Folio v0.9 — CEX + On-chain Consolidation is liveSee what's new →
Wag3sWAG3S
Get Started

FATF VASP Guidance: The Definition, the Risk-Based Approach, the Limits (2026)

Regulation·

FATF VASP Guidance: The Definition, the Risk-Based Approach, the Limits (2026)

FATF sets the global AML/CFT standard: Recommendation 15 covers virtual assets and VASPs, Recommendation 16 is the Travel Rule, the VASP definition turns on five activities. But FATF Recommendations are standards, not binding law — implemented unevenly, nationally. What that means in practice.
Author avatar Wag3s TeamEditorial team specializing in Web3 finance, crypto tax, and DAO operations. Based in Zurich, Switzerland.

Reviewed by Wag3s Editorial Team — verified against FATF Recommendation 15 (virtual assets / VASPs), the FATF VASP definition (five enumerated activities), the risk-based approach, the offshore-VASP risk, and the standards-not-binding-law nature of FATF Recommendations · Last reviewed May 2026

FATF VASP Guidance: The Definition, the Risk-Based Approach, the Limits

Every crypto-AML conversation invokes "FATF" as if it were a statute. It is not. FATF sets standardsRecommendation 15 for virtual assets/VASPs, Recommendation 16 the Travel Rule — and those standards only bite through national law, implemented unevenly. This guide is the definition, the risk-based approach and the limits, hedged, because VASP status is a legal determination, not a self-assessment.

TL;DR

  • FATF = global AML/CFT standard-setter; the FATF Recommendations are standards, not directly binding law — they bite via national implementing legislation.
  • Recommendation 15 = virtual assets / VASPs; Recommendation 16 = the Travel Rule.
  • VASP definition turns on five enumerated activities (VA↔fiat, VA↔VA, transfer, safekeeping/administration, participation in an issuer's VA offer/sale).
  • Risk-based approach expected — but FATF says only a minority of jurisdictions fully apply it to VASP supervision.
  • Offshore VASP (formed in one jurisdiction, serving another) = FATF-flagged elevated illicit-finance risk.
  • Jurisdiction-specific, evolving — "FATF-compliant" ≠ compliant everywhere; confirm with compliance counsel. Not legal/compliance advice.

FATF sets standards, not law

FATF (the Financial Action Task Force) is the global standard-setter for AML/CFT. The FATF Recommendations are standards, not directly binding law; they take legal effect only when a jurisdiction implements them via its own legislation, which differs in scope, timing and detail. "FATF requires X" is shorthand for "FATF recommends X; your jurisdiction's implementing law determines what applies to you" — a compliance-counsel question.

The VASP definition (five activities)

FATF broadly defines a Virtual Asset Service Provider as a natural or legal person who, as a business, conducts one or more of:

#Activity
1Exchange between virtual assets and fiat currencies
2Exchange between one or more forms of virtual assets
3Transfer of virtual assets
4Safekeeping/administration of VAs or instruments enabling control over VAs
5Participation in/provision of financial services for an issuer's offer/sale of a VA

Whether a specific business is in scope is a legal determination under the implementing national lawnot a self-assessment.

The risk-based approach

FATF expects jurisdictions and VASPs to apply a risk-based approach — identify, assess and mitigate ML/TF risk proportionately, not uniform controls applied blindly. FATF's own updates indicate only a minority of jurisdictions fully apply the risk-based approach to VASP supervision, so implementation maturity varies widely. The principle is global; the practical expectation depends on the supervising jurisdiction.

Why FATF flags offshore VASPs

FATF defines an offshore VASP as one created under one jurisdiction's laws (with or without physical presence) serving clients in another, and has highlighted elevated illicit-finance risk where supervision is weak/absent. This ties directly to crypto-company jurisdiction choice: registering somewhere without genuine supervision and substance can increase regulatory and counterparty risk, not reduce it.

Practical guidance

  1. Read "FATF" as a standard, not your law — find the implementing national legislation.
  2. Test VASP status against the five activities under the applicable law — counsel, not self-assessment.
  3. Build a genuine risk-based approach — expect supervisory variance by jurisdiction.
  4. Treat offshore-VASP structuring cautiously — weak supervision raises risk.
  5. Satisfy each relevant jurisdiction — "FATF-compliant" is not compliant everywhere.
  6. Confirm with compliance counsel per jurisdiction — evolving; not legal/compliance advice.

How vendor tools relate to FATF compliance

Chainalysis and Elliptic provide blockchain analytics and risk/screening that support a risk-based AML programme. They do not determine VASP status or what a jurisdiction's implementing law requires — those remain legal determinations for the business and its compliance counsel. Confirm any tool reflects the current national rules.

How Wag3s helps

Wag3s is not an AML/screening provider. Wag3s HR and the finance OS keep the auditable financial record that a risk-based AML programme and the AML/KYC process rely on, while VASP determination and the implementing-law obligations stay with the business and compliance counsel. See the HR product page.

Further reading

Sources

  • FATF = global AML/CFT standard-setter; the FATF Recommendations are standards, not directly binding law — take legal effect via national implementing legislation (scope/timing/detail differ by jurisdiction)
  • FATF Recommendation 15 = virtual assets / VASPs; Recommendation 16 = Travel Rule; FATF VASP definition = a person who as a business conducts one or more of: VA↔fiat exchange; VA↔VA exchange; VA transfer; safekeeping/administration of VAs or instruments enabling control; participation in/provision of financial services for an issuer's offer/sale of a VA
  • Risk-based approach expected of jurisdictions/VASPs; FATF updates indicate only a minority of jurisdictions fully apply RBA to VASP supervision (implementation maturity varies)
  • Offshore VASP = formed under one jurisdiction's law serving clients in another — FATF flags elevated illicit-finance risk where supervision weak; VASP status is a legal determination under implementing national law, jurisdiction-specific; not legal/compliance advice
Editorial disclaimer
This article is informational and does not constitute legal or compliance advice. Whether an entity is a VASP, and the resulting obligations, are determined under national law implementing the FATF standards and are jurisdiction-specific. Confirm with qualified compliance counsel.

Crypto Travel Rule Compliance: FATF Recommendation 16 for VASPs (2026)

The Travel Rule extends FATF Recommendation 16 to virtual assets: a VASP must collect, verify and transmit originator and beneficiary info to the counterpart VASP. The FATF threshold is USD/EUR 1,000 but jurisdictions diverge (the EU applies it at zero), and the 'sunrise issue' breaks the data exchange.

OFAC Crypto Sanctions Compliance: Strict Liability and the Tornado Cash Lesson (2026)

OFAC sanctions are strict-liability: exposure to a sanctioned address can create liability without knowledge. OFAC has listed digital-currency addresses on the SDN List since 2018, but listings are not exhaustive. The Tornado Cash delisting (March 2025) shows the law moves — confirm current status.

Explore the coverage

Every chain, integration, and competitor mentioned in this article gets its own page — coverage detail, comparison signals, and the audit trail your finance team needs.