TOKENIZATION COMPLIANCE
The Vanderbilt Terminal for Global Tokenization Regulation
INDEPENDENT INTELLIGENCE FOR DIGITAL ASSET COMPLIANCE

FATF Virtual Asset Standards

The Financial Action Task Force (FATF) has extended its global AML/CFT framework to virtual assets through Recommendations 15 and 16, requiring countries to regulate and supervise VASPs and impose the Travel Rule on inter-VASP transfers.

The Financial Action Task Force (FATF) is the inter-governmental body that establishes international standards for anti-money laundering (AML) and counter-terrorism financing (CFT). Its 40 Recommendations constitute the global AML/CFT framework, adopted by over 200 jurisdictions through FATF membership and its regional associate bodies (FSRBs). FATF’s approach to virtual assets has evolved substantially since 2018, when it first applied its standards to what it calls virtual assets (VAs) and virtual asset service providers (VASPs).

Recommendation 15: Risk Assessment and VASP Regulation

FATF Recommendation 15 (as amended in June 2019) requires member jurisdictions to:

  • Identify and assess the ML/TF risks associated with virtual asset activities
  • Apply a risk-based approach to supervise or monitor VASPs for AML/CFT compliance
  • License or register VASPs (countries must choose one): no unlicensed VASP may operate
  • Apply FATF’s Recommendations to VASPs in the same manner they apply to financial institutions — including CDD, record-keeping, suspicious transaction reporting, and internal controls
  • Subject VASPs to adequate regulation and supervision by a competent authority

VASP definition: FATF defines a VASP as any natural or legal person who, as a business, conducts one or more of the following activities for or on behalf of another person:

  1. Exchange between virtual assets and fiat currencies
  2. Exchange between one or more forms of virtual assets
  3. Transfer of virtual assets
  4. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
  5. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset

This definition covers exchanges, custodians, brokers, and many other virtual asset businesses — but the application to DeFi protocols, NFT platforms, and other newer use cases has been subject to ongoing interpretation.

Recommendation 16: The Travel Rule

FATF Recommendation 16 — the Travel Rule — requires VASPs to obtain, hold, and transmit originator and beneficiary information for VA transfers above USD/EUR 1,000. For full coverage of the Travel Rule’s mechanics, technical solutions, and implementation status, see the Travel Rule entry.

Virtual Asset Definition

FATF defines a virtual asset as “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes.” FATF explicitly excludes digital representations of fiat currencies (CBDCs, bank e-money, payment tokens regulated under existing e-money law) and financial instruments already covered by other FATF recommendations. NFTs are generally not VAs under FATF’s guidance unless used for payment or investment rather than as collectibles.

Risk-Based Approach

FATF does not prescribe a one-size-fits-all approach. VASPs and jurisdictions apply a risk-based approach: the level of due diligence, monitoring, and controls applied should be proportionate to the ML/TF risks presented by the customer, product, jurisdiction, and transaction. Higher-risk indicators for VASPs include:

  • Transactions involving high-risk jurisdictions (FATF grey list or black list countries)
  • Large-value or unusual transaction patterns
  • Customers identified as politically exposed persons (PEPs)
  • Use of privacy coins or mixing services designed to obscure transaction trails
  • Unhosted wallet transactions above defined thresholds

Country Assessments and Mutual Evaluations

FATF assesses member jurisdictions’ compliance with the Recommendations through mutual evaluations conducted on approximately 5–10-year cycles. Evaluations assess both technical compliance (whether a jurisdiction has enacted laws implementing the Recommendations) and effectiveness (whether the laws are actually working to prevent ML/TF).

Jurisdictions found to have strategic deficiencies are placed on the grey list (Jurisdictions Under Increased Monitoring) or, in severe cases, the black list (Call for Action). Financial institutions are required to apply enhanced due diligence to customers and transactions from grey-listed and black-listed jurisdictions. Several jurisdictions with significant virtual asset activity have been grey-listed in recent years, including the UAE (grey-listed 2022, removed 2024), Turkey, Nigeria, and South Africa.

2023 Updated Guidance on DeFi

FATF updated its virtual asset guidance in 2023 to address decentralised finance (DeFi) and non-fungible tokens (NFTs). Key positions:

  • DeFi protocols: Where DeFi protocols have a controlling person or entity — founders, development teams, governance token holders with voting control — that person or entity may qualify as a VASP. FATF acknowledges that truly decentralised protocols with no controlling party may fall outside the VASP definition, but warns that such protocols are rare in practice and that “DeFi” labels do not determine regulatory status.
  • NFTs: NFTs used primarily as collectibles are generally not VAs; NFTs used as investment instruments or traded on secondary markets with investment intent may be.
  • Unhosted wallets: Transfers between VASPs and unhosted (self-custodied) wallets require VASPs to apply a risk-based approach; some jurisdictions mandate additional screening and disclosure requirements for such transfers.

FATF Grey/Black List Impact on Tokenized Assets

For tokenized asset issuers and exchanges, FATF list status has direct operational implications. Serving customers from grey-listed jurisdictions triggers enhanced due diligence requirements and may require senior management approval. Operating from a grey-listed jurisdiction can reduce access to correspondent banking, international investor bases, and institutional counterparties. Token smart contracts implementing jurisdictional restrictions (via ERC-3643 compliance modules) may block transfers to or from FATF-listed jurisdictions automatically.

Related entries: Travel Rule, KYC/AML in Tokenization, VARA, DAO — Regulatory Status

Primary source: FATF Recommendations and Guidance on Virtual Assets | BIS on AML in Crypto