From CompliNEWS | Financial Service Intelligence Watch

Practice note: Crypto compliance obligations for CASPs in South Africa – A practical guide

As South Africa continues to strengthen its regulatory grip on crypto assets, Crypto Asset Service Providers (CASPs) must ensure they align with the growing list of obligations under the Financial Intelligence Centre Act (FIC Act). With the implementation of Directive 9 set for 30 April 2025, and increased scrutiny following South Africa’s greylisting by the Financial Action Task Force (FATF), CASPs can no longer afford a passive approach to compliance.

Understanding the Risks and Legal Framework

Crypto asset transactions offer significant benefits—speed, borderless execution, and partial anonymity. But these same features make them attractive for illicit use, particularly in money laundering (ML), terrorist financing (TF), and proliferation financing (PF) schemes. Unlike traditional financial services, crypto transactions operate outside the purview of central banks or governments, which limits transparency and increases regulatory challenges.

To combat these risks, the FIC has classified CASPs as accountable institutions, requiring them to comply with the same AML/CFT obligations as banks and financial service providers. Whether you’re a decentralised exchange, wallet provider, crypto broker, or platform operator—if you facilitate crypto transactions in South Africa, you must register with the FIC via goAML, implement a robust Risk Management and Compliance Programme (RMCP), and actively monitor client activity.

Practical Example

A crypto exchange allowing clients to buy, sell, or store crypto—regardless of whether it uses blockchain, smart contracts, or other technologies—must register with the FIC. If the exchange fails to identify and report a suspicious transaction (eg, a R500 000 BTC transfer to an address linked to ransomware payments), it could face administrative sanctions, financial penalties, or even criminal prosecution.

Core Compliance Obligations for CASPs

Customer Due Diligence (CDD) & Beneficial Ownership

CASPs must conduct identity verification for all clients during onboarding, including identifying the natural person behind a legal entity (the beneficial owner). This includes collecting certified identity documents, verifying residential addresses, and ensuring clients are not using intermediaries to conceal control. See PCC 59 for beneficial ownership guidance.

Risk-Based Approach & RMCP

CASPs must apply a risk-based approach, adjusting the depth of client assessments based on their risk profile. A local user transacting small amounts may be low risk, whereas a politically exposed person (PEP) in a sanctioned jurisdiction would require enhanced due diligence. These methodologies must be outlined in a formal RMCP document.

Transaction Monitoring and Reporting

• CASPs are obligated to monitor transaction patterns and file reports with the FIC under section 29 of the FIC Act.
• Suspicious Transaction Reports (STRs) are filed when suspicious activity occurs during a completed transaction.
• Suspicious Activity Reports (SARs) apply when a transaction is abandoned or incomplete but raises red flags.
• Reports must be submitted within 15 days of identifying the suspicious behaviour. Refer to Guidance Note 4B for submission details.

Targeted Financial Sanctions (TFS) Compliance

CASPs must screen clients against the FIC’s TFS list at onboarding and on an ongoing basis. If a match is found, all assets must be frozen and a Terrorist Property Report (TPR) submitted to the FIC. Refer to PCC 44A and the FIC’s TFS Manual for practical implementation.

Practical Example

A CASP onboarding a user who later appears on the TFS list due to links with a designated terrorist group must freeze all crypto wallets linked to the user and immediately file a TPR. Failing to act would be a direct breach of South African sanctions laws.

goAML Registration and Reporting System

All CASPs must register electronically via goAML, the FIC’s official reporting platform. The registration is free and requires supporting documents, including a letter of authorisation and certified IDs. Refer to PCC 5D and the goAML registration guide for assistance.

Preparing for Directive 9: The Travel Rule

From 30 April 2025, Directive 9 requires CASPs to implement the ‘travel rule’, which mandates that personal data of both the originator and beneficiary accompany all qualifying crypto transactions. For transactions over R5 000, this includes:

• Full name
• Identity/passport number
• Date and place of birth
• Residential address (if readily available)
• Wallet address

This information must be collected, verified, shared with the receiving CASP, and stored for regulatory review. CASPs must also understand when to reject or suspend a transfer based on risk findings and what follow-up steps to take. See Directive 9 for full details.

Privacy Considerations

While Directive 9 strengthens oversight, it raises POPIA compliance challenges. Sharing personal information with CASPs or service providers in jurisdictions lacking equivalent privacy protections could violate local data protection laws. CASPs must therefore build privacy-by-design controls to mitigate cross-border risks.

Tools to Support Compliance

Compliance can be resource-intensive, especially for smaller CASPs. Digital solutions like VOCA by SearchWorks are helping CASPs automate identity verification, client screening, and ongoing monitoring. VOCA’s real-time alerts and integrated reporting functions ensure that CASPs stay ahead of their FIC Act and FATF obligations—without breaching POPIA requirements.

Final Thoughts

As South Africa moves to align its crypto regulatory regime with international standards, CASPs have no choice but to adapt. With Directive 9 and the travel rule on the horizon, the era of crypto anonymity is ending. CASPs must ensure their compliance programmes are proactive, technologically robust, and aligned with both financial crime prevention and data privacy frameworks.

Non-compliance carries serious consequences—not only administrative penalties but also reputational damage. The message is clear: register, implement, and monitor—or risk being shut out of South Africa’s increasingly regulated crypto future.