16 July 2026
FATF ¦ Seventh Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs
FATF’s 2026 virtual assets update exposes persistent gaps in AML/CFT enforcement
The FATF’s seventh targeted update on virtual assets and virtual asset service providers shows that jurisdictions have continued to move forward on Recommendation 15 , but the pace of progress still falls short of what is needed to address real-world abuse. More countries have carried out risk assessments, more have defined how they intend to regulate the sector, and more have passed Travel Rule legislation. Yet the report makes clear that implementation often stops at the legal drafting stage. Turning rules into effective supervision, enforcement, and disruption of illicit activity remains the core problem.
That gap matters because the virtual asset ecosystem is not a niche compliance topic. It is a central part of the financial crime landscape, used for fraud, laundering, sanctions evasion, terrorist financing, and proliferation financing. The FATF’s findings show a sector that is expanding faster than many jurisdictions can supervise it, with criminals exploiting uneven rules, weak oversight, and cross-border frictions.
Risk assessments are increasing, but not driving action
One of the clearest signs of progress is the rising number of jurisdictions that say they have conducted a virtual asset and VASP risk assessment. In the 2026 survey, 86% of respondents reported having done so, up from 76% in 2025. On paper, this is a meaningful step. In practice, the FATF warns that many jurisdictions still struggle to convert those assessments into risk-based controls, supervision plans, and enforcement priorities.
That distinction is important. A risk assessment is only useful if it changes behaviour. The report shows that many jurisdictions have not yet used their findings to shape preventive measures, allocate resources, or target high-risk actors. This is especially problematic where authorities have chosen to prohibit virtual asset activity. A prohibition without active detection and enforcement can create a false sense of security while illicit providers continue to operate in the shadows.
Regulatory choices are becoming clearer, but not always effective
The report notes that more jurisdictions now know whether they intend to permit, restrict, or prohibit virtual asset activity. Most respondents said they permit virtual assets and VASPs, while a smaller but growing share have opted for partial or full prohibition. The FATF does not reject prohibition as a policy choice, but it warns that bans are only as strong as the ability to detect violations and apply sanctions.
That warning is well founded. Jurisdictions that prohibit virtual asset activity often do not take enough supervisory or enforcement action against unlicensed operators. In other words, the legal position may be clear, but the operational response is not. The result is a gap between policy and practice that criminals are quick to exploit.
The report also shows that many jurisdictions are still struggling to identify the natural or legal persons actually conducting VASP activity. That is a basic but difficult compliance issue, especially when firms operate across borders, use intermediaries, or present themselves as something other than what they are.
Licensing and registration remain uneven in practice
Licensing and registration are among the most important tools in the FATF framework, yet the report shows that operational implementation is still patchy. Most respondents that do not prohibit VASPs said they require licensing or registration. Even so, fewer jurisdictions reported having actually licensed or registered VASPs in practice.
This difference matters because a rule on paper does not create supervision by itself. It takes institutional capacity, clear definitions, proper intake procedures, and active oversight to make a licensing regime work. The FATF also notes that many jurisdictions continue to struggle with offshore VASPs that target local customers without having a meaningful local presence. More than a third of jurisdictions with licensing or registration frameworks have adopted a broader approach to capture some offshore activity, which reflects how difficult it is to regulate firms that are physically outside the jurisdiction but economically active within it.
The Travel Rule is spreading, but enforcement still lags
The FATF’s Travel Rule remains one of the most important transparency measures in the virtual asset space. It requires VASPs and financial institutions to obtain, hold, and transmit originator and beneficiary information for transfers. In the 2026 survey, 83% of respondents said they have passed legislation implementing the Travel Rule, a clear rise from the previous year.
Still, legislation is only the start. The report says that enforcement experience is limited, with almost half of jurisdictions that introduced Travel Rule legislation not yet taking Travel Rule-related supervisory or enforcement action. That is a serious concern, because a transparency rule without testing, supervision, and consequences risks becoming a symbolic measure rather than an effective control.
Jurisdictions should move quickly from legal adoption to operational use. VASPs should not assume that Travel Rule compliance is a long-term optional project. Regulators are clearly expecting real-world implementation, not just policy statements.
Criminal misuse is becoming more industrialised
The report’s most alarming findings are in the risk section. Virtual assets are increasingly embedded in highly organised criminal operations. The FATF highlights the growth of scam centres linked to organised crime groups, especially “pig butchering” frauds, where victims are manipulated over time into transferring money to fraudulent investment platforms. These schemes generate huge illicit proceeds and then move that money through complex chains involving unhosted wallets, OTC brokers, and weakly supervised entities.
The report also points to major cross-over risks between fraud, money laundering, sanctions evasion, terrorist financing, and proliferation financing. In one example, a Cambodia-based financial services conglomerate allegedly laundered billions in illicit proceeds while also being exploited by DPRK-linked actors to move stolen virtual assets connected to cyber theft and proliferation-related activity. That kind of convergence is exactly what makes virtual asset crime so hard to control. The same infrastructure can serve multiple illicit purposes at once.
Stablecoins are now a major concern
Stablecoins feature prominently in the FATF’s update. The report describes their growing use in fraud, terrorist financing, and sanctions evasion, and notes that some criminal networks are now deliberately designing stablecoin structures to resist freezing or other law enforcement action. That is a notable shift. It shows that illicit actors are not just using existing products, but also adapting the products themselves to reduce traceability and increase resilience against intervention.
The FATF also underscores a key compliance issue: not all stablecoin systems offer the same control features. Some legitimate issuers can freeze, block, or even seize or burn tokens in response to lawful requests. Criminal-linked structures may try to build around those controls. That means regulators and VASPs cannot assume that issuer-level safeguards will always be available. They need clear expectations for stablecoin issuance, strong AML/CFT controls, and technical capacity to respond to lawful orders.
Unhosted wallets and P2P transfers remain a structural weak point
Peer-to-peer transfers via unhosted wallets continue to present elevated risk. The problem is not that public blockchains are invisible. It is that they are pseudonymous and can be used to create layers of distance between the original source of funds and the final destination. The absence of an obliged intermediary in many P2P transfers leaves a structural gap in the AML/CFT framework.
The FATF says most jurisdictions view these transactions as high risk, but only a minority collect and assess market metrics to understand the scale of the risk. That is a practical weakness. Without data, monitoring becomes guesswork. And without monitoring, risk-based controls are hard to justify or improve.
Offshore VASPs remain a pressure point
The report frequently mentions offshore VASPs because they are at the intersection of regulatory arbitrage and weak enforcement. These firms can target users in other jurisdictions, offer lower compliance standards and exploit social media, affiliate schemes, VPNs and misleading onboarding practices to attract customers. Some even misrepresent themselves as ordinary retail users when accessing host VASP services, which can hide the true nature and scale of their activities.
The FATF is clear that effective supervision requires more than formal territorial rules. Authorities need the ability to detect offshore operators, understand their business models, and take action where they exploit local markets without meeting local obligations. That may require warnings, access restrictions, takedowns, and coordinated action with foreign counterparts.
DeFi remains difficult to regulate, but the risk is real
Decentralised finance (DeFi) remains one of the toughest areas for supervisors. The FATF again notes the difficulty of identifying who controls or sufficiently influences DeFi arrangements. Only a small number of jurisdictions have imposed licensing or registration requirements in practice, and enforcement action is rare.
That said, the report is careful not to treat DeFi as beyond the reach of regulation. Where identifiable controllers exist, or where an arrangement is centralised in practice, the FATF Standards may apply. The problem is not the absence of legal theory. It is the difficulty of applying that theory to rapidly changing structures, cross-border systems, and technical setups that are designed to avoid traditional points of control.
The private sector has to do more too
VASPs, stablecoin issuers, and qualifying DeFi arrangements should strengthen AML/CFT/CPF controls, apply the Travel Rule properly, and improve monitoring of high-risk activity. That includes enhanced due diligence (EDD) for unhosted wallets and offshore counterparties, stronger blockchain analytics, better wallet screening, and faster escalation of suspicious patterns.
The report also stresses the importance of cooperation with authorities and with other private-sector actors. That includes sharing typologies, red flags, and operational intelligence. In a sector where funds can move across chains and borders in seconds, information sharing is not a nice-to-have. It is part of the control environment.
The key message for compliance teams
The FATF’s July 2026 update is a warning that the virtual asset sector has entered a more mature and more dangerous phase of financial crime risk. The problems are no longer limited to whether a jurisdiction has a law in place. The real question is whether the law is enforced, whether supervisors can identify the actors involved, and whether the private sector can stop abuse quickly enough to matter.
Virtual asset risk should be treated as a live financial crime issue, not a future regulatory topic. The highest-risk areas now include stablecoins, P2P transfers through unhosted wallets, offshore VASPs, cross-chain activity, and DeFi structures with identifiable controllers. The FATF is signalling that supervision, enforcement, and public-private cooperation will all need to tighten if the sector is to be brought under effective control.
Dive deeper
- FATF ¦ Seventh Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs ¦ Link