It has been over a year since the Financial Action Task Force (“FATF“) announced that South Africa had been added to the FATF’s greylist for failing to timeously implement the required remedial actions set out in the FAFT’s “Anti-money laundering and counter‑terrorist financing measures: South Africa – Mutual Evaluation Report” (“FATF ME Report“). The FATF ME Report sets out the following: (i) the anti-money laundering and counter-terrorist financing (“AML/ CFT“) measures that South Africa had in place during the period of assessment (being 22 October 2019 to 12 November 2019) (“Period of Assessment“), (ii) the level of South Africa’s compliance with the FATF’s 40 Recommendations set out in FATF ME Report, (iii) the FATF’s analysis of South Africa’s AML/ CFT system and (iv) the FATF’s recommendations on the steps that South Africa should take to strengthen its AML/ CFT compliance and align same to the FATF’s global standards.
The FATF, in relation to South Africa’s AML/ CFT compliance status, noted that ‘virtual assets’ may be used to facilitate fraud, particularly cyber/ digital banking fraud in South Africa. One of the main focuses of the FATF ME Report was therefore to ensure that South Africa, inter alia, assessed the risks related to the use of new technologies (such as ‘virtual assets’), and imposed a comprehensive set of legislative requirements in relation to the use of ‘virtual asset service providers’ and ‘virtual assets’ (“Recommendation 15“). The FATF, in the FATF ME Report, rated South Africa as non‑compliant with Recommendation 15 for the Period of Assessment due to South Africa’s deficiencies with its AML/ CFT compliance status.
South Africa’s response to the FATF ME Report
Following the FATF ME Report, the FATF published its guideline titled “Virtual Assets and Virtual Asset Service Providers – Updated Guidance for a Risk-Based Approach” (“Updated Guidance“), which revised Recommendation 15 and now requires countries, such as South Africa, to (i) manage and mitigate the risks emerging from ‘virtual assets’, (ii) regulate ‘virtual asset service providers’ for AML/ CFT purposes, (iii) enact a regulatory framework to license, register and regulate ‘virtual asset service providers’ and (iv) establish effective systems to monitor all ‘virtual asset service providers’ compliance with the measures required under Recommendation 15.
In response to the FATF greylisting and Updated Guidance, South Africa made several amendments to its regulatory framework relating to ‘crypto assets’ to strengthen South Africa’s AML/ CFT compliance. On 19 October 2022, the Financial Sector Conduct Authority (“FSCA“) published General Notice 1350 of 2022 (“Declaration Notice“), in which ‘crypto assets’ were declared a financial product under the Financial Advisory and Intermediary Services Act No. 37 of 2002 (“FAIS Act“). The FSCA published its “Policy Document Supporting the Declaration of a Crypto Asset as a Financial Product under the Financial Advisory and Intermediary Services Act” (“FSCA Policy Document“), which emphasised the FSCA’s view that crypto asset related activities may pose a significant risk to financial customers. The purpose of the FSCA Policy Document is to contextualise the Declaration Notice and provide clarity on the effect, scope and licensing of crypto asset service providers (“CASPs“). In terms of the FSCA Policy, CASPs must, inter alia, be authorised under section 8 of the FAIS Act as a financial service provider (“FSP“) or be appointed as a representative of an authorised FSP under section 13 of the FAIS Act and comply with the requirements of the FAIS Act and its subordinate legislation which regulates certain financial advisory and intermediary services. The FSCA announced that the first FSP licenses to CASPs will likely be issued early in 2024.
Before the Declaration Notice and the FSCA Policy Document, neither CASPs nor crypto assets were specifically regulated by any financial sector legislation and regulations, which meant that financial transparency was limited and customer protection measures were frequently absent from interactions between the CASPs and their customers (i.e. usually being members of the public).
Legislative amendments in response to the Updated Guidance
The Minister of Finance, Enoch Godongwana, amended the FIC Act to include CASPs as ‘accountable institutions’.Chapter 3 of the FIC Act specifically deals with money laundering, financing of terrorist and related activities and financial sanctions control measures and makes provision for (i) enhanced customer due diligence to prevent accountable institutions from engaging in transactions with anonymous clients, (ii) accountable institutions to keep a record of its customer due diligence records and a record of all its transactions, (iii) accountable institutions to report on its customer due diligence to the Financial Intelligence Centre (“FIC“), and (iv) the board of directors and/ or senior management of an accountable institution to ensure that its employees comply with anti-money laundering and counter‑terrorist financing compliance.
The FATF in its publication titled “Anti-money laundering and counter-terrorist financing measures: South Africa – Follow-up Report & Technical Compliance Re-Rating“, published in November 2023 (“FATF Follow-Up Report“) states that by undertaking the aforementioned actions, South Africa has demonstrated that it is willing to take action to identify unauthorised CASPs and has since re-rated South Africa as partially compliant with Recommendation 15.
Following the various amendments to the regulatory framework, CASPs and crypto assets are now regulated under the FAIS Act (pursuant to the Declaration Notice) and the FIC Act. On 11 May 2023, the FSCA published notice 25 of 2023 (“Exemption Notice“) in terms of which CASPs were, inter alia, temporarily exempt from certain requirements of the FAIS Act such as the Part 4 of Chapter 3 of the Determination of Fit and Proper Requirements for Financial Service Providers, 2017, meaning that, not all the provisions of the financial regulatory framework apply to CASPs.
The road to full compliance with Recommendation 15
Whilst South Africa has taken the legislative steps described above to regulate crypto assets and CASPs, the declaration of a ‘crypto asset’ as a ‘financial product’ under the FAIS Act by the FSCA was intended to be an “interim step to mitigate conduct and consumer protection risks in the crypto asset environment, pending the anticipated Conduct of Financial Institutions (COFI) Bill framework and the broader policy discussions taking place at the time through the [Crypto Assets Regulatory Working Group]”. In order to improve South Africa’s current Recommendation 15 rating from ‘partially compliant’ to ‘compliant’, the South African Regulators could, inter alia, –
- update and finalise the Conduct of Financial Institutions Bill (the last draft of which was published on or about 29 September 2020) to (i) specifically provide for financial services that are related to crypto assets, and the licensing thereof and (ii) regulate new technologies that are currently emerging in the financial sector;
- take steps to (i) identify CASPs to the South African public who do not hold a valid FSP license (“FSP License“) under section 8 of the FAIS Act and (ii) penalise all persons or entities who provide advice and/ or intermediary services in respect of crypto assets without a valid FSP License;
- take steps to (i) identify and institute administrative sanctions against all persons or entities who are listed as accountable institutions in Schedule 1 of the FIC Act and who do not comply with their statutory obligations under the FIC Act (by, for example, not developing, maintaining or implementing a programme for anti-money laundering, counterterrorist financing and proliferation financing risk management and compliance (known as a Risk Management and Compliance Programme) as prescribed by section 42 of the FIC Act), and (ii) supervise and monitor an accountable institution’s compliance with the provisions of the FIC Act;
- update and finalise the draft Joint Standard published under the Financial Sector Regulation Act relating to the cybersecurity and cyber resilience requirements, published by the FSCA and Prudential Authority in December 2021 (“Draft Joint Standard“), which, sets out inter alia, the minimum requirements for financial institutions that make use of cryptography. The Draft Joint Standard requires ‘financial institutions’ to establish and adopt cryptographic key management policies, standards and procedures that comply with the Draft Joint Standard and well-established international standards; and
- issue licenses to CASPs.
The FSCA, in their presentation titled “Crypto Asset Market Study” dated 30 November 2023 and presented by Awelani Rahulani and Keith Sabilika (“FSCA Presentation“), confirmed that the FSCA (i) is of the view that “crypto asset related activities pose significant risks to financial customers” and (ii) acknowledges that whilst a legal framework is in place to regulate FSPs who provide advice and intermediary services on financial products such as crypto assets, the current legal framework is “not necessarily tailored around Crypto Assets Service Providers (CASPs), and the specific risks posed”. The FSCA has also expressed the view that South Africa must “develop bespoke and/or refine further the existing framework to ensure that it is fit for purpose and addresses Crypto Asset specific risk, without stifling innovation”.
During its Crypto Asset Market Study, the FSCA identified a number of risks. One of the risks identified relates to the outsourcing of certain services (such as’ Know your Client’ and ‘Anti-Money Laundering’ procedures, cyber security measures and protections and blockchain monitoring services) by CASPs to third parties. The FSCA is of the view that if a CASP outsources certain activities (such as those mentioned above) to third parties, then those third parties must also be licenced under and regulated by the FAIS Act in order to mitigate “the risk of regulatory arbitrage”. The regulation of outsourcing arrangements entered into by CASPs with third parties by the FSCA (by developing the existing legal framework) is one of the ways in which South Africa can balance compliance of CASPs with local regulations and ensure that the CASPs clients’ information remains confidential.
Conclusion
Even though South Africa has been upgraded to a partially compliant rating in regard to Recommendation 15, the regulatory authorities in South Africa still have several necessary steps to take in order to align the regulatory framework relating to CASPs to comply with Recommendation 15. The manner in which this will be achieved and the speed at which the required steps will be taken by the regulatory authorities remains to be seen.
Written by Kyra South, Senior Associate and Janice Geel, Associate, Werksmans
EMAIL THIS ARTICLE SAVE THIS ARTICLE ARTICLE ENQUIRY
To subscribe email subscriptions@creamermedia.co.za or click here
To advertise email advertising@creamermedia.co.za or click here