FATF Recommendation 15 Explained: What Sri Lanka's Crypto Industry Needs to Know in 2026
By the Digital Asset Intelligence Team, CeylonCash
Introduction
As Sri Lanka moves closer to establishing a formal regulatory framework for Virtual Asset Service Providers (VASPs), understanding the global standards behind these regulations has become essential.
While many discussions focus on licensing, KYC, or the Travel Rule, they all originate from one source: Recommendation 15 issued by the Financial Action Task Force (FATF).
Recommendation 15 is not a law. It does not regulate crypto businesses directly. Instead, it serves as the global blueprint that countries use when designing their own anti-money laundering (AML) and counter-terrorism financing (CFT) regulations for the virtual asset industry.
With Sri Lanka recently passing significant amendments to its AML/CFT legislation and progressing toward a VASP framework, understanding Recommendation 15 is no longer optional for exchanges, wallet providers, payment companies, custodians, and fintech startups.
This guide explains what Recommendation 15 means, why it matters, and how Sri Lankan businesses should prepare.
What is FATF?
The Financial Action Task Force (FATF) is an international organization established in 1989 to develop global standards against:
- Money Laundering (AML)
- Terrorist Financing (CFT)
- Proliferation Financing
Unlike many regulators, FATF does not issue licenses or regulate businesses directly.
Instead, it sets international standards that member countries commit to implementing through their own legislation.
Today, almost every country's crypto regulations are influenced by FATF recommendations.
Why Recommendation 15 Changed Crypto Forever
Before 2018, FATF's Recommendation 15 primarily addressed risks associated with new financial technologies.
In 2018, FATF officially expanded Recommendation 15 to include:
- Virtual Assets (VA)
- Virtual Asset Service Providers (VASPs)
This single change brought cryptocurrencies into the global AML/CFT framework.
Since then, countries around the world have been required to regulate crypto businesses similarly to banks and financial institutions.
Recommendation 15 in Simple Terms
Recommendation 15 requires countries to:
- Identify risks associated with crypto assets
- Regulate businesses providing crypto services
- Supervise those businesses
- Apply AML/CFT controls
- Implement customer due diligence
- Report suspicious transactions
- Introduce the Travel Rule
- Maintain ongoing supervision
Rather than creating one specific crypto law, Recommendation 15 establishes the foundation upon which crypto regulation is built.
What is a Virtual Asset?
According to FATF, a Virtual Asset is:
A digital representation of value that can be digitally traded, transferred, or used for payment or investment.
This definition includes:
- Bitcoin
- Ethereum
- Stablecoins
- Utility tokens used for payments
- Investment tokens
It generally excludes:
- Fiat currency
- Central Bank Digital Currencies (CBDCs)
- Traditional securities already regulated under financial laws
The important point is that FATF focuses on how an asset functions, not what it is called.
Calling something a "utility token" does not automatically remove it from regulation.
What is a VASP?
A Virtual Asset Service Provider (VASP) is any business that performs crypto-related services on behalf of customers.
Common examples include:
- Cryptocurrency exchanges
- Custodial wallet providers
- Crypto payment processors
- OTC trading desks
- Crypto custody providers
- Businesses facilitating crypto transfers
- Companies participating in token issuance
Simply developing blockchain software does not automatically make a company a VASP.
The determining factor is whether the business controls or manages customer assets as part of its services.
Why VASP Classification Matters
Being classified as a VASP triggers numerous regulatory obligations.
These include:
- Licensing or registration
- AML compliance programs
- KYC
- KYB
- Transaction monitoring
- Wallet screening
- Suspicious transaction reporting
- Travel Rule compliance
- Independent audits
- Record keeping
For businesses, the question is no longer:
"Do we deal with crypto?"
Instead, it becomes:
"Are we performing regulated VASP activities?"
FATF Compliance Is Much More Than KYC
Many businesses mistakenly believe that implementing customer verification completes their compliance journey.
In reality, KYC is only one component.
A FATF-aligned compliance program includes:
Risk Assessment
Understanding risks associated with:
- Customers
- Products
- Countries
- Transactions
- Blockchain exposure
Customer Due Diligence
Verifying:
- Identity
- Beneficial ownership
- Source of funds where required
- Customer risk level
Transaction Monitoring
Monitoring customer behavior after onboarding.
Questions include:
- Are transactions unusual?
- Is activity inconsistent?
- Are high-risk wallets involved?
Blockchain Analytics (KYT)
Crypto introduces risks traditional finance cannot detect.
Businesses increasingly use blockchain analytics to identify exposure to:
- Sanctioned wallets
- Mixers
- Darknet markets
- Scam wallets
- Terrorist financing
- Fraud networks
- Stolen funds
This is where Know Your Transaction (KYT) becomes essential.
Sanctions Screening
Businesses must screen:
- Customers
- Wallets
- Counterparties
against global sanctions lists.
Suspicious Transaction Reporting
When suspicious activity is identified, businesses must report it to the relevant Financial Intelligence Unit (FIU).
Record Keeping
Documentation must be maintained for regulatory review.
This includes:
- Customer files
- Risk assessments
- Transaction history
- Investigation notes
Understanding the Travel Rule
The Travel Rule often receives the most attention.
However, it represents only one section of Recommendation 15.
The Travel Rule requires regulated VASPs to exchange information about:
- Sender
- Recipient
- Originating VASP
- Beneficiary VASP
when transferring virtual assets between regulated entities.
The objective is to provide law enforcement and regulators with information similar to traditional bank wire transfers.
Recommendation 15 Is Not the Law
One of the biggest misconceptions is believing FATF regulations are directly enforceable.
They are not.
Instead:
FATF Recommendations
↓
National Legislation
↓
Local Regulators
↓
Business Compliance
Every country implements Recommendation 15 differently.
Examples include:
- European Union through MiCA, AMLR, and the Transfer of Funds Regulation
- United States through FinCEN and the Bank Secrecy Act
- United Kingdom through the FCA
- Singapore through the Payment Services Act
- UAE through VARA and federal AML legislation
Sri Lanka will similarly develop its own implementation aligned with FATF expectations.
What This Means for Sri Lanka
Sri Lanka has already begun strengthening its AML/CFT framework.
Recent developments include:
- Amendments to the Prevention of Money Laundering Act
- Amendments to the Financial Transactions Reporting Act
- Amendments to Counter Terrorism Financing legislation
- Ongoing work toward regulating Virtual Asset Service Providers
- Increased focus on FATF Mutual Evaluation readiness
These developments indicate that crypto businesses should begin preparing now rather than waiting for licensing regulations to be finalized.
Practical Steps for Sri Lankan Crypto Businesses
Businesses operating in Sri Lanka should consider preparing by:
- Conducting an enterprise-wide AML risk assessment
- Identifying whether they qualify as a VASP
- Implementing KYC and KYB procedures
- Introducing blockchain transaction monitoring
- Screening wallets against sanctions and illicit activity
- Preparing for Travel Rule implementation
- Creating internal AML policies
- Appointing a compliance officer
- Maintaining comprehensive audit trails
- Training employees on AML/CFT obligations
Preparation today will significantly reduce future compliance costs.
The Role of Blockchain Analytics
Traditional AML systems were designed for banks.
Crypto requires additional visibility into blockchain transactions.
Modern blockchain analytics platforms help organizations:
- Assess wallet risk
- Identify exposure to illicit funds
- Monitor transaction behavior
- Support Suspicious Transaction Reports (STRs)
- Demonstrate compliance during audits
As regulation evolves, blockchain intelligence is becoming a core component of crypto compliance.
Final Thoughts
Recommendation 15 has become the global foundation for crypto regulation.
Whether a company operates an exchange, payment gateway, custody solution, OTC desk, or fintech platform, understanding these standards is essential.
For Sri Lanka, the direction is becoming increasingly clear. The country is aligning with international AML/CFT expectations while developing its own framework for regulating virtual asset service providers.
Rather than viewing compliance as a regulatory burden, businesses should see it as an investment in trust, institutional readiness, and long-term growth.
Organizations that build strong governance, effective AML controls, and transparent operations today will be better positioned to work with banks, institutional partners, regulators, and international markets tomorrow.
About DAIT
The Digital Asset Intelligence Team (DAIT) by CeylonCash is a research and intelligence initiative focused on virtual asset regulation, blockchain investigations, AML/CFT compliance, and digital asset policy in Sri Lanka. Through research papers, regulatory analysis, technical guides, and industry insights, DAIT aims to bridge the gap between policymakers, financial institutions, regulators, and the digital asset ecosystem while supporting the responsible growth of Web3 in Sri Lanka.