Crypto and Compliance: Navigating New Regulatory Waters

By Masthead Compliance Consultants Darius van Graan and Calvin Botha

Once considered the wild west of finance, the South African cryptocurrency industry is now subject to formal regulatory oversight. This article explores the key compliance requirements for Crypto Asset Service Providers (CASPs), with a focus on the Financial Advisory and Intermediary Services (FAIS) Act and the Financial Intelligence Centre Act (FICA), and highlights what businesses need to do to stay compliant while operating in this evolving space.

Initially, the cryptocurrency industry was a niche market dominated by a small group of early adopters. However, in recent years, it has grown exponentially as more individuals and businesses have entered the space. This rapid expansion has come with its own set of pitfalls: there has been an increase in fraudulent activities involving crypto and these digital assets can easily be used by criminals to finance nefarious activities.

In response to these challenges, the Financial Sector Conduct Authority (FSCA) and other regulators like the Financial Intelligence Centre (FIC) have implemented several measures to ensure that the rapidly evolving world of cryptocurrency operates within a secure and well-regulated framework.

What are Crypto Assets and CASPs – and Why are More Stringent Regulations Necessary?

Crypto assets are digital tokens used for payment, investment and other purposes, relying on cryptography and distributed ledger technology. They include various forms such as stablecoins, privacy coins, utility tokens and non-fungible tokens (NFTs). NFTs are not regulated by the FSCA, and you don’t need a licence to trade in them; however, they are subject to FICA regulations.

CASPs provide financial services related to crypto assets, such as advice, intermediary services and investment management. Their activities include:

  • Exchanging crypto assets for fiat currency or vice versa
  • Exchanging one crypto asset for another
  • Transferring crypto assets
  • Safekeeping or administrating crypto assets
  • Participating in financial services related to a crypto asset sale

In the past two years, CASP regulations have significantly evolved, especially under the FAIS Act and FICA. The FSCA’s General Notice 1350 of 2022 recognised crypto assets as financial products, and FICA’s Schedule 1 was amended to include CASPs under anti-money laundering (AML), countering the financing of terrorism (CFT) and counter proliferation financing (CPF) measures.

Regulating cryptocurrencies aims to mitigate risks like money laundering, terrorism financing and proliferation financing, improve consumer protection and maintain market integrity. Moreover, the inclusion of crypto assets under the FAIS Act protects consumers until broader regulations, like the Conduct of Financial Institutions (COFI) Bill, are finalised. 

Compliance and Crypto – What CASPs Need to Know

FAIS Compliance:

CASPs are now generally subject to the same FAIS regulations as traditional FSPs, including the General Code of Conduct (GCOC) and Fit and Proper requirements. There are a few exceptions, however:

  • CASPs are not required to have professional indemnity (PI) cover at this stage, as PI cover specific to crypto assets does not exist. This only relates to the rendering of financial services in respect of crypto assets. Where a financial services provider is authorised to render services in other financial products in addition to crypto assets, they must still obtain and maintain the appropriate PI cover for these other financial products.
  • Their Key Individuals (KIs) are currently exempt from having passed the relevant RE exam. However, this exemption ends on 11 November 2024.
  • CASPs are not required to complete any specific crypto-related Class of Business (COB) training at this stage because such training does not exist yet.

While it’s beyond the scope of this article to cover all the FAIS requirements for CASPs, it’s crucial for them to take note of the following key points:

  • Licensing: Anyone offering financial services related to crypto must be appropriately licensed with the FSCA or act as a Representative of a licensed FSP. Existing FSPs must add crypto assets to their current licences, while CASPs that were not previously licensed must apply for an FSP licence. The licensing process for CASPs began on 1 June 2023, with existing institutions providing crypto-related financial services required to submit their licence applications by 30 November 2023. The FSCA has continued to receive and process new applications, and as of 30 June 2024, 138 licences have been approved.
  • Experience requirement: One challenge for many crypto licence applicants, especially traditional FSPs who now want to get involved with crypto, is demonstrating to the FSCA that they meet the necessary experience requirements. CASPs must provide evidence of their practical involvement in the crypto industry, not merely personal experience, but experience working with a business that offered crypto services.
  • Qualification requirement: CASPs now need a qualification approved by the FSCA. Those without the required qualifications can apply to have their qualification added to the FSCA’s approved list, which can be a time-consuming process, or request an exemption. If a CASP receives an exemption, they can obtain a licence with the condition that their KI completes the required qualification in a specified timeframe.
  • Disclosure responsibilities: Under FAIS, FSPs have a well-defined responsibility to disclose the nature, benefits, risks and workings of financial products to their clients. This includes thoroughly explaining how these products work and ensuring that clients fully understand their features and potential risks. CASPs are expected to do the same but with an added layer of complexity due to the volatile nature of crypto assets. CASPs must not only explain the workings of crypto products but also ensure that clients are fully aware of the inherent risks associated with these digital assets, including their high volatility and potential for significant price fluctuations. 

FICA Compliance:

When it comes to FICA, CASPs are subject to the same obligations as traditional FSPs: they must register with the FIC, submit regulatory reports, implement a Risk Management and Compliance Programme (RMCP) and conduct customer due diligence (CDD) to verify the identity of their clients, assess the risk each client poses and gather detailed information about the source of funds and the intended purpose of transactions.

However, due to the high-risk nature of the crypto industry, FICA obligations may be even more strenuous for CASPs, necessitating more robust risk mitigation measures than those typically required for a traditional Category I FSP.

Soon, CASPs will also need to adhere to the “travel rule”, which requires them to collect and share information about both the sender and receiver of crypto transactions. Specifically, when one CASP sends crypto assets to another, they must include accurate details about the sender and the recipient in the transaction. This rule is currently in draft, but once it takes effect, it will help track who is involved in crypto transfers, making it harder for criminals to use these transactions for illegal activities like money laundering or terrorism financing.

To meet these stringent FICA obligations, CASPs will need to adopt several robust measures:

  1. Enhanced KYC protocols: CASPs may need to go beyond basic identity verification, incorporating advanced biometric verification, video KYC processes and real-time checks against global watchlists to ensure the authenticity and legitimacy of their clients.
  2. Ongoing transaction monitoring: Unlike traditional FSPs, CASPs might be required to deploy advanced analytics and machine learning algorithms to constantly monitor transactions. These systems can detect unusual patterns or behaviours that might indicate money laundering or other illicit activities. While such programmes can track the movement of wallets indefinitely, they can also be very expensive and may exceed the budget of smaller FSPs looking to enter the crypto market.
  3. Enhanced record-keeping: CASPs will likely need to maintain more detailed and extensive records of client transactions, including the metadata associated with crypto transactions (e.g., IP addresses, transaction hashes and wallet addresses) to provide a complete audit trail that can be easily accessed for regulatory review.
  4. Rigorous risk assessment frameworks: CASPs must implement sophisticated risk assessment frameworks that not only evaluate client risk at the onboarding stage but also continuously reassess risk based on transaction activity, changes in client behaviour or external factors such as geopolitical developments.
  5. Increased reporting requirements: Given the high-risk nature of crypto transactions, CASPs may face more frequent and detailed reporting obligations, including submitting detailed reports on large or suspicious transactions to the FIC more often than traditional FSPs might be required to.

Additional Crypto Compliance Obligations:

In addition to FAIS and FICA, CASPs will also be required to comply with other regulations. For example, as personal information is involved in crypto transactions, CASPs must ensure the protection of personal data in line with regulations set out in the Protection of Personal Information Act (POPIA).

Moreover, Exchange Control Regulations require CASPs to adhere to restrictions on capital exportation and seek necessary approvals for large-scale crypto arbitrage transactions. Crypto arbitrage involves buying cryptocurrency on one exchange at a lower price and selling it on another exchange at a higher price, capitalising on the price difference. For transactions exceeding R1 million, CASPs must obtain permission from SARS to move the money offshore. Additionally, if a CASP conducts arbitrage on behalf of clients, it qualifies as a Cat II FSP and will be subject to the same regulations, with the exceptions previously mentioned, as a Cat II FSP.

In the crypto space, the Joint Standard on Information Technology (IT) Governance and Risk Management and the Joint Standard on Cybersecurity and Cyber Resilience apply only to CASPs licensed as Cat II FSPs. However, all crypto providers can gain from reviewing these standards because they offer insights into best practices for IT management and crypto security. Although the standards are not mandatory for all, the financial and reputational risks from cyberattacks or IT failures are significant for all businesses, and especially so for CASPs.

Common Compliance Pitfalls

CASPs may encounter several common pitfalls in meeting compliance requirements:

Anonymity of wallets: The anonymous nature of non-custodial wallets presents significant challenges for AML, CFT and CPF efforts. Custodial wallets, managed by third parties like exchanges, hold and manage private keys for users. In contrast, non-custodial wallets give users full control over their private keys, providing greater security and privacy but demanding more technical know-how. Without central control, these wallets make it difficult to track transactions and verify identities. This anonymity poses substantial risks for money laundering, as funds can easily move between CASPs or individuals without detection.

Implementing enhanced KYC requirements: The decentralised and pseudonymous nature of crypto transactions poses significant challenges for some CASPs in establishing comprehensive KYC measures. Verifying users with non-custodial wallets, which provide privacy and security, is particularly difficult. Additionally, the constantly evolving nature of crypto assets and global transactions further complicates the implementation of KYC across various jurisdictions.

Cybersecurity risks: The risk of cyberattacks and data breaches is significant, especially for custodians of crypto assets. Ensuring robust cybersecurity measures is crucial but challenging.

Regulatory updates: Keeping up with frequent regulatory changes and updates can be demanding, particularly for entities new to the crypto space. 

Tips and Solutions for Overcoming Challenges

To navigate these challenges, CASPs should consider the following strategies:

  1. Implement robust KYC processes: Utilise advanced transaction tracking tools and partner with services that offer FICA compliance solutions to address anonymity issues effectively.
  2. Stay updated on regulations: Regularly review regulatory updates and regulator reports and engage with industry bodies like the Intergovernmental Fintech Working Group (IFWG) to stay informed about changes.
  3. Enhance cybersecurity: Adopt a multi-layered cybersecurity approach, including hot and cold wallets, multi-stage authentication and regular security audits.
  4. Invest in compliance training: Ensure that staff are well-versed in crypto-related compliance requirements through continuous professional development and training.

Enhanced Crypto Compliance for Enhanced Protection

The regulatory landscape for cryptocurrencies in South Africa has become more structured and stringent, with a clear focus on enhancing transparency, protecting consumers and maintaining market integrity.

For CASPs and FSPs, adapting to these regulations involves embracing comprehensive compliance practices, staying abreast of regulatory changes and addressing common pitfalls through effective strategies.

By doing so, they can ensure they meet regulatory requirements while fostering a secure and trustworthy crypto environment.