The Financial Action Task Force (FATF) has recently published a report on vulnerabilities in the regulation and supervision of offshore Virtual Asset Service Providers (oVASPs), which are exploited to conduct large-scale fraud, money laundering, and terrorism financing.
This report, released on March 11, 2026, outlines good practices for jurisdictions to detect, license, supervise, and sanction non-compliant providers.
An oVASP is defined as a provider established under the laws of one jurisdiction that serves clients residing in another, potentially without having a physical presence in the target market. The FATF found that only 46% of jurisdictions have adopted an activity-based approach to regulation, requiring licensing or registration for VASPs based on their activities within the local market.
Highlighted Vulnerabilities and Case Studies
The report details methods used to obscure illicit fund flows. These include dispersing funds across numerous addresses, routing transactions through intermediary wallets to create layers of complexity, and using multiple blockchains or cross-chain bridges for increased anonymity.
The report also points to the misuse of nested relationships, in which unlicensed offshore VASPs may exploit licensed providers by posing as private individuals. This technique gives them access to essential services that would otherwise be denied due to regulatory requirements.
Case studies illustrate the scale of this issue. Nigeria’s financial intelligence unit uncovered a significant investment fraud scheme involving oVASPs and complex corporate structures, with one wallet holding nearly USD 600 million at the time of analysis. Indonesia’s financial intelligence unit identified virtual asset-based financial support to terrorist groups in Syria, where terrorists used oVASPs to convert between different asset types rapidly and obscure transaction trails.
In the UK, the Financial Conduct Authority (FCA) has taken enforcement actions following the introduction of clearer rules for oVASPs serving UK residents. These measures have led to the removal of more than 1,000 scam websites.
The FATF recommends that jurisdictions adopt activity-based regulation, enforce sanctions for non-compliance, enhance inter-agency coordination, and facilitate information sharing through supervisor-to-supervisor and financial intelligence unit channels to improve cooperation in enforcement.











