FATF Crypto Guidelines: The VASP Compliance Framework Explained

The FATF crypto guidelines are the global baseline that almost every national crypto licence is built on. Whether you read about the FINMA regime in Switzerland, MiCA in the European Union, or the VARA rulebook in Dubai, the AML and counter-terrorist-financing core looks similar because all of it traces back to a single intergovernmental standard. This page explains that standard: what the guidelines actually say, which named documents make them up, how the Travel Rule works, and how unevenly the world has implemented them so far.

What are the FATF crypto guidelines?

The FATF crypto guidelines are FATF Recommendation 15 and its Interpretive Note (INR.15), together with the 2019 first guidance and the October 2021 Updated Guidance, which extend AML and CFT rules to virtual assets and the businesses that handle them. They require countries to license or register virtual asset service providers and supervise them like financial institutions.

That is the short answer, and it is the one most searchers want first. The longer answer is that "guidelines" is a colloquial label for a stack of related instruments. FATF amended Recommendation 15 in October 2018 to bring virtual assets (VAs) and virtual asset service providers (VASPs) inside the AML perimeter, then adopted the Interpretive Note to Recommendation 15 and its first guidance in June 2019 (AMLBot, FATF Crypto Standards). The framework has been refined every year since, most recently through annual targeted updates that report on how well the world is actually implementing it.

This page uses the searcher's word "guidelines" in the heading for lexical clarity, but throughout the body it names the actual FATF instruments: Recommendations, the Interpretive Note, and the Updated Guidance. Getting the document names right matters, because each one carries different weight when a national regulator transposes it into binding law.

FATF in one line: standard-setter, not a regulator

The Financial Action Task Force is the intergovernmental standard-setter for anti-money-laundering and counter-terrorist-financing. It does not license anyone, supervise anyone, or fine anyone directly. What it does is publish the 40 Recommendations, then run mutual evaluations of its members to check whether they have implemented those standards in national law (AMLBot). A jurisdiction that fails to implement the standards risks being grey-listed or black-listed through that mutual-evaluation process, which carries real consequences for its banking access and reputation. So FATF has no licensing power, but it has powerful leverage over the countries that do.

Which FATF documents make up the "crypto guidelines"

When practitioners say "FATF crypto guidelines" they are usually referring to several documents read together:

• Recommendation 15 (New Technologies): amended October 2018 to cover VAs and VASPs.
• Interpretive Note to R.15 (INR.15): adopted June 2019, with the first guidance, setting the VA and VASP definitions and the licensing-plus-supervision baseline.
• The 2019 first risk-based-approach guidance: confirmed how R.15 and R.16 apply to the sector.
• The October 2021 Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs: six focus areas covering definitions, stablecoins, DeFi, NFTs, peer-to-peer transfers, and the Travel Rule.
• The annual targeted updates (latest 2025): progress reports on global implementation rather than new rules.

Read together, these documents are the FATF VASP framework that the rest of this page unpacks.

Why FATF created a framework for virtual assets

Virtual assets are borderless by design. A transfer can cross a dozen jurisdictions in seconds, and value can move between an exchange, a custody wallet and a peer-to-peer counterparty without ever touching a traditional bank. That created an obvious AML and CFT gap: criminals and sanctioned actors could exploit the seams between national regimes, moving funds through whichever jurisdiction had the weakest controls. FATF's headline framing in its recent work is that a regulatory failure in one jurisdiction now has global consequences (21Analytics, 2025 FATF Targeted Update).

The lever FATF pulled was the same one it had used for traditional finance: bring the sector inside the existing AML perimeter, then use the mutual-evaluation process to pressure members into compliance. Rather than invent a separate crypto regime, FATF extended its existing Recommendations, principally R.15 and R.16, to virtual assets. That design choice is why a VASP's obligations feel familiar to anyone who has worked in regulated banking: customer due diligence, recordkeeping, suspicious-transaction reporting and sanctions screening are the same tools, applied to a new asset class.

The risk-based approach explained

The entire framework is explicitly risk-based. A risk-based approach means calibrating AML and CFT controls to the actual money-laundering and terrorist-financing risk of your customers, products and the jurisdictions you serve, rather than applying a single fixed checklist to everyone (FATF 2021 Updated Guidance). Higher-risk relationships get enhanced due diligence; lower-risk ones can use simplified measures. The 2021 document is literally titled "Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs," which signals how central this principle is. For a VASP, the practical consequence is that you cannot buy a single off-the-shelf compliance template and assume you are covered. You must document your own risk assessment and show that your controls are proportionate to it.

What is FATF Recommendation 15? (the load-bearing crypto rule)

FATF Recommendation 15, the "New Technologies" recommendation, is the load-bearing rule for crypto. It was amended in October 2018 to cover virtual assets and VASPs, with the Interpretive Note (INR.15) and first guidance following in June 2019 (AMLBot). At its core, R.15 instructs countries to treat VASPs as financial institutions for AML and CFT purposes: a country may choose to permit or to prohibit VASPs, but if it permits them, it must bring them fully inside the AML regime.

This is the rule that every national crypto licence ultimately answers to. When you read that the FINMA regime, MiCA's CASP authorisation, or the BaFin framework all demand a money-laundering reporting officer, transaction monitoring and KYC, you are reading R.15 transposed into local law. Understanding R.15 first makes every country guide on this site easier to read.

The four duties R.15 places on countries

R.15 places four concrete duties on each country for the virtual-asset sector (AMLBot citing FATF INR.15):

1. Identify and assess the money-laundering and terrorist-financing risks arising from virtual assets and VASP activities.
2. License or register VASPs operating in the jurisdiction, so the sector is not left unsupervised.
3. Supervise or monitor VASPs for AML and CFT compliance (this is conduct supervision, not prudential supervision of capital).
4. Apply the full preventive-measures toolkit to VASPs: customer due diligence and KYC, recordkeeping, suspicious-transaction reporting, the Travel Rule, and targeted financial-sanctions screening.

These four duties are the spine of the framework. Every other instrument, from the Travel Rule to the targeted updates, is an elaboration on how countries should discharge them.

The five VASP service categories under FATF

FATF defines a VASP by activity, not by the technology a business uses. Any natural or legal person who, as a business, conducts one or more of the following is a VASP (FATF 2021 Updated Guidance):

1. Exchange between virtual assets and fiat currencies (VA-to-fiat exchange).
2. Exchange between one or more forms of virtual asset (VA-to-VA exchange).
3. Transfer of virtual assets on behalf of another person.
4. Safekeeping or administration of virtual assets or instruments enabling control over them (custody).
5. Participation in, and provision of financial services related to, an issuer's offer or sale of a virtual asset (for example, services around an ICO).

If your business model fits any one of these as a commercial activity, you are a VASP for FATF purposes. The detailed scope tests, including edge cases, are covered on our companion page on what counts as a VASP.

How FATF defines a "virtual asset"

A virtual asset, in FATF's words, is a digital representation of value that can be digitally traded or transferred and that is used for payment or investment purposes (FATF 2021 Updated Guidance). The definition deliberately excludes digital representations of fiat currencies, securities, and other assets already covered by other FATF Recommendations, to avoid double-regulation. The point of the definition is breadth combined with a carve-out: most tokens used for payment or investment are caught, but instruments that already sit inside another regulatory net are not double-counted as VAs.

What is the FATF Travel Rule (Recommendation 16)?

The FATF Travel Rule is the application of Recommendation 16, originally written for traditional wire transfers, to virtual-asset transfers. INR.15 extends R.16 to VAs, so VASPs must obtain, hold and transmit the required originator and beneficiary information with each qualifying transfer, and make that information available to authorities on request (Sumsub, FATF Travel Rule). The Travel Rule is operationally one of the hardest parts of the framework, because it requires two independent businesses to share verified customer data securely and in real time. This page summarises it; the full mechanics, protocols and counterparty due-diligence detail live on our dedicated page on the crypto Travel Rule.

What information must travel with a crypto transfer

Under the revised Recommendation 16, the data that must travel with a transfer is, broadly (Moody's, FATF Recommendation 16, GLEIF on R.16):

• Originator: name, account or wallet number (or a unique transaction reference), and address (or a national ID number, or date and place of birth). Name, account number and address are treated as the mandatory core.
• Beneficiary: name and account or wallet number. The revised R.16 adds expectations around the beneficiary's country or town.

Exactly which originator and beneficiary fields are mandatory versus optional after the 2025 R.16 revision should be confirmed against the Interpretive Note to R.16 itself before you build a compliance solution, because the authoritative secondaries differ on the detail (see the open questions at the end of this page).

The USD/EUR 1,000 threshold and the sunrise problem

FATF recommends a de minimis threshold of approximately USD/EUR 1,000: below it, a reduced unverified data set may apply, while above it the fuller verified data set is required (Sumsub). This is a recommended threshold only, and national thresholds differ significantly. The European Union's Transfer of Funds Regulation, for example, applies Travel Rule obligations to all transfers with no de minimis threshold at all, while some other jurisdictions use the roughly 1,000-unit figure. Always treat the threshold as "FATF recommends about USD/EUR 1,000; national thresholds differ."

A second complication is the sunrise problem. Because jurisdictions adopt the Travel Rule on different timelines, a compliant VASP often has no compliant counterparty to send the data to: the sun has risen in your jurisdiction but not in your counterparty's (Sumsub). This uneven adoption is one of the main reasons Travel Rule compliance remains a cross-border headache even where the local law is clear.

The 2019 and October 2021 Updated Guidance: six focus areas

FATF's virtual-asset guidance has been refined in two main passes. The 2019 first risk-based-approach guidance established the VA and VASP definitions, confirmed that R.15 and R.16 applied, and set the licensing-plus-supervision baseline. The October 2021 Updated Guidance then went considerably deeper, organised around six focus areas (FATF 2021 Updated Guidance, FSB note on the 2021 guidance). This Updated Guidance is what most people mean when they search for FATF virtual asset guidance, so it is worth reading the focus areas closely.

Definitions read expansively, stablecoins in scope

The first thing the 2021 guidance did was tell jurisdictions to read both "virtual asset" and "VASP" expansively: if something functions like a VA or a VASP and is not already covered by another Recommendation, it should be treated as one. Within that expansive reading, stablecoins are firmly in scope. Both fiat-backed and crypto-collateralised stablecoins are virtual assets under FATF, and the guidance clarified how the standards apply across the stablecoin lifecycle, including to central developers and governance bodies (FATF 2021 Updated Guidance). This is not an academic point. By the 2025 targeted update, FATF identified stablecoins as the dominant vehicle for on-chain illicit activity (21Analytics), so any business touching stablecoins should expect close supervisory attention.

DeFi, NFTs and peer-to-peer transfers

The 2021 guidance also tackled the harder edge cases:

• DeFi: the software or protocol itself is generally not a VASP, but a person who has control or sufficient influence over the arrangement (through admin keys, fee-taking or ongoing governance, for example) can be the VASP. A genuinely decentralised arrangement with no controlling party may fall outside, which is why the control-or-influence test matters so much for token projects. This is also the terminology bridge to the EU, where similar activities surface as a CASP authorisation; see our explainer on VASP vs CASP under MiCA.
• NFTs: generally not virtual assets, unless they are used in practice for payment or investment, in which case the NFT and its platform may fall in scope. The test is functional, not nominal: what the asset is used for, not what it is called.
• Peer-to-peer transfers: transfers between unhosted or self-hosted wallets without a VASP in the middle are not directly subject to obligations, but FATF flags them as a risk and lets countries impose monitoring or controls on flows between VASPs and unhosted wallets.

FATF crypto rules timeline: 2018 to 2025

One weakness of older explainers is that they never dated anything, blurring the 2018 amendment, the 2019 guidance and the 2021 update into a single undated "FATF says." The version history matters, because each step changed what regulators expect. Here is the dated sequence (AMLBot, Notabene, 2024 Targeted Update, FATF Best Practices on Travel Rule Supervision):

The trend across the timeline is clear: FATF moved from defining the rules (2018 to 2021) to measuring and pressing for their enforcement (2024 to 2025), as the next section shows.

How many countries comply with FATF crypto rules? (2024-2025 implementation data)

This is where the framework meets reality, and the reality is uneven. According to the 2025 targeted update, of 138 jurisdictions assessed for Recommendation 15, about 29% were largely compliant (up from 25% in 2024), and non-compliance fell to roughly 21%, around 29 of the 138. Strikingly, only one jurisdiction was rated fully compliant with R.15, unchanged from 2024 (21Analytics, 2025 FATF Targeted Update). On the Travel Rule, the large majority of relevant jurisdictions had passed legislation according to the most recent FATF data, but only about a third (roughly 46 of 138) adequately required VASP licensing or registration in practice (21Analytics). The picture is one of widespread law-making and patchy execution.

The Travel Rule legislation figure is reported differently by different sources depending on the denominator and survey year, so this page deliberately phrases it as "the large majority (most recent FATF data)" rather than committing to a single percentage that may not survive verification against the FATF report itself.

The enforcement gap

The starker gap is between passing a law and enforcing it. The 2024 targeted update found that of the jurisdictions that had enacted Travel Rule legislation (about 65 of 94 respondents), only around 17 had taken any supervisory or enforcement action on Travel Rule compliance (Notabene, 2024 Targeted Update). In other words, most countries that wrote the rule were not yet policing it. For an operator, that gap is a trap, not a reprieve: enforcement tends to catch up sharply, and a business that treated weak supervision as permission can find itself non-compliant overnight when a regulator finally acts.

Why uneven implementation is the systemic risk

FATF's own framing in the 2025 update is that uneven implementation is the core systemic risk, precisely because virtual assets are borderless (21Analytics). If one jurisdiction leaves a hole, illicit flows route through it, and the consequences spill across the whole network. That is why FATF keeps pressing for stronger global action rather than declaring the job done. For a compliant VASP, it also means the counterparty risk is real: you may be doing everything right and still be exposed to a counterparty in a weaker jurisdiction.

What the FATF guidelines mean for your VASP (practical compliance)

The single most useful mental model is this: the FATF framework is the floor, and national law is the binding instrument. FATF does not license you. You obtain a licence or registration from a national regulator, such as FINMA's Swiss crypto licence, whose rules are FATF-derived but legally binding in a way the Recommendations themselves are not (FATF 2021 Updated Guidance). Understanding the framework tells you why every regime looks similar; obtaining a licence still happens country by country. If you are planning to apply, the practical starting point is our pillar on how to become a licensed VASP.

Self-classify against the five VASP service types

Before anything else, work out whether your activity is one of the five VASP service types, because that determines whether the framework applies to you at all. For DeFi, custody and smart-contract businesses, the deciding question is control and influence: do you, or someone in your arrangement, hold admin keys, take fees or run ongoing governance (FATF 2021 Updated Guidance)? If yes, you are likely the VASP, regardless of how decentralised the front end looks. Self-classification is not optional; regulators expect you to have reached a documented view on your own status.

Build the full preventive-measures toolkit, not just KYC

Many operators equate compliance with KYC, but R.15 demands the full preventive-measures toolkit (FATF 2021 Updated Guidance). That means a documented risk assessment, customer due diligence and KYC, transaction monitoring, recordkeeping, suspicious-transaction reporting, sanctions screening, and Travel Rule data transmission. The specific capital and AML obligations that national regulators attach to these duties are set out on our page covering VASP AML and capital requirements. Treat KYC as one component of a larger programme, not the programme itself.

One licence is not global compliance

Finally, a licence in one country does not make you globally compliant. Obligations attach in every jurisdiction you serve, so cross-border operations face multiple national regimes simultaneously (FATF 2021 Updated Guidance). A common and expensive mistake is to secure one registration and assume it travels. It does not. Where to register, and how the obligations stack across markets, is the subject of our guide on where to register a VASP. And because the EU transposes FATF through its own bespoke regime, anyone serving European customers should read our explainer on the EU's MiCA regime alongside this page.

From our practice. In advising founders and operators on crypto licensing from our base in Zug, the pattern we see most often is teams who built strong KYC but under-invested in the rest of the R.15 toolkit, then discovered the gap during a regulator's first review. The fix is rarely glamorous: a documented risk assessment, a clear self-classification against the five service types, and a Travel Rule solution chosen early rather than retrofitted. Treating the FATF framework as the design brief from day one, rather than a compliance afterthought, is consistently the difference between a smooth application and a stalled one.

Have questions about your specific situation? Book a free 15-minute discovery call with our licensed advisers. No commitment. Book a Call