The FATF’s 2026 Offshore VASP Report: Key Findings EveryCrypto Business Should Know

Part 1 of 2 — read Part 2: The FATF’s Offshore VASP Report: What It Means for CARF Compliance.

In March 2026, the Financial Action Task Force (FATF) published Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers — its most detailed examination to date of VASPs that incorporate in one jurisdiction but serve customers in others. The report is a turning point: it documents how cross-border crypto activity is actually being exploited, identifies structural weaknesses in how jurisdictions regulate it, and tells authorities and firms what to do about it.

This is Part 1 of a two-part series. Here we walk through what the report found. In Part 2 we cover what the FATF report means for CARF compliance and what RCASPs should do in response.

What is an offshore VASP (oVASP)?

An offshore VASP is a Virtual Asset Service Provider created under the laws of one jurisdiction — its home jurisdiction — that provides services to clients in other jurisdictions, with or without a physical presence in those markets. FATF refers to these entities as “offshore VASPs” or “oVASPs.”

The definition is deliberately broad. It captures large exchanges, OTC desks, liquidity providers, brokers and trading platforms that operate remotely — including firms that don’t think of themselves as “offshore” but, by virtue of serving customers outside their country of incorporation, fall squarely within FATF’s oVASP framework. This is not a niche category. Many of the most significant crypto businesses serve users across multiple jurisdictions and need to consider whether their cross-border activities make them an oVASP.

What did the FATF’s 2026 offshore VASP report find?

The report’s findings are detailed and sobering. They fall into three groups: a global regulatory gap, documented illicit-finance cases, and specific evasion techniques used by oVASPs and the people behind them.

Why is the regulatory gap so significant? (The 46%finding)

Among jurisdictions that have introduced VASP registration or licensing regimes, only 46% have adopted what FATF calls an “activity-based approach.” In those jurisdictions, licensing or registration applies based on the services provided into the market, regardless of where the provider is incorporated. The other 54% of jurisdictions only regulate providers physically located in their territory.

The effect is a large global blind spot. Many authorities still cannot reliably identify the offshore providers actively serving their residents, and often lack a clear legal basis to require them to register or obtain a licence locally. For compliant firms in well-regulated jurisdictions, that creates an uneven playing field — they carry the cost of regulation while some offshore competitors continue to serve the same customers with little or no domestic oversight.

What does the report say about illicit finance?

The report sets out concrete cases of oVASPs being used to channel proceeds from fraud, cybercrime and other illicit activity, and to facilitate serious financial crime. The case studies show how offshore business models, weak licensing regimes, and fragmented supervision have allowed large volumes of suspicious transactions to move through lightly regulated platforms.

These are not hypothetical risks. They are real enforcement scenarios — and they mirror the patterns that CARF’s due-diligence and reporting requirements are designed to uncover. Supervisors and tax authorities will increasingly look for these risks when they review both AML and CARF reporting.

What are nested relationships and regulatory arbitrage?

A nested relationship is one in which an offshore, unlicensed VASP gains access to a licensed VASP’s services by presenting itself as a regular customer. The licensed VASP believes it is dealing with a single client, while in reality it is providing the gateway through which the unlicensed entity serves its own user base. FATF flags this as a particularly insidious risk because it hides an entire business behind one apparently ordinary account.

The report also describes how oVASPs exploit regulatory arbitrage. Some structure their operations so that core corporate functions, data and onboarding sit in jurisdictions with weak or underdeveloped virtual-asset frameworks, while actively soliciting customers elsewhere. Others route flows through multiple entities, obfuscation services, and cross-chain techniques in ways that make it harder for authorities to trace activity and enforce local requirements such as customer due diligence or Travel Rule compliance.

Whom does the report affect?

In principle, every crypto-asset business operating across borders. The most immediate audience is large exchanges, OTC desks, brokers and platforms — but the implications go wider. The report’s emphasis on regulating all entities that provide VASP-like services, regardless of formal licensing status, draws funds, family offices, payment companies, fiduciaries and individual intermediaries into the conversation too.

What’s next?

The FATF report doesn’t, by itself, create new legal obligations — CARF and the domestic rules implementing it do that. But the report materially raises the supervisory and reputational stakes for any firm operating across borders. In Part 2, we set out exactly what the report means for CARF compliance and the practical steps every RCASP should take now.

Not sure whether CARF applies to you? Take our free RCASP status assessment — it walks through the determination in a few mouse clicks. Sign-up first for your free account here: https://carftools.com/flow/are-you-an-rcasp-for-carf

Frequently Asked Questions

What is an offshore VASP?

A Virtual Asset Service Provider incorporated in one jurisdiction that provides services to clients in other jurisdictions, with or without a local physical presence. FATF calls these oVASPs.

When was the FATF offshore VASP report published?

In March 2026, under the title Understanding and Mitigating the Risks of Offshore Virtual Asset Service Providers.

What is the FATF’s 46% finding?

Only 46% of jurisdictions with a VASP registration or licensing regime regulate based on the services provided into their market (an “activity-based approach”). The rest only regulate firms physically located in their territory.

What is a nested relationship in crypto compliance?

An arrangement where an unlicensed offshore VASP gains access to a licensed VASP’s services by posing as an ordinary customer, then uses that access as a gateway to serve its own users.

Does the FATF report create new legal obligations?

No. The report is supervisory guidance. Legal obligations come from CARF and the domestic rules implementing it, but the report significantly raises supervisory and reputational expectations.

Disclaimer: This article is intended for general informational purposes only and does not constitute legal or regulatory advice. Parties should seek qualified legal counsel regarding their specific obligations under the applicable CARF/DAC8 regulations.