The FATF on Stablecoins and Self-Hosted Wallets: Part 1

The Financial Action Task Force (FATF) recently released their Targeted Report on Stablecoins and Unhosted Wallets. The document examined stablecoins, discussing the threats and vulnerabilities associated with them, along with best practices to mitigate their misuse, including a section on peer-to-peer (P2P) transactions and self-hosted wallets. 

This blog, to be read in conjunction with The FATF on Stablecoins and Self-Hosted Wallets: Part 2, explores why stablecoins are increasingly viewed as a money-laundering and terrorist-financing risk, how jurisdictions are responding, and what this means in practice for virtual asset service providers (VASPs).

TL;DR 

• By mid-2025, over 250 stablecoins were in circulation, with a total market capitalisation exceeding USD 300 billion and daily volumes surpassing Bitcoin.

• The FATF identifies stablecoins as the most commonly used virtual asset in illicit transactions.

• The key vulnerability lies in P2P transfers via self-hosted wallets, where AML/CFT-obliged intermediaries are not involved.

• Stablecoins are virtual assets under the FATF’s standards, meaning VASP obligations apply wherever qualifying services are provided.

• Jurisdictions are tightening frameworks, particularly around self-hosted wallet interactions, even if no uniform technical verification standard exists.

Stablecoins, P2P Risks and Regulatory Responses

Why Stablecoins Pose a Heightened ML/FT Risk 

Stablecoins have expanded rapidly in scale and integration across both the virtual asset ecosystem and the traditional financial system. 

By mid-2025, more than 250 stablecoins were in circulation, with total market capitalisation exceeding USD 300 billion and daily trading volumes surpassing Bitcoin. The market is dominated by fiat-backed, centrally governed stablecoins, primarily USD-referenced, operating across multiple blockchains.

Interestingly, the risk stablecoins pose is not in their existence, but rather in their features: price stability, liquidity, and interoperability make them attractive for illicit use, and this stability increases their suitability for P2P transactions, especially via self-hosted wallets. 

In fact, based on the FATF’s findings, they have become the most commonly used virtual asset in illicit transactions. Although some misuse is direct, they are often embedded within complex transaction chains designed to obscure the origin and destination of funds.

P2P transactions conducted without AML/CFT-obliged intermediaries, such as VASPs, represent a significant vulnerability, especially when layered across multiple wallets; they reduce transparency and regulatory oversight. Stablecoins also pose asset-specific risks as they increasingly integrate with traditional finance. 

The FATF has stressed the need for jurisdictions to monitor whether stablecoins achieve widespread adoption without reliance on traditional on- and off-ramps, and whether reliable data on P2P transaction volumes can be obtained.

The FATF’s Requirements for VASPs and Stablecoins 

The FATF defines virtual assets as digital representations of value that can be traded, transferred, and used for payment or investment purposes; therefore, given their characteristics, stablecoins fall under this definition. 

Additionally, under the FATF’s Recommendation 15, jurisdictions are required to:  

“a. identify, assess and understand the ML/TF/PF risks emerging from virtual assets and VASPs. 

b. ensure that VASPs are required to be licensed or registered in the jurisdiction where they are created.  

c. apply sanctions to natural or legal persons that carry out VASP activities without the requisite license or registration. 

d. ensure that VASPs are subject to supervision. 

e. apply proportionate and dissuasive sanctions to VASPs that fail to comply with AML/CFT/CPF requirements. 

f. ensure that targeted financial sanctions obligations apply to VASPs.” 

In other words, if an entity conducts any stablecoin activities that include the exchange, transfer, or custody, it may qualify as a financial institution, and compliance expectations may apply depending on the entity’s jurisdiction.   

How Jurisdictions Are Responding to Stablecoins and Self-hosted Wallet Transactions Across the Globe 

With the rapid development of the stablecoin ecosystem, we have seen many jurisdictions adapt their regulatory frameworks accordingly.

In the EU, MiCA has established a dedicated framework for stablecoin governance, going so far as to redefine stablecoins to avoid compliance loopholes. In parallel, the EU has extended its Travel Rule (TFR) to cover self-hosted wallet transactions involving a regulated entity, requiring CASPs to apply risk-based measures when transacting with such wallets. 

In Switzerland, regulators require financial institutions to verify wallet ownership via a technical means to mitigate the risks associated with self-hosted wallets. 

Other jurisdictions have introduced thresholds or enhanced due diligence measures for transactions involving self-hosted wallets. 

What this Means in Practice for VASPs

Stablecoins are no longer treated as a niche subset of crypto assets. They are now recognised by the FATF as a core risk area within the virtual asset ecosystem, particularly in P2P contexts involving self-hosted wallets.

For VASPs, this translates into three practical realities:

First, stablecoin exposure is supervisory exposure. If your platform supports stablecoins, regulators will expect your risk assessment to explicitly address their liquidity, cross-chain functionality and P2P use.

Second, self-hosted wallet interaction is now a focal point. While the FATF does not prescribe a technical standard for ownership verification, jurisdictions are increasingly expecting VASPs to demonstrate how they assess and mitigate risks associated with self-hosted wallet transfers. 

Third, technology and governance controls are becoming differentiators. From blockchain analytics integration to transaction monitoring tailored to stablecoin typologies, regulators are looking for evidence of proactive mitigation.

Regulations have evolved, and stablecoins are now being treated as virtual assets; therefore, the associated risks must be controlled wherever an intermediary is involved.

Sources

21 Analytics. Regulatory Frameworks that Include Self-hosted Wallets.
Available at: https://www.21analytics.co/blog/regulatory-frameworks-self-hosted-wallets/

21 Analytics. Stablecoins in the EU: What Has Changed?
Available at: https://www.21analytics.co/blog/stablecoins-in-the-eu/

FATF. Interpretive Note to Recommendation 15 (INR.15).
Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf

FATF. FATF Recommendations -  International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation.
Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf

FATF. Targeted Report on Stablecoins and Unhosted Wallets – Peer-to-Peer Transactions.
Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/publications/targeted-report-on-stablecoins-and-unhosted-wallets.pdf.coredownload.inline.pdf