In June 2025, FATF released its sixth targeted update report on crypto asset regulation, with shocking conclusions:
Globally, only one jurisdiction has achieved FATF's 'full compliance' standard in virtual asset regulation, while as much as 20% of countries remain in a 'non-compliant' state. Meanwhile, North Korean hackers have set a record by stealing $1.46 billion worth of crypto assets, stablecoins have become the new favorite for money laundering, and regulation in the DeFi sector remains a fog...
Behind this seemingly chaotic global crypto regulatory landscape, there is an 'invisible hand' quietly shaping the rules of the game for the entire industry—FATF.
This article will deeply interpret the six key findings of the latest FATF report, reveal the latest 'black and gray list' countries of 27 nations, and look forward to important changes in crypto regulation in 2026. It will help you understand the 'source code' of global regulation.
Who is FATF? The global anti-money laundering 'standard setter'.
FATF (Financial Action Task Force) was established in 1989 and is the authoritative standard-setting body in the global anti-money laundering and counter-terrorist financing field. This intergovernmental organization composed of 39 member countries and regional organizations has its anti-money laundering recommendations (FATF Recommendations) regarded as the 'golden rule' of global AML/CFT.
For the crypto industry, the most crucial FATF document is Recommendation 15 (R.15), which first included virtual assets and VASPs into the anti-money laundering regulatory framework in 2019: VASPs need to fulfill compliance obligations such as customer due diligence, transaction monitoring, and suspicious transaction reporting like traditional financial institutions.
FATF is not the police, yet it made Binance pay a $4.3 billion fine; FATF has no army, yet it can isolate entire countries from the international financial system; FATF does not make laws, yet it compels 205 jurisdictions to legislate according to its standards.
Why can an international organization without enforcement power play such a key role in global crypto regulation?
The answer is simple: in this decentralized crypto world, FATF has become the 'centralized' global standard setter. While national regulators are still exploring how to manage this emerging industry, FATF's R.15 has become their common 'reference answer'. Whether it is the U.S. FinCEN, the EU's AMLD6, Singapore's MAS, or the recently passed stablecoin regulations in Hong Kong, the shadow of FATF standards can be seen behind them.
Interestingly, FATF has transformed its originally non-binding recommendations into 'hard rules' that countries must comply with through its unique 'soft law' mechanism—peer reviews and the 'gray list' system. What does it mean to be on FATF's gray list? Turkey and Cambodia should be very clear—international remittances are hindered, foreign investment withdraws, credit ratings are downgraded... No country wants to bear such costs.
For crypto practitioners, understanding FATF means understanding the 'source code' of global regulation. When you realize that the regulatory rules of various countries are based on the same set of FATF standards 'localized', you can better anticipate regulatory trends and lay out compliance systems in advance to conduct business globally.
Interpretation of the 2025 FATF latest report: Six key findings
In June 2025, FATF released the sixth (targeted update report on the implementation of FATF standards for virtual assets and virtual asset service providers).
Through in-depth research on 163 jurisdictions, FATF decodes the real state of global crypto compliance through six key findings.
???? Finding One: Global compliance progress is slow but stable.
As of April 2025, among the 138 jurisdictions that have been assessed:
Only one jurisdiction is fully compliant: The Bahamas
29% are basically compliant, slightly up from 25% in 2024, including: the United States, the United Kingdom, Germany, Singapore
49% are partially compliant, including: Hong Kong, the Netherlands, Turkey
21% are non-compliant, a decrease from 25% in 2024, including: Cambodia, Vietnam
BlockSec Interpretation:
???? The compliance list is continuously and dynamically adjusted. For companies using crypto payments, how to adjust strategies in a timely manner according to FATF's guidelines, identify wallet addresses and users belonging to non-compliant countries, is a new challenge that must be faced.
???? Finding Two: How to cope with risks is the main challenge
76% of surveyed jurisdictions reported having conducted ML/TF risk assessments for VAs/VASPs, up from 71% in 2024. But the problem is:
Many jurisdictions have completed risk assessments, but still face significant difficulties in implementing preventive measures.
Only 40 jurisdictions met the requirements for 'assessing risks and adopting a risk-based approach', including Switzerland, Japan, and others.
BlockSec Interpretation:
???? Many countries' risk assessments remain at the report level, lacking an execution mechanism to translate assessment results into concrete measures. Both countries and crypto companies need to establish a dynamic, flexible, and executable risk management system.
???? Finding Three: Regulatory path differentiation intensifies.
62% of jurisdictions choose to allow VAs and VASPs to operate, including the United States and major EU countries.
20% choose to completely prohibit crypto activities, a significant increase from 14% in 2024, including China and Egypt.
18% have yet to decide on regulatory direction, including some Southeast Asian and African countries.
It is particularly noteworthy that partial prohibitions (rather than total prohibitions) are becoming a trend: 48% of jurisdictions that prohibit certain VA/VASP activities choose partial prohibitions rather than a one-size-fits-all approach.
BlockSec Interpretation:
???? Regulatory differentiation means that the complexity of cross-border compliance will further increase. Companies need to develop differentiated compliance strategies for different markets.
???? Finding Four: Breakthroughs in the implementation of the Travel Rule.
73% of jurisdictions (85 in total) have passed legislation to implement the Travel Rule. Although this proportion seems unchanged from 2024, the absolute number has increased from 65 to 85, showing substantial progress.
The Travel Rule requires VASPs to obtain, retain, and transmit specific remitter and payee information when transferring virtual assets, effectively extending traditional financial KYC requirements into the crypto field.
BlockSec Interpretation:
???? The global promotion of the Travel Rule is an important trend, but it still faces huge challenges in the crypto world: the anonymous nature of blockchain allows anyone to easily create multiple wallet addresses without any real-name association. Customers using centralized services (like centralized exchange customers) may submit KYC information, but for self-custody users, obtaining identity information is difficult, and even if obtained, it is hard to verify its authenticity.
???? Finding Five: Stablecoins have become the new favorite for money laundering.
The report particularly points out that stablecoins are becoming the preferred tool for various illegal actors:
Most illegal activities on-chain now involve stablecoins
Criminals use stablecoins in conjunction with anonymity-enhancing tools (such as mixers and cross-chain bridges) for fund layering
USDT is particularly favored by illegal actors on the Tron network
BlockSec Interpretation:
???? Regulation of stablecoins will become a key focus in 2025-2026. The freezing and monitoring capabilities of issuers will play an increasingly important role. For more on the KYC controversy regarding stablecoins in Hong Kong, please see our in-depth interpretation: Is real-name verification required for holding coins? The true boundaries of Hong Kong stablecoin KYC obligations.
???? Finding Six: North Korean hackers set a new record.
In 2025, North Korean hackers stole $1.46 billion worth of virtual assets from the crypto exchange ByBit, setting a record for a single theft. Ultimately, less than 4% of the stolen funds were recovered.
BlockSec Interpretation:
???? Cybersecurity and AML/CFT compliance need to be prioritized equally. A framework for compliance without security measures will still be a target for hackers. Crypto companies need to establish a 'dual insurance' protection system: on the cybersecurity level, deploy real-time monitoring and automatic attack blocking systems (like Phalcon Security APP) to identify and intercept attacks at the first moment they occur; on the compliance monitoring level, adopt a complete KYA solution to identify and label wallet addresses related to North Korean hacker organizations through on-chain behavior analysis.
Looking across these six findings, a clear thread emerges: global crypto regulation is moving from 'chaotic period' to 'orderly period', but this process is far more tortuous than expected.
It is thought-provoking to see the huge gap of 'knowing and doing'—most countries know what to do (76% have completed risk assessments), but very few actually do it (only 29% are basically compliant). This also reflects the fundamental challenge of crypto regulation: in a field where technology rapidly iterates and business models continuously innovate, how to establish a regulatory system that is both effective and does not stifle innovation?
FATF's answer is: gradual reform + global collaboration. By setting unified standards but allowing localized implementation, and combining soft constraints with hard consequences, FATF is guiding the world towards a new regulatory pattern of 'harmony in difference'. For crypto businesses, this means compliance is no longer optional but a ticket to entry; it is no longer a cost center but a source of competitive advantage.
Are countries also classified as black or gray? 27 countries are on the list
If FATF is the 'gatekeeper' of the global financial system, then the gray and black lists are its 'wanted notices'. The biannual updates of the lists trigger a chain reaction in the global financial market.
The 'big three' of the black list.
North Korea: A 'stubborn' case since 2011, the mastermind behind the $1.46 billion ByBit theft.
Iran: Nuclear issues combined with terrorist financing risks, completely isolated financial system.
Myanmar: Listed after the 2022 coup, regulatory vacuum becomes a money laundering paradise.
Any financial dealings with blacklisted countries are 'high pressure'—light penalties result in regulatory fines, while heavy penalties can lead to account freezes and settlement interruptions.
Three major trends of the gray list.
Africa has become a major disaster area: 12 countries are on the list, with South Africa still being recognized as the 'light of Africa'.
Crypto hotspots facing awkward situations: Nigeria (2nd in global P2P trading volume), Vietnam (top three in crypto adoption) have significant regulatory lag.
Offshore centers in dilemma: The British Virgin Islands and Monaco are paying the price for past lenient regulation: international remittance costs increased by 30-50%, foreign investment decreased by 20-40%, credit ratings downgraded.
FATF's 2026 regulatory 'spoilers'.
A review of the history of FATF's reports:
In 2019, the Travel Rule guidelines???? led to legislation in 50+ countries within 2 years.
The 2020 stablecoin report???? triggered a global regulatory wave.
Like a regulatory 'script'—understanding key focuses 6-12 months in advance can give an advantage before regulatory changes occur.
FATF's three major reports are about to be released.
1. Stablecoin Special Report (Q1 2026)
Core highlights: Reserve transparency standards, de-pegging responsibility definition, cross-chain regulation.
2. Offshore VASP Report (2025-2026)
Core highlights: 'Long-arm jurisdiction' boundaries, data localization, cross-border law enforcement
3. DeFi Regulatory Guidelines (2025-2026)
Core highlights: Identification of responsible parties, legal status of DAOs, auditing of smart contracts
???? An interesting finding
FATF's report release often has a 'seasonal pattern'—important reports are mostly published in June and October.
Smart compliance teams will closely monitor these two time points, obtaining information and responding promptly. In the race for regulatory compliance, information equals time, and time equals advantage. Companies that anticipate regulatory trends will naturally gain a first-mover advantage in market competition.
The latest FATF report gives a clear trend: global crypto regulation is moving from 'wild growth' to 'regulated development'. Currently, although only one jurisdiction has achieved full compliance, it also indicates the huge growth space and market opportunities in the crypto world.
