FSCA highlights common CASP compliance failures

Posted on Leave a comment

The Financial Sector Conduct Authority is entering a more intensive phase of oversight of the crypto asset service provider (CASP) sector. Having established a licensing framework for the industry, the regulator is increasingly focused on whether licensed providers have the governance, systems, and expertise to meet their ongoing obligations under the Financial Intelligence Centre Act (FICA).

Two articles in the FSCA’s first-quarter 2026 newsletter illustrate different stages of that regulatory framework. One provides an update on the licensing programme introduced under the Financial Advisory and Intermediary Services Act in 2023, while the other outlines common shortcomings identified during supervisory inspections of licensed CASPs.

By 31 March 2026, the FSCA had received 533 applications for CASP licences. It had approved 310 applications, declined 17, and recorded 124 voluntary withdrawals following engagement with applicants about the appropriateness of their business and operating models.

Applicants whose applications were declined or withdrawn remain free to apply again once they can demonstrate compliance with the licensing requirements.

According to the Authority, unsuccessful applications generally reflected one of two shortcomings. Some applicants were unable to provide sufficiently clear business plans or explain the operational frameworks supporting their proposed crypto asset activities. Others failed to demonstrate the knowledge and practical experience of crypto assets required for authorisation.

The FSCA also continues to pursue suspected unlicensed operators. It has initiated 81 investigations into entities that may be conducting CASP business without authorisation. Thirty investigations have been finalised, while 51 remain under way. The regulator reiterates that any person or institution found operating without a licence may face enforcement action.

The newsletter also reminds licensed CASPs and their key individuals that the exemption from the regulatory examination requirements expired on 30 June 2025, and no further extensions will be granted. Those who fail to meet the applicable examination requirements under Board Notice 194 risk regulatory action, including the suspension or withdrawal of their licences under section 9 of the FAIS Act.

Weaknesses in AML compliance

Once authorised, CASPs are supervised as accountable institutions under FICA and must comply with South Africa’s anti-money laundering (AML), counter-financing of terrorism (CFT), and counter-proliferation financing (CPF) requirements. They are also required to register with the Financial Intelligence Centre (FIC), which shares oversight of the sector.

In a companion article in the newsletter, Wisani Mabasa, specialist analyst: AML/CFT supervision at the FSCA, outlines the common shortcomings identified during the regulator’s supervisory inspections of licensed CASPs.

Between April 2025 and March 2026, the FSCA conducted 30 inspections, assessing not only compliance with obligations under FICA but also the organisational capacity of licence holders to meet those obligations on an ongoing basis. The regulator plans to conduct a further 35 AML/CFT/CPF inspections during the 2026/27 financial year.

The inspections identified a number of recurring weaknesses.

Mabasa says one of the most common findings was the failure to conduct comprehensive business risk assessments. Although some CASPs had undertaken risk assessments, many had not adequately considered proliferation financing risks alongside money laundering and terrorist financing risks. Effective risk assessments should identify all relevant financial crime risks and ensure that appropriate mitigation measures are in place.

Inspectors also found shortcomings in Risk Management and Compliance Programmes (RMCPs) required under section 42 of FICA, says Mabasa. In several instances, RMCPs did not adequately address ongoing customer due diligence, account monitoring, the identification of unusual or complex transactions, suspicious transaction reporting, sanctions screening, customer risk assessments, beneficial ownership verification, or formal approval by the board or highest governing authority.

Mabasa also highlighted weaknesses related to implementation of the FIC’s Directive 9, commonly known as the “travel rule”. Some CASPs were unable to demonstrate that they could transmit and receive the information required to accompany crypto asset transfers. The FSCA noted that the prescribed information must be transmitted before, or at the same time as, the relevant transaction is executed.

The regulator expects licensed CASPs to review the inspection findings and address weaknesses in their risk management and compliance frameworks. Mabasa says the effective application of a risk-based approach depends on an institution understanding its own money laundering, terrorist financing, and proliferation financing risk profile and implementing controls appropriate to those risks.

The newsletter also highlights the work of the Crypto Asset Supervisory Engagement Forum, established in August 2025 to facilitate structured engagement with the industry. Its third meeting, held in February 2026, focused on terrorist financing and proliferation financing risks, reflecting the regulator’s increasing supervisory attention to these areas as the sector develops.

Leave a Reply

Your email address will not be published. Required fields are marked *