South Africa Didn’t Write a Crypto Law. It Lost a Court Case.
Njami (CryptedInk)6 min read·Just now--
In May 2025, a judge in Gauteng ruled that Bitcoin is not capital. The ruling was narrow, technical, and correct. Under Regulation 10(1)© of the Exchange Control Regulations of 1961, crypto assets simply did not fit the definition. The court wasn’t making a philosophical statement about decentralization. It was reading a 64-year-old law and applying it honestly.
South Africa’s National Treasury read the same ruling and did what governments do when they lose an argument they cannot afford to lose. They rewrote the dictionary.
The Draft Capital Flow Management Regulations 2026, published on April 17, is not a modernization of exchange controls. It is a legislative reversal of a court ruling. That distinction matters more than anything else in this debate, because it tells you what the framework is actually designed to do and who it is actually designed to catch.
The steelman first, because it deserves one.
South Africa has real exposure to illicit capital flows. The Financial Action Task Force added the country to its greylist in 2023, and removing that designation requires demonstrable progress on anti-money laundering infrastructure. Crypto, operating outside the existing exchange control perimeter, creates a visible gap.
Treasury’s logic is that a modern capital flow framework should cover all capital, digital or otherwise, and that aligning with OECD and FATF standards is not optional for a country trying to remain integrated with global financial markets. That argument is coherent. The intent, stripped of its execution, is defensible.
The problem is not the intent. The problem is that whoever drafted Regulation 25(5) does not appear to understand what a private key is. Or does But its 1984 and Big Brother Is watching You!
The provision empowers enforcement officers to demand any “password, PIN, private key, or other information” needed to access crypto assets held by anyone crossing a South African border. Refusal is a criminal offence carrying a fine of up to R1 million ($60,000) or five years in prison.
On the surface, this reads like an aggressive but familiar power, the kind that exists in various forms in the UK and elsewhere. The surface is misleading.
A bank password and a private key are not the same object. If you hand your bank password to a border officer, your bank can issue you a new one afterward. The compromise is contained and reversible.
A private key has no reset function. It is a 256-bit number that controls a wallet with mathematical finality. Once you disclose it, you have disclosed it permanently. The officer who holds it now has irrevocable access to your holdings for the rest of time, regardless of what happens next.
The regulation treats this as equivalent to unlocking a phone. It is not. It is handing someone the only key to a vault that cannot be rekeyed.
This is not a civil liberties argument. It is a technical one. The provision is dangerous not because it is authoritarian, though critics will make that case, but because its authors demonstrably do not understand the object they are legislating.
The industry response has been swift and specific, which is itself informative. VALR, one of the country’s largest licensed exchanges, described the provisions as “overly restrictive” and warned they “undermine the nature of crypto assets and the practical exercise of self-custody rights.”
Luno’s general manager for Africa and Europe, Marius Reitz, raised something technically absurd: under the draft, a transaction between two South African residents on a locally licensed South African exchange would be classified as a capital export, despite never leaving the country.
VALR’s CEO Farzam Ehsani pushed the logic further. If all crypto assets are by default foreign assets because they exist on a blockchain, what happens to a rand-denominated stablecoin? Is a token pegged to the South African rand, issued on-chain by a South African entity, a foreign asset? The draft offers no answer, because the draft’s authors appear not to have asked the question.
These are not fringe objections. They are the objections of licensed, compliant, FSCA-regulated businesses that built their operations on the assumption that South Africa would remain a serious regulatory environment. That assumption is now in question.
The AML argument, which Treasury leans on heavily, also fails on its own terms.
The actors who move meaningful volumes of illicit capital through crypto are not carrying hardware wallets through OR Tambo International. They are using mixers, chain-hopping between privacy coins, routing through offshore structures in jurisdictions that have no interest in cooperation.
None of these actors will be inconvenienced by a mandatory declaration requirement or a border seizure power. They will adapt in 48 hours.
What the regulation will catch is the retail Bitcoin holder, the developer building on-chain infrastructure, the fintech startup that chose South Africa because it seemed like a sensible place to operate.
Every serious AML regime in the world has converged on the same answer: transaction monitoring at the service provider level, combined with Travel Rule compliance for cross-border transfers. South Africa already built that answer. The FSCA licensing framework, operational since 2023, requires Crypto Asset Service Providers to register, implement KYC, and comply with Financial Intelligence Centre directives.
The Travel Rule was implemented in April 2025. The infrastructure for catching bad actors was already in place. Treasury walked past it and reached for a border checkpoint instead.
There is one more problem that nobody has named clearly enough.
The mandatory declaration threshold is not specified in the draft. The document defers that figure to unilateral ministerial discretion, to be published in a separate Gazette notice at a future date. This creates a due process trap with no floor.
A citizen can hold crypto today in full compliance, and wake up tomorrow to find the Minister has published a threshold below their holdings overnight.
There is no retroactive grace period in the draft’s architecture. The 30-day clock runs from the regulation’s effect date, not from the date the threshold is announced. You can be in violation before you have any legal basis to know you are.
For a framework proposing five-year prison sentences, the absence of the threshold amount is not a drafting oversight. You tell me what it is!
The tragedy here is not that South Africa got crypto regulation wrong. It is that South Africa had it right.
From 2022 onward, the country built something genuinely functional: FSCA oversight, mandatory CASP licensing, FIC registration, Travel Rule implementation. By the time the 2025 Gauteng ruling came down, South Africa was one of the few African countries with a crypto framework that matched how the technology actually works.
The court ruling exposed a gap but the gap was narrow, and the tools to manage it were already built.
The response to a narrow legal gap is a precise legislative fix. What Treasury published instead is a 60-year rewrite driven by a court loss, drafted without apparent technical input, carrying criminal penalties for conduct that cannot be undone once an officer demands your private key at a border crossing.
The public comment window closes, depending on which Treasury document you believe, on either May 18 or June 10. The two official publications have not been reconciled.
For a framework threatening five years in prison for non-compliance, the government cannot agree on its own deadline.
That is not a technicality. It is a signal.
Public submissions can be sent to the National Treasury. The deadline discrepancy between Government Gazette №7375 and the Treasury media statement remains unresolved, industry bodies including VALR, Cape Crypto, and Bitcoin ZAR advise submitting to both addresses before May 18.
