In hopes of becoming one of the African crypto leaders and a crypto hub, South Africa has confirmed its Travel Rule will be live on 30 April 2025.
The South African Financial Intelligence Centre has put forward Directive 9: Concerning the Implementation of the “Travel Rule” Relating to Crypto Asset Transfers, requiring crypto asset service providers (CASPs) to implement the Travel Rule no later than 30 April 2025. The directive is aligned with the FATF’s Recommendation 16.
Directive 9 is to be implemented alongside a Risk Management and Compliance Programme developed by CASPs, as mandated in Section 42 of the FIC Act*. Additionally, CASPs who fail to comply with the provisions set forth in the directive will be subject to administrative sanctions per Section 45C of the FIC Act**.
*Section 42 of the FIC Act requires all accountable institutions to have a Risk Management and Compliance Programme (RMCP) in place. An RMCP documents the identified money laundering, terrorist, and proliferation financing risks the institution faces and how it will deal with these risks.
**Section 45C of the FIC Act establishes an appeal board to adjudicate on appeals emanating from sanctions issued by the FIC and supervisory bodies for non-compliance with the FIC Act.
What is the scope of the Travel Rule in South Africa?
The Directive is applicable to all institutions listed in items 12 and 22 of Schedule 1 to the FIC Act, that are ordering (originator), intermediary or recipient (beneficiary) CASPs, which facilitate or enable the origination or receipt of domestic and cross-border transfers of crypto assets or act as an intermediary in receiving or transmitting the crypto assets for or on behalf of a client. This includes:
“Any person who carries on the business of a financial services provider requiring authorisation in terms of the Financial Advisory and Intermediary Services Act, 2002 (Act 37 of 2002), to provide advice [and] or intermediary services in respect of the investment of any financial product.”
“A person who carries on the business of one or more of the following activities or operations for or on behalf of a client:
exchanging a crypto asset for a fiat currency or vice versa;
exchanging one form of crypto asset for another;
conducting a transaction that transfers a crypto asset from one crypto asset address or account to another;
safekeeping or administration of a crypto asset or an instrument enabling control over a crypto asset; and
participation in and provision of financial services related to an issuer’s offer or sale of a crypto asset".
[Where “crypto asset” means a digital representation of perceived value that can be traded or transferred electronically within a community of users of the internet who consider it as a medium of exchange, unit of account or store of value and use it for payment or investment purposes, but does not include a digital representation of a fiat currency or a security as defined in the Financial Markets Act, 2012 (Act 19 of 2012)].
Who is the supervisory body for CASPs in South Africa?
South African Financial Intelligence Centre (FIC) - responsible for AML and CTF measures for crypto assets and CASPs
The Financial Sector Conduct Authority (FSCA) - cryptocurrency regulator
What is the Travel Rule threshold in South Africa?
ZAR 0 - The Travel Rule applies to all transactions.
The below information may be submitted to the intermediary or counterparty CASP in batches but must be transmitted before or alongside each crypto transaction.
Obligations of originator crypto asset service providers
For all transactions over ZAR 5000, the originator CASP must transmit the below information to the beneficiary CASP:
originator’s name*,
orginator’s ID number if a South African citizen or resident, or passport number and date of birth if a non-citizen or non-resident*,
originator’s residential address, or country of birth if no residential address is available*,
originator’s distributed ledger address associated with the transfer (if the transfer is registered on a network using distributed ledger or similar technology),
originator’s crypto asset account number with the originator CASP, or unique transaction reference number,
beneficiary’s name,
beneficiary’s distributed ledger address associated with the transfer (if the transfer is registered on a network using distributed ledger or similar technology),
beneficiary’s crypto asset account number with the beneficiary CASP (if this information is readily available).
This data must be obtained in accordance with the FIC Act and the CASP's RMCP, which the originator CASP is required to develop, document, maintain and implement per Section 42 of the FIC Act.
* If the originator is a legal person, the originator’s registered name, registration number under which it is incorporated, and registered address is required.
For a single transaction of under ZAR 5000, less data is required to be exchanged. Moreover, this data does not need to be verified unless there is a suspicion of money laundering and the like, or if the transaction involves a high-risk or FATF-monitored jurisdiction. In this instance, the originator CASP must verify all details pertaining to the originator.
originator’s name,
originator’s distributed ledger address associated with the transfer (if the transfer is registered on a network using distributed ledger or similar technology),
originator’s crypto asset account number with the originator CASP, or unique transaction reference number,
beneficiary’s name,
beneficiary’s distributed ledger address associated with the transfer (if the transfer is registered on a network using distributed ledger or similar technology),
beneficiary’s crypto asset account number with the beneficiary CASP (if this information is readily available).
Irrespective of the transaction, the originator CASP must:
Identify the counterparty CASP,
Conduct due diligence on the counterparty CASP to ascertain whether the CASP has appropriate means to safeguard the information and avoid transferring to a sanctioned institution.
BEFORE the transaction is made.
CASPs do not need to perform due diligence for every transaction with the same counterparty. A once-off check is adequate unless there is a suspicion of money laundering, terrorist financing or proliferation financing.
If the counterparty CASP cannot meet the above requirements, the originator CASP is forbidden from executing the transfer.
Obligations of intermediary crypto asset service providers
In the event that an intermediary CASP is used, the intermediary must ensure that all originator and beneficiary information required (as seen above) is collected and transmitted with the transaction.
It is up to the intermediary CASP to develop a risk-based policy and procedures. These measures must be included in their RMCP.
Moreover, these procedures must determine:
When to execute, reject, or suspend a cross-border crypto asset transfer that lacks any of the required information specified above,
The appropriate follow-up action the intermediary crypto asset service provider will take in each instance where it executes, rejects, or suspends a cross-border crypto asset transfer as described above.
Obligations of beneficiary crypto asset service providers
The beneficiary CASP must adhere to the requirements for verifying the beneficiary's identity as stipulated by the FIC Act. Additionally, they must develop, document, maintain, and implement an RMCP.
For an inward cross-border transfer valued at less than R5 000 from an originator in a high-risk or monitored jurisdiction listed by the FATF, the beneficiary CASP must verify the accuracy of the beneficiary information.
The beneficiary CASP must take reasonable measures, such as post-event or real-time monitoring when feasible, to identify cross-border crypto asset transfers that lack the required information as specified above.
Like intermediary CASPs, beneficiary CASPs must develop risk-based policies and procedures, which must be included in their RMCP.
These procedures must determine:
When to execute, reject, or suspend a cross-border crypto asset transfer that lacks any of the required information specified above,
The appropriate follow-up action the intermediary crypto asset service provider will take in each instance where it executes, rejects, or suspends a cross-border crypto asset transfer as described above.
Self-hosted wallets are in scope
Unlike other regions that blatantly define thresholds, what data is to be collected by CASPs, when and how wallet owners are to provide proof of ownership over their wallets and so forth, the South African Travel Rule Directive 9 leaves a lot to the hands of CASPs.
It stipulates that:
Originator and beneficiary CASPs are required to create, document, maintain, and enforce effective risk-based policies and procedures for handling crypto asset transfers that involve self-hosted wallets.
The policies and procedures must outline how and through what processes additional information on the self-hosted wallet is obtained when the CASP identifies a higher risk of money laundering, terrorist financing, or proliferation financing. The policies and procedures must be incorporated into the RMCP.
When do you need to comply with the Travel Rule in South Africa?
30 April 2025
Which regulations are applicable to the South African Rule?
What Is a Risk Management and Compliance Programme (RMCP)?
A Risk Management and Compliance Programme (RMCP) is a mandatory framework that accountable institutions must develop, document, maintain, and implement to manage risks related to anti-money laundering, counter-terrorist financing, and proliferation financing.
Examples of what an RMCP should define and contain:
Identify, assess, monitor, mitigate, and manage risks associated with new and existing products or services that could facilitate financial crimes.
Define processes for determining whether a person is a prospective or existing client and establish and verify their identity.
Ensure compliance with legal requirements and provide ongoing due diligence and account monitoring.
Outline how the institution examines complex or unusual transactions and keeps written findings.
Establish procedures for confirming client information when there are doubts and reporting suspicious transactions.
Specify how customer due diligence is performed when suspicious activities arise and how business relationships may be terminated if needed.
Identify whether clients are politically exposed persons or prominent influential persons.
Implement enhanced due diligence for high-risk transactions and simplified due diligence when appropriate.
Maintain proper record-keeping and reporting processes for reportable activities.
Ensure RMCP implementation across branches and subsidiaries, including those in foreign countries, and manage risks when local laws hinder full compliance.
Facilitate group-wide information exchange and safeguard confidentiality.
Indicate any RMCP elements that are not applicable and justify why they are not relevant.
Require approval from the institution’s highest-level authority and regular reviews to keep the programme aligned with operational and legal needs.
Make RMCP documentation available to relevant employees and provide copies to regulatory bodies upon request.
For a detailed list of requirements, refer to Section 42 of the Financial Intelligence Centre's Anti-Money Laundering and Counter-Terrorism Financing Legislation.
