EST · MMXXVI
Home/Jurisdictions/South Africa/AML/cft policy drafting in South Africa: Legal Requirements for Businesses
Compliance, AML & Travel Rule

AML/cft policy drafting in South Africa: Legal Requirements for Businesses

Aml/cft policy drafting in South Africa. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk to OBOLUS.

Operating a digital-asset business that touches South African users without a properly drafted AML/CFT policy (anti-money laundering and counter-financing of terrorism policy) is not a compliance gap – it is an enforcement trigger. South Africa's Financial Intelligence Centre (FIC), the country's primary AML supervisor, now classifies crypto exchanges, custodians and certain token-service providers as accountable institutions under the Financial Intelligence Centre Act, placing them inside the same supervised perimeter as banks and asset managers. The consequence is direct: a firm without a documented, tested and board-approved AML/CFT program is operating illegally under South African law, regardless of where it is incorporated.

This page sets out the regulated basis, the policy-drafting process, the cross-border interaction with Travel Rule obligations and correspondent banking, and the decision points for an inbound operator. A single anonymized matter illustrates how the gap between a foreign entity's home-country compliance program and South Africa's FIC requirements emerges in practice – and how it is resolved.

South Africa's AML Regulatory Regime for Digital-Asset Businesses

South Africa's AML regime for virtual assets rests on the Financial Intelligence Centre Act and its amendments, which brought crypto asset service providers (CASPs) formally into the accountable-institution schedule. The FIC is the competent authority for AML/CFT supervision of CASPs, working in coordination with the Financial Sector Conduct Authority (FSCA), which manages the broader CASP licensing regime introduced under the Financial Advisory and Intermediary Services Act. These two pillars – FIC supervision and FSCA licensing – operate in parallel, and a policy that satisfies one without addressing the other is incomplete.

South Africa is a FATF (Financial Action Task Force) member. Its grey-listing by FATF in February 2023 significantly raised the practical stakes for every business with a South African nexus. Correspondent banks and global payment processors now apply heightened scrutiny to South African-connected flows. An inbound operator whose AML/CFT policy was drafted for an EU or Asia-Pacific regulator will almost certainly need material revision to satisfy FIC's specific requirements – and to satisfy the enhanced due-diligence expectations that counterparty banks now apply to South African business.

The good news is that South Africa has since demonstrated meaningful legislative and supervisory progress. FATF formally removed South Africa from the grey list in late 2024, following implementation of a range of remedial measures. That removal matters operationally: correspondent banking relationships that were paused or constrained are reopening, and the compliance burden, while still substantial, is now assessed against a jurisdiction with a clear remediation record.

What a FIC-Compliant AML/CFT Policy Must Contain

A FIC-compliant AML/CFT policy for a CASP is a structured, written program covering four core obligations: risk assessment, customer due diligence, transaction monitoring, and reporting. Each element is mandatory, and each has CASP-specific content requirements that differ from the generic financial-services template.

The risk assessment must identify and document the specific money-laundering and terror-financing risks the business faces – by product line, customer segment, transaction type and geographic exposure. For a crypto exchange with global users, this means distinguishing between on-ramp/off-ramp risk, peer-to-peer trading risk, and the risk profile of counterparty VASPs in correspondent-chain transactions. A boilerplate bank-risk matrix does not map onto a crypto exchange; the FIC expects a product-specific analysis.

Customer due diligence (CDD) must be risk-tiered. Simplified CDD applies at lower risk; enhanced CDD applies for higher-risk customers, politically exposed persons and correspondent-VASP relationships. For digital-asset businesses, the CDD obligations extend to beneficial ownership analysis of corporate clients – a step that requires structured entity verification, not just ID collection. The FIC's guidance is specific about the depth of verification expected for high-risk business relationships.

Transaction monitoring requires automated systems capable of detecting patterns associated with layering, structuring and sanctions evasion. For crypto, this means blockchain analytics integration – the ability to score incoming and outgoing on-chain flows against risk typologies. A policy that describes transaction monitoring in general terms, without addressing how on-chain activity is monitored, will not survive a supervisory review.

Reporting obligations include Suspicious Transaction Reports (STRs) and Cash Threshold Reports (CTRs) filed with the FIC. The policy must specify the internal escalation path, the timelines for filing, and the role of the designated Money Laundering Reporting Officer (MLRO) – the individual accountable for AML/CFT compliance within the firm.

How the Travel Rule Applies to South African CASPs

South Africa has implemented the Travel Rule – the FATF obligation requiring VASPs to pass originator and beneficiary information alongside a virtual-asset transfer. Under the applicable provisions, a South African CASP must collect, verify and transmit identifying information for both the sending and receiving parties when a transfer meets or exceeds the applicable threshold. The specific de-minimis threshold is set by regulation and should be confirmed against current legislation, as it may be updated by the FIC.

In practice, Travel Rule compliance for a South African CASP requires three things: a technical solution capable of sending and receiving Travel Rule messages with counterparty VASPs (the leading IVMS 101 protocol is the applicable data standard), a policy that specifies how the firm handles transfers to or from VASPs that are not Travel Rule-enabled, and a process for dealing with unhosted-wallet transfers where the counterparty identity cannot be obtained through a VASP intermediary.

The cross-border dimension is acute. A South African CASP receiving transfers from a European exchange must be able to accept Travel Rule data in a format consistent with MiCA-aligned EU requirements. A South African CASP sending to a Singapore-regulated entity must satisfy MAS Travel Rule expectations on the counterparty side. The policy must address both directions – inbound and outbound – and must specify the firm's approach when a counterparty jurisdiction's standards differ from South Africa's.

We regularly advise clients on Travel Rule interoperability between South Africa's FIC regime and the requirements of MAS, the FCA and ESMA-supervised entities. The policy language that works for a bilateral CASP-to-CASP transfer in a single jurisdiction fails quickly when the transfer crosses three regulatory perimeters.

For a scoped assessment of your AML/CFT policy against FIC and Travel Rule requirements, contact OBOLUS at info@oboluslaw.com. The process above describes the standard obligations. Your entity structure, user base and banking relationships change the analysis materially. Map your options.

What Does the Policy-Drafting Process Look Like for an Inbound Operator?

For a business entering the South African market from outside, the AML/CFT policy-drafting process has four sequential phases. Each phase has a defined output, and none can be skipped without creating a downstream liability.

Phase one is jurisdictional gap analysis. The operator's existing home-country AML program is mapped against FIC's accountable-institution requirements. In our practice, the most common gaps we identify are: absence of a South Africa-specific risk assessment, CDD standards calibrated to a different regulatory benchmark, and transaction-monitoring policies that do not address on-chain analytics. The gap analysis typically takes one to two weeks and produces a written delta report.

Phase two is policy drafting. The core AML/CFT policy document is drafted or redrafted to FIC standard, incorporating the risk assessment, CDD framework, transaction-monitoring specification, Travel Rule procedures, STR/CTR reporting process, MLRO governance and staff-training obligation. Supporting procedures – the CDD procedure, the PEP procedure, the sanctions screening procedure, the Travel Rule procedure – are drafted as annexes. The full policy suite for a mid-sized exchange is typically eight to twelve documents.

Phase three is board adoption. The FIC requires the policy to be approved at board level. For a foreign entity operating a South African subsidiary or branch, this means a board resolution that specifically adopts the South Africa-facing policy as a stand-alone instrument, not merely a reference to the parent entity's global program. Regulators have been explicit that a parent-entity policy does not satisfy the South African statutory obligation.

Phase four is implementation testing. Before the FSCA processes a CASP licence application, the firm must demonstrate that the policy is operational – not just documented. This means a functioning MLRO, a live transaction-monitoring system, evidence of staff training, and at least one completed CDD cycle. The FIC and FSCA both review this implementation evidence; the policy document alone is insufficient.

The Cross-Border Interaction: Banking, Tax and Licensing

No AML/CFT policy exists in isolation. For a South African CASP, the policy sits at the intersection of three cross-border pressures that must be managed together: correspondent banking, the FSCA licensing obligation and tax reporting.

Banking for South African CASPs has been the most acute operational challenge in recent years. During the FATF grey-listing period, several major South African banks applied blanket restrictions to CASP-related accounts. Post-removal, the environment is improving, but banks continue to require a complete AML/CFT policy package before opening or maintaining accounts. In our experience, a properly documented policy – with a clear risk assessment, a functioning MLRO and evidence of Travel Rule capability – materially accelerates the banking onboarding process.

On the licensing side, the FSCA requires CASP applicants to submit their AML/CFT policy as part of the licence application. A policy that satisfies FIC requirements will broadly satisfy the FSCA submission, but the FSCA may ask specific questions about how the policy addresses the firm's particular product mix. The licence application and the AML/CFT policy must therefore be drafted in coordination, not sequentially.

Tax reporting is a third layer. South Africa's South African Revenue Service (SARS) has issued guidance on the tax treatment of crypto assets, and the firm's AML/CFT records – particularly the CDD files and transaction records – are the same data set that SARS may review in a tax audit. A policy that produces complete, searchable CDD and transaction records also serves the firm's tax compliance posture. Operators who treat AML compliance and tax compliance as entirely separate workstreams typically find that both suffer.

For businesses operating across the EU and South Africa simultaneously, the interaction with MiCA's CASP regime is relevant. A firm that holds a MiCA authorisation in an EU member state cannot rely on that passport to cover South African users; South African law applies independently to services delivered to South African clients. The policy must address both perimeters, and the MLRO governance structure must be clear about which regulator takes priority in a conflict scenario.

A Practical Illustration: The Compliance Gap That Surfaces at the Banking Stage

In a recent cross-border matter, a payments technology company incorporated in a common-law offshore jurisdiction sought to expand its stablecoin conversion service to South African institutional clients. The firm held a VASP registration in its home jurisdiction and had an AML/CFT policy drafted to that regulator's standard. When its South African banking partner requested the policy ahead of account opening, the bank's compliance team identified three specific deficiencies: the risk assessment contained no South Africa-specific risk factors, the CDD procedures referenced identity-document standards from a different jurisdiction, and the Travel Rule procedure contained no provisions for South African FIC reporting. We were engaged to conduct a gap analysis and redraft the relevant policy components. The revised policy and a supporting MLRO appointment letter were submitted to the bank within three weeks. Account opening proceeded without further objection. The firm subsequently submitted the same revised policy as part of its FSCA CASP licence application.

Is a Single Offshore Licence Sufficient for South African Operations?

A common assumption among inbound operators is that a robust offshore VASP registration – in the BVI, Cayman or an EU member state – is sufficient to support services delivered to South African users. It is not. South African law applies on the basis of where the client is located and where the service is received, not solely where the service provider is incorporated. A firm that markets to South African users, accepts South African rand, or maintains South African banking relationships is within the FIC's and FSCA's jurisdiction regardless of its place of incorporation.

The consequences of proceeding without a South Africa-specific AML/CFT program are not theoretical. The FIC has powers to impose administrative sanctions, direct remediation and refer matters to criminal prosecution authorities. More immediately, correspondent banks and payment processors are now required to conduct their own AML due diligence on their CASP counterparts; a firm that cannot produce a FIC-compliant policy will find its banking rails closed before a formal regulatory action is ever taken.

We map the licence stack – operating entity, custody layer and payment layer – across all relevant jurisdictions before a client commits to a structure. That mapping, done early, avoids the costly restructuring that follows when a bank or regulator identifies the gap after go-live.

If a prior application stalled or a banking relationship was closed due to AML policy deficiencies, a structured review can surface the specific gap and the route back. Write to info@oboluslaw.com or map your options here.

Sanctions Screening and the KYC Framework: What South African Law Requires

The FIC's accountable-institution obligations include an explicit requirement for real-time sanctions screening against South Africa's domestic targeted financial sanctions lists, as well as the OFAC, UN and EU consolidated lists where counterparty flows involve those jurisdictions. For a CASP processing cross-border transfers, this means screening at customer onboarding, at transaction initiation and on an ongoing basis as sanctions lists are updated.

The KYC framework (know-your-customer framework) required under the FIC Act for CASPs mirrors FATF's Recommendation 10 structure: identity verification, beneficial ownership identification for legal persons, and ongoing monitoring proportionate to risk. The firm's policy must specify the documentary standards for each customer category – individual retail, corporate and institutional – and must address the specific challenges of remote onboarding in a crypto context, including liveness checks, document verification and source-of-funds evidence for high-value onboarding.

One area where South Africa-specific practice departs from some other FATF jurisdictions is the treatment of domestic Politically Exposed Persons (PEPs). The FIC Act takes a broad definition of domestic PEP, extending to senior officials and their associates across a wide range of public-sector roles. A CDD procedure calibrated to a narrower foreign-PEP definition will undercount South African domestic PEPs and will likely fail a supervisory review. The policy must define domestic PEPs by reference to the FIC Act's definition, not by reference to a foreign equivalent.

Related at OBOLUS

FAQ

What does the Travel Rule require from a VASP?

The Travel Rule requires a VASP (virtual asset service provider) to collect, verify and transmit identifying information about the originator and beneficiary of a virtual-asset transfer – name, account identifier and, where required, address details – to the counterparty VASP before or during the transfer. In South Africa, this obligation applies under the FIC Act as amended in alignment with FATF Recommendation 16. The specific transfer threshold above which the obligation applies should be confirmed against current FIC guidance, as it is subject to regulatory update.

Who must act as MLRO for a crypto firm?

Under the FIC Act, every accountable institution – including a CASP – must designate a Money Laundering Reporting Officer (MLRO): a senior individual with sufficient authority and resources to discharge the AML/CFT compliance function independently. For a South African CASP, the MLRO must be resident or accessible in South Africa and must be identified by name in the compliance policy and in any regulatory submission. A parent entity's global compliance officer does not automatically satisfy the requirement; the FIC expects a locally accountable individual.

How do regulators audit crypto AML programs?

The FIC conducts both scheduled and unannounced supervisory reviews of accountable institutions. For CASPs, an audit typically covers: the written policy and its board-approval record, the implementation evidence (MLRO appointment, staff-training records, system configurations), a sample of CDD files, STR filing history, and – increasingly – the firm's Travel Rule technical capability and transaction-monitoring alert logs. The FSCA may conduct parallel reviews in connection with the CASP licensing regime. Firms that document policy decisions as they are made – rather than reconstructing them later – fare significantly better in these reviews.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. Digital assets are the whole of our practice. We map the licence stack across operating, custody and payment layers before you commit – and we structure licensing, banking and tax as one mandate rather than three disconnected workstreams. To discuss your situation, contact info@oboluslaw.com.

By Victor Olsen, Regulatory & Compliance Analyst – specialising in AML/CFT program design and cross-border supervisory compliance for digital-asset businesses across FATF-member jurisdictions.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours