
What are Virtual Assets and Virtual Asset Service Providers, and why do we need to know about the Financial Action Task Force?

FATF Background

Founded in 1989, the Financial Action Task Force (FATF) is an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction. The FATF Recommendations are recognized as the global anti-money laundering (AML) and counter-terrorist financing (CFT) standard. Not only does FATF set recommendations, but it also evaluates countries based on their performance.

In October 2018, the FATF added two new definitions for a virtual asset (VA) and virtual asset service provider (VASP) to its glossary. In 2019, the FATF released its VA guidance and has continued to review and update this guidance based on feedback from the industry. The guidance was last updated in October 2021, and is intended to help national authorities, VASPs, financial institutions and other entities involved in virtual asset activities understand their AML/CFT obligations and how they can effectively comply with these requirements.

FATF’s definition of a VA

A virtual asset [VA] is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations. Source: Glossary of the FATF Recommendations

So…What would and what wouldn’t be a VA?

What ARE examples of VAs
  • Bitcoin, Ether, Doge, Litecoin, etc.
  • A stablecoin will be considered either a virtual asset or a traditional financial asset, depending on its exact nature.
  • Gaming tokens and NFTs when they can be “cashed out” by exchanging the digital currency back to fiat currency or may act as a substitute for fiat currency.

What ARE NOT examples of VAs
  • Central Bank Digital Currency (characterized as “fiat currency”)
  • NFTs when used as collectibles
  • Venmo
  • PayPal

FATF’s definition of a VASP

Virtual asset service provider [VASP] means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

  • exchange between virtual assets and fiat currencies;
  • exchange between one or more forms of virtual assets;
  • transfer of virtual assets (moves a VA from one virtual asset address or account to another);
  • safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
  • participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

Source: Glossary of the FATF Recommendations

So…What would and what wouldn’t be a VASP?

Businesses or Services that ARE a VASP
  • VA exchanges or VA transfer services that facilitate the exchange of VA for fiat currency and/or other forms of VA for remuneration (e.g., for a fee, commission, spread, or other benefit). These models typically accept a wide range of payment methods, including cash, wires, credit cards, and VAs. Includes P2P exchanges.
  • VA escrow services, when the entity providing the service has custody over the funds.
  • Brokerage services that facilitate the issuance and trading of VAs on behalf of a natural or legal person’s users.
  • Order-book exchange services, which bring together orders for buyers and sellers, potentially through the use of a matching engine that matches the buy and sell orders from users.
  • Advanced trading services, which may allow users to access more sophisticated trading techniques, such as trading on margin or algorithm-based trading.
  • Bitcoin ATMs/Kiosks which facilitate the exchange of VAs for fiat currency or other VAs.
  • ICOs (Initial Coin Offerings) which are generally a means to raise funds for new projects from early backers.
  • Mining pools which, aside from only transferring virtual assets to the pool members, combine their managing and renting services with the service of hosting virtual currency wallets on behalf of the pool members (i.e. safekeeping of virtual assets according to FATF’s list).
  • Stablecoins: A range of the entities involved in any so-called stablecoin arrangement will have AML/CFT obligations, depending on the stablecoin’s design. A central developer or governance body who establishes the rules governing the stablecoin arrangement (i.e. determines the functions of the stablecoin, who can access the arrangement, whether/how AML/CFT preventive measures are built into the arrangement, manages the stabilization function) may be considered a VASP.
  • DeFi: A DeFi application (i.e. the software program) is not a VASP under the FATF standards. However, creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements could fall under the FATF definition of a VASP.
  • NFTs when used for payment or investment purposes.

Businesses or Services that ARE NOT a VASP
  • Consumers: A user who obtains convertible virtual currency and uses it to purchase real or virtual goods or services is not a VASP, and therefore is not subject to registration, reporting, and recordkeeping regulations.
  • Peer to peer (P2P) transactions: Where VA transfers occur on a P2P basis, there are no obliged entities involved in preventing or mitigating money laundering risks.
  • Individual miners, if they are mining for their own account.
  • Mining pool operators, if they are only transferring virtual assets to the pool members or contract purchasers to distribute the amount earned to third parties, as these transfers are integral to the provision of services.
  • Order book exchange services/platforms which only allow buyers and sellers of VAs to find each other and do not undertake any of the services in the definition of a VASP.
  • Firms which merely provide ancillary infrastructure to allow another entity to offer this service, such as cloud data storage providers, integrity service providers responsible for verifying the accuracy of signatures, software developers, software programs (i.e. DApps), a DeFi application (the software program) or providers of unhosted wallets (only developing/selling the software and/or hardware wallets), will normally not satisfy the definition of a VASP.

Why is it so important to correctly define a VASP?

Once an entity is classified as a VASP, thus falling within the scope of the FATF standards, this triggers a wide range of regulatory requirements:

  • Must be licensed or registered at minimum in the jurisdiction(s) where they are created. Some jurisdictions have additional requirements at local levels;
  • Requires countries to ensure that VASPs develop, assess, and mitigate AML/CFT preventive program(s) to identify and verify customer identity, set policies, procedures, record keeping, training, reporting, internal controls, compliance officers and independent review;
  • Introduces the “Travel Rule” (Recommendation 16). It requires regulated entities to conduct customer due diligence (Recommendation 10) and ensure that certain information about the parties to a transaction over EUR 1,000 “travel” with the transaction to the receiving entity including: (i) the name of the originator, address or national ID, (ii) the name of the beneficiary; and (iii) an account number for each, where used to process the transaction, or a unique transaction reference number. The Travel Rule should apply to VA transfers between two obliged entities (e.g., two VASPs or a VASP and a traditional financial institution), but will not necessarily apply to transactions between a VASP and an unhosted wallet (a crypto-wallet that is not held with or managed by a third-party financial institution or other regulated entity);
  • Report suspicious transactions under the Bank Secrecy Act or other regulation.

In closing, FATF recommends that VA activities be analyzed based on the services provided rather than whether they fit into the specific wording of the definitions. The guidance notes, “countries should not apply their definition based on the nomenclature or terminology which the entity adopts to describe itself or the technology it employs for its activities. The obligations in the FATF standards stem from the underlying financial services offered without regard to an entity’s operational model, technological tools, ledger design or any other operating feature.”
