Quick guide on assessing the Money Laundering risks of virtual assets (VA) and virtual asset service providers (VASP)

According to the FATF’s 2025 Targeted Update on the Implementation of the FATF Standards on VA and VASPs, although there has been some progress with compliance, many jurisdictions still struggle with the implementation of some of the fundamental requirements of R.15, particularly undertaking a risk assessment on VA/VASP [30].

When undertaking a risk assessment related to VA/VASPs, countries should consider how VASPs differ from traditional financial institutions (FIs), and how and to what extent VA/VASPs interact with the traditional financial and non-financial sectors. The table below explains some key differences between VA/VASPs and traditional fiat currencies and FIs.

Countries that decide to prohibit or limit VA/VASPs should still understand the ML risks associated with them and any unlicensed activity. Countries should have a detailed decision-making process evidencing the basis upon which they have adopted their approach towards addressing AML risks linked to VASPs. This can include outright prohibition, restricted permissible VA/VASP activities or the application of a VA/VASP authorisation process. It should include the analysis undertaken to assess the impact the chosen approach could have on the possible ML risks linked to VA/VASPs operating in or from the country. It should also take into account that the risks associated with the sector and the ability to enforce such a prohibition or limitation may evolve rapidly, and include a plan to continue to assess the risks, including emerging risks, on an ongoing basis.

Regardless of whether a country decides to prohibit VA/VASP activity, additional risk mitigating measures may be necessary, including identifying VASPs that operate illegally in the jurisdiction, assessing the risk of VA/VASP services offered in the country by a VASP based abroad, and applying proportionate and dissuasive sanctions to such entities. Based on a country’s risk profile, restricting VA/VASP activity through either a prohibition or activity restrictions should also be supported through ongoing mitigating measures, such as outreach to the private sector about such risks, enforcement actions where such restrictions are not complied with, and risk-mitigation strategies that account for the cross-border element of VA activities and VASP operations [38].

This annex contains a non-exhaustive reference guide table with suggested areas for assessing the ML risks linked to VA/VASPs, followed by some case examples from countries that have done a VA/VASP risk assessment. 

Considerations when assessing Money Laundering risks of VA/VASP

To assess the ML risks of VA/VASP, countries could consider the following [39]:

Often, countries assess the risks of VA and VASPs in the same document, whether as part of the NRA or a sectoral risk assessment. Countries must be sure to consider the risks of both and consider the linkages between them in their risk assessments. Firstly, countries may wish to understand the types of VA that are present and how they function and are used for both legal and criminal purposes. Then, countries can analyse VASPs - for example their customer base, the types of VA services that they offer, existence of foreign incorporated VASPs in the jurisdiction, existing regulations and controls and their effectiveness, and the vulnerabilities that exist in the sector.

Countries should choose the appropriate authority to lead the risk assessment of VA/VASPs considering its particular circumstances. In some cases, a central authority which is neither the FIU nor the supervisor is best-placed to lead this risk assessment. There are benefits to having the FIU and lead VASP supervisor involved in the VA/VASPs risk assessment, whether it is part of an NRA or a separate sectoral risk assessment, even if they do not lead it, given the data and expertise they have access to.

FIUs:

  • The FIU is at the centre of the national AML/CFT framework and is in a unique position when it comes to VA/VASP due to its ability to detect unlicensed and suspicious activity via STRs filed by banks or other reporting entities which may come into contact with VA/VASP activity, even if VA/VASP activity is prohibited in the jurisdiction.
  • FIUs are specialists in analysing financial data, making them well-suited to identify vulnerabilities in the financial system that could be exploited for ML, including through VA/VASP.
  • FIUs facilitate information sharing between national authorities and often have established relationships with FIUs in other countries, aiding international cooperation, gathering information, and sharing of best practices regarding VA/VASP risk assessment and emerging typologies and risks.

VASP supervisor:

  • VASP supervisors can provide information and data on the VASP sector, e.g., sectorwide risk trends and red-flag indicators, volumes of VA transfers, geographic risks, emerging ML risks related to VA/VASP, compliance data, and typologies for abuse of the sector.
  • They can flag broader vulnerabilities of the sector in the country as they are involved in assessing compliance of VASPs. They know where there are regulatory gaps or deficiencies in compliance.

Countries could consider including the following stakeholders:

  • Public sector: Financial sector and VASP supervisors, FIUs, LEAs, Central Banks, technology and fintech regulators, cyber security authorities.
  • Private sector: VASPs, VA exchanges, academics, fintech associations, cybersecurity companies and blockchain analytics companies. 

A scoping exercise of the VA/VASPs that are present and operating in the country is recommended to develop a picture of the extent and nature of VA/VASP activity. For a VA/VASP risk assessment it is beneficial to start with an overview of the general risk landscape in the jurisdiction to establish a picture of the level of VA/VASP activity and related frameworks that exist concerning these sectors. Examples of information that could be included in describing the VA/VASP context in a country include, but are not limited to:

  • The main types of VA/VASP products and services used and operating in the jurisdiction.
  • Breakdown of VA/VASP activity in terms of licensed or registered VASPs vs. estimated unlicensed or unregistered activity. Presence of foreign VASPs in the jurisdiction [40].
  • Breakdown of the types of legal persons operating as VA/VASPs in and from the country, including the number of legal persons established, controlled or owned by parties outside of the country; breakdown of the number of active legal persons operating as VA/VASPs as compared to those no longer active or dissolved.
  • Regulatory gaps in the jurisdiction, including gaps in the scope of VASPs that are covered (refer to FATF definition of VASPs in the glossary of the FATF Standards). 
  • Appetite of local population for VA/VASP products, evidenced by levels of known activity and most frequently accessed types of products. 
  • Prevalence of use of VA as currency for payments or for investment. 
  • Size of VA/VASP market activity in the country relative to activity taking place in the region and globally. 
  • What licensing and registration processes have been put in place for the sector? Identify potential drivers of VA/VASP presence in the jurisdiction, e.g., speed and ease of legal person incorporation, absence of AML/CFT framework for VA/VASPs, lack of tax obligations on VA transfers and innovation-positive economy. Comparisons with other countries may show evidence of regulatory arbitrage which can develop contextual understanding for the risk assessment. 
  • Levels of financial inclusion, since low levels of financial inclusion may lead to higher uptake of VA.
  • Detectable transfer flows (i.e., receives/sends transfers, is a conduit for onward transfer activity, used for conversion of VA to fiat, mainly handles VA to VA transactions etc.) 
  • Interrelationship between VA activity and other regulated entities – e.g., use of banks, use of payment service providers (online) and use of money service / remittance providers. 
  • A summary of the predicate offences analysed in the last NRA or other risk assessment activity to enable comparison when predicate offences are assessed in relation to VA/VASPs later in the process. 

Consider the key components of risks, threats and vulnerabilities, preferably separately. Countries should explore the linkages between VA/VASP activity and key predicate offences and vulnerable sectors, e.g., VA/VASP used in ransomware or fraud cases to support the crime, artificial intelligence (AI) used to help criminals navigate the use of VA, and possible abuse of VA in the Metaverse, on social media platforms or on the dark web.

For VAs:

  • Consider features that may make them attractive to criminals, and therefore vulnerable for abuse for ML (i.e., the factors driving a criminal to elect one VA over another for ML purposes).
  • Consider threats arising from the extent of illegal activities carried out on or facilitated by the dark web, where many payments are made in VA.
  • Prevalence of multistage predicate crime in the jurisdiction, e.g., human trafficking, investment fraud and romance/online relationship scams that involve investment in VA or payment in VA. 
  • Consider the prevalence of the use of VA for criminal purposes.

For VASPs:

  • Countries can also refer to the sectoral vulnerabilities section of the ML NRA guidance, which states that the existence of unlicensed and/or unregulated sectors should be considered a factor in the vulnerability analysis, and that “off-the-books” informal businesses and services may be more prevalent in the VASP sector. Vulnerabilities should be considered also in relation to the features of the framework for the creation of legal entities or arrangements and their dissolution, e.g., speed of incorporation, inexpensive set-up of companies, limited requirements for incorporation and ability to incorporate using an international legal entity as sole shareholder/director.
  • Consider the prevalence of the misuse of VASPs for criminal purposes, including for ML. 
  • Consider foreign threats as well, particularly if the country is an international financial centre. VA/VASP activities are cross border in nature and the risk of foreign VASPs operating in the jurisdiction should be analysed.
  • Countries should consider why VASPs are choosing to operate in their jurisdiction (e.g., no tax on VA, quick and easy to set up, innovation-positive economy), and if/how they are interacting with other service providers based or operating in the jurisdiction (e.g., payment service providers, banks). Countries should consider the risks of VASPs operating in the jurisdiction that may be using services outside of the jurisdiction (where there may be less regulation), which may increase the risk.
  • Regulatory arbitrage in the sector across different countries, when VASPs are incorporated in foreign jurisdictions with lax regulations, allowing them to operate and offer services globally without adhering to adequate AML/CFT compliance mechanisms.

Data held on VA/VASP activity can vary significantly across countries. This is particularly the case where the VA/VASP sector is not regulated or has only recently become a reporting entity. Before beginning the risk assessment exercise, countries should first identify possible data and information sources about VA/VASPs, determine the gaps in their data and what other sources might be used to complement the data they collect. Countries can consider supplementing their existing data with other sources. This could include, but is not limited to:

  • NRAs of other countries and supranational risk assessments, if available. This could include risk assessments where VA/VASP links to the assessing jurisdiction or region have been noted.
  • National, regional and international studies on VA/VASPs produced by the public sector. Reports by international organisations (e.g., FATF, FSRBs, UNODC). 
  • Industry engagement and feedback, e.g., through questionnaires, discussions, focus groups and direct engagement with the private sector, including VASPs. Discussions with subject matter experts, including academics conducting evidence-based research into ML risks. 
  • Data from VASP supervisors, including levels of compliance with AML laws. If a VASP supervisor has not yet been assigned for AML/CFT, there may be other authorities involved in the regulation of VA activity who could provide information for the risk assessment.
  • Data from investment and capital market supervisors about the amount and types of investment products, brokerage and asset management activity known to involve some form of VA, whether as a direct product (i.e., initial coin offerings) or as a product in which the underlying value is set against a VA (e.g., stablecoins).
  • Informal international cooperation e.g., through questionnaires sent to key strategic partners about threats/vulnerabilities and possible links to the assessing country, and perceptions as to levels of ML risks linked to VA/VASP activity in the assessing country. Interpol and Egmont requests received and sent involving VA/VASP to gain insights into international investigations, intelligence sharing, and collaborative efforts to combat transnational organised crime and illicit financial flows. 
  • Formal international cooperation, e.g., review of MLA requests received and sent involving VA/VASPs [41].
  • Information and reports received by or produced by the FIU – Suspicious Activity Reports (SAR)/STR and other regular reporting, catalogue or list of VASPs operating in the country or region, vicinity if known, typologies and strategic analysis reports. 
  • Requests for information received or sent under International Organisation of Securities Commissions (IOSCO) to financial supervisors, e.g., regarding alleged misselling by brokers operating in their jurisdictions.
  • Investigation data and cases handled by LEAs and the judiciary (e.g., case law) in which VA/VASP have been misused for criminal purposes, including to launder the proceeds of crime, to identify typologies.
  • Government statistics on the sector (e.g., from Ministry of Economy, Ministry of Trade), its size, growth and revenue generation relative to the national GDP, administrative tax cases brought before national tax authorities for non-declaration of assets or income linked to investment in or proceeds derived from the sale of VA.
  • Company or BO registry data concerning the number of legal persons identified as engaging in VA/VASP activity, the jurisdiction of residence of those owning and controlling such entities and relevant financial information from annual accounts etc. 
  • Consumer complaints received by supervisory authorities and law enforcement related to VA/VASP activity.
  • Open-source intelligence (OSINT) and information about VA/VASP activity in, from or linked to the jurisdiction such as accessibility of VA/VASP products to residents, annual flows of transfers or website activity in or from the assessing jurisdiction, reliable consumer websites reporting scams or unreliable VASPs linked to the country and blockchain analytics companies [42]. Information may also be available in forums, chats or messaging services. VASPs, including illegal VASPs, are likely to use the internet to advertise their services.

As with all data, it is important to avoid bias and ensure that data comes from reliable and reputable sources. Countries that are not currently collecting their own data should consider doing so going forward, ensuring it is collected in such a way that it can be easily used during the risk assessment. This should include an ongoing evaluation of the data collected and the process for storing and updating it and a gap analysis to determine what data is missing and how it can be obtained.

Including the private sector in the VA/VASP risk assessment process is a good practice and can help both to provide data where gaps exist and to explain how specific VA/VASP products and services are used and misused. Country experience confirms that it is sometimes the most efficient way to get reliable information on risks. In jurisdictions where VA/VASP activity is prohibited or limited, banks and other FIs, such as e-payment, investment and money remittance businesses, may have information on informal or illegal VA/VASP activities linked to the country.

Red flag indicators which complement the country’s risk assessment can help both authorities and the private sector to detect and report suspicious activity. The FATF’s 2020 publication Virtual Asset Red Flag Indicators of ML/terrorist financing (TF) [43] may be referenced to complement the country’s risk assessment and help authorities and private sector to detect suspicious activity. The FIU and VASP supervisor can further develop their own indicators that are present in the country, reviewing them regularly and updating as needed to incorporate emerging trends in this dynamic sector.

Any risk assessment that includes analysis of VA/VASPs should feed into the risk-based supervision of VASPs, including to inform the frequency and focus of on-site and off-site inspections. 

VASPs are the newest reporting entities to be brought under the FATF Standards, and therefore they may not be familiar with AML obligations and may struggle to understand outcomes of ML risk assessments. The communication of the results of the risk assessment should take this into account and frame the findings in the context of AML obligations for VASPs.

Footnotes

[27] (Note: document will be proposed for adoption in June 2025, this footnote will be updated on publication to include the public link.) FATF (2025) Targeted Update on Implementation of the FATF Standards on VA and VASPs, 2025-Targeted-Upate-VA-VASPs.pdf.coredownload.pdf, Figure 1.4.

[28] Survey was in relation to the update of the ML NRA Guidance.

[29] FATF (2024) Targeted Update on Implementation of the FATF Standards on VA and VASPs, 2024-Targeted-Update-VA-VASP.pdf.coredownload.inline.pdf, paragraph 45.

[30] Ibid., Key Findings.

[31] Bank for International Settlements, www.bis.org/basel_framework/ (accessed 27 January 2025).

[32] Tumblers and mixers are services that use various methods to conceal the connection between the address sending VA and the addresses receiving VA. Depending on the products and services offered, these entities themselves may be VASPs.

[33] Chainalysis (2024), Introduction to Cross-Chain Bridges, www.chainalysis.com/blog/introduction-to-cross-chain-bridges/ (accessed 7 May 2025)

[34] Chainalysis (2021), Crypto Scams: 2021 Rug Pulls Put Revenues Near All-Time High (accessed 30 April 2025)

[35] IMF (2023), Crypto Poses Significant Tax Problems—and They Could Get Worse, www.imf.org/en/Blogs/Articles/2023/07/05/crypto-poses-significant-tax-problems-and-they-could-get-worse (accessed 27 April 2025)

[36] OECD (2023), International Standards for Automatic Exchange of Information in Tax Matters, www.oecd.org/en/publications/2023/06/international-standards-for-automatic-exchange-of-information-in-tax-matters_ab3a23bc.html

[37] Although VASPs are increasingly required to report trading of VA, often the information is self-reported by the individuals taking part in the trading of VA.

[38] For more information, see FATF (2012), Updated Guidance for a Risk-Based Approach for VA and VASPs. This paragraph is taken from paragraph 109 of this guidance.

[39] The suggested sources listed for data are non-exhaustive and should not replace data collection and analysis on a national level. Rather, the goal is to provide a variety of sources for background information that can support jurisdictions in the initial stages of research on their risks. It is recommended that countries assess the reliability of all sources used and do not take external data sources at face value, but rather use them to supplement their national level data and risk understanding, especially where there are data gaps.

[40] It is important to note that VA/VASP are cross-border in nature, and so even if VA/VASP activity is prohibited in the country, VA services and products hosted in a foreign jurisdiction may be offered online.

[41] Some countries may have designated teams or units established to study specific topics or set up teams in overseas offices to facilitate intelligence exchange and cooperation with different sectors, such as VASPs and credit card businesses. FATF (2024), FATF’s Money Laundering National Risk Assessment Guidance,

[42] For example: TRM Labs, Chainalysis, Lukka, Elliptic, Merkle Science.

[43] FATF (2020), Virtual Asset Red Flag Indicators of ML/TF

[44] The Government of the Grand Duchy of Luxembourg (2020), ML/TF Vertical Risk Assessment: VASPs, Vertical Risk Assessment: Virtual Asset Service Providers. Section 3.2. Methodology provides a detailed description of the approach and methodology followed to assess the ML/TF risks of VAs and VASPs. 

[45] Financial Intelligence Centre of South Africa (2025), Assessment of the ML/TF Risks of CASPs, 2025.3-PUB-Sector-risk-assessment-–-Crypto-asset-service-providers-1.pdf
