Understanding and Mitigating the Risks of oVASPs: A Summary

In the FATF’s latest report, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, it addressed the risks and supervisory challenges linked to oVASPs, provided good practices for VASPs with case studies, and recommended actions for both home and host jurisdictions. 

The report reinforces a key point: AML/CFT risk in the crypto sector is increasingly driven by cross-border regulatory gaps rather than by technology alone. Regulators and compliance teams need to be alert to these supervisory blind spots.  

The blog below provides an overview of the document, focusing on the key findings. 

Understanding oVASPs

Offshore VASPs (oVASPs) are virtual asset service providers (VASPs) that operate from jurisdictions different from where their users are located. For example, a VASP operating from France offering services to users based in the UK. 

According to the industry experts, there are 2 types of oVASPs: unintentional and intentional. 

Unintentional oVASPs are often oblivious to the regulatory frameworks applicable to the activities they undertake. 

Intentional oVASPs intentionally circumvent registration/licensing requirements as part of their business model. Moreover, they position themselves in regions with less or weaker regulatory oversight. This intention allows the VASP to serve customers while avoiding effective AML/CFT supervision. 

These points create opportunities for criminals to move funds across platforms and jurisdictions while avoiding detection.

The Risks Linked to oVASPs

Due to the nature of virtual assets, offering cross-border services is neither unheard of nor poses significant risks, provided it is done in a manner that carefully aligns with AML/CFT frameworks. When this is not the case, loopholes form along with sizeable risks and supervisory challenges. 

Examples of these challenges include oVASPs actively soliciting customers in jurisdictions where they are not authorised to operate and advising users on bypassing restrictions, such as through VPNs or inaccurate location information. 

Others rely on nested exchange arrangements, accessing liquidity and fiat on- and off-ramps through accounts with regulated VASPs. While such arrangements can be legitimate, they can also obscure the identity and activity of underlying customers and limit the host VASP’s visibility over transaction flows.

More broadly, regulatory arbitrage remains a major concern. Offshore platforms may relocate or route customer activity through jurisdictions with weaker regulatory requirements to avoid AML/CFT obligations, such as customer due diligence or Travel Rule compliance. These practices can convert lower compliance costs into competitive pricing advantages and attract customers away from a regulated provider. 

The Supervisory Challenges Linked to oVASPs

Lack of Physical Presence

A common obstacle is the limited or nonexistent physical presence of oVASPs in the jurisdictions where their customers are located. Compliance teams, key personnel, and data infrastructure may be located in entirely different jurisdictions. In some cases, platforms intentionally obscure their location or operate through distributed organisational structures.

Global Pooling of Customers

Another challenge arises from the way some global VASPs structure customer onboarding and account management. Rather than assigning customers to specific regulated entities, platforms may pool customers across multiple jurisdictions within a single group structure. Accounts may be opened through mobile applications with minimal geolocation controls, relying largely on self-reported information.

This approach can obscure which entity within a corporate group is responsible for servicing a customer and complying with AML/CFT obligations. Authorities may therefore struggle to

Jurisdictional Barriers to Enforcement

Enforcement actions are further complicated by jurisdictional fragmentation. Offshore VASPs may maintain separate operational functions, such as customer onboarding, compliance operations, and data storage, across different jurisdictions. When authorities request information, the platform may redirect them to another jurisdiction where the relevant records are held.

In practice, this can require authorities to submit multiple cross-border requests for assistance through formal legal channels. These processes can take months or even longer, delaying investigations and reducing the likelihood of timely asset recovery.

Technological and Structural Complexity

Some oVASPs also integrate privacy-enhancing technologies or services such as mixers, bridges, and decentralised finance protocols. These tools can fragment transaction records, making it more difficult to trace funds or identify the location of relevant operational data.

At the same time, the increasing use of fully digital delivery models, such as mobile applications and web-based platforms, reduces the effectiveness of traditional supervisory tools.

The FATF’s Good Practices for VASPs

The FATF outlines several practices to help jurisdictions mitigate risks posed by oVASPs. These focus on identifying offshore providers, implementing licensing frameworks, enforcing regulatory measures, and strengthening cooperation.

Identifying Offshore VASPs

Authorities should identify entities providing virtual asset services without the required licence or registration, including offshore platforms serving local users. Because oVASPs often operate digitally without a physical presence, detection relies on multiple indicators and intelligence sources. Red flags may include the absence of geo-blocking, use of local language or currency, targeted advertising, support for domestic payment methods, or presence in local app stores.

Authorities can combine tools such as blockchain analytics, open-source intelligence, suspicious transaction reports, and financial institution data to detect offshore activity. Thematic supervisory reviews can also help identify national exposure and common access points used by oVASPs.

Licensing, Enforcement and Cooperation

Jurisdictions may require oVASPs actively serving residents to obtain local licensing or registration. Supervisors may initially engage with such entities to clarify obligations or request compliance.

Where engagement fails, enforcement tools may include public warnings, website or app removals, restrictions on domestic intermediaries, or financial penalties.

Strong domestic coordination and international cooperation between regulators, FIUs, and law enforcement are essential to effectively supervise cross-border VASP activity and address risks linked to offshore providers.

What’s Next for VASPs: Tips from the FATF

The FATF put forward suggestions for VASPs and regulators to reduce and prevent the risks posed by oVASPs.  

For all jurisdictions, authorities should include oVASP activity in their national risk assessments, even when services are provided without a physical presence, and apply a risk-based supervisory approach. Strong domestic coordination and international cooperation between supervisors are also essential.

Home jurisdictions, where oVASPs are incorporated or located, should ensure effective risk-based supervision of VASPs operating globally. This includes having the authority to obtain information on cross-border activities and cooperating with foreign regulators by sharing information and supporting enforcement actions.

Host jurisdictions where oVASPs provide services should consider requiring offshore providers to register or obtain domestic licences, and clearly defining what constitutes active service provision. A prime example of this in action is the EU’s MiCA framework.

For the private sector, financial institutions and VASPs should assess exposure to oVASPs, apply risk-based controls, monitor nested relationships, and avoid business relationships with unlicensed providers.

Access further summaries prepared by 21 Analytics by subscribing to the monthly newsletter. 

Image sources: FATF Report Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers

Please note: This blog provides a high-level summary of the FATF report Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers (oVASPs).

Readers are encouraged to consult the full FATF report for complete context, detailed analysis, and all recommended actions.