Folio v0.9 — CEX + On-chain Consolidation is liveSee what's new →
Wag3sWAG3S
Get Started

FATF VASP Guidance: The Definition, the Risk-Based Approach, the Limits (2026)

Regulation·

FATF VASP Guidance: The Definition, the Risk-Based Approach, the Limits (2026)

FATF sets the global AML/CFT standard: Recommendation 15 covers virtual assets and VASPs, Recommendation 16 is the Travel Rule, the VASP definition turns on five activities. But FATF Recommendations are standards, not binding law — implemented unevenly, nationally. What that means in practice.
Author avatar Wag3s TeamEditorial team specializing in Web3 finance, crypto tax, and DAO operations. Based in Zurich, Switzerland.

Reviewed by Wag3s Editorial Team — verified against FATF Recommendation 15 (virtual assets / VASPs), the FATF VASP definition (five enumerated activities), the risk-based approach, the offshore-VASP risk, and the standards-not-binding-law nature of FATF Recommendations · Last reviewed May 2026

FATF VASP Guidance: The Definition, the Risk-Based Approach, the Limits

FATF guidance is the source nearly every crypto-AML conversation invokes — usually as if it were a statute. It is not. FATF sets standards: Recommendation 15 covers virtual assets and VASPs, Recommendation 16 is the Travel Rule, and the VASP definition turns on five enumerated activities. But the FATF Recommendations are standards, not directly binding law — they take legal effect only through national implementing legislation, which arrives unevenly. This guide sets out the definition, the risk-based approach and the limits, hedged, because whether a business is a VASP is a legal determination under implementing law, not a self-assessment. For the Travel Rule specifically, see crypto travel rule compliance.

In short

What FATF actually is, the five-activity VASP definition, what the risk-based approach expects, why FATF flags offshore VASPs, and why "FATF-compliant" is not the same as compliant everywhere.

  • FATF is the global AML/CFT standard-setter; the FATF Recommendations are standards, not directly binding law — they bite via national implementing legislation.
  • Recommendation 15 covers virtual assets and VASPs; Recommendation 16 is the Travel Rule.
  • The VASP definition turns on five enumerated activities (VA↔fiat, VA↔VA, transfer, safekeeping/administration, and participation in an issuer's VA offer/sale).
  • A risk-based approach is expected — but FATF reports that only a minority of jurisdictions fully apply it to VASP supervision.
  • An offshore VASP (formed in one jurisdiction, serving another) is FATF-flagged for elevated illicit-finance risk where supervision is weak.
  • This is jurisdiction-specific and evolving — "FATF-compliant" is not compliant everywhere; confirm with compliance counsel. Not legal or compliance advice.

FATF sets standards, not law

FATF (the Financial Action Task Force) is the global standard-setter for AML/CFT. The FATF Recommendations are standards, not directly binding law; they take legal effect only when a jurisdiction implements them via its own legislation, which differs in scope, timing and detail. "FATF requires X" is shorthand for "FATF recommends X; your jurisdiction's implementing law determines what applies to you" — a compliance-counsel question.

The VASP definition (five activities)

FATF broadly defines a Virtual Asset Service Provider as a natural or legal person who, as a business, conducts one or more of:

#Activity
1Exchange between virtual assets and fiat currencies
2Exchange between one or more forms of virtual assets
3Transfer of virtual assets
4Safekeeping/administration of VAs or instruments enabling control over VAs
5Participation in/provision of financial services for an issuer's offer/sale of a VA

Whether a specific business is in scope is a legal determination under the implementing national law — not a self-assessment.

The risk-based approach

FATF expects jurisdictions and VASPs to apply a risk-based approach: identify, assess and mitigate ML/TF risk proportionately, rather than applying uniform controls blindly. FATF's own updates indicate that only a minority of jurisdictions fully apply the risk-based approach to VASP supervision, so implementation maturity varies widely. The principle is global; the practical expectation depends on the supervising jurisdiction.

Why FATF flags offshore VASPs

FATF defines an offshore VASP as one created under one jurisdiction's laws (with or without a physical presence) serving clients in another, and has highlighted elevated illicit-finance risk where supervision is weak or absent. This ties directly to crypto-company jurisdiction choice: registering somewhere without genuine supervision and substance can increase regulatory and counterparty risk, not reduce it.

Practical guidance

  1. Read "FATF" as a standard, not your law — find the implementing national legislation.
  2. Test VASP status against the five activities under the applicable law — counsel, not self-assessment.
  3. Build a genuine risk-based approach — expect supervisory variance by jurisdiction.
  4. Treat offshore-VASP structuring cautiously — weak supervision raises risk.
  5. Satisfy each relevant jurisdiction — "FATF-compliant" is not compliant everywhere.
  6. Confirm with compliance counsel per jurisdiction — evolving; not legal/compliance advice.

Where analytics tools stop

Chainalysis and Elliptic provide blockchain analytics and risk screening that support a risk-based AML programme. What they do not do is determine VASP status or what a jurisdiction's implementing law requires — those remain legal determinations for the business and its compliance counsel. Confirm any tool reflects the current national rules.

Where Wag3s fits

Wag3s is not an AML or screening provider. What Wag3s HR and the finance OS do is keep the auditable financial record that a risk-based AML programme and the AML/KYC process rely on. It supports, rather than replaces, the compliance counsel whose call the VASP determination and the implementing-law obligations remain. See the HR product page.

Further reading

Jurisdiction-specific rules: how FATF translates into national law

The most practically consequential aspect of FATF's approach to VASPs is that the same Recommendation 15 produces different national laws in every jurisdiction that adopts it. A business operating across borders cannot assume a single "FATF-compliant" standard covers all of them. The following examples illustrate how the same framework produces materially different obligations.

European Union. The EU implemented the FATF VASP framework through successive AML Directives. The 6th AMLD and, more comprehensively, MiCA and the Transfer of Funds Regulation (TFR) together capture most FATF Recommendation 15 and 16 obligations for EU-facing VASPs. The Travel Rule under the TFR applies to all crypto-asset transfers in the EU regardless of value — more demanding than the FATF standard, which recommends a USD/EUR 1,000 threshold.

United Kingdom. Post-Brexit, the UK operates its own VASP registration regime under the FCA (Financial Conduct Activities). Registration does not equal authorisation — many applications have been refused or withdrawn. The UK applies the FATF definition through the Money Laundering Regulations 2017 (as amended). The FCA has been notably strict on compliance quality.

United States. The US does not have a single VASP statute. Obligations under FinCEN's BSA framework apply to Money Services Businesses, which includes many crypto businesses. State-level Money Transmitter Licences (MTLs) add a further layer. A business that is FATF-standard compliant under one framework may still be operating without required state licences. The US has not implemented the FATF Travel Rule uniformly.

Singapore. The MAS implements the FATF framework through the Payment Services Act 2019 (as amended). Digital Payment Token services require a licence; the MAS has been selective in granting them. The Travel Rule applies from a SGD 1,500 threshold.

UAE. The VARA in Dubai has implemented a VASP framework aligned with FATF, with an own-regulatory overlay. Onshore and DIFC/ADGM free-zone operators face different supervisors and different rule sets.

The practical lesson: for any business operating in more than one jurisdiction, a compliance programme that maps FATF's Recommendations to each jurisdiction's implementing law — separately and with local counsel — is the minimum defensible starting point. "We follow FATF standards" is not a compliance programme.

Sources

Editorial disclaimer
This article is informational and does not constitute legal or compliance advice. Whether an entity is a VASP, and the resulting obligations, are determined under national law implementing the FATF standards and are jurisdiction-specific. Confirm with qualified compliance counsel.

Crypto Travel Rule Compliance: FATF Recommendation 16 for VASPs (2026)

The Travel Rule extends FATF Recommendation 16 to virtual assets: a VASP must collect, verify and transmit originator and beneficiary info to the counterpart VASP. The FATF threshold is USD/EUR 1,000 but jurisdictions diverge (the EU applies it at zero), and the 'sunrise issue' breaks the data exchange.

OFAC Crypto Sanctions Compliance: Strict Liability and the Tornado Cash Lesson (2026)

OFAC sanctions are strict-liability: exposure to a sanctioned address can create liability without knowledge. OFAC has listed digital-currency addresses on the SDN List since 2018, but listings are not exhaustive. The Tornado Cash delisting (March 2025) shows the law moves — confirm current status.

Explore the coverage

Every chain, integration, and competitor mentioned in this article gets its own page — coverage detail, comparison signals, and the audit trail your finance team needs.