With South Africa tightening its grip on crypto regulations, crypto asset service Providers (CASPs) must act now to avoid compliance failures.

As of 30 April 2025, Directive 9 will introduce stricter requirements for tracking and reporting crypto asset transactions. A key component of this is the “travel rule”, which mandates that client details accompany domestic and cross-border crypto transfers.

This information includes the originator’s full name, identity or passport number, date and place of birth, residential address (if “readily available”), and wallet address for transactions over R5 000.

South Africa’s grey-listing by the Financial Action Task Force (FATF) has triggered a wave of stricter compliance regulations. Directive 9 is a direct response, placing responsibility on CASPs to ensure crypto transactions are not linked to money laundering, terrorism financing or other illicit financial activities.

This includes the “ordering CASP” (the CASP where the sender of the crypto assets has their account), the “recipient CASP” (the CASP that receives the crypto assets from the ordering CASP on behalf of the customer) and any intermediary CASP (a CASP that transmits and receives crypto assets on behalf of an ordering CASP or a recipient CASP or another intermediary CASP).

Crypto assets were officially declared financial products by South Africa’s Financial Sector Conduct Authority in October 2022 and CASPs were included in South African regulatory frameworks as accountable institutions in December 2022. As such, these service providers must comply with the Financial Intelligence Centre Act (Fica) regulations to ensure that they stay on the right side of the law.

Due diligence

CASPs now have a responsibility to do customer due diligence and verify a customer’s identity before processing transactions. This is especially important because crypto assets enable the quick and seamless transfer of funds across borders, which makes it harder to determine who is behind the transactions and thus means that they can easily be used for criminal activities.

If CASPs want to avoid financial penalties and possible reputational damage, they should put robust governance and compliance measures in place, like real-time checks against global watchlists, live customer verifications video calls and advanced biometric verification (challenging the user to blink, smile or perform specific movements during the scanning process). But once a customer is verified, the work isn’t over.

Read: Crypto’s next bubble will be politically motivated

CASPS must also monitor transactions regularly, looking for unusual patterns and behaviours that could be linked to illicit activities. These requirements demand that CASPs maintain more detailed and extensive records of client transactions and implement comprehensive risk assessment frameworks to evaluate client risk during onboarding and beyond.

For example, external factors such as geopolitical developments could mean that individuals or groups turn to crypto to finance illegal activity because it is harder to trace than if these transactions were done using traditional banking systems. As part of their risk assessment framework, CASPs need to have a clear understanding of when to reject or suspend a cross-border crypto asset transfer and what follow-up action will be taken when this happens.

While this directive has been welcomed by many, some have voiced concern that the travel rule presents significant privacy governance challenges. The Protection of Personal Information Act (Popia) restricts the transfer of personal information outside South Africa, but given the global nature of crypto transactions, the travel rule dictates that personal data may have to be transmitted to entities in countries that do not have stringent privacy safeguards in place.

Additionally, Popia stipulates that only the data necessary for completing the transaction itself should be collected and processed and the travel rule could conflict with this.

As more and more measures are put in place to ensure that the crypto world operates within well-regulated frameworks, CASPs and other financial institutions need all the help they can get to stay ahead of changing compliance obligations and reduce operational risk.

Read: Crypto tax evasion? Sars is watching

The implementation of Directive 9 marks a critical shift in South Africa’s regulatory framework for CASPs. With non-compliance now carrying the risk of administrative sanctions under Fica, CASPs must take immediate steps to align with these obligations.

Get breaking news from TechCentral on WhatsApp. Sign up here