Today on The Settlement Layer: South Africa's central bank rewrites the rules on who can offer payment services, Kenya's Treasury tries to tax its way into digital payments oversight, and Mastercard drops $1.8 billion on stablecoin infrastructure. The regulatory ground is shifting faster than the compliance teams can map it.
The South African Reserve Bank published the third draft of amendments to the National Payment System regulatory framework, introducing activity-based authorisation that allows both banks and non-banks to offer payment services directly. The framework defines discrete payment activities — e-money issuance, acquiring, clearing, settlement, money remittance — with proportionate oversight and transaction-volume-linked capital thresholds. Crypto assets and cross-border activities are explicitly excluded. Stakeholder comments due 15 June 2026, final publication expected Q3 2026.
Why it matters
This is the most consequential structural reform in South African payments in a decade. Activity-based licensing removes the requirement for non-bank payment providers to rely on bank sponsorship, directly lowering barriers to market entry for fintechs operating in acquiring, e-money issuance, and remittance. The modular regulatory structure means operators can seek authorisation only for the activities they perform, with capital requirements scaled to transaction volumes rather than institutional category. For anyone building payment infrastructure in South Africa — PayFac models, mobile money, merchant acquiring — this framework defines the regulatory pathway forward. The exclusion of crypto and cross-border activities signals SARB will address those in separate instruments, likely the capital flow management regulations due by 30 June.
Kenya's Finance Bill 2026 proposes a 16% VAT on fees charged by all 42 licensed payment service providers including M-Pesa and Airtel Money — directly overwriting the August 2025 High Court judgment (Pesapal v. Commissioner of Domestic Taxes) that classified PSP commissions as VAT-exempt financial services. The VAT stacks on M-Pesa's existing 20% excise duty, adding approximately KES 17 to a KES 108 M-Pesa transfer fee. Separately, a 10% excise duty hits VASPs, 5% WHT applies to local card transactions, and KRA gains expanded retroactive audit authority over 5-year digital transaction histories. Treasury publicly denied the bill grants KRA real-time mobile money surveillance, but legal scholars note the enabling language is vague enough for broad interpretation. M-Pesa's market share has already eroded from 97% (2023) to 89% (September 2025).
Why it matters
This is the most aggressive digital-finance taxation package in East Africa's history. The Treasury's decision to legislate around a court ruling rather than appeal it reveals how sovereign tax authorities respond when judicial outcomes constrain revenue: they rewrite the law. The compounding effect — excise + VAT + WHT — creates a measurable cost wedge that will accelerate user migration to cash or informal alternatives in a market where M-Pesa handles 46.4 billion transactions annually. For operators building cross-border payment rails through Kenya, the bill introduces material compliance burden (eTIMS real-time reporting, retroactive audit windows) alongside cost pass-through that changes unit economics for every PSP, PayFac, and acquirer in the market.
The Bank of Ghana announced the creation of specialised departments for artificial intelligence, data analytics, and virtual assets oversight. Governor Dr. Johnson Pandit Asiama confirmed passage of a Virtual Asset Service Provider law and establishment of formal supervision structures, citing growing stablecoin activity with limited regulatory visibility. This follows the BoG's fintech license passporting framework (live with Rwanda, piloting with Nigeria) and its explicit 'regulating risk, not technology' positioning from last week's ACI Congress.
Why it matters
Ghana is closing a key regulatory capacity gap that has constrained central bank oversight of virtual asset operators across West Africa. The institutional build-out — dedicated departments with subject-matter staffing, not just policy papers — distinguishes this from the typical 'we're watching' stance. Combined with the VASP law and the sandbox-to-license pathway already running three firms on Ghana-Nigeria pilots, the BoG is assembling a supervision stack that will define the compliance surface for any operator building stablecoin or digital asset infrastructure in the region.
Safaricom updated its 'My One App' (the M-Pesa consolidation) to allow customers on Wi-Fi and rival networks (Airtel, etc.) to access money-sending, bill payments, and other services — after initial complaints locked out diaspora users and non-Safaricom network customers. The app now supports biometric authentication (Face ID, fingerprint) replacing PIN-only entry.
Why it matters
This is a competitive pressure response, not a generosity move. M-Pesa's market share has eroded from 97% to 89% since 2023, and locking out users on rival networks or in the diaspora during a forced app migration is the kind of friction that accelerates switching to Airtel Money. The biometric upgrade matters operationally: it reduces session-initiation friction and addresses a common USSD pain point (PIN entry errors on poor connections). For operators building on M-Pesa rails in East Africa, the Wi-Fi-capable path opens diaspora remittance flows that were previously blocked by network-level restrictions — a meaningful corridor expansion.
WorkOS published auth.md, an open protocol for agent registration extending OAuth standards (RFC 9728, ID-JAG) to enable agents to register, obtain scoped credentials, and be audited without raw API keys or session tokens. Two flows are supported: agent-verified (ID-JAG-based, synchronous, no human interaction) and user-claimed (OTP-based, no provider integration required). The protocol bakes audit events (registration.created, claim.requested, otp.generated, claim.confirmed, registration.expired, registration.revoked) into the standard, with discovery via two-hop Protected Resource Metadata.
Why it matters
This addresses the foundational gap Simon Willison and others have flagged in agent infrastructure: how agents obtain credentials that are scoped per session, auditable, and revocable — versus the current workaround of unscoped API keys that can't be attributed or time-bounded. The built-in audit events map directly to the KYC-for-agents problem in payments: if an agent is a delegated actor operating on behalf of a human, the issuing system needs to verify the human's identity once, attest it to the agent's provider, and let the agent register with minimal friction. This isn't vendor lock-in — it composes existing OAuth standards. The question is whether it gets adopted alongside or in competition with Visa's TAP and Mastercard's Agent Pay frameworks.
Mastercard is acquiring BVNK, a UK-based stablecoin infrastructure provider processing $30 billion annually across 130+ countries, for $1.5 billion base plus up to $300 million in performance milestones. The company simultaneously dropped a minority investment in rival Zerohash, signalling a strategic choice to build a single integrated stablecoin rail rather than diversify across providers. Regulatory approval expected before year-end. Same week, Deel launched stablecoin payroll via BVNK, and Paytrie operationalised a Canada-to-Nigeria stablecoin remittance corridor using CACD and USDC via Circle Payments Network.
Why it matters
This acquisition confirms that card networks now view stablecoin settlement as core infrastructure, not an adjacent experiment. BVNK's chain-agnostic model and multi-jurisdiction payment licenses solve the compliance complexity that prevents most operators from building stablecoin settlement in-house. Mastercard's concurrent Yellow Card partnership (Africa-focused stablecoin provider, announced earlier this month) signals that this infrastructure will extend into African corridors. The Deel payroll launch on BVNK rails — $250M in crypto payouts during 2025, now offering stablecoin salary payouts with zero admin overhead — demonstrates real B2B adoption at scale. For operators in emerging markets: the build-vs-buy window for stablecoin settlement infrastructure is closing rapidly.
International Holding Company executed AED 110 million ($30M) using DDSC, a dirham-backed stablecoin on ADI Chain, following CBUAE regulatory approval. This follows approvals for AE Coin (Al Maryah Community Bank) and AEDZ (Zand Bank). Four major UAE banks (Zand, Rakbank, FAB, Al Maryah) now have or are seeking approval to issue AED stablecoins. Startups Finigenie and Famunera are piloting stablecoin-based settlement on India-UAE and Gulf-Africa trade corridors, reducing settlement from 5–7 days to under 2 hours.
Why it matters
This is the first major institutional transaction in a CBUAE-regulated domestic stablecoin, validating operational readiness. The Gulf-Africa corridor pilots are directly relevant: they demonstrate how local-currency stablecoin issuance combined with institutional blockchain infrastructure can compress settlement times and eliminate correspondent banking friction in corridors where traditional rails impose multi-day delays. The multi-bank AED stablecoin approach — multiple issuers on different chains — creates both liquidity depth and interoperability complexity that will need solving.
South African online betting operators and regulators are embedding responsible gaming into core platform architecture. Industry survey data shows player protection is now the second-highest technical priority (37%) for operators, with implementations moving toward data-driven behavioural detection, AI/ML risk monitoring, and earlier intervention mechanisms calibrated to local economic stress contexts. Separately, Mpumalanga Economic Regulator board member Brenda Mabaso detailed specific structural deficits: cross-provincial data coordination gaps, inadequate real-time monitoring capacity, and the lack of RegTech infrastructure to handle AI betting algorithms and crypto-based transactions.
Why it matters
This represents a shift from 'tick the responsible gaming box' to 'build it into the stack.' For operators building iGaming payments infrastructure in South Africa, this means responsible gaming capability is becoming a licensing prerequisite and platform interoperability requirement — not an optional feature. Mabaso's candid articulation of provincial regulatory capacity gaps (enforcement can't keep pace with digital expansion, no cross-provincial coordination, no technological audit capability) flags exactly where compliance friction will concentrate. Operators who architect responsible gaming into their platform layer — behavioural detection, automated intervention, audit trails — will have a structural advantage as provincial boards modernise oversight.
Microsoft is retiring Claude Code licenses across its Experiences and Devices division (Windows, Office, Teams, Surface) by June 30, migrating engineers to GitHub Copilot CLI. The retreat follows documented unit-economics failures: Uber burned its entire 2026 AI coding budget in four months with individual engineers spending $500–$2,000/month on tokens; Nvidia reports compute costs now exceed employee salaries; GitHub paused Copilot Pro sign-ups in November 2025 when agentic workloads exceeded plan pricing. Gartner reports 25% of planned 2026 AI budgets will slip into 2027. The June 15 billing split — separating interactive and programmatic pools with the $200 Max credit billed at API rates and no rollover — lands into a market already showing structural resistance to token-denominated pricing under agentic load.
Why it matters
Microsoft had maximum leverage and preferred Claude Code internally, yet walked away when the bill arrived — the sharpest external validation yet that the June 15 billing split is landing at exactly the wrong moment for enterprise adoption. The compounding math works against buyers: per-task token consumption is rising by design (more reasoning, planning, verification) while per-token cost falls at ~10× per 18 months. The overnight agent runs ($2–$8/shift) documented in prior coverage will exhaust the $200 programmatic pool mid-month even for moderate workloads; Microsoft's retreat suggests that exposure at scale is worse than the back-of-envelope math implied.
The MCP protocol's 2026-07-28 release candidate (locked May 21, finalised July 28) removes stateful session handshakes and Mcp-Session-Id headers, replacing them with stateless request routing. The spec introduces a formal Extensions framework, Tasks for long-running operations, MCP Apps for server-rendered UI, and OAuth-aligned authorisation. Tier 1 SDK maintainers have ten weeks to ship support.
Why it matters
For anyone running MCP servers at scale, this is a breaking but beneficial change. Stateless MCP eliminates sticky sessions, Redis session stores, and deep packet inspection at load balancers — reducing operational complexity for high-throughput agent deployments. The Tasks extension directly addresses the timeout and retry pain point in payment and compliance workflows where operations take minutes, not milliseconds. OAuth alignment improves enterprise SSO integration, critical for regulated deployments. The shift to date-stamped versioning and formal SDK tiers signals MCP's maturation from research project to production protocol. If you're running MCP in production, the migration clock starts now.
A detailed production guide to Anthropic's self-hosted sandboxes (public beta since May 19) and MCP tunnels (research preview) documents seven deployment patterns with maturity ratings: HITL approval gates and audit-log shipping are GA-ready; vault-and-proxy patterns require custom implementation. Three material gaps: no first-party credential vault, memory not yet supported in self-hosted mode, and limited AWS region availability. MCP tunnels use outbound-only Cloudflare connections for private-network tool access without exposing firewall holes.
Why it matters
The launch coverage glossed over the real operational boundaries. This guide exposes what actually works in production versus what's aspirational: HITL gates and structured audit logging are ready for regulated workloads; credential management and memory require custom engineering. For anyone evaluating Claude Managed Agents for payment processing or compliance workflows, the absence of a native credential vault means you're building your own secrets management layer. The MCP tunnels pattern — outbound-only, no firewall exposure — is architecturally sound for connecting agents to private APIs behind corporate networks, but it's research preview, not GA.
IOL's post-season financial analysis puts the revenue gap between Sundowns' CAF Champions League victory and Pirates' domestic treble in stark terms: Sundowns' continental success unlocked approximately R360M ($20M) in prize money, qualification pathways, and FIFA Club World Cup earnings, against the R37M combined from Pirates' MTN8, Carling Knockout, and Premiership. The 10:1 ratio lands alongside Ouaddou's continued public equivocation — energy and psychological capacity, not money, driving his decision — adding genuine uncertainty about whether the coaching architecture behind a record 69-point, 21-clean-sheet, zero-red-card season survives into the next campaign.
Why it matters
The financial gap crystallises what the statistical postmortem (covered yesterday) left implicit: the treble was a historic sporting achievement built on exceptional defensive discipline and squad cohesion, but it generates a fraction of the resources that would fund the squad depth needed to sustain it. Ouaddou's resignation offer after the first two defeats — retained by management, vindicated by the season — now sits alongside a departure signal driven by exhaustion, not dissatisfaction. If he leaves, Pirates must replace not just a coach but the specific retention decision that kept this group together through its roughest stretch.
Activity-based licensing is the new regulatory grammar SARB's third NPS draft and Ghana's BoG restructuring both move toward licensing what entities do (e-money issuance, acquiring, clearing) rather than what they are (bank vs. non-bank). This is converging with Canada's PSP framework and the EU's PSD model. The consequence: regulatory moats shift from institutional status to operational capability and compliance capacity.
Kenya is stress-testing the tax ceiling on digital finance The Finance Bill 2026 stacks 16% VAT on PSP fees atop existing 20% excise duty, adds 10% excise on VASPs, introduces 5% WHT on card transactions, and proposes 20% WHT on gambling winnings — all while the Treasury denies building surveillance infrastructure. This is the most aggressive digital-finance tax experiment in East Africa and will produce data on elasticity, channelisation, and regulatory flight within months.
Stablecoin infrastructure is being acquired, not built Mastercard's $1.8B BVNK acquisition, Deel's BVNK-powered payroll launch, Paytrie's Canada-Nigeria corridor, and the UAE's institutional AED stablecoin trades all point to the same conclusion: the build-vs-buy window for stablecoin settlement infrastructure is closing. Late entrants will integrate with incumbents' rails rather than laying their own.
Agent authentication is the new payments plumbing WorkOS's auth.md protocol, the MCP 2026-07-28 stateless spec, and PYMNTS' merchant-readiness checklist all converge on the same infrastructure layer: scoped, auditable, revocable credentials for non-human actors. The pattern is OAuth-derived but agent-specific — and it's hardening faster than the payment protocols it will sit beneath.
Claude's unit economics are repricing the agentic bet Microsoft retreating from Claude Code licenses, Anthropic splitting subscription billing on June 15, and developers routing through DeepSeek V4 at 10-15× cost reduction all confirm that token-denominated pricing under agentic load is unsustainable at current rates. The market is searching for metered utility models that haven't been invented yet.
What to Expect
2026-06-05—Eskom deadline: Johannesburg municipality owes R1.5 billion instalment on R6.7 billion arrears; disconnection threat if unpaid.
2026-06-15—SARB NPS third draft comment deadline: stakeholders must submit feedback on the activity-based payment authorisation framework.
2026-06-15—Anthropic billing split takes effect: programmatic/Agent SDK usage moves to separate credit pool at API rates.
2026-06-30—South Africa capital flow management regulations comment deadline (extended from original date); crypto cross-border manual expected.