Photo by Harshit Suryawanshi / Unsplash

FATF Recommendation 15 Explained: What Sri Lanka's Crypto Industry Needs to Know in 2026

Jul 14, 2026

By the Digital Asset Intelligence Team, CeylonCash


Introduction

As Sri Lanka moves closer to establishing a formal regulatory framework for Virtual Asset Service Providers (VASPs), understanding the global standards behind these regulations has become essential.

While many discussions focus on licensing, KYC, or the Travel Rule, they all originate from one source: Recommendation 15 issued by the Financial Action Task Force (FATF).

Recommendation 15 is not a law. It does not regulate crypto businesses directly. Instead, it serves as the global blueprint that countries use when designing their own anti-money laundering (AML) and counter-terrorism financing (CFT) regulations for the virtual asset industry.

With Sri Lanka recently passing significant amendments to its AML/CFT legislation and progressing toward a VASP framework, understanding Recommendation 15 is no longer optional for exchanges, wallet providers, payment companies, custodians, and fintech startups.

This guide explains what Recommendation 15 means, why it matters, and how Sri Lankan businesses should prepare.


What is FATF?

The Financial Action Task Force (FATF) is an international organization established in 1989 to develop global standards against:

  • Money Laundering (AML)
  • Terrorist Financing (CFT)
  • Proliferation Financing

Unlike many regulators, FATF does not issue licenses or regulate businesses directly.

Instead, it sets international standards that member countries commit to implementing through their own legislation.

Today, almost every country's crypto regulations are influenced by FATF recommendations.


Why Recommendation 15 Changed Crypto Forever

Before 2018, FATF's Recommendation 15 primarily addressed risks associated with new financial technologies.

In 2018, FATF officially expanded Recommendation 15 to include:

  • Virtual Assets (VA)
  • Virtual Asset Service Providers (VASPs)

This single change brought cryptocurrencies into the global AML/CFT framework.

Since then, countries around the world have been required to regulate crypto businesses similarly to banks and financial institutions.


Recommendation 15 in Simple Terms

Recommendation 15 requires countries to:

  • Identify risks associated with crypto assets
  • Regulate businesses providing crypto services
  • Supervise those businesses
  • Apply AML/CFT controls
  • Implement customer due diligence
  • Report suspicious transactions
  • Introduce the Travel Rule
  • Maintain ongoing supervision

Rather than creating one specific crypto law, Recommendation 15 establishes the foundation upon which crypto regulation is built.


What is a Virtual Asset?

According to FATF, a Virtual Asset is:

A digital representation of value that can be digitally traded, transferred, or used for payment or investment.

This definition includes:

  • Bitcoin
  • Ethereum
  • Stablecoins
  • Utility tokens used for payments
  • Investment tokens

It generally excludes:

  • Fiat currency
  • Central Bank Digital Currencies (CBDCs)
  • Traditional securities already regulated under financial laws

The important point is that FATF focuses on how an asset functions, not what it is called.

Calling something a "utility token" does not automatically remove it from regulation.


What is a VASP?

A Virtual Asset Service Provider (VASP) is any business that performs crypto-related services on behalf of customers.

Common examples include:

  • Cryptocurrency exchanges
  • Custodial wallet providers
  • Crypto payment processors
  • OTC trading desks
  • Crypto custody providers
  • Businesses facilitating crypto transfers
  • Companies participating in token issuance

Simply developing blockchain software does not automatically make a company a VASP.

The determining factor is whether the business controls or manages customer assets as part of its services.


Why VASP Classification Matters

Being classified as a VASP triggers numerous regulatory obligations.

These include:

  • Licensing or registration
  • AML compliance programs
  • KYC
  • KYB
  • Transaction monitoring
  • Wallet screening
  • Suspicious transaction reporting
  • Travel Rule compliance
  • Independent audits
  • Record keeping

For businesses, the question is no longer:

"Do we deal with crypto?"

Instead, it becomes:

"Are we performing regulated VASP activities?"


FATF Compliance Is Much More Than KYC

Many businesses mistakenly believe that implementing customer verification completes their compliance journey.

In reality, KYC is only one component.

A FATF-aligned compliance program includes:

Risk Assessment

Understanding risks associated with:

  • Customers
  • Products
  • Countries
  • Transactions
  • Blockchain exposure

Customer Due Diligence

Verifying:

  • Identity
  • Beneficial ownership
  • Source of funds where required
  • Customer risk level

Transaction Monitoring

Monitoring customer behavior after onboarding.

Questions include:

  • Are transactions unusual?
  • Is activity inconsistent?
  • Are high-risk wallets involved?

Blockchain Analytics (KYT)

Crypto introduces risks traditional finance cannot detect.

Businesses increasingly use blockchain analytics to identify exposure to:

  • Sanctioned wallets
  • Mixers
  • Darknet markets
  • Scam wallets
  • Terrorist financing
  • Fraud networks
  • Stolen funds

This is where Know Your Transaction (KYT) becomes essential.


Sanctions Screening

Businesses must screen:

  • Customers
  • Wallets
  • Counterparties

against global sanctions lists.


Suspicious Transaction Reporting

When suspicious activity is identified, businesses must report it to the relevant Financial Intelligence Unit (FIU).


Record Keeping

Documentation must be maintained for regulatory review.

This includes:

  • Customer files
  • Risk assessments
  • Transaction history
  • Investigation notes

Understanding the Travel Rule

The Travel Rule often receives the most attention.

However, it represents only one section of Recommendation 15.

The Travel Rule requires regulated VASPs to exchange information about:

  • Sender
  • Recipient
  • Originating VASP
  • Beneficiary VASP

when transferring virtual assets between regulated entities.

The objective is to provide law enforcement and regulators with information similar to traditional bank wire transfers.


Recommendation 15 Is Not the Law

One of the biggest misconceptions is believing FATF regulations are directly enforceable.

They are not.

Instead:

FATF Recommendations

National Legislation

Local Regulators

Business Compliance

Every country implements Recommendation 15 differently.

Examples include:

  • European Union through MiCA, AMLR, and the Transfer of Funds Regulation
  • United States through FinCEN and the Bank Secrecy Act
  • United Kingdom through the FCA
  • Singapore through the Payment Services Act
  • UAE through VARA and federal AML legislation

Sri Lanka will similarly develop its own implementation aligned with FATF expectations.


What This Means for Sri Lanka

Sri Lanka has already begun strengthening its AML/CFT framework.

Recent developments include:

  • Amendments to the Prevention of Money Laundering Act
  • Amendments to the Financial Transactions Reporting Act
  • Amendments to Counter Terrorism Financing legislation
  • Ongoing work toward regulating Virtual Asset Service Providers
  • Increased focus on FATF Mutual Evaluation readiness

These developments indicate that crypto businesses should begin preparing now rather than waiting for licensing regulations to be finalized.


Practical Steps for Sri Lankan Crypto Businesses

Businesses operating in Sri Lanka should consider preparing by:

  • Conducting an enterprise-wide AML risk assessment
  • Identifying whether they qualify as a VASP
  • Implementing KYC and KYB procedures
  • Introducing blockchain transaction monitoring
  • Screening wallets against sanctions and illicit activity
  • Preparing for Travel Rule implementation
  • Creating internal AML policies
  • Appointing a compliance officer
  • Maintaining comprehensive audit trails
  • Training employees on AML/CFT obligations

Preparation today will significantly reduce future compliance costs.


The Role of Blockchain Analytics

Traditional AML systems were designed for banks.

Crypto requires additional visibility into blockchain transactions.

Modern blockchain analytics platforms help organizations:

  • Assess wallet risk
  • Identify exposure to illicit funds
  • Monitor transaction behavior
  • Support Suspicious Transaction Reports (STRs)
  • Demonstrate compliance during audits

As regulation evolves, blockchain intelligence is becoming a core component of crypto compliance.


Final Thoughts

Recommendation 15 has become the global foundation for crypto regulation.

Whether a company operates an exchange, payment gateway, custody solution, OTC desk, or fintech platform, understanding these standards is essential.

For Sri Lanka, the direction is becoming increasingly clear. The country is aligning with international AML/CFT expectations while developing its own framework for regulating virtual asset service providers.

Rather than viewing compliance as a regulatory burden, businesses should see it as an investment in trust, institutional readiness, and long-term growth.

Organizations that build strong governance, effective AML controls, and transparent operations today will be better positioned to work with banks, institutional partners, regulators, and international markets tomorrow.


About DAIT

The Digital Asset Intelligence Team (DAIT) by CeylonCash is a research and intelligence initiative focused on virtual asset regulation, blockchain investigations, AML/CFT compliance, and digital asset policy in Sri Lanka. Through research papers, regulatory analysis, technical guides, and industry insights, DAIT aims to bridge the gap between policymakers, financial institutions, regulators, and the digital asset ecosystem while supporting the responsible growth of Web3 in Sri Lanka.