Concerns and praise for South Africa’s proposed new crypto rules
Several crypto industry insiders have told MyBroadband that they are concerned about regulations the Financial Intelligence Centre (FIC) has proposed regarding cryptocurrency transactions in South Africa.
This includes concerns around interoperability and the possible centralisation of highly sensitive financial information.
The FIC issued a draft directive in April that would require crypto platforms in South Africa to identify the parties of a cryptocurrency transaction.
This is part of an effort to get off the Financial Action Task Force (FATF) greylist by complying with its “Travel Rule” for virtual assets like cryptocurrency.
The FATF’s Travel Rule requires financial institutions, including those who deal in virtual assets, to provide relevant originator and beneficiary information alongside transactions.
According to the FATF, this helps to prevent criminal and terrorist misuse.
Under FIC’s proposed directive, South African crypto asset service providers (CASPs) must transmit a sender’s full name, ID or passport number, residential address, date and place of birth, and wallet address.
It also requires that CASPs verify the information they receive from other providers in line with the FIC Act (i.e. FICA).
For cross-border transfers, senders must provide full names, full details of the sending and receiving crypto wallets, and the beneficiary’s name.
It also proposed that CASPs must first identify the counterpart provider, conduct due diligence on the counterparty, and regularly update their due diligence when dealing with them before transmitting this private data.
Additionally, the draft directive places the risk of accepting transfers from “unhosted wallets” onto CASPs.
Unhosted wallets are what people in crypto would call self-custody or self-hosted wallets. These are any wallets not provided by third parties like CASPs. It is a cornerstone of the technology and the movement that spawned it.
The FIC’s proposed directive stipulates that CASPs must have a risk-based policy for obtaining further information on unhosted wallets if they determine there is a higher risk of money laundering, terrorist financing or proliferation financing.
Interested parties have until 31 May 2024 to comment on the proposal.
Altify CEO Sean Sanders told MyBroadband he is concerned about how the Travel Rule would be implemented practically.
“Different travel rule software-as-a-service solutions operate differently, and it’s uncertain whether one Travel Rule system will be interoperable with another,” Sanders said.
“Implementing the Travel Rule also brings data privacy risks as user data needs to be shared with external crypto exchanges which may not have strict data privacy measures in place.”
Sanders said this was one of the key challenges the Travel Rule faced in the EU — particularly in Germany.
Other industry insiders expressed similar concerns, but were unwilling to be identified.
Major crypto exchanges Luno and VALR told MyBroadband that their legal and compliance teams were reviewing the proposed regulations.
VALR cofounder and CEO Farzam Ehsani said many of the challenges and uncertainties in implementing the Travel Rule were raised by the FIC itself in a consultation paper accompanying the draft directive.
Some of the questions it raised included:
- What should the minimum threshold be for crypto asset transfers to be subject to the maximum requirements?
- What controls should be placed on CASPs regarding unhosted wallets?
- The Sunrise Issue — how to handle the fact that some jurisdictions will require their CASPs to comply before others.
“There is also an overarching concern that the implementation of the Travel Rule will substantially increase the cost of compliance for CASPs, and these costs are ultimately borne by end-users,” Ehsani said.
Ehsani said the FIC should provide a substantial grandfathering period to allow CASPs to put sufficient measures in place to comply with the guidelines.
Regarding what the directive gets right, Altify, Luno, and VALR all agreed that it aligned South Africa well with the FATF’s requirements.
“On face value (and subject to a detailed review), the proposal appears to be broadly in line with the Travel Rule requirements developed by other jurisdictions like Malaysia and Indonesia,” said Luno’s head of compliance and anti-financial crime, Johan Hetzel.
Hetzel said the regulations would also help correct a key misconception about crypto: that all transactions are anonymous.
He added that implementing the Travel Rule will enable CASPs to share originator and beneficiary information.
“[This] is an issue which the banking industry is still actively trying to address for domestic transactions,” Hetzel said.
Sanders said they wholeheartedly support initiatives aimed at removing South Africa from the FATF greylist.
“Implementing systems to reduce criminal activities is in the industry’s and society’s broader interests,” he said.
A key issue in implementing the Travel Rule is the databases CASPs will need to use to identify wallets and verify information supplied by transaction originators.
For example, a service called Notabene describes itself as the only pre-transaction crypto compliance platform.
This raised concerns that the FIC’s directive would effectively make South African CASPs beholden to an overseas monopoly by law.
However, Ehsani, Hetzel, and Sanders said this was incorrect as there were already several such service providers, with others in development.
Sanders highlighted Elliptic and Sumsub as also offering similar services.
“Each has its strengths and weaknesses, but there’s a wider concern about depending on just one or a few platforms for critical user data sharing,” he said.
Ehsani warned that coordination between providers will result in more centralisation of information.
“Should any breach of these central intermediaries occur, there could be a widescale leak of very sensitive information,” he said.
Unhosted wallets
Asked about the possibility that CASPs would simply refuse to accept transfers from self-hosted wallets to avoid any risk, Altify, Luno, and VALR said it was possible but unlikely.
Ehsani highlighted that the risk already existed before the Travel Rule.
“For example, transactions to unhosted wallets that form part of a global sanctions list cannot be accepted,” Ehsani said.
“The large exchanges around the world, including VALR, are already utilising the services of chain analytics providers to screen transactions against these sanctions lists and flag transactions from wallets associated with illicit activities.”
Sanders said jurisdictions like South Korea and Japan require users to sign waivers for such transfers, putting the risk and regulatory reporting requirements on them.
This is similar to FIC requirements in South Africa for cash transactions above R20,000.
“I believe South Africa might adopt a similar approach after the FIC gathers feedback from industry stakeholders,” Sanders said.
Hetzel said that Luno welcomes the shift from a rules-based regime to a risk-based one.
“Theoretically, it would allow a CASP to disallow transactions to or from unhosted wallets, based on each CASP’s risk appetite,” he said.
“Alternatively, transactions with unhosted wallets could be used as one risk indicator, amongst various risk indicators, to determine the risks of money laundering, terrorist financing and/or proliferation financing”.
Decentralised Finance (DeFi)
As for decentralised finance (DeFi), Hetzel said that no crypto transactions appear to be exempt from the Travel Rule.
Therefore, the same requirements would apply whether transactions occurred through a CASP or via smart contracts on a blockchain.
Sanders agreed, saying DeFi protocols and apps will likely require some form of digital identity verification that includes a Travel Rule check in the not-too-distant future.
DeFi luminary Andre Cronje, credited with helping to grow the field into a multi-billion dollar industry, told MyBroadband that the Travel Rule’s impact would likely be limited.
He said that from a South African perspective, DeFi protocols would technically need a CASP licence from the FSCA.
However, any regulator’s control is only in being able to shut down a service — and they can never shut down DeFi or non-custodial (e.g. unhosted) wallets.
Ehsani broadly agreed, saying the risk of placing too many burdensome regulations on centralised exchanges is that users will simply move underground.
“Peer-to-peer transactions [and] DeFi [are] very difficult, if not impossible, to impose the Travel Rule upon,” he said.
“DeFi relies on computer protocols that just need an Internet connection to function,” Ehsani explained.
“Ironically, the very activities that the authorities may be trying to monitor may be pushed out of their purview and result in less insight rather than more. This is why it’s extremely critical to think through the ramifications of any new regulation.”