What the FATF’s Offshore VASP Report Means for CARF Compliance: A PracticalAction Plan

Part 2 of 2 —first read Part 1: The FATF’s 2026 Offshore VASP Report: Key Findings Every Crypto Business Should Know.

The Financial Action Task Force’s 2026 offshore VASP report doesn’t, by itself, create new legal obligations—CARF and the domestic rules implementing CARF do that. But the report significantly raises the supervisory and reputational stakes for any firm operating across borders, and it tells authorities exactly where to look next.

This is Part 2 of a two-part series. Part 1 sets out what the report found (read it here). In this piece we cover what those findings mean for CARF compliance and the practical steps every RCASP should take now.

Quick recap. The report identified a large global regulatory gap (only 46% of jurisdictions with a VASP regime regulate based on the services provided into their market), documented real cases of oVASPs used for illicit finance, and exposed nested relationships and regulatory arbitrage as the techniques most often used to evade compliance. That’s the backdrop.

What does the FATF oVASP report mean for CARF compliance?

CARF and FATF’s oVASP work address two sides of the same underlying problem: crypto-asset businesses that operate across borders without adequate oversight. FATF is focused on money laundering, terrorist financing and proliferation financing; CARF is focused on tax transparency. But the operational controls both frameworks expect from intermediaries overlap heavily. The report reinforces CARF in four specific ways:

• Registration and visibility. CARF requires RCASPs to register with their domestic tax authority and to report on relevant users and transactions. An RCASP that fails to register doesn’t only breach domestic CARF rules, it also looks exactly like the unregistered offshore provider that FATF has flagged as a systemic risk.

• Due diligence and nested relationships. CARF’s self-certifications, reasonableness tests, and change-of-circumstance monitoring help detect when an account is being used as a front for a separate business.

• Cross-border transparency. CARF feeds structured, standardised data on crypto users and transactions into the automatic-exchange-of-information architecture, giving authorities, and indirectly other regulators, a clearer view of cross-border activity.

• Governance and accountability. Both frameworks increasingly converge on board oversight and senior-management responsibility for compliance.

What does FATF recommend for home jurisdictions?

Home jurisdictions, where oVASPs are created or located, are encouraged to ensure effective, risk-based supervision of all VASPs in their territory, including those that operate internationally. Authorities should be able to obtain information on cross-border activities, identify unlicensed providers, and cooperate promptly with foreign counterparts. For RCASPs, this signals that domestic regulators will increasingly focus on the global footprint of the firms they supervise, not just their narrow domestic activity.

What does the FATF report recommend for host jurisdictions?

Host jurisdictions, where customers are located, are encouraged to extend licensing or registration requirements to offshore providers that actively serve customers in their market, even without a physical presence. FATF stresses defining what “active provision” means in practice. Examples include targeted marketing, use of local payment rails, or systematic onboarding of residents. For firms that serve clients in multiple countries, the message is clear: registration in the home jurisdiction alone may no longer be enough.

What does FATF recommend for the private sector?

The report’s instructions to VASPs and financial institutions are direct. Firms should assess their exposure to unregistered or unlicensed oVASPs, apply consistent AML and CFT standards across all entities in a group, ensure no group entity deliberately operates outside regulatory oversight, and refuse to establish or maintain relationships with VASPs that won’t register or obtain a licence where required. For RCASPs, counterparty risk is now a core CARF and AML concern, not a back-office afterthought. Why is the regulatory perimeter wider than you think?

Under CARF, an entity can be a Reporting Crypto-Asset Service Provider if it effectuates exchange transactions in relevant crypto-assets for or on behalf of customers, even if it does not consider itself a “crypto business” and even if it holds no VASP licence. In some jurisdictions, the CARF definition of an RCASP is broader than the local VASP licensing definition. FATF’s push to regulate all VASP-like activity, regardless of formal licensing status, points the same way.

The result is that funds, family offices, OTC desks, trustees, payment companies and intermediaries can find themselves with full CARF obligations without realising it.

What should RCASPs do now? (7 practical steps)

1.       Complete registration in your home jurisdiction. Operating unregistered where a regime exists is a key FATF risk indicator and the most obvious flag a supervisor will look for.

2.       Map your multi-jurisdictional exposure. Identify where your customers are located and which of those jurisdictions are implementing CARF. Determine where you may need to register, perform due diligence, or report in addition to your home jurisdiction.

3.       Review counterparty-risk procedures. Confirm that you can identify counterparties that are themselves oVASPs operating without appropriate registration or licensing. Scrutinise nested relationships carefully, particularly where transaction patterns or volumes don’t look like typical retail behaviour.

4.       Implement CARF due-diligence procedures. Self-certifications, reasonableness tests, and change-of-circumstance monitoring, aligned with CARF’s requirements. Where you already have CRS, AML or KYC procedures, gap-analyse them for crypto-specific risk factors.

5.       Assess group-wide compliance. If your RCASP is part of a group, ensure consistent AML, CFT and CARF standards across entities. FATF’s work highlights the risk of one group entity operating in a lightly regulated way while benefiting from the reputation of better-regulated affiliates.

6.       Brief the board and senior management. Directors and senior officers should understand the FATF oVASP report, the direction of travel it signals, and how CARF and AML expectations interact for your business.

7.       Conduct an RCASP status assessment. If your entity is involved in crypto-asset activities and has not formally determined whether it is an RCASP, do it now. And document it!

Why compliance is now a competitive advantage

The FATF report is more than a regulatory warning. It is a signal that authorities are focusing on cross-border crypto activity and expect tighter control over who provides services to whom and under what conditions. In that environment, robust compliance becomes a differentiator: counterparties, institutional clients, banking partners and regulators will favour RCASPs that can demonstrate a clear understanding of their global footprint, strong governance, and well-implemented CARF and AML controls. Entities that treat compliance as a strategic investment rather than a minimum cost will be better placed as the regulatory perimeter closes.

Start your status assessment —it’s free and takes just a few mouse clicks. Sign-up first for your free account here: https://carftools.com/flow/are-you-an-rcasp-for-carf

CARFtools provides practical tools to help you confirm your status, design your CARF controls, and align them with FATF expectations on oVASPs.

Frequently Asked Questions

Does the FATF offshore VASP report create new legal obligations?

No. The report is supervisory guidance. Legal obligations come from CARF and the domestic rules implementing it, but the report significantly raises supervisory and reputational expectations.

What should an RCASP do in response to the FATF report?

Confirm registration in the home jurisdiction, map multi-jurisdictional exposure, review counterparty-risk procedures, implement CARF due-diligence, assess group-wide compliance, brief the board, and conduct a formal RCASP status assessment.

How are FATF (AML) and CARF (tax) requirements connected?

They address the same problem from different angles. The operational controls each framework expects, from registration, due diligence, counterparty risk and governance, overlap significantly.

Am I an RCASP under CARF?

You are likely an RCASP if, as a business, you provide a service that effectuates exchange transactions in relevant crypto-assets for or on behalf of customers, even if you are not a licensed VASP. CARF status is activity-based.

What is the wider regulatory perimeter under CARF?

CARF can capture funds, family offices, OTC desks, trustees, payment companies and intermediaries that don’t consider themselves crypto businesses. In some jurisdictions, the CARF definition is broader than the local VASP licensing definition.

Disclaimer: This article is intended for general informational purposes only and does not constitute legal or regulatory advice. Parties should seek qualified legal counsel regarding their specific obligations under the applicable CARF/DAC8 regulations.