South Africa's crypto sector has crossed a line it cannot uncross. The Financial Sector Conduct Authority (FSCA) has now approved over 300 crypto asset service provider (CASP) licences, marking a decisive shift from informal market to regulated industry.
South Africa's Crypto Licensing Milestone
By 12 December 2025, the FSCA had received 512 CASP licence applications. Of these, 300 were approved, 14 were declined, and 121 were voluntarily withdrawn by applicants following engagements with the FSCA about the appropriateness of their business and operating models.
The numbers tell a clear story. More than one in four applicants either failed outright or pulled out after regulators questioned their readiness. For crypto firms in South Africa, this is not a soft compliance environment. It is an active enforcement one.
The FSCA has initiated 81 investigations into entities suspected of providing crypto-related services without authorisation. While 25 cases were closed after firms ceased trading or were found to be dormant, 56 investigations remain ongoing.
The message from the regulator is direct: get licensed or face consequences. FSCA licensing requirements are no longer optional for any crypto firm in South Africa that wants to keep operating.
What FSCA Licensing Requires for Crypto Firms
Before understanding who passed, it helps to understand what the FSCA actually requires. FSCA licensing requirements for crypto firms in South Africa sit under the Financial Advisory and Intermediary Services (FAIS) Act, though this will eventually migrate to the Conduct of Financial Institutions (CoFI) Bill once it is enacted.
Here is the baseline every CASP must meet:
- Registration As a CASP Under FAIS
Any firm exchanging, transferring, safekeeping, or providing advice on crypto assets must be formally licensed. Crypto assets are defined as a digital representation of value that is not issued by a central bank but is capable of being traded, transferred or stored electronically for the purpose of payment, investment and other forms of utility. Operating without a licence is grounds for investigation and enforcement action.
- Fit and Proper Requirements
Key individuals must meet competency, experience, and integrity standards set under the FAIS Act. All licensed CASPs and their key individuals were required to fulfil regulatory examination requirements by 30 June 2025. No further extensions were granted. Failure to comply may lead to regulatory action, including suspension or withdrawal of licences.
- FICA Alignment: AML, CFT, And CPF Obligations
In addition to supervising CASPs as financial services providers under the FAIS Act, the FSCA supervises CASPs in respect of their anti-money laundering, counter-financing-of-terrorism, and counter-proliferation financing obligations under the Financial Intelligence Centre Act. Every licensed CASP must have systems in place to identify, monitor, and report suspicious activity.
ALSO READ: AML/CFT Compliance in South Africa
- A Risk Management And Compliance Programme (RMCP)
Every CASP must develop and implement a documented RMCP that covers how it identifies and manages money laundering, terrorist financing, and proliferation financing risks. This is not a formality. The FSCA's first round of supervisory inspections focused specifically on governance arrangements, risk management and compliance programmes, and business risk assessments.
- Ongoing FSCA Supervision
Licensing is not a one-time event. A further 30 supervisory inspections were planned between April 2025 and March 2026, 21 of which have already been completed. Most of these inspections cover the full range of compliance requirements under the FIC Act.
Why So Many Applications Were Declined or Withdrawn
Of the 512 applications received, only 300 crossed the line. That means 135 firms either failed or walked away. Understanding why is just as important as understanding what success looks like.
The FSCA was specific about its reasons for declined applications. Both failure points came down to one thing: firms were not ready.
- Operational ability shortfalls: Applicants failed to provide clear and comprehensive business plans and business model descriptions. The FSCA expected firms to show exactly how they intended to operate, what crypto asset activities they would conduct, and what frameworks they had in place to support those activities. Vague or incomplete business plans were rejected.
- Competency gaps: Firms also failed to demonstrate the requisite knowledge and practical experience in crypto assets. Key individuals could not show they understood the market, the risks, or the regulatory obligations well enough to be trusted with a licence.
-Voluntary withdrawals: 121 applications were voluntarily withdrawn by applicants following engagements with the FSCA that raised concerns about applicants' business or operating models. In many cases, the FSCA's questions during the review process revealed that firms had structural or operational problems they could not resolve quickly. Walking away was a signal that readiness had been overstated from the start.
Firms that withdrew or were declined can reapply, but they cannot conduct any CASP-related activities in the meantime. The regulator is watching, and 56 active investigations confirm that.
What the 300+ Licensed Crypto Firms Did Right: The FSCA Compliance Checklist
The firms that secured licences did not get lucky. They did the groundwork before submitting. Here is what the approved CASPs in South Africa had in common:
1. A clear, specific business plan
Successful applicants did not submit generic documents. They outlined their exact crypto asset activities, their operating model, their target customers, and the systems they had in place to manage risk. The FSCA needed to see that the business was real, structured, and manageable.
2. Demonstrated knowledge and experience
Key individuals showed they understood crypto assets at a technical and regulatory level. This meant completing the required regulatory examinations and being able to articulate how their firm's operations aligned with FAIS and FICA obligations. The RE deadline of June 2025 was not negotiable.
3. A solid, documented RMCP
The FSCA checked RMCPs directly in its first round of inspections. Licensed firms had programmes that identified their specific AML, CFT, and proliferation financing risks, documented their controls, and showed how those controls would be monitored and updated. A template RMCP was not enough. It had to reflect the firm's actual business.
4. Governance structures that held up to scrutiny
The FSCA's first inspections focused on governance arrangements as one of three core areas. Approved firms had clear accountability structures, designated compliance officers, and internal policies that reflected the requirements of the FIC Act. Governance was not treated as an afterthought.
5. Business risk assessments
Firms needed to show they had assessed their own exposure to financial crime risk based on their specific customer base, products, geographies, and transaction types. A risk assessment that did not reflect the firm's actual operations was quickly identified.
6. FICA-aligned systems from day one
Identity verification, transaction monitoring, sanctions screening, and suspicious transaction reporting processes had to be live from day one not planned for later. The regulator wanted to see FSCA compliance infrastructure that was already operational, not promised.
INTERESTING READ: Travel Rule Enforcement for Crypto Rule in South africa
How Crypto Firms Can Achieve FSCA Compliance in 2026
The licensing window is not closed. Firms that withdrew or were declined can reapply. New entrants can still apply. But the standard the FSCA has set through its approvals and rejections is now visible, and the bar will not get lower.
Here is what firms building toward FSCA compliance in 2026 need to prioritise:
- Start with the RMCP, not the application form. The RMCP is the foundation everything else is built on. Before submitting anything to the FSCA, a firm needs a complete, tailored risk management programme that reflects its actual operations and the specific risks of its business model.
- Get key individuals RE-qualified. Every key individual needs to meet the fit and proper requirements under FAIS. This is a hard requirement with no workaround.
- Build compliance infrastructure before you need it. Licensed CASPs in South Africa are already being inspected on their AML and FICA obligations. Firms applying now need to show those systems exist and work, not that they are planning to build them after approval.
- Know your crypto risk exposure specifically. Generic risk assessments are being identified and rejected. Firms need to assess their risk based on the actual customers they serve, the crypto assets they handle, the geographies they operate in, and the channels they use.
The FSCA established the Crypto Asset Supervisory Engagement Forum in August 2025 to improve information sharing, risk awareness, and regulatory coordination across the sector. Engaging with this forum and staying current on supervisory expectations is now part of operating responsibly as a crypto firm in South Africa.
Conclusion
The 300+ firms that secured licences have shown what FSCA compliance looks like in practice. The 135 firms that failed or withdrew have shown what regulators will not accept.
For crypto firms in South Africa still building toward compliance, the path is clear. Operational readiness, demonstrated expertise, FICA-aligned systems, and a credible RMCP are the foundation. The FSCA is not waiting, and with 56 active investigations still open, the cost of delay is rising.
Youverify's unified compliance platform helps CASPs in South Africa meet these requirements through automated KYC and identity verification, continuous AML monitoring, sanctions and PEP screening, and audit-ready reporting that aligns with FICA and FATF standards. Whether you are preparing a first application or strengthening an existing compliance programme, the infrastructure needs to be in place before the regulator comes looking.
Speak to our compliance experts today and see how Youverify can help you close compliance gaps before your next regulatory review.