FATF Updates Virtual Asset Travel Rule Guidance for DeFi Protocols

The Financial Action Task Force published a targeted report on stablecoins and unhosted wallets on 3 March 2026, the first in a series of papers under the VACG Work Programme covering DeFi, offshore VASPs, and stablecoin risks. A DeFi-focused paper is expected by June 2026, and the next full Targeted Update on virtual asset compliance will follow later this year.

What the stablecoins report actually says

The March 2026 report zeroes in on peer-to-peer stablecoin transfers via unhosted wallets as a growing channel for money laundering, terrorist financing, and proliferation financing. Stablecoins now account for 84% of illicit virtual asset transaction volume according to Chainalysis data from 2025, with over 250 stablecoins in circulation and a combined market capitalisation exceeding $300 billion. The DPRK's $1.46 billion theft from ByBit in 2025, of which only 3.8% has been recovered, served as the report's central case study for why existing controls are failing.

For DeFi protocols, the critical issue remains the owner/operator test introduced in FATF's 2021 Updated Guidance and reinforced in the June 2025 Targeted Update. FATF's position: a DeFi application itself is not a VASP, but any person who "maintains control or sufficient influence" over the arrangement likely is. The ability to update smart contract code, freeze funds, or collect protocol fees can trigger VASP classification. By FATF's own assessment, roughly 88% of DeFi projects have identifiable controllers who could fall within the definition.

Travel Rule compliance sits at 73%, enforcement at 41%

The June 2025 update found that 73% of the 138 assessed jurisdictions had passed Travel Rule legislation, up from 69% the prior year. But passing a law and enforcing it are different things: 59% of jurisdictions had yet to enforce their own rules. Only 29% were rated "largely compliant" with Recommendation 15, and just 33% required VASP licensing in practice.

Interoperability remains the practical barrier. FATF does not mandate a specific technology solution for Travel Rule data exchange, which has produced a fragmented landscape of competing protocols (TRISA, OpenVASP, Shyft, Sygna). VASPs in jurisdictions that enforce the rule face the "sunrise problem": they must transmit originator and beneficiary data to counterparties that may have no legal obligation to receive it, no technical infrastructure to process it, and no regulatory incentive to build one.

Next deadline: mid-2026 DeFi paper

FATF's VACG Work Programme calls for targeted papers on stablecoins, DeFi, and offshore VASPs between October 2025 and June 2026. The stablecoins paper is done. The DeFi paper, expected by June 2026, will likely address whether protocols with governance tokens, DAOs with treasury management functions, or cross-chain bridges qualify as VASPs under the owner/operator framework. A new Targeted Update reporting on R.15 implementation progress is also scheduled for 2026, alongside an updated public table flagging jurisdictions with materially significant VASP activity that have failed to implement the standards.