FATF Updates VASP AML Guidance For DeFi, P2P Wallet, Stablecoin, Travel Rule and NFT Regulations

The FATF’s new virtual asset and VASP guidance update has a light touch but sets up future DeFi, NFT, P2P wallet, and stablecoin regulations.

The Financial Action Task Force (FATF), the global G20 regulatory body tasked to prevent money laundering or terrorist financing, has released new guidance that updates its 2019 Standards on the regulation of Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). While it delivers a lighter touch than expected, it’s quite clear that the FATF is setting up a more comprehensive regulation of both centralized and decentralized cryptocurrency stakeholders.

The 2019 guidance took aim at centralized exchanges and cryptocurrencies under their 2018 definitions, with the biggest shock to the industry being the update of Recommendation 16 on Wire Transfers to include the so-called Travel Rule, an information-sharing requirement imported from the U.S. traditional finance sector.

Since then, the popularity of decentralized finance (DeFi) protocols, non-fungible tokens (NFTs), stablecoins and peer-to-peer (P2P) or “unhosted” wallets have soared, creating new ML/TF blindspots for global regulators to cover as the crypto industry once again pivoted away from the regulatory gaze of authorities.

In April 2021, the FATF announced its intention to broaden its regulatory scope to cover these new areas of concern. These sweeping new proposals garnered significant industry concern and feedback, resulting in the FATF postponing the promulgation of these updates from June this year to October.

With the cryptocurrency sector now worth over $2.5 trillion, regulations that place restrictions and responsibilities on VASPs should be no surprise, yet pumping the breaks on more recent advancements, such as DeFi protocols, or the NFT industry could have a devastating impact on now only normal retail users, but also institutions and technical sectors relying on their light regulation in order to continue fostering innovation.

As a result, the FATF in its October publication chose to not introduce definitive changes to its regulation of virtual assets, but rather to make stakeholders aware of the risks and expectations regarding these areas, and to hold VASPs such as crypto exchanges accountable for conducting compliant and responsible virtual asset services,

FATF believes that while decentralized finance (DeFi) companies themselves are not VASPs, their operators, owners, and creators can be defined as a VASP under certain conditions. This would not only require them to comply with existing FATF requirements, such as the travel rule, but also with guidelines relating to these decentralized services or platforms in the future.

Should decentralized crypto service providers be worried?

The main focus of the FATF has always been to prevent money laundering (AML) and to combat the financing of terrorism (CFT), so we can assume their guidance is intended to regulate decentralized finance apps and VASPs in a way that prevents them from unintentionally aiding bad actors. 

Unfortunately, many anti-money laundering regulations focus on pegging customers to their locations or nationality, such as “know your customer (KYC)” verification or having bodies interact with each other with international, centralized standards, such as SWIFT codes utilized by banks.

The virtual asset sector has always attempted to avoid these financial barriers, valuing the anonymity of the “customer,” with service providers often being a node running on decentralized code with no knowledge of a customer’s background, identity, or previous transactions. 

However, with decentralized exchanges and protocols suffering record hacks and scams (“rug pulls”) worth hundreds of millions of dollars and being largely unregulated, this is creating fertile ground for bad actors to acquire significant funds to perpetrate ML/TF transgressions, which in turn places extra pressure on the FATF and other regulators like FinCEN to take action.

Specific VASP concerns for the new FATF guidelines

DeFi services and platforms

While not as bad as expected, the FATF has made it clear that the DeFi sector is not fully excluded from the AML/CFT conversation, and that under certain conditions, stakeholders may be considered VASPs.

Typically, FATF standards of anti-money laundering (AML) apply only to financial intermediaries. This has made it difficult for FATF to create regulations for the DeFi space, leading the new guidance to also include any DeFi arrangement with “control or sufficient influence” over VA services to require AML supervision.

Still, it’s an improvement over the April wording, which suggested targeting entities involved in DeFi “business development” and explains that individual governance token holders are not to be considered VASPs as they don’t exert the afore-mentioned “control or sufficient influence” over the DeFi arrangement.

These controls or influences could cover anything from restricting or permitting coin listings, domain operations that moderate a user base, or any activity that interacts with the DeFi marketplace, giving local government bodies an expansive ability to define a VASP, then regulate and monitor it for AML activity. 

Unfortunately, as is often the case with cryptocurrency regulation, different operators in the cryptocurrency industry can easily be grouped together under the same expectations and limitations. The new FATF guideline to define a VASP can cause issues for growing VA sectors, such as decentralized autonomous organizations (DAOs). 

DAOs are community-governed organizations that abide by agreed-upon rules enforced by smart contracts within a blockchain. Their unique shared-governance system is unheard of in the traditional financial world, which does not allow for anonymity or a lack of formal leadership, creating a difficult job for lawmakers to define who within the organization qualifies as a VASP. This could possibly leave DAO members such as key signers or private key custodians in harm’s way.

The DeFi-centric sections require high-level interpretations and will certainly present a challenge to FATF member countries to approach consistently and adequately.

P2P Transactions/Unhosted Wallets

The FATF has retained nearly all the suggestions included in its spring draft proposal in regards to P2P transactions and unhosted wallets, but removed the onerous suggestion in paragraph 106(c) that countries may consider “denying licensing of VASPs if they allow transactions to/from non-obliged entities (i.e., private / unhosted wallets). However, this unwavering focus on the P2P arena, which affords direct transactions and broad anonymity for crypto users, has led the likes of Elliptic to raise concerns over whether FinCEN’s unhosted wallet rule of late 2020 is truly dead, or just hibernating.

Travel Rule changes and updates

Since July of 2019, the FATF Travel Rule has required VASPs to collect and share personal/financial information with each other on participants of any transaction exceeding 1000 USD/EUR. The Travel Rule adoption process has since undergone two 12-month reviews in June 2020 and 2021, where the FATF has bemoaned the slow implementation by nations. 

The new FATF guidelines have increased the pressure on VASPs to become compliant with the previous guidelines, but also stressed that expecting a night and day change to how transactions are performed is likely to cause them to be unsuccessful. Instead, they have recommended regulators continue to gradually roll out the infrastructure necessary to track so many transactions and negate the “sunrise problem”, ie the uneven and non-synchronous application of the Travel Rule across different jurisdictions. 

The updated Travel Eule also recommends that already compliant VASPs, most of which are in developed nations, continue to do business with those unable to quickly invest in and create the technology necessary to share, manage, and track so much information to prevent an unfair advantage against undeveloped nations.

In addition, FATF has also delegated some power to service providers.

Deep within the new guidance released, in paragraph 291, VASPs are given the option not to share customer information if they deem the other VASP in the transaction unable to securely manage such sensitive data.
If done on a case-by-case basis, this could place a large burden on VASPs to foot the bill for preventing a leak of a customer’s financial information. Overall the update does little to solve the sunrise problem and deter non-compliant countries.

Counterparty VASP Due Diligence

The October update has retained most of its April key points and suggests that counter-party VASP due diligence is going to become more complex and important, which may bring traditional banking-type requirements to the crypto industry. This will potentially leave VASPs with major data analytics, collection and CDD responsibilities, however, it is worth noting that the crypto industry has made incredible strides in the monitoring of blockchain transactions and beneficial ownership, thanks to the progress of compliance platforms like Elliptic and Chainalysis, whose solutions are both integrated in Sygna’s AML platforms.

So-called stablecoins

FATF has made it very clear in the new report that stablecoins will be under pressure in the future, noting “stablecoin” is not an accepted legal term, and simply a marketing term created by their promoters.

While still considered a virtual asset, according to FATF, stablecoins have posed a greater risk to money laundering (ML) and terrorist financing (TF) due to their higher likelihood of mass adoption. Mass adoption is an important factor to consider when preventing illegal financial activities, as criminals are more likely to use VAs that are liquid and easy to exchange globally. 

To prevent stablecoins from becoming a high risk for ML/FT activity, new FATF standards place responsibility on VASPs to identify, manage, and mitigate risks for stable coins before they launch, and continue to be managed afterward in the event they are widely adopted.

Non-fungible tokens (NFTs)

The parabolic growth of the NFT sector and the eye-popping prices that seemingly insignificant digital art pieces have collected on decentralized marketplaces have led to widespread concerns about NFTS being exploited for potential money laundering and tax evasion purposes.

Despite this, NFTs are not yet to be considered virtual assets in the majority of instances. However, it is likely that certain NFTs may later be defined as a different kind of asset, such as a security, which is indeed covered by the FATF Standards and can therefore be regulated.


While not as bad as the industry feared earlier this year, the FATF’s October updated guidance has taken a long, stern look at the innovations and changes in the crypto space since 2019 and the new financial crime loopholes they might be yielding. While the October changes are not too heavy-handed, they’re still broad and vague enough in many aspects to be considered a preamble to more robust regulations which will surely be introduced after future plenaries. Therefore, it would behoove current and potential VASPs to continue taking a proactive approach to how they view and deal with AML/CFT requirements, in order to avoid any nasty future surprises.

Written by Werner Vermaak

CoolBitX Joins Global Blockchain Business Council (GBBC)

CFTC Charges 14 Crypto Firms: A Signal Of Wider Regulatory Intent?