FATF Crypto Standards in 2026: Virtual Assets, VASPs, and Recommendation 15 Explained

Nearly six years after the Financial Action Task Force extended its global AML/CFT framework to crypto, only 29% of assessed jurisdictions are compliant with Recommendation 15 — and just 33% (46 of 138) adequately require virtual asset service providers to be licensed or registered in practice. That gap is the single most important fact for anyone trying to understand what FATF crypto standards actually mean in 2026. FATF does not write local crypto laws, does not license exchanges, and does not fine custodians. What it does is set the global AML/CFT baseline that countries are expected to translate into their own legislation — and as the 2025 figures show, that translation is still uneven across the 67 jurisdictions covering roughly 98% of global VASP activity.

In practical terms, the way crypto businesses experience FATF is indirect but inescapable. You feel FATF through your licensing regime, your customer due diligence obligations, your wallet and transaction screening, your sanctions checks, your Travel Rule readiness, and your suspicious activity reporting workflows.

This guide explains the framework end-to-end: what FATF is, why Recommendation 15 sits at the center of crypto compliance, what counts as a virtual asset, who is a VASP, and what the standards mean for compliance teams heading into 2026.

What Is FATF and Why Does It Matter for Crypto?

The Financial Action Task Force is an intergovernmental body created to set international standards for combating money laundering, terrorist financing, and proliferation financing. It is a standard-setter, not a regulator. It does not issue crypto licenses, does not directly supervise exchanges, and has no authority to penalize an individual VASP. What it does have is enormous influence over the countries that do.

In practical terms, FATF works through three mechanisms that crypto businesses should understand:

The chain of influence runs from FATF Recommendations → National Legislation → Licensing and Supervisory Rules → Enforcement Actions against individual businesses. So when a crypto exchange in the EU is asked by its CASP supervisor for a documented risk assessment, or when a U.S. money services business is examined on its sanctions controls, the underlying logic is almost always traceable back to FATF expectations.

FATF Recommendation 15: The Core Standard for Virtual Assets

Recommendation 15 originally addressed risks from "new technologies" generally. In October 2018, FATF amended R.15 to explicitly cover virtual assets and VASPs, and in June 2019 it adopted an updated Interpretive Note (INR.15) that spells out exactly how countries should apply AML/CFT measures to the sector. That is the moment crypto formally entered the global AML framework.

In practical terms, R.15 requires countries to do four things for the virtual asset sector:

What this means in plain language is that Recommendation 15 is not a single rule — it is the structural floor under everything else a crypto AML Program does. Risk assessments, licensing, supervision, KYC, monitoring, recordkeeping, the Travel Rule: each of these flows from R.15 and INR.15.

Recommendation 15 and Its Interpretive Note

The Interpretive Note to Recommendation 15 is where the practical substance lives. It defines a virtual asset, defines a VASP, sets the activities-based scope of who is covered, and explains how the preventive measures in FATF's other Recommendations should be applied to virtual asset transfers — including the specific information that must accompany VA transfers under the Travel Rule. In practical terms, when a national regulator drafts a crypto AML regime, it is almost always working from INR.15 paragraph by paragraph. The structure of the EU's MiCA-adjacent AML rules, the UK's FCA registration regime for crypto-asset businesses, and the US FinCEN approach to convertible virtual currency all map onto INR.15 categories, even where the local terminology differs.

Source: FATF, Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs, October 2021, current reference document for R.15 and INR.15 interpretation.

What FATF Means by Virtual Assets

FATF's definition of a virtual asset is deliberately broad and function-based. A virtual asset is a digital representation of value that can be digitally traded or transferred and used for payment or investment purposes. It does not have to be a "coin" in the colloquial sense. This definition pulls in most of what crypto industry professionals would recognize:

A few things are deliberately not virtual assets in the FATF sense: fiat currencies, securities and other financial assets already covered by other FATF Recommendations, and central bank digital currencies (which FATF treats as fiat). NFTs and DeFi assets are handled case-by-case based on the actual function they perform — a tokenized investment product behaves like a VA, a unique collectible without payment or investment use generally does not.

The cautious framing matters because FATF takes a substance-over-form approach. As FATF guidance has repeatedly emphasized, what determines coverage is the activity and the function of the asset, not the label its issuer uses. That means a compliance team cannot decide it is outside scope simply because a token is marketed as a "utility" or a service is described as "decentralized." The test is what the asset and the service actually do.

What FATF Means by VASPs

The VASP definition is similarly activities-based. A virtual asset service provider is any natural or legal person who, as a business, conducts one or more of the following activities on behalf of another natural or legal person:

The two phrases that do the heavy lifting are "as a business" and "on behalf of another". A wallet you run for yourself is not VASP activity. Pure software development without operational control is generally not VASP activity. But the moment a company holds, moves, or exchanges someone else's virtual assets in a business context, the VASP test is in play.

Why VASP Classification Matters

VASP status is the on-switch for nearly the entire crypto AML obligation set. Once a business is identified as a VASP under local law, it inherits — in practical terms — the same kinds of obligations that apply to a bank, a payment institution, or a money transmitter: licensing or registration, an AML program, designated compliance personnel, customer due diligence, transaction monitoring, sanctions screening, Travel Rule compliance, recordkeeping, and suspicious activity reporting.

The classification question is therefore not academic — it determines whether a business is operating legally and whether its banking partners, exchange counterparties, and institutional clients will engage with it at all.

Main AML/CFT Obligations Under FATF Crypto Standards

FATF crypto standards are sometimes mistaken for "just the Travel Rule." That undersells the framework by a wide margin. The full set of obligations that flow from R.15 and INR.15 forms a complete AML/CFT program.

Risk-Based Approach

The risk-based approach (RBA) is the principle that runs through every other obligation. Rather than applying identical controls to every customer and every transaction, FATF expects businesses to focus resources where the ML/TF risk is highest — and to be able to document and defend that judgment.

In practical terms, the RBA is also where many crypto businesses still fall short. FATF's June 2025 update specifically flagged that "many jurisdictions still struggle with the implementation of some of the fundamental requirements of R.15, particularly undertaking a risk assessment on VA/VASP." If countries are struggling, the private sector within them is rarely doing better. A documented, periodically refreshed VA-specific risk assessment is now considered table stakes by serious supervisors and banking partners.

Transaction Monitoring and Suspicious Activity

KYC at onboarding answers the question who is this customer. It does not tell you what they do next. FATF standards therefore require ongoing monitoring of customer activity to detect unusual patterns, identify potentially suspicious transactions, and trigger enhanced review or reporting where warranted. In a crypto context, that monitoring is inherently dual: it covers the customer's account activity (deposits, withdrawals, internal transfers) and the on-chain risk profile of the addresses they interact with (exposure to sanctioned entities, darknet markets, mixers, fraud-related clusters).

FATF Travel Rule: Important, but Not the Whole Framework

The Travel Rule is the most discussed FATF crypto requirement and one of the least well-implemented. In simple terms, it requires VASPs and financial institutions to obtain, hold, and transmit specific originator and beneficiary information when they conduct qualifying virtual asset transfers — analogous to the wire-transfer information rules that have applied to banks for decades. The 2025 numbers show why the Travel Rule keeps appearing on FATF's priority list:

For a focused walkthrough of the rule itself — what data must travel, what the thresholds are, and how VASP-to-VASP messaging works — see our guide to the FATF Crypto Travel Rule. For the operational reality across counterparties, our piece on Travel Rule Implementation Challenges covers where teams are still getting stuck.

The point to keep in mind is that the Travel Rule is one obligation among many under Recommendation 15. Treating Travel Rule compliance as a proxy for FATF compliance leaves significant blind spots in licensing, risk assessment, monitoring, and reporting.

How FATF Standards Become Local Crypto Regulations

This is the step that confuses the most people: FATF Recommendations are not law. They only become enforceable when a country transposes them into national legislation, regulation, or supervisory rules. That transposition is where the variation lives. At a high level, the implementation pattern looks like this:

A multi-jurisdictional crypto business cannot just "comply with FATF." It has to comply with the specific local transposition wherever it operates, while also accounting for the gaps between countries that affect cross-border activity.

What Changed by 2026: FATF Implementation Progress and Remaining Gaps

The June 2025 sixth Targeted Update — the most recent comprehensive FATF assessment heading into 2026 — gives the clearest picture of where the global framework actually stands. The headline is gradual progress, persistent gaps. Progress that did happen between 2024 and 2025:

The gaps that remain are equally well-documented:

Source: FATF, Targeted Report on Stablecoins and Unhosted Wallets, March 2026

FATF has scheduled the next R.15 implementation status update for 2026 and is producing focused reports on stablecoins, offshore VASPs, and DeFi through the 2025–2026 cycle. The direction of travel is unmistakable: more granular supervision, more attention to high-risk asset classes, and more pressure on jurisdictions that lag.

Why Implementation Gaps Matter for Crypto Businesses

It would be easy to read the gap data and conclude that compliance pressure is lower than it appears on paper. The opposite is true. When formal implementation lags, informal enforcement rises. Banking partners, payment institutions, exchange counterparties, and institutional investors all use FATF-aligned standards as their de facto due diligence benchmark — often more stringently than the local supervisor does. This means a crypto business licensed in a jurisdiction with relaxed R.15 implementation should not assume the relaxed standard is what its counterparties will accept. The realistic benchmark is the FATF-aligned standard, plus whatever additional controls your most demanding counterparty expects.

What FATF Crypto Standards Mean for Compliance Teams

For compliance teams, FATF crypto standards function as a design specification. Even where local law is silent or lighter, building to the FATF baseline gives a defensible structure that holds up across regulators, auditors, and counterparties. A compliance program built on the FATF baseline typically covers:

Those FATF-aligned controls should be documented and testable when examined by a supervisor or external reviewer. For preparation, see our guide on Crypto AML Audit Requirements.

A realistic note: no tool or vendor "delivers FATF compliance" as a product. FATF compliance is a legal status determined by jurisdiction-specific law and supervisory judgment. What tools can do is support specific controls — KYT, sanctions screening, Travel Rule messaging, case management — that compliance teams use to meet those obligations.

Common Misunderstandings About FATF and Crypto

Several misconceptions about FATF crypto standards show up repeatedly in industry discussions, regulatory submissions, and even compliance documentation. Each one is more than a semantic issue — it creates real exposure during examinations, banking due diligence, and counterparty reviews. The four below are the ones that come up most often and that most consistently cause problems in practice.

FATF Standards Are Not the Same as Local Law

The misconception: A business claims to be "FATF compliant," or treats FATF Recommendations as if they were directly binding obligations. Regulators, auditors, and partners are expected to accept that framing at face value.

The reality: FATF Recommendations have no direct legal force on private companies. They are international standards that countries voluntarily commit to implement through their own legislation, regulation, and supervisory frameworks. A crypto exchange in Germany is bound by EU and German AML law — not by the FATF Recommendations themselves. A money services business in the United States is bound by the Bank Secrecy Act and FinCEN rules. The fact that all of these national rules were inspired by FATF does not make FATF itself the source of legal obligation. This distinction matters for three reasons:

Travel Rule Is Only One Part of Recommendation 15

The misconception: Travel Rule readiness is treated as a proxy for full Recommendation 15 alignment. Once a business has implemented a Travel Rule messaging solution, it considers its FATF-related work essentially done.

The reality: The Travel Rule is one preventive measure inside a much broader framework. Recommendation 15 and its Interpretive Note cover at least nine distinct obligation areas: VA/VASP risk assessment, licensing or registration of VASPs, risk-based supervision, customer due diligence, ongoing monitoring, sanctions screening, transaction monitoring, suspicious transaction reporting, recordkeeping, internal controls — and the Travel Rule itself. Treating one of those obligations as the whole leaves the other eight as blind spots.

The 2025 numbers make the gap visible. Travel Rule legislation has been passed in 85 jurisdictions, yet only 29% of assessed jurisdictions are largely compliant with R.15 overall, and just 33% satisfactorily require VASPs to be licensed or registered in practice. A crypto business that builds an excellent Travel Rule solution but neglects its risk assessment methodology, supervisory dialogue, or suspicious transaction reporting workflow is exactly the profile that fails a serious examination. Travel Rule readiness is necessary, but it is not sufficient.

Not Every Crypto Project Is a VASP

The misconception: Any business that "works with crypto" is automatically a VASP and inherits the full set of AML/CFT obligations.

The reality: VASP classification is activities-based and depends on whether the business performs covered activities on behalf of another person, as a business. Both elements have to be present. A non-custodial protocol developer, a blockchain analytics provider, a software vendor, an audit firm, or a node operator may legitimately fall outside the VASP definition even though they sit in the crypto ecosystem. A small custodial wallet service that holds customer keys, by contrast, sits squarely inside it — even if its team is only a few people. FATF guidance has been explicit that the test is functional, not based on branding or self-description. Labeling a service "decentralized" does not exempt it if a natural or legal person is in fact exercising operational control over customer assets or transfers. Equally, labeling a token "utility" does not remove it from the virtual asset definition if it is used for payment or investment purposes. This means three things:

FATF Compliance Is Not Just KYC

The misconception: Strong customer onboarding equals a strong compliance program. Once identity verification is in place, the business is "compliant."

The reality: KYC at onboarding answers one question — who is this customer at the moment they join. It does not answer what they do afterwards, where their funds come from, whether they appear on a sanctions list a year later, or whether their transaction patterns develop in suspicious ways. A FATF-aligned program therefore includes several layers beyond identity verification.

The full set of controls covers customer due diligence (including beneficial ownership and enhanced measures for higher-risk customers), ongoing customer monitoring, wallet and transaction screening (KYT), sanctions screening that is refreshed continuously rather than only at onboarding, alert review workflows, suspicious transaction reporting to the relevant FIU, recordkeeping that can be reproduced under examination, internal policies and training, and governance structures with designated compliance accountability.

The businesses that fail examinations rarely fail at KYC. They fail at the layer below it: alerts that were generated but never reviewed, sanctions matches that were missed because lists were not refreshed, transaction patterns that should have triggered enhanced due diligence and did not, suspicious activity that was identified internally but never reported externally. A program that aces onboarding but neglects ongoing monitoring is a program with strong front doors and no locks on the rest of the building.

Conclusion: FATF as the Baseline for Crypto AML Compliance in 2026

FATF does not replace local law, but it sets the contour that local law follows. Recommendation 15 and its Interpretive Note are the core global standard for virtual assets and VASPs, and as the June 2025 Targeted Update made clear, implementation has improved but remains uneven across the jurisdictions that matter most for the global crypto market.

For crypto businesses operating in 2026, the practical takeaway is straightforward: treat FATF-aligned controls as the baseline, not the ceiling. Build a documented risk assessment, run real customer due diligence, screen wallets and transactions, prepare for the Travel Rule, screen for sanctions, retain records, and make the whole program testable. Where local law is stricter, follow the stricter rule. Where local law is lighter, expect that your banking partners, payment counterparties, and institutional clients will still apply the FATF-aligned standard — because they have to.

Companies that deal in virtual assets need systems that connect customer information, transaction activity, wallet risk, sanctions exposure, and reporting workflows into a single, auditable picture. The standards that decide whether those systems are sufficient are, for now and for the foreseeable future, written in Paris.