The Financial Action Task Force has published a new report warning that offshore virtual asset service providers, or oVASPs, are becoming a major weak point in global crypto oversight. FATF says these firms exploit gaps between jurisdictions to help facilitate large-scale fraud, money laundering, and terrorist financing.
The report’s message is straightforward: crypto moves across borders in seconds, but supervision still does not. That mismatch is giving bad actors room to hide.
What FATF means by an “offshore VASP”
FATF defines offshore VASPs as crypto firms created under the laws of one jurisdiction, with or without a physical presence there, that offer services to customers living in another jurisdiction. In practice, that often means a company is serving users in a market where it is not properly licensed, registered, or supervised.
According to FATF, these structures are often designed to avoid or evade regulatory obligations, and criminals take advantage of that weakness.
Why FATF says this is a real problem for crypto
FATF says less than half of jurisdictions, just 46%, have adopted an activity-based approach to regulating and supervising VASPs. That approach means a country applies licensing or registration rules based on the services a firm provides in its market, no matter where the firm is incorporated. FATF argues that without this model, offshore providers can operate in a country’s market while staying outside its AML supervision.
The report says these regulatory differences create gaps that criminals use to move money, complicate supervision, and slow down cooperation between authorities.
How dirty money gets hidden
FATF highlights several common obfuscation tactics. These include splitting victim funds across many addresses, routing transactions through layered intermediary wallets, and moving funds across multiple blockchains or bridges to make tracing harder.
In simple terms: the more fragmented the route, the harder it is for investigators to follow the money quickly. That is one reason offshore providers remain attractive in scam and laundering chains.
What kinds of abuse FATF found
The report says offshore VASPs have been used as cash-out points for large fraud schemes, as conversion rails for terrorist financing, and as a way to hide beneficial ownership and real control. FATF also warns about nested relationships, where an unlicensed offshore crypto firm quietly accesses services from a licensed VASP by pretending to be a normal private customer.
That matters because the licensed platform may think it is serving one retail user, when in reality it is indirectly servicing a whole offshore crypto business.
The case studies FATF used
FATF points to several concrete examples. In Nigeria, the country’s FIU traced a major investment fraud scheme where offshore VASPs and opaque corporate structures helped move victim funds across borders; one global VASP-linked wallet held roughly $600 million at the time of analysis. In Indonesia, authorities identified terrorist financing involving offshore crypto firms used to convert between assets before funds moved to unhosted wallets. FATF also highlights UK enforcement action against offshore firms marketing to UK residents, including the takedown of more than 1,000 scam websites.
The report also cites cross-border enforcement cooperation between the Cayman Islands Monetary Authority and Abu Dhabi Global Market Financial Services Regulatory Authority, saying that joint work uncovered governance failures, unlicensed activity, and misuse of offshore structures.
What FATF wants governments to do
FATF’s recommendations are not abstract. It says countries should detect, license, or register offshore VASPs using an activity-based approach; sanction non-compliant firms; improve coordination through inter-agency task forces and public-private partnerships; and make fuller use of supervisor-to-supervisor and FIU-to-FIU channels to speed up information-sharing and enforcement.
The clear theme is that waiting for offshore firms to “voluntarily comply” is not enough. FATF wants faster identification, faster licensing demands, and faster penalties when firms ignore the rules.
What FATF wants exchanges, banks, and VASPs to do
FATF says private-sector firms also need to tighten up. It recommends that financial institutions and VASPs assess their exposure to unlicensed or unregistered offshore providers, apply consistent AML/CFT/CPF rules across all entities in their group, make sure no group company is quietly operating offshore without oversight, and avoid doing business with unlicensed or unregistered providers.
That is a strong message for large crypto groups: FATF is not only looking at direct customer risk, but also at how firms manage affiliates, group entities, and hidden offshore exposure.
Why it matters for crypto
- FATF is making offshore crypto firms a top compliance issue, not a side topic.
- The report raises pressure on jurisdictions that still do not regulate crypto firms based on the services they actually offer locally.
- Large exchanges and payment firms may face more scrutiny over nested relationships and hidden offshore exposure.
- Cross-chain routing, bridges, and layered wallets are being described more clearly as part of the laundering problem, not just a technical feature of crypto markets.
What to watch next
- Whether more countries adopt FATF’s activity-based licensing model for offshore crypto firms.
- Faster enforcement actions against offshore platforms serving customers without local registration.
- More due diligence by major VASPs on counterparties, affiliates, and suspicious “retail” accounts that may actually be nested offshore businesses.
- Follow-on FATF work tying offshore VASP risks to other hot areas such as stablecoins, unhosted wallets, and DeFi-linked market structures.