What is being proposed? The regulations are made under the Currency and Exchanges Act, 1933, and give National Treasury sweeping powers over all cross-border movement of money, gold, securities — and now, for the first time, crypto assets. They introduce a new category of state-authorised "crypto asset service providers" and restrict what anyone else can do with crypto.
Key new crypto provisions include: mandatory declaration of all crypto holdings, a requirement to state a purpose for every acquisition, restrictions on sending crypto outside South Africa, the ability for Treasury to compulsorily purchase your crypto, and the power to freeze assets without a court order.
The regulations take effect on the date of publication in the Gazette — with no transition period.
Read the full draft regulations on the National Treasury website ↗
Why these regulations are harmful Crypto requires a stated purpose — making ordinary use illegal Regulation 3(5) & 3(6) You must declare why you are acquiring crypto. If you no longer need it for that stated purpose, you must immediately offer it for sale to National Treasury. Crypto assets serve multiple simultaneous uses — investment, savings, payments, DeFi — and this provision treats everyday holding as a regulated import activity.
The state can compulsorily purchase your crypto assets Regulation 8(3) Once you declare your crypto holdings, National Treasury may purchase them from you in Rand, at a rate it determines. This is compulsory acquisition with no defined fair-compensation mechanism, inconsistent with property rights protected by Section 25 of the Constitution.
Crypto cannot be sent outside South Africa without Treasury permission Regulation 4(1)(a) Sending crypto to a foreign exchange, using a hardware wallet connected to global networks, or participating in DeFi protocols requires explicit Treasury permission. This goes far beyond AML/CFT compliance and effectively prohibits South Africans from using internationally available financial infrastructure.
All crypto holdings must be declared, then cannot be moved without permission Regulation 10(1) & 10(2) Every crypto asset must be declared to National Treasury within 30 days of acquisition. Once declared, it cannot be sold, transferred, or disposed of without further Treasury permission. This creates an asset lockdown and treats all crypto holders as subjects under active financial surveillance.
Mandatory declaration creates a target list — France shows government crypto registries attract criminal exploitation Regulation 10(1) — declaration requirement In the first 3.5 months of 2026, France experienced approximately 41 crypto-related kidnappings and violent home invasions. The attacks were linked to a French tax official who used government financial software to access and sell the personal details of cryptocurrency holders — including home addresses and asset holdings — to criminal networks. A mandatory national declaration of all crypto holdings creates exactly the kind of centralised target list that enabled that exploitation. South Africa's record on protection of sensitive personal data held by state entities is not strong. A comprehensive government crypto holder registry is not merely a privacy risk — it is a physical safety risk, documented in real time, in a comparable jurisdiction. The declaration regime must not be maintained as a centralised searchable register accessible to operational staff.
Assets can be seized without a court order on suspicion alone Regulation 24 National Treasury can attach, freeze, and seize crypto assets whenever it suspects a breach of regulations — no prior court order required. While PAJA review is available after the fact, the absence of prior judicial oversight for such drastic action is disproportionate and open to abuse.
Administrative forfeiture must be removed — forfeiture must remain a judicial process under POCA Regulation 25 — Forfeiture The Regulations grant authorised officers the power to administratively forfeit crypto assets without judicial oversight. Forfeiture of private property is a severe sanction — in South Africa's existing legal framework it is controlled by POCA and requires a court order. Allowing forfeiture to proceed administratively, subject only to after-the-fact PAJA review, removes the critical protection of prior judicial authorisation and creates an unacceptable risk of wrongful and irreversible asset loss.
Forced surrender of private keys and passwords Regulation 25(5) If crypto assets are forfeited, the owner must provide all passwords, PINs, and private keys to the state on demand. No such obligation exists for any other financial instrument. This raises serious concerns under Section 14 (privacy) and Section 35(3)(j) (right against self-incrimination) of the Constitution.
Regulation 25(5) creates a traceless corruption mechanism — against a documented backdrop of border enforcement fraud Regulation 25(5) & Chapter 5 — enforcement In March 2026 — weeks before this draft was published — SARS executed search-and-seizure orders against six current and former SARS officials in a customs-inspection bribery scheme of approximately R1 billion. The Border Management Industry Anti-Corruption Forum, launched jointly by Home Affairs, BMA, SARS, SIU, NPA, and the Hawks, acknowledges that border corruption is a systemic, syndicate-driven problem. Against this baseline, Regulation 25(5) hands a single official at OR Tambo the power to compel any traveller's private keys on pain of five years' imprisonment. Once credentials are produced, the officer has full unilateral control of the wallet within seconds — irreversibly. A transaction to a pseudonymous receiving wallet leaves no audit trail: no registry links it to the officer, and the traveller has no biometric assurance of what is being signed. The draft contains no requirement that key disclosures be logged, that access be assigned to a named officer, or that wallets be monitored after inspection. There is no operational design and no compensation procedure. What the draft creates is a frictionless mechanism to convert a traveller's entire net worth — untraceable, irreversible, and with no procedural recourse.
No thresholds are defined — compliance is impossible to assess Regulation 31 The entire regulatory framework refers to "determined thresholds" set by the Minister of Finance at will, but none are defined in the draft. Individuals and businesses cannot know whether they are affected, cannot plan their affairs, and cannot assess compliance. Regulations of this scope should not be promulgated before thresholds are published and consulted on.
Regulations take immediate effect with no transition period Regulation 33 The regulations take effect on the date of publication in the Gazette. There is no grace period for individuals to declare holdings, no time for businesses to register as authorised providers, and no transition for existing cross-border arrangements. A minimum transition period of 12 months is necessary for orderly compliance.
The 31-day comment period is grossly inadequate Government Notice, 17 April 2026 Thirty-one days is insufficient for meaningful public consultation on a 35-page regulation that restructures capital flows for individuals, businesses, and crypto service providers. International best practice calls for a minimum 60-day comment period, with extended consultation for provisions of constitutional significance.
The consultation is procedurally defective — two conflicting deadlines and two different email addresses Government Notice vs Treasury Media Statement, 17 April 2026 The Government Gazette notice gives the public 30 days to comment, closing 18 May 2026, to one email address. The National Treasury media statement of 17 April 2026 gives until close of business on 10 June 2026, and lists a different email address. A regulation carrying criminal penalties of five years' imprisonment cannot be published on two contradictory timelines by the same department in the same week. The longer deadline must be publicly confirmed and honoured; anything else is procedurally unfair under section 33 of the Constitution and section 4 of the Promotion of Administrative Justice Act, 2000.
These regulations will accelerate capital flight and the emigration of tech talent General — economic impact The compliance burden, asset seizure risk, and criminal penalties will drive South Africa's technology entrepreneurs, crypto developers, and high-net-worth individuals to jurisdictions with clear and permissive crypto frameworks — UAE, Portugal, Singapore, El Salvador. Remote workers and freelancers paid in crypto face direct barriers to their livelihoods. South Africa cannot afford to export its most mobile and economically productive talent.
The authorised provider model will stifle crypto businesses and innovation Regulation 3(1) & 3(3) Restricting all above-threshold crypto transactions to state-authorised providers creates a gatekeeping regime that entrenches incumbents, bars new entrants, and makes DeFi, DEX trading, and self-custody effectively illegal. International crypto companies will not establish South African presence if every cross-border transaction requires prior Treasury approval. South Africa should be competing to attract crypto innovation, not regulating it out of existence.
Crypto is explicitly excluded from "currency" — yet currency-style controls are applied to it Regulation 1 — Definitions The regulations define "currency" as explicitly not including crypto assets. Yet the entire CFMR mechanism applies exchange controls — a framework designed for currency — to crypto. Regulating something as if it were currency after expressly excluding it from that definition is internally contradictory, creates inherent legal uncertainty, and may be vulnerable to challenge.
The definition of "capital" is overbroad — ordinary commercial transactions would be captured Regulation 1 — Definitions The draft's definition of "capital" is broad enough to encompass every freelance invoice, intellectual property licence, or sale of personal effects to a non-resident. A South African freelancer paid in foreign currency or crypto by an overseas client — or a private individual selling a laptop to someone abroad — could be subject to regulatory requirements designed for institutional cross-border capital flows. This overbreadth creates unnecessary compliance exposure for ordinary economic activity and will produce significant uncertainty for remote workers and the gig economy. The definition must be narrowed to exclude ordinary commercial and personal transactions.
Parliament is bypassed — a 93-year-old Act is used to restructure modern crypto regulation Section 9(1), Currency and Exchanges Act 9 of 1933 Restructuring the regulatory treatment of an entire asset class — particularly one touching constitutional rights — would normally require amendment to primary legislation and Parliamentary scrutiny. Instead, the Minister uses broad delegated powers under a 1933 Act to achieve a major regulatory restructure by ministerial regulation. This concentrates power in the executive and is an inappropriate vehicle for provisions of constitutional significance.
A triple licensing burden is imposed on crypto service providers Regulation 1 (definition of authorised CASP) & Regulation 3 Crypto Asset Service Providers in South Africa already hold an FSCA Financial Services Provider licence (required since the FSCA declared crypto a financial product in 2022) and are registered accountable institutions under FICA. The CFMR now mandates a third authorisation from National Treasury before a CASP may facilitate cross-border transactions. No equivalent triple burden applies to any other financial services category, and it will deter new entrants and drive existing businesses offshore.
The regulations create a parallel regime that conflicts with the FSCA's existing mandate General — regulatory architecture The FSCA has statutory responsibility for market conduct and consumer protection in relation to crypto assets as a financial product. By making National Treasury a second licensing authority over the same entities and activities, the CFMR creates a dual-regulator regime with no coordination mechanism in the regulations. This produces compliance confusion, increases costs, and undermines the FSCA's primary oversight role without formal legislative authority for the overlap.
Self-custody and DeFi participation are left in complete legal limbo Regulation 3 & 4 The entire authorised-provider model assumes a licensed intermediary sits between the user and every crypto transaction. But self-custody wallets — a fundamental feature of crypto that existing regulation has not restricted — and decentralised finance protocols have no such intermediary. The regulations provide no guidance on how self-custody holders or DeFi participants comply, leaving millions of South Africans who hold crypto without a CASP in legally undefined territory.
Travelers face mandatory border declarations and warrantless device searches Chapter 5 — Enforcement powers Travelers must declare digital assets at border crossings, and authorised officers gain expanded powers to search and seize devices — phones, hardware wallets — without prior judicial authorisation. No equivalent obligation applies to travelers carrying foreign currency. This exposes every South African crossing an international border to digital surveillance and device confiscation on administrative suspicion alone, raising concerns under Section 14 (privacy) and Section 21 (freedom of movement) of the Constitution.
The framework is purely punitive — no safe harbours, sandboxes, or compliance incentives General — regulatory design Criminal penalties of up to R1,000,000 or five years' imprisonment, compulsory acquisition, warrantless attachment, and forced key disclosure — but no safe harbour provisions, no regulatory sandbox, no reduced-penalty pathway for voluntary disclosure, and no incentives for proactive AML/CFT compliance. Every jurisdiction that has successfully integrated crypto — EU (MiCA), UK (FCA), Singapore (MAS) — paired enforcement with clear compliance pathways. Strong on the stick, absent on the carrot will drive activity underground or offshore, not into compliance.
South Africa already has adequate AML/CFT tools — Regulation 25(5) adds risk, not compliance General — AML/CFT regulatory framework The goal of staying off the FATF grey list does not require Regulation 25(5). South Africa already has FIC reporting obligations, FSCA supervision of licensed CASPs, the Crypto Asset Reporting Framework adopted on 1 March 2026, and SARS information-sharing under the OECD CARF/CRS framework. None of these require compelled disclosure of private keys. Adding Regulation 25(5) to this stack does not strengthen the AML/CFT regime — illicit flows are detected through transaction monitoring and reporting, not border inspection of private keys. What it does is signal hostility to the only users these regulations can actually reach: legitimate South Africans who hold crypto openly, declared, and in good faith.
International practice licenses intermediaries — it does not criminalise self-custody at the border General — international regulatory architecture The framing that these regulations reflect international best practice is incorrect. The EU's MiCA framework, the UK's Financial Services and Markets Act 2023 regime, and Singapore's Payment Services Act all license and supervise intermediaries — exchanges, custodians, issuers — and do not criminalise self-custody at the border. The FSCA already does the former, with the majority of CASP applicants licensed as of late 2025. The draft regulations duplicate that perimeter and then add a self-custody surveillance layer that no comparable jurisdiction has implemented. This is not alignment with international practice. It is divergence — in the direction of capital controls of a kind South Africa abolished, in stages, after 1991 because they did not work.
These regulations burden the honest and create new opportunities for corrupt enforcement General — enforcement design and policy These regulations will not stop the sophisticated. Those with resources will restructure through compliant intermediaries or relocate to friendlier jurisdictions. They will burden the honest South African who holds crypto legally and in good faith. Expanded search, seizure, and inspection powers granted to an enforcement apparatus already prosecuting its own staff for corruption create new opportunities for the theft of digital assets — assets that, once taken from a self-custody wallet, may be irretrievably lost to the victim. South Africa abolished pass laws and capital controls within living memory. The draft proposes, in 2026, to reintroduce the architecture of both — at the border, on the phone, on the chain. That is the wrong direction.
Constitutional concerns Several provisions raise concerns under the Bill of Rights:
S14 — Right to Privacy S25 — Property Rights S35 — Right Against Self-Incrimination PAJA — Administrative Justice Rule of Law — Legal Certainty
The forced surrender of private keys (Reg 25(5)) has no parallel in any financial regulation and potentially compels self-incriminating disclosure. Mandatory declaration of all holdings (Reg 10) constitutes a significant invasion of financial privacy. Warrantless asset attachment (Reg 24) departs from the normal requirement of prior judicial authorisation. Compulsory acquisition without a transparent compensation mechanism (Reg 8) is in tension with Section 25. These provisions individually and collectively require careful constitutional scrutiny before promulgation.
Draft your submission Note: By submitting a comment, you agree that your name and submission may be made public by National Treasury and disclosed under PAIA. Write formally and factually.
Select all points Deselect all
To CommentDraftRegulations@treasury.gov.za Copy Copied!
Subject Public Comment: Draft Capital Flow Management Regulations 2026 Copy Copied!
stat.cash provides this page as a public resource. This is not legal advice. The submission tool generates a draft only — review and edit before sending.