The Travel Rule: What CASPs Need to Know About Directive 9

With the Financial Intelligence Centre’s (FIC) Directive 9 now in effect, crypto asset service providers (CASPs) face new compliance responsibilities. The directive gives effect to the travel rule in South Africa, requiring CASPs to collect, verify and securely share client and transaction information when facilitating crypto asset transfers.

Introduction to Directive 9

CASPs in South Africa are now subject to stricter data and transaction-handling requirements under Directive 9, which came into effect on 30 April 2025. The directive introduces the travel rule – a set of international anti-money laundering standards designed to enhance transparency in crypto asset transfers.

At its core, the travel rule requires CASPs to gather specific identifying information about both the sender (originator) and the receiver (beneficiary) of a crypto transaction and to transmit this information securely to the receiving service provider. These obligations apply to both domestic and cross-border transfers and aim to prevent crypto assets from being used to conceal or facilitate criminal activity.

This regulatory change aligns South Africa with the Financial Action Task Force’s (FATF) Recommendation 16, which mandates that originator and beneficiary information “travels” with the transaction. This supports efforts to detect suspicious activity, dismantle criminal networks and build confidence in the crypto ecosystem.

Who Must Comply with the Travel Rule?

Directive 9 applies to all accountable institutions registered for Item 22 of Schedule 1 of the FIC Act. This includes:

• Crypto asset service providers (CASPs) – businesses that exchange, transfer or safekeep crypto assets
• Financial service providers (FSPs) – entities that are licensed by the FSCA to render financial services in crypto assets.

If an FSP directly handles the transfer of crypto assets – for example, executing a transaction on a client’s behalf – it is considered a CASP. In this case, the FSP must be registered under Item 22 (CASP) as well as under Item 12 (FSP) of Schedule 1 to the FIC Act and must comply with the requirements of Directive 9.

The directive also applies to foreign CASPs that offer advice or intermediary services to clients in South Africa. In short, any entity involved in initiating, receiving or transmitting crypto asset transfers for South African clients is required to comply with Directive 9 and the FIC Act.

What Transactions Are Covered?

Directive 9 applies to all crypto asset transfers, whether domestic or cross-border, regardless of the transaction amount. However, the verification obligations vary:

• Under R5 000: Basic information must be collected, but verification is only required if there is a suspicion of money laundering or terrorist financing
• R5 000 or more: Full verification is mandatory, in line with the FIC Act’s due diligence requirements
• Inbound transfers from high-risk jurisdictions: Recipient CASPs must verify details even if the amount is below R5 000

It’s also important to note that CASPs facilitating cross-border transfers should be aware that certain transactions may trigger exchange control obligations under the Currency and Exchanges Act, 1933, and related regulations.

What Transactions Are Covered?

For each qualifying transfer, ordering CASPs must collect and transmit specific information securely and without delay – either before or at the time of the transaction. In addition to transaction details such as the amount and execution date, the following information must be obtained from the originator (the person initiating the transfer) when the originator is a natural person:

• Full name
• ID or passport number (or registration number for legal entities)
• Residential address, or if that cannot be obtained, their place of birth
• The wallet address used for the transaction

Where the originator is not a natural person, but a legal person, the following must also be also be collected and transmitted:

• Registered name
• Registration number under which incorporated; and
• Registered address

For the beneficiary – the person receiving the crypto asset – the CASP must collect and transmit the following details to the recipient CASP:

• Full name
• Distributed ledger address
• Account number with the recipient CASP (if used to process the transaction and if available)

Both the ordering and recipient CASPs must retain these records securely and ensure they are protected from unauthorised access. The information must be readily available for regulatory review upon request.

The directive also sets out specific obligations for intermediary CASPs. They need to ensure that all originator and beneficiary information that relates to a transfer is transmitted in a transaction chain. In addition, they must implement measures to identify transfers that lack the required information.

In addition, intermediary CASPs must develop, document, maintain and implement effective risk-based policies and procedures for determining when to execute, suspend or return a transfer that lacks the required information, as well as appropriate follow up actions for these instances.

Practical Examples

Let’s say your client asks you to transfer Bitcoin to her brother in the UK. As the ordering CASP, you must collect your client’s and her brother’s information, then securely transmit it to the recipient CASP before or during the transaction. Both service providers must retain the data for compliance purposes.

If your client instead transfers crypto to another user on the same platform, the rule still applies. In this scenario, there is no need to transmit information externally, but you must still collect, link and store the relevant data securely.

Do Unhosted Wallet Transfers Fall Under the Travel Rule?

Not directly. Transactions between unhosted wallets (i.e. wallets controlled solely by the user) are excluded from the travel rule. However, Directive 9 requires CASPs to establish risk-based policies and procedures for handling transfers that involve unhosted wallets. If one side of a transaction involves an unhosted wallet, the CASP must conduct a risk assessment. Where higher risks are identified, additional due diligence measures must be implemented, as outlined in the CASP’s Risk Management and Compliance Programme (RMCP).

Implementation Requirements for CASPs

Implementing the travel rule will require CASPs to update or enhance several areas of their operations:

• Risk Management and Compliance Programmes (RMCPs) must be updated to reflect Directive 9 obligations.
• Technology and infrastructure must support secure data collection, transmission and storage.
• Staff training is essential to ensure proper execution and understanding of requirements.
• Transaction monitoring may need to be enhanced and increased in complexity, particularly for cross-border or higher-value transfers.

In addition, CASPs must ensure they have the capital, human resources and systems in place to meet their obligations under the FIC Act effectively and on time.

Compliance Tips and Best Practices

To stay compliant and minimise risk, CASPs should:

• Conduct regular risk assessments and update procedures as needed
• Maintain thorough record-keeping for all qualifying transfers
• Foster cooperation with other CASPs to enable seamless data exchange
• Stay informed on regulatory updates and participate in industry forums
• Run internal audits to assess the effectiveness of travel rule processes

Non-compliance with Directive 9 may result in:

• Administrative sanctions under Section 45C of the FIC Act
• Fines and enforcement actions
• Reputational harm, which could impact customer trust and business partnerships
• Heightened regulatory oversight, especially for repeat or serious breaches

Enhancing Transparency and Trust

The implementation of the travel rule marks a critical step in professionalising South Africa’s crypto sector. By aligning crypto asset transfers with global anti-money laundering standards, it provides a framework for greater transparency, trust and regulatory certainty.

Although complying with Directive 9 may come with additional operational and financial costs, it also presents an opportunity. CASPs that adapt early will be better positioned to attract clients, build partnerships and demonstrate credibility in a maturing global market.