FATF's 2026 Offshore VASP Report: What Compliance Teams Need to Know

March 2026 | Regulatory Analysis

---

In March 2026, the Financial Action Task Force (FATF) published a landmark report: Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers (oVASPs). For compliance officers at crypto exchanges, payment platforms, and financial institutions, this report isn't just reading material — it's a preview of where global regulatory pressure is headed.

This article breaks down the key findings, the five risk typologies regulators are watching, and what your organization should do now.

---

What Is an Offshore VASP (oVASP)?

FATF defines an offshore VASP as a VASP created under the laws of one jurisdiction (the "home jurisdiction") that actively provides services to clients residing or domiciled in other jurisdictions (the "host jurisdiction") — often without holding a license or registration there.

The critical phrase is "actively provides services." This isn't about passive access. It's about VASPs that deliberately target customers in markets where they haven't registered, exploiting gaps between where they're incorporated and where they operate.

---

Why FATF Is Paying Attention Now

FATF extended its AML/CFT standards to VASPs back in 2019 through amendments to Recommendation 15 (R.15). But implementation has lagged globally. According to the 2026 report, only 46% of jurisdictions have adopted an activity-based approach — meaning they require licensing based on where services are offered, not just where a VASP is incorporated.

This gap creates a regulatory arbitrage opportunity that bad actors are actively exploiting. As more jurisdictions tighten their frameworks, the window for offshore workarounds is narrowing — which is precisely why FATF launched dedicated work on oVASPs through its Virtual Assets Contact Group (VACG) in October 2025.

---

5 Risk Typologies Compliance Teams Must Understand

FATF identified five primary ways illicit actors exploit offshore VASP structures. Each has direct implications for how you conduct counterparty due diligence and risk assessments.

1. Targeting Unlicensed Offshore VASPs

Criminal networks actively seek out VASPs that operate without proper licensing in the host jurisdiction. These platforms offer fewer KYC controls, limited transaction monitoring, and little recourse for regulators. The result: a convenient on-ramp for moving illicit funds across borders with minimal friction.

What to watch for: Counterparty VASPs incorporated in jurisdictions with no VASP AML/CFT framework, or those lacking any verifiable regulatory registration.

2. Global Client Pooling to Obscure Accountability

Some oVASPs aggregate clients from multiple jurisdictions into a single account or liquidity pool. This deliberately blurs the origin of funds and makes it harder to attribute transactions to any specific customer or jurisdiction — complicating both Travel Rule compliance and suspicious activity reporting.

What to watch for: VASPs that cannot provide clear originator/beneficiary information and claim clients from an unusually broad geographic spread without corresponding regulatory coverage.

3. Travel Rule Non-Compliance (The Sunrise Problem)

The Travel Rule — FATF Recommendation 16 applied to VASPs — requires the transfer of originator and beneficiary information alongside transactions. But implementation is uneven globally. oVASPs in jurisdictions that haven't enacted Travel Rule obligations have no legal requirement to collect or share this data.

This is the so-called "sunrise issue": counterparties in non-compliant jurisdictions can't legally share what they're not required to collect. The result is a systematic gap in transaction traceability that undermines the entire Travel Rule architecture.

What to watch for: Counterparties that cannot provide Travel Rule data and are incorporated in jurisdictions not yet compliant with R.16. Use a FATF country checker before onboarding any VASP counterparty.

4. Nested VASP Structures Bypassing Controls

Sophisticated oVASPs embed themselves within the account structures of regulated VASPs (nesting). The regulated VASP sees only the oVASP as a customer, not the oVASP's underlying clients. This creates layers of indirection that obscure the true source and destination of funds.

This is not a new technique — it was well-documented in the traditional banking sector — but it has found a new home in the VASP ecosystem with potentially faster transaction velocity and less institutional oversight.

What to watch for: VASPs that transact significantly higher volumes than their stated customer base would justify, or that show transaction patterns inconsistent with their disclosed business model.

5. Regulatory Arbitrage Across Jurisdictions

The lack of harmonization across VASP licensing frameworks allows oVASPs to shop for the most permissive home jurisdiction. Thresholds for licensing, territorial scope definitions, and supervisory capacity vary dramatically across the FATF global network. oVASPs exploit these inconsistencies to establish legal domicile in low-scrutiny jurisdictions while serving customers in high-regulation markets.

What to watch for: VASPs incorporated in FATF grey-listed or non-compliant jurisdictions but claiming to serve customers globally.

---

FATF's Recommended Actions

The report closes with specific recommendations grouped by stakeholder. Here's what matters most for compliance teams at regulated entities:

For All Jurisdictions

• Identify and sanction unlicensed VASP activity regardless of where the VASP is incorporated
• Implement risk-based approaches to oVASP supervision
• Strengthen international cooperation mechanisms

For Host Jurisdictions

• Adopt activity-based licensing that covers VASPs actively serving local customers, irrespective of physical presence
• Develop enforcement tools to restrict unlicensed oVASPs from accessing domestic payment infrastructure

For the Private Sector (That Means You)

• Conduct enhanced due diligence on VASP counterparties in high-risk or non-compliant jurisdictions
• Implement Travel Rule solutions that flag when counterparty data is incomplete due to regulatory gaps
• Report suspicious patterns consistent with nested VASP or pooled account structures

---

Practical Steps for Your Compliance Program

Based on the FATF report, here's what compliance teams should prioritize in the next 90 days:

1. Audit your VASP counterparty list. Cross-reference each counterparty against FATF's country risk classifications. Any VASP incorporated in a grey-listed or non-compliant jurisdiction warrants enhanced due diligence or relationship review.

2. Review your Travel Rule data completeness rates. Track what percentage of incoming transactions arrive without required originator/beneficiary data. High rates of missing data from specific counterparties are a red flag.

3. Identify nested relationships. If a VASP counterparty's transaction volumes seem inconsistent with their stated customer base, investigate further. Request transparency into their customer onboarding and AML controls.

4. Update your risk methodology. The oVASP typologies in this report should be reflected in your institution's VASP risk assessment framework. If your current framework doesn't distinguish between licensed domestic VASPs and offshore-incorporated ones, it needs updating.

5. Monitor licensing status actively. VASP licensing is not a one-time check. Licenses can be revoked, suspended, or expire. Build a process to verify counterparty licensing status at least annually.

---

The Bottom Line

The FATF's 2026 oVASP report marks a clear regulatory direction: the era of "incorporated elsewhere, operating everywhere" is ending. As more jurisdictions adopt activity-based licensing and enforcement, the compliance burden on regulated VASPs to know their counterparties will only increase.

The five typologies in this report — unlicensed targeting, client pooling, Travel Rule gaps, nesting, and regulatory arbitrage — are the scenarios your AML program needs to be built to detect.

Getting ahead of this now, before enforcement actions proliferate, is the difference between a proactive compliance posture and a reactive one.

---

Source: FATF (2026), Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers (oVASPs), FATF, Paris.

This article is for informational purposes only and does not constitute legal advice. Always verify with official sources and professional counsel before making compliance decisions.