Offshore VASPs: FATF’s 2026 oVASP Risk Report Explained — The Complete Compliance Guide for VASPs, CASPs and Financial Institutions


1. What Is an Offshore VASP (oVASP)?

The term offshore VASP (oVASP) is not a casual industry label — it now carries a precise regulatory definition under the FATF’s March 2026 report on Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers.

An oVASP is a Virtual Asset Service Provider that is created under the laws of one jurisdiction (the “home jurisdiction”) but actively provides services to clients residing or domiciled in other jurisdictions (the “host jurisdictions”) — with or without a physical presence in those host markets.

The critical word here is actively. An oVASP is not simply a VASP that happens to have foreign customers. It is one that:

  • Deliberately solicits clients in markets where it holds no licence or registration
  • Onboards users in host jurisdictions despite local licensing requirements
  • Routes transactions through domestic payment infrastructure without regulatory authorisation
  • Sometimes explicitly advises users on how to circumvent local KYC controls — for example, by using VPNs or providing false information

The distinction between unintentional oVASPs (those that misunderstand applicable rules) and intentional oVASPs (those that deliberately design their business model around regulatory evasion) runs through the entire FATF analysis and carries significant compliance implications for every regulated financial institution that transacts with or banks crypto businesses.

If your firm processes payments for, provides correspondent banking to, or accepts deposits from virtual asset businesses, the oVASP risk framework applies to you — not just to crypto exchanges.


2. Why FATF Published This Report — and Why It Matters Now

FATF’s March 2026 report represents the culmination of dedicated work launched by the FATF Virtual Assets Contact Group (VACG) in October 2025. It builds on a series of annual targeted updates published since 2022 tracking compliance with Recommendation 15 (R.15), the foundational FATF standard governing VAs and VASPs.

The impetus for this specific report is straightforward: despite years of progress in building domestic VASP regimes, the global regulatory patchwork has created structural gaps that sophisticated actors — and sometimes unsophisticated ones — are systematically exploiting.

Three converging pressures drove FATF to act:

Fragmented implementation of R.15. As of April 2025, 138 jurisdictions have been assessed for R.15 compliance. While 29% are now largely compliant (up from 25% in 2024), 49% remain only partially compliant, and 21% are still non-compliant. This means roughly 70% of assessed jurisdictions have meaningful gaps in their VASP oversight frameworks — creating the regulatory arbitrage opportunities that oVASPs exploit.

High-profile enforcement failures. The $504 million OKX settlement, the $4.3 billion Binance resolution, and the $1.5 billion Bybit theft (where DPRK exploited the platform in a context FATF identifies as involving unregistered VASP activity in relevant jurisdictions) demonstrated that the consequences of inadequate oVASP oversight are not theoretical. They are measured in billions.

Growing complexity of oVASP business models. As more jurisdictions tighten their VASP regimes, offshore providers have adopted increasingly sophisticated structures — nested exchange arrangements, global customer pooling, distributed corporate ownership, and the use of privacy-enhancing technologies — to remain outside effective supervision while continuing to serve customers in regulated markets.

For compliance officers at VASPs, CASPs, payment institutions, and traditional financial institutions that interact with the crypto sector, this report is not background reading. It is an operational document that directly shapes what your regulator will expect of you.


3. The Global State of VASP Regulation in 2025

Understanding where the global VASP regulatory landscape stands is essential context for grasping the oVASP risk. FATF’s 2025 survey data paints a nuanced picture.

Compliance with Recommendation 15 (as of April 2025):

| Compliance Level | 2024 | 2025 |
| --- | --- | --- |
| Compliant | ~1% | ~1% |
| Largely Compliant | 25% (32/130) | 29% (40/138) |
| Partially Compliant | 50% (65/130) | 49% (68/138) |
| Non-Compliant | 25% (32/130) | 21% (29/138) |

The direction of travel is positive: more jurisdictions are rated largely compliant and fewer are non-compliant. However, the fundamental challenge remains: the majority of jurisdictions assessed are still not fully implementing FATF’s VASP standards.

The activity-based licensing gap. Of the 80 jurisdictions that have introduced a VASP registration or licensing requirement, only 46% (37 jurisdictions) have adopted an activity-based approach — meaning they require oVASPs to register or obtain a licence when they actively provide services into the market, regardless of physical presence. The remaining 54% apply only the core FATF standard: licensing is required only when a VASP is physically created or located in their jurisdiction.

This divergence has direct consequences. A VASP incorporated in a jurisdiction that does not require activity-based licensing can legally serve customers in dozens of countries that do require local registration — from those customers’ perspective, they are using an unregulated, unsupervised provider.

Jurisdictions with notable activity-based approaches include the UK (FCA registration required for any firm providing crypto asset services by way of business in the UK), the EU under MiCA, Hong Kong, Singapore, South Africa, India, and Argentina. Each has operationalised “active provision of services” differently, creating additional complexity for VASPs seeking to understand their cross-border obligations.

For VASPs operating or seeking to operate across multiple jurisdictions — whether in the UAE, the UK, EU member states, or Pakistan — the matrix of applicable registration obligations has never been more complex.

PRO TIP

If your VASP onboards users from multiple countries, you need a jurisdiction-by-jurisdiction analysis of where activity-based licensing obligations are triggered — not just a review of your home jurisdiction’s rules. The “we’re incorporated offshore” defence is rapidly losing legal traction across major markets including the UK, EU, Singapore, and India.


4. How Offshore VASPs Structure Their Operations

The FATF report provides unusually detailed insight into the operational models oVASPs use. Understanding these structures is essential for compliance teams at regulated financial institutions — because many of these structures are specifically designed to be difficult to detect.

Customer acquisition tactics used by oVASPs include:

  • Online platforms and mobile applications with no geo-blocking, or geo-blocking that is trivially circumvented with VPNs
  • Targeted advertising through social media platforms, encrypted messaging apps (Telegram, WhatsApp), and decentralised communication channels
  • Affiliate and referral schemes that use local intermediaries to acquire customers while maintaining corporate distance
  • Sponsorship of local events and use of local influencers to build brand recognition
  • Platform content in local languages and denominated in local currencies — a deliberately chosen signal to local users that the platform is accessible to them

Corporate and compliance structure. Core functions — senior management, compliance operations, data infrastructure — are kept outside the jurisdictions where customers reside. This is not accidental. It limits the ability of domestic supervisors to:

  • Engage meaningfully with the entity
  • Access customer KYC/CDD data
  • Issue enforceable orders
  • Compel information for investigations

In some cases, oVASPs appoint nominal or “dummy” compliance officers in host jurisdictions — individuals with insufficient seniority, no access to customer data, and no real authority to act. FATF explicitly flags this as a supervisory concern, noting that when supervisors request information, these nominal officers frequently cannot respond meaningfully.

Global customer pooling is another structural feature FATF highlights. Rather than assigning customers to a locally supervised entity, some VASPs manage all customer accounts through a global platform or group-level arrangement. When regulators request information about specific customers, the VASP can claim that the customer is serviced through a different group entity in another jurisdiction — creating an endless jurisdictional loop that can delay information access by months or, in reported cases, up to a year.

Nested exchange arrangements deserve particular attention. An oVASP that cannot obtain a licence directly may instead open accounts at regulated, onshore VASPs — posing as retail customers. Through these nested arrangements, the oVASP effectively accesses domestic liquidity, payment rails, and fiat on/off-ramps without submitting to local regulatory oversight. The regulated host VASP carries the AML/CFT exposure without necessarily being aware of it.

This is directly analogous to correspondent banking risk, and FATF explicitly invokes Recommendation 13 — the correspondent banking standard — as the applicable framework for managing nested VASP relationships.


5. The Core Vulnerabilities FATF Has Identified

The FATF report organises its vulnerability analysis around several interconnected themes. Each one should map directly to your institution’s risk assessment framework.

Lack of Adequate Physical Presence

oVASPs frequently structure themselves to have no meaningful physical footprint in the jurisdictions they serve. When supervisors attempt to engage (sending information requests, issuing compliance directions, seeking KYC records), they find either no one to contact or nominal representatives with no real authority.

The compliance implications are clear: if your institution is processing payments for a VASP and cannot readily identify a genuine compliance function in the relevant jurisdiction, that should register as a significant red flag.

Global Pooling of Customers

As described above, the deliberate allocation of customers to different group entities across multiple jurisdictions is used to obscure which legal entity is responsible for AML/CFT obligations in respect of any given customer. France’s FIU and Spain’s SEPBLAC have both documented cases where VASPs, when responding to information requests, redirect authorities to a different group entity — often one based in a jurisdiction with weak or no VASP regulation.

Regulatory Arbitrage

Some oVASPs deliberately incorporate or route activity through jurisdictions with weak AML/CFT frameworks, enabling them to offer lower compliance costs (passed on to customers as better pricing), no KYC requirements, and anonymity features that regulated domestic VASPs cannot legally offer.

The Indian market provides a clear illustration. Following the introduction of a crypto taxation regime in 2022, a significant portion of Indian trading volume migrated from regulated domestic VASPs to offshore platforms — which then aggressively marketed their minimal KYC requirements and encouraged VPN use to circumvent Indian regulations.

The Nested Exchange Problem

FATF’s analysis of nested exchanges draws heavily on documented cases involving both small operators and global giants. The pattern is consistent: an oVASP gains access to a regulated market by opening accounts at a licensed host VASP, misrepresents itself as a retail user, and processes transaction volumes that are wildly inconsistent with a retail customer’s profile — but which represent a small enough share of the host VASP’s overall volume to avoid triggering automated alerts.

FIU Estonia documented exactly this pattern: an offshore, unlicensed VASP gained access to an Estonian-licensed VASP by onboarding as a private individual. The trading patterns — high frequency, repetitive timing, algorithmic trading indicators — eventually gave it away. But the detection came late.

COMMON MISTAKE

Many regulated VASPs fail to apply Recommendation 13 correspondent-style due diligence to other VASPs they onboard as customers. If another VASP opens an account with you, your KYC/CDD obligations don’t stop at the entity level — you must understand what customers that VASP is servicing and whether their AML/CFT framework is adequate. Failure to do so is a documented enforcement risk.


6. Key Typologies and ML/TF/PF Risk Scenarios

The FATF report identifies several interconnected typologies through which oVASPs are used to facilitate financial crime. These are not hypothetical risk scenarios — each is supported by documented case studies from FIUs and law enforcement agencies across multiple jurisdictions.

Active Targeting and Circumvention

Offshore VASPs actively market services in jurisdictions where they hold no licence, including in markets where VA activity is restricted or prohibited. They advise users on circumvention techniques — VPN usage, false information provision, use of intermediary accounts. Marketing through social media, encrypted messaging platforms, and affiliate schemes closely resembles tactics used in online fraud schemes.

Nested and Intermediated Arrangements

As described above, nested arrangements allow oVASPs to access regulated infrastructure without direct regulatory oversight. The Binance case represents the high-water mark of this typology: through inadequately monitored nested sub-account arrangements, OFAC-designated entities including Garantex and Suex operated within Binance’s platform. Binance agreed to cease all anonymous sub-account arrangements as part of its enforcement resolution.

Use of oVASPs in Complex ML/TF/PF Schemes

The FATF documents a range of sophisticated money laundering and terrorism financing cases involving oVASPs. In Nigeria, a large-scale investment fraud scheme used oVASPs as cash-out points — with one global VASP-linked wallet holding approximately $600 million at the time of analysis. In India, funds from scam compounds were converted to virtual assets via unregulated oVASPs, transferred to registered Indian VASPs, and then off-ramped through domestic accounts.

For terrorism financing, FINTRAC’s reporting in Canada identified a case where a Canada-based individual was conducting transactions with a foreign VASP located in an active conflict zone controlled by a listed terrorist entity. The individual was subsequently convicted of fundraising for a terrorist group. In Indonesia, PPATK identified VA-based financial support to terrorist groups in Syria involving several foundations and individuals. Following initial arrests, collection continued, and funds amounting to approximately $35,500 were sent to foreign terrorist fighters in Syria via Binance. Additionally, funds were transferred from a local regulated VASP to offshore platforms including KuCoin and CoinEx. The oVASPs in this case were exploited in three ways: for anonymity through nominee accounts and falsified credentials; for the ability to convert between different VA types, including altcoins and DeFi tokens; and as intermediary steps before funds moved to non-custodial wallets, mixers, and privacy coins.

These cases confirm what the FATF’s red flag indicators for MLRO compliance have long identified: the combination of cross-border virtual asset transactions, opaque ownership structures, and platforms with minimal KYC creates infrastructure that is equally accessible to money launderers and terrorist financiers.

The DPRK Threat and State-Level Exploitation

Perhaps the most significant escalation documented in the FATF report is the state-level exploitation of oVASPs. The April 2025 VACG highlighted the Bybit theft as a case study in DPRK’s sophisticated operational methods — FATF notes DPRK’s use of Bybit in a context where it was operating as an unregistered VASP in relevant jurisdictions, combined with OTC traders, mixers, bridges, and extensive wallet fragmentation to increase investigative complexity and time sensitivity.

State-sponsored actors at this level of capability represent a qualitatively different threat than organised crime. The use of oVASPs as entry points into the global financial system is a deliberate strategic choice — and one that your institution’s VASP-related risk assessment must account for.


7. Real-World Enforcement Cases: OKX, Binance, and Beyond

The FATF report is unusually frank in naming specific enforcement cases. These are not presented as outliers — they are presented as illustrations of systemic vulnerabilities that the current regulatory architecture enables.

OKX: $504 Million and a Guilty Plea

In February 2025, Aux Cayes Fintech Co. Ltd. (OKX), a Seychelles-incorporated entity and one of the world’s largest crypto exchanges, pleaded guilty to operating an unlicensed money-transmitting business in the United States. Despite an official policy purporting to block US users, OKX actively targeted and served US retail and institutional customers from 2017 through 2022 without FinCEN registration.

Critically, OKX knew that serving US customers required MSB registration — it simply chose not to register. From 2017 to November 2022, OKX allowed customers to open accounts and trade without any KYC process. Even after introducing KYC controls, OKX staff continued to advise US customers on how to provide false information to bypass its own restrictions.

OKX agreed to pay over $504 million in penalties. The case is a textbook example of an intentional oVASP — a deliberate business decision to serve a regulated market without regulatory authorisation.

Binance: $4.3 Billion Resolution

The Binance case remains the largest VASP enforcement resolution in history. As the world’s largest exchange, Binance served US customers at significant scale without FinCEN MSB registration, failed to maintain an adequate AML programme, and through inadequate nested sub-account controls, enabled OFAC-designated entities including Garantex and Suex to operate within its platform.

Binance agreed to pay penalties totalling over $4.3 billion across FinCEN, OFAC, DOJ, and CFTC resolutions. The case demonstrates that even global market leaders with sophisticated compliance functions can carry systematic oVASP-related liability when the business model prioritises growth over regulatory compliance.

For VASP compliance officers reviewing their AML programme design, the Binance case provides a detailed blueprint of what adequate nested relationship controls should look like — and what happens when they don’t exist.

The Cayman-ADGM Governance Case

A less publicised but instructive enforcement case involved co-operation between the Cayman Islands Monetary Authority (CIMA) and the ADGM’s Financial Services Regulatory Authority (FSRA). CIMA identified governance failures at a VASP previously registered in the Cayman Islands — specifically, a UBO misusing their director position to override AML/CFT controls. The VASP was routing fiat-to-VA conversion transactions through an unlicensed ADGM-based SPV.

CIMA cancelled the VASP’s registration. The FSRA imposed financial penalties totalling $8.85 million and banned the UBO. The case illustrates both the risk of complex cross-border group structures and the value of international supervisory co-operation when it works effectively.

INDUSTRY INSIGHT

A consistent pattern across all major VASP enforcement cases is that the compliance failures were not unknown internally. In both the OKX and Binance cases, compliance staff were aware of the regulatory obligations being violated. This makes the enforcement outcome a governance failure as much as a technical compliance failure — a point that MLROs and Compliance Officers should take seriously when assessing their own institutional accountability frameworks.


8. FATF’s Good Practices: Regulatory Detection, Supervision and Enforcement Toolkit for Offshore VASPs

The most operationally valuable sections of the FATF report describe the detection, supervision, and enforcement tools that leading jurisdictions are deploying against oVASPs. For compliance professionals, understanding what regulators can and will do is as important as understanding what the rules require.

Identifying oVASPs: Red Flags and Detection Tools

FATF identifies a comprehensive set of red flags that supervisors use to detect oVASP activity:

  • No geo-blocking on the VASP’s platform, or geo-blocking that is easily circumvented
  • Localised content — platform available in local language, denominated in local currency
  • App store presence with reviews from local users, evidencing an active domestic customer base
  • Domestic payment rail access — ability to on-ramp/off-ramp via domestic payment methods (e.g., India’s UPI, or UK bank transfers)
  • Local influencer marketing through social media platforms
  • Sponsorship of local events
  • Video tutorials specifically instructing domestic users on how to trade

Detection tools deployed by leading jurisdictions include:

  • Blockchain analytics to trace transaction flows (AUSTRAC, NFIU, New Zealand’s DIA)
  • Web scraping and OSINT to identify advertising and promotional activity by unlicensed entities
  • STRs from regulated VASPs and FIs — onshore VASPs detecting and reporting unusual deposit patterns from offshore wallets
  • App store monitoring — Japan’s JFSA requested Apple Japan and Google Play to remove apps of oVASPs that continued operating despite warning letters
  • Thematic reviews — New Zealand conducted a 2025 thematic review identifying 20 oVASPs actively serving NZ residents; 12 of 20 disputed that NZ AML/CFT rules applied

Licensing and Registration: The Activity-Based Approach in Practice

Several jurisdictions have operationalised activity-based licensing in instructive ways:

Hong Kong defines what counts as “actively marketing” to the public of HKC, and the SFC considers factors including the means of marketing, the language, and the currency used. No oVASP may promote services to HK consumers without SFC licensing.

MiCA (EU) requires authorisation for any VASP providing services within the Union. The reverse solicitation exemption is narrow — it applies only where the client, without any prior solicitation, initiates the relationship. Any preceding offer to the public triggers licensing obligations. See our detailed guide to MiCA regulation for 2026.

Argentina has introduced explicit quantitative triggers: a foreign VASP is subject to registration if it derives more than 20% of its global turnover from activities involving Argentine residents, or if it uses Argentine domain extensions, or maintains commercial arrangements enabling receipt of funds from Argentine residents.

Singapore requires licensing for VASPs that either carry on business in Singapore or are incorporated in Singapore — and applies a highly prudential approach to granting licences to Singapore-incorporated VASPs that only serve overseas customers, recognising the risk of regulatory arbitrage.

Enforcement Toolkit

The enforcement toolkit FATF documents is graduated and multi-layered:

  • Public warnings and market alerts (France’s AMF blacklist, incorporated into IOSCO’s i-scan tool; Singapore’s dual public lists of licensed VASPs and unlicensed entities)
  • Website and app-store takedowns (FCA issued 60+ app removal requests to Google and Apple; Japan’s JFSA did similarly in early 2025; India’s Sahyog portal has facilitated 85 URL takedowns)
  • Restrictions on domestic intermediary access (Nigeria’s Central Bank guidelines preventing local FIs from servicing unlicensed oVASPs)
  • Civil litigation (FCA commenced civil litigation against one oVASP for unlawful promotion)
  • Criminal prosecution (the OKX and Binance cases)

The FCA’s approach is particularly instructive for UK-regulated firms. Since October 2023, financial promotions rules apply to qualifying crypto assets regardless of where the promotion originates — so a foreign VASP promoting services to UK consumers without FCA registration is committing a criminal offence under section 21 of FSMA. The FCA has issued over 2,300 alerts on illegal promotions and driven the takedown of more than 1,000 scam websites.

For VASPs seeking to understand what a genuine AML audit looks like in this context, our independent AML review guide and AML audit checklist provide detailed frameworks.

For UK EMIs and payment institutions navigating this environment, ComplyFactor’s analysis of SPI vs API FCA audit expectations and EMI safeguarding audit requirements is directly relevant.


9. What the Travel Rule “Sunrise Issue” Means for oVASP Risk

The Travel Rule remains one of the most significant unresolved challenges in VASP compliance — and the FATF report identifies the “Sunrise Issue” as a direct enabler of oVASP-related financial crime.

The Sunrise Issue refers to the fragmented, staggered implementation of Travel Rule legislation across jurisdictions. While a growing number of jurisdictions have enacted Travel Rule requirements, implementation timelines and operational practices remain inconsistent. This means that where an oVASP operates from a jurisdiction that has not yet implemented the Travel Rule, its counterparties in compliant jurisdictions face a fundamental dilemma: they cannot obtain originator and beneficiary information for cross-border transfers, but are also not legally prohibited from transacting with the entity.

The Nigerian FIU documented a large fraud investigation where illicit funds moved into oVASPs located in jurisdictions without Travel Rule implementation. Even after identifying the movement of proceeds into specific wallet addresses at several global VASPs, investigators could not obtain originator and beneficiary information — either because it was absent from transaction data or because information requests to foreign VASPs and FIUs went unanswered.

The practical implication for compliance officers is this: Travel Rule compliance must be paired with counterparty due diligence on the VASP’s regulatory status in its home jurisdiction. Sending Travel Rule data to an oVASP that has no obligation to retain or use it achieves nothing from an AML/CFT perspective.

Our guide to Crypto Travel Rules provides a practical breakdown of current obligations and best practices across key jurisdictions.


10. What This Means for Your VASP Compliance Programme

The FATF oVASP report has direct, practical implications for how VASPs, CASPs, payment institutions, and financial institutions structure their compliance programmes. The following are the key operational takeaways.

For Regulated VASPs and CASPs

Review your counterparty due diligence framework. Apply Recommendation 13 correspondent-style due diligence to every VASP you onboard as a customer. This means understanding their business model, their customer base, their AML/CFT framework, and their regulatory status in every jurisdiction they serve. It is not sufficient to check that they hold a licence somewhere — you need to understand whether they are operating compliantly in the markets they actually serve.

Audit your nested relationship controls. FATF explicitly identifies inadequate oversight of nested arrangements as a primary vulnerability. Your KYC process for VASP customers should include behavioural monitoring — transaction volumes, trading patterns, timing regularity — that can detect when an account registered to a retail customer is actually an intermediary VASP.
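The behavioural monitoring described above, as an added example (not taken from the FATF report or from ComplyFactor): it screens accounts onboarded as retail against their own declared profile, because the nested flows described in section 5 can be too small a share of platform volume to trip platform-level alerts. The thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed thresholds for illustration only (not FATF figures); calibrate on your own data.
MAX_TX_PER_ACTIVE_DAY = 40   # sustained rate a manual retail user rarely reaches
MAX_VOLUME_RATIO = 10.0      # observed monthly volume / volume declared at onboarding
MAX_INTERVAL_CV = 0.15       # gap variation below this looks scheduled or algorithmic
MIN_TX_FOR_TIMING = 20       # too few events say nothing about regularity
MIN_FLAGS_TO_ESCALATE = 2    # one indicator alone is weak evidence of nesting


@dataclass(frozen=True)
class Profile:
    account: str
    customer_type: str           # "retail" or "vasp", as declared at onboarding
    declared_monthly_usd: float


@dataclass(frozen=True)
class Tx:
    account: str
    ts: datetime
    amount_usd: float


def interval_cv(timestamps):
    """Coefficient of variation (stdev / mean) of gaps between consecutive events."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if not gaps or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def screen_account(profile, txs):
    """Indicators hit by one account over a one-month window of transactions."""
    # Declared VASP customers go through counterparty due diligence instead.
    if profile.customer_type != "retail" or not txs:
        return []
    flags = []
    active_days = {t.ts.date() for t in txs}
    if len(txs) / len(active_days) > MAX_TX_PER_ACTIVE_DAY:
        flags.append("high_frequency")
    # Compare with the account's own declared profile, not its share of platform volume.
    volume = sum(t.amount_usd for t in txs)
    if profile.declared_monthly_usd > 0 and volume / profile.declared_monthly_usd > MAX_VOLUME_RATIO:
        flags.append("volume_vs_declared_profile")
    if len(txs) >= MIN_TX_FOR_TIMING:
        cv = interval_cv([t.ts for t in txs])
        if cv is not None and cv < MAX_INTERVAL_CV:
            flags.append("regular_timing")
    return flags


def screen(profiles, txs):
    """Map account -> indicators, for accounts that hit enough indicators to escalate."""
    by_account = {}
    for t in txs:
        by_account.setdefault(t.account, []).append(t)
    hits = {}
    for p in profiles:
        flags = screen_account(p, by_account.get(p.account, []))
        if len(flags) >= MIN_FLAGS_TO_ESCALATE:
            hits[p.account] = flags
    return hits


def constructed_sample():
    """Constructed data: four accounts in one month, none taken from a real case."""
    start = datetime(2026, 1, 5)
    profiles = [
        Profile("acct-A", "retail", 5_000.0),    # onboarded as a private individual
        Profile("acct-B", "retail", 3_000.0),    # ordinary retail user
        Profile("acct-C", "vasp", 2_000_000.0),  # declared VASP customer
        Profile("acct-D", "retail", 1_000.0),    # one large one-off deposit
    ]
    txs = []
    # acct-A: 600 transfers of 2,500 USD, exactly five minutes apart.
    txs += [Tx("acct-A", start + timedelta(minutes=5 * i), 2_500.0) for i in range(600)]
    # acct-B: six small trades at irregular hours across the month.
    txs += [Tx("acct-B", start + timedelta(hours=h), 200.0) for h in (0, 30, 31, 200, 340, 500)]
    # acct-C: same machine-like pattern as acct-A, but declared as a VASP.
    txs += [Tx("acct-C", start + timedelta(minutes=5 * i), 2_500.0) for i in range(600)]
    txs.append(Tx("acct-D", start + timedelta(days=3), 50_000.0))
    return profiles, txs


if __name__ == "__main__":
    for account, flags in screen(*constructed_sample()).items():
        print(account, ", ".join(flags))
```

Only acct-A is escalated: acct-D hits a single indicator and is left to the wider monitoring rules, and acct-C is out of scope for this screen because it declared itself a VASP at onboarding.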

Map your own cross-border obligations. If your VASP serves customers in multiple jurisdictions, conduct a formal analysis of where activity-based licensing requirements are triggered. In the UK, EU (MiCA), Singapore, India, South Africa, and Argentina, active provision of services to domestic residents requires local registration, regardless of where you are incorporated. Our VASP AML compliance best practices and our ultimate VASP compliance guide cover this in detail.

Strengthen your STR process. FATF repeatedly highlights Suspicious Transaction Reporting from regulated VASPs as a primary detection tool for oVASP activity. If your STR process is not specifically calibrated to detect indicators of nested oVASP activity — unusual deposit patterns from offshore wallets, transactions involving high-risk jurisdictions, accounts with demographics inconsistent with their claimed profile — it needs to be.

For MLROs at Financial Institutions

Update your VASP-related risk assessment. The FATF report constitutes a material update to the risk landscape for any financial institution that transacts with crypto businesses. Your firm’s AML risk assessment should reflect the specific risk categories FATF has identified: oVASPs as customers or counterparties, nested exchange arrangements, global customer pooling, and exposure to jurisdictions without VASP regulation.

Apply enhanced due diligence for oVASP indicators. Any VASP customer that: (a) lacks a meaningful physical compliance function, (b) appears to serve customers in markets where it is not licensed, or (c) has transaction volumes inconsistent with a retail customer profile should trigger enhanced due diligence. The indicators FATF documents are operationalisable as internal red flag typologies.

Engage your MLRO on group-level AML obligations. If your institution is part of a group with VASP-related entities, Recommendation 18 requires group-wide AML/CFT controls. Your MLRO needs to understand how global customer pooling and cross-border entity structures within your own group might create compliance vulnerabilities.

For firms seeking expert support in these areas, ComplyFactor’s outsourced MLRO services and AML advisory team regularly assist VASPs and financial institutions with exactly this kind of risk framework development.


11. FATF’s Recommended Actions: Jurisdiction-by-Jurisdiction Breakdown

FATF concludes its March 2026 report with a structured set of recommended actions. These are not soft guidance — given that FATF mutual evaluation outcomes directly shape countries’ access to correspondent banking and international financial markets, these recommendations carry significant force.

For All Jurisdictions

  • Include oVASP activity in national ML/TF/PF risk assessments — including activity conducted without physical presence
  • Establish or improve domestic co-ordination mechanisms between AML/CFT supervisors, FIUs, securities regulators, law enforcement, tax authorities, and consumer protection agencies
  • Co-operate with foreign competent authorities to the maximum extent possible, including proactively sharing information about VASPs providing services into other markets

For Home Jurisdictions (Where oVASPs Are Created or Located)

  • Conduct comprehensive risk-based supervision of VASPs, including assessment of their global activities — not just domestic operations
  • Ensure supervisors have powers to obtain information on activities conducted abroad
  • Co-operate swiftly with foreign counterparts requesting information about VASPs under domestic supervision
  • Proactively notify host jurisdiction supervisors when a domestically-supervised VASP is providing material services into that market

For Host Jurisdictions (Where oVASPs Are Actively Serving Customers)

  • Use the flexibility under INR.15.3 to require activity-based licensing — meaning oVASPs that actively provide services to local residents must obtain domestic authorisation
  • Clearly define what constitutes “active provision of services” — including targeted marketing, onboarding of residents, use of domestic payment rails, and maintenance of local infrastructure
  • Deploy a graduated enforcement toolkit: public warnings, app-store takedowns, domestic intermediary access restrictions, civil litigation, and criminal prosecution
  • Require migration of resident customer accounts to locally licensed entities where global customer pooling creates supervision gaps

For the Private Sector (VASPs and Financial Institutions)

  • Conduct group-wide risk assessments incorporating oVASP exposure
  • Apply R.13 controls to nested VASP relationships — the same correspondent banking framework you apply to cross-border FI relationships
  • Apply group-wide AML/CFT controls under R.18
  • Notify your home regulator when you identify an oVASP operating without registration — and refrain from maintaining business relationships with unregistered or unlicensed VASPs

12. How ComplyFactor Helps VASPs Navigate Offshore Compliance Risk

The FATF oVASP report makes clear that the regulatory stakes for virtual asset businesses have never been higher. From the OKX guilty plea to the Binance $4.3 billion resolution to DPRK’s exploitation of unregistered platforms, the enforcement landscape is no longer theoretical.

ComplyFactor is a specialist compliance advisory firm that works with VASPs, CASPs, payment institutions, MSBs, and fintech businesses across the UK, UAE, EU, Canada, Switzerland, Pakistan, and Australia. Our services are specifically designed to address the compliance challenges the FATF has identified.

MLRO Outsourcing for VASPs — If your VASP requires a qualified, in-jurisdiction Money Laundering Reporting Officer, our global MLRO services provide exactly that. We have placed MLROs across multiple jurisdictions with deep VASP-specific expertise. An effective MLRO is not a checkbox — it is a genuine compliance function with real authority, real access to customer data, and real accountability. The FATF report is explicit that nominal or “dummy” compliance officers are a supervisory red flag.

AML Compliance Programme Development — We build and implement AML/CFT compliance programmes specifically calibrated to the risk profiles of virtual asset businesses, incorporating all the elements FATF now expects: risk-based customer due diligence, nested relationship controls, Travel Rule compliance, group-wide AML oversight, and a robust STR process.

Independent AML Audits — Our AML audit services provide the independent assurance that regulators across every major jurisdiction now expect. Whether you are preparing for an FCA review, an AUSTRAC compliance assessment, a FINTRAC examination, or a FINMA audit, our team brings jurisdiction-specific expertise. See our AML audit requirements guide for 2025 for a detailed breakdown of what each regulator expects.

VASP Licensing and Registration — Navigating the matrix of cross-border VASP registration obligations — including activity-based licensing in the UK, EU, UAE, Singapore, and emerging markets — requires jurisdictional expertise combined with regulatory relationship management. ComplyFactor has supported VASP licensing across multiple jurisdictions, including DFSA licensing in the DIFC, VARA compliance in the UAE, FCA registration in the UK, and PVARA licensing in Pakistan.

Regulatory Business Plan Development — A key part of any licensing application, a well-constructed regulatory business plan must demonstrate that your AML/CFT framework is commensurate with your risk profile. Our guide to writing a regulatory business plan covers the UK, UAE, and Singapore specifically.

Contact ComplyFactor today to discuss how we can help your VASP navigate the evolving oVASP compliance landscape.


13. Frequently Asked Questions

What is an offshore VASP (oVASP) according to FATF?

Under FATF’s March 2026 report, an oVASP is a Virtual Asset Service Provider created under the laws of one jurisdiction (the home jurisdiction) that provides services to clients domiciled or residing in other jurisdictions (host jurisdictions), either with or without a physical presence in those markets. The key risk FATF identifies is where oVASPs actively serve host-jurisdiction customers without being licensed or registered locally.

Does the FATF require all jurisdictions to license offshore VASPs?

No. FATF’s Interpretive Note 15.3 permits jurisdictions to extend licensing requirements to oVASPs that actively serve local customers, but does not mandate it. However, all jurisdictions — regardless of whether they have extended licensing to oVASPs — are required to identify unlicensed VASP activity and apply appropriate sanctions. As of 2025, approximately 46% of jurisdictions with VASP regimes have adopted activity-based approaches.

What is the “Sunrise Issue” in VASP compliance?

The Sunrise Issue refers to the fragmented, uneven implementation of the Travel Rule across jurisdictions. Where an oVASP operates from a jurisdiction that has not implemented the Travel Rule, counterparties cannot obtain originator and beneficiary information for cross-border transfers, creating monitoring blind spots that increase ML/TF/PF risk.

What is a nested VASP relationship, and why does it matter?

A nested VASP relationship is one where a VASP (the “nested” entity) accesses trading infrastructure, liquidity, custody, or fiat on/off-ramps by opening accounts at a regulated host VASP, rather than obtaining its own regulatory authorisation. FATF invokes Recommendation 13 — the correspondent banking framework — as the applicable standard for managing these relationships. Regulated VASPs that fail to apply adequate R.13 controls to nested relationships face significant AML/CFT enforcement exposure.

How should my VASP respond to the FATF oVASP report?

At a minimum, you should: (1) map your cross-border service footprint and identify jurisdictions where activity-based licensing may be triggered; (2) review your KYC/CDD processes for VASP counterparties using R.13 as a framework; (3) audit your nested relationship controls; (4) update your AML risk assessment to incorporate oVASP-specific typologies; and (5) ensure your MLRO has genuine authority, access, and seniority. ComplyFactor can assist with all of these steps — contact us here.

What penalties have regulators imposed on oVASPs?

Documented enforcement outcomes include: OKX — $504 million in penalties and a guilty plea (US, February 2025); Binance — $4.3 billion across US regulatory and criminal resolutions (2023); Cayman/ADGM governance case — $8.85 million in penalties plus a UBO ban (2023). These cases are not outliers — they represent the upper end of a wide spectrum of enforcement actions that regulators across the UK, EU, India, Nigeria, Japan, and Singapore are actively pursuing.

Does operating an offshore VASP structure automatically trigger regulatory obligations?

It depends on the host jurisdiction’s regulatory framework. In jurisdictions with activity-based licensing — including the UK, EU (MiCA), Singapore, India, South Africa, and Argentina — actively providing services to residents triggers registration or licensing obligations regardless of where the VASP is incorporated. In jurisdictions applying only the baseline FATF standard, incorporation or physical location determines the licensing obligation. However, all jurisdictions are required to identify and sanction unlicensed VASP activity, meaning oVASPs face enforcement risk even in markets without explicit activity-based licensing.


Key Takeaways

The FATF’s March 2026 report on offshore VASPs is a landmark document in the evolution of virtual asset regulation. Its key messages are unambiguous:

  • Regulatory arbitrage through offshore VASP structures is a documented, systematic ML/TF/PF risk — not a theoretical concern
  • The enforcement consequences are severe, well-documented, and accelerating
  • Regulated financial institutions and VASPs that maintain relationships with oVASPs without adequate due diligence face their own enforcement exposure
  • FATF expects regulators to deploy a broad toolkit — from thematic reviews and blockchain analytics to app-store takedowns and criminal prosecution
  • Every VASP and CASP needs to map its own cross-border obligations and ensure its compliance programme addresses the specific vulnerabilities FATF has identified

If you are not certain whether your VASP or your institution’s VASP-related risk framework is adequate to the current standard, that uncertainty itself is the answer. Reach out to ComplyFactor — we will help you find out.


Does the UK’s FCA apply its rules to offshore VASPs marketing to UK consumers?

Yes — and with significant teeth. Since October 2023, UK financial promotions rules apply to qualifying crypto assets regardless of where the promotion originates. An offshore VASP that promotes services to UK consumers without FCA registration commits a criminal offence under section 21 of FSMA, even if the promotion originates from outside the UK. The FCA has issued over 2,300 illegal promotion alerts and driven 1,000+ scam website takedowns. FCA-regulated payment institutions and banks are explicitly warned that partnering with unregistered oVASPs illegally promoting to UK consumers creates their own regulatory exposure — including potential ML offences if benefits from illegal promotions constitute criminal property.

What should a VASP’s AML compliance programme include specifically to address oVASP risk?

Your AML programme should include: (1) VASP-specific customer risk categorisation that distinguishes between directly regulated VASPs, VASPs in weakly regulated jurisdictions, and VASPs with no traceable regulatory status; (2) nested relationship controls applying R.13 correspondent-style due diligence; (3) behavioural monitoring parameters calibrated to detect automated/commercial trading patterns inconsistent with retail customer profiles; (4) Travel Rule counterparty verification that includes checks on the regulatory status of the counterparty VASP; and (5) an STR process with specific typologies for oVASP-related activity. Our complete AML programme blueprint covers the full design and implementation process.

This article is based on the FATF report “Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers”, published March 2026. ComplyFactor is an independent compliance advisory firm and is not affiliated with FATF or any regulatory body. This article does not constitute legal advice.
