Compliance report

There have been no significant environmental, social and/or governance-related incidents during FY23, including incidents of legal non-compliance (whether under investigation, pending finalisation, or finalised) and directives, compliance notices, warnings or investigations and any public controversies.

There were no fines, settlements, penalties, or other monetary losses suffered in relation to ESG incidents.


The IRCC oversees the discharge of regulatory compliance responsibilities. The Committee monitors, assesses, researches and reports on the regulatory environment in which Blue Label operates. The IRCC reports to the Audit, Risk and Compliance Committee (ARCC).

The process of compliance management encompasses:

  • identifying and prioritising all Acts and regulations at a national level applicable to Blue Label;
  • incorporating regulatory requirements into control measures such as standard operating procedures, processes, manuals, and policies;
  • recommending corrective measures or steps to ensure compliance; and
  • monitoring compliance through the adequacy and effectiveness of control measures.

The risk of non-compliance is being managed through:

  • the quarterly review and update of the Blue Label regulatory universe;
  • the compilation of compliance risk management plans for high-risk legislation utilising external service providers; and
  • the continuous monitoring of the regulatory environment.

The regulatory environment changes constantly. We proactively contribute to and manage our regulatory environment by taking care of the interests of all our stakeholders and clients.

The Board is satisfied that Blue Label has complied with all relevant provisions of the Companies Act of South Africa and the JSE Listings Requirements and has operated in conformity with Blue Label’s MOI during the year.

There have been no significant environmental, social and governance-related incidents of legal non-compliance and directives, compliance notices, warnings or investigations and any public controversies during FY23.

Similarly, there have been no fines, settlements or penalties paid in relation to ESG incidents/breaches during FY23.

There have been no substantial complaints received concerning breaches of customer privacy, categorised by complaints received from data subjects and complaints/requests for information from the Information Regulator.


Taxation compliance

Taxation is managed as part of the regulatory compliance process managed under the IRCC and overseen by the ARCC. There were no instances of significant penalties or disputes with the South African Revenue Service during the year under review. Expert advice is obtained in managing the compliance with any complex areas of tax legislation. Blue Label does not have any significant foreign subsidiaries.

The total tax incurred by Blue Label in the current year amounted to R508.4 million. The total amount consists of the following categories of taxes:

Category 2023
Income taxes 253 506 225 841
Property taxes 2 497 1 914
Non-creditable VAT 74 588 174 617
Employer-paid payroll tax 177 839 138 321
Other taxes 1 427


The information below summarises the status of the top two pieces of legislation within Blue Label:


POPIA gives effect to section 14 of the Constitution, which provides that everyone has the right to privacy. The Act promotes the protection of personal information processed by public and private bodies and seeks to balance the right to privacy against other rights such as access to information.

The following POPIA initiatives have been embedded to ensure compliance at 31 May 2023:

  • Blue Label Compliance Framework has been reviewed and approved by the Audit and Risk Committee;
  • POPIA information sessions have been presented to the various subsidiaries, associates and stakeholders;
  • POPIA-related policy documents have been updated;
  • POPIA Control Risk Management Plan has been completed to assist risk management;
  • Promotion of Access to Information Act, No 2 of 2000 (PAIA) manuals have been updated; and
  • POPIA impact assessments have been prepared to perform gap analyses. These impact assessments are ongoing based on new products/initiatives being introduced throughout Blue Label.


Blue Label operations rely heavily on technology platforms to facilitate service delivery, which increases the risk of cybercrime. It is therefore of critical importance to maintain the integrity and stability of key IT systems to protect stakeholder interests against increasingly sophisticated targeted attempts at digitally assisted fraud, which is one of the main objectives of the Cybercrimes Act, 19 of 2020 and Cybercrimes Bill, 2021.

Cybersecurity threats remain a critical ongoing risk and form a significant part of our technology investments. Stringent standards for information and infrastructure security controls are constantly being reviewed and reinforced to ensure that our efforts continue to strengthen our cybersecurity posture. We proactively assess our vulnerabilities and risk of exposure on an ongoing basis while driving cyber risk prevention, assessment and education programmes to maintain vigilance. We are embedding security as a core component within platform delivery via governed development mechanisms and implemented detection capabilities and response processes in our environment.

The initial focus of our cybersecurity maturity journey was on the suite of the NIST Cybersecurity Framework controls in line with our approved strategy. The following have been accomplished:

  • implementation of Security Operations Centre services;
  • security awareness training campaigns through the KnowBe4 platform;
  • designed and implemented cybercrimes and incident management processes;
  • developed incident response and incident response testing as well as scenario planning; and
  • developed and implemented an Information Security Management System (ISMS) aligned to ISO 27001.