absence of internal communication between licensing and enforcement is itself a significant structural failure in an authority whose core function is to know what it is licensing and why.

The FSCA has not addressed either question publicly.

Who Watches the Watchdog

The National Assembly's Standing Committee on Finance has formal oversight of the FSCA. It receives the authority's annual reports, calls its executives to account, and has the power to compel disclosure. It is, in the architecture of South African financial regulation, the body that is supposed to ensure the FSCA does not become a law unto itself.

The question worth asking is whether it has been doing that, and whether it intends to start.

The Astrix Data situation is not the first time the FSCA's enforcement decisions have caused damage that nobody was required to account for. In 2020 the authority applied for the urgent liquidation of JP Markets, a forex platform employing seventy people and holding R220 million in its own cash. The Supreme Court of Appeal overturned the liquidation order in 2021, finding it was neither just nor equitable and that the FSCA had failed to exhaust less drastic remedies before reaching for the most extreme tool available. The FSCA was ordered to pay the legal costs of two counsel. No one within the authority was disciplined. No public accounting was given for why the decision was made, by whom, and on what analysis. The costs were absorbed, and the individuals responsible continued in their roles.

That case established a pattern that the Astrix situation now throws into sharp relief. When the FSCA acts and the consequences fall on a company, its directors, and its clients, the consequences are irreversible. Licences are withdrawn. Accounts are frozen. Liquidators are appointed. Reputations are destroyed. Investors find themselves locked out of funds they may never recover. But when the FSCA's own actions are found by a court to have been wrong, the institution bears no meaningful consequence and the individuals who made the decision bear none at all. The power to act is exercised by individuals. The accountability for those actions rests nowhere specific.

This matters because what the Astrix Data incident makes visible is not a procedural oversight or an administrative error that slipped through an otherwise functioning system. It is evidence that the authority's most consequential decisions — which entities to investigate quietly and which to pursue publicly, which licences to pull and which to leave intact, which investigations to conclude with press releases and which to conclude in silence, which name changes to approve while an investigation runs — are not governed by a consistent published standard that any external observer can apply. They are governed by the judgements of the individuals who hold the relevant positions, exercised with a degree of discretion that, in the absence of any demonstrated accountability for its misuse, amounts to unchecked power.

The FSCA's head of enforcement holds one of the most consequential regulatory positions in South African financial services. The decisions made in that office determine which companies survive and which are wound up, which individuals are debarred and which continue to operate, which investigations result in the largest penalties in the authority's history and which result in nothing the public is ever told about. That power is not subject to any meaningful external review of individual decisions in real time. The Financial Services Tribunal can reconsider specific administrative actions after the fact, but it cannot examine whether the decision to act against one entity and not another reflects a consistent application of principle. Parliament can ask questions, but only if it chooses to.

The people affected by these decisions have little practical recourse. Investors can be left with funds frozen in liquidations that drag on for years. Employees can lose their jobs after licences are pulled on preliminary findings. Clients of Finbok and VP Trade put money into platforms that the FSCA's own register told them were authorised. Yet none of them has a direct way to challenge the authority's decisions about where, when and how to use its powers. They can complain to the FSCA about regulated companies. Complaining about the FSCA itself is another matter. In practice, that route runs through Parliament, which has so far shown limited appetite for the sustained scrutiny needed to bring these issues into the open.

In the absence of any explanation from the authority, the Astrix Data investigation points to an enforcement approach that is far from consistent. Similar cases do not appear to have been treated according to a clear, published standard. Instead, the outcomes seem to depend on discretionary decisions made inside the FSCA, with little visible accountability and consequences borne largely by others. One company can remain under investigation for more than two years, have its licence quietly renamed after being linked in international reporting to a scam network, and emerge with no published finding, no penalty and a clean register entry under a new name. Another, investigated by the same division at the same time, can have its licence withdrawn, its accounts frozen, its directors fined R2 billion and its business wound up, with each step announced publicly and a major penalty landing just before the court's final decision.

In the absence of evidence to the contrary, the pattern is difficult to ignore. One group of companies appears to have been pursued with every tool available to the regulator, treated in public as effectively guilty while investigations were still at a preliminary stage. Others, facing allegations of a different order, were handled with far greater restraint, and in Astrix's case with a level of silence that left the public register cleaner than the public record. That is the central problem. Not merely that the FSCA acted against some entities, but that its visible force appears to have been applied unevenly.

Both outcomes are legal. Both were decisions made by people who knew that whatever they decided, no one would call them to account for the difference.

The Standing Committee on Finance has the power to change that. It can demand the full file on FSP 52313, including the correspondence, approval records, internal communications between licensing and enforcement, and the unpublished investigation report. It can ask, on the public record, who approved the name change, when it was approved, and why. It can ask what the Astrix investigation found and what was done with those findings. It can also ask why the largest penalty in the authority's history was imposed on a company already in provisional liquidation, where any real recovery was unlikely, just weeks before a judge was due to decide whether to wind it up.

These are not hostile questions. They are the questions a functioning oversight body asks of a regulator whose decisions affect the financial lives of millions of South Africans and whose accountability to anyone for those decisions is, at present, largely theoretical.

The Astrix Data incident did not happen in spite of the system. It happened inside it, with the system's approval, recorded in the system's own register. Until Parliament decides that the people who hold these powers must account for how they use them, the register will continue to reflect not the truth of what has happened, but the version of events that those with the power to alter it have chosen to present.