
FATF’s Updated Guidance Tells Regulators to Focus on Business Models Over Technology and Terminology

On October 28, 2021, the Financial Action Task Force (FATF) released its updated guidance for how member jurisdictions should regulate cryptocurrency businesses. Back in March, FATF released a draft version of today’s guidance for industry review — you can read our comments on that release here. Today’s guidance largely mirrors the March proposal, with the key theme being FATF’s focus on regulating cryptocurrency businesses as VASPs based on their function and business model, rather than their underlying technology, self-described business category, or custodial status. Below, we’ll break down the most important provisions of FATF’s guidance and tell you how Chainalysis can help you meet your compliance obligations.

Reminder on key terms: VAs and VASPs

In all of its guidance related to cryptocurrencies, FATF uses the terms virtual assets (VAs) and virtual asset service providers (VASPs) to define which assets and businesses should be covered by the standards they set out. FATF defines a VA as “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes.” This definition includes most conventional cryptocurrencies, but as we’ll explore below, FATF says that jurisdictions should only regulate certain types of assets, such as NFTs, as VAs on a case-by-case basis depending on how they’re used.

A VASP, on the other hand, is defined as any person or business who conducts one or more of the following “virtual asset activities” on behalf of other people or services:

  • Exchange between virtual assets and fiat currencies;
  • Exchange between one or more forms of virtual assets;
  • Transfer of virtual assets;
  • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
  • Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

That definition of VASP covers nearly all centralized cryptocurrency services, and as of this latest guidance, also includes DeFi protocols. We’ll dive more into FATF’s rationale for that classification below, as well as other important parts of the new guidance.

DeFi protocols

Many in the cryptocurrency industry have historically argued that non-custodial cryptocurrency platforms like DeFi protocols shouldn’t be regulated as VASPs because they never actually hold users’ funds, but rather facilitate the transfer of funds directly between users’ personal wallets. DeFi protocols achieve this through underlying smart contracts that autonomously execute transactions between users’ wallets based on the code in the smart contracts. However, while they may be non-custodial, FATF’s latest guidance nevertheless says that DeFi protocols can still be regulated as VASPs if they’re fulfilling VASP-like functions, such as facilitating the exchange or transmission of VAs.

However, in recognition of how DeFi protocols’ ability to run autonomously separates them from centralized services, FATF says that the software or technology behind a given DeFi protocol would not be regulated as a VASP. Instead, the “owner/operator” of the protocol would be. FATF provides guidance on how to identify the owner/operators of a given protocol, stating it is likely anyone “who profits from the use of the service or asset, who established and can change the rules, who can make decisions affecting operations, who generated and drove the creation and launch of a product or service, who maintains an ongoing business relationship with a contracting party or another person who possesses and controls the data on its operations, and who could shut down the product or service.” So, while DeFi protocols themselves may be decentralized, the individual or group controlling and profiting from it is responsible for meeting AML/CFT obligations.

FATF’s guidance means that DeFi protocols’ owners and operators will soon be required to enact the same compliance protocols as centralized services, such as collecting KYC information from new users, monitoring transactions, and reporting suspicious activity. Chainalysis KYT can help, and many leading DeFi platforms already use Chainalysis solutions. Our best-in-class blockchain dataset has enabled compliance teams at centralized services to get automatic, real-time alerts on user transactions with risky or illicit addresses, so that they can move quickly to complete the necessary reporting and recordkeeping. We look forward to extending this ability to decentralized platforms as jurisdictions enact FATF’s latest recommendations.


FATF’s guidance also tells regulators when and how they should identify and regulate non-fungible tokens (NFTs) as VAs. This is one of the few areas where the new guidance differs from the proposed guidance released in March, in that the proposed guidance never actually mentioned NFTs by name, though it did seem to allude to them by description.

The new guidance clarifies that, by default, NFTs are not considered VAs based on their general use. However, FATF encourages jurisdictions to evaluate NFTs on a case-by-case basis and regulate them as VAs when their use conforms to the VA definition. Specifically, FATF says, “Some NFTs that on their face do not appear to constitute VAs may fall under the VA definition if they are to be used for payment or investment purposes in practice.”

FATF’s approach to NFTs mirrors its approach to other cryptocurrency assets and businesses in that the emphasis is on how NFTs are used functionally, rather than the underlying technology or the NFT label. A challenge for NFT markets will be identifying which NFTs meet the FATF functional definition of a VA, for instance, through reliable reference data incorporated into the NFT. For those NFTs that do meet the functional definition or otherwise follow FATF guidance as a best practice in an abundance of compliance caution, Chainalysis partners with a number of NFT platforms, including Dapper Labs, and our compliance and monitoring solutions will enable VASPs that support NFTs to meet their compliance obligations under the new guidance.


While FATF previously designated stablecoins as VAs, the latest guidance also recommends that the governing board or central developers of any given stablecoin issuer be regulated as a VASP. More specifically, FATF defines this governing body as anyone who “establishes or participates in the establishment of the rules governing the stablecoin arrangement,” which includes those who help determine the stablecoin’s function, price stabilization mechanisms, or integration into telecommunications platforms. This isn’t a new idea — in the United States, FinCEN has treated stablecoin issuers as VASPs since 2019.

The guidance here resembles that for determining who receives the VASP designation for a DeFi protocol, in that the focus is on identifying those in control of the stablecoin regardless of the stablecoin’s underlying technology or purpose. FATF makes the rationale quite clear, stating: “Additionally, this is not meant to implicate those only developing software code, but rather the persons involved in stablecoin arrangements that conduct or provide financial services covered by the limbs of the VASP definition.”

Travel Rule and personal wallets

The Travel Rule, also known as FATF Recommendation 16, aims to stop money laundering by minimizing the anonymity of large cryptocurrency transactions. The Travel Rule has long applied to fiat transactions, and in 2018, FATF stated that countries should also apply the rule to cryptocurrency businesses, and mandate that VASPs obtain, hold and exchange with other VASPs information about the originators and beneficiaries of cryptocurrency transfers above $1,000 USD.

FATF’s latest guidance expands the Travel Rule, recommending that it apply not only to VASP-to-VASP transactions, but also to those between personal wallets and VASPs. This means that, if jurisdictions implement these recommendations as written, VASPs will be required to obtain from their customers the required originator and beneficiary information on transactions from personal wallets. Many have argued that this expansion is not necessary, and will complicate an already difficult Travel Rule implementation process for VASPs. However, FATF sees significant potential AML/CFT risk in personal wallet transactions — paragraphs 105 to 107 of the latest guidance outline how jurisdictions should monitor this risk and impose additional regulations as necessary — so it’s unsurprising that the task force recommends this Travel Rule expansion.

FATF also makes one important exception for Travel Rule compliance. If a VASP has reason to believe that its counterparty VASP would be unable to store customer information securely, it can decline to send that information, provided that the AML/CFT risk of the transaction in question is small enough. This provision was also included in FATF’s proposed guidance released in March.

FATF’s latest guidance makes clear that it expects member jurisdictions to implement Travel Rule enforcement as soon as possible. However, many VASPs are not yet fully compliant with the Travel Rule as currently written because of the technical challenges related to fully implementing its requirements. FATF appears sympathetic to these difficulties in its latest guidance, stating: “Countries may wish to take a staged approach to enforcement of travel rule requirements to ensure that their VASPs have sufficient time to implement the necessary systems, but should continue to ensure that VASPs have alternative measures in place to suitably mitigate the ML/TF risks arising from VA transfers in the interim.” In other words, while FATF wants jurisdictions to implement Travel Rule enforcement soon, it’s encouraging regulators to be flexible and roll these enforcements out gradually so that VASPs can adopt the tools necessary for compliance.

Chainalysis is willing and able to help in this regard. VASPs can leverage our Notabene and Sygna integrations now to meet their Travel Rule obligations. These solutions allow VASPs to identify transactions that meet the rule’s requirements, pull users’ KYC information, and send it to VASP counterparties as the transactions are completed. Our solutions enable all of this to happen instantly, which is essential to avoid compromising user experience.

How Chainalysis helps you meet your obligations

Chainalysis is an integral part of any AML risk mitigation strategy. Our tools automatically detect and alert compliance teams to patterns of potential high-risk activity, from anomalous transactions and scams, to darknet markets and addresses included as identifiers on OFAC’s sanctions list. Users can customize their alerts to their specific risk appetite to satisfy VA transaction monitoring obligations. When high risk activity is flagged, users can conduct enhanced due diligence using Chainalysis Reactor to further investigate the activity and determine what other steps might be necessary, such as submitting a suspicious transaction report.

We look forward to working not just with cryptocurrency businesses, but also with financial institutions and regulators to ensure all sides meet their compliance obligations as jurisdictions roll out FATF’s recommended policies. If you’d like to learn more about how we can help, please contact us here.