FATF Rec 15: What It Requires and Who It Applies To
FATF Recommendation 15, issued by the Financial Action Task Force and revised in June 2019, requires countries to assess and manage money laundering and terrorist financing risks from new financial technologies. It mandates that Virtual Asset Service Providers be licensed or registered and subject to AML/CFT supervision equivalent to traditional financial institutions. The standard applies globally across FATF member jurisdictions.
What is FATF Rec 15?
FATF Recommendation 15 is the Financial Action Task Force standard requiring countries and financial institutions to identify, assess, and manage money laundering and terrorist financing (ML/TF) risks arising from new financial technologies. The FATF adopted the original Recommendation 15 as part of its 40 Recommendations in 2012, then substantially revised it in June 2019 to bring Virtual Asset Service Providers (VASPs) within the global AML/CFT framework.
The 2019 revision was direct. Crypto exchanges, custodial wallet providers, and other VASPs were expected to meet the same AML/CFT standards as banks: licensing or registration, customer due diligence, transaction monitoring, and suspicious activity reporting. Countries that didn't regulate VASPs were flagged as deficient. It's a hard criterion in FATF mutual evaluations, not a soft suggestion.
The background matters. By 2018, FATF and the Egmont Group had documented virtual asset transactions worth hundreds of millions of dollars moving criminal proceeds across borders with minimal friction. Existing AML frameworks had no grip on exchanges or wallet providers operating in unregulated spaces.
FATF updated its interpretive notes again in October 2021, addressing decentralized finance (DeFi) and non-fungible tokens in standalone guidance, the FATF VA Guidance. That document is now the operational reference for any firm determining where Rec 15 applies to its business.
This is a living standard. FATF's 2023 targeted review found that the majority of jurisdictions had not yet fully implemented the VASP requirements. Countries with weak regimes have been placed on FATF's grey list, which carries direct correspondent banking consequences.
Who does FATF Rec 15 apply to?
FATF Rec 15 applies to two distinct groups: countries, which must create and enforce the regulatory regime, and the entities that operate within scope.
Covered entity types include:
- Cryptocurrency exchanges (centralized): Any platform exchanging fiat for virtual assets or virtual assets for other virtual assets. Coinbase, Kraken, and regional equivalents are the clearest examples. These are unambiguously VASPs under FATF's definition.
- Custodial wallet providers: Services that hold private keys on behalf of customers. If the provider can move assets without the customer's direct action, it's a VASP.
- Virtual asset transfer and payment services: Platforms facilitating the movement of virtual assets between users, including crypto payment processors.
- ICO and token issuers: Entities that offer new virtual assets to the public and manage the financial infrastructure behind them.
- Fintechs launching new financial products or delivery channels: Any financial institution or fintech launching a new product must complete a technology risk assessment before going live. A bank rolling out a mobile-only lending product, an embedded finance provider adding a wallet function, a real-time payment rail operator: all trigger the Rec 15 obligation.
- Traditional banks and payment firms: A conventional bank introducing AI-driven onboarding or a new payment channel still has to assess the ML/TF risks of that delivery mechanism.
The scope is global. FATF's member jurisdictions, plus countries in the FATF-Style Regional Bodies network, are expected to implement Rec 15 in national law. In the EU, it came through MiCA for crypto asset regulation and the EU TFR for the Travel Rule. In the US, FinCEN classified VASPs as Money Services Businesses subject to the BSA, requiring formal MSB Registration.
What does FATF Rec 15 require?
The obligations split into two tracks.
Track 1: New technology risk assessment (all financial institutions)
- Pre-launch ML/TF risk assessment: Before deploying any new financial product or delivery channel, countries and financial institutions must assess ML/TF risks. There's no defined size threshold; the assessment must be proportionate to the product's risk profile.
- Documented risk mitigation: Where risks are identified, institutions must take measures to manage them. In high-risk cases, countries may prohibit or restrict the product entirely.
- Ongoing monitoring: The assessment is not a one-time checkbox. Products must be monitored against their initial risk profile as transaction patterns evolve.
Track 2: VASP-specific obligations
- Licensing or registration: VASPs must be licensed or registered in the jurisdiction where they're incorporated or where they operate. Countries must prevent unlicensed VASPs from offering services. The beneficial ownership of VASPs must be identifiable, connecting this obligation to FATF Rec 24.
- AML/CFT program: VASPs must implement a full Customer Due Diligence (CDD) program covering Know Your Customer (KYC) verification, Enhanced Due Diligence (EDD) for higher-risk customers, and ongoing customer monitoring. The CDD requirements mirror those in FATF Rec 10.
- Transaction monitoring and STR filing: VASPs must monitor transactions for suspicious activity and file Suspicious Transaction Reports with the financial intelligence unit. This obligation runs alongside FATF Rec 20.
- Travel Rule: VASP-to-VASP transfers of USD/EUR 1,000 or more must include originator and beneficiary information. The Travel Rule mechanics sit in FATF Rec 16, but Rec 15 requires VASPs to have the technical infrastructure to comply with it.
- Record retention for five years: Transaction records and customer identification documents must be retained for a minimum of five years, consistent with FATF Rec 11.
- Sanctions screening: VASPs must screen customers and transactions against designated lists at onboarding and on a continuous basis.
What evidence do regulators expect?
Examiners reviewing FATF Rec 15 compliance want documented evidence, not policy statements. A generic risk assessment that's undated or disconnected from specific products won't satisfy a mutual evaluation team.
The practical checklist:
- Pre-launch technology risk assessment: A written assessment for each new product or delivery mechanism, identifying ML/TF risks, assigning risk ratings, and documenting mitigating controls. It must be dated and signed off by senior management before the product goes live.
- VASP licensing or registration certificate: Current and valid, covering every jurisdiction where the firm operates. Multi-jurisdiction VASPs need documentation for each.
- AML/CFT program manual: A written program covering CDD, transaction monitoring, SAR (Suspicious Activity Report) filing, record-keeping, and training. The program must specifically address virtual asset risks, not just standard financial crime controls.
- KYC and CDD records: Customer identification and verification files for all onboarded accounts, including source of funds documentation for higher-risk customers. For VASPs, this means records that identify the natural persons controlling wallets.
- Transaction monitoring configuration logs: Evidence that monitoring rules are calibrated for virtual asset transaction patterns, with a documented history of threshold adjustments and rule tuning.
- Travel Rule compliance records: For qualifying transfers of $1,000 or above, logs showing originator and beneficiary information was transmitted outbound and received and screened inbound.
- SAR/STR filing log: A complete record of all suspicious activity reports filed, with supporting case documentation.
- Staff training records: Completion logs covering all relevant personnel, with training content specific to virtual asset risks and Rec 15 obligations.
- Independent audit or third-party review: Evidence of periodic program testing, including assessment of transaction monitoring effectiveness.
Common failure modes
Most FATF Rec 15 deficiencies aren't technical failures. They're process gaps that repeat across mutual evaluations and enforcement actions.
- No pre-launch risk assessment: The most common issue. An institution launches a crypto product or new payment channel without a documented ML/TF risk assessment dated before go-live. FATF's 2021 updated guidance on virtual assets found this gap widespread, and later supervisory reviews confirmed it hadn't improved.
- KYC that covers fiat customers but not VASP customers: Institutions apply standard KYC at onboarding but fail to collect source of funds for high-volume crypto accounts or apply enhanced due diligence to wallet activity. This is a FATF Rec 10 gap presented as a Rec 15 failure.
- Travel Rule non-compliance on inbound transfers: VASPs collect originator information on outbound transfers but don't screen or retain beneficiary data on incoming ones. FATF's 2023 VASP supervision survey found fewer than half of surveyed VASPs were fully Travel Rule compliant.
- Sanctions screening limited to names at onboarding: VASPs screen customer names once at registration but don't screen wallet addresses against OFAC-designated lists on an ongoing basis. In November 2023, Binance pleaded guilty to Bank Secrecy Act violations including AML program failures, resulting in $4.3 billion in penalties across FinCEN, OFAC, and DOJ. The full details are in the DOJ press release.
- Five-year record retention gaps: Transaction records not kept for the full five-year period, or stored in formats that can't be retrieved during an examination window.
- Operating without a license: FATF's own assessments found more than 50 jurisdictions had not yet passed comprehensive VASP legislation as of 2023, meaning active VASPs in those countries were operating in a compliance vacuum.
Penalties for non-compliance
FATF doesn't impose fines directly. Penalties come from national regulators applying FATF standards through domestic law, and the consequences fall into two categories: institutional penalties and country-level consequences.
Institutional penalties:
In the United States, FinCEN can assess civil money penalties up to $1 million per violation per day under the Bank Secrecy Act. In 2022, FinCEN and the CFTC each penalized HDR Global Trading (BitMEX) $100 million for AML program failures, including the complete absence of a KYC program. The FinCEN news release details the specific violations. In November 2023, Binance agreed to $4.3 billion in combined penalties to FinCEN, OFAC, and DOJ, with Changpeng Zhao personally pleading guilty.
In the European Union, the EU AMLR and 6AMLD allow penalties of up to €10 million or 10% of annual group turnover for serious AML failures. Individual criminal liability is available in most member states.
In the United Kingdom, the FCA imposes unlimited financial penalties for AML failures. Under UK MLR 2017, operating as an unregistered crypto asset exchange business is a criminal offence with potential imprisonment for principals.
Country-level consequences:
Countries that fail to implement Rec 15 risk FATF grey-listing. Grey-listed countries face reduced correspondent banking access, higher transaction costs, and friction in accessing international capital markets. Several jurisdictions saw correspondent banks withdraw entirely from virtual asset transaction processing after their FATF ratings dropped.
Related regulations and frameworks
FATF Rec 15 doesn't operate in isolation. It sits within the FATF 40 Recommendations and connects to national implementing legislation across major jurisdictions.
Within the FATF framework:
FATF Rec 1 establishes the risk-based approach that the technology risk assessment in Rec 15 applies. FATF Rec 10 governs the CDD requirements VASPs must meet. FATF Rec 16 is the Travel Rule, specifying how originator and beneficiary data must travel with virtual asset transfers. FATF Rec 20 covers the suspicious transaction reporting obligation that applies to VASPs alongside traditional financial institutions.
National and regional implementation:
The EU implemented Rec 15 through two instruments. MiCA covers licensing requirements for crypto asset service providers. The EU TFR implements the Travel Rule for transfers within the EU. Both took effect from 2024.
In the US, FinCEN applies Rec 15 obligations through the BSA, treating VASPs as Money Services Businesses requiring MSB Registration. Singapore implements equivalent rules through the SG PSA for Digital Payment Token service providers. Australia covers digital currency exchange providers under the AML/CTF Act.
For VASPs and fintechs deploying AI in compliance functions, the EU AI Act adds governance requirements. AI systems used for transaction monitoring or customer risk scoring may qualify as high-risk under Article 6 and require additional documentation and human oversight.
How FluxForce supports FATF Rec 15 compliance
FluxForce's AI agents automate the compliance workflows FATF Rec 15 demands for VASPs and fintechs. Nova Sentinel handles real-time transaction monitoring and automated suspicious activity flagging. Aiden Flux manages customer risk scoring and CDD document workflows. Pre-launch technology risk assessments are supported through structured risk templates with full audit trails examiners can review on-site. Travel Rule data capture and beneficiary screening run automatically on qualifying transfers. Every decision carries a full evidence chain, making examination responses faster and more complete. Request a demo to see how FluxForce maps to your specific VASP or fintech compliance obligations.