admissions@cyberlawacademy.com | +91-XXXXXXXXXX
Legal Services
Part 2 of 8

FATF Recommendations on Virtual Assets

Master FATF Recommendation 15 on Virtual Assets and Virtual Asset Service Providers (VASPs), including the Travel Rule, risk-based approach, and India's compliance requirements under the FATF mutual evaluation framework.

Reading Time: ~50 minutes 7 Sections FATF Recommendation 15

7.2.1 Introduction to FATF and Virtual Assets

The Financial Action Task Force (FATF) is the global standard-setting body for anti-money laundering and counter-terrorism financing (AML/CFT). FATF's recommendations on virtual assets, particularly Recommendation 15 and its Interpretive Note, form the foundation for cryptocurrency regulation worldwide. Understanding FATF standards is essential because India's PMLA framework and FIU-IND requirements are designed to comply with these international standards.

What is FATF?

The Financial Action Task Force was established in 1989 by the G7 Summit in Paris. It is an inter-governmental body that sets international standards to prevent money laundering, terrorist financing, and other threats to the integrity of the international financial system. Key facts about FATF:

  • Membership: 39 members including India (joined 2010), plus 2 regional organizations (European Commission, Gulf Cooperation Council)
  • Standards: 40 Recommendations covering AML/CFT requirements for financial institutions, designated non-financial businesses, and professions
  • Mutual Evaluations: Peer reviews assessing member countries' compliance with FATF standards
  • Grey List/Black List: Lists of jurisdictions with strategic deficiencies in AML/CFT frameworks
*Key Concept: Soft Law with Hard Consequences

FATF Recommendations are technically "soft law" - they are not binding international treaties. However, they have hard consequences. Countries on FATF's grey list face increased scrutiny, higher compliance costs for cross-border transactions, and potential economic isolation. This makes FATF compliance a priority for all member nations including India.

FATF's Evolution on Virtual Assets

FATF's approach to virtual assets has evolved significantly:

  • 2014: First FATF report on virtual currencies recognizing AML/CFT risks
  • 2015: Guidance for a Risk-Based Approach to Virtual Currencies
  • 2018: Amendment to Recommendation 15 to explicitly cover virtual assets
  • 2019: Interpretive Note to Recommendation 15 with detailed VASP requirements including the "Travel Rule"
  • 2021: Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs
  • 2023: Continued focus on DeFi, peer-to-peer transactions, and implementation gaps

Why FATF Matters for Indian Crypto Law

India's cryptocurrency regulatory framework is directly shaped by FATF requirements:

  • PMLA March 2023 Amendment: Bringing VDA Service Providers under PMLA directly implements FATF Recommendation 15
  • FIU-IND Requirements: STR/CTR reporting requirements mirror FATF standards
  • KYC/CDD Obligations: Customer due diligence requirements align with FATF Recommendations
  • Mutual Evaluation Pressure: India's next FATF mutual evaluation creates pressure for robust crypto regulation
!India's FATF Standing

India successfully exited FATF's grey list in 2010 and has since maintained a positive compliance record. However, FATF's 2024 mutual evaluation of India will assess whether India's virtual asset regulations meet FATF standards. Deficiencies could result in recommendations requiring legislative or regulatory changes, making FATF compliance a driver of Indian crypto regulation.

7.2.2 FATF Recommendation 15: New Technologies

Recommendation 15 addresses the risks associated with new technologies, including virtual assets. The 2018 amendments explicitly brought virtual assets and Virtual Asset Service Providers (VASPs) within FATF's AML/CFT framework, requiring countries to apply the full range of FATF Recommendations to this sector.

"Countries and financial institutions should identify and assess the money laundering or terrorist financing risks that may arise in relation to (a) the development of new products and new business practices, including new delivery mechanisms, and (b) the use of new or developing technologies for both new and pre-existing products. Countries should ensure that virtual asset service providers are regulated for AML/CFT purposes, and licensed or registered." FATF Recommendation 15 (as amended, 2018)

Core Requirements of Recommendation 15

Recommendation 15 establishes several key requirements for virtual assets:

1. Risk Assessment

  • Countries must identify and assess ML/TF risks associated with virtual assets
  • Risk assessment must inform regulatory approach and supervisory intensity
  • VASPs must conduct their own institutional risk assessments

2. Licensing or Registration

  • VASPs must be licensed or registered in the jurisdiction where they are created
  • If operating in another jurisdiction, they may need additional registration there
  • Licensing/registration must be administered by competent authority

3. Application of FATF Recommendations

  • Recommendations 10-21 (preventive measures) apply to VASPs
  • Customer Due Diligence (Recommendation 10)
  • Record Keeping (Recommendation 11)
  • Suspicious Transaction Reporting (Recommendation 20)
  • Wire Transfer Rules including Travel Rule (Recommendation 16)

4. Supervision

  • Countries must designate competent authorities to supervise VASPs
  • Supervisors must have adequate powers including inspection and sanction authority
  • Risk-based supervision approach

5. Sanctions

  • Effective, proportionate, and dissuasive sanctions for non-compliance
  • Criminal sanctions for operating as VASP without license/registration
  • Administrative sanctions for AML/CFT violations
FATF RequirementIndia ImplementationRelevant Provision
VASP RegistrationFIU-IND RegistrationPMLA Rules, March 2023 Amendment
Customer Due DiligenceKYC/CDD RequirementsPMLA Rules, Rule 9
Record Keeping5-year retentionPMLA Rules, Rule 3
STR FilingSTR to FIU-INDPMLA Section 12
SupervisionFIU-IND oversightPMLA Chapter IV
SanctionsPenalties under PMLAPMLA Sections 13, 63

7.2.3 Virtual Asset and VASP Definitions

FATF provides specific definitions for "virtual asset" and "virtual asset service provider" that form the basis for regulatory scope. Understanding these definitions is crucial for determining which entities and activities fall within the regulatory perimeter.

Virtual Asset (FATF Definition)
A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.

Scope of Virtual Asset Definition

The FATF virtual asset definition is intentionally broad and functional:

  • Includes: Cryptocurrencies (Bitcoin, Ethereum), utility tokens with transferable value, stablecoins, certain NFTs with payment/investment functions
  • Excludes: Digital fiat (CBDCs), securities tokens (covered by securities law), closed-loop items (non-transferable loyalty points)
  • NFT Analysis: NFTs are generally outside scope unless used for payment/investment or are "virtual assets in practice"
Virtual Asset Service Provider (VASP)
A VASP is any natural or legal person who as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: (i) exchange between virtual assets and fiat currencies; (ii) exchange between one or more forms of virtual assets; (iii) transfer of virtual assets; (iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; (v) participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

Five VASP Activities Explained

1. Fiat-VA Exchange

Exchange between virtual assets and fiat currencies. This captures cryptocurrency exchanges offering INR-to-crypto trading. Key considerations:

  • Centralized exchanges with fiat on-ramps
  • P2P platforms facilitating fiat-crypto exchange
  • Crypto ATMs (kiosks)

2. VA-VA Exchange

Exchange between one or more forms of virtual assets. This captures crypto-to-crypto trading:

  • Crypto exchanges offering trading pairs (BTC/ETH, etc.)
  • Decentralized exchange aggregators operated by identifiable entities
  • Swap services

3. Transfer of Virtual Assets

Conducting transfer of virtual assets on behalf of another person. This is broader than custody:

  • Wallet providers that execute transfers
  • Payment service providers using crypto
  • Does NOT include software-only unhosted wallet providers (self-custody)

4. Safekeeping/Administration (Custody)

Safekeeping and/or administration of virtual assets or instruments enabling control:

  • Custodians holding private keys for customers
  • Exchanges holding customer funds
  • Institutional custody providers

5. Participation in Issuance/Sale

Participation in and provision of financial services related to issuer's offer/sale:

  • ICO/IEO platforms
  • Token launchpads
  • Underwriters of token offerings
*Key Concept: "As a Business" Requirement

The VASP definition requires activities to be conducted "as a business." This means individual users conducting personal transactions are not VASPs. However, persons who provide VASP services for commercial purpose - even if not formally incorporated - may be captured. The "as a business" threshold varies by jurisdiction but generally includes consideration of frequency, volume, and commercial intent.

Comparison: FATF VASP vs. India VDA SP

AspectFATF VASPIndia VDA SP (PMLA Rules)
Fiat-VA ExchangeCoveredCovered
VA-VA ExchangeCoveredCovered
VA TransferCoveredCovered
CustodyCoveredCovered
Issuance ServicesCoveredCovered
Definition Alignment-Near-identical to FATF
!India's FATF Alignment

India's March 2023 PMLA amendment uses language nearly identical to FATF's VASP definition. This deliberate alignment demonstrates India's commitment to FATF compliance and provides interpretive guidance - when questions arise about scope, FATF guidance can inform interpretation of Indian rules.

7.2.4 The Travel Rule (Recommendation 16)

The "Travel Rule" is one of the most significant and challenging FATF requirements for VASPs. It requires VASPs to obtain, hold, and transmit originator and beneficiary information with virtual asset transfers, similar to wire transfer rules for banks. Implementation of the Travel Rule is a major focus of global crypto regulation.

Travel Rule Requirements

Under FATF Recommendation 16 as applied to virtual assets, VASPs must:

For Originating VASPs (Sender's Side)

  • Obtain and hold originator information (name, account number/wallet address, physical address or national identity number or customer identification number or date and place of birth)
  • Obtain beneficiary information (name, account number/wallet address)
  • Submit this information to the beneficiary VASP
  • Make information available to appropriate authorities upon request

For Beneficiary VASPs (Receiver's Side)

  • Obtain originator and beneficiary information from the originating VASP
  • Verify beneficiary information against customer records
  • Apply risk-based measures for transfers with missing or incomplete information
  • Consider rejecting transfers or filing STRs if information cannot be obtained

Threshold for Travel Rule

FATF recommends the Travel Rule apply to virtual asset transfers above USD 1,000/EUR 1,000. Countries may set lower thresholds. Below the threshold, VASPs should still collect information but may not need to transmit it with every transaction.

!Technical Challenge: Travel Rule Implementation

Unlike traditional wire transfers where banks use established messaging systems (SWIFT), there is no universal protocol for Travel Rule compliance in crypto. Multiple competing solutions exist (TRISA, Shyft, Notabene, Sygna). VASPs must implement technical solutions to exchange information, creating interoperability challenges. India has not yet mandated specific Travel Rule implementation, but this is expected as part of ongoing FATF alignment.

Travel Rule Challenges in Crypto

Unhosted Wallets

Transfers to/from unhosted (self-custody) wallets pose a fundamental challenge:

  • No counterparty VASP to receive information
  • FATF recommends VASPs collect information about the person conducting the unhosted wallet transaction
  • Some jurisdictions prohibit or restrict unhosted wallet transactions
  • India has not imposed unhosted wallet restrictions but may require enhanced due diligence

Privacy Concerns

  • Travel Rule requires sharing personal data between VASPs
  • Data protection concerns under DPDPA and international privacy laws
  • Balance between AML compliance and privacy rights

Cross-Border Complications

  • Different jurisdictions have different thresholds and requirements
  • Transfers between jurisdictions with different Travel Rule implementations
  • Sunrise period issues - some countries implementing before others
ScenarioTravel Rule ObligationChallenge
VASP to VASP (same jurisdiction)Full Travel Rule appliesProtocol interoperability
VASP to VASP (cross-border)Full Travel Rule appliesDifferent jurisdictional requirements
VASP to Unhosted WalletCollect unhosted wallet holder infoVerification of unhosted wallet holder
Unhosted to VASPCollect sender info at receiving VASPReliance on customer declaration

7.2.5 Risk-Based Approach for Virtual Assets

FATF's risk-based approach (RBA) requires countries and VASPs to identify, assess, and mitigate money laundering and terrorist financing risks associated with virtual assets. Rather than one-size-fits-all rules, the RBA allows calibrated responses based on risk levels.

Country-Level Risk Assessment

Countries must conduct national risk assessments (NRAs) covering virtual assets:

  • Threat Assessment: Identify how criminals may use virtual assets for ML/TF
  • Vulnerability Assessment: Identify weaknesses in the regulatory framework
  • Consequence Assessment: Evaluate potential harm from ML/TF through virtual assets
  • Risk Rating: Assign overall risk level (high/medium/low)

VASP-Level Risk Assessment

VASPs must conduct institutional risk assessments covering:

Customer Risk

  • Customer types (retail, institutional, high-net-worth)
  • Customer geography (high-risk jurisdictions)
  • Source of funds/wealth
  • Transaction patterns and behavior

Product/Service Risk

  • Privacy coins vs. transparent cryptocurrencies
  • DeFi protocol interactions
  • Mixer/tumbler usage
  • Cross-chain transactions

Geographic Risk

  • Customers from FATF grey list/black list countries
  • Transactions involving sanctioned jurisdictions
  • Countries with weak AML/CFT frameworks

Channel/Delivery Risk

  • Non-face-to-face onboarding
  • Anonymous account access
  • Third-party reliance for KYC

Risk Mitigation Measures

Risk LevelCDD MeasuresMonitoringSTR Threshold
Low RiskSimplified CDD permissibleStandard monitoringStandard threshold
Medium RiskStandard CDD requiredEnhanced monitoringLower threshold
High RiskEnhanced Due Diligence (EDD)Real-time monitoringVery low threshold
*Key Concept: Enhanced Due Diligence Triggers

EDD is required for high-risk situations including: customers from FATF grey/black list countries, PEPs (Politically Exposed Persons), transactions involving mixers/privacy coins, large value transactions inconsistent with customer profile, and transactions flagged by blockchain analytics as involving illicit addresses.

7.2.6 India's FATF Compliance Status

India's compliance with FATF standards is evaluated through mutual evaluations. Understanding India's current compliance status and areas requiring improvement helps practitioners anticipate regulatory developments in the crypto space.

India's FATF Membership

Key facts about India's FATF membership:

  • Membership: Full FATF member since 2010
  • Previous Evaluation: 3rd Round Mutual Evaluation completed in 2010
  • Current Evaluation: 4th Round Mutual Evaluation scheduled for 2024
  • Regional Body: Also member of Asia/Pacific Group on Money Laundering (APG)

Compliance with Virtual Asset Requirements

India has taken significant steps toward FATF compliance for virtual assets:

Implemented Measures

  • VASP Registration: FIU-IND registration requirement implemented via March 2023 PMLA amendment
  • CDD Requirements: KYC/CDD obligations under PMLA Rules applicable to VDA SPs
  • STR Reporting: STR filing requirements to FIU-IND
  • Record Keeping: 5-year record retention requirement
  • Supervision: FIU-IND designated as supervisor for VDA SPs

Areas Requiring Development

  • Travel Rule: India has not yet mandated Travel Rule implementation
  • Beneficial Ownership: Detailed guidance for VA-specific beneficial ownership verification
  • DeFi Regulation: Framework for decentralized protocols and unhosted wallets
  • Enforcement: Track record of enforcement actions against non-compliant VASPs
!FIU-IND Action Against Offshore VASPs

In late 2023 and early 2024, FIU-IND issued show cause notices to several offshore VASPs (Binance, KuCoin, Huobi, and others) for operating in India without FIU-IND registration. This enforcement action demonstrates India's commitment to implementing FATF standards and requiring all VASPs serving Indian customers to comply with Indian AML/CFT requirements, regardless of where they are incorporated.

Mutual Evaluation Preparation

India's 4th Round Mutual Evaluation will assess:

  • Technical Compliance: Whether India's laws and regulations meet FATF standards
  • Effectiveness: Whether the AML/CFT system actually works in practice
  • 11 Immediate Outcomes: Including IO.1 (risk understanding), IO.3 (supervision), IO.4 (preventive measures)

For virtual assets specifically, evaluators will assess whether India:

  • Has identified and assessed VA/VASP risks
  • Has licensing/registration regime for VASPs
  • Applies FATF Recommendations to VASPs
  • Supervises VASPs effectively
  • Has sanctioned non-compliant VASPs

7.2.7 Practical Implementation for Indian VASPs

This section provides practical guidance for Indian crypto platforms seeking to implement FATF-compliant AML/CFT programs. While specific regulatory guidance continues to evolve, these principles provide a foundation for compliance.

Building a FATF-Compliant Program

1. Governance Structure

  • Board/Senior Management: Approval of AML policy, oversight of compliance
  • Principal Officer: Designated under PMLA, responsible for STR filing
  • Designated Director: Board-level accountability for AML compliance
  • Compliance Team: Day-to-day compliance operations

2. Risk Assessment Process

  1. Document Risk Methodology: Written risk assessment methodology covering customer, product, geography, and channel risks
  2. Conduct Initial Assessment: Comprehensive risk assessment before commencing operations
  3. Annual Review: Update risk assessment at least annually or upon material changes
  4. Board Approval: Risk assessment approved by Board/senior management

3. Customer Due Diligence Program

  • Customer Identification: Name, address, date of birth, PAN/Aadhaar
  • Verification: Documentary verification against official documents
  • Beneficial Ownership: For corporate customers, identify natural persons with 25%+ ownership or control
  • Purpose Assessment: Understand intended use of account
  • Risk Rating: Assign customer risk rating (high/medium/low)
  • Ongoing Review: Periodic refresh of customer information and risk rating

4. Transaction Monitoring

  • Rule-Based Alerts: Automated alerts for suspicious patterns (structuring, rapid movement, etc.)
  • Blockchain Analytics: Screen transactions against known illicit addresses
  • Behavioral Analytics: Detect anomalies from customer's established patterns
  • Alert Investigation: Process for investigating and dispositioning alerts
  • STR Filing: Escalation to Principal Officer and FIU-IND filing

5. Training Program

  • Initial training for all staff on AML basics
  • Role-specific training for compliance, customer service, operations
  • Annual refresher training
  • Crypto-specific training on blockchain analytics, typologies

6. Record Keeping

  • Customer identification records: 5 years after relationship ends
  • Transaction records: 5 years from transaction date
  • Alert investigation records: 5 years from disposition
  • STR records: Indefinite retention

Key Takeaways from Part 2

  • FATF drives global crypto regulation - India's PMLA framework directly implements FATF Recommendation 15
  • VASP definition covers five activities - Fiat exchange, VA exchange, transfer, custody, and issuance services
  • Travel Rule is coming - While not yet mandated in India, Travel Rule implementation is expected
  • Risk-based approach is central - VASPs must assess and mitigate risks, not just follow rules
  • India's mutual evaluation matters - 2024 FATF evaluation will assess India's VA/VASP framework
  • Compliance programs must be comprehensive - Governance, risk assessment, CDD, monitoring, training, and record keeping