Registered Somewhere, Active Everywhere: What the FATF's oVASP Report Means for Compliance Teams

An overview of how offshore VASPs operate across jurisdictions and what the FATF’s findings mean for compliance teams managing cross-border risk.


Introduction


In March 2026, the FATF published Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, its first dedicated report on offshore VASPs, entities incorporated in one jurisdiction that actively serve customers in others, often without any local licence or registration in the markets where they operate.

The report's findings are direct: existing compliance tools, including blockchain analytics, are insufficient on their own to identify this activity. Detecting offshore VASPs requires off-chain data, including regulatory records, open-source information, and market signals.

Most compliance programs are structurally blind to offshore VASP risk because they do not capture where services are offered. The practical question for compliance teams is this: is this VASP permitted to serve this customer, in this country, for this service?

Finding 1: Regulatory Footprint Is Not Service Footprint

The FATF's core finding is that a VASP's regulatory footprint may not reflect its customer-facing footprint.

Of the jurisdictions that have introduced VASP registration or licensing requirements, fewer than half (46%) apply them on an activity basis. [1] An activity-based approach allows a jurisdiction to capture VASPs actively targeting its market, regardless of where they are incorporated or physically located. The remaining jurisdictions require licensing only for VASPs that are incorporated or have a physical presence within their borders. In some, cross-border service is permitted where a customer initiates contact independently, without prior solicitation. [2] Active marketing, onboarding, and targeting without local registration is where oVASP risk concentrates.

Where a VASP is licensed or registered tells you where it has a regulatory relationship. However, registration alone does not tell you which jurisdictions it is servicing. Those two remain far apart, and the space between them is where compliance risk sits.

Finding 2: On-Chain Analytics Alone Cannot Identify oVASPs

The report states directly that blockchain analytics tools are "generally insufficient on a standalone basis to identify oVASP activity." [3]

On-chain data is an essential tool for tracing transaction flows, identifying wallet exposure to illicit funds, and supporting investigations. It does not tell you:

  • Whether a VASP is actively targeting customers in a jurisdiction where it holds no licence
  • Whether a VASP's group structure routes customers through associated entities in high-risk or sanctioned jurisdictions
  • Whether what appears to be a customer in a nested relationship is actually an unlicensed VASP
  • Whether a counterparty is permitted to provide the relevant service in the customer’s country


VASPnet surfaces risk before a transaction reaches the chain, using off-chain signals to identify exposure at the onboarding stage.

Finding 3: Being Regulated in One Jurisdiction Is Not A Passport To Serve Every Market

Paragraph 47 of the report sets out indicators that a VASP may be actively targeting a jurisdiction:

  • Absence of geo-blocking
  • Use of local language or currency
  • Availability in local app stores, with domestic user reviews
  • On/off-ramps via domestic payment methods
  • Local influencer marketing and event sponsorship
  • Surrogate marketing for expanded reach
  • Tutorial content directed at a specific market [4]


The report also notes that affiliate schemes and online promotion are commonly used by oVASPs to reach customers, including through social media and encrypted messaging applications. [5]

For a VASP to be considered "offering" services in a jurisdiction, those services generally need to be promoted or marketed there. If you can document that activity systematically, you have the basis for a well-grounded assessment of where a VASP is offering services for regulatory purposes.

VASPindex generates probability scores for 66,788+ entities across 86 countries, sourced direct from 124 regulators, drawing on company registers, media coverage, and online activity: many of the same public signals the FATF identifies as essential for oVASP detection.

Among the top 100 VASPs, 44% are regulated in at least one jurisdiction while also holding a warning or facing enforcement action in another, a pattern that on-chain analytics cannot detect. [6]

Finding 4: The Right Questions to Ask About Payment Counterparties

The exposure for financial institutions is broader than crypto-native relationships. Banks processing payments where the counterparty is a VASP or VASP-adjacent business, including wire transfers and card payments, carry oVASP risk whether or not it is visible on-chain.

The FATF documents cases where oVASPs accessed the financial system by misrepresenting themselves as retail customers, and investigations where illicit funds moved through global VASP groups whose customer attribution was deliberately spread across jurisdictions. [7]

Many nested VASPs are not illicit actors and trade as formally registered entities. Their activity runs through the infrastructure of a larger service provider, making them difficult to detect on-chain and leaving no obvious trace at the point of the bank’s exposure. On-chain analytics are poorly suited to identifying the geography of activity. Group entities share infrastructure. A transaction processed through a group entity in one jurisdiction may look the same on-chain regardless of where the underlying customer is located. [8]

Obliged entities need answers to three questions for any VASP relationship, regardless of whether the payment is crypto, wire, or card:

  1. Are any affiliates or nested counterparties located in sanctioned, high-risk, or weakly supervised jurisdictions?
  2. Where is this VASP
    a. headquartered;
    b. actively offering services;
    c. operating from?
  3. Does it hold appropriate authorisation in each market where authorisation is required, including the jurisdiction of incorporation and where your customer is based?

 

Finding 5: Group Structures and Nested Exposure Create Hidden Risk

Several of the report’s case studies rely on a mix of on-chain and off-chain obfuscation. Customers are routed through different legal entities, and accounts are attributed to whichever group entity creates the most friction for information requests.

At the same time, global omnibus wallet infrastructure obscures geographic exposure, making it difficult to determine where services are actually being provided. [9]

Box 3 illustrates this: FIUs in France and Spain were redirected to group entities in other jurisdictions. Some of these entities were VASPs with no AML/CFT/CPF obligations at all. [10]

Investigations are often delayed when entity names differ across jurisdictions and requests fail to specify the correct legal entity. Due diligence on a VASP relationship means due diligence on the group.

This means asking:

  • Which legal entity are customers onboarded to, and which entity is responsible for operational compliance?
  • Which entity is providing the relevant service?
  • Where are affiliates incorporated?
  • What is the regulatory status of each entity?
  • Are any related parties operating in jurisdictions without AML/CFT/CPF frameworks?

Global wallet infrastructure and cross-entity routing create a compliance blind spot that requires both on-chain and off-chain tools to resolve.


77% of regulated VASPs in the VASPnet database are regulated under a tier 4 regime, defined by relatively weak or non-existent supervision, including 10% that are present in a high-risk jurisdiction. [11] This risk is difficult to identify without group-level data.

 

Figure 1: A single VASP group with entities across multiple jurisdictions, many of which are flagged by regulators or not permitted to operate.

VASPnet tracks group affiliations, permitted activities, and regulatory status across jurisdictions in one place.

Finding 6: The "Not Authorised" Gap Is a Data Problem

Most jurisdictions do not provide usable public data to identify unauthorised VASPs.

Figure 2: Only 28% of jurisdictions publish dedicated warnings and actions lists that clearly identify crypto-asset activity, while the majority provide incomplete or no usable data.

The FATF report identifies a persistent gap: many jurisdictions lack clear public registers of entities not authorised to operate in their market. Without them, financial institutions cannot efficiently cross-check counterparties, and consumers have no straightforward way to verify a VASP's status.

The report points to good practice: France's AMF maintains a public blacklist of unauthorised entities alongside a whitelist of authorised providers. Singapore's MAS publishes a list of VASPs who may have been wrongly perceived as authorised. Japan's JFSA publishes details of VASPs operating without registration. [12]

Useful, but each is jurisdiction-specific and inconsistently maintained. The risk tied to a global VASP operating across dozens of markets cannot be assessed from a snapshot of a public register.

VASPnet consolidates fragmented public registers into a single, cross-jurisdictional view, giving banks and compliance teams visibility into where a VASP is authorised and where it is active without authorisation.

Better public registers from regulators make this job easier for everyone. We support the FATF's call for wider disclosure of "not authorised" lists.

Between 2024 and 2026, the number of jurisdictions publishing a dedicated warnings and actions list clarifying crypto-asset activities grew from 25 out of 99 countries to 37 out of 131. Progress is being made, but 60 jurisdictions still publish no warnings or enforcement actions at all.

Figure 3: Change in public availability of unauthorised VASP warning and enforcement data, 2024-2026. Although more jurisdictions now publish dedicated warnings and actions lists, most still do not provide complete or easily usable data. Note: 2024 data covers 99 countries; 2026 data covers 131 countries. Source: VASPnet, VASPdata, April 2026.

What Comes Next

The FATF's recommended actions for the private sector are clear. Obliged entities should assess group-wide VASP exposure, apply risk-based controls, and avoid relationships with unregistered or unlicensed entities. [13]

Doing that requires knowing where a VASP is operating, not just where it is registered. Off-chain, public data intelligence, used alongside on-chain tools, is the only reliable way to answer that question.

For every VASP counterparty, a compliance practitioner should ask:

‘Regulated where, active where, permitted where, and through which legal entity?’

Compliance teams need to shift from entity-level checks and assess the jurisdictional and regulatory permissions behind the activity. That means identifying where a VASP is actively offering services and where customer exposure actually occurs, before a transaction reaches the chain.

For access to more comprehensive data on the world’s regulated VASPs, please write to us at contact@vaspnet.com.

[1] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, paragraphs 31 to 33

[2] Financial Services Agency of Japan, Payment Services Act (revised 2020). Crypto asset exchange service providers are required to segregate customer assets, with at least 95% held in cold wallets, and foreign providers must establish a local entity in Japan.

[3] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, paragraphs 31 to 34

[4] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, Box 3

[5] VASPnet, VASPdata, April 2026. Tier 4 is a VASPnet proprietary classification denoting jurisdictions with relatively weak or non-existent virtual asset supervision.

[6] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, Box 13

[7] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, paragraph 88

[8] Financial Services Agency of Japan, Payment Services Act (revised 2020). Crypto asset exchange service providers are required to segregate customer assets, with at least 95% held in cold wallets, and foreign providers must establish a local entity in Japan.

[9] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, paragraphs 31 to 34

[10] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, Box 3

[11] VASPnet, VASPdata, April 2026. Tier 4 is a VASPnet proprietary classification denoting jurisdictions with relatively weak or non-existent virtual asset supervision.

[12] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, Box 13

[13] FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026, paragraph 88