VASPs, Cryptoassets, and Related Products

The VASP Framework and the Travel Rule

A virtual asset service provider (VASP) is any business that exchanges virtual assets for fiat or other assets, transfers virtual assets, or provides custody. The Financial Action Task Force brought VASPs into AML scope through Recommendation 15 in 2018-2019 and applies the Recommendation 16 'Travel Rule' to virtual asset transfers. Under the Travel Rule, the originating VASP must collect and transmit originator and beneficiary information — name, account/wallet identifier, and originator address or ID — on transfers at or above USD/EUR 1,000, and must apply the same logic to linked transactions that aggregate to USD 1,000.

Key vocabulary the exam expects: a hosted wallet is custodied by a VASP that performs KYC; an unhosted (self-custody) wallet is controlled directly by a user and presents counterparty-risk and Travel Rule challenges because there is no obliged institution on the other side. Stablecoins (fiat-pegged tokens) and DeFi (decentralized finance) protocols extend this risk further.

This material sits in Understanding the Risks and Methods of Financial Crime on the CAMS blueprint. Recall the exam mechanics: 120 questions, 3.5 hours, passing score of 75, no guessing penalty, delivered by Pearson VUE. Questions ask you to apply the Travel Rule threshold or pick the right control, not just define a term.

Obfuscation Typologies and Red Flags

Launderers use technical methods to break the link between a wallet and a real identity. Match each method to its purpose:

Red flags include: deposits immediately routed to or from a mixer, transactions just below the USD 1,000 Travel Rule line, structuring across many freshly created wallets, conversions into privacy coins, use of a virtual private network (VPN) or Tor to mask geography during onboarding, and a sudden spike in transfers to a sanctioned or high-risk jurisdiction. Wallet exposure to ransomware, darknet markets, or sanctioned mixers is a strong suspicious indicator even when the customer's own behavior looks routine.

Controls and Blockchain Analytics

The blockchain's transparency is a control asset, not only a risk. Blockchain analytics firms label addresses, cluster wallets controlled by one entity, and score the risk of incoming and outgoing exposure, letting a VASP trace funds that pseudonymous addresses might appear to hide. A risk-based VASP program combines:

• KYC at onboarding plus ongoing CDD, with EDD for high-value or high-risk-geography users.
• Travel Rule compliance via interoperable messaging protocols so originator/beneficiary data accompanies transfers at or above USD/EUR 1,000.
• Wallet screening against sanctions lists and known illicit-address databases (OFAC has designated specific wallet addresses and mixers).
• Transaction monitoring tuned to mixer exposure, chain-hopping velocity, and structuring across new wallets.
• Counterparty assessment distinguishing VASP-to-VASP transfers (another obliged institution) from transfers to unhosted wallets.

Worked scenario: A customer receives crypto from a wallet that analytics flags as having direct exposure to a sanctioned mixer, then attempts to off-ramp to fiat the same day. The CAMS-correct action is to halt the withdrawal pending review, document the analytics finding, escalate for a possible sanctions and suspicious-activity report, and screen the counterparty — not to release funds because the customer passed KYC at onboarding. Onboarding identity does not cleanse tainted source funds.

DeFi, Stablecoins, NFTs, and Exam Pitfalls

The virtual-asset frontier extends well beyond exchanges. Decentralized finance (DeFi) protocols let users lend, swap, and earn yield through smart contracts with no obvious intermediary, raising the question of who, if anyone, is the obliged VASP — FATF guidance looks to the persons who maintain control or sufficient influence over the protocol. Stablecoins pegged to fiat are attractive for layering because they combine crypto's speed with price stability, and large issuers now sit squarely within sanctions and freezing expectations.

Non-fungible tokens (NFTs) and tokenized assets can be used for wash trading: a launderer sells an NFT to a wallet they also control at an inflated price to fabricate clean proceeds.

The exam reliably tests a few crisp facts and distinctions. Know that the Travel Rule threshold is USD/EUR 1,000, not the USD 10,000 bank cash figure — mixing these up is a classic error. Know the difference between a hosted wallet (a VASP performs KYC) and an unhosted/self-custody wallet (no obliged counterparty), because the correct control differs. Recognize that OFAC has sanctioned specific wallet addresses and mixing services, so screening must extend to on-chain identifiers, not only names.

Common traps: believing pseudonymity makes blockchain untraceable (analytics and address clustering frequently defeat it); assuming a privacy coin or a single mixer hop is automatically illegal rather than a heightened-risk indicator to investigate; and releasing funds simply because the account holder is verified, when the source of the funds is tainted.

A CAMS-ready answer separates customer identity from transaction provenance, applies the USD/EUR 1,000 Travel Rule trigger correctly, treats sanctioned-address exposure as a hard stop, and reaches for proportionate escalation — documenting the analytics evidence — rather than either ignoring the flag or taking an action (like converting to a privacy coin) that would itself obscure the trail.