COMPLIANCE INSIGHTS · MARCH 2026
In March 2026, the Financial Action Task Force published what may be its most consequential report for the payments industry in years. Titled Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, the document delivers a clear and urgent message: unregulated offshore crypto exchanges and digital asset platforms are creating dangerous blind spots in the global financial system — and licensed money transfer operators are directly in the firing line. This article unpacks what the report means, how these offshore platforms are being exploited, and, critically, what licensed MTOs must do to protect themselves.
An offshore virtual asset service provider (oVASP) is a crypto exchange or digital asset platform that is incorporated in one jurisdiction but actively serves customers in another — typically without holding a local licence, registering with local regulators, or meeting local KYC and AML requirements. Think unlicensed crypto brokers operating out of low-supervision jurisdictions: platforms that accept customers from Europe, GCC countries, or Southeast Asia while being entirely invisible to the regulators in those markets.
The FATF report is explicit about how they operate: oVASPs often intentionally structure their activities to place themselves beyond the effective reach of regulators. They exploit differences in how jurisdictions regulate digital assets — incorporating in permissive jurisdictions, routing transactions through multiple intermediaries, and offering services into markets where they have no regulatory footprint. And when they need access to regulated payment infrastructure to convert digital assets into fiat currency — to cash out — they come through licensed MTOs.
The reason licensed MTOs must care about oVASPs is structural: these platforms cannot function without access to regulated financial infrastructure at the point of cash-out. When a criminal network uses an oVASP to launder proceeds through multiple wallet layers and blockchains, it ultimately needs to convert those proceeds into fiat currency. That conversion happens through a regulated financial institution — and in many cases, that institution is a licensed money transfer operator whose KYC checks were not designed to detect a business posing as an individual customer.
The most alarming finding in the FATF report for licensed operators is the explicit identification of what it calls nested relationships. This is not a novel concept to compliance professionals, but the March 2026 report documents it with a clarity and specificity that changes it from a background risk to a named enforcement concern.
Unlicensed, offshore crypto platforms are accessing regulated payment rails by posing as ordinary individual customers. They open accounts with licensed MTOs. They pass basic KYC — because their individual-facing documentation looks like any retail customer. They move funds. And because they present as retail clients rather than as the unregistered financial businesses they actually are, their transactions bypass the enhanced due diligence that would ordinarily apply to a business relationship with a payments provider.
Figure 1: The four-stage nested relationship exploit — how oVASPs use individual accounts at licensed MTOs to cash out illicit crypto proceeds through regulated payment infrastructure.
The FATF's March 2026 oVASP report is best understood alongside the FATF's 2025 Targeted Update on the Implementation of Standards on Virtual Assets and VASPs (published June 2025) — these two documents together define the full scope of the problem that licensed operators are navigating. Below are the verified statistics, with their correct source attribution.
| Statistic | Figure | Source | What It Means for MTOs |
|---|---|---|---|
| Activity-based regulation adoption | Only 46% of jurisdictions have adopted an activity-based approach to VASP oversight | FATF, Understanding and Mitigating the Risks of Offshore VASPs, March 2026 | The majority of jurisdictions cannot capture offshore platforms serving their domestic markets — meaning oVASPs in your customer base may face zero regulatory scrutiny in their home jurisdiction |
| Travel Rule legislation | 73% of jurisdictions have passed Travel Rule legislation (2025 survey) | FATF, Targeted Update on Implementation of FATF Standards on VAs and VASPs, June 2025 | 27% have not — and even among the 73% who have, 59% had yet to issue enforcement findings at the time of the survey. Travel Rule gaps remain wide, which is exactly what oVASPs exploit. |
| Illicit on-chain fraud activity | ~$51 billion in illicit on-chain activity related to fraud and scams in 2024 | Industry estimate cited by FATF, Targeted Update, June 2025; referenced again in March 2026 oVASP report context | Fraud proceeds at this scale need cash-out infrastructure. Licensed MTOs are a primary target because they sit at the fiat exit point of the crypto laundering chain. |
| Largest single VASP theft | $1.46 billion stolen from ByBit by DPRK-linked actors — only 3.8% recovered | FATF, Targeted Update, June 2025 | State-level actors are using virtual asset infrastructure with sophistication that outpaces enforcement recovery capability. The stolen funds flow through layering networks that include oVASPs. |
| UK FCA enforcement against oVASPs | More than 1,000 scam websites taken down following introduction of clear rules for oVASPs promoting services to UK residents | FATF, Understanding and Mitigating the Risks of Offshore VASPs, March 2026 — citing FCA enforcement action | Regulators are acting. The FCA's enforcement record demonstrates that activity-based licensing combined with enforcement produces results — and that the oVASP problem is solvable with the right regulatory tools. |
| oVASP nested wallet scale | One global VASP-linked wallet held approximately USD 600 million at time of analysis in a documented investment fraud case | FATF, Understanding and Mitigating the Risks of Offshore VASPs, March 2026 — Nigeria FIU case study | The funds moving through these nested accounts are not small — a single oVASP-linked wallet can hold hundreds of millions of dollars, much of which will need to exit through licensed infrastructure. |
Figure 2: Key statistics from FATF's 2025 Targeted Update and March 2026 oVASP report — with correct source attribution for each figure. Note: the $51B, 73%, and $1.46B figures are from the June 2025 Targeted Update, not the March 2026 oVASP report specifically — both documents are part of the same FATF work programme on virtual assets.
The March 2026 oVASP report sets out a clear agenda for regulators worldwide. The practical consequence for licensed MTOs is that the regulatory environment is about to become significantly more demanding across every major market.
Figure 3: Three tracks of the FATF's regulatory agenda on oVASPs — what each means for compliance-focused licensed MTOs.
The March 2026 report is not a description of theoretical future risks. It documents what is already happening in the markets that licensed MTOs operate in. Three case studies from the report are particularly relevant to MTO operators.
Figure 4: Two documented FATF case studies from the March 2026 oVASP report — Nigeria (investment fraud) and Indonesia (terrorist financing). Both involve oVASPs as the key mechanism for accessing regulated infrastructure. Source: FATF, Understanding and Mitigating the Risks of Offshore VASPs, March 2026.
The FATF's March 2026 report creates an implicit compliance expectation for licensed MTOs that goes beyond the specific legal obligations in any single jurisdiction's AML/CTF framework. When a regulator reads this report and then examines your compliance programme, the question they will be asking is: how does this operator manage the risk that unlicensed platforms are using individual accounts to access its payment rails?
Figure 5: Five compliance obligations for licensed MTOs in response to FATF's March 2026 oVASP report — each addresses a specific dimension of the nested relationship risk identified in the report.
RemitSo is a white-label compliance and payments infrastructure platform built specifically for licensed money transfer operators. Every feature in the compliance stack is designed to address the precise risks the FATF report identifies — and to give your compliance team the visibility and control they need as regulatory pressure intensifies.
Figure 6: Six RemitSo compliance infrastructure capabilities mapped to the specific risks identified in FATF's March 2026 oVASP report.
The FATF report is not a warning for the future. It is a description of what is already happening in the market you operate in. Unregistered offshore crypto platforms are already moving money through regulated infrastructure. Some of them may already be in your customer base. The jurisdictions FATF is pressuring — across GCC, Europe, and Southeast Asia — are exactly the markets RemitSo is built for. Licensed MTOs that invest in robust compliance infrastructure now will be positioned as trusted, regulator-preferred operators when the crackdown intensifies.
An offshore virtual asset service provider (oVASP) is a crypto exchange or digital asset platform that is incorporated in one jurisdiction but serves customers in another without holding a local licence or meeting local AML/CTF requirements. FATF is concerned about them because they exploit regulatory gaps between jurisdictions — operating with minimal oversight, beyond the reach of the regulators in the markets where they actually serve customers. The March 2026 FATF report documents how oVASPs have been used to facilitate large-scale investment fraud (Nigeria case study), terrorist financing (Indonesia case study), and conversion of illicit proceeds across multiple blockchain layers. The specific concern for licensed financial institutions including MTOs is the "nested relationship" exploit — where oVASPs access regulated payment infrastructure by posing as individual retail customers, bypassing the enhanced due diligence that would apply to an overt business relationship with an unregistered financial entity.
A nested relationship — as described in FATF's March 2026 oVASP report — occurs when an unlicensed, offshore crypto platform accesses the services of a licensed financial institution, including an MTO, by posing as a private individual customer rather than disclosing that it is an unregistered financial business. The oVASP (or an individual acting on its behalf) opens a retail account, passes standard individual KYC checks, and uses the account to aggregate and transfer funds on behalf of the oVASP's actual customers. Because the account appears to be a legitimate retail customer, it does not trigger the enhanced due diligence that would be applied if the oVASP declared itself as a business seeking access to payment infrastructure. The FATF report identifies nested relationships as one of the primary mechanisms through which oVASPs access regulated financial infrastructure — and therefore one of the primary risk vectors that licensed MTOs must address in their compliance programmes.
FATF reports do not create direct legal obligations — FATF is an intergovernmental standard-setting body, not a regulator with direct enforcement power over individual businesses. However, FATF guidance establishes the authoritative standard against which national regulators assess the adequacy of compliance programmes. When a licensed MTO's regulator — whether AUSTRAC in Australia, the FCA in the UK, or a GCC financial intelligence unit — reviews its compliance programme, FATF guidance is the reference point they use to determine whether the programme adequately addresses known ML/TF risks. If the March 2026 report identifies oVASP nested relationships as a documented, named ML/TF risk vector, and your compliance programme does not address it, your programme has a gap by reference to the authoritative guidance that was publicly available to you. The practical obligation is clear: update your risk assessment and controls to address oVASP exposure — even though the precise legal mechanism that requires you to do so will vary by jurisdiction.
Activity-based licensing is a regulatory approach under which a platform is required to obtain a licence in a jurisdiction based on the services it provides to customers in that jurisdiction — regardless of where the platform is incorporated. Under this model, an offshore crypto exchange that serves Australian, EU, or GCC customers would need to register with those jurisdictions' regulators even if it is incorporated in a permissive jurisdiction with no regulatory requirements. Currently, only 46% of jurisdictions have adopted this approach, according to FATF's March 2026 report — which is why oVASPs operating from low-regulation jurisdictions can serve customers in regulated markets without any compliance obligations in those markets. FATF is pushing all member jurisdictions to adopt activity-based licensing, and the pressure to do so has become explicit with the March 2026 report. When this approach is adopted more widely, the regulatory perimeter will effectively close around oVASPs — but licensed MTOs need to manage their exposure to oVASPs now, not wait for that regulatory change.
Both figures are from FATF's 2025 Targeted Update on Implementation of the FATF Standards on Virtual Assets and VASPs, published in June 2025 — not from the March 2026 oVASP-specific report, which is a different document in the same FATF work programme. The $51 billion figure is an industry estimate cited by FATF for illicit on-chain activity related to fraud and scams in 2024. The $1.46 billion figure is the value stolen from the VASP ByBit by DPRK-linked actors — the largest single virtual asset theft in history at the time of publication, with only 3.8% recovered. The 73% figure (jurisdictions passing Travel Rule legislation) is also from the June 2025 Targeted Update. The 46% figure (jurisdictions with activity-based licensing) is from the March 2026 oVASP report specifically. RemitSo has verified all figures against their primary FATF sources.
The minimum programme update required in response to FATF's March 2026 oVASP report has five components. First, update your ML/TF risk assessment to include oVASP nested relationship risk as a specifically addressed risk vector — document the risk, its likelihood given your customer base and corridors, and the controls you apply to mitigate it. Second, add business entity detection indicators to your KYC and EDD processes — transaction volumes inconsistent with a retail profile, fund flows from known crypto exchange addresses, and high-frequency low-value transfer patterns are the primary signals. Third, calibrate your transaction monitoring rules to include velocity and pattern checks specifically designed to surface oVASP-type activity. Fourth, ensure your travel rule compliance is current — where it applies, travel rule data is a detection input as well as a reporting obligation. Fifth, document all of the above so that when your regulator asks how you manage oVASP exposure, you have a complete, auditable answer ready. The documented response to a known risk is itself a key component of what regulators will assess.
The UK's Financial Conduct Authority is cited in the March 2026 FATF report as a case study in effective oVASP enforcement. Following the introduction of clear rules requiring oVASPs promoting services to UK residents to register with the FCA and meet UK AML/CTF requirements — an activity-based licensing approach — the FCA undertook a series of enforcement and disruption measures that resulted in the takedown of more than 1,000 scam websites. The FATF specifically highlights this as an example of what activity-based licensing combined with active enforcement can achieve. The lesson for licensed MTOs in other jurisdictions is twofold. First, the regulatory tools to manage oVASP risk are being actively developed and used, so there is a very real risk that your regulator adopts the FCA's approach before you have addressed your oVASP exposure. Second, the 1,000+ scam site takedowns demonstrate the scale of oVASP activity in a single major market — the same activity is present in every market where FATF members operate.
Yes — and this is one of the most important points in the FATF report for traditional remittance operators who consider themselves entirely separate from the crypto sector. The oVASP risk to licensed MTOs does not require the MTO to handle crypto directly. The risk arises at the cash-out point — the moment an oVASP converts illicit crypto proceeds into fiat currency through a licensed financial institution. The MTO's role is as the regulated fiat exit point. The MTO does not need to be aware that it is handling crypto-origin funds for the risk to materialise — which is precisely why the nested relationship exploit works. The oVASP presents as an individual retail customer making what appears to be a normal remittance. The MTO processes a fiat-denominated transfer. But the funds being transferred originated as illicit crypto proceeds and have passed through the oVASP's layering process before arriving at the MTO. Every licensed MTO that handles fiat remittances is potentially exposed — the crypto component is upstream, out of sight, but the compliance and reputational risk is very much with the licensed operator at the cash-out stage.
Sources: FATF, Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers, March 2026; FATF, Targeted Update on Implementation of the FATF Standards on Virtual Assets and VASPs, June 2025; FATF Plenary Outcomes, February 2026. Statistical figures are attributed to their specific source documents throughout this article.