FIC tightens crypto rules: ‘no data, no transfer’ standard emerges

Posted on by Leave a comment

Crypto asset service providers face a hard shift in how transactions are executed: if the required data cannot be verified and transmitted before or at the point of transfer, the transaction should not proceed. The FIC’s final guidance effectively introduces a “no data, no transfer” standard – with immediate implications for systems, controls, and risk management.

The Financial Intelligence Centre (FIC) has published Public Compliance Communication 61 of 2026 (PCC 61), giving final guidance to crypto asset service providers (CASPs) on how to implement the “travel rule” under Directive 9 of 2024.

The directive, which came into effect on 30 April 2025, transposes the Financial Action Task Force (FATF) Recommendation 16 into South Africa’s anti-money laundering framework, requiring CASPs to collect, verify, and transmit information on both the originator and beneficiary of crypto asset transfers.

PCC 61 follows a short consultation process in March 2026, where industry participants were invited to comment on a draft version (Draft PCC 123). The final communication now provides authoritative guidance on how the FIC expects CASPs to comply – and signals that failure to follow it may expose institutions to enforcement action.

What the guidance does

At its core, PCC 61 translates a high-level regulatory requirement into operational expectations.

The travel rule requires CASPs involved in crypto transfers – whether as ordering, beneficiary, or intermediary institutions – to:

  • obtain information about both parties to a transaction;
  • verify that information through customer due diligence; and
  • transmit it securely and immediately, either before or at the time of the transfer.

The objective is to bring transparency to crypto transactions, enabling CASPs and regulators to detect suspicious activity, identify sanctions exposure, and intervene where necessary.

What CASPs need to know

The travel rule introduced through PCC 61 has broad application and applies across the crypto ecosystem. It covers:

  • all CASPs under items 22 and 12 of Schedule 1 to the FIC Act;
  • both domestic and cross-border transfers; and
  • transactions involving other CASPs, as well as unhosted (self-custodied) wallets.

Crucially, the rule applies regardless of transaction value within a business relationship, effectively creating a zero-threshold regime.

At a practical level, compliance hinges on the quality and integrity of information. CASPs are required to ensure that all travel rule data is verified through customer due diligence (CDD), not merely collected. For once-off transactions below R5 000, verification may not always be required, but the information must still be obtained and recorded. Where there is any suspicion of money laundering or terrorist financing, verification becomes mandatory irrespective of value.

The distinction between a single transaction and a business relationship remains relevant, but cannot be applied mechanically. A business relationship triggers full CDD and ongoing monitoring obligations, while a single transaction is assessed based on value and context. However, PCC 61 emphasises a risk-based approach, requiring CASPs to consider the frequency, duration, and nature of client interactions — not just formal classification.

Risk sensitivity is central to the framework. CASPs are expected to apply enhanced due diligence (EDD) to higher-risk transfers, including those involving high-risk jurisdictions, unhosted wallets, sanctioned or designated persons, or inconsistencies in beneficiary information.

Operationally, the most significant shift lies in data transmission requirements. Required information must be transmitted:

  • before or at the same time as the transaction; and
  • in a secure manner that protects confidentiality and prevents tampering.

Post-transaction transmission is not permitted. Where systems cannot support compliant transmission, CASPs are expected to delay or suspend transactions where required to ensure compliance until the requirement can be met.

The obligation extends beyond the client to include counterparty institutions. CASPs must conduct due diligence on other CASPs they transact with, including:

  • verifying licensing and regulatory status;
  • assessing AML controls and data protection capabilities;
  • screening for sanctions exposure; and
  • evaluating whether the counterparty is itself compliant with the travel rule.

This due diligence must be ongoing and risk-based, rather than a once-off exercise.

Importantly, intermediary CASPs – even where they do not have a direct client relationship – are not exempt. Any CASP that facilitates or enables a crypto asset transfer remains subject to the same travel rule obligations.

Travel rule monitoring and control requirements

PCC 61 places significant emphasis on real-time monitoring and control, making it clear that compliance does not end at data collection and transmission. CASPs are expected to implement systems capable of identifying, assessing, and responding to non-compliant or suspicious transactions as they occur.

At a minimum, CASPs must be able to determine whether to execute, suspend, reject or return a transaction based on the availability and quality of travel rule information. A transfer may only be completed where full and accurate originator and beneficiary information has been received. Clear breach and remediation processes must be implemented, and there are no exemptions to the travel rule obligations.Where information is missing or incomplete, CASPs are required to:

  • suspend the transaction and request the required data;
  • reject the transaction; or
  • return the funds to the sender, where appropriate and where no sanctions concerns arise.

In cases involving designated persons or sanctions exposure, crypto assets must be frozen immediately, and the relevant reporting obligations triggered.

Monitoring must operate on both a real-time and post-event basis. Real-time monitoring enables CASPs to identify and stop non-compliant transactions before completion, while post-event monitoring supports ongoing compliance assurance and detection of emerging risks.

CASPs are also expected to monitor for reportable and suspicious activity, including patterns that may indicate unlicensed CASP activity or unusual transaction behaviour. Given the speed and scale of crypto transactions, the FIC strongly encourages automated monitoring, supported where appropriate by blockchain analytics tools – although these tools cannot replace proper analysis and judgement.

A critical component of monitoring is targeted financial sanctions screening. All transactions must be screened against United Nations Security Council sanctions lists before execution, including checks on originators, beneficiaries, counterpart CASPs, and wallet addresses. No value may be released to a client until this screening has been completed.

The effectiveness of these controls depends heavily on system capability. CASPs must ensure that their systems – and those of their counterparties – are able to:

  • transmit and receive required travel rule data in real time;
  • detect missing, incomplete or inaccurate information;
  • support transaction monitoring and sanctions screening;
  • maintain data integrity, audit trails and secure storage; and
  • operate at the scale and speed required by crypto transactions.

Transfers involving unhosted wallets require particular attention. These are treated as higher risk, as no counterparty CASP is involved to perform due diligence. CASPs must obtain sufficient information about the wallet holder, apply enhanced due diligence, and monitor transaction patterns for indicators of money laundering, terrorist financing or proliferation financing.

Finally, PCC 61 underscores the importance of governance and operational readiness. CASPs must ensure that:

  • staff are adequately trained to identify and manage travel rule obligations;
  • systems support accurate data capture and secure record-keeping; and
  • travel rule information can be retrieved and provided to regulators when required.

The FIC also acknowledges ongoing technology challenges, particularly around interoperability between different travel rule solutions. However, responsibility remains with the CASP: even where third-party tools are used, institutions must ensure their systems are fit for purpose and capable of meeting all Directive 9 requirements.

Bottom line

PCC 61 marks a shift from principle to practical enforcement readiness.

For CASPs, compliance with the travel rule is no longer just about policy alignment — it now requires:

  • robust systems;
  • real-time data capabilities; and
  • continuous monitoring and risk management.

In effect, the FIC has set out a clear expectation: if you cannot transmit, verify and monitor the data, you should not be executing the transaction.

 

Leave a Reply

Your email address will not be published. Required fields are marked *