Most systems manage data. Very few manage obligation states.
Readiness
Evaluation. No relationship exists. The institution accesses zero-party data, explicitly shared, view-only, non-retentive. Nothing enters institutional systems.
Commitment
The commitment boundary. Regulatory responsibility formally attaches. Auditable, timestamped, precise. COFI is enacted and targeted for enforcement from early 2027.
Retention
Formal relationship. All existing institutional obligations and systems operate exactly as they do today. RETERA™ has no effect on this stage.
RETERA™ is applicable to any regulated or contractual context where an obligation boundary must be defined, observed, and made auditable. Financial services and accountable institutions are the primary deployment environment.
Select your function for the relevant briefBoard
Your institution is holding personal information it has no lawful basis to keep, across every product line, with every prospect who did not convert.
The Board executive brief takes this argument further. Name and institutional email required, function and institution optional.
Institutional email addresses only. Your details are used solely to respond to your request and determine whether structured dialogue is appropriate.
GRC & Legal
The Information Regulator has issued enforcement notices in this category. Your institution's pre-commitment data handling may already be a live regulatory exposure.
The GRC & Legal brief contains the full regulatory alignment analysis, zero-party data classification, and Joint Standards mapping.
Institutional email addresses only. Your details are used solely to respond to your request and determine whether structured dialogue is appropriate.
CFO & Procurement
Your institution is already spending on this problem. Verification charges, governance overhead, and regulatory risk provision all sit in budgets you already hold.
The CFO & Procurement brief sets out the cost methodology and the Recovery Diagnostic Tool is a self-assessment instrument for calculating your institution's own recoverable pool.
Institutional email addresses only. Your details are used solely to respond to your request and determine whether structured dialogue is appropriate.
CIO & Operations
RETERA™ sits upstream of existing systems, before core platforms are engaged. Nothing downstream changes. The integration surface is three signals.
The CIO & Operations brief covers the technical architecture, JS1/2024 outsourcing classification, data residency, and the full certification roadmap.
Institutional email addresses only. Your details are used solely to respond to your request and determine whether structured dialogue is appropriate.
Speak to us directly
If you have read enough and want to make contact without requesting a brief, enter your name and institutional email. We respond personally within one working day.
Institutional email required. Your details are used solely to respond to your request and determine whether structured dialogue is appropriate.
The liability is structural
Every institution that evaluates prospects before establishing a formal relationship is generating pre-commitment data. Most of that data has no lawful basis for retention when the prospect does not convert. The institution is not failing to comply. It is failing to notice that it is non-compliant, at scale, across every product line, with every prospect who did not convert.
Under FICA sections 21 and 21A, CDD obligations attach at the point a business relationship is established, not before. Under POPIA section 11, the data that accumulates before that point has no lawful basis for retention once the prospect has departed. The Information Regulator has issued enforcement notices in exactly this category.
What RETERA™ changes
RETERA™ establishes a clear, auditable boundary between pre-commitment interaction and the committed customer relationship. Before commitment, the institution accesses zero-party data and explicitly shared by the individual, view-only, non-retentive. Nothing enters the institution's environment. At commitment, data transfers and FICA obligations attach exactly as the law intends.
The regulatory tailwind
The Intergovernmental Fintech Working Group, which coordinates the SARB, FSCA, Prudential Authority, and National Treasury, has formally endorsed the position that personal information stored by financial institutions belongs to the customer, and has stated that a mandatory open finance regime is the most appropriate approach for South Africa. Institutions that adopt RETERA™ before that mandate arrives will not be retrofitting. They will already be compliant. COFI is enacted and targeted for enforcement from early 2027. The conduct obligations it introduces are addressed by the RETERA™ architecture.
What RETERA™ is not
The legal position
POPIA Section 11(1) grounds are exhaustive. For pre-commitment data from non-converting individuals, none applies cleanly: no consent for speculative retention; no contractual necessity where no contract exists. Legitimate interest does not survive proportionality review for data held from someone who chose a competitor. Section 13 purpose limitation requires that information be retained only for its defined collection purpose, and exhausted once evaluation concludes without commitment.
FICA sections 21 and 21A require CDD when establishing a business relationship, and not at first interaction. Before commitment, the obligation has not attached. The Information Regulator has issued enforcement notices in this category.
The data classification question
At the readiness stage, RETERA™ handles zero-party data exclusively, information the individual has voluntarily and proactively shared, with full awareness, for the specific stated purpose of evaluation. It is not collected passively or inferred from behaviour. This is the most defensible category of data handling available under POPIA. For non-converting prospects, no institutional record exists after evaluation concludes.
The data boundary | three categories
Table A | Statutory KYC: FICA legal obligation at relationship formation. Cannot be revoked. RETERA™ does not disturb it. Transfers at commitment exactly as FICA requires.
Table B | Risk-based CDD: Conditional FICA obligation when triggered. Cannot be revoked. RETERA™ does not alter the conditions under which it is triggered.
Table C | Non-KYC data: POPIA governs. At the readiness stage, handled as zero-party data is the most defensible lawful basis available. For non-converters, no institutional record exists after evaluation concludes.
Consent and preference management infrastructure
RETERA™ does not replace, compete with, or duplicate consent and preference management systems. Those systems are designed for customers and people who have already committed. RETERA™ manages the period before that stage. At commitment it hands off to your existing systems, which engage exactly as they do today. Institutions that have built data classification, retention, and destruction programmes under POPIA will find that RETERA™ completes the architecture.
What RETERA™ is not
The cost already exists
Identity verification services are charged per execution. Every time an institution verifies a prospect's identity, a cost is incurred regardless of whether the prospect converts. In most financial services acquisition funnels, fewer than three in ten prospects who enter an onboarding process convert to customers. The verification cost of the others is absorbed as overhead, inflating client acquisition cost for customers acquired by expenses they did not generate.
The four budget lines
Regulatory risk and compliance: Elimination of the underlying condition generating simultaneous POPIA, FICA, Joint Standard, and TCF liability. Not risk management, risk removal.
Client acquisition cost: Removal of verification and onboarding cost attributable to non-converting prospects. Client acquisition cost normalises to reflect only customers who converted.
Compliance operations and governance: Reduction of audit scope, storage overhead, and record management for pre-commitment data that should not exist.
Consent and preference management infrastructure: Your existing POPIA toolset governs committed customers, the population it was designed for, and not pre-commitment data of uncertain legal standing.
Budget classification
RETERA™ is not a technology purchase. The decision is approved at board level. Budget comes from regulatory risk, compliance efficiency, and client acquisition, not from a technology line. RETERA™ should be classified as governance infrastructure, not a software licence.
What RETERA™ does operationally
RETERA™ sits upstream of existing systems, before core platforms are engaged. It does not touch policy administration, CRM, document management, consent and preference management platforms, or any system of record. It integrates by signalling workflow state, not by storing customer records.
During evaluation, RETERA™ provides a zero-party, view-only reference for information the individual has chosen to make available. Nothing is retained. Nothing enters systems of record. At commitment, existing systems engage exactly as they do today. Nothing in the downstream process changes.
The three signals
Readiness: An individual has prepared information and is ready for evaluation. No data transferred to institutional systems.
Commitment: A commitment event has occurred. Timestamp and reference logged. Triggers downstream onboarding flow in existing systems.
Revocation: An individual has withdrawn from evaluation. No institutional record exists. Nothing requiring protection, disposal, or governance.
Certification target architecture
These describe the target compliance architecture at build, not certifications currently held.
ISO 27001: Information security management baseline. Required for institutional vendor assessment.
SOC 2 Type II: Operational assurance over time with controls performed, not only designed.
ISO 27701: Privacy information management is directly relevant to POPIA and zero-party data architecture.
ISO 22301 / 27017: Business continuity and cloud security controls.
POPIA / GDPR: Statutory compliance by architectural design.
What does not change
The Board executive brief sets out the governance case, the four-framework liability argument, independent cost validation, and the path to structured dialogue.
Ready to take the next step?
Tell us where you are in your review process. We respond personally within one working day.
Further analytical papers
Available to institutions that have progressed to structured dialogue. Delivered directly by 2am.
RETERA™ Category Paper
Board · Executive Leadership · All audiences
"Most systems only manage data. Very few manage obligation states. RETERA™ manages obligation states."
Establishes why RETERA™ is a new governance category. Sets out the structural regulatory case, the four-framework liability argument, and the IFWG mandatory open finance regulatory tailwind.
RETERA™ Economic Justification Paper
CFO · CRO · GRC
"The programme is funded through the correction of inefficiencies that institutions are already paying for."
Full cost methodology with independent external validation and the Recovery Diagnostic Tool is a self-assessment instrument for calculating the institution's own recoverable pool from internal data.
RETERA™ Control and Assurance Brief
GRC · Legal · Compliance · Risk
"RETERA™ enforces existing legal principles more conservatively than current institutional practice."
Complete statutory analysis, zero-party data classification, POPIA and FICA mapping, Joint Standards JS1/2024, IFWG position, COFI alignment, and full certification roadmap.
RETERA™ Regulatory Obligation Mapping
Legal · Compliance counsel
"RETERA™ does not change what the institution must do. It changes when obligations lawfully attach."
Precise statutory analysis of POPIA ss.11, 13, 14 and FICA ss.21, 21A across all three stages with four practical scenarios. Not legal advice.
Questions the board typically asks
It exists because operational systems were not designed for the evaluation stage. In the absence of an operational definition for pre-commitment interaction, institutions treat it conservatively and as though commitment has already occurred. The consequence is compliance effort expended on individuals who will never become customers. That effort is structural and recurring.
No. The question RETERA™ addresses is, when does institutional responsibility begin, and if a governance and compliance matter is approved at board level. Budget comes from regulatory risk, compliance efficiency, and client acquisition, not technology spend.
No. Compliance responsibility never leaves the institution. RETERA™ controls when that responsibility lawfully begins. After commitment, all regulatory obligations apply in full.
Review the brief internally. Share the GRC, CFO, and CIO briefs with the relevant functions. Use the contact form above or email legal@2am.africa
The GRC & Legal brief sets out the full regulatory alignment analysis, zero-party data classification, POPIA and FICA obligation mapping, TCF, Joint Standards, and IFWG open finance direction.
Ready to take the next step?
Tell us where you are in your review process. We respond personally within one working day.
Further analytical papers
Available to institutions that have progressed to structured dialogue.
RETERA™ Control and Assurance Brief
GRC · Legal · Compliance · Risk | primary deep-dive
"RETERA™ enforces existing legal principles more conservatively and consistently than current institutional practice."
Complete statutory analysis, zero-party data classification, POPIA ss.11/13/14 and FICA ss.21/21A mapped across all three stages, JS1/2024 outsourcing classification, IFWG position, COFI alignment, and full certification roadmap.
RETERA™ Regulatory Obligation Mapping
Legal · Compliance counsel | for deep statutory review
"RETERA™ does not change what the institution must do. It changes when obligations lawfully attach."
Precise statutory analysis with four practical scenarios. Prepared for review alongside independent legal opinion. Not legal advice.
RETERA™ Category Paper
Board · All audiences
"Most systems only manage data. Very few manage obligation states. RETERA™ manages obligation states."
Establishes the structural case. Useful for GRC teams briefing upward or seeking board alignment.
Questions GRC and legal teams typically ask
Zero-party data, information the individual has voluntarily and proactively shared, with full awareness, for the specific stated purpose of evaluation. This is the most defensible category of data handling under POPIA. For non-converters, no institutional record exists after evaluation concludes.
RETERA™ does not replace, compete with, or duplicate consent and preference management systems. Those systems are designed for customers and people who have already committed. RETERA™ manages the period before that stage. At commitment it hands off to your existing systems, which engage exactly as they do today.
DocuSign records that parties signed a document. A CRM records a workflow stage. Neither records the specific legal moment at which regulatory responsibility under POPIA and FICA formally attaches in a form capable of surviving supervisory review. RETERA™ records the obligation state.
Review the brief alongside appropriate independent legal counsel. Use the contact form above or email legal@2am.africa
The CFO & Procurement brief sets out the cost argument, the four budget lines affected, pricing philosophy, and the commercial proportionality case including the Recovery Diagnostic Tool.
Ready to take the next step?
Tell us where you are in your review process. We respond personally within one working day.
Further analytical papers
Available to institutions that have progressed to structured dialogue.
RETERA™ Economic Justification Paper
CFO · CRO · GRC | primary deep-dive
"The programme is funded through the correction of inefficiencies that institutions are already paying for."
Full cost methodology, external validation from global and SA research, and the Recovery Diagnostic Tool is a structured self-assessment instrument for calculating the institution's own recoverable pool from internal data across four cost categories.
RETERA™ Category Paper
Board · Executive
"Most systems only manage data. Very few manage obligation states. RETERA™ manages obligation states."
The board-level framing that underpins the budget decision.
RETERA™ Control and Assurance Brief
GRC · Legal · Compliance
"RETERA™ enforces existing legal principles more conservatively than current institutional practice."
Relevant where CFO review requires the regulatory classification and certification roadmap alongside the cost argument.
Questions CFO and procurement teams typically ask
Regulatory risk, compliance efficiency, client acquisition, and consent and preference management infrastructure. Budget owners are risk, compliance, and the CFO function.
It redirects an existing one. The cost of pre-commitment compliance is already being incurred. RETERA™ reallocates that spend to the point where it produces regulatory value: after commitment, on customers who convert.
As governance infrastructure reflecting scope and regulatory exposure, not transaction volume or data processed. Pricing detail is introduced during the structured review process under appropriate confidentiality.
Review the brief internally. The Economic Justification Paper and Recovery Diagnostic Tool are available on request. Use the contact form above or email legal@2am.africa
The CIO & Operations brief covers what changes operationally, the three-signal integration architecture, data residency, JS1/2024 outsourcing classification, and the full certification target roadmap.
Ready to take the next step?
Tell us where you are in your review process. We respond personally within one working day.
Further analytical papers
Available to institutions that have progressed to structured dialogue.
RETERA™ Control and Assurance Brief
GRC · Legal · CIO | primary deep-dive for technical governance
"RETERA™ enforces existing legal principles more conservatively than current institutional practice."
Full certification roadmap, JS1/2024 outsourcing classification argument, data residency position, and security architecture overview directly relevant to CIO review and vendor assessment.
Technical Architecture Documentation
CIO · Technology · Operations
"The integration surface is narrow. Workflow state signals only. Nothing downstream changes."
Integration specifications, data flow diagrams, security architecture, audit trail design, and DPA framework. Available under confidentiality once board participation has been approved.
RETERA™ Category Paper
Board · All audiences
"Most systems only manage data. Very few manage obligation states. RETERA™ manages obligation states."
The clearest single document for briefing upward, and explaining what RETERA™ is and what distinguishes it from existing compliance tooling.
Questions CIO and operations teams typically ask
Existing onboarding, compliance, consent and preference management, and record-keeping systems are unaffected. RETERA™ sits upstream of those systems. Nothing downstream changes.
No. RETERA™ integrates by signalling workflow state, three signals only. No bulk data migration, no infrastructure replacement, no ongoing data pipeline.
Existing customer relationships continue unaffected. No data is lost. The system can be paused or unwound without disruption to committed customer relationships.
Review the brief internally. Technical architecture documentation is available under confidentiality once the board has approved participation. Use the contact form above or email legal@2am.africa
Select your function or read all general questions.
Regulated institutions interact with individuals before a binding relationship exists. During evaluation, information is reviewed, documents are requested, and operational processes begin. No binding agreement has formed. No legal obligation has attached. Yet institutions often treat this period as though it carries the same responsibilities as a committed relationship. Data is collected and retained. Costs accumulate on interactions that may produce no customer at all. RETERA™ defines the precise point at which evaluation ends and obligation begins.
Regulatory frameworks including POPIA and FICA attach different obligations depending on whether a formal relationship exists. Before commitment, certain forms of data collection and retention have no lawful basis. After commitment, specific obligations apply and must be met in full. When that boundary is unclear, institutions carry compliance exposure they cannot easily quantify, hold information they may have no lawful basis to retain, and incur costs on individuals who will never become customers.
RETERA™ is an operational coordination boundary that clarifies when institutional responsibility lawfully begins during interaction with an individual. It manages obligation states, the precise point at which regulatory responsibility attaches. This is distinct from managing data, performing verification, or replacing institutional compliance processes.
No. RETERA™ is not an onboarding platform, compliance automation tool, or system of record. It is a governance standard focused on the timing of responsibility, closer in register to a regulatory framework than to a software product.
RETERA™ is not a customer onboarding platform, identity verification service, KYC or AML tool, compliance outsourcing provider, system of record, or consent and preference management system. It is not an IT procurement decision. All regulatory obligations remain entirely with the institution.
Zero-party data, information the individual has voluntarily and proactively shared, with full awareness, for the specific stated purpose of evaluation. It is not collected passively or inferred from behaviour. The individual is the active party. This is the most defensible category of data handling available under POPIA. Nothing is retained by the institution. For non-converters, no institutional record exists after evaluation concludes.
No. Institutions maintain direct relationships with their customers. Individuals may use XORA™, a governance standard published by 2am, to present consistent information across institutions, but institutional relationships remain direct. RETERA™ does not intermediate the customer relationship.
No. Regulatory obligations remain unchanged in substance. RETERA™ clarifies the point at which those obligations attach. It does not reduce, modify, or transfer them.
No. RETERA™ does not sell, trade, or exploit personal data. The commercial model is an institutional programme fee. Data is never the product.
No. Institutions retain their systems, data, and decision-making authority. RETERA™ governs a boundary. If RETERA™ is unwound, existing institutional processes resume without data loss or operational disruption.
The Intergovernmental Fintech Working Group, which coordinates the SARB, FSCA, Prudential Authority, and National Treasury, has formally endorsed the position that personal information stored by financial institutions belongs to the customer. It has stated that a mandatory open finance regime is the most appropriate approach for South Africa. RETERA™'s zero-party data architecture is precisely the model that open finance regulation is being built to require. Institutions that adopt RETERA™ before the mandatory regime arrives will not be retrofitting. They will already be compliant.
Initial review involves Legal, Compliance, Risk, and Executive leadership. Technology and procurement review follow once classification is understood.
Select your function on the main page and complete the brief access form, or use the direct contact on the main page. Contact: legal@2am.africa
No. RETERA™ is applicable to any regulated or contractual context where an obligation boundary must be defined, observed, and made auditable. Financial services and accountable institutions are the primary deployment environments.
It exists because operational systems were not designed for the evaluation stage. In the absence of an operational definition for pre-commitment interaction, institutions treat it conservatively, as though commitment has already occurred. The consequence is compliance effort expended on individuals who will never become customers. That effort is structural and recurring.
No. The question RETERA™ addresses, when does institutional responsibility begin, is a governance and compliance matter. The decision originates in risk and compliance, is approved at board level, and budget comes from regulatory risk, compliance efficiency, and client acquisition, not technology spend.
No. Compliance responsibility never leaves the institution. RETERA™ controls when that responsibility lawfully begins. After commitment, all regulatory obligations apply in full and remain entirely with the institution.
Boards carry ultimate accountability for regulatory exposure. The current exposure is structural: institutions hold personal information from individuals who evaluated and did not proceed, with no clear lawful basis for retention. RETERA™ eliminates that exposure category. The board can demonstrate, not merely assert, that pre-commitment interaction was proportionate, transparent, and consistent with existing law.
TCF Outcome 1 requires that customers are confident they are dealing with firms where fair treatment is central to institutional culture. RETERA™ enables institutions to demonstrate, with an auditable record, that pre-commitment interaction was transparent, proportionate, and non-misleading.
POPIA Section 11(1) grounds are exhaustive. For pre-commitment data from non-converting individuals, none applies cleanly: no consent for speculative retention, no contractual necessity where no contract exists, and legitimate interest does not survive proportionality review for data held from someone who chose a competitor. Section 13 purpose limitation further requires that information only be retained for its defined collection purpose, which is exhausted once evaluation concludes without commitment.
FICA Sections 21 and 21A require CDD when establishing a business relationship. The obligation attaches at that point, not at first interaction. RETERA™ operationalises what FICA already says about when that point occurs. CDD obligations apply from commitment forward, as the law intends.
Zero-party data, information the individual has voluntarily and proactively shared, with full awareness, for the specific stated purpose of evaluation. This is the most defensible category of data handling under POPIA. For non-converters, no institutional record exists after evaluation concludes, there is nothing to retain, delete, or defend.
The IFWG has formally endorsed the position that personal information stored by financial institutions belongs to the customer, and has stated that a mandatory open finance regime is the most appropriate approach for South Africa. RETERA™'s zero-party data architecture is architecturally positioned for the open finance environment the IFWG is working to establish. When the mandatory regime arrives, GRC functions that have approved RETERA™ will not be navigating that requirement as a new challenge. It will already be built into the institution's operational architecture.
TCF Outcome 1 requires that consumers are confident they are dealing with firms where fair treatment is central to institutional culture. RETERA™ records what explanations were shown, when key disclosures occurred, and when commitment was acknowledged. This provides evidence of fair, informed, and non-misleading process for regulatory review.
Under RETERA™, no personal information from non-converting prospects enters the institution's environment. The Joint Standard compliance overhead therefore attaches only to committed customers. The Control and Assurance Brief sets out the classification argument for JS1/2024 outsourcing in full.
RETERA™ does not replace, compete with, or duplicate consent and preference management systems. Those systems are designed for customers, people who have already committed. RETERA™ manages the period before that stage. At commitment, RETERA™ hands off to the institution's existing systems, which engage exactly as they do today. Institutions that have built data classification, retention, and destruction programmes under POPIA will find that RETERA™ completes the architecture, adding the pre-commitment boundary that those programmes were never designed to address.
No institutional record exists for that individual. Because RETERA™ handles only zero-party, view-only access during evaluation, no data was retained by the institution. The pre-commitment interaction concludes cleanly.
Each institution operates entirely independently. There is no shared institutional network. Information reviewed by an institution that is not selected cannot be retained, because nothing was retained in the first place.
DocuSign records that parties signed a document. A CRM records a workflow stage. Neither records the specific legal moment at which regulatory responsibility under POPIA and FICA formally attaches in a form capable of surviving supervisory review. RETERA™ records the obligation state. The distinction is the point.
No. RETERA™ does not approve, reject, or recommend decisions. All decisions remain solely with the institution.
No. Information becomes visible to an institution only when deliberately provided by the individual during an interaction they initiate. RETERA™ does not grant automatic access to personal records.
RETERA™'s cost is distributed across the lines the institution already holds: regulatory risk, compliance efficiency, and client acquisition. Budget owners are risk, compliance, and the CFO function.
As governance infrastructure, not a software licence. It sits across risk avoidance, compliance efficiency, and client acquisition budgets.
RETERA™ should be understood as an operational coordination boundary rather than a replacement operational system or conventional software vendor. It does not perform institutional functions on behalf of the organisation, does not hold institutional data, and does not create a dependency on its continued operation for existing regulatory obligations. The correct classification is governance infrastructure.
RETERA™ repositions compliance processes to apply only where a relationship actually forms. Checks that currently run on every enquiry run only on committed customers. The cost of evaluation is cleanly separated from the cost of onboarding. That is not a reduction in compliance rigour. It is compliance applied at the point the law intends, and not before.
Client acquisition: verification and onboarding spend incurred only on customers who convert. Compliance overhead: compliance processing applied to pre-commitment interactions generates no regulatory value. Regulatory risk: RETERA™ eliminates the category of risk. Consent and preference management: your existing POPIA infrastructure governs committed customers, the population it was designed for, rather than being burdened with pre-commitment data of uncertain legal standing.
RETERA™ is priced as governance infrastructure reflecting scope and regulatory exposure, not transaction volume, data processed, or individual compliance events. Pricing detail is introduced during the structured review process under appropriate confidentiality.
It redirects an existing one. The cost of pre-commitment compliance is already being incurred. RETERA™ reallocates that spend to the point where it produces regulatory value: after commitment, on customers who convert.
Yes. Once the board has approved participation, standard vendor assessment documentation, a data processing agreement, and security posture information are available. RETERA™ is designed to achieve ISO 27001, SOC 2 Type II, ISO 27701, ISO 22301, and ISO 27017 upon build completion.
Existing onboarding, compliance, consent and preference management, and record-keeping systems are unaffected. RETERA™ sits upstream of those systems. Once commitment occurs, data flows into existing institutional systems and processes in the normal way. Nothing in the downstream process changes.
The commitment event is the moment at which an individual explicitly agrees to enter a relationship with the institution, and the institution accepts. It is observable and auditable. RETERA™ records this event: timestamp, parties, and context. Before that event, information may be reviewed as zero-party data. After that event, regulatory obligations attach and institutional systems engage.
No. RETERA™ integrates by signalling workflow state, not by storing records or replacing data pipelines. No bulk data migration, no infrastructure replacement, no ongoing data pipeline. No changes to consent and preference management platforms.
RETERA™ is designed to sit alongside existing institutional architecture, not inside it. No changes to core banking, policy, CRM, or compliance platforms are required. Integration focuses on workflow state and audit signals, not data ingestion.
No. In practice, RETERA™ reduces onboarding time. The commitment boundary enforces readiness before obligation attaches, which eliminates document chasing, reduces repeated requests, and presents information in the order it is required.
Existing customer relationships continue unaffected. No data is lost. RETERA™ does not hold institutional customer records. Institutions can revert to existing processes. RETERA™ is an enabling control, not a single point of regulatory dependency.
RETERA™ is designed to achieve the following certifications upon build completion, these are not certifications currently held: ISO 27001; SOC 2 Type II; ISO 27701, directly relevant to POPIA and zero-party data architecture; ISO 22301; ISO 27017. POPIA and GDPR compliance are by architectural design.
Yes. Once the board has approved participation, standard vendor assessment documentation, a DPA, and security posture information are available to support CIO and operations review. Implementation documentation follows the governance decision.
RETERA™ does not hold institutional customer records and does not function as a material operational system triggering outsourcing classification under Joint Standard JS1/2024. The integration surface is narrow: workflow state and audit signals only. The Control and Assurance Brief sets out the classification argument in full.
RETERA™ operates this website for the purpose of introducing the RETERA™ governance standard to institutional audiences and facilitating a structured review process.
The only personal information RETERA™ collects is what an institution's representative voluntarily provides when submitting a brief access request or contact form, specifically, name, email address, institution, function, and any optional message provided.
This information is used solely to respond to the request, to determine whether structured dialogue is appropriate, and to route the relevant executive brief to the correct function within the enquiring institution.
RETERA™ does not sell personal information. It does not use personal information for advertising, behavioural profiling, or marketing lists. It does not share information with third parties except where required by law.
You may request access to, correction of, or deletion of information submitted through this site by contacting the Information Officer directly.
Information Officer
legal@2am.africa
This website is provided for general informational purposes only. The content describes the nature of the RETERA™ governance standard and does not constitute professional, compliance, legal, or regulatory advice.
Viewing this website or submitting a brief access request does not create a professional relationship, engagement, or obligation of any kind. A formal engagement exists only once agreed in writing between the parties.
Any descriptions of regulatory frameworks on this site are general in nature. They do not constitute legal advice and should not be relied upon as such without appropriate independent counsel.
Intellectual property. All intellectual property in the RETERA™ governance standard, including all methodologies, frameworks, obligation state architecture, documentation, analytical papers, briefs, and associated materials, is owned exclusively by 2am IP Ltd (GBC Mauritius) as the IP holding entity. No part of the RETERA™ framework, documentation, or materials may be reproduced, distributed, adapted, or used in any form without the prior written consent of 2am Pty Ltd.
For institutional brief requests, use the form on the main page, this ensures your request is routed correctly from the outset.
For all other enquiries e.g. legal, privacy, investment, or general you may contact 2am directly.
legal@2am.africa | legal, compliance, and institutional enquiries
info@2am.africa | general enquiries
Responses are provided personally. Allow one working day.
Prepared in terms of Section 51 of the Promotion of Access to Information Act, 2000 (PAIA).
Private body
2am South Africa Pty Ltd
Registration Number: 2017/108238/07
57 Main Street · Paarl · 7646 · Western Cape · South Africa
Purpose of this manual
This manual explains how a person may request access to records held by 2am in accordance with PAIA. 2am does not operate public platforms, user accounts, or consumer services. The amount of personal information held is limited to professional correspondence and administrative records.
Records held
Records may include business correspondence, engagement agreements, invoices and financial records, and administrative records required by law. 2am does not maintain consumer databases, public user accounts, or marketing mailing lists.
How to request access
A request for access to records must be made in writing and must describe the record requested, provide sufficient detail to identify the requester, and include an email address for response. Requests should be directed to the Information Officer. 2am will respond within a reasonable period in accordance with PAIA.
Fees
If applicable, statutory request fees prescribed by PAIA may apply. The requester will be informed before any fee is payable.
Grounds for refusal
Access may be refused where permitted by PAIA, including where disclosure would reveal confidential commercial information, violate the privacy of a third party, or where disclosure is not in the public interest as defined by the Act.
Information Officer
legal@2am.africa
All institutional briefs and analytical papers. This page is shared directly and is not linked from the main site.
Executive Briefs
Audience-specific briefs. Each addresses the regulatory, cost, and operational argument relevant to that function.
Board Executive Brief
Board & Executive Leadership
"RETERA™ does not change what your institution must do. It changes when obligations lawfully attach."
Governance case, four-framework liability argument, independent cost validation, and the path to structured dialogue.
GRC & Legal Executive Brief
GRC & Legal
"RETERA™ enforces existing legal principles more conservatively and consistently than current institutional practice."
Full regulatory alignment analysis, zero-party data classification, POPIA and FICA obligation mapping, TCF, Joint Standards, and IFWG open finance direction.
CFO & Procurement Executive Brief
CFO & Procurement
"The programme is funded through the correction of inefficiencies that institutions are already paying for. This is not new spend. It is reallocated spend."
Cost argument, four budget lines affected, pricing philosophy, and the commercial proportionality case.
CIO & Operations Executive Brief
CIO & Operations
"The integration surface is narrow. Workflow state signals only. Nothing downstream changes."
Technical architecture, three-signal integration, data residency, JS1/2024 outsourcing classification, and the full certification target roadmap.
Analytical Papers
Supporting depth documents for each function’s review.
Category Paper
Board · All audiences
"Most systems only manage data. Very few manage obligation states. RETERA™ manages obligation states."
Establishes why RETERA™ is a new governance category. Structural regulatory case, four-framework liability argument, IFWG mandatory open finance regulatory tailwind.
Economic Justification Paper
CFO · CRO · GRC
"The programme is funded through the correction of inefficiencies that institutions are already paying for."
Full cost methodology, external validation from global and SA research, and the Recovery Diagnostic Tool.
Recovery Diagnostic Tool
CFO · Finance
"RETERA™ does not make compliance easier. It makes a category of compliance liability structurally impossible."
Structured self-assessment instrument for calculating the institution’s own recoverable pool from internal data across four cost categories.
Control and Assurance Brief
GRC · Legal · CIO
"RETERA™ enforces existing legal principles more conservatively than current institutional practice."
Complete statutory analysis, zero-party data classification, POPIA and FICA mapping, Joint Standards, IFWG position, COFI alignment, and full certification roadmap.
Regulatory Obligation Mapping
Legal · Compliance counsel
"RETERA™ does not change what the institution must do. It changes when obligations lawfully attach."
Precise statutory analysis of POPIA ss.11, 13, 14 and FICA ss.21, 21A across all three stages with four practical scenarios. Not legal advice.
Procurement Classification Brief
CFO · Procurement · CIO
"RETERA™ should be classified as governance infrastructure, not a software licence."
How RETERA™ should be classified for procurement, budget routing, and Joint Standard JS1/2024 outsourcing assessment purposes.
Institutional Review Sequence
All audiences
"The five-stage review process is designed to ensure every function receives the materials relevant to its review."
The five-stage structured review process. Explains the path from initial contact to Heads of Agreement and what each stage involves for the institution.