by Jude Ayua
South Africa’s Financial Intelligence Centre (FIC) issued Directive No. 9 on 15 November 2024, effective from 30 April 2025, mandating compliance with the Financial Action Task Force (FATF) Recommendations “Travel Rule” for crypto asset transfers.
“The purpose of the Directive is to ensure that accountable institutions that provide or engage in activities of crypto asset transfers, implement the requirements of Recommendation 16 of the Financial Action Task Force in the context of crypto asset transfers,” the introductory section of the Directive reads.
The FATF travel rule aims to combat money laundering, terrorist financing, and the illicit proliferation of weapons. The Directive shows South Africa’s efforts to exit the FATF greylist, which it was placed on in early 2023 due to deficiencies in combating financial crimes.
Read also: Luno and Zignaly become first to receive crypto licenses in South Africa.
Key Provisions and Requirements Directive 9
The Directive applies to crypto asset service providers (CASPs) facilitating domestic or cross-border crypto transfers or acting as intermediaries for clients sending or receiving crypto assets.
- Ordering Crypto Asset Service Providers: CASPs must share key information about the originator—the client of the crypto asset service provider—of a transfer, including their full name, identification details, and either a residential address or country of birth.
- Intermediary and Recipient Crypto Asset Service Providers: Intermediary CASPs must transmit originator and beneficiary information for domestic and cross-border crypto transfers to the next provider in the transaction chain. The Directive requires them to identify transfers lacking the necessary information and establish risk-based policies to decide whether to process, suspend, or return such transfers. The providers must also integrate these measures, along with appropriate follow-up actions, into their Risk Management and Compliance Programme, as mandated by the FIC Act.
Similarly, recipient CASPs must treat transfer beneficiaries as clients under the FIC Act, verifying their identity and ensuring compliance with their Risk Management and Compliance Programme. They must validate beneficiary information for transfers from high-risk jurisdictions and monitor cross-border transactions missing required details.
Immediate Transfer of Originator and Intermediary Information: Ordering and intermediary CASPs must transmit required originator and beneficiary details securely and promptly, either before or during the transfer, to the recipient or other intermediaries. Batch transmissions are allowed but must still meet timing requirements, with no post-transfer submissions permitted. Providers must ensure the security, integrity, and availability of transmitted data to prevent unauthorized access.
Unhosted Wallets: CASPs must establish and implement risk-based policies for handling transfers involving unhosted wallets. These policies should outline procedures to obtain additional information about unhosted wallets when higher risks of money laundering, terrorism financing, or proliferation financing are identified.
These requirements vary depending on the size of transactions:
- For transactions below R5,000 (approximately $270), CASPs must collect the sender’s and beneficiary’s full names, wallet addresses, and relevant account numbers.
- For transactions exceeding R5,000, additional details, including the sender’s ID or passport number, date of birth, and residential address must be provided. Businesses must disclose their registered names, registration numbers, and addresses.
Read also: Yellow Card secures operating license in South Africa
Compliance Impact Analysis
- South Africa’s FATF compliance and greylist exit
The FATF travel rule requirement which Directive 9 aligns with is aimed at preventing criminal misuse of digital assets. South Africa has shown its commitment to complying with global standards and exiting the FATF greylist by enforcing stricter monitoring on CASPs. The FATF requirements also mandate cryptocurrency regulations to balance financial innovation with security and compliance.
- Data Privacy and Security Concerns
Directive 9 raises significant data privacy concerns around the secure storage and handling of sensitive personal information. Although the FIC assures the protection of users’ privacy, cybersecurity risks persist, especially with increased volumes of sensitive data storage. A data breach could expose users to identity theft or financial fraud, a major concern in the European Union (EU)’s General Data Protection Regulation (GDPR), which imposes stringent requirements for data handling and breach reporting.
In comparison with South Africa, EU regulators have integrated GDPR with the Fifth Anti-Money Laundering Directive (5AMLD), aimed at preventing the use of the financial system for criminal purposes, to ensure privacy protections while combating financial crimes. South Africa’s Protection of Personal Information Act (POPIA) provides a legal framework for data privacy. However, its effective implementation is still a challenge.
- Balancing Innovation with Regulation
The FIC’s stringent threshold of R5,000 (approximately $274) is found to be among the lowest globally, compared to countries like Japan ($3,000), Singapore ($1,115), and Canada ($710) adopting higher thresholds.
Sean Sanders, CEO of Altify, criticized the low threshold:
“It may be the lowest out of any country worldwide. This will place extra compliance costs on investment platforms like us at Altify, which may result in slower transaction processing times and an overall worse user experience for our users relative to platforms operating outside of South Africa.”
Lastly, the Directive’s focus on unhosted wallets aligns with trends in global cryptocurrency regulation, with policymakers wrestling to balance decentralization and regulation. In South Korea and Japan, regulators require users to sign waivers for unhosted wallet transactions. However, South Africa leaves the decision to CASPs’ risk assessments. Such flexibility could encourage innovation. Nevertheless, it could also risk creating inconsistencies in enforcement.
Read also: Nigeria’s SEC issues ‘Approvals-in-Principle’ to digital assets exchange firms.
Regional implications
South Africa’s recent regulatory move could influence other African countries. For example, Nigeria, where cryptocurrency adoption is high, may fast-track its efforts to adopt FATF-related policy measures. However, African countries must take into cognizance their unique economic and technological landscapes as well as address the issues of data privacy and balancing regulation with innovation. Countries must also ensure regulatory clarity, a need Carel van Wyk, a South African crypto industry veteran, highlighted:
“The Intergovernmental Fintech Working Group on crypto asset regulation has long recommended updates to exchange control frameworks to account for digital currencies,” said Wyk.
While South Africa’s Directive 9 is part of its efforts to validate its crypto industry and attract global investment by meeting FATF requirements, it must realize that burdensome regulations could deter smaller CASPs and likely stifle innovation. For example, applying exchange control limits to unhosted wallets may complicate cross border transactions and hinder the broader adoption of decentralized finance (DeFi) applications.
Read also: Tether (USDT) Stablecoin: Use Cases and Pros and Cons You Should Know
About the Author: Jude Ayua is a policy analyst at CAB. A lawyer, Jude is an associate at Infusion Lawyers where he is a member of the Blockchain & Virtual Assets Group. He is also a member of the Policy & Regulations Committee of the Stakeholders in Blockchain Technology Association of Nigeria (SiBAN). Jude reports and writes on crypto policy and regulations. jude@infusionlawyers.com
