
FATF Stablecoin Report 2026: What Payment Operators Must Know About Stablecoin AML Risk

On 3 March 2026, the Financial Action Task Force published its Targeted Report on Stablecoins and Unhosted Wallets — a 42-page analysis that changes the compliance calculus for every payment operator touching digital assets. The headline finding is striking: 84% of illicit crypto activity now involves stablecoins. FATF's message to regulators, governments, and payment businesses is unambiguous — stablecoins are no longer an emerging risk on the periphery of financial crime. They are the dominant vehicle. And most jurisdictions are still behind.

What the FATF Report Actually Found

The FATF Targeted Report on Stablecoins and Unhosted Wallets is not a theoretical warning about future risks. It is a data-driven assessment of how financial crime is operating right now. The 84% figure — representing the share of on-chain illicit activity that now involves stablecoins — reflects a structural shift in how bad actors use digital assets. Stablecoins have displaced volatile cryptocurrencies as the preferred instrument for money laundering and terrorist financing on-chain because they combine the programmability and transferability of crypto with the price stability that makes them suitable for storing and moving large values without the volatility risk that Bitcoin or Ether would introduce.

FATF's analysis identifies two categories of stablecoin risk that together explain the 84% finding. The first is the use of stablecoins to move value across borders rapidly, in large amounts, without engaging any AML-obliged intermediary — particularly through peer-to-peer transfers via unhosted wallets. The second is the concentration of stablecoin issuance in a small number of entities, most of which operate outside the regulatory perimeters of FATF's member jurisdictions or in jurisdictions that have not yet implemented the FATF Standards for virtual assets.

FATF Targeted Report on Stablecoins — Key Findings at a Glance
84%: Share of on-chain illicit crypto activity now involving stablecoins — FATF Targeted Report, March 2026
42 Pages: Length of FATF's targeted analysis — the most comprehensive regulatory examination of stablecoin ML/TF risk to date
Few: Number of FATF member jurisdictions that have implemented targeted stablecoin regulatory frameworks — the majority are still behind

Figure 1: FATF March 2026 targeted report headline statistics — stablecoins as the dominant instrument for on-chain financial crime

⚠ Regulatory Reality: FATF's findings represent a formal signal to financial regulators globally. FATF recommendations are not binding, but they set the international standard against which national regulators design their own frameworks — and FATF's Mutual Evaluation process holds jurisdictions publicly accountable for implementation gaps. A finding of this significance, published in a targeted report, will accelerate regulatory action in every major market. Payment operators should treat the publication date as the starting point for their own compliance review, not a date to wait out.

Unhosted Wallets: The Core Vulnerability

FATF's report identifies peer-to-peer transfers through unhosted wallets as the primary mechanism through which stablecoins bypass AML controls. An unhosted wallet — also known as a self-custodied or non-custodial wallet — is a crypto wallet where the private keys are held by the user rather than by a regulated intermediary. This means that transfers between unhosted wallets do not pass through any entity subject to AML/CTF obligations — no KYC is performed, no transaction monitoring is applied, and no suspicious matter reports are filed.

The scale of the problem stems from the combination of two characteristics that stablecoins uniquely offer. First, they maintain stable value, making them practical for storing and transferring significant sums without the holder bearing price risk. Second, they can be transferred peer-to-peer on public blockchains with minimal friction and near-instant settlement — properties that were originally designed to make them useful for legitimate payments but that equally serve illicit ones. FATF warns explicitly that if stablecoin mass adoption continues on its current trajectory without corresponding regulatory infrastructure, the AML risks will amplify in proportion.

Why Unhosted Wallets Create a Structural AML Gap
No KYC at the Point of Transfer
Peer-to-peer stablecoin transfers between unhosted wallets require no identity verification — the sender and recipient are identified only by a cryptographic address, not by any verified personal information.
No AML-Obliged Intermediary
Because no regulated entity facilitates the transfer, there is no obligation to apply transaction monitoring, file suspicious matter reports, or screen against sanctions lists — the entire AML framework is bypassed.
Price Stability Enables Large Value Transfers
Unlike volatile cryptocurrencies, stablecoins allow bad actors to hold and transfer large sums without price risk — making them practical for structured layering and cross-border value movement at scale.
Cross-Border Reach Without Regulatory Friction
Stablecoins can be transferred across jurisdictions instantly without engaging correspondent banking relationships or cross-border payment rails — removing the multiple AML touchpoints that traditional cross-border transfers pass through.

Figure 2: Four structural characteristics of unhosted wallet stablecoin transfers that create gaps in AML frameworks

What FATF Is Demanding From Stablecoin Issuers

One of the most operationally significant recommendations in the FATF report is its call for governments to require stablecoin issuers to adopt enforceable risk-based technical and governance controls. FATF specifically identifies three categories of issuer capability that it considers essential: the ability to freeze tokens in circulation, the ability to burn tokens — permanently removing them from supply — and the ability to withdraw tokens from secondary market circulation in response to identified financial crime risk or regulatory direction.

These requirements represent a fundamental shift in what FATF expects from stablecoin infrastructure. The freeze-burn-withdraw framework treats stablecoin issuers as regulated financial actors with ongoing obligations — not simply as technology providers who create tokens and step back. It requires that the issuer retain meaningful control over the token even after it enters secondary market circulation, and that this control can be exercised in a legally enforceable way in response to AML or sanctions concerns raised by a competent authority.

FATF's Three Required Issuer Controls: Freeze, Burn, Withdraw
Current State (Most Issuers)
No enforceable freeze capability post-issuance
Tokens circulate freely without issuer intervention right
No AML obligation attached to secondary transfers
Governance controls voluntary, not legally mandated
Most issuing jurisdictions lack targeted regulatory frameworks
FATF Required Standard
Freeze: tokens can be immobilised on regulatory direction
Burn: tokens can be permanently destroyed to eliminate value
Withdraw: tokens can be recalled from secondary circulation
Controls legally enforceable, embedded in issuer obligations
Risk-based governance framework required at issuance and beyond

Figure 3: Current stablecoin issuer posture vs FATF's required standard for enforceable governance and technical controls

Key insight: The freeze-burn-withdraw framework is not merely a technical specification. It is a governance requirement that changes the legal relationship between stablecoin issuers and the tokens they create. Issuers who build these capabilities into their smart contract architecture and governance frameworks will be positioned to satisfy FATF-aligned regulation as it comes into force across major markets. Those who do not will face mandatory retrofit or potential delisting from regulated payment ecosystems.

The Regulatory Momentum Building Globally

FATF's report does not arrive in a regulatory vacuum. It lands at a moment when the three most significant regulatory jurisdictions for digital assets — the European Union, the United States, and the jurisdictions covered by FATF's member country framework — are all moving, at different speeds and with different architectures, toward stablecoin-specific regulatory frameworks. The direction of travel is unambiguous. The question for payment operators is not whether stablecoin regulation will tighten but how quickly, and what specific obligations will apply in the corridors and markets they operate in.

FATF's timing is also deliberate. The report was published in March 2026, approximately fifteen months after the EU's Markets in Crypto-Assets (MiCA) regulation came into force in December 2024 — giving FATF and the broader policy community a body of evidence about early implementation experience. It also arrives shortly after the US Office of the Comptroller of the Currency issued its first rulemaking under the GENIUS Act — legislation that represents the most significant federal stablecoin regulatory action in US history. FATF has positioned its report to inform and accelerate the remaining regulatory work still needed across both its member jurisdictions and the broader international community.

MiCA, the GENIUS Act, and What They Require

The EU's MiCA regulation, in force since December 2024, establishes a comprehensive licensing and regulatory framework for issuers of asset-referenced tokens and e-money tokens — the two categories that cover most stablecoins of commercial significance. MiCA requires stablecoin issuers operating in EU markets to hold an authorisation from a competent authority, maintain adequate reserve assets, implement robust governance arrangements, and comply with AML and CTF obligations including customer due diligence and transaction reporting. Issuers of significant stablecoins — defined by transaction volume and user base thresholds — face additional supervisory requirements and capital obligations.

In the United States, the GENIUS Act establishes the first federal framework specifically for payment stablecoins — coins pegged to the US dollar and intended for use in payment transactions. The OCC's first rulemaking under the Act sets out the licensing requirements for stablecoin issuers operating under federal oversight, the reserve standards that must be maintained, and the AML obligations that attach to issuance and distribution. Critically, the GENIUS Act framework aligns with FATF's position on issuer controls — requiring that payment stablecoin issuers have the technical capability to comply with law enforcement requests, including the ability to freeze or block transactions in response to valid legal process.

Global Stablecoin Regulatory Frameworks — Where Each Jurisdiction Stands
| Jurisdiction | Framework | Status (March 2026) |
| --- | --- | --- |
| European Union | MiCA — Markets in Crypto-Assets Regulation | In force — December 2024 |
| United States | GENIUS Act + OCC rulemaking | Active — first rulemaking issued February 2026 |
| United Kingdom | HM Treasury stablecoin regime (FCA oversight) | Consultation advanced — implementation pending |
| Singapore | MAS Stablecoin Regulatory Framework | In force — August 2023 (early mover) |
| Most FATF Members | Varies — FATF Recommendation 15 implementation | Behind — FATF report identifies significant gaps |

Figure 4: Global stablecoin regulatory framework status as of March 2026 — the implementation gap FATF is seeking to close

What This Means for Cross-Border Payment Operators

For payment operators handling cross-border flows, FATF's report creates both an immediate compliance obligation and a medium-term strategic question. The immediate obligation is straightforward: if your operation touches stablecoins — directly, through customer transactions, or through counterparty exposure — your AML framework needs to be reviewed and updated against the risk profile that FATF has now formally documented.

This is not limited to operators who are themselves issuing or distributing stablecoins. It extends to any payment business that processes transactions from customers who hold stablecoin positions, that uses stablecoin rails for settlement or liquidity, or that has correspondent or counterparty relationships with entities active in stablecoin markets. In each of these situations, your exposure to stablecoin-related AML risk is real, and your AML framework should reflect that exposure explicitly.

Where Stablecoin AML Risk Enters a Cross-Border Payment Operation
Customer-Side Exposure
Customers who fund cross-border payments using stablecoin proceeds — whether declared or not — introduce ML risk that your transaction monitoring must be configured to detect and escalate appropriately.
Settlement Rail Exposure
Operators using stablecoin networks for cross-border settlement or liquidity management are touching infrastructure that FATF has identified as the primary vehicle for illicit on-chain activity — requiring heightened due diligence on counterparties and corridor-level risk assessment.
Counterparty and Correspondent Exposure
Banking partners, payout providers, and correspondent institutions are increasingly scrutinising their own clients' stablecoin exposure. Operators without documented stablecoin risk policies may face de-risking from banking relationships as partner institutions implement FATF-aligned due diligence frameworks.
Regulatory Examination Risk
Regulators conducting AML examinations following the FATF report will expect licensees to demonstrate awareness of stablecoin risk and to show that their AML programme has been updated to address it — whether or not the operator considers itself a stablecoin business.

Figure 5: Four channels through which stablecoin AML risk enters a cross-border payment operation — even for operators not directly issuing stablecoins

How to Update Your AML Framework for Stablecoin Risk

The practical compliance response to FATF's report is not to panic or to avoid stablecoins entirely — it is to ensure that your AML programme reflects the stablecoin risk profile accurately and that the controls you have in place are proportionate to your actual exposure. The following framework represents the key dimensions that need to be reviewed and updated.

5-Part AML Framework Update for Stablecoin Risk
01. Map Your Stablecoin Exposure
Audit every point at which stablecoins enter or could enter your operation — customer funding sources, settlement rails, counterparty relationships, and correspondent banking exposure. This map becomes the foundation for proportionate risk assessment and the defensible basis for your updated AML programme documentation.
02. Update Transaction Monitoring Rules
Configure transaction monitoring to flag patterns consistent with stablecoin-facilitated layering — including large or structured transactions with source-of-funds indicators pointing to digital asset accounts, unusual velocity from customers with declared crypto holdings, and transactions originating from or destined for known stablecoin-active jurisdictions or corridors.
03. Strengthen Counterparty Due Diligence
Apply enhanced due diligence to any counterparty, payout partner, or liquidity provider that is active in stablecoin markets. Review their AML frameworks, their own stablecoin risk policies, and their regulatory status in their operating jurisdictions. Document this review as part of your ongoing counterparty risk management process.
04. Add Jurisdiction-Level Stablecoin Risk Scoring
Update your geographic risk assessments to include stablecoin regulatory status as a risk factor. Jurisdictions with no stablecoin framework and high digital asset activity should be rated higher risk for stablecoin-related ML/TF exposure. FATF's report provides the evidential basis for this adjustment in your risk methodology documentation.
05. Document the Review and Update Your AML Programme
Record that your AML programme has been formally reviewed in response to FATF's March 2026 report. Document the stablecoin risk assessment, the monitoring rule changes made, the counterparty due diligence updates completed, and the geographic risk scoring adjustments applied. This documentation demonstrates regulatory responsiveness and provides the audit trail that examiners will look for.

Figure 6: Five-part AML framework update for payment operators responding to FATF's March 2026 stablecoin targeted report

Operational best practice: The regulatory direction is no longer ambiguous. FATF, the EU, and the United States are converging on the same conclusion: stablecoins need the same rigour as traditional payment instruments. Payment operators who wait for their own national regulator to formally implement FATF-aligned stablecoin rules before updating their AML frameworks will be behind. The time to act is when FATF publishes — not when your regulator's implementation deadline arrives.

How RemitSo Supports Compliance-Ready Cross-Border Operations

The compliance landscape for cross-border payment operators is becoming more demanding, more specific, and more dynamic as regulators respond to FATF's analysis and implement stablecoin-specific frameworks across major markets. Operators who build their compliance infrastructure on manual processes and periodically updated spreadsheet-based risk assessments will struggle to keep pace with the speed at which regulatory expectations are now moving.

If you are building or scaling a cross-border payment operation that needs to navigate this evolving regulatory environment, RemitSo's compliance-first infrastructure is designed to support AML programme management, transaction monitoring, counterparty due diligence workflows, and jurisdiction-level risk scoring within a single integrated platform — giving operators the operational control and audit-ready documentation that regulators increasingly expect as a baseline.

Frequently Asked Questions

What Payment Operators Are Really Asking About FATF's Stablecoin Report

FATF's Targeted Report on Stablecoins and Unhosted Wallets, published on 3 March 2026, found that 84% of on-chain illicit crypto activity now involves stablecoins — making them the dominant instrument for money laundering and terrorist financing in the digital asset space. The 42-page report identifies peer-to-peer transfers through unhosted wallets as the primary mechanism through which stablecoins bypass AML controls, and concludes that only a limited number of FATF member jurisdictions have implemented targeted regulatory frameworks to address stablecoin-specific ML/TF risk. The report urges governments to require stablecoin issuers to adopt enforceable governance and technical controls including the ability to freeze, burn, and withdraw tokens.

Unhosted wallets — also known as self-custodied or non-custodial wallets — allow users to transfer stablecoins peer-to-peer without engaging any AML-obliged intermediary. This means no KYC is performed, no transaction monitoring is applied, and no suspicious matter reports are filed. The sender and recipient are identified only by cryptographic addresses, not verified identities. When combined with the price stability of stablecoins — which makes them practical for large-value transfers without price risk — unhosted wallet transfers create a mechanism for moving significant sums across borders that is structurally outside the AML framework. FATF warns that mass adoption of stablecoins without corresponding regulatory controls would amplify these risks significantly.

FATF urges governments to require stablecoin issuers to retain three enforceable technical capabilities in relation to tokens in circulation. Freeze means the issuer can immobilise specific tokens on regulatory direction — preventing them from being transferred or redeemed. Burn means the issuer can permanently destroy tokens, eliminating their value and removing them from circulation entirely. Withdraw means the issuer can recall tokens from secondary market circulation in response to identified financial crime risk. Together these capabilities mean the issuer retains meaningful control over the token even after it has entered secondary market circulation — a fundamental change from the current model where most issuers have limited ability to intervene once tokens are distributed.

The EU's Markets in Crypto-Assets (MiCA) regulation, in force since December 2024, establishes a comprehensive licensing and regulatory framework for stablecoin issuers operating in EU markets. It requires issuers of asset-referenced tokens and e-money tokens to hold authorisation from a competent national authority, maintain adequate reserve assets, implement robust governance arrangements, and comply with AML and CTF obligations. Issuers of significant stablecoins — defined by transaction volume and user base thresholds — face additional supervisory requirements and capital obligations. MiCA was the first major jurisdiction-level regulatory framework to directly address stablecoin-specific risks at the scale that FATF's report has now confirmed as material.

Yes — significantly. The report's implications extend to any payment operator that touches stablecoins indirectly, including those whose customers fund cross-border payments from stablecoin holdings, operators that use stablecoin rails for settlement or liquidity, and operators with counterparty or correspondent relationships with entities active in stablecoin markets. Additionally, banking partners and correspondent institutions are increasingly scrutinising their clients' stablecoin exposure — operators without documented stablecoin risk policies may face de-risking from banking relationships as partners implement FATF-aligned due diligence frameworks. Regulators conducting AML examinations following the report will also expect licensees to demonstrate awareness of stablecoin risk regardless of whether the operator considers itself a stablecoin business.

The GENIUS Act is US legislation that establishes the first federal regulatory framework specifically for payment stablecoins — coins pegged to the US dollar and intended for use in payment transactions. The OCC issued its first rulemaking under the Act in February 2026, setting out licensing requirements for stablecoin issuers, reserve standards, and AML obligations. Critically, the framework aligns with FATF's position on issuer controls — requiring that payment stablecoin issuers maintain the technical capability to comply with law enforcement requests, including the ability to freeze or block transactions in response to valid legal process. The GENIUS Act represents the most significant federal stablecoin regulatory action in US history and signals that US regulators are converging with FATF and MiCA on the core principle that stablecoins require the same rigour as traditional payment instruments.

Transaction monitoring rules should be configured to flag patterns consistent with stablecoin-facilitated layering and placement. This includes large or structured transactions where source-of-funds indicators point to digital asset accounts, unusual velocity patterns from customers with declared crypto holdings, transactions originating from or destined for jurisdictions with high stablecoin activity and weak regulatory frameworks, and customers whose transaction patterns show sudden large inflows that are inconsistent with their declared customer profile. These rules should be documented as a specific stablecoin risk sub-module within your broader transaction monitoring framework, with the FATF report providing the evidential basis for the risk assessment underpinning the rules.
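
The monitoring patterns named in the framework's "Update Transaction Monitoring Rules" step and in the answer above, written as rule logic over constructed payment records. This is an added example, not RemitSo's or FATF's code; every threshold, field name and rule name is an assumption to calibrate against your own risk assessment, and the jurisdiction codes XA to XD are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed values for illustration only; calibrate to your own risk assessment.
LARGE = 10_000                 # single-payment review threshold
NEAR = 0.8 * LARGE             # "just under the threshold" band for structuring
WINDOW = timedelta(hours=24)   # look-back window for structuring and velocity
MAX_TXNS = 4                   # payments per window before velocity fires
PROFILE_MULT = 3               # window inflow vs. expected monthly volume
DIGITAL_SOF = {"crypto_exchange", "stablecoin_wallet"}
HIGH_RISK = {"XA", "XB"}       # placeholder codes, not real jurisdictions


@dataclass
class Txn:
    cust: str
    ts: datetime
    amount: float
    sof: str      # declared source of funds
    origin: str
    dest: str


def evaluate(txns, profiles):
    """Return {customer: sorted rule names} for the patterns in the text."""
    alerts = defaultdict(set)
    by_cust = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_cust[t.cust].append(t)
    for cust, items in by_cust.items():
        prof = profiles[cust]
        for i, t in enumerate(items):
            # Payments by this customer inside the look-back window, incl. t.
            recent = [p for p in items[: i + 1] if t.ts - p.ts <= WINDOW]
            if t.sof in DIGITAL_SOF and t.amount >= LARGE:
                alerts[cust].add("LARGE_DIGITAL_SOF")
            # Structuring: digital-funded payments just under LARGE that sum past it.
            near = [p for p in recent
                    if p.sof in DIGITAL_SOF and NEAR <= p.amount < LARGE]
            if len(near) >= 2 and sum(p.amount for p in near) >= LARGE:
                alerts[cust].add("STRUCTURED_DIGITAL_SOF")
            if prof["declared_crypto"] and len(recent) > MAX_TXNS:
                alerts[cust].add("VELOCITY_CRYPTO_HOLDER")
            if {t.origin, t.dest} & HIGH_RISK:
                alerts[cust].add("HIGH_RISK_JURISDICTION")
            inflow = sum(p.amount for p in recent)
            if inflow > PROFILE_MULT * prof["expected_monthly"]:
                alerts[cust].add("PROFILE_MISMATCH")
    return {c: sorted(r) for c, r in alerts.items()}


def sample():
    """Constructed customers and payments, one per pattern plus a control."""
    t0 = datetime(2026, 3, 10, 9, 0)
    profiles = {
        "C1": {"declared_crypto": False, "expected_monthly": 50_000},
        "C2": {"declared_crypto": True, "expected_monthly": 20_000},
        "C3": {"declared_crypto": False, "expected_monthly": 2_000},
        "C4": {"declared_crypto": False, "expected_monthly": 5_000},
    }
    txns = [Txn("C1", t0 + timedelta(hours=n), a, "stablecoin_wallet", "XC", "XD")
            for n, a in [(0, 9_500), (2, 9_000), (5, 9_200)]]
    txns += [Txn("C2", t0 + timedelta(hours=n), 500, "salary", "XC", "XD")
             for n in range(5)]
    txns.append(Txn("C3", t0, 12_000, "crypto_exchange", "XC", "XA"))
    txns.append(Txn("C4", t0, 300, "salary", "XC", "XD"))
    return txns, profiles


if __name__ == "__main__":
    for cust, rules in sorted(evaluate(*sample()).items()):
        print(cust, rules)
```

Keeping the rule names stable lets each alert be traced back to the documented stablecoin sub-module of the monitoring framework during an examination.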

Following FATF's March 2026 report, your AML programme documentation should include an explicit stablecoin risk section that references the report's findings, maps your operation's actual exposure to stablecoin ML/TF risk across customer, settlement, counterparty, and geographic dimensions, documents the monitoring rules and due diligence procedures you have in place or have updated to address that exposure, and records the date and basis of the formal programme review triggered by the report. This documentation demonstrates to examiners that your AML programme is current, risk-based, and responsive to material developments in the financial crime risk environment — which is precisely what regulators will be looking for in examinations conducted after this report's publication.

Build a Compliance-Ready Cross-Border Payment Operation

As stablecoin regulation accelerates globally, payment operators need infrastructure that keeps pace. RemitSo's compliance-first platform supports AML programme management, transaction monitoring, and counterparty due diligence — built for the regulatory environment that FATF, MiCA, and the GENIUS Act are now shaping.
