Born in 1989, the Financial Action Task Force (FATF) is the de-facto global rule-maker for anti-money-laundering (AML) and counter-terrorist-financing (CTF). Its 39 member jurisdictions don’t carry guns or badges, yet they can isolate an entire country from the global financial grid.

For crypto, the key scripture is Recommendation 15 (R.15), updated in 2019 to rope virtual assets (VAs) and virtual-asset service providers (VASPs) into the same AML net applied to banks. No police raids are needed; peer reviews, grey-list threats, and the quiet fear of correspondent-banking cutoffs turn “soft-law guidance” into hard reality.

• Bahamas stands alone at the top.

• 29 % are “largely compliant” (U.S., U.K., Germany, Singapore).

• 49 % are “partially compliant” (Hong Kong, Netherlands, Turkey).

• 21 % remain non-compliant (Cambodia, Vietnam).

Takeaway: compliance is a moving target. Businesses must geofence wallets and users from the no-go zones or risk being cut off by banks and counterparties.

76 % of surveyed jurisdictions have completed ML/TF risk assessments—up from 71 % last year—yet only 40 have translated those assessments into concrete, risk-based controls. The gap between knowing and doing is still a canyon.

• 62 % allow VAs/VASPs with rules (U.S., EU, Singapore).

• 20 % impose total bans—up sharply from 14 % (China, Egypt).

• 18 % remain undecided, mostly in Southeast Asia and Africa.

Notably, partial bans are trending: 48 % of prohibitionist regimes now outlaw only specific activities (e.g., derivatives or privacy coins) instead of nuking the entire sector.

Eighty-five jurisdictions have Travel-Rule legislation on the books (up from 65), forcing VASPs to share sender/recipient data for transfers over USD 1,000. The catch: self-custody wallets still break the chain of identity, and on-chain anonymity tools make compliance an engineering headache.

Most illicit flows now run through stablecoins, not BTC. Criminals layer funds via mixers, cross-chain bridges, and—most of all—USDT on Tron. Issuer freeze powers and real-time monitoring are about to become table stakes for any serious stablecoin play.

In 2025, DPRK-linked hackers drained USD 1.46 billion from ByBit. Less than 4 % was clawed back. The lesson: without cybersecurity + AML fusion, compliance paperwork is just a welcome mat for thieves. Firms now need real-time attack blocking (e.g., Phalcon) and on-chain KYA analytics to tag DPRK wallets before funds move.

The headline is clear: crypto regulation is graduating from its messy adolescence into something resembling order. Yet the road is zig-zagged.

Most governments know what to do—three quarters have done a risk study—but only a handful actually do it. Technology keeps outrunning statutes, and every new DeFi primitive reopens old loopholes.

FATF’s solution is a slow, coordinated squeeze: universal standards, local implementation, soft guidance backed by hard reputational penalties. For builders and investors, compliance is no longer a cost center; it is the ticket to any market that matters.

Born in 1989, the Financial Action Task Force (FATF) is the de-facto global rule-maker for anti-money-laundering (AML) and counter-terrorist-financing (CTF). Its 39 member jurisdictions don’t carry guns or badges, yet they can isolate an entire country from the global financial grid.

For crypto, the key scripture is Recommendation 15 (R.15), updated in 2019 to rope virtual assets (VAs) and virtual-asset service providers (VASPs) into the same AML net applied to banks. No police raids are needed; peer reviews, grey-list threats, and the quiet fear of correspondent-banking cutoffs turn “soft-law guidance” into hard reality.

• Bahamas stands alone at the top.

• 29 % are “largely compliant” (U.S., U.K., Germany, Singapore).

• 49 % are “partially compliant” (Hong Kong, Netherlands, Turkey).

• 21 % remain non-compliant (Cambodia, Vietnam).

Takeaway: compliance is a moving target. Businesses must geofence wallets and users from the no-go zones or risk being cut off by banks and counterparties.

76 % of surveyed jurisdictions have completed ML/TF risk assessments—up from 71 % last year—yet only 40 have translated those assessments into concrete, risk-based controls. The gap between knowing and doing is still a canyon.

• 62 % allow VAs/VASPs with rules (U.S., EU, Singapore).

• 20 % impose total bans—up sharply from 14 % (China, Egypt).

• 18 % remain undecided, mostly in Southeast Asia and Africa.

Notably, partial bans are trending: 48 % of prohibitionist regimes now outlaw only specific activities (e.g., derivatives or privacy coins) instead of nuking the entire sector.

Eighty-five jurisdictions have Travel-Rule legislation on the books (up from 65), forcing VASPs to share sender/recipient data for transfers over USD 1,000. The catch: self-custody wallets still break the chain of identity, and on-chain anonymity tools make compliance an engineering headache.

Most illicit flows now run through stablecoins, not BTC. Criminals layer funds via mixers, cross-chain bridges, and—most of all—USDT on Tron. Issuer freeze powers and real-time monitoring are about to become table stakes for any serious stablecoin play.

In 2025, DPRK-linked hackers drained USD 1.46 billion from ByBit. Less than 4 % was clawed back. The lesson: without cybersecurity + AML fusion, compliance paperwork is just a welcome mat for thieves. Firms now need real-time attack blocking (e.g., Phalcon) and on-chain KYA analytics to tag DPRK wallets before funds move.

The headline is clear: crypto regulation is graduating from its messy adolescence into something resembling order. Yet the road is zig-zagged.

Most governments know what to do—three quarters have done a risk study—but only a handful actually do it. Technology keeps outrunning statutes, and every new DeFi primitive reopens old loopholes.

FATF’s solution is a slow, coordinated squeeze: universal standards, local implementation, soft guidance backed by hard reputational penalties. For builders and investors, compliance is no longer a cost center; it is the ticket to any market that matters.