FATF’s latest report reveals global challenges implementing AML/CTF measures for virtual assets and providers
On 26 June 2025, the Financial Action Task Force (FATF) released its sixth targeted update on the global implementation of anti-money laundering and counter-terrorism financing (AML/CTF) measures to virtual assets (VA) and virtual asset service providers (VASPs).
Given the borderless nature of VAs, regulatory failures in one jurisdiction can have global consequences. This report assesses how jurisdictions’ are complying with FATF’s Recommendation 15 (R.15) and its Interpretative Note, which was updated in 2019 to apply to VAs and VASPs. It examined each jurisdiction’s progress in undertaking risk assessment, enacting legislation to regulate VASPs and conducting supervisory inspections, among other criteria.
While the report notes progress since 2024, it identifies areas needing stronger action to safeguard the integrity of the international financial system. Key challenges include identifying individuals and entities conducting VASP activities and addressing risks posed by offshore VASPs.
We’ve summarised the key findings below.
Key takeaways
- Most jurisdictions have made progress in enacting AML/CTF regulations for VAs and VASPs, but many struggle to assess risk and identify entities conducting VASP activity.
- Around 73% of jurisdictions have enacted the Travel Rule for VASPs, but enforcement and operationalisation remain limited.
- The use of stablecoins in illicit activities has surged – highlighting the challenges in regulating Decentralised Finance (DeFi) arrangements and the rise of scams and frauds involving VAs.
- FATF has provided further recommendations for both the public and private sector which aims to assist them address VA and VASP risk mitigation.
Background
FATF is an independent inter-governmental body that sets and promotes policies on anti-money laundering, counter-terrorism financing and countering proliferation financing. Its recommendations are recognised on a global scale, with Australia being a founding and active member of FATF.
In 2018, FATF updated R.15 to require countries to recognise and assess the risks associated with VAs and VASPs, and to implement measures to mitigate those risks – including licensing or registering VASPs.
In 2019, an update to Interpretive Note to R.15 further clarified how FATF requirements, including AML/CTF measures applied to VAs and VASPs.
We recently published guidance on how AUSTRAC proposes to strengthen VASPs regulation in line with FATF recommendation as part of reforms to the Anti-Money Laundering and Counter-Terrorism Financing Rules 2025 (Cth).
Key findings
Progress and challenges
- While jurisdictions have made progress in developing and implementing AML/CTF regulations for VAs and VASPs, significant challenges remain in assessing risks and implementing mitigation measures.
- 40 of the 138 surveyed jurisdictions are now listed as ‘largely compliant’ with FATF standards, which is an improvement on FATF’s 2024 survey results. More jurisdictions are conducting risk assessment, but translating findings into action continues to be a challenge, as a number of jurisdictions continue to pursue partial provisions only.
- 62% of jurisdictions allow VASPs, while 20% have imposed full or partial prohibitions. FATF warns that while a prohibition is permissible within FATF standards, it is difficult to implement effectively. Examples of partial prohibitions implemented by jurisdictions include prohibiting VAs from being used to pay for goods and services or for retail investment purposes.
- Around 85% of surveyed jurisdictions require VASPs to be licenced or registered. Despite this, many jurisdictions face practical difficulty in identifying natural or legal persons who conduct VASP activities.
- Only 37% of jurisdictions with licensing/registration frameworks extend those requirements to offshore VASPs.
Travel rule implementation
- About 73% of surveyed jurisdictions have passed legislation implementing the Travel Rule, which requires VASPs to obtain and transmit specific information during transactions. This includes originator and beneficiary information, which must be obtained, held and transmitted immediately and securely when transferring VAs.
- Of the 85 jurisdictions who have passed legislation, 50 have yet to issue findings or directives, or take enforcement or supervisory actions in relation to the Travel Rule– suggesting that uptake is relatively recent.
- 48% of jurisdictions that are considered ‘more advance’ in regulating VASPs are requiring certain DeFi arrangements to be licensed or registered as a VASP.
- FATF reports that enforcement and operationalisation of this rule is still limited.
Emerging risks
- Stablecoins are being used by various illicit actors, terrorist financiers and drug traffickers, with an approximate $30 trillion in stablecoin volume growth since May 2024. FATF considers that this growth is likely due to the perceived reduction in volatility, transaction efficiency with low costs and abundant liquidity, which makes stablecoins attractive to criminals looking to make a profit.
- The Democratic People’s Republic of Korea carried out the largest single VA theft in history, stealing approximately $1.46 billion from the VASP ByBit. Given only 3.8% of stolen funds have been recovered, this highlights the need to address asset recovery challenges and improve international co-operation.
- There has been a significant increase of the use VAs in fraud and scams with one industry participant estimating illicit on-chain activity of approximately $51 billion.
- There have been significant cases of international money laundering networks that collect funds in one jurisdiction and make the equivalent value available in another, often swapping VAs for cash. VAs have been used to purchase illicit substances without the need to move physical money across borders. FATF highlighted the importance of being able to freeze and seize assets to disrupt criminal activity.
FATF recommendations for the public sector
FATF published a list of recommendations for jurisdictions based on its findings, which have been summarised below:
- Risk assessment and policy approach to VASPs:
- Jurisdictions who have not yet assessed money laundering, terrorism financing and proliferation financing risks associated with VAs and VASPs should implement risk mitigation measures without delay.
- Jurisdictions should decide whether they are permitting or prohibiting VASPs (either fully or partially) and develop procedures to monitor and ensure against non-compliance.
- Licensing/ registering and supervising VASPs
- Jurisdictions should take immediate action against money laundering, terrorism financing and proliferation financing risks, including a full implementation of R.15. In practice this involves licensing and registering VASPs, identifying natural or legal persons who carry out VASP activities and implementing a risk-based approach to the supervision of VASPs in line with identified risks.
- Implementation of the travel rule
- Jurisdictions who have not yet implemented the Travel Rule should do so urgently.
- Jurisdictions who have introduced the Travel Rule should operationalise it immediately. The Best Practices on Travel Rule Supervision paper can be used for guidance on effective supervision and enforcement.
- Addressing emerging and increasing risks related to stablecoins and DeFi
- Jurisdictions should monitor market developments and assess illicit finance, money laundering, terrorism financing and proliferation financing risks, particularly in relation to large scale thefts and money laundering and take appropriate risk mitigation measures.
- Supervisors and investigators should enhance public-private sector collaboration and international collaboration to improve R.15 implementation and address challenges of recovering stolen funds.
- Supervisors and investigators should take effective countermeasures to address the increased professionalism of scammers, including through the establishment of scam-as-as service activity and scam types in the virtual asset ecosystem. This includes addressing poisoning and approval phishing.
- Jurisdictions should also implement risk mitigation measures for transactions with unhosted wallets that are commensurate with their risk assessment.
Recommendations for the private sector
- VASPs should ensure that they have appropriate risk identification and mitigation measures in line with R.15 and should adopt other risk-based measures as appropriate. This includes mitigating the risks associated with stablecoins, the increase in fraud and scams including investment and romance scams and large-scale hacks.
- The private sector should refer to the Best Practices on Travel Rule Supervision paper for further guidance on examples of engagement such as:
- industry engagements which led to industry initiatives to advance Travel Rule compliance;
- the creation of dedicated working groups and supporting capacity building in the private sector; and
- ongoing engagement with private sector and expansion of existing public/private partnerships.
FATF will continue to produce papers on stablecoins, offshore VASPs and DeFi between October 2025 and June 2026 and continue to offer jurisdictions support on identified areas of serious concern.
Australia’s position – where to next?
While FATF’s call for action may feel burdensome for some jurisdictions, Australia is ahead of the curve. As outlined in our 27 May article, the Travel Rule is currently being implemented for VASPs.
Australia performed well in FATF’s review. We’ve already conducted VA and VASP risk assessments, undertaken supervision and enforcement, and introduced legislation requiring registration and AML/CTF compliance for VASPs.
While Australia appears to have less work to do compared to other jurisdictions, Australian VASPs should familiarise themselves with the latest draft rules, consider their new registration requirements and whether they have appropriate policies in place to address relevant AML/CTF risks. VASPs should begin preparing their policies now – well ahead of any deadlines.
This article was written with assistance by Ruby Wensor, Law Graduate.
Contact