Paris [France], March 10 : A new report from the Financial Action Task Force highlights how gaps in oversight of offshore Virtual Asset Service Providers (oVASPs) are exploited to facilitate large-scale fraud, money laundering, and terrorism financing. It also presents good practices to detect, license or register and supervise oVASPs, as well as sanction non-compliant ones.
Offshore VASPs are VASPs created under the laws of one jurisdiction, with or without a physical presence, that provide services to clients residing in another jurisdiction. The report analyses how oVASPs structure their activities to avoid or evade regulatory obligations and how illicit actors exploit these vulnerabilities.
Understanding and Mitigating the Risks of Offshore VASPs identifies that under half (46%) of jurisdictions have adopted an activity-based approach to regulation and supervision - this means jurisdictions extending licensing or registration requirements to VASPs based on the activities they perform in their jurisdiction, regardless of where those VASPs are created or located.
This brings activities provided in their markets by offshore providers under counter-illicit finance supervision.
Differences in how jurisdictions regulate oVASPs can create gaps that criminals exploit and which significantly complicate authorities' abilities to effectively supervise and cooperate internationally. The report describes methods used to obscure the movement of illicit proceeds, including by dispersing victim funds across multiple addresses, routing transactions through layered intermediary wallets, and using multiple blockchains or bridges to increase obfuscation.
The report highlights how oVASPs have been used to convert illicit proceeds from scam compounds, provide financial support to terrorist groups, and how nested relationships can be misused, whereby offshore, unlicenced VASPs access services from a licensed VASP by posing as a private individual customer.
FATF President Elisa de Anda Madrazo said: "This report exposes how oVASPS create blind spots that criminals are clearly exploiting, to scam vulnerable people through fraud or fuel terror around the world. I urge all countries and the private sector to act on the good practice we have identified - as virtual assets move across borders in seconds, strong compliance, supervision and international cooperation are essential to address these risks."
Identified measures for jurisdictions to mitigate risks include: Detecting, licensing or registering oVASPs using activity-based approach.
Enforce sanctions for non-compliance with AML/CFT/CPF obligations.
Build a shared understanding and improve coordination through inter-agency task forces and public-private partnerships.
Use to the fullest extent possible supervisor to supervisor channels and FIU to FIU cooperation to speed up access to information and coordinate enforcement.
The report also highlights the important role that financial institutions and VASPs can have in addressing risks linked to oVASPs. It recommends that they assess their exposure to unlicensed or unregistered oVASPs, apply clear and consistent AML/CFT/CPF rules across all entities in their group, ensure that no group entity operates as an oVASP abroad outside regulatory oversight, and refrain from establishing or maintaining business relationships with unlicensed or unregistered providers.
The report identifies case studies that highlight innovative approaches to mitigating risks, including: In a high-profile investment fraud scheme, analysis by Nigeria's FIU identified how oVASPs and opaque corporate structures were used to facilitate large-scale fraud, cross-border movement of illicit proceeds, and financial obfuscation, with victim funds channelled through multiple intermediary "funnel addresses".
The analysis showed that offshore VASPs were used as final cash-out points. One global VASP-linked wallet held approximately USD 600 million at the time of analysis. Indonesia's FIU identified VA-based financial support to terrorist groups in Syria involving several foundations and individuals in Indonesia. Terrorist financiers were found to be using oVASPs to convert between different types of virtual assets and to rapidly cover their traces before funds were moved to unhosted wallets.
Nigerian supervisors (SEC), through the country's FIU and the Egmont Group platform (FIU.net) obtained critical information from foreign counterparts on the beneficial ownership of oVASPs, allowing them to confirm criminal investigations involving suspected oVASP operators and identify real-world identities behind wallets flagged through blockchain analytics.
Following the introduction of clear rules for oVASPs promoting services to UK residents and to address persistent non-compliance by oVASPs, the UK's Financial Conduct Authority has undertaken a series of enforcement and disruption measures, including driving the takedown of more than 1000 scam websites.
Strengthened multi-agency coordination: New Zealand's Virtual Assets Investigation Resource Group (VAIRG) and India's multi-agency VA Sub-Group show how formal mechanisms for cross-government coordination support knowledge-sharing, identification of oVASPs, and more coherent supervisory and enforcement strategies.
Cross-border supervisory and enforcement cooperation: Direct collaboration between the Cayman Islands Monetary Authority and Abu Dhabi Global Market Financial Services Regulatory Authority uncovered governance failures, unlicensed activities, and misuse of structures across jurisdictions, resulting in cancellation of registration, significant penalties, and sanctions on individuals.
Collaboration with social-media and online service providers: India's Sahyog portal demonstrates how structured channels with platforms enable quicker action against unlawful content, including the takedown of websites linked to unregistered oVASPs.