FATF Recommendation 15: The Global Standard Nobody Fully Implements | VASP Compliance Guide
VASP Compliance Deep-Dive · Post 2

FATF told every country to regulate Virtual Asset Service Providers in 2019. Seven years later, adoption is still patchy. Here’s what R.15 actually requires, and where the gaps remain.

FATF / AML-CFT · VASP Regulation · Travel Rule · Sanctions · Updated June 2026

In October 2018, the Financial Action Task Force amended its 40 Recommendations to explicitly bring virtual assets and the businesses that handle them into the global anti-money-laundering framework. Recommendation 15 became the legal anchor for an entirely new regulated sector. Yet in its own 2024 annual compliance report, FATF acknowledged that fewer than half of jurisdictions had achieved even “largely compliant” status with the measures the standard requires. That gap, between what is written and what is enforced, is exactly what every compliance professional in the VASP space must understand.

  • 2019: R.15 VASP rules enacted
  • <50%: Jurisdictions largely compliant (2024)
  • 206: FATF member & observer jurisdictions
  • $1K: Travel Rule threshold (USD/EUR)

What Is FATF Recommendation 15?

Recommendation 15 originally dealt with new technologies more broadly: it required countries to identify and assess money-laundering and terrorist-financing risks emerging from new technologies. The June 2019 amendment overhauled R.15 to add a dedicated framework for virtual assets (VAs) and Virtual Asset Service Providers (VASPs).

This was not a soft suggestion. The amendment required member jurisdictions to:

  • Define VASPs in national law and subject them to AML/CFT obligations
  • Require VASPs to register or obtain a license before operating
  • Apply the full suite of FATF Recommendations, including the Travel Rule, to VASP activity
  • Ensure VASPs are supervised or monitored by a competent authority
  • Implement targeted financial sanctions and sanctions screening obligations

“Countries should ensure that virtual asset service providers are regulated for AML/CFT purposes, and licensed or registered and subject to effective systems for monitoring or supervision.” (FATF Recommendation 15, 2019 Amendment)

The October 2021 Updated Guidance refined the framework considerably, clarifying the treatment of DeFi protocols, NFTs, and stablecoins, and addressing evolving interpretive questions raised by industry and regulators alike.

A Brief Legislative Timeline

  • 2012: FATF 40 Recommendations Revised. R.15 introduced, focusing on new technology risk assessment; no specific VASP language yet.
  • June 2019: R.15 Amended, VASPs Included. VASPs brought formally within the AML/CFT framework. Travel Rule obligations applied to virtual asset transfers.
  • March 2021: 12-Month Review Published. FATF acknowledges slow adoption; pushes jurisdictions to accelerate licensing regimes and Travel Rule implementation.
  • October 2021: Updated Guidance on VAs and VASPs. Expanded 110-page guidance issued covering DeFi, NFTs, stablecoins, P2P transactions, and unhosted wallets.
  • 2024–2026: Ongoing Mutual Evaluations. FATF mutual evaluation rounds continue to expose patchy VASP regulation across most regions. Grey list pressure intensifies.


The Four Pillars of R.15 Compliance

Breaking down the full scope of Recommendation 15, there are four interconnected compliance requirements that every VASP, and every regulator, must address.

  • Pillar 01: Licensing & Registration. VASPs must be licensed or registered with a competent national authority before commencing operations. Countries must prohibit unlicensed entities.
  • Pillar 02: AML/CFT Obligations. Full application of FATF Recommendations including CDD, EDD, record-keeping, suspicious transaction reporting, and PEP screening.
  • Pillar 03: The Travel Rule (R.16). Originating VASPs must collect and transmit beneficiary and originator information for VA transfers above USD/EUR 1,000.
  • Pillar 04: Sanctions Screening. VASPs must screen customers and counterparties against targeted financial sanctions lists. Real-time screening of wallet addresses is expected.

Pillar 1: Licensing and Registration

FATF requires jurisdictions to set up a licensing or registration mechanism specifically for VASPs. This is more nuanced than it sounds:

  • Fit and proper tests: Beneficial owners, senior managers, and key controllers of VASPs must meet integrity standards.
  • Prohibition on unlicensed activity: Countries must make it a criminal or administrative offence to operate as a VASP without authorization.
  • Extraterritorial reach: A VASP licensed in Country A but offering services to residents of Country B may be subject to Country B’s registration requirements too, a persistent compliance headache.
  • De-registration/suspension powers: Regulators must have the ability to revoke licenses for non-compliance, not merely impose fines.

ℹ️ Licensing vs. Registration: What’s the Difference?

FATF permits both licensing (a more intensive pre-authorization review) and lighter-touch registration. Critically, neither model exempts the VASP from ongoing AML/CFT supervision. Many jurisdictions have opted for registration first and plan to move toward full licensing, a transition that often stalls.

Pillar 2: AML/CFT Obligations in Practice

For VASPs, the core AML/CFT obligations mirror those applied to traditional financial institutions, but their practical application in the crypto context creates unique challenges:

  1. Customer Due Diligence (CDD): Identity verification at onboarding, ongoing monitoring of transaction behavior, and risk-based enhanced due diligence (EDD) for high-risk customers.
  2. Beneficial Ownership: For corporate clients, VASPs must identify and verify the ultimate beneficial owner, not merely the legal entity.
  3. Suspicious Transaction Reporting (STR): VASPs are required to file STRs with Financial Intelligence Units (FIUs) when they suspect funds are proceeds of crime or linked to terrorism financing.
  4. Record-Keeping: Transaction records and CDD documentation must be retained for at least five years following the end of a customer relationship.
  5. Staff Training: AML officers must be competent and empowered; compliance cannot be a checkbox exercise.

⚠️ The Pseudonymity Problem

Unlike bank accounts, blockchain addresses carry no inherent identity. This means VASPs must work harder to attribute on-chain activity to known customers, using blockchain analytics tools, IP geolocation, behavioral analytics, and transaction monitoring platforms that recognize suspicious patterns like chain-hopping, mixer use, and layering techniques.

Pillar 3: The VASP Travel Rule Explained

The Travel Rule, originally from the banking world, is arguably the most technically complex and least consistently implemented element of R.15. Applied to virtual assets, it requires the following:

  1. Originating VASP Collects Information

    For transfers at or above USD/EUR 1,000, the originating VASP must collect the originator’s name, account number (or wallet address), physical address (or national ID / date and place of birth), and the beneficiary’s name and wallet address.

  2. Information Transmitted to Beneficiary VASP

    The collected data must be transmitted to the beneficiary VASP immediately and securely. FATF does not mandate a specific protocol; this has led to competing interoperability solutions like TRISA, OpenVASP, Sygna, and others.

  3. Beneficiary VASP Screens and Records

    The receiving VASP must take reasonable measures to identify and verify the originator information, screen against sanctions lists, and retain records for the required period.

  4. Sunrise Problem Management

    Where a counterparty VASP operates in a jurisdiction that has not yet implemented the Travel Rule, the originating VASP must apply risk-based measures. This “sunrise problem” remains unresolved for many cross-border transactions.

💡 Expert Insight: The Interoperability Challenge

No single Travel Rule messaging standard has achieved global dominance. The VASP ecosystem currently uses a fragmented patchwork of protocols (TRISA, OpenVASP, Sygna Bridge, VerifyVASP, and others) that do not always communicate with each other. FATF’s technology-neutral stance, while intentionally flexible, has inadvertently slowed harmonization.

Pillar 4: Sanctions Screening for VASPs

VASPs are required to implement targeted financial sanctions (TFS) screening as part of their AML/CFT frameworks. In practice, this means:

  • Customer screening: All customers, and their beneficial owners, must be screened against UNSC, OFAC, EU, UK, and local sanctions lists at onboarding and on an ongoing basis.
  • On-chain address screening: Regulators increasingly expect VASPs to screen wallet addresses against blockchain analytics databases that flag addresses linked to sanctioned entities, ransomware wallets, or terrorist-linked funds.
  • Real-time blocking: Unlike traditional finance where batch screening may suffice, the 24/7, near-instantaneous nature of blockchain transactions means VASPs must implement real-time screening with automated blocking capabilities.
  • Sanctions hits and escalation: When a match is identified, VASPs must have documented escalation procedures, freeze mechanisms, and reporting obligations to their relevant authority.

🚨 Enforcement Reality Check

Bitfinex, BitMEX, Binance, Kraken, and several other major exchanges have faced multi-million dollar enforcement actions in recent years for sanctions screening failures, BSA violations, and inadequate AML programs. Regulators are no longer treating crypto as a novelty; enforcement is real, global, and escalating.


The Implementation Gap: Where Countries Are Falling Short

FATF’s own data makes uncomfortable reading. The organization’s 2024 review of VASP regulation found persistent and significant gaps across all four pillars, with the Travel Rule and sanctions screening showing the most acute weaknesses.

| R.15 Requirement | Global Adoption Status | Primary Barrier | Risk Level |
|---|---|---|---|
| VASP Licensing / Registration | Partial | Slow legislative reform; definitional ambiguity | Medium |
| CDD / KYC Obligations | Mostly Adopted | Inconsistent enforcement quality | Medium |
| Suspicious Transaction Reporting | Partial | Under-reporting; low FIU crypto expertise | Medium–High |
| Travel Rule Implementation | Limited | Technical complexity; sunrise problem; no standard protocol | High |
| Sanctions / TFS Screening | Limited | On-chain screening tools; real-time capability gap | High |
| DeFi / Unhosted Wallets | Very Limited | Legal and technical uncertainty; no settled framework | Very High |

Regional Breakdown: Who’s Ahead, Who’s Behind?

| Region / Jurisdiction | Licensing | Travel Rule | Overall R.15 Status |
|---|---|---|---|
| European Union (MiCA / AMLR) | Advanced | Implemented | Leading |
| United States | Fragmented | Partial | Developing |
| United Kingdom | Registration only | Implemented | Progressing |
| Singapore / Hong Kong | Advanced | Implemented | Leading (APAC) |
| UAE / Dubai (VARA) | Advanced | Partial | Progressing |
| Sub-Saharan Africa | Nascent | Not implemented | Early stage |
| Latin America | Mixed | Minimal | Mixed |
| Central Asia / CIS | Limited | Not implemented | Lagging |

⚠️ The Five Most Persistent Compliance Gaps (FATF Data)

  • Lack of legal clarity on which entities qualify as VASPs, particularly for DeFi protocols and P2P platforms
  • Travel Rule interoperability: no dominant protocol means cross-border data transmission remains inconsistent
  • Inadequate supervision resources: national regulators often lack technical staff to assess VASP compliance
  • Unhosted / self-custodied wallet interactions: no consistent framework for how VASPs handle transfers to/from non-custodial wallets
  • Low quality STR reporting: VASPs file STRs but FIUs lack analytical capacity to action them effectively

What the October 2021 Updated Guidance Added

The 2021 guidance was a significant expansion, addressing questions that the 2019 amendment left open. Key clarifications for compliance teams include:

DeFi and the “Who Is the VASP?” Question

FATF confirmed that decentralization does not automatically exempt a protocol from VASP obligations. Where a natural or legal person maintains control or sufficient influence over a DeFi protocol (even if the software operates autonomously), that person may qualify as a VASP and be subject to R.15. This is a challenging standard to enforce, but it represents FATF’s clear regulatory intent.

NFTs: Functional Analysis Required

Non-fungible tokens are not automatically outside the scope of virtual asset regulation. FATF requires a functional analysis: if an NFT is used primarily as a financial instrument rather than a unique digital collectible, it may fall within the definition of a virtual asset. Platforms trading high-value NFTs should consider seeking legal opinions on their regulatory exposure.

Stablecoins: Heightened Risk

Stablecoins, particularly those designed for global scale, are flagged as potentially presenting elevated ML/TF risks due to their speed, global reach, and use in cross-border transactions. The guidance specifically calls out the need for robust AML/CFT controls at stablecoin issuers and at VASPs handling significant stablecoin volumes.

Pro Tip for Compliance Officers

Review your product lineup against the 2021 guidance functional definitions. A product that clearly falls outside “virtual asset” today may be reclassified as regulatory interpretations evolve, especially for NFTs, tokenized real-world assets (RWAs), and protocol governance tokens that confer economic rights.


What R.15 Means for VASP Compliance Teams

Whether you are building a compliance program from scratch or auditing an existing one, R.15 defines the baseline. Here is how it maps to practical day-to-day obligations:

  • Governance: MLRO & Compliance Function. A qualified Money Laundering Reporting Officer must be appointed. The compliance function must have board-level visibility and independent reporting lines.
  • Technology: Blockchain Analytics. R.15 compliance at scale requires blockchain analytics tools (Chainalysis, Elliptic, TRM Labs etc.) for transaction monitoring and wallet screening.
  • Operations: Travel Rule Solution. VASPs must subscribe to or build a Travel Rule messaging solution. Vendor selection should consider which protocols your major counterparties use.
  • Policy: Written AML/CFT Program. A documented risk-based AML/CFT program, covering CDD, EDD, sanctions, STR, and Travel Rule, is not optional. It is the first thing examiners request.


Key Takeaway

Understanding Recommendation 15 is not a nice-to-have for anyone working in VASP compliance; it is the essential baseline. Every national regulation your jurisdiction has enacted (MiCA, UK MLRs, MAS PSA, FinCEN rules, VARA frameworks) flows from the R.15 architecture. The gaps in global adoption are not an invitation to arbitrage; they are a regulatory risk in themselves. Jurisdictions on the FATF grey list face diplomatic and financial pressure that directly affects the VASPs operating within them.


Frequently Asked Questions

What exactly is a VASP under FATF’s definition?

A Virtual Asset Service Provider is any natural or legal person who, as a business, conducts one or more of the following: exchange between virtual assets and fiat currencies; exchange between one or more forms of virtual assets; transfer of virtual assets; safekeeping or administration of virtual assets; and participation in, and provision of, financial services related to an issuer’s offer or sale of virtual assets. The key word is “business”: incidental or purely personal activity is generally excluded, though regulators interpret this threshold differently.

Does R.15 apply to DeFi protocols?

Potentially yes, depending on the degree of control maintained by developers, governance token holders, or administrators. FATF’s 2021 guidance confirmed that if a “responsible person” exercises control or sufficient influence over a DeFi protocol, they may qualify as a VASP. Fully automated, truly decentralized protocols with no controlling party exist in a regulatory grey zone, but FATF has signaled that claiming decentralization as a shield is not a compliant strategy.

What threshold triggers the Travel Rule for crypto transactions?

FATF sets the threshold at USD/EUR 1,000 (or equivalent in any virtual asset). Below this threshold, VASPs must still collect originator and beneficiary information, but are not required to transmit it; they must, however, retain it and provide it on request to law enforcement. Some jurisdictions (notably the EU under TFR) have imposed a zero threshold, requiring Travel Rule data for all transfers regardless of amount.

What is the “sunrise problem” in Travel Rule compliance?

The sunrise problem refers to the challenge that arises when a VASP in a jurisdiction that has implemented the Travel Rule tries to send compliant Travel Rule data to a VASP in a jurisdiction that has not yet enacted the requirement. The receiving VASP may have no system to receive or process the data. FATF’s guidance suggests that originating VASPs must apply risk-based measures in these situations, which in practice often means enhanced due diligence on the counterparty or, in high-risk cases, declining the transaction.

How does FATF enforce R.15 compliance against member countries?

FATF enforces compliance indirectly through its Mutual Evaluation process: periodic peer reviews that assess each jurisdiction’s legal framework and the effectiveness of its AML/CFT system. Countries found to have significant R.15 deficiencies can be placed on the “grey list” (Jurisdictions Under Increased Monitoring), which carries substantial reputational and economic consequences. Grey-listed countries face pressure from correspondent banks, international investors, and diplomatic channels to accelerate reforms.

Are NFT platforms subject to VASP regulation?

It depends on the NFT’s function. FATF applies a functional test: if an NFT operates more like a financial instrument (conferring fractional ownership, being used primarily for speculation, or functioning as a payment mechanism), it may fall within the virtual asset definition and subject the platform to VASP obligations. Platforms trading unique, non-fungible digital art collectibles in low volumes are generally considered lower risk, but high-volume trading platforms handling NFTs with financial characteristics should seek specific regulatory guidance.


Conclusion: R.15 Is the Floor, Not the Ceiling

FATF Recommendation 15 represents the global minimum standard for regulating virtual assets and the service providers that handle them. It is not a perfect framework: its technology-neutral approach creates implementation ambiguity, the Travel Rule remains technically fragmented, and the treatment of DeFi and unhosted wallets is still evolving.

But it is the framework. Every national regulator is building from it. Every mutual evaluation scores against it. Every grey-listing decision references it. For compliance professionals working in the VASP space, deep fluency with R.15 (its four core pillars, the 2021 guidance updates, and the persistent global gaps) is not optional background knowledge. It is the job.

The countries and VASPs that treat R.15 as the floor to build upon, rather than the ceiling to reach, are the ones that will navigate the next phase of regulatory tightening without existential risk. Those that continue to arbitrage the implementation gaps are betting against a tide that FATF, regulators, and enforcement agencies are working, year by year, to close.
