FIC tightens crypto asset compliance with ‘travel rule’ directive

Posted on

A directive that requires crypto asset service providers (CASPS) to collect and share client information when facilitating crypto transfers will come into effect on 30 April 2025.

The Financial Intelligence Centre (FIC) issued Directive 9 on 15 November. The directive sets out the “travel rule” obligations that apply to accountable institutions that engage in crypto asset transfers.

“Travel rule” is the term used to describe the application of the Financial Action Task Force’s Recommendation 16 requirements regarding wire transfers or electronic funds transfers to crypto asset transfers.

Directive 9 makes it mandatory for prescribed information to accompany crypto asset transactions. This information, held by the ordering and beneficiary crypto asset service providers (CASPs), must be made available to the authorities upon request. The directive covers domestic and cross-border crypto asset transactions.

“The primary purpose for implementing the travel rule is to help ensure that the transfer or receipt of crypto assets via CASPs is not used for money laundering, terrorist financing, and proliferation financing purposes. Also, the travel rule meets international standards for combating money laundering, terrorist financing, and proliferation financing set by the FATF,” the FIC said in a statement on Friday.

Directive 9 places different obligations on CASPs and on FSPs that act as intermediaries when receiving or transmitting crypto assets.

An entity is a CASP if it engages in the activities defined in Item 22 of Schedule 1 to the Financial Intelligence Centre Act (FICA). An FSP is an accountable institution if its activities conform to the definition in Item 12.

In terms of Directive 9, CASPs located in South Africa that transfer crypto assets on behalf of clients living in South Africa or elsewhere are obliged to provide in a secure manner information on the originators and beneficiaries of crypto asset transactions to beneficiary institutions. The originator CASP must do this immediately – that is, before or simultaneously with the transfer of the crypto assets.

The FIC said CASPs should note that, when effecting their travel rule obligations, they must also comply with any other applicable legislation involving crypto assets, “and participants should obtain independent legal advice in this regard”.

Obligations on ‘ordering CASPs’

Directive 9 makes the “ordering CASP” responsible for gathering and transmitting the client information. This means an Item 12 (FSP) or an Item 22 (CASP) accountable institution that initiates a transfer and transfers a crypto asset for “an originator” – the person or entity that issues the transfer instruction.

The information must be transmitted to the “recipient CASP”, which means an Item 12 or Item 22 accountable institution that receives a crypto asset from an originator CASP, directly or through an intermediary CASP or financial institution, and makes the crypto asset associated with the transfer available to the beneficiary.

The draft directive sets out the information that must be obtained, which includes the originator’s full name, identity or passport number, date and place of birth, residential address (if “readily available”), and wallet address.

The ordering CASP must verify this information in accordance with its Risk Management and Compliance Programme (RMCP) and FICA.

No ‘de minimis’ threshold

In the case of a transfer that is a single transaction of less than R5 000, the ordering CASP must transmit to the following minimum information to the recipient CASP:

  • the originator’s full name;
  • information about the wallet that the originator uses as the source of the crypto asset to be transferred;
  • the name of the beneficiary; and
  • information about the destination wallet.

An ordering CASP will not have to verify the accuracy of the abovementioned information in respect of a cross-border transfer that is a single transaction valued at less than R5 000, unless there is a suspicion of money laundering or terrorist financing.

According to the Consultation Feedback Note, most comments on Draft Directive 9 confused the R5 000 single transaction threshold with a de minimis threshold. There is no de minimis threshold, or rather, it is zero. The Directive does reduce the information-gathering requirements for transactions under R5 000, and in the case of such transactions, it is not mandatory to verify the originator’s information unless suspicious activity is detected.

Due diligence requirements

When an ordering CASP transmits information to another CASP, it must, before transferring the information, identify the counterparty CASP to which it will transmit the information and conduct a due diligence on that CASP to:

  • determine whether the counterparty can reasonably be expected to protect the confidentiality of information transmitted to it; and
  • avoid dealing with a person or an entity that is sanctioned by the United Nations Security Council and is on the FIC’s Targeted Financial Sanctions lists.

The ordering CASP does not have to undertake the due diligence for each crypto asset transfer if it has already conducted due diligence on the counterparty CASP.

But it must update its due diligence on a counterparty CASP “periodically” or when it identifies that a money laundering, terrorist financing, or proliferation financing risk emerges from the relationship with the counterparty CASP.

And the ordering CASP must conduct a due diligence whenever there is a suspicion of money laundering, terrorist financing, or proliferation financing.

Importantly, an ordering CASP may not execute a crypto asset transfer if it cannot comply with all the abovementioned information-collection, verification, and due diligence requirements (where applicable).

Originator and intermediary CASPs must transmit the required information before or simultaneously with the transfer itself to the recipient CASP or intermediary. Post facto transmission of the required information will not be permitted.

Red tape for intermediaries

An intermediary CASP will have to ensure that all originator and beneficiary information that pertains to a crypto asset transfer (cross-border or domestic) is transmitted to the recipient CASP, or another intermediary CASP.

The intermediary will have to take “reasonable measures” to identify cross-border crypto asset transfers that lack the required information.

Intermediaries will be required to develop, document, maintain, and implement effective risk-based policies and procedures for determining:

  • when to execute, reject, or suspend a cross-border crypto asset transfer that lacks the required information; and
  • the appropriate follow-up action the intermediary will take in each instance where it executes, rejects, or suspends a cross-border crypto asset transfer.

The abovementioned measures must be included in the intermediary’s RMCP.

Obligations on recipient CASPs

The proposed directive places verification obligations on the recipient CASP.

It must verify the beneficiary’s identity in accordance with its RMCP and FICA.

In addition, a beneficiary CASP must verify the accuracy of the beneficiary information in the case of an inward cross-border transfer that is a single transaction valued at less than R5 000 from an originator in a high risk or other monitored jurisdiction as listed by the FATF.

Recipient CASPs will be required to take “reasonable measures”, which may include post-event or real-time monitoring, to identify cross-border crypto asset transfers that lack the required information.

They must develop, document, maintain, and implement effective risk-based policies and procedures for determining:

  • when to execute, reject, or suspend a cross-border crypto asset transfer that lack the required information; and
  • the appropriate follow-up action they will take in each instance where they execute, reject, or suspend a cross-border crypto asset transfer that lacks the information.

The abovementioned measures must be included in the recipient CASP’s RMCP.

POPIA concerns

Some commentators were concerned that implementing the travel rule will present significant privacy governance challenges.

The Protection of Personal Information Act (POPIA) places restrictions on the transfer of personal information outside South Africa, permitting such transfers only to countries that offer similar levels of data protection. The global nature of cryptocurrency transactions, however, means personal data may have to be transmitted to entities in countries that do not have equivalent privacy safeguards, potentially violating POPIA.

In response, the FIC said the processing of personal information for the purposes of the FICA compliance may be done only within the confines of POPIA. The Act permits the processing and further processing of personal information to comply with FICA.

The FIC said accountable institutions should ensure that CASPs offer the necessary safeguards in relation to their clients’ personal information when they conduct counterpart due diligence.

Some commentators said the principle of data minimisation in POPIA dictates that only the data necessary for achieving a specified purpose should be collected and processed. The travel rule could conflict with this principle by necessitating the collection of extensive personal information for each transaction above a certain threshold, which might not always be strictly necessary for completing the transaction itself.

The FIC said the information sought in respect of the originator client and beneficiary client is in line with the FATF’s standards, is necessary for the transparency of crypto asset transactions, and it is not extensive.