Introduction

If you work in crypto compliance in the United States, you have probably heard of the FATF.

You may have seen it mentioned in AML policies, regulatory updates, Travel Rule discussions, or training materials. But many people still find the topic confusing.

What exactly is the FATF?

Does it make US law?

Why does it matter to a crypto exchange, wallet provider, broker, payment company, or digital asset startup?

The short answer is this: the FATF sets the global standards that shape many crypto AML rules around the world. It does not directly regulate your business in the United States. But its standards influence how countries, including the US, build their anti-money laundering and counter-terrorist financing rules.

For US crypto compliance teams, FATF standards help explain the “why” behind many daily compliance tasks. These include customer due diligence, transaction monitoring, sanctions screening, suspicious activity reporting, record keeping, Travel Rule compliance and risk-based controls.

This guide explains the FATF standards for virtual assets in simple terms. It also shows how they connect to US crypto compliance and what they mean for Virtual Asset Service Providers, often called VASPs.

What is the FATF?

FATF stands for the Financial Action Task Force.

It is an inter-governmental body that sets international standards for fighting money laundering, terrorist financing and other financial crime risks.

A simple way to understand the FATF is this:

The FATF does not usually write the exact laws that businesses follow. Instead, it creates global standards that countries are expected to apply through their own laws and regulations.

These standards are used by governments, regulators, financial institutions and compliance teams across the world.

For the crypto sector, the FATF matters because virtual assets move across borders. A customer in one country can send digital assets to another country within minutes. Criminals can also use exchanges, wallets, mixers, bridges, stablecoins and decentralised platforms to move value quickly.

This makes global coordination important. If one country has strong AML rules but another country has weak controls, criminals may try to use the weaker jurisdiction. FATF standards are designed to reduce those gaps.

What are FATF Recommendations?

The FATF has 40 Recommendations.

These Recommendations are the global benchmark for AML/CFT. AML means anti-money laundering. CFT means counter-terrorist financing.

The Recommendations cover many areas, including:

·         Customer due diligence

·         Record keeping

·         Suspicious transaction reporting

·         Sanctions controls

·         Beneficial ownership

·         Wire transfers

·         Risk-based supervision

·         International cooperation

·         Regulation of financial institutions and certain non-financial businesses

For crypto compliance teams, the most important Recommendation is Recommendation 15.

 

Why Recommendation 15 matters for virtual assets

Recommendation 15 deals with new technologies.

It was updated to cover virtual assets and Virtual Asset Service Providers. This is why it is central to crypto AML compliance.

Recommendation 15 expects countries to identify, assess and manage the money laundering and terrorist financing risks linked to virtual assets. It also expects countries to regulate VASPs and make sure they are licensed or registered where required.

In simple terms, Recommendation 15 says crypto activity should not sit outside the financial crime compliance framework.

VASPs should not be able to operate without proper controls. They should have AML/CFT programmes. They should monitor risk. They should collect customer information. They should report suspicious activity. They should keep records. They should apply the Travel Rule where relevant.

This is why Recommendation 15 is often seen as the foundation for global crypto compliance.

What is a Virtual Asset?

A virtual asset is a digital representation of value that can be traded, transferred or used for payment or investment purposes.

In practical crypto compliance work, this can include many digital assets, such as:

·         Bitcoin

·         Ether

·         Stablecoins

·         Certain exchange tokens

·         Some payment tokens

·         Other transferable digital assets

The exact treatment can depend on the asset and the jurisdiction. Compliance teams should not assume that every digital asset is treated the same way.

For example, a stablecoin used for payments may create different risks from a governance token used inside a protocol. A privacy coin may create different monitoring challenges from a transparent blockchain asset.

The key point is that FATF standards focus on financial crime risk. If a digital asset can be used to move or store value, it may create AML/CFT concerns.

What is a VASP?

VASP stands for Virtual Asset Service Provider.

A VASP is a business that provides certain services involving virtual assets. This may include exchanging, transferring, safeguarding, administering or enabling control over virtual assets.

Common examples include:

·         Crypto exchanges

·         Custodial wallet providers

·         Crypto brokers

·         Some payment processors

·         Certain trading platforms

·         Businesses that transfer virtual assets on behalf of customers

The word “VASP” is a FATF term. In the United States, businesses may also come across terms such as Money Services Business, money transmitter, financial institution, broker, exchange, or other regulatory categories.

This is important. A business may be called a VASP in FATF language, but in the US it may need to consider FinCEN rules, state money transmitter licensing, OFAC sanctions requirements, SEC or CFTC issues, and other legal obligations depending on its activities.

FATF standards and US crypto compliance

The FATF does not directly enforce rules against US crypto companies. US regulators do that.

In the United States, FinCEN is one of the key agencies for AML rules affecting many crypto businesses. FinCEN administers and enforces rules under the Bank Secrecy Act framework.

Many crypto businesses that accept and transmit convertible virtual currency may be treated as money transmitters under FinCEN rules. This can create duties such as MSB registration, AML programme requirements, suspicious activity reporting and record keeping.

State-level money transmitter licensing may also apply depending on the business model and where the company operates.

So, FATF standards are not the same as US law. But they influence the global direction of regulation. They help explain why US rules focus so heavily on AML programmes, customer checks, monitoring, reporting and cross-border risk.

Key FATF requirements for VASPs

Below are the main FATF requirements that US crypto compliance teams should understand.

1. Registration or licensing

FATF standards expect countries to license or register VASPs.

This helps regulators know who is operating in the market. It also helps prevent anonymous or unregulated crypto businesses from providing financial services without oversight.

For US teams, this connects to the need to understand whether the business must register with FinCEN as an MSB. It may also connect to state money transmitter licences.

This is not just an admin task. Registration and licensing are part of the wider control framework. They help regulators supervise businesses, check compliance standards and take action when firms fail to meet requirements.

A crypto business should clearly understand:

·         What services it provides

·         Which legal entity provides those services

·         Where its customers are located

·         Whether it has custody or control over customer assets

·         Whether it accepts and transmits value

·         Which federal and state obligations apply

A common mistake is assuming that a crypto company is “just a technology platform.” Regulators usually look at what the business actually does, not only how it describes itself.

2. AML/CFT programme

FATF standards expect VASPs to have AML/CFT controls that match their risks.

For a US crypto business, this usually means having a written AML compliance programme. The programme should not be a generic document copied from another company. It should match the company’s products, customers, geography, transaction types and risk exposure.

A strong crypto AML programme should include:

·         Written policies and procedures

·         A named compliance officer or responsible person

·         Customer due diligence processes

·         Sanctions screening

·         Transaction monitoring

·         Suspicious activity escalation

·         Record keeping

·         Employee training

·         Independent testing or review

·         Risk assessment updates

The programme should also be practical. Staff should know what to do when an alert appears, when a wallet looks risky, when a customer gives inconsistent information, or when a transaction involves a high-risk jurisdiction.

Good compliance is not just having a policy. It is making sure the policy works in real situations.

3. Customer Due Diligence and KYC

Customer Due Diligence, often called CDD, is one of the most important parts of FATF standards.

In crypto, CDD usually includes knowing who the customer is, understanding the purpose of the account, and checking whether the activity makes sense.

For individuals, this may involve collecting details such as:

·         Full name

·         Date of birth

·         Residential address

·         Identification document

·         Source of funds information where needed

For business customers, it may involve collecting:

·         Company name

·         Registration details

·         Business address

·         Ownership structure

·         Beneficial owner information

·         Nature of business

·         Expected transaction activity

KYC is not only about onboarding. It also matters after the account is open.

A customer may pass KYC at the start but later show unusual behaviour. For example, they may suddenly receive funds from high-risk wallets, interact with mixers, send funds to sanctioned exposure points, or make transactions that do not fit their profile.

This is why ongoing monitoring is important.

4. Enhanced Due Diligence for higher-risk customers

FATF standards support a risk-based approach. This means higher-risk customers and activities should receive stronger checks.

Enhanced Due Diligence, or EDD, may be needed when a customer presents higher risk.

Examples of higher-risk factors may include:

·         Links to high-risk jurisdictions

·         Use of privacy-enhancing tools

·         Exposure to darknet markets

·         Links to sanctioned wallets

·         Complex ownership structures

·         High transaction volume with unclear purpose

·         Politically exposed persons

·         Inconsistent source of funds information

·         Rapid movement of funds through multiple wallets

EDD does not mean automatically rejecting every high-risk customer. It means gathering more information, understanding the risk, and deciding whether the business can manage it safely.

EDD may include asking for source of funds, source of wealth, business records, invoices, wallet ownership evidence or a clearer explanation of the transaction purpose.

The most important thing is documentation. If your team makes a decision, the reason should be recorded clearly.

5. Record keeping

FATF standards expect VASPs to keep proper records.

In crypto compliance, records are very important because investigations may happen months or years after a transaction. If the business cannot explain what happened, who was involved, what checks were completed and why a decision was made, it may face regulatory problems.

Useful records may include:

·         Customer identity documents

·         KYC verification results

·         Risk ratings

·         Wallet screening results

·         Transaction monitoring alerts

·         Analyst notes

·         Escalation decisions

·         SAR filing decisions

·         Travel Rule information

·         Communication with customers

·         Evidence used for EDD

Good record keeping also helps internal teams. It makes audits easier. It helps new analysts understand past decisions. It supports quality control and helps the business improve its compliance framework.

6. Suspicious activity reporting

FATF standards expect suspicious transactions to be reported to the relevant authorities.

In the United States, this often connects to Suspicious Activity Reports, known as SARs, filed with FinCEN where required.

A SAR may be needed when there is suspected money laundering, terrorist financing, fraud, sanctions evasion or other suspicious activity.

In crypto, suspicious activity may include:

·         Funds linked to darknet marketplaces

·         Use of mixers or tumblers to hide the source of funds

·         Rapid movement of assets through many wallets

·         Transactions linked to scams or ransomware

·         Structuring activity to avoid thresholds

·         Customer behaviour that does not match the stated profile

·         Attempts to avoid KYC

·         Exposure to sanctioned entities or high-risk jurisdictions

SAR work requires good judgement. Not every unusual transaction is suspicious. But every alert should be reviewed properly.

A strong compliance team should know how to identify red flags, investigate blockchain activity, document findings and escalate concerns.

7. The Travel Rule

The Travel Rule is one of the most important FATF issues for crypto businesses.

It requires certain information about the originator and beneficiary to travel with a qualifying transfer between regulated entities.

In simple terms, when one VASP sends virtual assets to another VASP, required customer information may need to be shared.

The goal is to reduce anonymous transfers and help law enforcement trace suspicious activity.

For US crypto teams, Travel Rule compliance can involve:

·         Identifying whether the transfer is in scope

·         Collecting required customer information

·         Identifying the receiving VASP

·         Sending information securely

·         Receiving and checking information from another VASP

·         Handling missing or incomplete data

·         Keeping records of the transfer

The Travel Rule can be difficult because not every country has implemented it in the same way. Some VASPs are ready to receive the data. Others are not. Some countries have strong requirements. Others are still developing their rules.

This creates operational challenges for compliance teams, especially when dealing with cross-border transfers.

 

FATF and the risk-based approach

The risk-based approach is one of the most important FATF principles.

It means compliance teams should focus more attention on higher-risk customers, products, jurisdictions and transactions.

This does not mean ignoring low-risk customers. It means using time and resources wisely.

For example:

A low-risk customer may be an individual in a lower-risk jurisdiction who completes KYC, uses a small account, and shows normal trading behaviour.

A higher-risk customer may be a business with complex ownership, links to a high-risk country, high transaction volume, and exposure to wallets with suspicious history.

The second customer needs more review.

A risk-based approach helps compliance teams avoid two problems.

The first problem is doing too little. This can allow criminals to abuse the platform.

The second problem is doing too much in the wrong places. This can waste resources and slow down legitimate customers.

A good risk-based framework should consider:

·         Customer risk

·         Product risk

·         Geographic risk

·         Transaction risk

·         Blockchain exposure risk

·         Delivery channel risk

Sanctions risk

·         Fraud risk

The framework should also be updated. Crypto risks change quickly. New typologies appear. Criminals use new methods. Products such as stablecoins, DeFi protocols, bridges and self-hosted wallets can create new challenges.

 

How FATF standards become US compliance obligations

A common misunderstanding is that FATF directly creates US law.

It does not.

The process is more indirect.

First, the FATF sets a global standard. Then countries decide how to implement that standard through national laws, rules and supervisory frameworks.

In the US, this may involve agencies such as the Treasury Department, FinCEN, OFAC, banking regulators and other authorities depending on the activity.

For a crypto compliance team, the practical chain looks like this:

FATF sets the international direction.

US regulators interpret and apply relevant requirements through US law and guidance.

Crypto businesses build policies, systems and controls to meet those obligations.

Compliance teams operate those controls every day.

This is why understanding FATF is useful. It helps you see where regulation is going, not just where it is today.

Real-world scenario: US exchange with an international transfer

Imagine you work for a US crypto exchange.

A verified customer wants to send 50,000 USD worth of Bitcoin to a wallet connected to a VASP in a country on the FATF grey list.

Your first step is to identify the risk.

The country risk is higher because the jurisdiction has AML/CFT weaknesses. The transaction value is also significant. You check whether the receiving VASP is known, regulated and able to handle Travel Rule information.

Next, you review the customer profile.

Does the transfer fit the customer’s normal activity? Has the customer sent similar amounts before? Is there a clear purpose for the transfer? Is the source of funds known?

Then you screen the wallet.

You check for exposure to sanctioned entities, darknet markets, scams, ransomware, mixers or other high-risk activity.

If the review raises concerns, you may apply Enhanced Due Diligence. You may ask for more information about the purpose of the transfer and source of funds.

You also consider Travel Rule requirements. If the transfer is in scope, you need to send the required originator and beneficiary information securely to the receiving VASP.

Finally, you document the decision.

If the activity is suspicious, you escalate it internally and consider whether a SAR is required.

This is how FATF concepts become real compliance work.

Common mistakes US crypto teams should avoid

Crypto compliance teams should avoid treating FATF as a theoretical topic. The standards are practical and influence real controls.

Here are common mistakes to avoid.

Mistake 1: Treating all customers the same

A flat compliance process can create problems. Low-risk customers may face unnecessary friction, while high-risk customers may not receive enough review.

Use a proper risk-based approach.

Mistake 2: Relying only on onboarding KYC

KYC at onboarding is not enough. Customer behaviour can change. Wallet exposure can change. Transaction patterns can change.

Ongoing monitoring is essential.

Mistake 3: Weak Travel Rule procedures

The Travel Rule needs clear workflows. Staff should know when it applies, what information is needed, how to handle missing information and when to escalate.

Mistake 4: Poor documentation

If a decision is not documented, it is difficult to defend. Clear records are essential for audits, regulatory reviews and internal quality checks.

Mistake 5: Ignoring global developments

Crypto is global. A US business may deal with customers, wallets, platforms and counterparties in other jurisdictions. FATF updates can signal future regulatory expectations.

Practical checklist for FATF-aligned crypto compliance

Use this checklist as a simple starting point.

Your business should be able to answer these questions:

·         Do we know whether we are a VASP, MSB or money transmitter?

·         Have we checked federal and state registration or licensing requirements?

·         Do we have a written AML programme?

·         Have we appointed a responsible compliance officer?

·         Do we conduct customer due diligence?

·         Do we apply enhanced due diligence for higher-risk customers?

·         Do we screen customers and wallets for sanctions risk?

·         Do we monitor transactions for suspicious activity?

·         Do we have SAR escalation and filing procedures?

·         Do we keep complete records?

·         Do we have a Travel Rule process?

·         Do staff receive crypto AML training?

·         Do we update our risk assessment regularly?

·         Do we review FATF grey list and black list updates?

·         Do we test our controls independently?

This checklist is not a full legal review. But it gives compliance teams a useful structure.

Why FATF knowledge helps US compliance professionals

Understanding FATF standards helps US compliance professionals in several ways.

First, it explains the purpose behind the rules. AML controls are not just paperwork. They are part of a global effort to stop money laundering, terrorist financing, sanctions evasion, fraud and other financial crime.

Second, it helps teams prepare for change. FATF often highlights emerging risks before local rules fully develop. This can help businesses prepare early.

Third, it improves international risk management. If your company works with customers or counterparties in other countries, FATF knowledge helps you assess cross-border risk.

Fourth, it supports stronger internal training. Staff can understand not only what to do, but why it matters.

Finally, it builds trust. A crypto business that follows global compliance standards is more credible with banks, partners, regulators and customers.

Conclusion

The FATF sets the global standard for virtual asset compliance.

Its standards do not directly replace US law, but they strongly influence how countries regulate crypto businesses. For US teams, FATF standards connect closely to many daily compliance duties, including AML programmes, KYC, transaction monitoring, suspicious activity reporting, sanctions controls, record keeping, Travel Rule compliance and risk-based reviews.

The most important FATF standard for crypto is Recommendation 15. It expects countries to regulate virtual assets and VASPs, and it expects VASPs to manage financial crime risk properly.

For compliance professionals, understanding FATF is not optional background knowledge. It is a practical skill. It helps you understand why the rules exist, how global standards shape US obligations and how to build better controls inside a crypto business.

To learn how to apply these standards in real compliance work, explore our FATF Standards For Virtual Assets Explained For US Teams course. This course gives you a practical, step-by-step introduction to FATF standards, VASP obligations, crypto AML controls and US compliance expectations.

Recommended Course : FATF Standards For Virtual Assets Explained For US Teams

FAQs

What is the FATF?

The FATF is the Financial Action Task Force. It sets global standards for fighting money laundering, terrorist financing and related financial crime risks.

What is the most important FATF Recommendation for crypto?

Recommendation 15 is the most important FATF Recommendation for virtual assets and VASPs. It expects countries to regulate virtual asset activity and apply AML/CFT controls to VASPs.

Does FATF make US crypto law?

No. FATF does not directly make US law. It creates international standards. US regulators and lawmakers decide how to apply relevant rules through US laws, regulations and guidance.

What is a VASP?

A VASP is a Virtual Asset Service Provider. This can include certain crypto exchanges, custodial wallet providers, brokers and other businesses that provide services involving virtual assets.

How does FATF affect US crypto exchanges?

FATF standards influence the global compliance framework. For US crypto exchanges, this connects to AML programmes, KYC, transaction monitoring, SARs, Travel Rule processes, sanctions controls and risk-based compliance.

What is the Travel Rule in crypto?

The Travel Rule requires certain customer information to travel with qualifying transfers between regulated entities. In crypto, this often means sharing originator and beneficiary information between VASPs.

What is the FATF grey list?

The FATF grey list includes jurisdictions under increased monitoring because they have strategic weaknesses in their AML/CFT systems. Crypto businesses should consider grey-listed jurisdictions in their risk assessments.

What is the risk-based approach?

The risk-based approach means focusing more compliance resources on higher-risk customers, products, countries and transactions. It helps businesses manage risk more effectively.

Is FATF compliance enough for a US crypto business?

No. FATF knowledge is important, but US businesses must also follow applicable US federal and state requirements. This may include FinCEN rules, OFAC sanctions obligations, state licensing rules and other regulatory duties depending on the business model.

Who should learn FATF standards for virtual assets?

Crypto compliance analysts, AML officers, KYC teams, sanctions screening teams, transaction monitoring analysts, product teams, legal teams and VASP leadership should all understand FATF standards.