Powered By:


In March 2021, the Financial Action Task Force (FATF) updated its Guidance on the risk-based approach to virtual assets and virtual asset service providers (VASPs). Of note, FATF’s updated Guidance provides that certain individuals and entities involved with decentralized or distributed applications may be deemed VASPs, and therefore, potentially subject to anti-money laundering regulations.

FATF’s Guidance was originally published in June 2019, and in July 2020, FATF committed to updating the Guidance going forward. The newly revised Guidance addresses six main areas, including (i) clarifying the definition of virtual asset and VASP; (ii) providing guidance on how FATF Standards should apply to stablecoins; (iii) providing additional guidance on the risks and potential risk mitigants for peer-to-peer transactions; (iv) provide updated guidance on the licensing and registration of VASPs; (v) provide additional guidance for the public and private sectors on the implementation of the Travel Rule; and (vi) include Principles of Information-Sharing and Co-operation Amongst VASP Supervisors.

There are many aspects of the updated FATF Guidance worthy of discussion; however, one in particular has caught the eye of those in the DeFi space. Specifically, FATF’s updated Guidance provides greater clarity on whether and to what extent actors in the DeFi industry qualify as VASPs.

The Guidance notes that a decentralized or distributed application, by itself, is not a VASP under FATF Standards, since those Standards do not apply to the underlying software or technology. However, the Guidance notes that entities involved with decentralized or distributed applications may be deemed VASPs. For example, the Guidance states that the owner or operator of a decentralized or distribution application may be a VASP, since they are conducting the exchange or transfer of virtual assets as a business on behalf of a customer. The Guidance further states that “[t]he owner/operator is likely to be a VASP, even if other parties play a role in the service or portions of the process are automated.”

Additionally, a person that conducts business development for a decentralized or distributed application may be a VASP when they engage as a business in facilitating or conducting certain virtual asset-related activities on behalf of another natural or legal person. FATF makes it clear through the Guidance that “[t]he decentralization of any individual element of operations does not eliminate VASP coverage if the elements of any part of the VASP definition remain in place.”


FATF’s Guidance addresses additional business models that may qualify as the exchange or transfer activities included in the definition of VASP, and the legal or natural persons behind such services or models may therefore be deemed VASPs. Such an expansion of the definition of VASP could have a significant impact on the DeFi industry, particularly if FATF (or a government regulator, for example) determines that those who simply ‘facilitate’ virtual asset activity on behalf of others are engaged in VASP activity.

For example, could a governance token holder of a decentralized software platform potentially be a VASP and subject to regulation? Possibly, but the Guidance does provide that FATF does not seek to regulate as VASPs natural or legal persons that provide ancillary services or products to a virtual asset network, including natural or legal persons that solely engage in the operation of a virtual asset network and do not engage in or facilitate any of the activities or operations of a VASP on behalf of customers. On the other hand, the Guidance does provide that “a party directing the creation and development of the software or platform and launching it for them to provide financial services for profit likely qualifies as a VASP, and is therefore responsible for complying with the relevant AML/CFT obligations. It is the provision of financial services associated with that software application or platform, and not the writing or development of the software itself, which is in scope of the VASP definition.”

Numerous cryptocurrency and blockchain industry groups have already publicly commented on the FATF Guidance, and we will continue to closely follow how and to what extent FATF and regulators respond to those public comments, including the potential impact on DeFi.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm or its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.


Fill out the following form to receive our cryptocurrency news and analysis.

Author's Assets


Andrew Jacobson | Associate

A former enforcement attorney at the New York State Department of Financial Services (DFS), Andrew Jacobson represents individual and institutional clients at Seward & Kissel in connection with complex governmental investigations, regulatory probes, and related civil matters. While at the DFS, Andrew was involved in early cryptocurrency issues and brought some of the most significant enforcement actions for violations of U.S. economic sanctions and anti-money laundering laws.

Andrew has extensive experience advising on matters relating to U.S. economic sanctions, including those administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), and anti-money laundering laws. Andrew serves as Chair of the Export Controls, Sanctions, and Anti-Corruption Subcommittee of the International Bar Association, co-chair of the Virtual Commodity Association’s BSA/AML Committee, and is a member of the Digital Chamber of Commerce’s AML Task Force.

As a member of Seward & Kissel’s Blockchain and Cryptocurrency Group, Andrew regularly advises clients on all aspects of financial crimes compliance and licensing in the virtual asset industry, including:

  • OFAC and FinCEN regulatory requirements, including asset blocking and reporting obligations;

  • Unhosted wallets and risks to software providers and VASPs;

  • Privacy coins, mixers, and other external privacy mechanisms;

  • Technology and open-source user platforms;

  • Ransomware and other cyberattack-related ransom payments;

  • BitLicense and state licensing requirements; and

  • Counterparty due diligence and screening.


“This is certainly a lesson to senior management to take compliance seriously and that there are consequences for individuals who don’t follow the regulatory regime.”

Andrew’s thoughts on BitMEX indictment, as published in Law360 article “BitMEX Case Seen as Blessing in Disguise for Crypto Sector”