FATF Stablecoins and Unhosted Wallets Report: AML/CFT Implications for EU Firms

Last updated: April 2026

If your compliance team treats stablecoin transactions the same way it treats other crypto-asset transfers, the FATF just explained why that is not enough. On 3 March 2026, the Financial Action Task Force published its “Targeted Report on Stablecoins and Unhosted Wallets – Peer-to-Peer Transactions.” The report is not a new standard. It does not create binding obligations. But it reframes where FATF expects jurisdictions and firms to focus their AML/CFT controls, and for EU firms already operating under MiCA and the Transfer of Funds Regulation, the signal is hard to ignore.

The core message: stablecoins have become the dominant vehicle for illicit virtual asset flows, and peer-to-peer transfers through unhosted wallets are the gap that existing controls fail to close. FATF is pushing jurisdictions toward stablecoin-specific supervisory frameworks and pointing to issuer-level programmable controls, including freezing and deny-listing, as “good practices.” For crypto-asset service providers (CASPs), banks with crypto exposure, and payment institutions handling e-money tokens, this report changes the compliance conversation.

Related reading: MiCA Reporting Obligations for CASPs and Token Issuers

What the FATF Report Actually Says

The report reflects developments through the end of 2025. FATF documents more than 250 stablecoins in circulation, with aggregate market capitalisation exceeding USD 300 billion by mid-2025. It cites Chainalysis data showing stablecoins accounted for roughly 84% of all illicit virtual asset transaction volume in 2025. TRM Labs estimated that illicit entities received USD 141 billion in stablecoins that year, the highest level observed in five years.

Three points matter for EU compliance teams.

First, FATF identifies peer-to-peer transfers via unhosted wallets as the “key vulnerability” in the stablecoin ecosystem. These transactions often happen without customer due diligence, transaction monitoring, or a clearly responsible reporting entity. The report calls this the “secondary-market gap” because illicit activity is increasingly moving to the secondary market, away from the point of issuance or initial exchange.

Second, the report observes that only a limited number of jurisdictions have implemented targeted regulatory frameworks for entities operating within the stablecoin ecosystem. FATF does not require jurisdictions to go beyond the existing Updated Guidance for Virtual Assets and VASPs (October 2021). But it strongly encourages jurisdictions that are developing stablecoin-specific rules to embed freezing and programmable controls into their AML/CFT frameworks.

Third, FATF explicitly endorses issuer-level controls. Freezing renders stablecoins economically immobilised on-chain. Deny-listing blocks specific wallet addresses from transacting. These are framed as tools capable of disrupting illicit flows where intermediaries are absent. The report notes that freezing can be applied even where wallet holders are unidentified, making it a blunt but effective intervention when attribution is incomplete.

Where Teams Commonly Misread This Report

The first mistake is dismissing it as a non-EU document. FATF recommendations are the global baseline that EU legislation transposes. Regulation (EU) 2023/1113 (the Transfer of Funds Regulation, or TFR) and MiCA both explicitly align with FATF standards. When FATF shifts emphasis, EU supervisory expectations eventually follow. The EBA and ESMA have already cited FATF guidance in their technical standards under MiCA. A firm that reads this report as advisory only is misreading the direction of supervisory travel.

The second mistake is assuming the report only applies to stablecoin issuers. It does not. FATF addresses the entire ecosystem: issuers, exchanges, custodians, and entities that facilitate secondary-market transfers. If your platform allows users to send or receive stablecoins, you are within scope. If your bank provides fiat on-ramp or off-ramp services for stablecoin activity, you are within scope.

The third mistake is treating “unhosted wallet” exposure as a binary compliance question (allow or block). FATF is asking for something more granular: risk-based controls that account for the specific ML/TF risks of P2P stablecoin transfers, not just a blanket policy on self-hosted wallets.

How This Intersects with MiCA and the Transfer of Funds Regulation

MiCA and Stablecoin Issuer Obligations

Regulation (EU) 2023/1114 (MiCA) creates a licensing and supervisory framework for asset-referenced tokens (ARTs) and e-money tokens (EMTs), which are the EU’s regulatory categories for most stablecoins. MiCA already imposes requirements on issuers: authorisation, reserve management, redemption rights, and governance standards.

What MiCA does not do, at least not yet, is mandate issuer-level programmable AML controls like freezing or deny-listing. The FATF report fills that gap by framing these as good practice. Expect the EBA and national competent authorities to start asking stablecoin issuers whether they have the technical capability to freeze tokens on-chain. The question is moving from “can you do this?” to “why haven’t you?”

For issuers authorised in Luxembourg under CSSF supervision, this has practical implications. CSSF has historically been explicit about expecting firms to demonstrate that their AML/CFT controls are proportionate to the risks of their products. If your stablecoin can be transferred P2P through unhosted wallets and you have no on-chain mechanism to intervene when required, that proportionality argument becomes difficult to sustain.

The Transfer of Funds Regulation and Unhosted Wallet Transfers

Regulation (EU) 2023/1113 extends the travel rule to crypto-asset transfers. CASPs must collect and transmit originator and beneficiary information for transfers above EUR 1,000. For transfers below EUR 1,000, CASPs must still verify that the originator or beneficiary is not subject to sanctions or restrictive measures.

The TFR already treats unhosted wallet transfers with specific scrutiny. Under Article 14, when a CASP transfers crypto-assets to or from a wallet not hosted by a CASP (an unhosted wallet), additional measures apply. For transfers exceeding EUR 1,000, the CASP must verify the identity of the person controlling the unhosted wallet and assess whether the wallet is associated with the customer.

The FATF report reinforces why those rules exist. P2P stablecoin transfers via unhosted wallets are exactly the scenario where traditional AML gatekeeping breaks down. The real challenge for compliance teams is not the EUR 1,000 threshold itself. It is the volume of smaller transfers that individually fall below the threshold but collectively represent significant exposure. FATF’s emphasis on the secondary-market gap suggests supervisors will scrutinise how CASPs aggregate and monitor sub-threshold activity involving stablecoins and unhosted wallets.

The Upcoming EU AML Package

The EU AML package, including the Anti-Money Laundering Regulation (AMLR) and the sixth Anti-Money Laundering Directive (AMLD6), brings CASPs under the same AML/CFT obligations as banks and other financial institutions. The new Anti-Money Laundering Authority (AMLA), based in Frankfurt, will have direct supervisory powers over the highest-risk obliged entities, including CASPs meeting certain thresholds.

The FATF report gives AMLA and national supervisors a clear reference point. Firms that cannot demonstrate risk-based controls for stablecoin P2P exposure will face questions during their first supervisory engagement under the new framework. The transition period is narrowing.

Practical Implications for EU Compliance Teams

Reassessing Stablecoin Risk Ratings

Most firm-wide risk assessments still treat “crypto-assets” as a single category. The FATF report makes clear that stablecoins carry a distinct and higher risk profile compared to volatile crypto-assets like Bitcoin or Ether. Stablecoins are preferred for illicit purposes precisely because they maintain a stable value, enabling storage and transfer of value without the price volatility that makes other crypto-assets inconvenient for laundering.

Risk assessments should differentiate between stablecoin types. An EMT authorised under MiCA with full reserves held at an EU credit institution presents a different risk profile from a stablecoin issued outside the EU with opaque reserve backing. The FATF report does not make this distinction explicitly, but European supervisors will.

I see firms lump all stablecoins into the same risk bucket because they share the “stablecoin” label. That produces control frameworks that are either too restrictive for lower-risk tokens or too permissive for higher-risk ones. The operational fix is straightforward: separate risk scoring for regulated versus unregulated stablecoins, with enhanced due diligence triggers for unregulated tokens linked to high-risk jurisdictions.

Governance Around Freezing and Deny-Listing

If you issue a stablecoin or operate a platform that interfaces with stablecoin issuers, FATF is telling you to build governance around programmable controls. This does not mean implementing a freeze button and waiting for law enforcement requests. It means having a documented process for: when freezing can be initiated, who authorises it, how it interacts with redemption obligations under MiCA, and how you handle disputes.

Circle’s late March 2026 freeze of USDC across 16 operational wallets, apparently linked to a sealed US civil case, illustrates the risk of getting governance wrong. Some of the frozen wallets appeared to be ordinary business wallets. Five were later unfrozen after public scrutiny. Without clear governance, freezing becomes a liability risk rather than a compliance tool.

For EU firms, the intersection with MiCA’s redemption requirements (Article 49 for EMTs) creates a specific tension. An EMT issuer must redeem tokens at par value at any time. If the same issuer freezes tokens based on a law enforcement request, the holder’s redemption rights are effectively suspended. The legal basis for that suspension needs to be explicit. “We froze because FATF said it’s good practice” is not a legal basis.

Monitoring P2P and Secondary-Market Activity

The FATF report’s focus on secondary-market P2P transfers creates a practical monitoring challenge. CASPs can monitor on-platform activity. They cannot directly monitor what happens after a customer withdraws stablecoins to an unhosted wallet. But supervisors will increasingly expect firms to use blockchain analytics to assess post-withdrawal patterns.

At a minimum, compliance teams should be monitoring: whether customer withdrawals to unhosted wallets are followed by rapid P2P redistribution patterns, whether the receiving addresses are associated with known illicit activity, and whether customers are structuring withdrawals to avoid the EUR 1,000 TFR threshold.

I work with transaction monitoring systems that were built for traditional payment flows. Adapting them for on-chain stablecoin analytics is not a configuration change. It requires integration with blockchain analytics providers and rules that account for the speed and finality of on-chain transfers. Firms that have not started this integration are behind.

Suspicious Transaction Reporting

The FATF report will likely increase supervisory expectations around STR quality for stablecoin-related activity. In Luxembourg, STRs are filed with the Cellule de Renseignement Financier (CRF) via goAML. The existing framework does not need to change. What changes is the specificity supervisors will expect in STR narratives involving stablecoins.

A common weakness in crypto-related STRs is vague language about “suspicious patterns” without operational detail. Supervisors will expect STRs to identify: the specific stablecoin involved, whether the transfer was on-chain P2P or through a CASP, the blockchain analytics evidence supporting the suspicion, and the customer’s stated rationale for using an unhosted wallet. Filing a defensible STR for stablecoin activity requires blockchain forensics capability, not just rules-based alert generation.

Luxembourg Angle

Luxembourg has a growing CASP population under CSSF supervision. The CSSF’s 2026 supervisory priorities for the investment fund sector, published on 31 March 2026, flagged DORA and liquidity as primary focus areas. Crypto-asset supervision was not highlighted in that particular document, but the CSSF has been active in the crypto-AML space. Its annual AML/CFT data collection exercise, which requires CASPs and other obliged entities to report detailed data on their AML frameworks, already includes questions on crypto-asset exposure and unhosted wallet policies.

For Luxembourg-based CASPs and banks with crypto exposure, the FATF report reinforces what CSSF has been signalling: that stablecoin activity requires controls that go beyond generic crypto-asset policies. The CSSF’s approach has been to evaluate proportionality at the product level, not the entity level. A firm that offers stablecoin custody and transfer services will face different supervisory expectations than one that only provides crypto-to-fiat exchange for volatile assets.

The CSSF also participates in the EBA’s work on AML/CFT technical standards for CASPs under MiCA. Firms supervised in Luxembourg should expect the CSSF to integrate FATF’s stablecoin-specific findings into their supervisory engagement within the next 12 months.

What This Report Does Not Mean

It does not mean EU firms must immediately implement on-chain freezing capability. FATF recommendations are not self-executing law. EU legislation determines what is legally required, and the current MiCA and TFR texts do not mandate issuer-level freezing.

It does not mean unhosted wallets are prohibited or that firms should block all transfers to self-hosted wallets. The TFR explicitly contemplates transfers to unhosted wallets and sets out specific conditions, not a ban. FATF’s report is about the risks of P2P transfers, not about eliminating self-custody.

It does not mean that stablecoins are inherently higher risk than cash. The report documents that stablecoins are increasingly used for illicit flows, but it also acknowledges their legitimate uses. The 84% figure from Chainalysis measures the share of illicit crypto activity that uses stablecoins, not the share of stablecoin activity that is illicit. Compliance teams should be careful not to conflate the two.

Where EU Supervisory Expectations Are Heading

The FATF report is a signal, not a surprise. ESMA and the EBA are developing Level 2 measures under MiCA that will operationalise many of these expectations. The EBA’s draft regulatory technical standards on enhanced due diligence for high-risk transactions already reference FATF typologies. AMLA’s operational launch will add another layer of supervisory coordination.

Firms should prepare for: stablecoin-specific questions in supervisory reviews, expectations around blockchain analytics integration, enhanced scrutiny of unhosted wallet policies, and governance frameworks for any on-chain intervention capabilities. The firms that treat this report as a roadmap rather than a footnote will be better positioned when the supervisory conversations start.

Related Articles

MiCA Reporting Obligations for CASPs and Token Issuers – What MiCA requires from crypto-asset service providers and token issuers in terms of ongoing reporting and disclosures.

The EU AML Regulation – What Changes for Luxembourg – How the new Anti-Money Laundering Regulation reshapes obligations for Luxembourg-based financial institutions.

AML Reporting in Luxembourg – Practical guide to STR filing, goAML, and AML reporting obligations for Luxembourg obliged entities.

CARF Crypto Tax Reporting – The OECD’s Crypto-Asset Reporting Framework and its implications for crypto-asset service providers.

CSSF AML/CFT Data Collection 2026 – What the CSSF’s annual AML data collection exercise requires and how to prepare.

Sources and References

FATF, “Targeted Report on Stablecoins and Unhosted Wallets – Peer-to-Peer Transactions,” 3 March 2026. https://www.fatf-gafi.org/en/publications/Virtualassets/targeted-report-stablecoins-unhosted-wallets.html

Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1114

Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets (recast) (TFR). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1113

FATF, “Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers,” October 2021. https://www.fatf-gafi.org/en/publications/Fatfrecommendations/guidance-rba-virtual-assets-2021.html

Chainalysis, “Assessing the FATF Targeted Report: The Shift Toward Secondary Market Monitoring for Stablecoins,” March 2026. https://www.chainalysis.com/blog/fatf-targeted-report-secondary-market-monitoring-stablecoins-march-2026/

CSSF, “The CSSF’s 2026 priorities for supervising the investment fund sector,” 31 March 2026. https://www.cssf.lu/en/2026/03/the-cssfs-2026-priorities-for-supervising-the-investment-fund-sector/

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.