Digital Assets, Crypto & AML — The VASP Framework

Anqa Compliance — Free AML Training Series | FATF R.15 | Travel Rule | Certificate on Completion

Page 1 of 7

Course Overview

What You Will Learn

  • The FATF definitions of Virtual Asset (VA) and Virtual Asset Service Provider (VASP)
  • FATF Recommendation 15 — history, current obligations, and June 2024 implementation update
  • The Travel Rule for virtual assets: threshold, required information, the Sunrise Issue
  • Red flag indicators for VA money laundering — mixers, chain-hopping, unhosted wallets
  • DeFi, stablecoins, and NFTs under the FATF framework
  • How stablecoins now account for the majority of illicit VA transaction volume
  • The African cryptocurrency landscape and VASP regulation in South Africa, Nigeria, Kenya, and Ethiopia

Why Virtual Assets Matter for All FIs

Virtual assets are no longer a fringe technology. Africa is among the fastest-growing regions for cryptocurrency adoption, driven by remittances, currency instability, unbanked populations, and mobile money integration. Banks, mobile money operators, and traditional FIs are increasingly acting as fiat on-ramps and off-ramps for crypto activity — making their AML controls directly relevant to VASP risk.

Stablecoins: The Dominant Illicit Channel

Chainalysis data (2025) shows that stablecoins now account for approximately 84% of illicit VA transaction volume — surpassing Bitcoin. The shift reflects criminals following user adoption, as stablecoins are now the dominant form of everyday crypto transaction globally.

Course Structure

Module 1: VA and VASP Definitions

FATF definitions, what counts as a VA, CBDCs vs VAs, NFTs and stablecoins, the "as a business" qualifier for VASPs

Not started

Module 2: FATF Recommendation 15

History from June 2019 to June 2025, core R.15 obligations on countries and VASPs, June 2024 implementation update

Not started

Module 3: The Travel Rule

USD/EUR 1,000 threshold, required originator and beneficiary information, the Sunrise Issue, and unhosted wallets

Not started

Module 4: Red Flag Indicators

Mixers and tumblers, chain-hopping, DeFi risks, structuring below Travel Rule thresholds, DPRK-linked addresses

Not started

Module 5: Africa Crypto Landscape

South Africa, Nigeria, Kenya, Ethiopia — regulatory status, mobile money on-ramps, MMM Global Bitcoin Ponzi case study

Not started

Assessment & Certificate

Complete all five modules, then take the 30-question assessment. Pass at 80% or above to generate your personalised certificate of completion.

Page 1 of 7Course Overview

Module 1: Virtual Asset and VASP Definitions

The FATF Definition of Virtual Asset

FATF's Glossary (October 2021 revision) defines a virtual asset as:

"A digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations."

The definition has three key elements: (1) digital representation of value; (2) can be traded or transferred digitally; (3) used for payment or investment. All three must be present.

What Is NOT a Virtual Asset Under FATF?

  • Central Bank Digital Currencies (CBDCs): A CBDC is a digital representation of fiat currency — it is covered as a fiat instrument elsewhere in the Recommendations and is excluded from the VA definition.
  • E-money and digital payment instruments: Already covered under existing money services business or payment institution frameworks.
  • NFTs: Generally not VAs given their unique and non-fungible nature. However, where NFTs are used at scale for payment or investment (e.g., fractionalised NFTs, NFT marketplaces with high volume), a case-by-case analysis is required.
  • Fiat-backed stablecoins: Whether they qualify as VAs depends on their function — this is context-dependent and continues to evolve under FATF guidance.

The FATF Definition of VASP

A Virtual Asset Service Provider is any natural or legal person who as a business conducts one or more of the following activities for or on behalf of another person:

i. VA–Fiat Exchange

Exchanging between virtual assets and fiat currencies (e.g., a crypto exchange that allows buying Bitcoin with USD).

ii. VA–VA Exchange

Exchanging between one or more forms of virtual assets (e.g., swapping Bitcoin for Ethereum).

iii. VA Transfer

Conducting transfers of virtual assets on behalf of others (e.g., a crypto payment processor).

iv. Custody/Administration

Safekeeping and/or administration of virtual assets or instruments enabling control (e.g., a crypto custodian or "hot wallet" provider).

v. ICO/Issuance Services

Participation in and provision of financial services related to an issuer's offer and sale of a virtual asset (e.g., a platform facilitating token sales).

The "As a Business" Qualifier

An individual who occasionally buys and sells cryptocurrency for personal use is NOT a VASP. The "as a business" qualifier means the activity must be conducted commercially, repeatedly, and for profit on behalf of others. A person running a peer-to-peer crypto swap service regularly from their phone may, however, qualify as an unregistered VASP — a growing supervisory challenge.

Page 2 of 7Module 1

Module 2: FATF Recommendation 15

The R.15 Timeline

DateDevelopment
June 2019FATF amended R.15 and its Interpretive Note to explicitly include VASPs. Travel Rule extended to virtual assets.
September 2020FATF published Red Flag Indicators for VA ML/TF.
October 2021Comprehensive updated guidance addressing DeFi, NFTs, stablecoins, Travel Rule implementation, and P2P.
June 2024Targeted update on implementation across jurisdictions — found nearly one-third of high-VA-risk jurisdictions had still not passed Travel Rule legislation.
June 2025Best Practices on Travel Rule Supervision published.

Core R.15 Obligations on Countries

Countries must:

  1. Require VASPs to be licensed or registered with a competent authority.
  2. Ensure VASPs implement AML/CFT programmes.
  3. Ensure VASPs conduct CDD including verifying customers and beneficial owners.
  4. Ensure VASPs monitor transactions for suspicious activity.
  5. Ensure VASPs file STRs/SARs with the FIU.
  6. Ensure VASPs comply with the Travel Rule.
  7. Ensure VASPs screen customers and transactions against sanctions lists.
  8. Designate a competent authority to supervise VASPs.

DeFi, Stablecoins, and NFTs

Decentralised Finance (DeFi)

FATF's October 2021 guidance addresses DeFi directly for the first time. The key principle: a DeFi protocol operator who has sufficient control or influence over the protocol is a VASP and must be licensed and comply with AML/CFT obligations. The "decentralised" label alone does not exempt a protocol from FATF obligations if identifiable controlling persons or entities exist.

Stablecoins

Stablecoins (assets pegged to fiat currencies) have grown dramatically as a proportion of crypto activity. Chainalysis data (2025) shows stablecoins now account for approximately 84% of illicit VA transaction volume — reflecting their dominance in everyday crypto use. This has significant implications for VASP transaction monitoring calibration.

NFTs

Non-fungible tokens are generally not VAs under FATF. However, NFT marketplaces with high transaction volumes may create VASP-like obligations. The primary ML risk of NFTs is wash trading — buying and selling the same NFT between related parties at escalating prices to create the appearance of legitimate value appreciation, allowing criminals to justify proceeds from illicit sources.

Page 3 of 7Module 2

Module 3: The Travel Rule for Virtual Assets

Origin and Extension to VAs

The Travel Rule originates from the US Bank Secrecy Act (FinCEN Funds Transfer Rule). FATF extended it to international wire transfers under R.16. In June 2019, the Interpretive Note to R.15 extended Travel Rule obligations to virtual asset transfers.

Core Travel Rule Obligation

VASPs must obtain, hold, and transmit required originator and beneficiary information for VA transfers at or above the USD/EUR 1,000 threshold. This mirrors the R.16 wire transfer threshold.

Required Information

Originator Information (Sending VASP Must Transmit)

  • Originator's name
  • Originator's account number (wallet address or account identifier)
  • Originator's geographic address, national identity number, customer identification number, or date and place of birth

Beneficiary Information (Receiving VASP Must Obtain and Hold)

  • Beneficiary's name
  • Beneficiary's account number (wallet address or account identifier)

The sending VASP must verify the originator information before transmission. The receiving VASP must verify the beneficiary information before making funds available.

The Sunrise Issue

Unlike wire transfers, which have had decades of global Travel Rule implementation, VA Travel Rule implementation is uneven across jurisdictions. The "Sunrise Issue" refers to the problem that occurs when a VASP in a compliant jurisdiction tries to send Travel Rule data to a counterpart VASP in a jurisdiction that has not yet implemented the Travel Rule.

FATF's October 2021 guidance acknowledges this and provides transitional guidance: VASPs in compliant jurisdictions should still collect and transmit Travel Rule data. The receiving VASP's inability to process it does not excuse the sending VASP from its obligation.

By the June 2024 update, 99 jurisdictions had passed or were passing Travel Rule legislation — but nearly one-third of high-VA-risk jurisdictions had still not enacted it.

Unhosted (Self-Custodied) Wallets

When a VASP transfers VA to or from a self-custodied wallet (a wallet not held with any VASP — controlled directly by the individual), there is no counterpart VASP to transmit Travel Rule data to or receive it from. FATF guidance: countries should apply risk-based measures to manage ML/TF risks for transfers involving unhosted wallets. Many jurisdictions now require VASPs to conduct enhanced due diligence for transfers above threshold to unhosted wallets.

Page 4 of 7Module 3

Module 4: Red Flag Indicators for Virtual Asset ML/TF

FATF Red Flag Indicators (September 2020)

FATF published a dedicated set of VA red flag indicators in September 2020, updated by the October 2021 guidance. These are the primary reference for VASP transaction monitoring calibration.

Mixers and Tumblers

Mixing services pool crypto from multiple users and redistribute to obscure origin. Red flags: customer deposits VA then immediately sends to a known mixing service; interaction with flagged mixer blockchain addresses.

Chain-Hopping

Converting between multiple cryptocurrencies in rapid succession (e.g., Bitcoin → Monero → Ethereum) to break transaction tracing. Particularly suspicious when involving privacy coins (Monero, Zcash, Dash).

Unhosted Wallet Flows

Large volumes flowing to/from unhosted wallets without business justification. Transactions to/from wallets associated with known illicit activity (darknet markets, ransomware, scams).

Structuring

Multiple transactions just below the USD/EUR 1,000 Travel Rule threshold — a classic layering technique applied to crypto, similar to structuring in traditional banking.

Rapid In-and-Out

Receiving VA and immediately converting to fiat or other VA with no holding period — consistent with layering behaviour rather than investment or payment activity.

P2P Platform Reliance

Customer insists on using non-regulated P2P platforms for transactions, avoiding regulated VASPs — suggests deliberate avoidance of AML/CFT controls.

DeFi and Cross-Chain Risks

FATF's October 2021 guidance update addressed the growing use of DeFi protocols and cross-chain bridges in criminal laundering:

  • Cross-chain bridges allow value to move between different blockchain networks. They have become important tools in the criminal ML ecosystem because they break the transaction trail across chains.
  • DeFi protocols are used for "chain-hopping" at scale, enabling criminals to fragment and recombine value across multiple blockchains in seconds.
  • The decentralised nature of many protocols means there is no single controlling entity to file an STR or conduct CDD — a gap that regulators are increasingly focused on.

DPRK-Linked Addresses and High-Risk Wallets

Specific blockchain wallet addresses associated with DPRK's Lazarus Group have been designated by OFAC and flagged by the UN Panel of Experts. VASPs must screen transaction addresses against these designations — customer name screening alone is insufficient for VA compliance.

Blockchain analytics tools (Chainalysis, Elliptic, TRM Labs) provide real-time wallet screening services that flag transactions touching wallets associated with sanctions, darknet markets, ransomware, and other illicit activity. These tools are now considered standard infrastructure for compliant VASP operations.

New Customers — High Immediate Volume

A common red flag: a new customer who immediately sends or receives large volumes of VA within hours or days of account opening, with no plausible explanation for the source or purpose of funds. Combined with other indicators (unhosted wallet transactions, privacy coin swaps), this warrants immediate investigation and potentially an STR filing.

Page 5 of 7Module 4

Module 5: Africa Crypto Landscape & Case Studies

Why Africa Leads in Crypto Adoption

Africa ranks among the world's fastest-growing regions for cryptocurrency adoption. Key drivers include:

  • Remittances: Crypto offers faster and cheaper cross-border transfers than traditional remittance corridors (which carry fees of 6–10%). Nigeria and Ghana are among the world's top P2P crypto trading markets by volume relative to GDP.
  • Currency instability: In Nigeria, Zimbabwe, Ethiopia, and Sudan, citizens have turned to dollar-backed stablecoins to protect savings against inflation and currency devaluation.
  • Unbanked populations: Mobile money platforms (M-Pesa, MTN MoMo, Airtel Money) serve as fiat on-ramps and off-ramps to crypto P2P markets for users without bank accounts.
  • Youth demographics: Africa's young, mobile-first population adopts digital financial tools faster than older demographics in other regions.

Regulatory Landscape by Jurisdiction

CountryStatus (as at 2025)
South AfricaMost developed. FSCA designated crypto as financial products in 2022. VASP licensing under FICA operational from 2023. Exited FATF grey list October 2025.
NigeriaComplex history. CBN initially banned banks from servicing crypto exchanges (2021), partially reversed. SEC Nigeria issued VASP registration framework (2022). Exited FATF grey list October 2025.
KenyaCMA issued guidance on crypto; no comprehensive licensing regime confirmed as at 2024. High P2P adoption with limited formal oversight.
EthiopiaNo confirmed formal VASP licensing regime. National Bank of Ethiopia has issued warnings on crypto. 2021 AML/CFT Proclamation may have VASP implications but implementing regulations are sparse.

Case Study: MMM Global Bitcoin Ponzi Scheme

MMM Global was a Russian-originated Ponzi scheme that spread aggressively into Africa and Asia in 2016–2017 — specifically targeting Nigeria, South Africa, Zimbabwe, Ghana, and the Philippines.

The scheme operated as a "mutual aid community," promising returns of 30–100% per month. Crucially, from 2016 it began requiring participants to contribute using Bitcoin, reducing its exposure to bank account freezes and adding a cryptocurrency layer to the scheme's evasion strategy.

Key compliance lessons from the MMM Bitcoin iteration:

  • Cryptocurrency was used specifically to evade banking-sector AML controls — a deliberate choice by the scheme's operators.
  • High-volume, high-frequency Bitcoin transactions from Nigerian and South African users to overseas wallets represented clear red flags that existing TM systems were not calibrated to detect.
  • Mobile money platforms used as fiat on-ramps meant traditional bank monitoring missed significant portions of the scheme's cash flow.
  • The non-face-to-face, digital nature of the scheme meant digital onboarding signals (device fingerprinting, IP patterns) were the primary available detection channel.

The Compliance Lesson

MMM Global illustrates why VASP compliance obligations cannot be separated from traditional FI AML obligations. Mobile money operators and banks that serve as fiat on-ramps to crypto networks must calibrate transaction monitoring to detect patterns consistent with crypto-Ponzi activity — not just traditional ML typologies.

Page 6 of 7Module 5

Final Assessment

30 questions — Multiple Choice, Scenario-Based, and True/False. Pass mark: 80% (24/30).

Section A: Multiple Choice (15 Questions)

Q1. Under the FATF Glossary, which of the following is explicitly excluded from the definition of a Virtual Asset?

Q2. The "as a business" qualifier in the FATF VASP definition means that:

Q3. In which year did FATF first explicitly extend its Recommendations to cover VASPs through an amendment to R.15?

Q4. The Travel Rule threshold for virtual asset transfers under FATF R.15 is:

Q5. Which of the following information must the sending VASP transmit under the Travel Rule for VA transfers above threshold?

Q6. The "Sunrise Issue" in Travel Rule implementation refers to:

Q7. What percentage of illicit VA transaction volume did Chainalysis (2025) attribute to stablecoins?

Q8. Under FATF's October 2021 guidance, when is a DeFi protocol operator considered a VASP?

Q9. Which blockchain analytics technique involves converting between multiple different cryptocurrencies in rapid succession to break transaction tracing?

Q10. Which African country had the most developed VASP licensing regime as of 2025?

Q11. An unhosted (self-custodied) wallet is one that:

Q12. NFT wash trading is a form of money laundering because it:

Q13. According to FATF's June 2024 update on R.15 implementation, approximately how many jurisdictions had passed or were passing Travel Rule legislation?

Q14. Nigeria's CBN issued which policy in 2021 regarding banks and cryptocurrency exchanges?

Q15. What is the primary ML risk associated with mixing services (tumblers)?

Section B: Scenario-Based Questions (10 Questions)

S1. A new customer on your VASP platform opens an account and within 48 hours transfers USD 50,000 in Bitcoin to an unhosted wallet. The customer cannot explain the source of the Bitcoin. What is the appropriate response?

S2. Your TM system flags a customer who has conducted 19 separate transfers of USD 950 each to the same destination wallet over three days. What ML technique does this suggest?

S3. A customer on your crypto exchange consistently converts received Bitcoin into Monero, then from Monero back into Ethereum within 10 minutes. What red flags does this present?

S4. Your VASP in a Travel Rule-compliant jurisdiction receives a transfer from a counterpart VASP in a jurisdiction that has not yet implemented the Travel Rule. The sending VASP provides no originator information. What should you do?

S5. Your blockchain analytics tool flags that a customer's receiving wallet has received funds from a wallet associated with the Lazarus Group (DPRK). The customer claims ignorance. What is required?

S6. A DeFi protocol is operated by a foundation that controls the protocol's smart contracts and can upgrade them. A user complains it should not need to comply with AML/CFT obligations as it is "decentralised." Is this correct?

S7. A traditional bank in Nigeria notices a customer regularly withdrawing cash, then depositing stablecoins onto a local P2P crypto platform before sending to overseas wallets. What compliance action is warranted?

S8. An NFT marketplace notes that one seller has sold the same NFT to two buyers — one of which is a connected entity — at significantly escalating prices over 30 days, with no clear market justification for the price increase. What does this suggest?

S9. The MMM Global Bitcoin scheme specifically switched to requiring Bitcoin contributions from participants in 2016. What was the primary compliance purpose of this decision from the scheme operators' perspective?

S10. A VASP's TM system is calibrated only for Bitcoin transactions. Given current trends in illicit VA activity, what is the most significant gap in this approach?

Section C: True or False (5 Questions)

TF1. A Central Bank Digital Currency (CBDC) issued by a central bank is a Virtual Asset under the FATF Glossary definition.

TF2. Under FATF's Travel Rule for virtual assets, the information transmission obligation is triggered at USD/EUR 1,000 — the same threshold as the R.16 wire transfer rule.

TF3. A VASP in a Travel Rule-compliant jurisdiction is excused from transmitting originator information if the receiving VASP is in a jurisdiction that has not yet implemented the Travel Rule.

TF4. NFTs are always classified as Virtual Assets under the FATF definition and are subject to full VASP regulation in all circumstances.

TF5. Blockchain analytics tools that screen wallet addresses against sanctions, darknet markets, and ransomware-linked wallets are considered standard compliance infrastructure for VASPs.

Congratulations — you have passed!

Enter your name to generate your certificate of completion.

Certificate of Completion

Anqa Compliance

This certifies that

has successfully completed

Digital Assets, Crypto & AML — The VASP Framework

anqacompliance.com | Free AML Training Series

Page 7 of 7Assessment
All Courses