FATF Publishes Report on Risks of Offshore VASPs

On 11 March 2026, the Financial Action Task Force (FATF) published a report on understanding and mitigating the risks of offshore virtual asset service providers (oVASPs).

Who are oVASPs?

oVASPs are VASPs created under the laws of one jurisdiction, with or without a physical presence, that provide services to clients residing in another jurisdiction. The report notes that a growing number of jurisdictions require VASPs to be registered or licensed where they engage in defined activities such as advertising, onboarding local users, or offering services into the market, regardless of physical presence.

However, many of these jurisdictions continue to report difficulties in detecting offshore providers, enforcing requirements against entities without a physical presence, effectively supervising their regulated VASPs, and securing timely international co-operation. Several other jurisdictions only place licensing or registration obligations on VASPs located or incorporated in their jurisdiction, which can present vulnerabilities exploited for ML/TF/PF purposes.

The objective of the report is to better understand the risks of oVASPs with a view to identifying good practices in mitigating these risks. The report notes that oVASPs may be categorised as:

• unintentional, where they may be unaware of, misunderstand, or misinterpret the regulatory framework applicable to the activities they are undertaking

• intentional, where they wilfully circumvent registration/licensing requirements as part of their business model (e.g. through limiting formal presence in jurisdictions in which they offer products and services, fragmenting group structures, routing customer activity through affiliates or intermediaries in other jurisdictions, using nested relationships). This wilful circumvention may happen after unsuccessful licensing or registration processes or a revocation of licence or registration

Good Practices and Mitigating Measures

The report also presents good practices to detect, licence or register oVASPs, as well as to enforce sanctions for non-compliance with AML/CFT/CPF obligations and roll-out mitigating measures (e.g. reducing unregistered or unlicensed oVASPs’ ability to actively provide services in a market where they are not regulated). It concludes with possible recommendations for stakeholders.

Identified measures for jurisdictions to mitigate risks include:

• jurisdictions should take steps to identify natural or legal persons carrying out covered virtual asset activities or operations without the required licence or registration, including oVASPs providing services into their jurisdiction. Competent authorities have noted a range of indicators suggesting intentional targeting of a jurisdiction, as well as the following red flags:

  • the absence of geo-blocking in the VASP’s platform

  • platform content encouraging participating in a jurisdiction (e.g. using local language or currencies)

  • application availability in app stores popular in a market, including reviews from users in said jurisdiction evidencing an active user base

  • offering the possibility of on-ramp or off-ramp through domestic methods of payment

  • provision of video tutorials on how to trade virtual assets in a market

  • marketing tactics leveraging local influencers and/or opinion leaders through social media platforms

  • sponsoring of local events

  • surrogate marketing for expanded reach

• implementing measures to licence or register oVASPs that actively provide services into their market, regardless of where the VASP is incorporated or physically located, and to ensure such oVASPs have sufficient physical presence in-jurisdiction. The report notes that where jurisdictions apply such requirements, clarity on territorial scope is important. Authorities should aim to clearly articulate what constitutes the active provision of VASP services into the jurisdiction, in order to support enforceability and provide legal certainty. Relevant indicators may include:

  • targeted or localised marketing or promotion

  • use of local language

  • conducting substantial business in the jurisdiction

  • onboarding or servicing of residents

  • use of domestic payment rails

  • maintenance of local infrastructure (e.g., bank accounts)

• enforcing sanctions for non-compliance with AML/CFT/CPF obligations

• building a shared understanding and improving coordination through inter-agency task forces and public-private partnerships

• using to the fullest extent possible supervisor to supervisor channels and financial intelligence unit (FIU) to FIU cooperation to speed up access to information and coordinate enforcement

Guidance for Registered VASPs and Financial Institutions

The report also highlights the important role that financial institutions and VASPs can have in addressing risks linked to oVASPs. It recommends that they assess their exposure to unlicensed or unregistered oVASPs, apply clear and consistent AML/CFT/CPF rules across all entities in their group, ensure that no group entity operates as an oVASP abroad outside regulatory oversight, and refrain from establishing or maintaining business relationships with unlicensed or unregistered providers.

The report also includes a number of case studies highlighting jurisdiction approaches to mitigating risks.