FATF VA Guidance: What It Requires and Who It Applies To

Applies to: VASPs
Jurisdictions: Global

The FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, published by the Financial Action Task Force in October 2021, requires virtual asset service providers (VASPs) to implement AML/CFT programs, apply the Travel Rule to virtual asset transfers (countries may adopt a de minimis threshold of USD/EUR 1,000), and conduct customer due diligence. It applies to any entity that exchanges, transfers, or custodies virtual assets on behalf of customers, in every jurisdiction that implements the FATF Standards.

What is FATF VA Guidance?

The FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers is guidance issued by the Financial Action Task Force in October 2021 that explains how the FATF Standards apply to virtual assets and their service providers, bringing them fully into the global AML/CFT framework. FATF is an intergovernmental body whose members, together with the more than 200 jurisdictions in its global network of regional bodies, treat its standards as the reference point for domestic AML law. Countries that fall short risk being placed under increased monitoring (the "grey list"), which disrupts correspondent banking relationships and access to sovereign credit.

The 2021 guidance replaced the June 2019 version and substantially expanded its scope. Virtual assets first entered FATF's framework in October 2018, when Recommendation 15 and the glossary were amended to define "virtual asset" and "VASP"; the June 2019 Interpretive Note to Recommendation 15 then set out the obligations in detail. The 2021 update went further: it clarified how the Travel Rule applies operationally to VASP-to-VASP transfers, addressed decentralized finance (DeFi) for the first time, analyzed non-fungible tokens (NFTs), and expanded the VASP definition to capture new business models, including peer-to-peer facilitators with a centralized control element.

FATF documented its rationale. The UN Security Council's 1267 Sanctions Committee had identified crypto as a financing channel for designated groups. FinCEN's own analysis showed exchanges processing hundreds of millions of dollars in transactions linked to ransomware, darknet markets, and sanctions evasion. FATF's September 2020 Virtual Assets Red Flag Indicators report named chain-hopping, mixing services, and high-frequency small-value transfers as priority monitoring typologies.

Countries must require VASPs to register or obtain a license before operating, subject them to AML/CFT supervision, and apply sanctions when they fail. A VASP operating without a license violates the guidance at the most basic level.

Who does FATF VA Guidance apply to?

The guidance applies to any natural or legal person that, as a business, conducts one or more of the following activities on behalf of another person:

  • Centralized crypto exchanges: Platforms where users buy, sell, or exchange virtual assets for fiat or other virtual assets. Coinbase, Kraken, Binance, OKX, and comparable regional platforms are the clearest examples.
  • Custodial wallet providers: Any entity that holds private keys on behalf of users, including exchange custody arms and standalone hosted wallet services.
  • Virtual asset transfer services: Firms that move crypto between wallets on customer instruction, including crypto-native remittance services and payment processors settling in virtual assets.
  • Token issuers and ICO platforms: Firms managing initial coin offerings or equivalent token distribution events where the tokens function as investment instruments or means of payment.
  • Crypto ATM operators: Physical kiosks that convert cash to virtual assets or vice versa. These are explicitly in scope and have been a frequent enforcement focus in the US and UK.
  • DeFi facilitators with control: FATF's position is that DeFi protocols with an identifiable controlling entity qualify as VASPs, even when transactions execute via smart contracts. A development company, a foundation holding governance tokens, or a fee-capture mechanism all point toward VASP classification.
  • NFT platforms (conditionally): NFT marketplaces fall within scope where NFTs function as investment vehicles or are used in payment transfers. FATF treated this as case-by-case.

Jurisdictional reach is global in intent. Every FATF member must implement these standards in national law. Some jurisdictions go further: the EU's Transfer of Funds Regulation sets a €0 Travel Rule threshold, stricter than FATF's $1,000 baseline. Singapore's Payment Services Act, the UAE's VARA framework, and the UK's Money Laundering Regulations 2017 all implement VASP obligations traceable to this guidance.

What does FATF VA Guidance require?

The core obligations track FATF's standard AML/CFT framework, adapted for the virtual asset context:

  1. Registration or licensing: VASPs must register or obtain a license from a competent national authority before operating. Operating without registration is itself a regulatory violation, independent of any other AML failure. Many jurisdictions have added criminal penalties for unlicensed VASP operation.

  2. AML/CFT program: A written, board-approved program covering risk assessment, internal controls, transaction monitoring, suspicious activity reporting, and staff training. The program should be independently reviewed on a regular cycle (annually in many jurisdictions) and updated whenever the business risk profile changes materially.

  3. Customer due diligence: Full Customer Due Diligence (CDD) is required at account opening and for occasional transactions above USD/EUR 1,000 (the threshold FATF set for virtual assets, well below the USD/EUR 15,000 threshold that applies to other occasional transactions). For higher-risk customers, including politically exposed persons or customers from high-risk jurisdictions, enhanced due diligence applies, with source of wealth and source of funds verification and more frequent monitoring.

  4. Travel Rule compliance: Under FATF Rec 16 (FATF), as applied to virtual assets by the Interpretive Note to Rec 15, VASPs must collect and transmit originator and beneficiary information for any transfer at or above the USD/EUR 1,000 de minimis threshold. Required originator data: full name, wallet address, and at least one of physical address, national identity number (or customer identification number), or date and place of birth. Required beneficiary data: name and wallet address. This information must accompany the transfer to the receiving VASP. Below the threshold the obligation is reduced, not removed: originator and beneficiary names and wallet addresses must still be collected, although they need not be verified unless the transaction is suspicious.

  5. Sanctions screening: All customers and counterparty VASPs must be screened against applicable designated party lists before onboarding and on an ongoing basis. A confirmed match (after false-positive review) triggers an asset freeze and a reporting obligation.

  6. Suspicious activity reporting: VASPs must file suspicious transaction reports with their national financial intelligence unit when they know or suspect a transaction is linked to crime or terrorist financing. In the US, FinCEN requires filing within 30 days of initial detection, or 60 days if no suspect has been identified at the time of detection.

  7. Record retention: All CDD records, transaction records, and Travel Rule transmission logs must be retained for at least 5 years from the end of the business relationship or the date of the individual transaction.

  8. Unhosted wallet risk assessment: VASPs must assess the risk of transactions involving non-custodial wallets and apply CDD proportionate to that risk. A blanket policy of refusing all unhosted wallet transactions isn't required, but a documented risk-based approach is.

What evidence do regulators expect?

Examiners assessing a VASP's compliance want documentation that the program exists, is being followed, and is kept current. A working audit checklist:

  • Written AML/CFT policy: Current, board-approved, and dated. An undated policy is an immediate red flag. Examiners check the date of last update against recent regulatory developments.
  • Enterprise-wide risk assessment: Documented ML/TF risk assessment covering product risk (DeFi integrations, high-risk jurisdictions, mixing services), customer risk, and transaction typology risk. Must be updated at least annually.
  • Customer onboarding records: Identity documents, KYC verification outputs (liveness checks, document verification logs), CDD forms, and, for higher-risk customers, source of wealth documentation. These must be retrievable within a reasonable timeframe during an examination.
  • Travel Rule transmission logs: Evidence that originator and beneficiary data was captured and transmitted for every qualifying transfer. Where the receiving VASP lacked the technical capability to receive that data (the "sunrise problem"), examiners expect documented policies covering that gap.
  • Transaction monitoring configuration: The rules, thresholds, and logic used to generate alerts, along with evidence of periodic review. An untouched rule set running since 2019 invites a citation.
  • SAR/STR filing log: Every report filed, with timestamps. Examiners cross-reference alert dispositions to check that suppressed alerts have adequate documented rationale.
  • Staff training records: Completion records for AML training by all relevant staff, including dates and content covered. New-hire training is assessed separately from annual refresher records.
  • VASP counterparty due diligence: Records confirming that transfer counterparties have been assessed for regulatory status before the relationship was established.

Common failure modes

Most VASP enforcement actions don't result from a single catastrophic failure. They accumulate from the same recurring gaps:

  • Travel Rule non-implementation: The most frequent finding. The enforcement actions against Bitzlato (FinCEN designation, 2023) and BitMEX (FinCEN/CFTC, 2021) turned on customer identification that was never collected at all, let alone transmitted with transfers, including transfers well above the USD/EUR 1,000 threshold. Many smaller VASPs believed their transaction size exempted them. It doesn't: below the threshold, names and wallet addresses must still be collected.
  • Inadequate CDD on high-risk customers: Accepting customers from high-risk jurisdictions with basic identity verification and no source of wealth inquiry. Examiners expect documentation of additional steps taken for PEPs and high-volume customers.
  • No written unhosted wallet policy: Many VASPs have no documented procedure for assessing risk on transactions to or from non-custodial wallets. FATF explicitly requires a risk-based approach, and its absence is cited.
  • Stale transaction monitoring rules: Running the same rule set for three or more years without documented review. When a published FATF typologies report names a new method (chain-hopping, NFT wash trading) and a VASP's monitoring hasn't been updated, that's a compliance failure.
  • Sanctions screening gaps: Screening customer names at onboarding but not screening wallet addresses in real time against designated party lists. OFAC adds virtual currency addresses to the SDN list, and its October 2021 sanctions compliance guidance for the virtual currency industry expects address-level screening; several exchanges have since settled with OFAC over sanctions compliance failures.
  • No SAR filed on mixer usage: When a customer routes funds through a known mixing service or privacy coin, that's a red flag requiring documented investigation and usually a suspicious activity report. High-volume mixer usage generating zero alerts is a systemic failure.

FinCEN's January 2023 order designating Bitzlato a primary money laundering concern cited the absence of effective AML controls and of meaningful customer identification, with more than $700 million in transactions tied to the Hydra darknet market.

Penalties for non-compliance

Recent enforcement sets concrete benchmarks.

United States: The DOJ, FinCEN, OFAC and the CFTC reached a combined $4.3 billion resolution with Binance in November 2023, the largest AML enforcement action against a crypto firm in US history (DOJ press release, November 2023). The action cited willful Bank Secrecy Act violations, failure to implement an adequate AML program, and failure to file SARs on transactions with sanctioned parties. BitMEX received a $100 million combined penalty from the CFTC and FinCEN in 2021 for running an unregistered derivatives exchange with no AML controls (CFTC order, August 2021).

European Union: Under MiCA and the new AML Regulation, crypto-asset service providers face administrative fines running to millions of euros or a percentage of annual turnover, whichever is higher, for serious AML failures. The EU's new Anti-Money Laundering Authority (AMLA) begins operating in 2025 and is scheduled to take direct supervisory powers over selected high-risk cross-border firms, which may include crypto-asset service providers, from 2028.

United Kingdom: The FCA has rejected a substantial share of VASP registration applicants since 2020, with fewer than 15% of applicants receiving approval on first submission (FCA cryptoasset register data, 2024). Operating without registration carries criminal penalties of up to 2 years imprisonment and unlimited fines under the Money Laundering Regulations 2017.

Beyond direct fines, the operational consequences are severe: license revocation, correspondent bank account termination, and personal criminal prosecution of the MLRO or CEO in multiple jurisdictions.

Related regulations and frameworks

FATF VA Guidance doesn't operate in isolation. It sits within a network of complementary and implementing frameworks.

FATF Recommendations: The guidance implements and extends Recommendation 15 on new technologies, Recommendation 16 on the Travel Rule, and Recommendation 10 on CDD. Suspicious transaction reporting maps to Recommendation 20, and the 5-year record retention requirement comes from Recommendation 11.

European Union: MiCA (EU) and the Transfer of Funds Regulation are the EU's primary implementing mechanisms. The EU set a €0 Travel Rule threshold, meaning all crypto transfers carry originator and beneficiary data obligations regardless of value. The sixth AML directive adds criminal liability for legal persons and expands predicate offenses to include cybercrime and environmental crime.

United States: FinCEN treats VASPs as money services businesses under the BSA (US-FinCEN), requiring federal registration and full BSA program compliance. The Anti-Money Laundering Act of 2020 modernized this framework, explicitly extending BSA obligations to VASPs and adding whistleblower provisions with awards of up to 30% of sanctions collected above $1 million.

Singapore: The Payment Services Act licenses digital payment token service providers and maps directly to FATF's VASP definition. MAS has been active, issuing several prohibitions on unlicensed crypto advertising and operations.

UAE: VARA (Virtual Assets Regulatory Authority) and the UAE's federal AML decree implement FATF's VASP standards across mainland UAE, with ADGM and DIFC maintaining separate but substantially equivalent frameworks.

The guidance also connects directly to sanctions regimes. VASPs operating in the US must screen against the OFAC SDN list; UN Security Council 1267 designations apply globally. A VASP that facilitates a transaction for a designated entity violates both the FATF guidance and directly applicable sanctions law.

How FluxForce supports FATF VA Guidance compliance

FluxForce's AI agents automate the highest-volume work VASP compliance teams face: continuous transaction monitoring against FATF typologies, real-time screening of wallet addresses and customer names against global sanctions lists, Travel Rule data capture and transmission logging, and automatic escalation of unhosted wallet transactions for risk-based review. Every alert, disposition, and screening result is documented with full evidence for audit purposes. Book a demo to see how FluxForce maps to your specific VASP obligations.
