The architecture of global financial regulation is undergoing a structural transformation, driven by the rapid proliferation of digital assets and their inherently borderless nature. In March 2026, the FATF released a landmark analytical report titled "Understanding and Mitigating the Risks of Off-shore Virtual Asset Service Providers". While the industry grapples with the complexities of unhosted wallets and decentralized finance, the structural conduits enabling a significant portion of illicit cross-border flows remain unregulated or under-regulated offshore virtual asset service providers (oVASPs).
The regulatory challenges surrounding oVASPs stem from a foundational implementation gap across the global network. In 2019, the FATF expanded Recommendation 15 (R.15) to cover Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs), mandating that jurisdictions identify, assess, and mitigate money laundering, terrorist financing, and proliferation financing (ML/TF/PF) risks within the sector. Jurisdictions were required to license or register VASPs, subject them to risk-based supervision, and enforce compliance measures comparable to those expected of traditional financial institutions. However, implementation has remained highly fragmented.
As of April 2025, FATF compliance surveys reveal a concerning regulatory gap:
This uneven implementation has birthed a regulatory asymmetry wherein oVASPs leverage jurisdictional arbitrage to operate from regions with nascent or non-existent AML/CFT frameworks, while actively targeting and servicing clients in highly regulated markets.
One major challenge highlighted in the report is the provision of cross-border services whereby a VASP established in its home state actively provides services in another state with or without a physical presence. The central regulatory friction occurs when an oVASP actively provides these services without being licensed or registered in the host jurisdiction, thereby increasing exposure to ML/TF risks, distorting market competition, and undermining the effectiveness of the host's domestic legal frameworks.
An oVASP deliberately targets foreign markets through aggressive localization, effectively bypassing the host jurisdiction's regulatory requirements. Industry analyses and FATF typologies categorize these entities into two categories. The first category comprises unintentional oVASPs, which are entities that fail to comprehend the extraterritorial scope of foreign financial regulations. Conversely, intentional oVASPs are entities that deliberately engineer their corporate structures, technological infrastructure, and customer onboarding processes to circumvent licensing requirements and AML/CFT obligations.
Intentional oVASPs employ sophisticated corporate structuring to obfuscate ultimate beneficial ownership and diffuse operational liability. Core corporate functions are deliberately geographically isolated from the host jurisdictions where the primary customer base resides. This architectural distance severely limits the ability of domestic competent authorities to compel the production of KYC and CDD data, execute subpoenas, or impose administrative sanctions.
To maintain the illusion of regulatory adherence, some intentional oVASPs engage in the deployment of nominal compliance officers within host jurisdictions. These individuals typically lack the requisite seniority, possess severely restricted access to global CDD repositories, and are deprived of direct reporting lines to senior management or the board of directors. Consequently, when host supervisors or Financial Intelligence Units (FIUs) issue requests for information regarding suspicious transaction reports, the localized compliance function serves as a bureaucratic buffer, resulting in deliberate delays.
A predominant mechanism utilized by oVASPs to bypass market-entry barriers is the establishment of nested exchange arrangements. In a nested structure, an unlicensed oVASP secures liquidity, trading execution, and critical fiat-to-crypto on/off-ramps by opening an account within a larger, fully regulated onshore "host" VASP. Operating analogously to high-risk downstream correspondent banking relationships, the oVASP often misrepresents its institutional nature, posing as a high-net-worth retail client or a proprietary trading algorithm to evade institutional enhanced due diligence. Because the nested oVASP maintains its own independent, off-chain ledger of its underlying retail users, the regulated host VASP is blinded to the true originators and beneficiaries of the transaction flows.
Beyond nested accounts, oVASPs utilize global customer pooling to fracture the chain of regulatory accountability. Customers are onboarded via decentralized mobile applications or web interfaces equipped with negligible geographic controls, often relying solely on basic IP address logging or unverified self-declarations. Once onboarded, users are not assigned to a localized, regulated subsidiary; instead, their assets and transaction histories are pooled into offshore, group-level entities. When domestic FIUs investigate local fraud or money laundering networks, the local subsidiary of the VASP routinely denies jurisdiction, arguing that the accounts in question are legally serviced by a separate corporate branch incorporated in a third-party, zero-regulation jurisdiction.
The fundamental limitation of host-country enforcement is that it is reactive in nature. True mitigation of oVASP risks necessitates proactive, structural intervention by the home jurisdiction where the oVASP is legally incorporated. However, the efficacy of international cooperation is severely hampered by systemic implementation delays, widely referred to as the "Sunrise Issue".
FATF Recommendation 16, known as the Travel Rule, requires VASPs to securely transmit originator and beneficiary data alongside virtual asset transfers. When an oVASP is incorporated in a jurisdiction that has failed to codify the Travel Rule into domestic law, it operates in a legislative blind spot. Host regulators and onshore VASPs lack the legal mechanism to compel the transmission of this critical metadata.
Information sharing between host and home supervisors is also frequently affected by operational delays. When an oVASP utilizes complex group structures, it routinely deflects host-country information requests by claiming that user data is legally controlled by a different subsidiary in a third country. Law enforcement agencies report that formal mutual assistance requests are excessively rigid and slow for the velocity of digital asset investigations, often taking up to a year to yield basic subscriber information.
To combat the systematic circumvention engineered by oVASPs, progressive regulatory regimes have transitioned from a strictly territorial approach to activity-based licensing structures. Under the flexibility provided by FATF INR.15.3, jurisdictions may mandate that any VASP offering products to domestic consumers—regardless of physical incorporation—must register locally and submit to full AML/CFT supervision. However, the legal operationalization of what constitutes the "active provision of VASP services" remains complex and highly varied across the global network.
The establishment of a physical presence requirement represents the most robust countermeasure against oVASP evasion. By legally requiring oVASPs to appoint resident Executive Directors and domestic compliance officers with full, unrestricted access to the VASP's global CDD databases, regulators ensure that a legally accountable individual is physically within the reach of domestic law enforcement. With MiCA, the EU has also taken the full licensing route to ensure a highly regulated environment which is intended to be identical throughout the EU, ensuring a high level of transparency, regulatory predictability and AML/CFT standards to combat risks associated with VASPs.
FIUs must also use thematic reviews to properly develop and understand strategic risks that the VASP sector is posing to the jurisdiction. Through these reviews, the FIUs would be able to analyse the various typologies and risk metrics which VASPs are specifically exposed to as well as markers highlighted by specific customer activity.
The foundational challenge for host jurisdictions is the identification of unregistered oVASP activity. Because oVASPs operate primarily through digital channels and obscure their geographic footprints, traditional supervisory reporting mechanisms are inadequate. Supervisors must systematically scan for operators that indicate an oVASP is intentionally piercing the regulatory framework.
To map the exposure of domestic retail investors to oVASPs, authorities increasingly rely on blockchain intelligence platforms which utilize advanced algorithms to deanonymize blockchain ledgers, linking alphanumeric wallet addresses to real-world virtual asset service providers. However, on-chain data must be cross-referenced with traditional financial intelligence to legally prove the active provision of services. In response to the escalating threat, proactive jurisdictions are institutionalizing these detection capabilities.
When oVASPs ignore supervisory warnings and persistently violate territorial boundaries, regulators must transition from compliance monitoring to outright disruption. Lacking the jurisdictional authority to raid an offshore headquarters, host countries rely on gatekeeping to stop the oVASP's domestic revenue streams. Authorities issue directives to domestic banks and payment service providers, strictly prohibiting the processing of fiat deposits or withdrawals linked to blacklisted oVASPs.
The analytical framework provided by the FATF's March 2026 report fundamentally alters the compliance obligations of traditional financial institutions, correspondent banks, and payment processors. The era of treating virtual asset risk as an isolated, siloed operational hazard is over. The risks generated by oVASPs bleed directly into the fiat payment rails and correspondent banking networks that underpin global commerce.
Financial institutions must urgently recalibrate their enterprise-wide AML/CFT risk assessments to incorporate the specific typologies of oVASP exploitation. It is no longer sufficient to merely screen direct clients against sanctions lists; institutions must trace the digital lineage of incoming fiat deposits. If a traditional bank processes payments for a domestic payment aggregator that, in turn, provides fiat off-ramps for an unregistered oVASP, the bank is inadvertently facilitating jurisdictional arbitrage and potential money laundering. To prevent oVASPs from accessing domestic markets through the backdoor of regulated local exchanges, host supervisors must rigorously enforce FATF Recommendation 13, which governs correspondent banking and nested VASP relationships.
Domestic VASPs and traditional financial institutions must perform exhaustive due diligence on the respondent oVASP's AML/CFT framework, assess the quality of its home-country supervision, and ensure that the respondent oVASP has the technological capability to instantly provide underlying CDD data upon request, overcoming cross-border data privacy shields. Failure by a domestic entity to effectively gatekeep nested access renders it liable for the illicit flows processed by the offshore parasite, exposing the domestic entity to severe regulatory penalties.
For global financial conglomerates operating proprietary virtual asset trading desks or custody solutions, FATF Recommendation 18 dictates the rigorous implementation of group-wide AML/CFT controls. An institution cannot operate a fully compliant exchange in a highly regulated market while allowing an offshore subsidiary in a zero-regulation jurisdiction to pool customer assets and bypass the Travel Rule. Internal audit and compliance functions must ensure that rigorous enhanced due diligence and transparent data-sharing protocols span the entirety of the corporate structure, effectively eliminating the internal regulatory arbitrage that intentional oVASPs seek to exploit.
The FATF’s exhaustive report on oVASPs serves as a definitive warning to both sovereign regulators and the global financial industry: the era of unchecked jurisdictional arbitrage in the virtual asset sector is drawing to a close. The systemic exploitation of regulatory asymmetries by intentional oVASPs—resulting in massive fraud, the circumvention of sovereign tax regimes, and the financing of state-sponsored cybercrime—demands a unified, aggressive, and technologically sophisticated response. By synthesizing aggressive digital surveillance, stringent nested-exchange controls, and rapid, diagonal international cooperation, the global financial community must collaboratively enclose the regulatory perimeter, protecting the integrity of the financial system from the borderless threat of oVASPs.
Author: Dr Josef Cachia Fenech Gonzi