APPS
South Africa Drops Draft Rules for MyMzansi Smartphone Digital ID
South Africa moved its identity system out of the wallet and into the phone this week. Home Affairs Minister Leon Schreiber published draft regulations on May 4, 2026 authorising a smartphone digital ID delivered through an app called MyMzansi, with public comment open until June 6. Citizens aged 16 and older can enrol at Home Affairs offices, embassies, ports of entry, or accredited bank branches, get fingerprinted and face-scanned, then verify themselves later by QR code, Bluetooth, or near-field communication. The smart ID card stays. The app is optional.
The draft amends the Identification Act of 1997 and forms the legal scaffolding for the wider MyMzansi roadmap’s functional digital identity initiative, which has been running ahead of its rulebook for the past year. Schreiber’s office is asking everyday South Africans, banks, civil society groups and telecoms operators to file written comments before the window closes.
Schreiber said the system will combat identity theft, financial crimes, corruption and illegal immigration, while delivering services to citizens at home and improving privacy protections. Critics say the privacy half of that promise is the thinnest part of the draft.
What MyMzansi Will Actually Do on a Phone
The app holds verified versions of the documents most South Africans already carry: the national ID, birth certificates and marriage certificates. Once enrolled, a user can prove who they are without showing the plastic card.
Verification works three ways. The phone can throw a QR code on screen for a counter scanner. It can hand off the credential by Bluetooth to a nearby device. Or it can tap a reader using NFC, the same chip your contactless bank card uses.
Behind the scenes, the credential is cryptographically signed by the Department of Home Affairs and checked against the national population register in real time. That is the part that turns a phone screen into a legally meaningful document. A screenshot of an ID is worthless. A signed credential is not.
The draft regulations spell out the user-side feature set:
- Optional digital wallet for ID, birth and marriage certificates.
- QR, Bluetooth and NFC presentment, all three live.
- Facial recognition for renewal, no Home Affairs visit required.
- Liveness detection to block deepfake or photo spoofing.
- Bank and telco lookups against the population register, with consent.

Where to Sign Up, and Who Qualifies
Enrolment is open to South African citizens aged 16 and older. The draft lists four eligible enrolment points so the rollout doesn’t choke at Home Affairs counters alone.
The on-site process runs in a fixed order:
- Document check, where staff confirm an existing ID, birth certificate or passport.
- Biometric capture, fingerprints first, then a facial scan with liveness detection.
- Contact verification, a working phone number and email tied to the applicant.
- Device binding, the credential is provisioned to a single named smartphone.
One Phone, One ID, Five Years
The credential is locked to a specific device. Lose the phone, and you can’t simply move the ID to a new handset by signing into a cloud account. You re-enrol, or you renew, depending on the path the regulations finalise.
Validity runs for five years. Renewal happens entirely inside the MyMzansi app using facial recognition, with no in-person visit required if the system can match the live face to the file. That is the design that turns the catchphrase Schreiber has used since February, Home Affairs at home, into a working flow rather than a slogan.
Device-binding also acts as a fraud control. If the credential cannot be exported or copied between phones, a stolen handset’s value to an identity thief drops sharply. The trade-off is friction. People upgrade phones every two or three years on average, and the draft is currently silent on a smooth handset-to-handset transfer.
Why Banks and Telcos Get a Direct Line to the Population Register
The most consequential part of the draft is buried in the section on trusted entities. Banks and mobile operators that meet the accreditation bar can verify a person’s identity directly against the national population register and receive automatic updates if a name, address or marital status changes.
That ends a long-running annoyance. Today, when a customer changes address, they tell their bank, their phone company, their insurer, and Home Affairs separately. Under the new rules, an update at Home Affairs propagates to every accredited entity holding that customer’s record, with consent.
The fraud math is the bigger driver. South Africa’s Department of Home Affairs estimates that the legacy green barcoded ID book is about 500% more vulnerable to fraud than the smart ID card, and roughly 16 million South Africans still rely on the green book. The Special Investigating Unit reported that more than 630,000 residency permits and marriage certificates linked to sham processes were sold in some cases for as little as R500 a document.
The numbers behind the rollout so far:
- 4,002,964 smart ID cards issued in 2025, the highest annual figure on record.
- 17% jump on the 3.43 million issued in 2024.
- 21 million smart ID cards in circulation by the end of 2023.
- 9 banks accredited for in-branch smart ID applications, starting with Capitec and Standard Bank, with a stretch goal of 1,000 branches by 2029.
That bank channel is what makes the digital ID rollout feasible at scale. There aren’t enough Home Affairs offices to absorb the demand. Capitec branches alone outnumber Home Affairs service points several times over, and the Thales South African ID card case study documents how the smart card chip and biometric back end were architected for exactly this kind of distributed enrolment.
The Two-Year Prison Clause Almost Nobody Reads
Most coverage of the draft skipped past its punitive section. The regulations attach criminal penalties to three specific abuses, and they are sharper than the current Smart ID rules.
| Offence | Maximum Penalty |
|---|---|
| Enrolling under a false identity | Fine or up to 2 years in prison |
| Presenting another person’s digital credential | Fine or up to 2 years in prison |
| Bypassing or spoofing the liveness-detection system | Fine or up to 2 years in prison |
| Trusted-entity profiling or commercial misuse of register data | Civil and administrative sanctions |
| Unlogged access to the population register | Mandatory audit-log retention, minimum 7 years |
The POPIA Question Critics Want Answered Before Launch
The draft sits on top of the Protection of Personal Information Act, the country’s main data-protection law, but POPIA was written in 2013 for a slower world of paper forms and quarterly batch updates. Real-time, cross-sector identity lookups are not what the law was designed for.
Murray Hunter, a senior associate at ALT Advisory and a long-time Right2Know researcher, has been blunt about the framing. He has questioned whether the answer to identity fraud is to clean up corrupt officials or to build a centralised biometric database covering every newborn in the country.
If the solution to identity theft is not to root out corrupt officials but to create a massive biometrics database of all newborns, that is a policy choice the country should debate openly, not adopt by regulation.
Hunter’s broader point, echoed by the Polity policy analysis on citizen data control published May 4, 2026, is that the draft answers the technical question and ducks the governance one. Who audits the auditors. Where does a citizen go when an automatic update is wrong. Can a person revoke a trusted entity’s access without losing the bank account or SIM tied to it.
The draft does forbid trusted entities from using register data for profiling, commercial enrichment, or open-ended intelligence gathering. Law enforcement can pull data only through warrants and court orders, not direct queries. Audit logs run a minimum of seven years. Those are real guardrails. They are also the easiest to write.
Joseph Atick, executive chairman of ID4Africa and one of the most-quoted analysts on continental digital ID, has argued for years that data-protection law should harden before biometric systems scale, not after. South Africa is doing both at once.
The bigger structural critique, surfaced by The Conversation’s academic analysis of South Africa’s digital immigration turn, is that putting biometrics at the centre of identity verification raises the consequence of a single breach. A leaked password resets. A leaked face does not.
A Roadmap That Has Already Slipped
This draft is the second attempt to nail down the legal text. The government missed an April 2025 deadline to get a digital ID legal framework through cabinet, and the original target of a working national digital ID by end-2025 also slid.
Where the schedule stands now:
- May 4, 2026: Draft regulations gazetted under the Identification Act 1997.
- June 6, 2026: Public comment window closes.
- March 31, 2027: Hosting infrastructure deadline, with the South African Revenue Service running the back end.
- 2027 to 2028: Verifiable digital credentials issued to citizens via the secure mobile wallet.
- Q4 2028: Department target of 90% smart ID uptake among citizens, per the MyMzansi roadmap.
The hosting choice matters. SARS already operates one of the most mature data environments inside the South African state, which is why Home Affairs is renting capacity rather than building from scratch. The SAnews briefing on the Home Affairs digital ID rollout confirmed that the public-key infrastructure and certificate authority sit on SARS-managed servers.
What Happens If You Don’t Own a Smartphone
The regulations contain a sentence that civil society groups asked for and the minister included. The system must be inclusive, with enrolment points in every municipality and parallel access for citizens without smartphones or reliable internet.
That is not a small carve-out. Smart ID cards remain valid. So do green ID books, for now. The MyMzansi app is an addition, not a replacement, and a citizen can choose to never download it without losing access to a bank account, a passport, or a grant.
Frequently Asked Questions
Do I Have to Use the MyMzansi App?
No. The draft regulations are explicit that the digital ID is optional. Your smart ID card and even the older green ID book remain valid for identification, banking, voting, and travel within the rules each service already follows. The minister has framed MyMzansi as a convenience layer on top of the existing system, not a replacement, and there is no proposed deadline that forces you onto the app.
How Do I Get a Digital ID Once the Rules Are Final?
Visit one of four enrolment points: a Home Affairs office, a South African embassy abroad, a port of entry, or an accredited bank branch from the nine-bank list led by Capitec and Standard Bank. Bring an existing ID. Staff capture fingerprints and a facial scan, confirm your phone number and email, then provision the credential to your phone. The minimum age is 16.
What Happens If I Lose My Phone?
The credential is bound to that specific device, so a thief cannot move it to another handset. Report the loss to Home Affairs and your accredited bank to flag the credential, then re-enrol on a replacement device. The draft is currently silent on a same-day handset transfer, which is one of the items industry submissions are expected to push back on before the June 6 deadline.
Can the Police Pull My Data Through MyMzansi?
Not directly. Law enforcement access to the national population register still requires a warrant or court order, the same standard that applies to today’s records. Trusted entities like banks and telcos cannot share register data with police outside that legal channel, and every access has to be logged for a minimum of seven years. Misuse can lead to civil sanctions and, for the worst breaches, criminal charges.
How Do I File a Comment Before June 6, 2026?
Submissions go to the Department of Home Affairs by email at Moses.Malakate@dha.gov.za or by physical delivery to the department’s Pretoria office listed in the gazette. Comments can flag specific clauses, propose alternative wording, or raise practical concerns about enrolment, device transfer, or trusted-entity oversight. Civil society groups including Right2Know and ALT Advisory are expected to coordinate joint submissions in the final week of May.
The draft is the first time South Africa has put concrete legal text under a phone-based identity system that has been talked about politically since the 2024 State of the Nation address. The shape of the final regulations, and the strength of the privacy clauses that survive the public comment process, will decide whether the country is building a useful digital convenience or a centralised biometric chokepoint that future governments inherit. Both are still on the table.
-
GAMING1 month agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
-
AI3 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
AI3 weeks agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
CRYPTO2 months agoOCC Issues AML Consent Order Against Wise and Crypto.com Sponsor Bank
-
APPS1 month agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
AI3 weeks agoAnthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
