The Financial Intelligence Centre (FIC) has released a report assessing the money laundering (ML) and terrorist financing (TF) risk facing crypto asset service providers (CASPs).
Entities that meet the definition of a CASP in Schedule 1 of the Financial Intelligence Centre Act became accountable institutions on 19 December 2022, when the most recent amendments to the Schedule took effect.
Persons that are established, registered, incorporated, or licensed in South Africa to provide activities or operations referred to in Item 22 of Schedule 1 are required to register as CASPs with the FIC.
In addition, persons that provide advisory and intermediary services in respect of crypto assets are also required to register with the FIC, in accordance with Item 12.
The purpose of the FIC’s sector risk assessment (SRA) report is to help CASPs to understand their ML/TF risks. It also provides the measures that CASPs could introduce to mitigate and manage those risks by complying with FICA.
In a statement announcing the release of the report, the FIC said: “All sectors listed in the FICA need to understand the environment in which they operate and the potential risks they face. Sector risk assessments are, therefore, important tools for financial and non-financial institutions to customise and implement mitigation measures.”
The Centre said the report speaks directly to a Financial Action Task Force (FATF) requirement that vulnerable sectors gain a better understanding of the ML/TF risks they face.
“This understanding of the risks should be at a national and sector level, and at an individual business level where institutions are required to apply a risk-based approach by allocating their resources in accordance with their understanding of the ML and TF risks they may face.”
‘Inherent’ and ‘residual’ risk assessment
The 36-page report addresses the “inherent” and “residual” ML/TF risks pertaining to CASPs’ products, services, clients, transactions, delivery channels, and location.
The inherent risk for the CASP sector in South Africa has been classified as “high”. However, as a result of the residual risks, CASPs have been classified as “medium high”.
In the context of the SRA, “inherent risk” is the raw, unmitigated level of risk that exists in the absence of any controls, policies, or mitigation measures. It represents the natural vulnerability of CASPs to ML/TF based on their characteristics, operations, and environment before any regulatory or supervisory actions are applied.
“Residual risk” is the remaining level of risk after applying controls, regulations, and mitigation measures. It reflects the risk that persists despite efforts to manage or reduce the inherent risk. The following developments have reduced the inherent risk:
- Designating entities that conform to the definition of a CASP in Item 22 as accountable institutions, which means they must register with the FIC and are subject to South Africa’s anti-money-laundering (AML) regime. CASP FSPs must also register as accountable institutions in terms of Item 12 and be licensed by the FSCA.
- The supervisory actions by the FIC and the FSCA, which include monitoring CASP registrations, licensing, and reporting actions.
- The analysis of regulatory reports filed with the FIC by CASPs, and the assessment of emerging risks involving CASPs.
- Risk-based supervisory action by the FIC and the FSCA, including inspections of CASPS.
- The FIC’s imposing administrative sanctions on CASPs that did not comply with Directive 7 of 2023.
Why the crypto sector faces high ML/TF risks
The report indicates that the CASP sector’s “high” risk classification stems from a mix of technological vulnerabilities, operational challenges, and real-world evidence of abuse.
Anonymity
At the heart of the sector’s risk profile is the anonymity offered by crypto assets. Crypto transactions can be conducted pseudonymously, often using privacy coins or mixing services that obscure the origins of funds.
The report highlights how criminals exploit these tools in a multi-stage laundering process –buying crypto with clean intermediaries, converting it to privacy coins, masking it through tumblers, and reintegrating it into the financial system. For terrorist financing, this anonymity enables groups to transfer funds globally without revealing their identities.
Borderless nature
Crypto’s borderless nature amplifies its appeal for illicit activities. The report notes that CASPs facilitate instant cross-border transactions, bypassing the controls of traditional banks.
In sub-Saharan Africa, where centralised exchanges dominate more than 50% of crypto activity, illicit funds from global sources – such as darknet markets or sanctioned entities – can easily flow into South Africa.
Locally, transactions with high-risk jurisdictions, such as those with weak AML measures or high corruption, further elevate the sector’s exposure. The report cites the Democratic People’s Republic of Korea’s use of crypto to evade sanctions as a stark example of this global threat.
Regulation is still finding its feet
The CASP sector’s relative youth in South Africa’s regulatory landscape adds to its risk. Only since December 2022 have CASPs been accountable institutions. The report warns that supervisory measures are still being refined, leaving gaps that criminals exploit. For instance, the FIC found unregistered entities operating online, some linked to serious crimes such as child sex abuse and sanctions evasion. This regulatory immaturity, coupled with rapid growth – more than 5.8 million South Africans owned crypto in 2022 –creates a fertile ground for ML and TF.
Evidence of abuse
The report provides a number of case studies to illustrate the ML/TF risks facing the sector.
In one ongoing trial, a South African allegedly transferred Bitcoin worth R11 500 in 2017 to a charity tied to terrorist groups, showcasing TF risks. Other case studies discuss fraud and money muling, such as a crypto exchange uncovering a falsified bank statement used to externalise more than R11.7 million to the Seychelles.
Transactional analysis further identified nine CASPs linked to “severe” risks and four to “high” risks, including illicit goods and malware. These incidents underline the sector’s vulnerability to exploitation.
Challenges fuelling the risks
Operational and societal challenges exacerbate these risks. Security breaches, such as ransomware and romance scams, thrive in the crypto space, while limited consumer awareness leaves South Africans prone to becoming unwitting money mules.
Market volatility drives speculative behaviour that criminals can manipulate, and the competitive influx of new CASPs strains oversight. Even banking hesitancy – although improving – pushes CASPs towards alternative, less-regulated conversion methods, heightening ML risks.
High-impact threat of TF
For TF, the stakes are uniquely high. The report emphasises the severe impact of terrorist activities, where even small sums can fund devastating acts.
International trends, such as crowdfunding disguised as humanitarian aid or direct wallet donation appeals on social media, are mirrored in South Africa’s emerging TF cases.
Crypto’s decentralised, untraceable nature makes it an “accomplice” to terrorism, as noted by the FATF, with the United States Federal Reserve warning of its use in anonymous peer-to-peer transfers.
How the crypto sector can tackle ML/TF risks
The report provides a roadmap for CASPs to manage and mitigate ML/TF threats through robust compliance, technology, and collaboration.
The cornerstone of risk management lies in South Africa’s evolving regulatory framework. As stated above, the regulatory measures adopted since December 2022 – coupled with joint FIC-FSCA supervision – have already reduced the residual ML risk to medium high.
CASPs must fully comply with obligations such as customer due diligence, record-keeping, and suspicious transaction reporting (STRs).
Adhering to the FATF’s Recommendation 16, the “travel rule”, set to take effect via FIC Directive 9 on 30 April 2025, will further ensure that CASPs share customer data, enhancing transparency.
Read: FIC tightens crypto asset compliance with ‘travel rule’ directive
Strengthening identity verification
Anonymity is a key vulnerability, but CASPs can counter it with rigorous identity checks.
The report emphasises the need “to match and relate blockchain transactions with true identities”, creating an auditable trail for AML and counter-the-financing-of-terrorism (CFT) investigations. This means robust Know Your Customer processes to screen out high-risk clients – such as Politically Exposed Persons or those from sanctioned jurisdictions – and noticing red flags such falsified documents or unexplained fund sources.
For non-face-to-face onboarding, common in the digital crypto space, enhanced verification (for example, biometric checks or multi-factor authentication) can prevent criminals from layering illicit proceeds through lax controls.
Leveraging technology for monitoring
Crypto’s public blockchain offers a paradox: anonymity for users, but transparency for transactions. CASPs can harness this by deploying monitoring tools to detect suspicious patterns, such as peel chain transactions, rapid transfers to unregulated regions, or high-frequency large sums.
Blockchain analytics, geolocation tools, and coin risk assessments – recommended in the report – can identify tainted wallets or coins linked to crimes such as ransomware or darknet markets. By integrating these into AML/CFT compliance programmes, CASPs can proactively investigate anomalies and file STRs.
Addressing high-risk areas
The report identifies specific risk hotspots – products, clients, transactions, delivery channels, and geography – that CASPs must target.
For products, scrutinising privacy coins and peer-to-peer services can limit their misuse. Client risk management involves extra diligence for those from high-risk jurisdictions or showing anonymity-seeking behaviours (for example, VPN use).
Transaction risks can be mitigated by questioning unexplained patterns, such as structuring or rapid conversions, while delivery channel risks require clear terms of service and intermediary vetting.
Geographically, CASPs should consult the FIC’s Targeted Financial Sanctions (TFS) list to avoid dealings with sanctioned entities or terrorist-linked addresses, a practice bolstered by international blacklisting efforts.
Educating and protecting consumers
Limited consumer awareness fuels risks such as money muling and scams. CASPs can mitigate this by educating users about crypto’s use, storage, and risks – such as romance scams or rug pulls – through clear platform guidance.
The report suggests highlighting terms and conditions to deter criminal exploitation, ensuring clients understand how to avoid becoming unwitting conduits for illicit funds. This not only reduces risk but builds trust in the sector.
Collaborating with the authorities
The fight against TF demands public-private teamwork. The report calls for CASPs, alongside blockchain analytics firms and exchanges, to share intelligence on potential TF activities – such as crowdfunding disguised as humanitarian aid – with the authorities.
Accessing the FIC’s TFS list and US-blacklisted crypto addresses helps CASPs to screen out terrorist financiers. The report’s case studies, such as the freezing of R1.2m in a money mule scheme, show how swift reporting to bodies such as the South African Reserve Bank can halt illicit flows.
Build resilience against emerging threats
As the sector evolves, so do its risks. The report notes emerging TF trends, such as wallet donation appeals, and proliferation financing by entities such as the Democratic People’s Republic of Korea.
CASPs must stay agile, adopting risk-based approaches per FATF Recommendation 15 – assessing new products or technologies before launch. Regular updates to Risk Management and Compliance Programmes will keep CASPs ahead of threats.
Download the full report
Click here to download the CASP SRA report of 1 April 2025.
