FATF’s latest report reveals global challenges implementing AML/CTF measures for virtual assets and providers

• While jurisdictions have made progress in developing and implementing AML/CTF regulations for VAs and VASPs, significant challenges remain in assessing risks and implementing mitigation measures.
  • 40 of the 138 surveyed jurisdictions are now listed as ‘largely compliant’ with FATF standards, which is an improvement on FATF’s 2024 survey results. More jurisdictions are conducting risk assessment, but translating findings into action continues to be a challenge, as a number of jurisdictions continue to pursue partial provisions only.
  • 62% of jurisdictions allow VASPs, while 20% have imposed full or partial prohibitions. FATF warns that while a prohibition is permissible within FATF standards, it is difficult to implement effectively. Examples of partial prohibitions implemented by jurisdictions include prohibiting VAs from being used to pay for goods and services or for retail investment purposes.
  • Around 85% of surveyed jurisdictions require VASPs to be licenced or registered. Despite this, many jurisdictions face practical difficulty in identifying natural or legal persons who conduct VASP activities.
  • Only 37% of jurisdictions with licensing/registration frameworks extend those requirements to offshore VASPs. 

• About 73% of surveyed jurisdictions have passed legislation implementing the Travel Rule, which requires VASPs to obtain and transmit specific information during transactions. This includes originator and beneficiary information, which must be obtained, held and transmitted immediately and securely when transferring VAs.
• Of the 85 jurisdictions who have passed legislation, 50 have yet to issue findings or directives, or take enforcement or supervisory actions in relation to the Travel Rule– suggesting that uptake is relatively recent.
• 48% of jurisdictions that are considered ‘more advance’ in regulating VASPs are requiring certain DeFi arrangements to be licensed or registered as a VASP.
• FATF reports that enforcement and operationalisation of this rule is still limited. 

• Stablecoins are being used by various illicit actors, terrorist financiers and drug traffickers, with an approximate $30 trillion in stablecoin volume growth since May 2024. FATF considers that this growth is likely due to the perceived reduction in volatility, transaction efficiency with low costs and abundant liquidity, which makes stablecoins attractive to criminals looking to make a profit.
• The Democratic People’s Republic of Korea carried out the largest single VA theft in history, stealing approximately $1.46 billion from the VASP ByBit. Given only 3.8% of stolen funds have been recovered, this highlights the need to address asset recovery challenges and improve international co-operation.
• There has been a significant increase of the use VAs in fraud and scams with one industry participant estimating illicit on-chain activity of approximately $51 billion.
• There have been significant cases of international money laundering networks that collect funds in one jurisdiction and make the equivalent value available in another, often swapping VAs for cash. VAs have been used to purchase illicit substances without the need to move physical money across borders. FATF highlighted the importance of being able to freeze and seize assets to disrupt criminal activity. 

FATF published a list of recommendations for jurisdictions based on its findings, which have been summarised below: 

• Risk assessment and policy approach to VASPs:
  • Jurisdictions who have not yet assessed money laundering, terrorism financing and proliferation financing risks associated with VAs and VASPs should implement risk mitigation measures without delay.
  • Jurisdictions should decide whether they are permitting or prohibiting VASPs (either fully or partially) and develop procedures to monitor and ensure against non-compliance.
• Licensing/ registering and supervising VASPs
  • Jurisdictions should take immediate action against money laundering, terrorism financing and proliferation financing risks, including a full implementation of R.15. In practice this involves licensing and registering VASPs, identifying natural or legal persons who carry out VASP activities and implementing a risk-based approach to the supervision of VASPs in line with identified risks.
• Implementation of the travel rule
  • Jurisdictions who have not yet implemented the Travel Rule should do so urgently.
  • Jurisdictions who have introduced the Travel Rule should operationalise it immediately. The Best Practices on Travel Rule Supervision paper can be used for guidance on effective supervision and enforcement.
• Addressing emerging and increasing risks related to stablecoins and DeFi
  • Jurisdictions should monitor market developments and assess illicit finance, money laundering, terrorism financing and proliferation financing risks, particularly in relation to large scale thefts and money laundering and take appropriate risk mitigation measures.
  • Supervisors and investigators should enhance public-private sector collaboration and international collaboration to improve R.15 implementation and address challenges of recovering stolen funds.
  • Supervisors and investigators should take effective countermeasures to address the increased professionalism of scammers, including through the establishment of scam-as-as service activity and scam types in the virtual asset ecosystem. This includes addressing poisoning and approval phishing.
  • Jurisdictions should also implement risk mitigation measures for transactions with unhosted wallets that are commensurate with their risk assessment.  

• VASPs should ensure that they have appropriate risk identification and mitigation measures in line with R.15 and should adopt other risk-based measures as appropriate. This includes mitigating the risks associated with stablecoins, the increase in fraud and scams including investment and romance scams and large-scale hacks.
• The private sector should refer to the Best Practices on Travel Rule Supervision paper for further guidance on examples of engagement such as:
  • industry engagements which led to industry initiatives to advance Travel Rule compliance;
  • the creation of dedicated working groups and supporting capacity building in the private sector; and
  • ongoing engagement with private sector and expansion of existing public/private partnerships. 

FATF will continue to produce papers on stablecoins, offshore VASPs and DeFi between October 2025 and June 2026 and continue to offer jurisdictions support on identified areas of serious concern.