The Financial Action Task Force (FATF) has published a report examining how gaps in the regulation and supervision of offshore Virtual Asset Service Providers (oVASPs) are being exploited to facilitate large-scale fraud, money laundering, and terrorism financing.
The report, released on 11 March 2026, also sets out good practices for jurisdictions to detect, license, supervise, and sanction non-compliant providers.
Offshore VASPs are defined as providers created under the laws of one jurisdiction that serve clients residing in another, with or without a physical presence in the target market. The FATF report identifies that fewer than half of jurisdictions, more specifically 46%, have adopted an activity-based approach to regulation, meaning they apply licensing or registration requirements to VASPs based on the activities performed in their market, regardless of where the provider is incorporated. This regulatory gap creates blind spots that bad actors actively exploit.
Identified vulnerabilities and case studies
The report describes methods used to obscure illicit fund flows, including dispersing victim funds across multiple addresses, routing transactions through layered intermediary wallets, and using multiple blockchains or cross-chain bridges to increase obfuscation. It also highlights the misuse of nested relationships, whereby unlicensed offshore VASPs access services from licensed providers by posing as private individual customers.
Furthermore, case studies illustrate the scale of the problem. Nigeria's financial intelligence unit identified a high-profile investment fraud scheme in which oVASPs and opaque corporate structures were used to move illicit proceeds across borders, with one global VASP-linked wallet holding approximately USD 600 million at the time of analysis. Indonesia's financial intelligence unit identified virtual asset-based financial support to terrorist groups in Syria, with terrorist financiers using oVASPs to convert between asset types and rapidly obscure transaction trails. In the UK, the FCA has undertaken enforcement measures following the introduction of clearer rules for oVASPs serving UK residents, including driving the takedown of more than 1,000 scam websites.
The FATF recommends that jurisdictions adopt activity-based regulation, enforce sanctions for non-compliance, build inter-agency coordination, and use supervisor-to-supervisor and financial intelligence unit channels to accelerate information sharing and enforcement cooperation.
