Most compliance guides tell you what the rules are. This one tells you what happened when people ignored them.
The examples below are real events — documented in official government notices, court records, and public media. The scale may surprise you.
CIPC: Half a million companies deregistered in one month
In December 2024, the Companies and Intellectual Property Commission (CIPC) — the government body that registers and regulates South African companies — deregistered approximately 500,000 companies and close corporations in a single bulk action.
These were not obscure shell companies. Many were active businesses that had simply fallen behind on two specific filings: their Annual Return (a yearly confirmation that the company is still operating) and their Beneficial Ownership Declaration (a record of who actually owns and controls the business).
CIPC had issued formal warnings months earlier. Notice 60 of 2024, published in September, gave companies explicit notice that deregistration proceedings were underway. Bulk deregistrations began between 2 and 23 December 2024, with final deregistrations following in February 2025.
For every business caught in that wave, the consequences were immediate:
The company legally ceased to exist. A deregistered company cannot trade, cannot issue invoices, cannot sign contracts, and cannot open or maintain a bank account. Banks are legally required to freeze accounts held by deregistered entities.
Directors became personally liable.When a company is deregistered, the limited liability protection that makes a (Pty) Ltd valuable disappears. Directors can be held personally liable for the company's debts — meaning creditors can come after personal assets.
Suppliers and creditors walked away. Businesses that discovered a supplier was deregistered stopped paying them immediately. Some businesses found themselves unable to collect money owed for work already completed.
Reinstatement was not straightforward. CIPC did offer a reinstatement process, but it required proof of economic activity at the time of deregistration, supporting documents, and payment of all outstanding fees. Due to the volume of applications, significant delays were expected.
The hard part: most of these business owners did not know they were in trouble until it was too late. CIPC sent SMS and email notifications — but only to the contact details on file, which for many companies were outdated or belonged to a previous accountant or service provider.
The Beneficial Ownership hard stop
A separate but related CIPC issue has been trapping businesses since April 2024. CIPC introduced a technical block — a “hard stop” — that prevents any company from filing its Annual Return until its Beneficial Ownership Declaration is complete.
This created a compounding problem for tens of thousands of businesses. They wanted to file their Annual Return and stay compliant, but the system would not let them proceed. Without completing the Beneficial Ownership filing first, the Annual Return could not be submitted. Without the Annual Return, deregistration proceedings could begin.
In January 2025, CIPC issued a further notice identifying a list of non-compliant entities and giving them until 21 January 2025 to file. Companies that missed this deadline were prohibited from transacting with CIPC at all — which means they could not register changes to directors, update company details, or take any other action that required CIPC interaction.
SARS: Penalties that multiply quietly
The South African Revenue Service (SARS) does not send a single large bill when a business falls behind. It issues administrative non-compliance penalties that accrue monthly — and they stack.
For failing to submit outstanding tax returns, SARS penalties range from R250 to R16,000 per month, per company, per outstanding return. A business with three outstanding returns can be accumulating up to R48,000 in penalties every month — before any tax owed is even calculated.
The compounding problem is particularly acute for entrepreneurs who register multiple companies. Each entity carries its own set of obligations. An owner with seven registered companies — a common structure for property or investment portfolios — could be accumulating penalties across all seven simultaneously, often without realising it.
Between 20 and 23 percent of South African SMMEs that apply for formal funding are not even registered with SARS, despite having a CIPC registration and active clients. For these businesses, the penalty clock started running from the date they should have registered — and they do not find out until they apply for a loan or a government tender and the funding falls through.
SARS also has the legal authority to:
- Issue preservation orders against business assets pending tax investigations
- Hold directors personally liable for tax debts in cases of negligence or fraud
- Blacklist businesses from government procurement if tax compliance certificates cannot be produced
SARS has been significantly expanding its enforcement capacity since 2024, using AI and machine learning to identify non-compliance patterns earlier. The agency's stated focus for the 2024/25 financial year explicitly named small business non-compliance as a priority target.
UIF and COIDA: A R10 million raid in one week
In late September 2024, the Department of Employment and Labour conducted a nationwide compliance inspection targeting employers across multiple sectors, with a particular focus on hospitality businesses.
The result: fines totalling more than R10 million imposed on non-compliant employers in a single operation.
The violations were not exotic. They included:
- Failure to pay the National Minimum Wage (at the time R27.58 per hour)
- Deducting UIF contributions from employee salaries but not paying those contributions over to the UIF
- Non-compliance with COIDA (the Compensation for Occupational Injuries and Diseases Act), which provides workers' compensation coverage for employees injured on the job
The Babel Restaurant in Pretoria was publicly identified as one of the named cases, cited for underpaying cleaners and waitstaff.
The UIF issue is particularly damaging because it involves a double failure. The employer withholds the employee's 1% contribution from their salary — the employee never receives that money — but then fails to pass it to the fund along with the employer's matching 1%. The employee has lost income and has no UIF coverage when they need it.
For COIDA non-compliance, the consequences extend beyond fines. An employer without a valid COIDA registration and an up-to-date Letter of Good Standing is personally liable for the full cost of any workplace injury claim. Depending on the severity of an injury, that liability can run into hundreds of thousands of rands.
POPIA: The first fines have been issued
The Protection of Personal Information Act (POPIA) — South Africa's data privacy law — came into full effect in 2021. For several years, enforcement action was limited. That changed in 2023, and the precedents set by the first fines give a clear signal of where enforcement is heading.
First fine — Department of Justice and Constitutional Development, July 2023: R5 million.
Following a 2021 ransomware attack that exposed approximately 1,204 files of personal information, the Information Regulator issued an Enforcement Notice requiring the department to implement specific security improvements. The department failed to comply. The result: South Africa's first major POPIA administrative fine — R5 million.
Second fine — Department of Basic Education, December 2024: R5 million.
The Information Regulator issued an enforcement notice instructing the Department of Basic Education not to publish matric results in newspapers, on data privacy grounds. The department did not comply with the notice. A second R5 million fine followed.
Both cases involve government departments, not private businesses. But the legal maximum — R10 million per violation, or imprisonment of up to 10 years for certain offences — applies equally to private companies. And the enforcement trajectory is clear: the Information Regulator is actively using its powers and seeking to expand them. During 2024, over 30 PAIA compliance assessments were conducted, and the Regulator has publicly signalled that direct marketing non-compliance is a priority focus for 2025 and 2026.
For most South African SMEs, the most common POPIA gap is simple: the Information Officer — the person legally required to be responsible for the company's data — has never been registered with the Information Regulator. The registration is free. The risk of not doing it is not.
The pattern across all of these cases
Looking at the CIPC deregistrations, the SARS penalties, the labour inspection fines, and the POPIA enforcement actions together, a clear pattern emerges.
The consequences are not triggered by doing something wrong. They are triggered by not doing something at all.
Every business caught in the December 2024 CIPC deregistration wave missed a filing. The employers fined in the September 2024 labour raid had simply stopped making contributions they were legally required to make. The POPIA fines came from failing to implement the security measures an enforcement notice required.
In almost every case, the business owner either did not know the obligation existed, did not know they had fallen behind, or assumed that because nothing bad had happened yet, nothing bad would happen.
The second pattern: by the time most businesses find out, the problem has compounded.
CIPC penalties accumulate before the company knows they exist. SARS penalties stack monthly. A COIDA Letter of Good Standing lapses quietly in April each year. POPIA compliance gaps can sit unnoticed until a data breach or a complaint triggers an investigation.
The third pattern: the cost of fixing it is always higher than the cost of preventing it.
CIPC reinstatement after deregistration requires legal support, supporting documents, and outstanding fees — often costing more than years of basic annual return filings would have. SARS penalty disputes require accountants and tax practitioners. Workplace injury claims against unregistered COIDA employers can run to hundreds of thousands of rands.
What ClearComply tracks — so you do not have to find out the hard way
ClearComply monitors the compliance obligations that generated every consequence described in this article.
CIPC Annual Return status— checked against 2.25 million CIPC records, including the same gazette publications that triggered the December 2024 bulk deregistrations.
Beneficial Ownership filing status— the specific issue behind the CIPC hard stop that has been blocking tens of thousands of Annual Return filings since April 2024.
SARS compliance reminders— automated alerts before provisional tax, EMP201, VAT, and annual return deadlines, so penalty clocks never start running unnoticed.
UIF and COIDA tracking— deadline reminders for Return of Earnings submissions and Letter of Good Standing renewals, the two obligations most commonly missed in the labour inspections.
POPIA Information Officer registration— a check on whether your company has registered its Information Officer with the Regulator, the most common POPIA compliance gap in the SME market.
The free CIPC health check at clearcomply.co.za/checkshows your company's current status in 30 seconds. No sign-up, no credit card — just the information you need to know whether you are exposed right now.
If there is an issue, the fix-it report inside ClearComply walks you through exactly what to do, step by step.
A Basic plan at R49 per month adds the full compliance calendar — every obligation tracked to your specific company's dates, with automated reminders at 60, 30, 14, 7, and 1 day before every deadline.
The December 2024 deregistrations affected 500,000 companies. Most of them had no idea it was coming.