40 FATF 40 Recommendations
15

Recommendation 15 · Group D · Preventive Measures

Former: R.8

New technologies & virtual assets

Recommendation 15 makes countries and financial institutions identify and assess the ML/TF risks of new products, business practices, delivery mechanisms and developing technologies — and mitigate them before launch. Since 2019 it explicitly extends to virtual assets and virtual asset service providers (VASPs): they must be licensed or registered, supervised, and apply the same AML/CFT obligations as traditional financial institutions, including Recommendation 16 (the Travel Rule).

Who must comply?

  • Virtual Asset Service Providers (VASPs): exchanges, custodians, transfer services, issuers in initial coin offerings, investment service providers
  • Banks and other financial institutions launching new digital products
  • Fintechs offering AI-driven onboarding, e-wallets, instant payment rails
  • Issuers of stablecoins and tokenised real-world assets
  • DeFi protocol operators where there is a centralised party with control or sufficient influence

Key requirements

  1. 1

    Risk assessment before launch

    Countries and financial institutions must identify and assess ML/TF risks before launching new products, services, business practices or delivery mechanisms — including the use of new or developing technologies for both new and pre-existing products.

  2. 2

    Mitigation measures

    Take appropriate measures to manage and mitigate the identified risks: stronger CDD, transaction monitoring rules, transaction caps, restricted geographies, internal approval gates, staff training.

  3. 3

    Treat virtual assets as 'property' / 'funds'

    For the purposes of applying the FATF Recommendations, countries must treat virtual assets as property, proceeds, funds, funds-or-other-assets or other corresponding value — meaning AML/CFT measures apply equivalently.

  4. 4

    License or register VASPs

    Virtual asset service providers must be licensed or registered in the jurisdiction where they were created. Countries should take action to identify natural or legal persons that carry out VASP activities without the required authorisation and apply effective sanctions.

  5. 5

    Supervise VASPs as financial institutions

    VASPs must be subject to risk-based supervision or monitoring by a competent authority, with adequate powers to compel production of information, conduct on-site inspections and impose dissuasive sanctions for non-compliance.

  6. 6

    Apply preventive measures equivalent to FIs

    VASPs must apply the same AML/CFT obligations as traditional financial institutions: CDD (R.10), record keeping (R.11), PEPs (R.12), correspondent relationships (R.13), reliance on third parties (R.17), suspicious transaction reporting (R.20), tipping-off (R.21), internal controls (R.18), higher-risk countries (R.19) and targeted financial sanctions (R.6 and R.7).

  7. 7

    Travel Rule for virtual asset transfers (R.16)

    When a VASP conducts a virtual asset transfer, it must obtain, hold and immediately submit accurate originator information and required beneficiary information to the beneficiary VASP or financial institution. The current de minimis threshold for the Travel Rule on virtual asset transfers is USD/EUR 1,000.

  8. 8

    International cooperation on VASPs

    Countries must rapidly, constructively and effectively provide international cooperation in relation to ML, TF and proliferation involving virtual assets — extradition, mutual legal assistance, information exchange and asset recovery.

Practical example

Example: Mexican crypto exchange listing a new altcoin

A Mexican exchange registered as a vulnerable activity (Art. 17 Fr. XVI LFPIORPI) plans to list a new altcoin. Before launch the compliance team performs a risk assessment: chain analytics check, sanctions screening, jurisdictional risk, privacy-coin attributes, on-chain volume from grey-list countries. The token's privacy features and high cross-border flow trigger HIGH risk. Mitigations applied: enhanced CDD on customers trading the token, automatic deposit/withdrawal caps, real-time blockchain monitoring with Chainalysis, manual review for transfers above 1,000 USD (Travel Rule), and SAT reporting on every fiat-to-crypto trade above 210 UMA (Art. 17 Fr. XVI threshold). Without these mitigations the listing is blocked by senior management.

How Mexico implements it

Country-specific section in Spanish — Mexican regulatory references (LFPIORPI, CNBV, SAT, UIF).

México implementa la Recomendación 15 a través de tres marcos paralelos según el tipo de operador y producto:

LFPIORPI Art. 17 Fr. XVI — Activos virtuales como actividad vulnerable

El intercambio habitual o profesional de activos virtuales por personas o entidades distintas a las financieras es actividad vulnerable. Umbrales 2026: identificación siempre; aviso 210 UMA ($24,635 MXN) para intercambio fiat-cripto y 4 UMA ($469 MXN) cuando se recibe activo virtual como contraprestación.

Programa Orientación SAT — Tarjetas y Activos Virtuales

Ley Fintech (LRITF Art. 30) — Definición de activo virtual

La Ley para Regular las Instituciones de Tecnología Financiera define activo virtual como representación de valor registrada electrónicamente que no sea moneda de curso legal en México. Banxico autoriza qué activos virtuales pueden operar las ITF y bajo qué condiciones.

Padrón SPPLD y avisos al SAT

Los operadores de Fr. XVI deben darse de alta en el padrón SPPLD del SAT (115 obligados al 28/02/2026) y presentar avisos vía portal. La ENR 2025 clasifica a los activos virtuales como amenaza alta — ~80% de transacciones tienen alguna asociación con actividad ilícita según Chainalysis.

SPPLD: portal antilavado del SAT 2026

Software de cumplimiento Fr. XVI

Las plataformas Fr. XVI requieren mecanismos automatizados (Art. 18 Fr. X reforma julio 2025): perfil transaccional, detección de fragmentación cerca del umbral, cotejo de listas, monitoreo on-chain y generación automática de avisos XML al SAT.

Software PLD para activos virtuales

Milestones

  1. 1990

    Original Recommendation 8 — generic 'new technologies' provision

  2. 2012

    Renumbered as Recommendation 15 in the consolidated framework

  3. 2018

    Public consultation begins on extending FATF standards to virtual assets

  4. 2019

    Interpretive Note formally extends Recommendation 15 to VASPs and the Travel Rule (USD/EUR 1,000)

  5. 2021

    Updated guidance on Travel Rule for VASPs published

  6. 2025

    October 2025 update reinforces VASP supervision and DeFi treatment

Related Recommendations

Other Recommendations in Group D — Preventive Measures

9 R.9 Financial institution secrecy laws 10 R.10 Customer due diligence (CDD) 11 R.11 Record keeping 12 R.12 Politically exposed persons (PEPs) 13 R.13 Correspondent banking 14 R.14 Money or value transfer services (MVTS) 16 R.16 Payment transparency (Travel Rule) 17 R.17 Reliance on third parties 18 R.18 Internal controls & foreign branches 19 R.19 Higher-risk countries 20 R.20 Suspicious transaction reports (STRs) 21 R.21 Tipping-off & confidentiality 22 R.22 DNFBPs: customer due diligence 23 R.23 DNFBPs: other measures

Official citation

FATF (2012-2025), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, Recommendation 15, FATF, Paris, France. Last updated October 2025.

Read the official text on fatf-gafi.org