FATF Annual Exam: Global Crypto Regulatory Report Card Revealed

  • FATF's 2025 Crypto Report: Only The Bahamas achieved "full compliance" with FATF's virtual asset regulations, while 21% of countries remain non-compliant. North Korean hackers stole a record $1.46 billion in crypto, and stablecoins are increasingly used for money laundering.

  • Key Findings:

    • Compliance Progress: 29% of jurisdictions are "generally compliant" (e.g., US, UK, Singapore), but 49% are only partially compliant.
    • Regulatory Divergence: 62% allow crypto operations, while 20% ban them (e.g., China, Egypt).
    • Travel Rule Adoption: 73% of jurisdictions now enforce it, requiring VASPs to share transaction details.
    • Stablecoin Risks: Stablecoins like USDT on Tron are favored by criminals for laundering.
    • North Korean Threats: Hackers stole $1.46 billion in 2025, with less than 4% recovered.
  • Blacklist/Graylist: 27 countries face FATF sanctions, including North Korea, Iran, and Myanmar (blacklist), and Nigeria/Vietnam (graylist). Financial penalties and isolation follow.

  • 2026 Outlook: FATF will focus on stablecoin reserves, offshore VASP regulation, and DeFi guidelines (DAO legality, smart contract audits). Reports are expected in June/October 2026.

  • Takeaway: Global crypto regulation is shifting from chaos to order, with compliance becoming a competitive edge.

Summary

In June 2025, FATF released its sixth targeted update report on the regulation of crypto assets, with a shocking conclusion:

Only one jurisdiction globally has achieved FATF's "full compliance" standard for virtual asset regulation, while a staggering 20% of countries remain "non-compliant." Meanwhile, North Korean hackers stole a record $1.46 billion in crypto assets, stablecoins have become a new favorite for money laundering, and regulation in the DeFi sector remains shrouded in uncertainty.

Behind this seemingly chaotic global crypto regulatory landscape, there is an "invisible hand" quietly shaping the rules of the game for the entire industry - it is the FATF.

This article will delve into the six key findings of the FATF's latest report, reveal the 27 countries currently on its "blacklist and graylist," and preview the key changes in crypto regulation expected in 2026. Together, we'll help you understand the "source code" of global regulation.

Who is FATF? The global anti-money laundering standard setter

Established in 1989, the Financial Action Task Force (FATF) is the leading global standard-setting body for anti-money laundering and counter-terrorist financing. This intergovernmental organization, comprised of 39 member countries and regional organizations, has developed the FATF Recommendations, considered the "golden rule" for global AML/CFT.

For the crypto industry, the most critical FATF document is Recommendation 15 (R.15), which in 2019 brought virtual assets and VASPs into the anti-money laundering regulatory framework for the first time: like traditional financial institutions, VASPs must fulfill compliance obligations such as customer due diligence, transaction monitoring, and suspicious transaction reporting.

FATF is not a police force, yet it forced Binance to pay a $4.3 billion fine; FATF has no army, yet it can "isolate" an entire country from the international financial system; FATF does not make laws, yet it forces 205 jurisdictions to legislate according to its standards.

Why can an international organization without law enforcement powers play such a key role in global crypto regulation?

The answer is simple: in this decentralized world of crypto, the FATF has become the centralised global standard-setter. As regulators around the world grapple with how to manage this emerging industry, the FATF's Recommendation 15 (R.15) has become their shared "reference answer". Whether it's the US FinCEN, the EU's AMLD6, Singapore's MAS, or Hong Kong's recently passed Stablecoin Ordinance, the shadow of FATF standards can be seen behind them.

Interestingly, the FATF, through its unique "soft law" mechanisms—peer review and the "grey list" system—has transformed its previously non-binding recommendations into "hard rules" that countries must adhere to. What does being on the FATF gray list entail? Turkey and Cambodia are well aware of the implications: disruptions to international remittances, withdrawal of foreign capital, and credit rating downgrades—a price no country is willing to bear.

For crypto practitioners, understanding the FATF is like understanding the "source code" of global regulation. Knowing that regulatory rules in various countries are based on the same set of "localized" FATF standards allows you to better anticipate regulatory trends, plan compliance systems in advance, and conduct business globally.

FATF 2025 Report: Six Key Findings

In June 2025, FATF released the sixth "Targeted Update Report on the Implementation of FATF Standards on Virtual Assets and Virtual Asset Service Providers".

Through in-depth research across 163 jurisdictions, the FATF decodes the true state of global crypto compliance through six key findings.

Finding 1: Global compliance progress is slow but steady

As of April 2025, of the 138 jurisdictions assessed:

  • Only 1 jurisdiction is fully compliant: The Bahamas
  • 29% are generally compliant, a slight increase from 25% in 2024, including: the United States, the United Kingdom, Germany, and Singapore
  • 49% are partially compliant, including: Hong Kong, the Netherlands, and Türkiye
  • 21% are non-compliant, down from 25% in 2024, including: Cambodia, Vietnam

BlockSec Interpretation:

The compliance list is constantly being adjusted. For businesses using crypto payments, timely adjusting strategies based on FATF guidance and identifying wallet addresses and users from non-compliant countries presents a new challenge.

Finding 2: How to deal with risks is the main challenge

76% of surveyed jurisdictions report having conducted ML/TF risk assessments on VA/VASPs, up from 71% in 2024. However, the problem is:

  • Many jurisdictions have completed risk assessments but continue to struggle to implement preventive measures
  • Only 40 jurisdictions met the requirement to "assess risk and take a risk-based approach", including Switzerland, Japan, etc.

BlockSec Interpretation:

Many countries' risk assessments remain at the reporting level, lacking an implementation mechanism to translate assessment results into concrete measures. Both countries and crypto companies need to establish a dynamic, flexible, and enforceable risk management system.

Finding 3: Increasing differentiation in regulatory pathways

  • 62% of jurisdictions have chosen to allow VAs and VASPs to operate, including the United States and major EU countries.
  • 20% chose to completely ban crypto activities, a significant increase from 14% in 2024, including China and Egypt
  • 18% have yet to decide on the regulatory direction, including some Southeast Asian and African countries

Of particular note is the growing trend toward partial prohibitions (rather than complete bans): 48% of prohibitive jurisdictions choose to partially prohibit specific VA/VASP activities rather than adopting a blanket ban.

BlockSec Interpretation:

Regulatory fragmentation means that cross-border compliance will become more complex. Companies will need to develop differentiated compliance strategies for different markets.

Finding 4: Breakthrough progress in the implementation of the Travel Rule

73% of jurisdictions (85) have passed legislation implementing the Travel Rule. While this proportion appears to be the same as in 2024, the absolute number has increased from 65 to 85, demonstrating substantial progress.

The Travel Rule requires VASPs to obtain, store, and transmit specific remitter and beneficiary information when transferring virtual assets, which is equivalent to extending the KYC requirements of traditional finance to the crypto field.

BlockSec Interpretation:

While the global adoption of the Travel Rule is a significant trend, it still faces significant challenges in the crypto world: the anonymity of blockchain allows anyone to easily create multiple wallet addresses without requiring real-name association. While customers of centralized services (such as centralized exchanges) may submit KYC information, for users of self-custody wallets, obtaining identity information is difficult, and even if obtained, it can be difficult to verify authenticity.

Finding 5: Stablecoins are becoming a new favorite for money laundering

The report specifically notes that stablecoins are becoming the tool of choice for a wide range of illicit actors:

  • Most on-chain illegal activity now involves stablecoins
  • Criminals use stablecoins with anonymity-enhancing tools (such as mixers and cross-chain bridges) to layer funds.
  • USDT usage on the Tron network is particularly favored by illicit actors.

BlockSec Interpretation:

Stablecoin regulation will become a key focus in 2025-2026. The issuer's ability to freeze and monitor will play an increasingly important role. Regarding the KYC controversy surrounding Hong Kong's stablecoins, please see our in-depth analysis: Is real-name registration required for holding stablecoins? The true boundaries of Hong Kong's stablecoin KYC obligations.

Finding 6: North Korean hackers set a new record

In 2025, North Korean hackers stole $1.46 billion worth of virtual assets from the cryptocurrency exchange ByBit, setting a record for the largest single theft. Ultimately, less than 4% of the stolen funds were recovered.

BlockSec Interpretation:

Cybersecurity and AML/CFT compliance require equal attention. A compliance framework without security protections still leaves a company a target for hackers. Crypto companies need to establish a "double insurance" defense system: on the cybersecurity side, deploy real-time monitoring and automated attack blocking systems (such as the Phalcon Security app) to identify and intercept attacks as soon as they occur; and on the compliance monitoring side, implement a comprehensive KYA solution that uses on-chain behavioral analysis to identify wallet address tags associated with North Korean hacker groups.

Looking at these six findings, a clear thread emerges: global crypto regulation is moving from a "chaotic period" to an "orderly period", but this process is far more tortuous than expected.

What's thought-provoking is the significant gap between knowledge and action—most countries know what to do (76% have completed risk assessments), but few actually follow through (only 29% are essentially compliant). This also reflects the fundamental challenge of crypto regulation: in a sector characterized by rapid technological evolution and constant innovation, how can we establish a regulatory system that is both effective and responsive to innovation?

The FATF's answer is incremental reform combined with global coordination. By setting unified standards while allowing for localized implementation, and by employing soft constraints coupled with hard consequences, the FATF is guiding the world toward a new regulatory landscape characterized by "harmony yet diversity." For crypto companies, this means compliance is no longer an option but a ticket to entry; no longer a cost center but a source of competitive advantage.

Are countries divided into black and gray? 27 countries are on the list

If the FATF is the "gatekeeper" of the global financial system, then the Blacklist and Graylist are its "wanted warrants." The twice-yearly updates to the lists trigger chain reactions in global financial markets.

The "Big Three" of the blacklist

  • North Korea: A "holdout" since 2011, the mastermind behind the $1.46 billion ByBit theft
  • Iran: Nuclear issue compounded by terrorist financing risks, complete financial isolation
  • Myanmar: Added to the list after the 2022 coup, its regulatory vacuum has become a haven for money laundering

Any financial transactions with blacklisted countries are "high-voltage lines" - at the very least, regulatory penalties will be imposed, and at worst, account freezes and settlement interruptions will be imposed.

Three major trends in greylisting

  • Africa is the hardest hit area: 12 countries are on the list, and South Africa, as the light of Africa, still makes the list
  • Crypto hot spots are in a dilemma: Nigeria (second in the world in P2P transaction volume) and Vietnam (top three in crypto adoption) are seriously lagging behind in regulation.
  • The plight of offshore centers: The British Virgin Islands and Monaco are paying the price for their past lax regulation: international remittance costs have increased by 30-50%, foreign investment has decreased by 20-40%, and credit ratings have been downgraded.

FATF's 2026 Regulatory Spoiler

Looking back at the FATF’s reporting history:

  • 2019 Travel Rule Guidelines: 50+ countries enacted legislation within 2 years
  • 2020 Stablecoin Report: triggered a wave of global regulation

It’s like a regulatory “playbook” – knowing the focus 6-12 months in advance allows you to get ahead of regulatory changes.

Three major FATF reports are about to be released

1. Stablecoin Special Report (Q1 2026)

Key points: reserve transparency standards, definition of responsibility for de-pegging, and cross-chain supervision

2. Offshore VASP Report (2025-2026)

Key points: The boundaries of "long-arm jurisdiction," data localization, and cross-border law enforcement

3. DeFi Regulatory Guidelines (2025-2026)

Key points: Identification of responsible parties, DAO legal status, and smart contract audits

An interesting discovery

FATF's report releases often follow a "seasonal pattern" - important reports are mostly released in June and October.

Astute compliance teams will closely monitor these two milestones, obtaining and responding to information promptly. In the race for regulatory compliance, information is time, and time is advantage. Companies that anticipate regulatory trends will naturally gain a first-mover advantage in market competition.

The latest FATF report highlights a clear trend: global crypto regulation is shifting from "unbridled growth" to "regulated development." While only one jurisdiction has achieved full compliance, this demonstrates the immense potential for growth and market opportunities in the crypto world.

Author: BlockSec

This article represents the views of PANews columnist and does not represent PANews' position or legal liability.
