South Africa’s Travel Rule: What VASPs Need to Know
The South African Travel Rule is live. The Financial Intelligence Centre (FIC) published Directive 9, mandating all crypto asset service providers (CASPs) to implement the Travel Rule in line with FATF Recommendation 16.
To comply, CASPs must also develop and enforce a Risk Management and Compliance Programme (RMCP), as required under Section 42 of the FIC Act. Non-compliance can result in administrative sanctions under Section 45C of the Act.
Understanding the Regulatory Obligations for Virtual Asset Service Providers
Scope of the Travel Rule in South Africa
The scope of the Travel Rule in South Africa, as defined in Directive 9, covers all CASPs acting as originators (ordering institutions), beneficiaries (recipient institutions), or intermediaries (transmission agents).
The regulation applies to entities involved in crypto-to-fiat exchanges, wallet custody services, crypto asset transfers, and the provision of crypto-related financial services.
Notably, the Directive encompasses domestic and cross-border crypto transactions, ensuring broad compliance obligations across all CASP operations.
Download the South African Travel Rule Overview
Compliance Obligations for VASPs
The South African Travel Rule applies to all crypto asset transactions regardless of value, though data requirements vary based on a ZAR 5,000 threshold (explained below).
For transactions above this amount, complete data collection and verification are mandatory; for those below, reduced data is sufficient, with verification required only if red flags or high-risk jurisdictions are involved.
Before initiating any transfer, originator CASPs must identify and conduct due diligence on the counterparty CASP to ensure appropriate safeguards are in place and that the entity is not sanctioned. This due diligence is typically a once-off obligation unless new risks emerge.
Originator CASPs are also responsible for developing and maintaining an RMCP, ensuring timely and complete data transmission, and refraining from executing transactions where the counterparty fails due diligence.
Intermediary CASPs must relay all required data, develop risk-based policies within their RMCP, and define clear procedures for executing, rejecting, or suspending non-compliant transactions.
Beneficiary CASPs must verify beneficiary identities per the FIC Act, monitor for missing or incomplete data, and incorporate risk-based procedures in their RMCP to guide responses to incomplete or suspicious transfers.
Required Travel Rule Data
The required data depends on whether the transaction is above or below ZAR 5,000. For transactions above ZAR 5,000, the following must be transmitted
Originator’s name
Originator’s ID number if a South African citizen or resident, or passport number and date of birth if a non-citizen or non-resident,
Originator’s residential address, or country of birth if no residential address is available,
Originator’s distributed ledger address associated with the transfer (if the transfer is registered on a network using distributed ledger or similar technology),
Originator’s crypto asset account number with the originator CASP, or unique transaction reference number,
Beneficiary’s name,
Beneficiary’s distributed ledger address associated with the transfer (if the transfer is registered on a network using distributed ledger or similar technology),
Beneficiary’s crypto asset account number with the beneficiary CASP (if this information is readily available).
For transactions below ZAR 5,000, verification is not mandatory, unless:
There is suspicion of money laundering or terrorist financing
The transaction involves a high-risk or monitored jurisdiction
Moreover, the originator’s ID number and residential address do not need to be provided.
Self-hosted Wallets
Directive 9 does not prescribe a standard framework for self-hosted wallet transfers. Instead, CASPs must:
Create and enforce internal risk-based policies
Include procedures to collect further information when self-hosted wallets are deemed high-risk
Document these policies in their RMCP
In Conclusion
South Africa’s implementation of the Travel Rule represents a critical advancement in crypto regulation. CASPs must immediately align systems, policies, and compliance frameworks with the Directive 9 requirements. The inclusion of zero transaction thresholds and extensive RMCP mandates means a proactive and risk-based approach is essential to avoid regulatory breaches and maintain client trust.
21 Analytics and the South African Travel Rule
21 Analytics' Travel Rule solution, 21 Travel Rule, offers South African CASPs a secure, on-premises solution tailored to meet all FIC requirements under Directive 9. Built on experience navigating Switzerland’s strict Travel Rule regulations, 21 Travel Rule ensures data privacy by keeping sensitive customer information under the CASP’s control and is fully POPIA-compliant.
The solution simplifies counterparty identification through automated discovery and due diligence tools, preventing non-compliant transfers and asset returns.
With automated checks, global interoperability, and secure data handling, 21 Travel Rule enables faster, safer transactions while ensuring local and international regulatory compliance.
Find out more about 21 Travel Rule - request a demo.
Further Reading
South Africa Travel Rule Regulation Breakdown
Download the South African Travel Rule Overview
