Crypto asset service providers' FIC Act obligations explained

Crypto currencies have many legitimate uses, but they're also favoured in financial crime because crypto transactions can be anonymous, fast, automated and global in nature, making it more difficult for law enforcement agencies to trace them. 

To that end, crypto asset service providers (CASPs) have been brought into the SA regulatory fold as accountable institutions listed as item 22 of Schedule 1 to the Financial Intelligence Centre (FIC) Act.

As accountable institutions, CASPs are subject to certain FIC Act obligations. These include registering with the FIC and filing regulatory reports that assist in combating money laundering and terrorist financing.

The three main regulatory reporting streams for accountable institutions, including CASPs, are:

• Cash threshold reports;
• Suspicious and unusual transaction reports; and 
• Terrorist property reports.

Risks associated with crypto assets

In the FIC’s draft sector risk assessment on CASPs issued in March 2024, the overall inherent risk of money laundering and terrorist financing for the sector in SA was classified as high. 

Vulnerabilities of the sector to criminal exploitation include transaction speed, cross-border and pseudonymous characteristics, the ability to transact in a non-face-to-face manner, and to enable anonymous funding (cash funding or third-party funding).

While there may be increased transparency in digital currencies — and these are comparatively smaller in volume compared to Fiat currencies — crypto assets are used to facilitate money laundering. In classifying CASPs as accountable institutions, the FIC seeks to mitigate and manage the risks emerging from crypto assets. 

There are presently 87 CASPs registered with the FIC under item 22 of Schedule 1 of the FIC Act and it's estimated that about 5.8-million South Africans own crypto assets. This points to consumers’ increased use and the growing popularity of crypto assets.

As outlined in the sector risk assessment, the money-laundering and terrorist-financing vulnerabilities and risks associated with CASPs could include:

• Technological features that increase anonymity such as the use of peer-to-peer exchanges websites, mixing or tumbling services or anonymity-enhanced cryptocurrencies;
• Sender or recipient profiles (unusual behaviour can suggest criminal activity);
• The CASPs' lack of money-laundering and terrorist-financing awareness;
• High-risk customers and jurisdictions, such as clients linked to institutions or jurisdictions on the sanctions lists;
• Payments from non-associated or unknown third parties and payments for fees in cash where this practice is not typical;
• Crypto currencies facilitate cross-border transactions while bypassing the controls of traditional financial institutions; and
• Funds are received from or sent to a foreign country when there is no apparent connection between the country and the client.

Read more in the FIC-issued public compliance communication (PCC) 57 that discusses money-laundering and terrorist- financing issues facing CASPs. 

Suspicious and unusual transaction reports (STRs)

As part of the FIC control measures, the three principles of money-laundering detection and investigation should be adhered to, namely:

• That intermediaries in the financial system must know with whom they are doing business;
• The audit trail of transactions through the financial system must be preserved; and
• Possible money-laundering transactions must be brought to the attention of the FIC and the investigating authorities. 

CASPs are required to monitor all crypto asset transactions to identify suspicious and unusual activity, this includes all crypto-to-crypto transactions as well as fiat-to-crypto transactions. See guidance note 4B for more information on how accountable institutions ought to submit suspicious and unusual transaction reports (STRs) to the FIC. 

The FIC advises CASPs to include comprehensive transactional information, including transactional hashes, the originator’s crypto asset address, the identified wallet, and beneficiary crypto asset addresses with associated wallet identification when filing reports with the FIC. 

CASPs are encouraged to provide their own analysis and assessment of the suspicious activity, and to highlight any red-flag indicators, unusual patterns or potential connections to known illicit actors or activities.

CASPs should include these details when reporting to the FIC: 

• Transaction details, including transaction IDs, date and time of the transaction, amounts involved, crypto asset address, wallet identifiers and any relevant transaction notes or memos; 
• Client information such as the user's full name, contact details, identification documents or any other identifying information provided during the account registration process; 
• Address and device information; and
• A summary of the client's account activity, including transaction history, account balances, trading patterns and any additional relevant information. 

A report in terms of section 29 of the FIC Act must be submitted to the FIC as soon as possible without delay, but not longer than 15 working days (excluding weekends and public holidays).

STRs must contain sufficient particulars when reporting to the FIC. The FIC analyses the information provided in the reports, and should a reasonable belief be formed of suspected unlawful activity, the information may be referred to the relevant authorities for investigation. 

Targeted financial sanctions 

The appeal of crypto assets for terrorist financing is its anonymity of use, cross-border nature, convertibility and the opportunity to circumvent government and banking supervision.

Trends have indicated that terrorist groups often use social media to advertise wallet addresses for direct funding, and at times under the pretence of humanitarian causes. Similarly, crypto assets have been associated with proliferation financing risks. High-risk jurisdictions have been identified as having received funds towards its proliferation activities. 

As accountable institutions, CASPs must submit terrorist property reports (TPRs) when they become aware that they possess property or are in control of property of a person or entity that is designated on a UN Security Council targeted financial sanctions (TFS) list. The consolidated TFS list is accessible on the FIC website; FIC guidance note 6A provides guidance on TPRs. 

TPRs must be filed within five days of becoming aware that the institution possesses or controls property of a person or entity listed on a targeted financial sanctions list. There is also an obligation to freeze all assets. In other words, when filing a TPR it is an offence to continue with the transaction or deal with the property in question.

Scrutinise-hit-freeze-report approach

CASPs must adopt the “scrutinise-hit-freeze-report” approach in complying with their TFS obligations.

This requires the CASP to scrutinise information concerning the client (beneficial owner, person acting on behalf of the client, person on whose behalf the client is acting or party to a transaction) against the TFS list.

Should any of these be a match on the TFS list, the CASP must immediately freeze property belonging to the designated person or entity. TFS obligations must be met without delay. Reference should be made to PCC 44A and the TFS list manual for guidance.

Risk and compliance return

An important step in contributing to the fight against money laundering and terrorist financing is for individual businesses to assess their vulnerabilities and risk to criminal abuse.

The FIC designed a questionnaire called a risk and compliance return, which enables the regulator to measure and individual CASP’s understanding of the money laundering and terrorist financing risks they face. In addition, the FIC can use the information to assess the inherent money laundering and terrorist financing risks in the sector and supervise them using a risk-based approach. 

All CASPs must submit their risk and compliance returns in respect of Directive 7 without further delay. CASPs that fail to submit their risk and compliance returns are non-compliant and may face administrative sanctions.

The risk and compliance returns questionnaire can be accessed on the FIC website.

Contact the FIC

More information and guidance for accountable institutions can be found on the FIC website.

Alternatively, contact the FIC’s compliance contact centre on 012 641 6000 or log an online compliance query.

This article was sponsored by the FIC.