FATF ¦ R.15 New Tech­no­lo­gies

Recommendation 15: Managing Risks from New Technologies in Financial Crime Prevention

Financial crime controls must keep pace with innovation. Recommendation 15 directs countries and financial institutions to identify, assess and manage the money laundering, terrorist financing and proliferation financing risks that arise from new products, business practices and technologies. The guidance is especially important for virtual assets (VAs) and virtual asset service providers (VASPs), where rapid technological change has outpaced many regulatory frameworks and created new channels for illicit finance.

Assessing risk before launch

Recommendation 15 requires risk assessment to occur before a new product, delivery mechanism or technology is launched. That means firms must evaluate how a proposed offering could be abused, the likely threat actors, the jurisdictions and counterparties involved, and which controls will be effective. For regulators, the obligation is to ensure markets do not become safe havens for criminal innovation by requiring documentation of those risk assessments and by supervising their implementation. The expectation is not a one-off checklist but a proportionate, documented process that informs design, operational procedures and ongoing monitoring.

Virtual assets treated as value and subject to FATF measures

The interpretive note clarifies that virtual assets should be regarded as property, proceeds, funds or their corresponding value, so the FATF framework applies. Countries must identify and understand money laundering, terrorist financing and proliferation risks arising from virtual asset activity and VASP operations, then apply a risk-based approach proportionate to those risks. Where risks are identified, countries must require VASPs to take effective actions to mitigate them. This establishes parity between traditional financial instruments and virtual assets for the purposes of AML/CFT obligations.

Licensing, registration and preventing criminal control

Recommendation 15 sets a clear baseline: VASPs must be licensed or registered at minimum in the jurisdiction where they are created or where a natural person’s business is located. Jurisdictions may go further and require licensing where VASPs offer services to customers in the jurisdiction or operate from it. Competent authorities must take measures to prevent criminals or their associates from holding significant or controlling interests in VASPs or serving in management roles. Where unlicensed activity is detected, countries must identify the entities involved and apply appropriate sanctions. The framework allows existing licensed financial institutions that perform VASP activities under their existing license to be treated under their existing supervision rather than subject to a separate VASP licensing regime.

Bastian Schwind-Wagner _Follow

"Recommendation 15 anchors innovation to responsible risk management. It compels both countries and firms to assess and mitigate AML/CFT risks before new technologies or products go live. This is essential as virtual assets increasingly intersect with traditional finance.

Effective implementation hinges on licensing VASPs, robust supervision, and clear information requirements for transfers. Paired with proportionate sanctions and strong cross‑border cooperation, these measures deter abuse while allowing compliant businesses to thrive."

Supervision, monitoring and supervisory powers

VASPs must be subject to regulation and effective supervision or monitoring for AML/CFT, and they must implement the relevant FATF Recommendations. Supervisors should apply risk-based supervision and have adequate powers to inspect, compel information and impose sanctions, including withdrawing, restricting or suspending a license or registration. The interpretive note emphasizes that supervisors should be empowered to ensure VASP compliance with preventive measures and to take corrective or disciplinary action when shortcomings are identified.

Sanctions and accountability

Countries must provide a range of effective, proportionate and dissuasive sanctions — criminal, civil or administrative — against VASPs and their senior management when AML/CFT requirements are breached. Sanctions should be sufficient to change business behaviour and deter misconduct, consistent with Recommendation 35. This focus on corporate and managerial responsibility aims to close accountability gaps that could otherwise allow systemic weaknesses to persist.

Preventive measures that apply to VASPs

The preventive measures laid out in Recommendations 10 to 21 apply to VASPs, with specific qualifications. Notably, the occasional transaction threshold for customer due diligence at VASPs is USD/EUR 1,000. Originating VASPs must obtain and hold accurate originator and beneficiary information on virtual asset transfers and submit that information to the beneficiary VASP or financial institution immediately and securely. Beneficiary VASPs must obtain and retain the same information and make it available to competent authorities upon request. These information-sharing obligations mirror correspondent banking expectations for transfers and are essential to traceability and effective investigation.

International cooperation and supervisory information exchange

Recommendation 15 stresses rapid, constructive and broad international cooperation on money laundering, predicate offences and terrorist financing related to virtual assets. Supervisors should exchange information promptly and constructively with foreign counterparts, regardless of differences in supervisory structures or how VASPs are defined in different jurisdictions. Cross-border cooperation is crucial because virtual asset flows often cross multiple legal regimes within minutes.

Practical implications for industry and policy makers

For financial institutions and VASPs, Recommendation 15 means embedding robust risk assessment and mitigation into product development, technology adoption and day-to-day operations. That includes threat modeling, enhanced transaction monitoring tuned to new patterns of abuse, robust KYC and beneficial ownership controls, secure data practices for recordkeeping and information sharing, and governance structures that prevent criminal control. For policymakers, the priority is to establish clear licensing/registration regimes, supervisory mandates, enforcement capabilities and international arrangements that enable prompt information exchange.

Conclusion: risk-based regulation for innovation

Recommendation 15 balances the need to support innovation with the necessity of preventing misuse. By requiring pre-launch risk assessments, licensing and effective supervision for VASPs, mandated information requirements for transfers, and strong international cooperation, the FATF framework creates a practical roadmap. Effective implementation depends on translating these principles into detailed regulatory standards, supervisory capacity and industry practices that keep pace with technological change while safeguarding the integrity of the financial system.

Dive deeper

• FATF ¦ The FATF Recommendations ¦ Link
• FATF ¦ Luxembourg’s measures to combat money laundering and terrorist financing ¦ Link