FATF ¦ Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers (oVASPs)

Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers

Offshore virtual asset service providers (oVASPs) present a growing and complex challenge for anti-money laundering, counter-terrorist financing and counter-proliferation financing regimes worldwide. The FATF’s March 2026 targeted report on oVASPs explains how these entities – VASPs created or located in one jurisdiction that actively provide services into other jurisdictions – can exploit regulatory gaps, frustrate supervision and enable significant illicit-finance activity. This article synthesises the report’s key findings, examines typical abuse patterns, and sets out practical steps that public and private sector actors can take to reduce the risks posed by oVASPs.

Why oVASPs matter: features that raise concern

oVASPs often combine cross-border digital delivery with corporate arrangements designed to minimise regulatory touchpoints. They solicit and onboard customers through online apps, social media, sponsored content and affiliate networks while placing senior management, compliance functions and data infrastructure in other jurisdictions. That structure reduces local visibility and can delay or prevent meaningful engagement by supervisors and law enforcement.

Two broad types of offshore providers emerge in practice: those that unintentionally fall outside a host jurisdiction’s licensing rules because they misinterpret legal requirements, and those that intentionally structure operations to evade licensing, oversight and enforcement. The second group can fragment operations across multiple legal entities, use nominee or “dummy” compliance personnel, pool global customers through omnibus accounts, and route deposits and withdrawals through nested arrangements with other VASPs or intermediaries. Where home jurisdictions lack robust AML/CFT/CPF frameworks, these behaviours create strong incentives for regulatory arbitrage.

Bastian Schwind-Wagner _Follow

"Offshore VASPs exploit gaps between jurisdictions, enabling faster and more opaque movement of virtual assets and increasing the risk of money laundering, terrorist financing and sanctions evasion. Effective mitigation requires coordinated action across home and host supervisors, timely international cooperation, and active participation from banks and regulated VASPs to block unlicensed providers.

Practical steps include clear rules on what constitutes active provision into a market, stronger local presence requirements where licensing is imposed, and a mix of detection tools – blockchain analytics, STRs and open-source monitoring – to identify problematic actors. Graduated enforcement and robust information-sharing channels are essential to deter abuse and preserve the integrity of the financial system."

Key typologies and risks

Several recurring misuse patterns elevate the risk of money laundering, terrorist financing and proliferation financing:

• Active targeting and circumvention. oVASPs advertise and actively solicit customers in jurisdictions where they are not licensed. They encourage workarounds – VPNs, false information or surrogate marketing – making it harder for supervisors and consumers to distinguish authorised from unauthorised providers.
• Nested and intermediated relationships. oVASPs often access liquidity, trading, custody and fiat on- and off-ramps through accounts at regulated onshore VASPs or through intermediaries. These “nested” relationships can hide the identity of the underlying actor and the true nature of transactions. Host VASPs may bear regulatory and reputational risk if they cannot exercise adequate due diligence or lack visibility into the underlying customers.
• Global pooling of customers. Service models that pool account servicing at group or platform level across jurisdictions obscure which legal entity is responsible for AML/CFT/CPF obligations and slow down investigations.
• Regulatory arbitrage. Incorporating or routing operations through jurisdictions with weak or no virtual asset frameworks allows providers to offer lower compliance-cost pricing that undercuts regulated competitors and increases systemic exposure to illicit finance.
• Use in complex ML/TF/PF schemes. oVASPs have been leveraged as entry and layering points in large fraud networks, scam compounds, ransomware and state-sponsored or sanctioned activity. They are also used to move small-value funds for terrorist financing with speed and opacity.

Operational challenges for supervisors and investigators

Supervision and enforcement encounter multiple barriers. Many oVASPs lack meaningful physical presence in the jurisdictions they serve, or they present nominal local representatives who cannot access the data and systems authorities need. Where data and accounts are held abroad or across multiple entities, domestic authorities face delays because they must pursue co-operation through foreign supervisors, FIUs or mutual legal assistance channels. The uneven global implementation of cross-border transparency measures – the “Sunrise issue ” for the Travel Rule – creates additional blind spots for tracing originator and beneficiary data on cross-border transfers.

Good practices to detect and reduce oVASP risk

The FATF’s report synthesises practical approaches used by jurisdictions and industry.

These include:

• Building diverse detection toolkits. Relying on a single source is often insufficient. Effective detection combines blockchain and ledger analytics with open-source intelligence, web scraping, monitoring of app stores and social media, suspicious transaction reports from domestic VASPs and banks, and tips from the public. The best results come when analytic tools are used alongside traditional supervisory intelligence and reporting: analytics can identify on-chain flows and clusters, while STRs and OSINT reveal on-ramps, marketing and local customer links.
• Thematic reviews and targeted outreach. Supervisors can perform desk-based or hybrid thematic reviews that map exposure to oVASPs, identify common access points (nested accounts, payment rails, intermediaries) and test whether domestic VASPs and banks apply adequate controls. Where intelligence indicates likely local servicing, supervisors should directly engage the oVASP to clarify nexus and, if appropriate, require registration, licensing or cessation of activity.
• Clarifying and enforcing territorial scope. Jurisdictions that choose to bring oVASPs into scope should clearly define what “active provision” of services means – for example, targeted marketing in local language, app availability in the jurisdiction’s app stores, use of local payment rails, onboarding of residents, or deriving a material share of turnover from domestic users. Clear statutory or regulatory markers reduce disputes and support enforcement.
• Requiring sufficient local presence and accountability. Where licensing is required, setting expectations so that compliance officers or principal officers are actually based in-jurisdiction, have access to full customer records, and possess the seniority to act independently strengthens enforceability. Verification at the licensing stage and ongoing assessment of the independence and effectiveness of local compliance functions are essential.
• Applying gatekeeping measures. When outreach fails or non-compliance persists, host jurisdictions can enlist intermediaries – banks, payment service providers, app stores, domain registrars and online platforms – to restrict access. Measures that have been effective include public blacklists and whitelists, takedown requests for unauthorised apps and websites, civil litigation against persistent promoters, and targeted guidance to obliged entities to refuse service to unlicensed oVASPs.
• Coordinated domestic responses. Because oVASP activity intersects AML/CFT/CPF supervision, securities oversight, payment regulation, tax, consumer protection and cybercrime, formal multi-agency coordination mechanisms enable faster, coherent action. Inter-agency task forces and public–private forums are useful to share trends, typologies and operational leads.
• Strengthening international cooperation. Supervisor-to-supervisor and FIU-to-FIU channels are critical. Bilateral MOUs, participation in supervisory roundtables and use of platforms such as Egmont for FIU cooperation shorten response times. Home supervisors must be prepared to obtain and share information about entities incorporated in their jurisdiction, and to take action – remedial, administrative or enforcement – where a VASP’s overseas conduct harms other jurisdictions.

Enforcement tools and graduated responses

Effective mitigation typically combines public warnings, remedial plans, market-access restrictions and proportionate sanctions. Jurisdictions with experience show that graduated action – beginning with warnings and outreach and escalating to app and domain takedowns, restrictions on intermediaries, civil litigation, financial penalties or criminal prosecutions – achieves both deterrence and consumer protection objectives. Home jurisdictions remain central: robust supervision and timely enforcement by the VASP’s jurisdiction of incorporation are often decisive in disrupting abusive offshore operations.

What home jurisdictions must do

The FATF report underscores that home jurisdictions bear primary responsibility for licensing, supervision and enforcement of VASPs created or located in their territory. They should ensure risk-based supervision that considers the VASP’s global footprint, be able to compel and share information rapidly with foreign counterparts, and proactively alert host jurisdictions when significant activity affects other markets. Where a VASP’s global operations reveal governance or compliance failures, supervisors should take timely remedial or punitive action.

What host jurisdictions should consider

Host jurisdictions should include oVASP activity in national VA risk assessments and decide – consistent with Interpretive Note to Recommendation 15 (new technologies) INR.15.3 – whether to adopt activity-based licensing. Where licensing is required, authorities should define active provision clearly, require adequate in-jurisdiction presence when appropriate, use thematic reviews to detect embedded risks and apply gatekeeping measures to protect local consumers and maintain a level playing field.

Responsibilities for the private sector

Banks, payment institutions and VASPs play a gatekeeping role. They should identify exposure to oVASPs through risk-based due diligence, be alert to nested relationships and unusual routing patterns, and apply group-wide controls for global activities. Obliged entities should notify supervisors when they detect unlicensed oVASPs and avoid establishing or continuing business relationships with such providers.

Conclusions

Offshore VASPs will continue to be a focal point for illicit-finance risk while regulatory implementation and supervisory capacity vary across jurisdictions. The FATF’s analysis shows that a combination of detection capabilities, clear territorial rules, robust home-jurisdiction supervision, targeted host-jurisdiction measures and strengthened international cooperation forms the most effective defence. Public and private sector actors must work together – sharing intelligence, tightening onboarding and nested-relationship controls, and using available enforcement levers – to limit the space where oVASPs can be misused and to protect consumers and the integrity of the global financial system.

Dive deeper

• FATF ¦ Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers (oVASPs) ¦ Link