In March 2026, the Financial Action Task Force (FATF) issued a landmark report that should sit at the top of every compliance officer’s reading list. Stablecoins now account for 84 percent of all illicit virtual asset transaction volume, a staggering figure that signals a fundamental shift in how criminals move money globally. For VASPs, fintechs and financial institutions, this report makes one thing clear: stablecoin AML compliance is a regulatory imperative.
This article breaks down the FATF’s key findings, explains why unhosted wallets are creating serious compliance blind spots and outlines the practical steps that regulated entities must take to align with FATF Recommendation 15. Whether you operate a crypto exchange, a money service business or a bank with crypto-linked client exposure, the guidance in this report may affect you directly.
What the FATF’s March 2026 Stablecoin Report Found
On 3 March 2026, FATF published its Targeted Report on Stablecoins and Unhosted Wallets – Peer-to-Peer Transactions. The report examines how the rapid growth of stablecoins has created new money laundering and terrorist financing risks – risks that existing AML frameworks have not fully addressed.
The scale of the problem is striking. Stablecoins are no longer a niche product. By mid 2025, over 250 stablecoins were in circulation globally, with a combined market capitalisation exceeding USD 300 billion. Their appeal is obvious: they maintain price stability, settle near-instantly and operate across borders without a traditional financial intermediary. Unfortunately, these same features make them attractive to criminals.
Who Is Exploiting Stablecoins?
The FATF report identifies several categories of threat actors. State-linked cybercriminal groups, including those with ties to the Democratic People’s Republic of Korea (DPRK), have adopted stablecoins as a primary vehicle for laundering ransomware proceeds and funds from phishing attacks. Additionally, actors linked to Iranian sanctions evasion schemes are using stablecoins to move value outside the reach of traditional controls. These are not theoretical risks. They are documented patterns that regulators are now moving to close.
The Unhosted Wallet Problem in Stablecoin AML Compliance
At the core of FATF’s concern is the use of unhosted wallets for peer-to-peer (P2P) stablecoin transactions. Unlike transactions processed through a regulated VASP, P2P transfers via unhosted wallets occur directly between individuals, bypassing any regulated intermediary entirely.
This creates a critical compliance blind spot. When a transaction flows through a licensed exchange, the Travel Rule requires that originator and beneficiary information accompany the transfer. However, when a user moves stablecoins from an exchange to an unhosted wallet and then to another unhosted wallet, that chain of information breaks down. Regulated VASPs have no visibility into what happens after the funds leave their platform.
The FATF report also highlights a specific technical challenge: stablecoin issuers may face difficulties controlling cross-chain activity. A stablecoin that is bridged from one blockchain to another can effectively exit the compliance controls applied on the original chain. This means that even entities that invest in strong on-chain monitoring may find that their controls have limited reach once a token crosses to a different network.
Why This Is Harder Than It Looks
Many compliance teams assume that blockchain transparency solves the AML problem for crypto assets. In practice, the situation is more complex. Transaction mixing, chain-hopping and the use of privacy-enhancing protocols can obscure the origins of stablecoin flows even when the underlying blockchain is public. Therefore, simply reviewing on-chain data is not sufficient. Regulators expect firms to combine on-chain analytics with robust customer due diligence and transaction monitoring programmes.
FATF Recommendation 15: The Core Standard for Stablecoin AML Compliance
FATF Recommendation 15 sets out the requirements that countries and regulated entities must apply to virtual assets and virtual asset service providers. The March 2026 report makes a clear call: all relevant participants in stablecoin arrangements, including stablecoin issuers, intermediary VASPs and financial institutions, should be subject to explicit AML/CFT obligations under this standard.
In practical terms, Recommendation 15 requires countries to ensure that VASPs are licensed or registered, subject to AML/CFT controls and supervised by a competent authority. Furthermore, it demands that VASPs apply the Travel Rule, meaning that customer identifying information must flow with the transaction whenever the transfer exceeds the applicable threshold. Learn more about the FATF’s virtual asset standards here.
The Travel Rule and Stablecoins
The Travel Rule has been a compliance flashpoint for the crypto industry since FATF first applied it to virtual assets in 2019. A June 2025 FATF update refined the standard, placing greater emphasis on ensuring that originator and beneficiary data remains intact throughout the payment chain, not just at the point of sending.
For stablecoins specifically, this means that VASPs cannot simply collect data at the point of withdrawal. They must also verify the destination and, where possible, confirm that the counterparty VASP applies equivalent standards. This is particularly challenging in jurisdictions where the Travel Rule is not yet law. Industry estimates suggest that by January 2026, 73 percent of countries had enacted Travel Rule legislation, but that leaves a significant portion of the global market operating without equivalent controls.
The Enforcement Backdrop: Why Regulators Are Serious
The FATF report does not exist in isolation. It coincides with a sharp increase in AML enforcement activity globally. On 6 March 2026, the US Financial Crimes Enforcement Network (FinCEN) announced an USD 80 million civil money penalty against broker-dealer Canaccord Genuity LLC, the largest Bank Secrecy Act (BSA) penalty ever imposed on a broker-dealer. The firm admitted to willfully failing to maintain an effective AML programme, conduct adequate due diligence on high-risk customers and file at least 160 required Suspicious Activity Reports (SARs). You can read more details about FinCEN’s enforcement actions on their official site.
The Canaccord case illustrates a lesson that applies equally to crypto firms: under-resourcing compliance is not a cost-saving measure. It is a liability. Canaccord’s compliance function relied on just four people to review a high volume of trade surveillance reports and they could not keep pace. As a result, high-risk customers with reported ties to microcap fraud schemes, Russian oligarchs and OFAC-designated individuals accessed the US financial system without appropriate controls.
Regulators in multiple jurisdictions are applying the same scrutiny to VASPs. Crypto firms that have historically operated with lean compliance teams should view this enforcement environment as a clear signal that expectations have materially shifted.
What VASPs and Financial Institutions Must Do Now
The FATF’s 2026 report provides a framework for action. The steps below represent the priorities that regulated entities should address to strengthen their stablecoin AML compliance posture.
Conduct a Stablecoin-Specific Risk Assessment
Most AML programmes were designed with fiat currency in mind. Even those updated for crypto may not specifically address stablecoin risk. Firms should conduct a targeted risk assessment examining: which stablecoins they accept or facilitate, the proportion of P2P versus exchange-to-exchange flows and their exposure to unhosted wallet transactions. This assessment should feed directly into the firm’s AML risk appetite statement and transaction monitoring calibration.
Implement Unhosted Wallet Controls
Firms should establish controls for transactions involving unhosted wallets. Under best practice, this includes: collecting and verifying the wallet address, applying enhanced due diligence for transfers above defined thresholds and using blockchain analytics tools to assess wallet risk before processing. Several jurisdictions, including the EU under its Markets in Crypto-Assets (MiCA) framework and CBUAE guidance in the UAE, already require such controls for crypto transfers to self-hosted wallets.
Strengthen Travel Rule Compliance
VASPs must implement a capable Travel Rule solution that collects, transmits and verifies required originator and beneficiary information. Furthermore, they must have a process for handling transfers involving counterparty VASPs in jurisdictions that have not yet enacted the Travel Rule. Regulators expect firms to apply risk-based measures in these cases, which typically means enhanced due diligence and, in some cases, declining the transaction.
Upgrade Transaction Monitoring for Cross-Chain Activity
As the FATF report highlights, cross-chain bridging creates monitoring gaps. Firms should review their transaction monitoring systems to ensure they can flag suspicious cross-chain activity, not just on-chain transfers within a single network. This may require investment in specialist blockchain analytics solutions that cover multiple chains and bridge protocols.
Train Your Compliance Team on Stablecoin Typologies
AML training programmes should be updated to cover stablecoin-specific money laundering typologies. This includes chain-hopping, layering through DeFi protocols and the use of stablecoins to convert proceeds from ransomware or phishing attacks. A team that understands these typologies is far better positioned to identify suspicious activity and file timely SARs.
The Global Regulatory Trajectory: What Comes Next
The March 2026 FATF report is part of a broader regulatory trajectory. In the EU, the Anti-Money Laundering Authority (AMLA) must deliver draft Regulatory Technical Standards by July 2026, standards that will directly shape how KYC and AML controls are applied across the EU’s MiCA regime. In the UAE, the Central Bank of the UAE (CBUAE) has signalled continued vigilance on virtual asset risks. In India, the Financial Intelligence Unit (FIU-IND) continues to expand its oversight of virtual asset reporting entities.
Consequently, VASPs operating across multiple jurisdictions face a complex and rapidly evolving compliance landscape. What meets the standard in one jurisdiction may fall short in another. Moreover, FATF has signalled that it will continue stepping up monitoring and public pressure on jurisdictions that lag in Travel Rule implementation, meaning that even firms operating in slower-moving markets should prepare for tightened standards ahead.
Conclusion
The FATF’s March 2026 targeted report on stablecoins and unhosted wallets is a clear regulatory signal. Stablecoins have become an increasingly prominent vehicle for illicit finance and regulators expect the industry to respond with commensurate controls. This means conducting stablecoin-specific risk assessments, tightening unhosted wallet procedures, implementing robust Travel Rule solutions and investing in transaction monitoring that covers cross-chain activity.
The enforcement environment reinforces the urgency. Record penalties for AML failures, from FinCEN to the FCA to AUSTRAC, show that under-resourcing compliance carries serious consequences. Firms that act now to close the gaps identified in the FATF report will be in a far stronger position as regulatory expectations continue to rise.
To find out how Compliance7 can help your business navigate AML compliance and VASP regulatory requirements, visit compliance7.com or book a free consultation with our team today.
This article is for informational purposes only and does not constitute legal or regulatory advice. For guidance specific to your business, consult a qualified compliance professional.
