Regulating the Illicit Use of Virtual Assets: What to Look for in 2022

January 20, 2022
7 minutes

According to a recent report, crimes involving virtual assets (“VAs”) nearly doubled in 2021, with illicit gains reaching a high of $14 billion.1 At the same time, the use of VAs for legitimate purposes also grew significantly. According to the report, VA transaction volume ballooned to $15.8 trillion in 2021, an increase of 567% from 2020.2 While illicit VA activity comprised only 0.15% of total VA transactions, a decrease from 0.62% in 2020,3 the increase in overall use of VAs and net increase in its use for illicit activity demonstrates the need more than ever for effective anti-money laundering/counterterrorist financing (“AML/CTF”) regulation.

This alert provides a brief overview of some of the latest guidance on AML/CTF and sanctions regulation from the Financial Action Task Force (“FATF”), the United States, the European Union and the United Kingdom.

I. Financial Action Task Force

In October 2021, the FATF released its Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (the “FATF Guidance”). This follows from its 2019 guidance setting out FATF’s views on how governments should apply the FATF recommendations for financial institutions to VAs and virtual asset service providers (“VASPs”), as well as from its 2014 and 2015 guidance on applying a risk-based approach (“RBA”) to virtual currencies. The updated FATF Guidance incorporated feedback from public consultations, and in particular sought to clarify the definitions of VAs and VASPs, set out FATF’s approach to decentralized finance (“DeFi”) and peer-to-peer transactions (“P2P”), and update guidance on implementation of the “travel rule.”4

FATF stresses that countries should define VAs and VASPs expansively and cover all financial assets and service providers – those not already covered by FATF’s definitions (e.g., of financial institutions) – that meet the relevant criteria set out in the guidance. Governments should focus on the substance of an asset or service and not on the technology or the naming convention being used.5 In general, DeFi would not be considered to fall under the scope of FATF recommendations; however, where persons “maintain control or sufficient influence in the DeFi arrangements,” they “may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services.”6 Thus, the FATF Guidance makes clear that substance should trump form in deciding whether to apply AML/CTF requirements to VAs and VASPs. FATF states that P2P transactions similarly do not fall within the scope of the FATF recommendations, but nonetheless directs countries to evaluate the risks posed by P2P and consider other tools to address these risks.

Where an entity is considered regulated and within scope for the FATF recommendations, it must implement basic AML/CTF controls requirements, including requirements to identify and verify customer identity through KYC/CDD, and monitor for and report suspicious transactions. Another cornerstone of AML/CTF regulations is the “travel rule” that applies to wire transfers – it requires regulated entities to ensure that certain information about the parties to a transaction “travel” with the transaction to the receiving entity.7 According to FATF, the travel rule should apply to VA transfers between two obliged entities (e.g., two VASPs or a VASP and a traditional financial institution), where transactions have a threshold of USD/EUR 1,000 or more. It will not necessarily apply, however, in FATF’s view, to transactions between a VASP and an unhosted wallet. An unhosted wallet is a crypto-wallet that is not held with or managed by a third-party financial institution or other regulated entity (e.g., one meeting the definition of a VASP).

The FATF Guidance also states that countries should also require VASPs to implement controls to comply with applicable sanctions, noting that the travel rule is a critical piece for recipient entities to meet this requirement. There are many challenges for VASPs seeking to implement AML/CTF and sanctions requirements (in particular the travel rule); these are outside of the scope of this alert, but FATF expects countries to “take into account the unique nature of VA transfers and the future control framework for travel rule solutions.”8

II. United States

The United States Treasury’s Financial Crimes Enforcement Network (“FinCEN”) released guidance in 2019 seeking to apply money service business (“MSB”) rules to VASPs.9 For these entities, this guidance requires registration with FinCEN, and compliance with recordkeeping, reporting and CDD requirements, including application of the travel rule required by the Bank Secrecy Act (“BSA Travel Rule”). The threshold for application of the BSA Travel Rule under FinCEN guidance is USD $3,000.10 As per FATF’s guidance, FinCEN rules did not initially apply to unhosted wallets.11 But FinCEN has sought to close what it sees as a gap, and in January 2021 FinCEN proposed a rule to require unhosted wallets to comply with AML/CTF requirements, including the travel rule.12 In response to significant public and industry feedback, FinCEN reopened the comment period and we are still awaiting final rulemaking related to BSA requirements for unhosted wallets.

The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) has also become increasingly involved in addressing risks posed by VAs and VASPs. In September 2021, OFAC sanctioned cryptocurrency exchange SUEX OTC for facilitation of ransomware payments using virtual currencies.13 In November 2021, OFAC sanctioned another virtual currency exchange, Chatex, and three related entities for their role in facilitating ransomware payments.14 OFAC also entered into settlement agreements with BitPay, Inc. and BitGo, Inc. for roughly $500,000 and $100,000 respectively for providing digital currency services in potential violation of multiple sanctions programs.15 OFAC also published sanctions guidance for the virtual currency industry in October 2021 (see our previous post here). These actions further highlight the need for VASPs and other companies using VAs to implement requirements to collect information on and screen counterparties to comply with both AML/CTF and sanctions requirements.

III. European Union

In July 2021, the European Commission presented comprehensive legislative proposals to bolster the EU’s AML/CTF rules (see our previous post here). Among other things, these proposals sought to extend AML/CTF rules to all service providers offering digital currencies. Several individual member states have already implemented their own regulations and/or guidance for VAs and VASPs, including specific AML/CTF and sanctions requirements.16 Certain VASPs became designated as regulated financial institutions under and therefore subject to requirements of the 5th EU money laundering directive in January 2020, but the proposals would further extend coverage of AML/CTF requirements.

At the end of November 2021, the EU Council published a proposal for discussion to align EU AML/CTF requirements with FATF standards, in particular to apply the travel rule to transfers over €1,000 by requiring VASPs to comply with rules applicable to payment service providers/wire transfers.17 The proposal would also expand the definitions of VAs and VASPs in line with the FATF Guidance.18 In addition, the proposal introduces requirements for VA transfers between VASPs and unhosted wallets. VASPs are also expected to be required to register in the EU to be able to operate; however, final rules are still outstanding.

IV. United Kingdom

The United Kingdom has regulated VASPs and VAs since 2020 through the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (“MLRs”), as amended. The U.K. defines VAs based on the characteristics of each asset and considers entities like exchange providers, issuers and custodian wallet providers to be VASPs.19

Cryptoasset businesses operating in the UK that filed for registration with the FCA by December 2020 were allowed to continue operating under a temporary registration regime until July 2021.20 However, as of June 2021, only five crypto companies were registered with the FCA as a large number of firms were unable to meet the MLR requirements (see our previous post here).21 In July 2021, HM Treasury ran a consultation on amending the UK’s AML/CTF regulations, which proposed, among other things, to require the travel rule for any VA transfer above GBP £1,000 (see our previous post here).22 According to the consultation document, unhosted wallets would in general remain uncovered, in line with the FATF Guidance.23

At the beginning of 2022, members of Parliament and the House of Lords announced formation of the Crypto and Digital Assets Group to serve as a forum to discuss regulations for the VA market, supporting innovation alongside implementation of prudential and AML/CTF regulations.24

Sanctions risks of VAs are also on the radar of the UK’s Office of Foreign Sanctions Implementation (“OFSI”). In his introduction on the OFSI blog, new OFSI director Giles Thomson highlighted OFSI’s plan to respond to the “needs of the industry” particularly by ensuring there is understanding of sanctions compliance in “emerging issues such as the increasing use of crypto assets.”25

V. Conclusion

We are expecting significant activity this year from governments seeking to regulate VAs and VASPs. AML/CTF and sanctions regulations are only one piece of the puzzle – for example, HM Treasury recently released a consultation on draft regulations on crypto-advertising,26 and similar debates and attempts to regulate VA advertising are occurring elsewhere,27 in addition to questions about treatment under prudential, securities and tax regulations.

For firms dealing with or looking to enter into the virtual currency space, please contact the Ropes & Gray team.

  1. See Crypto Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in Value, All-Time Low in Share of All Cryptocurrency Activity, Chainalysis (Jan. 6, 2022),
  2. Id.
  3. Id.
  4. See FATF, Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, 27 (Oct. 28, 2021),
  5. Note that not all jurisdictions use the term “virtual assets,” but we do so in this alert for consistency.
  6. Id.
  7. According to FATF, the originator should send the name, account number, and address of the originator of the VAs.
  8. Id. at 64.
  9. FinCEN applies BSA rules to “persons creating, obtaining, distributing, exchanging, accepting, or transmitting virtual currencies,” which FinCEN refers to as “exchangers” and “administrators” (rather than VASPs). An “exchanger” is a person “who is engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency.” An “administrator” is a person “who is engaged as a business in issuing (putting into circulation) a virtual currency, and who has the authority to redeem (to withdraw from circulation) such virtual currency.” See U.S. Treas. Dep’t., Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies, 13 (May 9, 2019),
  10. See U.S. Treas. Dep’t., Requirements for Certain Transactions Involving Certain Convertible Virtual Currency or Digital Assets (Dec. 18, 2020),
  11. By contrast to the FATF Guidance, however, P2P exchangers can be regulated in the U.S. under the BSA as “money transmitters”; see, e.g., Press Release, FinCEN Penalizes Peer-to-Peer Virtual Currency Exchange for Violations of Anti-Money Laundering Laws (Apr. 18, 2019),
  12. See K2 Integrity, Proposed Rules for Transactions with Unhosted Virtual Currency Wallets, JD Supra (Jan. 6. 2021),
  13. See Press Release, Treasury Takes Robust Actions to Counter Ransomware, U.S. Dep’t Treas. (Sept. 21, 2021),
  14. See Press Release, Treasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware Operators and Virtual Currency Exchange, U.S. Dep’t Treas. (Nov. 8, 2021),
  15. See Press Release, Settlement Agreement between the U.S. Department of the Treasury’s Office of Foreign Assets Control and BitPay, Inc., U.S. Dep’t Treas. (Feb. 8, 2021),
  16. See, e.g., Gesetz zur Umsetzung der Änderungsrichtlinie zur Vierten EU-Geldwäscherichtlinie, Deutscher Bundestag (Jan. 1, 2020),; see also Consultatie concept Q&A, sanctiewetscreening door aanbieders van cryptodiensten, DeNederlandscheBank (Nov. 19, 2021),
  17. General Secretariat of the Council, Proposal for a Regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets, Couns. of the Eur. Union, 11, para. 27 (Nov. 29, 2021),
  18. Id. at 4, para. 8.
  19. See Cryptoassets: AML/CTF Regime, FCA (Nov. 11, 2021),
  20. Id.
  21. See Ryan Browne, Many cryptocurrency firms are not meeting money laundering rules, UK watchdog warns, CNBC (June 3, 2021),
  22. See Amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 Statutory Instrument 2022, HM Treas. (July 22, 2021),
  23. Id.
  24. See Joshua Oliver, Crypto industry boosts political clout with Westminster group, Fin. Times (Jan. 7, 2021),
  25. Giles Thomson, An introduction from new OFSI director Giles Thomson, Blog OFSI (Feb. 4, 2021),
  26. See Government to strengthen rules on misleading cryptocurrency adverts, HM Treas. (Jan. 18, 2022),
  27. See e.g., Eliza Gkritsi, Singapore Looks to Curb Crypto Ads, CoinDesk (Jan. 17, 2022),; Jesus Aguado, Spain moves to rein in crypto-asset advertising, Reuters (Jan. 17, 2022),