Virtual Assets 101 — VASPs, Wallets & the Travel Rule *(OUTLINE + BULLET BODY)*

What unsettles compliance teams about crypto is that the value moves without a bank in the middle. There's no correspondent, no SWIFT message, no familiar paper trail — just a string of characters and a public ledger most people can't read. The reassuring part, and the part the CAMS® exam rewards, is that the rules didn't get thrown out. FATF took the same standards that govern banks and mapped them onto crypto — same risk-based approach, same customer due diligence, same Travel Rule, just running on different rails. This lecture builds your vocabulary: what a virtual asset is, who a VASP is, the all-important hosted-versus-unhosted wallet distinction, and the Travel Rule for crypto under FATF Recommendation 16.

- **FATF definition:** a **virtual asset (VA)** is a **digital representation of value that can be digitally traded or transferred and used for payment or investment** — and that is **not** a digital representation of fiat currency, securities, or other financial assets already covered elsewhere in the FATF standards. Source: FATF Glossary; **FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs (2021)**. - Examples in scope: Bitcoin, Ether, and most tokens used as payment or investment. The term is **technology-neutral** — FATF describes the function (digital value transferable for payment/investment), not a specific coin. - **Out of scope as "VAs":** central bank digital currencies (CBDCs are treated as fiat) and digital representations of already-regulated securities. Know that the label depends on **function**, not the word "crypto." - Key risk features: **pseudonymity** (addresses aren't names), **speed and borderlessness** (settlement in minutes, globally), and **disintermediation** (no bank gatekeeper by default).

- **FATF definition of a VASP:** any natural or legal person who, as a business, conducts one or more of these activities **for or on behalf of another person**: (1) **exchange** between virtual assets and fiat; (2) **exchange** between one or more forms of virtual assets; (3) **transfer** of virtual assets; (4) **safekeeping/administration** of virtual assets or instruments enabling control over them (custody); and (5) **participation in and provision of financial services related to an issuer's offer/sale** of a virtual asset. - Plain English: centralized **exchanges**, **custodial wallet providers**, and crypto **transfer/brokerage** services are VASPs. They are the regulated chokepoints — the "banks" of the crypto world. - FATF says VASPs must be **licensed or registered**, **supervised**, and must apply the **full AML/CFT toolkit**: risk-based approach, CDD, recordkeeping, suspicious-transaction reporting, sanctions screening, and the Travel Rule. - In the U.S., many VASPs are **money services businesses (MSBs)** under FinCEN guidance (2013 and 2019), so they must **register with FinCEN** and run a BSA program. Naming the source: **FinCEN 2019 guidance on convertible virtual currencies**.

- A **wallet** holds the cryptographic **private keys** that control virtual assets. "Not your keys, not your coins" — control of the keys = control of the funds. - **Hosted / custodial wallet:** a **VASP holds the private keys** on the customer's behalf (like a bank holding your deposit). Because a regulated intermediary is in the middle, the VASP can do **KYC**, monitor, screen, and apply the Travel Rule. **Higher visibility, lower anonymity.** - **Unhosted / self-hosted / self-custody wallet:** the **user holds their own private keys**, with no intermediary. There's no VASP to perform CDD on the wallet itself. **Lower visibility, higher anonymity** — a key red-flag context. - **Risk point:** transfers between a VASP and an **unhosted wallet** are a recognized higher-risk scenario, because the counterparty isn't a CDD'd customer of any institution. FATF expects VASPs to apply **enhanced measures** (e.g., collecting/verifying unhosted-wallet counterparty information on a risk basis) for such transactions. - Exam cue: "**unhosted wallet**" / "**self-custody**" / "**private key held by the user**" signals reduced transparency and elevated risk.

- **FATF Recommendation 16 — the "Travel Rule"** — originally written for wire transfers, was **extended to virtual asset transfers** in 2019. It requires VASPs to **obtain, hold, and transmit required originator and beneficiary information** when sending virtual assets. - Required information broadly mirrors wires: **originator (sender) name, account/wallet identifier, and physical/other identifying info**, plus **beneficiary (recipient) name and account/wallet identifier** — passed to the **beneficiary VASP** alongside the transfer. - FATF applies the Travel Rule to VA transfers **at or above a de minimis threshold of USD/EUR 1,000** (countries may set lower); below that, reduced information may apply but VASPs still collect names and wallet identifiers. - This is **VASP-to-VASP**: the obligation runs between regulated providers. It cannot force an **unhosted wallet** to transmit data — which is exactly why unhosted-wallet transactions are flagged as higher risk and handled with extra diligence. - **Implementation challenge — the "sunrise issue":** countries adopted the rule at different times, so a VASP in a compliant jurisdiction may transact with a counterparty in a non-compliant one. Industry messaging standards (the broad concept of interoperable Travel Rule protocols) emerged to pass the data. Know the *concept*: standardized, secure exchange of originator/beneficiary data between VASPs. - Tie-back: this is the **same Travel Rule idea** as the BSA funds-transfer rule from Lecture 31 ($3,000 for wires) — FATF Recommendation 16 is the international standard; the crypto extension just applies it to virtual-asset rails (≈ $1,000 de minimis).

- FATF treats virtual assets under the **same risk-based approach** as everything else: identify and assess the risk, then apply proportionate controls. New technology does **not** mean new principles. - VASPs must be **registered/licensed and supervised**, conduct **CDD**, **screen against sanctions lists** (OFAC and others), **monitor** for suspicious activity, **report** it, and comply with the **Travel Rule**. - FATF's guidance also covers **stablecoins**, **peer-to-peer (P2P) transactions**, and **decentralized arrangements** — flagging that activity moving **outside** regulated VASPs (true P2P, some DeFi) is a coverage gap, which we'll dig into next lecture.

Strip away the jargon and Domain 6 starts to feel familiar. A virtual asset is a digital representation of value transferable for payment or investment; a VASP is a business that exchanges, transfers, or custodies it for others — and FATF expects VASPs to act like regulated financial institutions, with licensing, CDD, screening, and reporting. The one distinction to over-learn is hosted versus unhosted: when a VASP holds the keys, you get transparency and the Travel Rule works; when the user holds their own keys, transparency drops and risk rises. And the crypto Travel Rule — FATF Recommendation 16, extended to VAs in 2019, roughly a thousand-dollar threshold — forces sender and recipient information to travel between VASPs. Next, we look at how launderers actually exploit these rails: mixers, chain-hopping, peel chains, DeFi, privacy coins, and NFT wash trading.