- within Technology topic(s)
- within Accounting and Audit, Cannabis & Hemp and Environment topic(s)
The Financial Intelligence Centre (the "FIC" or the "Centre") published two new Public Compliance Communications ("PCCs") on 30 March 2026, with significant implications for South Africa's anti-money laundering, counter terrorist financing and counter proliferation financing ("AML/CFT and CPF") framework. PCC 23A provides clarity on the scope of credit provider obligations under the Financial Intelligence Centre Act 38 of 2001 ("FICA") while PCC 61 sets out practical guidance for crypto asset service providers ("CASPs") on complying with the "travel rule" introduced by Directive 9 of 2024. Both communications are authoritative and must be considered when interpreting compliance obligations under FICA. Enforcement action may follow where an accountable institution has failed to comply with the Centre's guidance.
PCC 23A: Scope of Credit Provider Obligations
PCC 23A addresses the interpretation of "credit provider" under item 11 of Schedule 1 to FICA. Item 11(a) captures any person who carries on the business of a credit provider as defined in the National Credit Act34 of 2005 ("NCA"), while item 11(b) extends to any person providing credit under an agreement excluded from the NCA by virtue of section 4(1)(a) or (b).
The Centre has adopted a wide interpretation aligned with the Financial Action Task Force ("FATF") definition of lending providers, encompassing consumer credit, mortgage credit, factoring, finance of commercial transactions and financial leasing. Entities considered within scope include banks, microfinance institutions, factoring firms, credit unions, mortgage lenders, credit card issuers, fintech -length related party lenders.
The Centre will look to the substance and economic reality of an entity's activities when determining whether it "carries on the business" of a credit provider. For item 11(b), factors include the frequency and regularity of credit transactions, whether the activity is conducted for commercial gain, the existence of systems or infrastructure to manage credit and whether the activity is marketed to third parties. No single factor is determinative.
Where a credit provider cedes its rights under a credit agreement (through factoring, the creation of a special purpose vehicle, or the sale of a loan book) the transferee steps into the role of credit provider and must register as an accountable institution with the Centre. Institutions managing run-off loan books are also included. By contrast, entities merely providing a service to a credit provider, such as debt collection, without assuming the rights and obligations under the credit agreement, fall outside scope.
The Centre has confirmed that entities entering into only incidental credit agreements are not deemed accountable institutions under item 11(a). However, multiple incidental arrangements that collectively amount to the regular provision of credit may indicate a credit provider business in substance. Artificial structuring or fragmentation will not be regarded as a valid basis for exclusion.
There is generally no maximum monetary threshold applicable when determining whether an entity is a credit provider under item 11(b). Credit agreements are treated as business relationships rather than single transactions, meaning the full suite of customer due diligence and targeted financial sanctions obligations under FICA must be applied. Credit providers must also develop, implement and maintain a Risk Management and Compliance Programme ("RMCP") proportionate to the nature, size and complexity of their business.
PCC 23A further provides a catalogue of risk indicators, including the use of credit funds for illicit activities, unexplained early repayment, multiple cash repayments without a plausible explanation for the source of funds, and loans serviced by unrelated third parties. Terrorist financing indicators include large purchases of crypto assets on credit by customers with no prior history of such purchases, while proliferation financing indicators include credit facilities extended to entities involved in dual-use goods or sanctioned jurisdictions.
PCC 61: The Crypto Travel Rule
PCC 61 provides guidance on the travel rule for crypto asset transfers under Directive 9 of 2024, which came into effect on 30 April 2025. The Directive requires CASPs designated under items 12 and 22 of Schedule 1 to FICA to obtain, hold and transmit originator and beneficiary information securely and immediately when transferring crypto assets. The travel rule applies to all crypto asset transfers between CASPs and between CASPs and unhosted wallets, covering transfers within, from or into South Africa. Fiat currency transfers are not covered.
A zero threshold applies per crypto asset transfer conducted in the course of a business relationship, meaning all transfers regardless of amount must comply. Even where a single transfer falls below ZAR5 000, section 20A of FICA prohibits conducting transactions on behalf of anonymous clients.
Travel rule information must be transmitted prior to or simultaneously with the crypto asset transfer and post-facto transmission is not permitted. Batch transmission is permitted provided information is still sent before or with the transfers. The Centre recommends pre-settlement authorisation to ensure travel rule information is obtained before the transaction is processed. No exemption or buffer time applies.
Prior to conducting crypto asset transfers, the ordering CASP must scrutinise the counterpart CASP against the targeted financial sanctions list and should conduct customer due diligence on the counterpart CASP. Relevant factors include identification and verification of the counterpart CASP, data protection controls, licensing status, the risk level of the jurisdiction and historic transaction patterns. The Centre also addresses the "sunrise" challenge: CASPs subject to Directive 9 must comply regardless of whether the counterpart jurisdiction applies the travel rule.
Transfers to or from unhosted wallets pose a heightened risk, as there is no beneficiary CASP that has conducted customer due diligence, and enhanced due diligence should accordingly be applied. CASPs must obtain information from their clients regarding the identity of the person holding the unhosted wallet.
All crypto asset transfers must be scrutinised against the United Nations Security Council targeted financial sanctions list. Crypto asset value must not be given to the client prior to this screening. Where a transfer relates to a designated person, the CASP's obligation to freeze and file a terrorist property report arises immediately. CASPs must develop clear processes for executing, suspending, rejecting or returning transfers in accordance with Directive 9 and section 26B of FICA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
