FATF Report on Offshore VASPs: Understanding and Mitigating Risks

The Financial Action Task Force (FATF) has released its March 2026 report, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers (oVASPs), focusing on how gaps in oversight of offshore VASPs are exploited to facilitate large-scale fraud, money laundering (ML), terrorism financing (TF) and proliferation financing (PF) activities. The report also presents good practices to mitigate these risks, including in detection, licensing/ registration, and supervision of oVASPs. In particular, the report notes the importance of the Travel Rule being a key supervisory focus and as the crucial source of investigation information, alongside enforcement and international cooperation in reducing regulatory arbitrage. For supervisors, compliance leads, and policy teams, this report is a roadmap for closing offshore blind spots before they turn into enforcement cases. 

The Offshore VASP Landscape

Defining Offshore VASPs and Why Do They Matter?

Offshore VASPs are VASPs created under the laws of one jurisdiction ("home jurisdiction") with or without a physical presence, that provide services to clients domiciled or residing in jurisdictions outside their jurisdiction of incorporation or physical location ("host jurisdiction"). Many oVASPS are characterised by the lack or inadequate physical presence (e.g. appointing the so-called “dummy” nominal compliance officers), operating without being licensed or registered where they actively provide services – creating potential AML/CFT blind spots.

The Report identifies that just under half (46%) of jurisdictions have adopted an activity-based approach to regulation and supervision - this means jurisdictions extending licensing or registration requirements to VASPs based on the activities they perform in their jurisdiction, regardless of where those VASPs are created or located.

For both regulators and industry, understanding this landscape is essential to identifying where offshore business models are undermining the effectiveness of existing AML/CFT and CPF frameworks. 

How Criminals Exploit Offshore Gaps: Key FATF Typologies

The FATF warns against the following key typologies and risks where criminals exploit gaps in regulation and supervision to use oVASPs for ML, TF and PF.

1.  Active targeting – Unlicensed or unregistered oVASPs targeting users in jurisdictions where they are not regulated

2.  Global pooling of customers – Some VASPs with global operations are structuring customer onboarding and account management through offshore group entities rather than locally supervised VASPs, blurring accountability.

3.  Fragmented Travel Rule implementation – Causing blind spots that undermine preventive measures and slow investigations; VASPs engaging in relation arbitrage often fail to comply with Travel Rule and other core AML/CFT/CPF obligations.

4.   Nested VASP activity – OVASPs frequently rely on nested or intermediated arrangements to access trading, liquidity, and on-ramp and off-ramp of fiat currencies, obscuring underlying offshore activities where controls are inadequate. In some cases, oVASP activities are nested at onshore VASPs with weaker AML/CFT/CPF controls as if they are retail activities, limiting the onshore VASP’s ability to monitor transactions. The FATF warns that these arrangements may give rise to correspondent-banking style risks in the virtual asset ecosystem if not properly risk‑assessed and controlled.

5.  Divergent approaches across jurisdictions – The optionality for jurisdictions to put in place activity-based licensing regimes creates regulatory and supervisory gaps, potentially hindering effective international cooperation and incentivising jurisdiction shopping.

Supervisory and Enforcement Challenges and the Sunrise Issue

The report highlighted the issues arising from the jurisdictional and legal limitations arising from the multi-jurisdictional operation structure of oVASPs, including jurisdictions with weak or non-existent AML/CFT frameworks. Among the systemic vulnerabilities, the uneven and delayed global implementation of the Travel Rule, a core cross-border transparency measure, is highlighted as a source of monitoring blind spots. The delayed implementation, commonly referred to as the “Sunrise Issue”, hinders competent authorities’ ability to request or exchange originator and beneficiary information for cross-border virtual asset transfers, constraining both VASPs’ and authorities’ ability to apply effective, risk-based mitigation measures.

Good Practices for Jurisdictions and the Private Sector

The report has identified good practices in mitigating the risks arising from oVASPs, including building a toolkit that covers identification of oVASPs, imposing regulatory and supervision oversight, and enforcement enabled by domestic and international cooperation.

For jurisdictions:
• Detecting and licensing/registering oVASPs using an activity-based approach, including requiring VASPs providing services to another VASP or FI as part of a nested relation to apply risk-based control under FATF Recommendation 13.
• Enforcing sanctions for non-compliance with AML/CFT/CPF obligations
• Building shared understanding through inter-agency task forces and public-private partnerships
• Maximising supervisory and enforcement cooperation across jurisdictions

For the private sector:
• Assessing exposure to unlicensed or unregistered oVASPs
• Applying clear, consistent AML/CFT/CPF rules across all group entities
• Ensuring no group entity operates as an oVASP abroad outside regulatory oversight
• Refraining from establishing or maintaining business relationships with unlicensed or unregistered providers

VerifyVASP's Role in Mitigating the oVASP Risks

The FATF emphasises that all VASPs should adopt risk-mitigating measures in accordance with its recommendations. VerifyVASP has and remains committed to adhering to the FATF standards related to virtual assets, and emphasises the value that can be brought by effective counterparty due diligence and Travel Rule implementation in financial crime prevention through public-private partnerships.

1. Verified Network Architecture – Effective Travel Rule implementation starts at the counterparty layer due diligence, similarly to the establishment of correspondent banking relationship under FATF Recommendation 13.

Our Verified Network architecture maintains a list of verified VASPs (as highlighted by our company name VerifyVASP) as a membership structure, keeping verified and current documental proof of our members’ information at the legal entity level required to facilitate counterparty due diligence (including KYB and a comprehensive questionnaire adapted from the Wolfsberg Counterparty Due-Diligence Questionnaire for the Virtual Assets industry). This also mitigates the risks arising from the confusion between the service (name of the VASPs in offering services) and legal entity.

This focus on counterparty due-diligence has proven to be an effective regulatory tool where regulated domestic exchanges within our Verified Network are able to influence oVASPs to tighten level up their standards (as shown in the image below) in order to maintain a counterparty relationship. Examples of this include

●      Leveling up their KYC processes to ensure better quality data used in Travel Rule verifications.

●      Delisting Anonymity Enhanced Coins (AEC) or implementing risk mitigants in relation such as blocking it for customers of a certain jurisdiction or disallowing the on and off ramping for AECs.

●      Responding to official requests such as regulatory enquiries, investigation or asset recovery

2. VerifyName – A scalable solution that VASPs can implement to comply with the Travel Rule with a non-obliged counterparty VASP, providing critical Enhanced Due Diligence (EDD) by verifying that the originator and beneficiary identities match. As an effective risk mitigant, the solution strictly allows only 1st-party transactions and provides wallet and name screening, which dramatically reduces impersonation scams and fraudulent VASP activities among our members.

3. Law Enforcement Solutions (LES) – Verified and secure Travel Rule data brings value to supervision and enforcement. LES is an AI-driven tracing tool offered to the public sector (Law Enforcement Agencies, Financial Intelligence Units, and Regulators) for effective and quick tracing by combining blockchain data with VerifyVASP's verified transactional information accumulated through objective-based Travel Rule compliance.

4. Public Private Partnerships (PPP) – VerifyVASP is an active participant in various PPPs established internationally and regionally to jointly combat illicit activity in the industry.

VerifyVASP was borne out of an urgent necessity of Travel Rule compliance. The Verified Network architecture iterates over time with the maturing standards and regulations mature at the international body and national regulator level, and evolving market practice at the private sector level. We commit to accelerating innovation while safeguarding transparency and integrity, and continue to contribute to the digital asset space and the wider ecosystem. However, this needs to be a whole of system (industry) effort in order to drive the responsible growth of the industry.

Read the full FATF report: https://www.fatf-gafi.org/content/fatf-gafi/en/publications/Virtualassets/Understanding-Mitigating-Risks-Offshore-VASPs.html