FATF June 2025 Update: Analysis of Virtual Asset Standards Implementation and Supervisory Guidance
- James Ross
- Jun 30, 2025
- 4 min read
Executive Summary
In June 2025, the Financial Action Task Force (FATF) released two significant reports concerning the global regulation of virtual assets (VAs) and virtual asset service providers (VASPs). The first is a targeted update on the implementation of Recommendation 15 (R.15), and the second provides detailed guidance on "Best Practices on Travel Rule Supervision." The reports collectively indicate that while there is incremental progress in global AML/CFT compliance for the VA sector, significant deficiencies persist. The slow pace of implementation, particularly concerning the Travel Rule, continues to create opportunities for illicit actors. Consequently, the FATF is urging jurisdictions to accelerate their supervisory and enforcement efforts, signalling a forthcoming period of intensified regulatory scrutiny for the industry.
1. Key Findings on Global Implementation of Recommendation 15
The FATF's sixth review of R.15 implementation reveals a continued, albeit slow, improvement in compliance across the global network.
Overall Compliance Levels: As of April 2025, 29% of assessed jurisdictions are rated "largely compliant," an increase from 25% in 2024. The proportion of "non-compliant" jurisdictions has decreased from 25% to 21%. However, only one jurisdiction has achieved a "fully compliant" rating, underscoring the substantial work that remains to be done.
Risk Assessments: The number of jurisdictions that have conducted ML/TF risk assessments for VAs and VASPs has risen to 76%, up from 71% in 2024. A key challenge remains the effective translation of these assessments into adequate, risk-based supervisory frameworks.
Regulatory Approaches: The majority of jurisdictions (62%) have opted to permit and regulate VASPs. Concurrently, there is a steady increase in jurisdictions choosing a full or partial prohibition, now at 20%. The FATF notes the significant challenge associated with the effective enforcement of such bans.
Licensing and Supervision: A notable gap persists between legislative requirements and operational realities. While 96 jurisdictions have established a legal requirement for VASP licensing or registration, only 76 have a VASP licensed or registered in practice. A primary challenge cited is the identification and supervision of offshore VASPs.
The Travel Rule (R.15, para. 7(b)): Progress on Travel Rule implementation remains a critical concern. Although 73% of relevant jurisdictions (85 of 117) have passed enabling legislation, a significant global gap exists. Enforcement is limited, with 59% of these jurisdictions having taken no enforcement action to date. The "Sunrise Issue"—where compliant VASPs face challenges interacting with counterparts in non-compliant jurisdictions—is identified as the single most significant obstacle.
2. Emerging Risks and Illicit Finance Typologies
The reports identify several escalating risks and trends in the use of virtual assets for illicit purposes.
Stablecoins: The use of stablecoins by illicit actors, including terrorist financing networks and state-sponsored groups such as the DPRK, has increased. It is estimated that a majority of all on-chain illegal activity now involves stablecoins. Illicit actors frequently use stablecoins in conjunction with anonymity-enhancing tools and layer funds through dormant accounts.
Theft and Scams: The scale of VA-related theft and fraud remains significant. The report identifies the DPRK's theft of $1.46 billion from VASP ByBit in 2025 as a critical incident. Additionally, a trend towards the professionalisation of scams is noted, including "scam-as-a-service" models and sophisticated investment scams, such as "pig butchering."
Decentralised Finance (DeFi): The identification of entities exercising control over a DeFi arrangement remains a significant challenge for regulators. Approximately 48% of advanced jurisdictions now require specific DeFi arrangements to be licensed as VASPs; however, 75% of those jurisdictions have not successfully identified any qualifying entities.
3. Implications for Firms (VASPs and Financial Institutions)
The findings from the FATF reports have direct and significant implications for firms operating in or exposed to the virtual asset sector.
Increased Regulatory and Supervisory Pressure: The FATF's emphasis on the need to "rapidly operationalise" regulatory frameworks signals that jurisdictions will be under pressure to intensify supervision and enforcement. Firms should anticipate more rigorous examinations.
Travel Rule Compliance as a Priority: The persistent gaps in Travel Rule implementation are a "serious concern" for the FATF. Firms must ensure they have a robust, effective, and fully operational Travel Rule solution in place. This area will be a primary focus during regulatory inspections.
The Criticality of Stablecoin Risk Management: Given that a majority of on-chain illicit activity involves stablecoins, firms must implement enhanced risk mitigation measures. This includes conducting enhanced due diligence on transactions involving stablecoins, particularly those combined with anonymity-enhancing services.
Intensifying Scrutiny of DeFi Protocols: Firms offering services related to DeFi protocols should prepare for greater regulatory scrutiny regarding governance and control. Firms must be ready to demonstrate how they identify and manage the associated AML/CFT risks within these structures.
Navigating a Fragmented Global Landscape: The inconsistent global implementation of R.15 creates a complex compliance environment. Firms with cross-border operations must actively manage the risks associated with counterparties in jurisdictions with weak or non-existent AML/CFT regimes for VAs.
Convergence of Cybersecurity and AML/CFT: The scale of theft and fraud underscores the importance of robust security and fraud prevention systems. These are no longer solely commercial risks but are now significant AML/CFT concerns, as the proceeds are laundered through the VA ecosystem. Firms must integrate these functions into their broader financial crime compliance frameworks.
Comments