FATF Virtual Asset Guidance: The Anti-Money Laundering Rules That Every Jurisdiction Must Follow

The Financial Action Task Force does not pass laws. It has no enforcement authority. It cannot fine financial institutions or prosecute money launderers. What it can do — and what makes it the single most consistently effective driver of crypto AML legislation globally — is put countries on a list.

The FATF grey list (formally, the list of “Jurisdictions under Increased Monitoring”) is a public designation that a country has strategic deficiencies in its AML and counter-terrorist financing framework. The consequences of grey listing are significant without any direct FATF action: correspondent banks become reluctant to maintain relationships with institutions in grey-listed jurisdictions, international investors reprice risk upward, credit rating agencies take note, and development finance institutions often restrict activity. For countries integrated into the international financial system, the reputational and economic cost of grey listing is substantial enough that FATF standards function as effective mandates even without legal force behind them.

FATF’s Structure and Membership

FATF is an intergovernmental body established in 1989 by the G7. It currently has 39 members — 37 member jurisdictions plus the European Commission and the Gulf Co-operation Council — plus a network of FATF-style regional bodies that extend its reach to over 200 jurisdictions globally. The regional bodies (MONEYVAL in Europe, ESAAMLG in East and Southern Africa, APG in Asia-Pacific, and others) conduct mutual evaluations of their member countries against FATF standards.

Current FATF President Elisa de Anda Madrazo of Mexico took office in 2024, continuing FATF’s rotation of the presidency among member countries. The presidency brings agenda-setting influence — de Anda Madrazo has emphasised implementation follow-through, particularly on virtual asset standards where the gap between legislation and operational enforcement remains large.

Recommendation 15 and the VASP Framework

Recommendation 15 is the standard that defines FATF’s expectations for virtual asset service providers. Its current form — incorporating amendments made in 2019, 2021, and 2024 — requires countries to regulate VASPs (a category that encompasses crypto exchanges, custodians, peer-to-peer trading platforms, and wallet service providers that have custody of customer assets) as they would regulate financial institutions.

The VASP framework requires countries to license or register VASPs, require VASPs to implement customer due diligence (know-your-customer) processes, establish suspicious transaction reporting obligations for VASPs, and apply the Travel Rule to cross-VASP transfers above the threshold. Countries must also subject VASPs to supervisory oversight — not merely pass legislation requiring compliance, but actually monitor whether VASPs are complying.

The definition of virtual assets in the FATF framework has been contested and refined through successive guidance documents. The 2021 updated guidance expanded the definition to capture non-fungible tokens where they function as investment assets and to clarify how DeFi protocols should be treated — focusing on whether a natural or legal person has control over the protocol even if it appears fully automated. The 2024 updated guidance addressed implementation gaps that had emerged through mutual evaluations, particularly around travel rule data matching and the treatment of unhosted wallets.

The Grey List: How It Works

Countries enter the grey list through FATF’s mutual evaluation process. Every FATF member country, and every country within a FATF-style regional body, undergoes periodic mutual evaluation — an intensive peer review process where evaluators from other jurisdictions assess both the technical compliance of the country’s legal framework and the effectiveness of its AML system in practice.

Countries with significant deficiencies in technical compliance or effectiveness are subject to a follow-up process. Those with the most serious deficiencies — or who fail to remediate deficiencies within agreed timelines — are placed under increased monitoring (grey list) or, in the most extreme cases, on the black list (the list of High-Risk Jurisdictions subject to a Call for Action). Countries currently on the black list face calls for enhanced due diligence and, in some cases, countermeasures from FATF members.

For virtual assets, mutual evaluation findings have been consistently critical. Most countries have passed some form of VASP licensing legislation. Far fewer have built effective supervisory capacity to monitor whether licensed VASPs are actually implementing AML controls. The gap between law-on-paper and law-in-practice is the central challenge FATF has identified in crypto AML implementation.

The 6th Targeted Update and June 2025 Findings

FATF’s 6th targeted update on virtual asset guidance, published in June 2025, provided the most comprehensive picture yet of global travel rule implementation. The headline finding — that 73% of jurisdictions have passed Travel Rule legislation — represents substantial progress from near-zero five years earlier. But the implementation finding is more sobering: legislative passage does not translate to operational implementation, and many jurisdictions with Travel Rule legislation in place have not yet built the supervisory capacity or industry infrastructure to make the rule function in practice.

The update identified several persistent challenges. The sunrise problem — the compliance gap that arises when a transaction involves one jurisdiction with the Travel Rule and one without — continues to create data gaps in the global transaction monitoring system. The unhosted wallet challenge — how to apply the Travel Rule when crypto moves from a VASP to a self-custodied wallet — remains technically and legally unresolved, with different jurisdictions adopting different approaches that are not mutually compatible.

The North Korea Illustration

The $1.5 billion hack of the Bybit exchange in February 2025 — attributed by multiple governments to North Korea’s Lazarus Group — became the most vivid illustration of Travel Rule implementation gaps in the post-2025 guidance landscape. North Korea’s crypto-hacking operations exploit two specific weaknesses: the ability to move large sums through unhosted wallets without triggering Travel Rule data sharing, and the availability of mixing and bridging services that obscure transaction trails.

The Bybit hack demonstrated that even where Travel Rule legislation exists, the absence of operational implementation — data sharing infrastructure between VASPs, compliance monitoring systems, and supervisory follow-through — means that state-level threat actors can move hundreds of millions of dollars through the crypto system without generating the data trail that the Travel Rule was designed to create. FATF’s June 2025 update cited the Bybit case explicitly as evidence that implementation urgency is not merely theoretical.

For FATF President de Anda Madrazo, the case reinforced the message that legislative compliance without operational implementation is insufficient — and that the mutual evaluation process needs to weight effective implementation more heavily than formal legal compliance.