In its most recent report, the Financial Action Task Force (FATF) advised on significant money laundering risks arising from bad actors leveraging offshore virtual asset service providers (oVASPs) that leverage gaps in national frameworks across the world to their own benefit.
This week’s newsletter will focus on some of the report highlights, but first, let’s set the stage for today’s narrative.
Setting the stage
At a minimum, VASPs should be required to be licensed or registered in a jurisdiction where they are created.
The FATF standards also allow jurisdictions to extend those licensing or registration requirements to VASPs that offer services to customers in, or conduct operations from, their jurisdiction, regardless of where the VASP is located.
The subtle distinction in regulatory approach is that such activity-based extension is optional, not mandatory.
The result is a fragmented landscape, particularly when it comes to licensing entities operating across borders. Some jurisdictions regulate offshore activity. For example, Singapore has taken a proactive stance, imposing a licensing requirement regardless of where solicitation is done from. Hong Kong considers the firm to be actively marketing, if it runs mass media programs or internet activities that target local populous.
At the same time, there are many other jurisdictions that focus only on firms physically present, or are still tailoring their approach.
And where fragmentation exists, arbitrage follows.
What regulatory arbitrage looks like in practice?
Now, back to the report. The document introduces the concept of offshore virtual asset service providers (oVASPs), denoting the firms that are established in one jurisdiction, which provide services in other jurisdictions, often without local licensing or presence.
In practice, these firms:
incorporate in jurisdictions with lighter or less developed AML/CFT frameworks
serve customers globally through digital platforms
maintain compliance, data, and management functions outside the markets they target
actively market into jurisdictions where they are not supervised
Business model revolves around the idea of separating where you are regulated from where your users are.
Why it works?
1. Diverging implementation
As discussed earlier today, the FATF framework does not require jurisdictions to license offshore providers serving their market.
2. Borderless delivery
Crypto services are inherently cross-border.
3. Cost asymmetry
Licensing requires adherence to CDD requirements along with ongoing monitoring and reporting. And compliance can be expensive. On the other hand, unlicensed businesses have lower fees, faster onboarding and fewer restrictions overall.
Concrete examples
The report gives several illustrations that bring this to life.
In India, the introduction of a tax regime on virtual assets led to a migration of trading activity from regulated domestic platforms to offshore providers.
Those offshore platforms:
onboarded users with limited or no KYC
used domestic payment rails to move funds
operated outside local AML/CFT obligations
According to the report, these entities were able to “transform lower compliance costs into attractive pricing.” No wonder: less regulation, better pricing, more users.
Another recurring pattern is “nested” access, where offshore providers plug into regulated firms to access liquidity or fiat rails, effectively borrowing legitimacy without being supervised themselves.
Furthermore, offshore providers often:
fragment operations across multiple jurisdictions
pool customers globally, making it unclear which entity is responsible
route data and compliance functions elsewhere
delay or resist responding to foreign authorities
In some cases, even identifying who is responsible for a customer becomes difficult. Notably, Japan addressed this by requiring Binance to migrate all Japanese resident accounts from its global platform to a locally registered Binance Japan. The process involved renewed KYC checks.
What’s next
Good question. If regulatory arbitrage is the problem, the natural response is to close the gap between where firms operate and where they are supervised.
Jurisdictions should be moving toward asserting control over activities that target their markets, regardless of where the provider is incorporated. This shift may not be happening uniformly, but the pressure is building.
At the same time, attention is expanding beyond licensing alone. Control points such as payment rails, app distribution, and marketing channels are increasingly being viewed as levers for enforcement. Where direct supervision is difficult, access can be restricted.
Financial institutions are also being drawn more directly into the equation. Where offshore providers rely on regulated entities for liquidity, fiat access, or settlement, those relationships are becoming a focus of scrutiny.
Ultimately, no single jurisdiction can address this in isolation. The effectiveness of any response will depend on how closely supervisory approaches converge and how willing authorities are to coordinate across borders.
Recommendations
The report encourages jurisdictions to take a proactive stance, requiring oVASPs to be licensed or registered domestically. This includes clearly defining what constitutes “active provision of services with indicators such as targeted marketing, use of local language or currency, and the use of domestic payment rails.
Financial institutions and other VASPs must act as gatekeepers, applying risk-based controls to nested relationships, where an oVASP may use an account at a regulated entity to access the financial system.
As always, I am happy to exchange views and compare notes if this topic is of any interest. Please feel free to reach out at alexey [at] atyurin.com
Alexey
