MONEYVAL ¦ Report on the Use of Virtual Assets for Money Laundering, Terrorist Financing and the Evasion of Sanctions

Practice of Using Virtual Assets and VASPs in Money Laundering, Terrorist Financing and Sanctions Evasion – Key Lessons for Financial Crime Practitioners

MONEYVAL’s December 2025 typologies report confirms that virtual assets (VAs) and virtual asset service providers (VASPs) are now firmly embedded in the AML/CFT and sanctions landscape – but regulatory progress has not eliminated operational gaps. The report documents real advances in licensing, supervision, international cooperation and public–private engagement across MONEYVAL jurisdictions, while also underscoring persistent weaknesses in enforcement, data collection, Travel Rule implementation and the handling of privacy-enhancing technologies. This article synthesises the report’s findings and highlights practical implications for compliance officers, investigators and supervisors.

Jump to: Luxembourg-specific considerations

Regulatory and supervisory progress – what has improved

Since 2023, most jurisdictions in the MONEYVAL network have moved quickly to bring VASPs into formal AML/CFT regimes. Roughly 81% of responding jurisdictions now require VASPs to be licensed or registered and over 90% have designated supervisors. Many countries have adopted legal definitions of VAs and VASPs that align with international instruments; EU members have implemented MiCA and the EU funds transfer rules, which together raise licensing, prudential and travel-rule standards.

Supervisors increasingly deploy standard risk-based tools: on‑site and off‑site inspections, regulatory returns adapted to crypto providers, and thematic reviews focused on Targeted Financial Sanctions (TFS) and the Travel Rule. Several authorities have augmented supervisory capability with blockchain analytics and added IT specialists to regulatory teams. Public registers and supervisory returns are becoming routine in multiple jurisdictions, and some supervisors now require detailed reporting on customer composition, transaction volumes and exposure by jurisdiction.

Cross-border cooperation is a strong point. FIU-to-FIU exchanges, Law Enforcement Agency (LEA) collaboration, and supervisory networks were widely reported as functioning effectively. Jurisdictions used these channels to support asset freezes, criminal referrals and coordinated inquiries, demonstrating that international cooperation is a practical countermeasure to the inherently cross-border crypto ecosystem.

Bastian Schwind-Wagner _Follow

"Regulatory progress has strengthened oversight of VASPs, but operational gaps remain that criminals exploit through rapid innovation and cross-border flows. Improving STR quality and operationalising the Travel Rule are immediate steps that will materially enhance traceability and enforcement.

Sustained investment in blockchain analytics, targeted training, and structured public–private partnerships will be essential to keep pace with evolving typologies like sanctions evasion and DeFi misuse. International cooperation and regularly updated risk assessments must underpin national measures to ensure effectiveness across jurisdictions."

Emerging typologies and operational risks

The report identifies a series of typologies that continue to evolve rapidly and that require targeted attention:

• Sanctions evasion: sanctioned actors use peer-to-peer transfers, layering through intermediaries and escrow-like arrangements, as well as chain-hopping and mixers, to obscure flows. Stablecoins and fast cross-border transfers make evasion more attractive and feasible.
• Proliferation financing: state‑sponsored cyber theft and laundering of crypto (notably operations attributed to DPRK actors) illustrate how VAs can be weaponised to procure dual‑use goods or otherwise support proliferation.
• Money mules adapted for crypto: recruitment of individuals to host exchange accounts or to perform peer-to-peer transfers is a growing vector that complicates KYC and transaction monitoring.
• Fraud, romance scams and investment schemes: the irreversibility and speed of VA transfers amplify victim losses and create concentrated volumes of tainted assets that require careful tracing.
• Misuse of gaming and other non-financial rails: acceptance of VAs in online gaming and similar platforms creates channels for obfuscation and potential exposure to exploitative criminality, including child exploitation in extreme cases.

Practical enforcement and intelligence challenges

The report makes clear that legal frameworks are no substitute for operational capacity. Key enforcement shortfalls include weak detection of unlicensed operators, inconsistent application of sanctions against compliant failures, and low-quality suspicious transaction reports (STRs) produced by some VASPs.

Common operational obstacles observed across jurisdictions are:

• Incomplete Travel Rule implementation: only about 46% of jurisdictions had operationalised Travel Rule requirements at the time of data collection, leaving gaps in upstream information sharing that undermine traceability.
• Limited STR quality: automated or defensive STRs generated by monitoring tools without sufficient human analysis produce high volumes of low-value reports. Outsourcing of core AML functions and compliance teams dominated by IT experts with limited AML training reduce report usefulness.
• Resource and tooling constraints: many FIUs, supervisors and LEAs still lack commercial blockchain analytics, or cannot fully leverage such tools because of budgetary or staffing constraints. Smaller jurisdictions sometimes rely on external specialists to perform tracing.
• Freezing and seizure complexities: practical seizure often requires cooperation from custodial VASPs, judicial authorisations or mutual legal assistance when assets reside abroad. Handling seeded hardware wallets, multi‑sig custody and government-controlled wallets raises procedural and evidential questions.

What works – good practice examples

The report highlights several effective measures that other jurisdictions should consider replicating:

• Sectoral risk assessments and targeted NRAs: jurisdictions that performed dedicated VASP or sectoral assessments (rather than only a high-level NRA) gained actionable insights into typologies and supervisory priorities.
• Mandatory supervisory returns plus blockchain analytics: combining granular regulatory returns with on‑chain analytics improves detection of anomalies and can identify unregistered actors.
• Focused public–private partnerships (PPPs): structured PPPs and initiatives such as Malta’s FINREP and Gibraltar’s Project Nexus have strengthened STR quality and typology development by creating regular, trust-based exchange between FIUs, supervisors and VASPs.
• Outreach and supervised demonstrations: supervisory or FIU visits during which a VASP demonstrates monitoring systems and analytic processes lead to better mutual understanding and more targeted reporting.
• Integrated TFS checks within supervision: explicitly including targeted financial sanctions checks in VASP supervision (and sanctioning frameworks that include civil remedies) increases deterrence and operational clarity.

Immediate priorities for practitioners

For compliance officers, investigators and supervisors seeking to translate the report’s lessons into action, the following priorities are practical and urgent:

• Improve STR quality, not just quantity: invest in analyst training to complement automated alerts, require richer contextual narratives in reports, and use feedback loops from FIUs to onboard VASPs to typologies and reporting standards.
• Operationalise Travel Rule obligations end‑to‑end: implement the upstream automated exchange of originator and beneficiary data, ensure robust verification of self-hosted wallet transactions where feasible, and coordinate with foreign counterparts on cross-jurisdictional transfers.
• Harden TFS screening: ensure sanction-screening tools cover on‑chain identifiers, integrate blockchain analytics into sanctions screening workflows, and develop escalation protocols for suspected circumvention that include immediate freezing or voluntary holds pending legal orders.
• Build interoperable analytics and data-sharing channels: where direct procurement of tools is constrained, form consortia, leverage PPPs, or use regional supplier arrangements so LEAs and FIUs can jointly access tracing capabilities.
• Strengthen frameworks for handling seized VAs: adopt standardized custody and chain-of-custody processes (multi‑sig government wallets, audited custodial arrangements), and clarify procedures for using court-authorised transfers to government-controlled wallets so assets remain available for recovery or forfeiture.
• Target privacy-enhancing tools and DeFi risks with tailored controls: require VASPs to document exposure to mixers, chain bridges and privacy coins, and apply enhanced due diligence (EDD) or restrict acceptance of certain privacy-enhancing services where the regulatory appetite is low.

Longer-term systemic actions

The report emphasizes that national action must be sustained by international cooperation and continuous capability building. Long-term steps include:

• Ensure NRAs and sectoral risk assessments integrate TFS and proliferation financing explicitly, updating them regularly as typologies evolve.
• Expand structured PPPs including meaningful VASP representation so private sector insights flow into supervision and law enforcement in real time.
• Promote harmonised, expedited mechanisms for cross-border freezing and seizure of VAs to reduce dissipation risks and accelerate mutual legal assistance (MLA).

Encourage supervisory innovation in metrics collection to track Travel Rule compliance, STR quality and VASP registration coverage so regulators can quantify and address blind spots.

Luxembourg-specific considerations

In Luxembourg, the oversight of virtual assets and VASPs sits alongside the EU AML/CFT framework and the supervisory remit of the Commission de Surveillance du Secteur Financier (CSSF). Given Luxembourg’s concentration of banks, investment funds, professional specialised fiduciaries (PSFs) and an expanding FinTech ecosystem, VA-related risks are considered within the broader prudential and AML context rather than as an isolated niche. The CSSF expects firms to reflect VA exposures in their institutional risk assessments and to coordinate with national authorities where cross-border flows or third‑country VASPs are involved.

Typical CSSF focus areas or supervisory expectations

The CSSF’s supervisory approach emphasises robust governance, senior‑management accountability, and documented risk‑based policies. Examinations typically review board oversight of AML/CFT matters, documented procedures for onboarding and monitoring clients with VA exposure, effective transaction screening (including sanctions lists and on‑chain identifiers), and demonstrable use of analytics where material. The authority will expect clear documentation of rationale for accepting VA activity, evidence of due diligence on service providers, and prompt escalation protocols when suspicious patterns or potential sanctions evasion are detected.

Practical implications for in‑scope institutions

Luxembourg regulated entities should ensure their AML frameworks explicitly incorporate VA scenarios, with updated policies, evidence of control testing, and staff competence records. Investment funds and custodial banks must document how they assess custodial and counterparty risk when interacting with VASPs; PSFs should record enhanced governance steps where they facilitate VA transactions for clients. FinTechs licensed or operating under CSSF oversight need fitting internal controls, change‑management logs for analytic tools, and retention of CDD and transaction provenance data to support any supervisory requests.

Conclusion

MONEYVAL’s typologies report is a useful reality check: regulatory scaffolding for VASPs now exists across most jurisdictions, and law enforcement and supervisors are adopting better tools and cooperative practices. Nevertheless, the technology and typologies move faster than many enforcement and reporting processes.

To close the gap, practitioners must focus on operational measures:

• improving STR quality through analyst capacity and feedback;
• implementing Travel Rule exchanges and upstream sanctions screening;
• acquiring or sharing blockchain analytics; and
• building durable PPPs that turn industry data into actionable intelligence.

Only by pairing legal frameworks with consistent, resourced operational practice will jurisdictions limit the misuse of VAs for money laundering, terrorist financing, proliferation financing and sanctions evasion.

Dive deeper

• Council of Europe’s MONEYVAL ¦ New report on the use of virtual assets for money laundering and terrorist financing ¦ Link