FIC publishes draft communication on travel rule compliance for CASPs

The Financial Intelligence Centre (FIC) has published Draft Public Compliance Communication (PCC) 123 for consultation, providing guidance to crypto asset service providers (CASPs) on implementing Directive 9 of 2024, which gives effect to the Financial Action Task Force (FATF) Recommendation 16 – commonly referred to as the “travel rule” – in the context of crypto asset transfers.

The draft PCC, issued on 2 March, sets out the FIC’s expectations regarding how CASPs must obtain, hold, transmit, monitor, and safeguard originator and beneficiary information when facilitating crypto asset transfers.

Objective and scope

The objective of PCC 123 is to provide practical guidance to CASPs, as accountable institutions under items 12 and 22 of Schedule 1 to the Financial Intelligence Centre Act (FICA), on implementing Recommendation 16 in accordance with Directive 9.

Directive 9, which came into effect on 30 April 2025, applies to accountable institutions that provide or engage in crypto asset transfers for or on behalf of clients. It covers:

  • Transfers between CASPs;
  • Transfers between CASPs and unhosted (self-hosted or non-custodial) wallets;
  • Domestic and cross-border transfers; and
  • Transfers that occur within, originate from, or are received into South Africa.

Although Directive 9 does not assert extra-territorial jurisdiction, CASPs that provide services or products in South Africa must comply with its requirements in respect of the domestic and cross-border transfers in which they participate.

The Directive does not apply to fiat currency transfers, which are addressed separately under South African Reserve Bank guidance.

Zero-threshold application

A central feature of the draft PCC is the confirmation that the travel rule applies at a zero threshold for crypto asset transfers conducted during a business relationship. This means all crypto asset transfers, regardless of value, must comply with the requirement to obtain, hold, and transmit the prescribed information.

The draft PCC distinguishes this zero-threshold requirement from the R5 000 single-transaction threshold relevant for customer due diligence (CDD) under FICA. Even where a once-off transfer below R5 000 is not conducted as part of a business relationship, the required originator and beneficiary information must be obtained, recorded and transmitted. However, verification requirements differ in certain limited circumstances.

The draft also reminds accountable institutions that section 20A of FICA prohibits conducting transactions on behalf of anonymous clients.

The FIC states its interpretation that crypto asset transfers are considered to constitute business relationships in light of the nature and recurrence of such engagements. Consequently, full CDD and targeted financial sanctions obligations must apply.

Information requirements and transmission

Directive 9 obliges ordering, intermediary, and beneficiary CASPs to obtain, hold, and transmit specific originator and beneficiary information securely and immediately when transferring crypto assets.

The guidance emphasises:

  • Information must be transmitted prior to or simultaneously with the crypto asset transfer.
  • Post-facto transmission is not permitted.
  • Transmission must be secure and protect against unauthorised access, manipulation or interception.
  • Data integrity and confidentiality must be preserved.

Batch transmission is permitted, provided it occurs prior to or simultaneously with the transfer.

The purpose of these requirements is to enhance transparency in crypto transactions, facilitate detection of suspicious and unusual transactions, identify possible terrorist and proliferation financing, and enable freezing of assets where required.

Intermediary CASPs: practical scenarios

The draft PCC provides two detailed scenarios clarifying when a CASP is considered an intermediary and when a direct business relationship exists.

Scenario A: Referral model

  • Financial services provider CASP A onboards Client X and provides advisory services on which crypto asset to purchase.
  • Client X purchases crypto assets directly from CASP B and transacts on CASP B’s platform.

In this scenario:

  • CASP A conducts, at minimum, a single transaction unless ongoing advisory services create a business relationship.
  • CASP B establishes a business relationship with Client X.
  • CASP B is not an intermediary because it has a direct business relationship with the client.
  • CASP B must comply with Directive 9.

Scenario B: Processing model

  • FSP CASP A onboards Client X and provides advisory services.
  • Client X purchases crypto via CASP A’s platform.
  • CASP B provides intermediary crypto asset transaction processing services to CASP A.

In this scenario:

  • CASP A has a business relationship with Client X.
  • CASP B is an intermediary CASP.
  • Both CASP A and CASP B must comply with Directive 9.

These examples clarify that intermediary status depends on the structure of the transaction and whether a direct client relationship exists.

Sunrise considerations

The draft PCC addresses “sunrise” situations, where two CASPs are located in different jurisdictions and only one jurisdiction applies the travel rule.

In such cases, a counterparty CASP may not comply with travel rule requirements. However, the draft states clearly that CASPs subject to Directive 9 must comply with the travel rule requirements in all instances. This means they must send and receive the required information regardless of whether the counterparty jurisdiction imposes equivalent obligations.

Counterparty CASP due diligence

The PCC sets out detailed expectations for risk-based due diligence on counterparty CASPs. Before conducting transfers, a CASP must scrutinise counterparties against targeted financial sanctions lists and conduct due diligence.

Factors to consider include:

  • Identification and verification of the counterparty CASP, its authorised representatives and beneficial owners;
  • Licensing and registration status;
  • Jurisdictional risk;
  • Negative media or links to criminal actors;
  • Sanctions exposure;
  • Whether the counterparty implements the travel rule;
  • Data protection and confidentiality capabilities;
  • Regulatory sanctions history; and
  • Whether the counterparty can reasonably avoid dealing with designated persons or entities identified on targeted financial sanctions lists.

Enhanced due diligence is required where heightened risks are identified. The Centre strongly urges CASPs to conduct tests to determine interoperability and compatibility with counterpart CASPs’ travel rule compliance tools.

Monitoring systems and technology expectations

The Centre does not prescribe specific software but requires a risk-based approach to system selection.

CASPs must implement both real-time and post-event monitoring to detect non-compliant transfers. Real-time monitoring must enable swift suspension of transactions. Independent compliance functions are advised to conduct sample testing to determine post-event compliance levels.

Where monitoring systems are used, they must enable:

  • Interoperability with internal and external systems;
  • Handling of transaction volumes;
  • Detection of missing, incomplete or inaccurate information;
  • Suspension or blocking of non-compliant transfers;
  • Secure transmission, storage and monitoring of travel rule data; and
  • Record-keeping and audit trails.

The draft further outlines system considerations when assessing counterparty CASPs, including whether systems:

  • Send and receive all required information regardless of transfer amount;
  • Transmit information prior to or simultaneously with the transfer;
  • Scrutinise information against sanctions lists before completion;
  • Detect missing information and apply execute/suspend/return rules;
  • Enable further queries regarding transfers;
  • Identify correct counterpart CASPs;
  • Support transaction monitoring, sanctions screening, data protection and record-keeping; and
  • Support automated monitoring consistent with Directive 5 and PCC 45, including processes to monitor market trends.

Where third-party service providers are used, the CASP remains responsible for ensuring systems are fit for purpose and compliant. Accountable institutions are advised to seek independent internal or external testing to confirm that controls function effectively.

CASPs must also develop escalation and remediation processes where non-compliant transactions are identified. The Risk Management and Compliance Programme (RMCP) must set out how the institution will execute, suspend, reject or return crypto asset transfers. The draft states that there are no exemptions to the travel rule obligation.

In addition, where activity suggests that a client may be conducting counterparty CASP-type activity, such as high volumes of transactions, this should be reported to the Centre, as it may indicate an unlicensed or unregistered CASP.

Freezing and targeted financial sanctions

The guidance reinforces obligations relating to targeted financial sanctions under sections 26A, 26B, 26C, and 28A of FICA.

All crypto asset transfers must be scrutinised against United Nations Security Council targeted financial sanctions lists. Crypto assets linked to designated persons must be frozen immediately and without delay.

If the Centre issues a section 34 directive, the CASP must immediately freeze, for a period of 10 working days, the transaction or wallet address specified in the directive.

The document explicitly states that under no circumstances may crypto asset value be made available to a client before sanctions screening has been conducted.

Unhosted wallets

Transfers involving unhosted wallets are identified as posing heightened money laundering, terrorist financing, and proliferation financing risks.

Where a CASP transfers crypto assets to or from an unhosted wallet on behalf of a client, it must obtain required originator and beneficiary information and apply enhanced due diligence measures. Monitoring of patterns involving unhosted wallets is required, and client profiling must consider source of funds, transaction purpose, volume, and duration of the relationship.

Peer-to-peer transfers between unhosted wallets are described as particularly vulnerable because they bypass accountable institutions.

Training, record-keeping, and governance

CASPs must:

  • Provide adequate employee training on travel rule compliance;
  • Maintain secure record-keeping of travel rule information;
  • Be able to provide information upon request by regulators or supervisory bodies;
  • Document processes in their Risk Management and Compliance Programme; and
  • Update risk assessments when trigger events occur.

Independent testing of systems and controls is advised to ensure compliance effectiveness.

Authoritative nature of guidance

The FIC states that guidance issued by the Centre is the only form of guidance formally recognised under FICA and must be considered when interpreting statutory obligations or assessing compliance.

The draft further notes that enforcement action may emanate from non-compliance with FICA in areas addressed by the guidance. Where an accountable institution does not follow the guidance, it must be able to demonstrate that it has complied with the relevant obligation in an equivalent manner.

Consultation process

The FIC has invited interested parties to submit written comments on Draft PCC 123. The deadline to submit comments is the close of business on Monday, 16 March 2026.
