FATF Report on Offshore VASPs: Addressing the Cross-Border Supervisory Gap in Crypto Markets

Over the past several years, regulation of crypto-asset services has progressed. Jurisdictions around the world have imposed anti-money laundering obligations, introduced authorisation frameworks for virtual asset service providers, and increasingly treat crypto intermediaries in ways that resemble financial institutions. 

Yet despite this progress, one structural challenge remains difficult to address. Crypto services operate across borders by design, while regulation remains tied to national jurisdictions. A platform incorporated in one country can offer services to users located across the world through a website or mobile application. When this happens outside a licensing framework, authorities face a fundamental question: who is responsible for supervising the activity?

This issue has become increasingly visible with the rise of offshore virtual asset service providers, often referred to as offshore VASPs or oVASPs. These providers operate from one jurisdiction while offering services to customers located elsewhere, sometimes without being licensed or supervised in the markets they serve. In some cases this structure reflects uncertainty about how foreign regulatory rules apply. In others, it is an intentional feature of the business model. Understanding how offshore VASPs operate, and why they create supervisory challenges, is therefore becoming an important part of regulatory discussions around the world.

The topic has recently received renewed attention at the international level. In March 2026, the Financial Action Task Force published a report examining the risks associated with offshore VASPs and the supervisory challenges they present. The publication followed closely after two other FATF papers addressing stablecoins and unhosted wallets, reflecting the organisation’s growing focus on cross-border risks in the crypto ecosystem

What Is an Offshore VASP?

The concept of an offshore VASP is relatively straightforward. An offshore VASP is a provider that is created or located in one jurisdiction but provides services to clients located in other jurisdictions.

In regulatory discussions two locations are typically relevant. The first is the home jurisdiction, meaning the country where the provider is incorporated or physically established. The second is the host jurisdiction, where the customers using the service reside.

Under the FATF standards, jurisdictions are required to ensure that VASPs are licensed or registered in the jurisdiction where they are created. At the same time, the standards allow, but do not require, countries to extend licensing requirements to offshore providers that offer services to their residents.

This flexibility has resulted in a wide range of national approaches. Some jurisdictions require foreign crypto platforms to obtain authorisation if they actively serve local customers. Others regulate only providers established within their territory. The result is a fragmented regulatory landscape in which crypto businesses may face very different expectations depending on where they operate.

How Offshore VASPs Operate

In practice, offshore VASPs appear in several forms, but certain characteristics appear frequently.

Many offshore platforms maintain little or no physical presence in the jurisdictions where their users are located. Customer onboarding, trading, and account management take place entirely through digital interfaces. Management teams, compliance functions, and technical infrastructure may be located elsewhere, which can limit the ability of foreign regulators to engage directly with the provider.

Another common feature is the pooling of customers within global corporate structures. In some cases a user in one country may technically be serviced by a legal entity registered in another jurisdiction within the same corporate group. From the perspective of regulators, this can make it difficult to determine which entity holds responsibility for compliance obligations such as customer identification, transaction monitoring, or suspicious activity reporting.

Offshore VASPs also frequently rely on digital marketing strategies to reach users in foreign markets. Promotion may take place through social media channels, influencer partnerships, or targeted advertising campaigns. Platforms may also offer interfaces in local languages or enable deposits through domestic payment systems. Even without a physical presence, such activity demonstrates that services are intentionally directed toward users in a particular jurisdiction.

Another operational structure involves nested exchange relationships. In these arrangements an offshore VASP opens accounts with a regulated exchange in another jurisdiction and allows its own customers to trade through those accounts. From the perspective of the regulated exchange, activity may appear to come from a limited number of institutional accounts, even though a much larger user base may be accessing the service indirectly.

These types of arrangements can make it harder for authorities to determine where responsibility for compliance obligations ultimately lies.

Regulatory Arbitrage and Jurisdiction Shopping

The emergence of offshore VASPs is closely linked to differences between national regulatory frameworks.

Crypto regulation remains uneven across jurisdictions. Some countries have introduced comprehensive licensing regimes and supervisory frameworks, while others have only limited requirements or none at all. These differences create incentives for businesses to structure their operations in ways that reduce regulatory obligations.

Operating from a jurisdiction with lighter regulation can lower compliance costs and administrative burdens. Platforms may be able to onboard customers more quickly, require less identity verification, or offer services that would not be permitted in more strictly regulated environments. In competitive markets these differences can translate into lower fees or faster access to trading services.

Real-world experience illustrates how regulatory differences can influence market behavior. When India introduced a tax framework for virtual asset transactions, including a one-percent withholding tax on certain transfers, many traders shifted activity from domestic exchanges to offshore platforms that were not subject to the same requirements.

The trading activity did not disappear. Instead, it moved to jurisdictions where the regulatory burden was lower. This dynamic demonstrates how regulatory divergence can redirect activity across borders rather than eliminate it.

The Supervisory Gap

Offshore VASPs expose several structural gaps in existing regulatory frameworks.

One challenge arises from licensing rules. When a platform is incorporated in one jurisdiction but serves customers elsewhere, the host jurisdiction may not require the provider to obtain authorisation. As a result, local users may access services that are not supervised by domestic authorities.

Another challenge involves enforcement. When regulators investigate financial crime they often need access to transaction records, account information, and customer identity data. If these records are held by an entity located in another jurisdiction, obtaining them may require international legal cooperation. Mutual legal assistance procedures can be slow, sometimes taking months or longer.

Information gaps also emerge when offshore providers operate through complex corporate structures. Customer data, operational control, and compliance functions may be distributed across multiple jurisdictions. Authorities seeking information may be directed from one entity to another, complicating investigations and delaying access to relevant records.

Taken together, these factors create a supervisory gap in which services may be widely used within a jurisdiction even though local regulators have limited oversight of the provider.

FATF Recommendations for Jurisdictions

Recognising the growing risks associated with offshore VASP activity, the FATF report outlines a number of measures aimed at improving oversight and reducing regulatory gaps. These recommendations emphasise the need for coordinated action by both the jurisdictions where VASPs are established and the jurisdictions where their services are used.

For all jurisdictions, a key priority is improving the ability to identify offshore providers operating in domestic markets without appropriate authorisation. This may involve monitoring online promotion, analysing blockchain activity, and gathering intelligence from regulated VASPs and financial institutions.

The report also highlights the role of home jurisdictions, where VASPs are incorporated or located. These authorities are expected to ensure effective licensing regimes, risk-based supervision, and the ability to obtain relevant information and enforce compliance with anti-money laundering obligations.

At the same time, host jurisdictions, where customers are located, may consider requiring authorisation for offshore providers that actively target local users or use domestic payment channels. Strengthening international cooperation between supervisors, financial intelligence units, and law enforcement authorities is also critical, given the cross-border nature of offshore VASP activity.

Supervisory Responses

Regulators have begun to develop practical responses to the risks associated with offshore VASPs.

One important approach involves improving the detection of offshore activity. Supervisory authorities increasingly rely on blockchain analytics, open-source intelligence, and information received from regulated exchanges and financial institutions. Suspicious transaction reports can also provide valuable insights into how offshore platforms are being used within domestic markets.

Some regulators have conducted market-wide reviews to estimate how much activity involving domestic users flows through offshore providers. These exercises help authorities understand the scale of exposure and identify potential vulnerabilities in existing regulatory frameworks.

Another area receiving attention is the role of regulated exchanges and financial institutions as gatekeepers. Where a licensed VASP provides services to another VASP, supervisory expectations may resemble those applied in correspondent banking relationships. Providers may be required to conduct due diligence on their counterparties to ensure that adequate compliance controls are in place.

Jurisdictions that require licensing for foreign providers often clarify the circumstances in which a VASP is considered to be providing services within their territory. Indicators may include targeted marketing, onboarding of local customers, or the use of domestic payment systems. Clear rules help regulators enforce licensing requirements more effectively.

Conclusion

Offshore VASPs illustrate a broader challenge in regulating digital financial services. Crypto platforms can operate across borders with relative ease, while regulatory authority remains tied to national jurisdictions. When providers structure their operations across multiple jurisdictions, supervisory responsibility can become difficult to determine.

Addressing these challenges will require continued cooperation between regulatory authorities, financial intelligence units, and law-enforcement agencies. Clearer licensing rules, improved monitoring of cross-border activity, and stronger information-sharing mechanisms will all play a role.

As crypto markets continue to expand internationally, managing the risks associated with offshore service models will remain an important priority for regulators and policymakers. The objective is not to prevent cross-border services altogether, but to ensure that platforms offering services to users operate within frameworks that provide effective oversight and protection against financial crime.