Skip to content

Risk-based approach to Supervision or Monitoring of VASPs (Virtual Asset Service Provider)

Risk-based approach and what it entails

When tackling AML/CFT (Anti-Money Laundering/Countering the Financing of Terrorism), the risk-based approach aims to build those measures to prevent or mitigate that are equal to the ML/TF (Money Laundering/Terrorist Financing) risks identified by the relevant countries and obliged entities. When it comes to supervision, this approach applies to how the resources are allocated by the supervisory authorities.

A country’s policy, legal and regulatory approach should result in an effective risk-based regime that is adopted by a country. Also, the financial sector policy objectives should be reflected in the national policy, legal and regulatory framework.

When tackling money laundering and terrorist financing, a country should strive to reach high levels of financial inclusion, stability, integrity and consumer protection whilst also factoring in market competition.

VASPs (Virtual Asset Service Providers) come into play at this point. The FATF (Financial Action Task Force) not only recommends but requires the regulation of VASPs for anti-money laundering and in the fight against the financing of terrorism, both those licenced as well as those registered, and subject to valid systems for their monitoring or supervision.

The role and importance of supervisors (for VSAP’s)

Supervisors also need to develop a better and deeper understanding of the VASP market, its format and the part it plays not only in the financial system but also in the country’s economy, so as to be able to perform more accurate assessments of any potential risk in the sector. In their line of work, supervisors should make use of an array of available sources so that the ML/TF risks linked with VA (Virtual Asset) products, services and activities as well as those with VASPs are identified and assessed adequately.

When such understanding is understood not to be complete, it may be deemed fit for the competent authorities to intervene and adopt a more targeted sectoral risk assessment in relation to the virtual assets sphere. This so that a better understanding can be developed and utilised in the risk assessments.

Important factors to be kept in mind

When taking into account anything related with VAs and VASPs, be it products, services or activities, the level of risk needs to be factored in. Business models, corporate governance arrangements, information related to finances and accounting, modes of delivery, customer delineations, geographic location, countries where the operations take place and the level of adherence with AML/CFT measures all come into play.

The controls in place, as well as the quality of the risk management policy adopted by a VASP and the proper functioning of its internal oversight, are all important aspects that the supervisor needs to be aware of.

Obtaining the required information and periodic reviews

The relevant and required information may be obtained via prudential supervisors where VASPs or those involved with VA activities are subject to prudential regulations. Information can also be extracted via the sharing of examination findings and collaborations with banks, insurance companies, securities providers and investment companies.

Regular reviews of the assessments of risk profiles of both the VASP sector and VASPS by the supervisors themselves are important so that any possible new threats may be detected and dealt with.

The FATF lists 6 main ways in which information may be shared when related to VA risks, be it both in the public and private realm:

  • ML/TF risk assessments;
  • Various categorisations and methods which money launderers or terrorist financiers resort to when they exploit VASPs, specific VA mechanisms or VAs in a broad manner;
  • General evaluations about the quality and utility of STRs (Suspicious Transaction Reports) and other pertinent reports;
  • Information on indicators that may give rise to suspicion associated with VA activities or VASP transactions;
  • Targeted unclassified intelligence, only when it is appropriate to be made use of; and
  • Anyone concerned, be it a country, person or organisation whose assets or transactions should be frozen as per targeted financial sanctions as found in the FATF recommendations, more precisely Recommendation 6.

Approaches adopted by supervisors

The FATF proposes 3 main ways in which they can adjust their approach so as to achieve the most possible when it comes to supervision and monitoring.

  • Adjusting the type of AML/CFT supervision or monitoring: supervisors should employ a variety of offsite and onsite access; there are times when offsite supervision and monitoring is not enough and would need to be beefed up with onsite access too. There are also instances where offsite supervision and monitoring suffices and resources should be engaged on higher risk VASPs. Offsite supervision and monitoring may include analysis of information, both obtained via research and provided by the VASP itself, controls and checks via reputable means and skype or similar calls, amongst others;
  • Adjusting the frequency and nature of ongoing AML/CFT supervision or monitoring: this can be modified on an ongoing basis according to the risks that are identified and as issues arise. Other variables come into play too, such as geographic location, the type of transaction, be it virtual or fiat, the products or services offered amongst others; and
  • Adjusting the intensity of AML/CFT supervision or monitoring: supervisors should decide on the type and intensity of assessment in agreement with the risks that have been determined. All this to ensure that VASPs policies and procedures do actually prevent abuse by the VASPs themselves.

Supervisors should be flexible enough to adapt and update their ML/TF risk assessments and when appropriate, they should disclose their recommendations to the VASPs so that they, in turn, can improve the quality of their risk-based approaches.


All this is being done due to the changes adopted by the FATF in October 2018 to its Recommendations and also the Interpretive Note in June 2019, to specifically clarify regarding the application of these recommendations in regard to virtual assets and virtual assets providers and all that revolves around them.


The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet with up with any of our representatives to seek further information, please contact us for an appointment.

Share on facebook
Share on twitter
Share on linkedin
Share on skype
Share on whatsapp
Share on telegram
Share on email

More posts of the author

Company Formation in Malta or Cyprus

Reasons for a Relocation of residence and/ or company headquarters Who hasn’t dreamed of living on a beautiful Mediterranean island? Good weather almost year-round, crystal

Read More »

Ask your question now! Send a message to the author.

Author of the post

Philipp M. Sauerborn

More Expert Articles

Ordinary Legislative Procedure

How decisions are made at an EU Level

The standard decision-making procedure is known as ‘Ordinary Legislative Procedure’, meaning that the directly elected European Parliament has to approve EU legislation together with the Council of Europe. The EU

Read Expert Articles