What the FATF's New Stablecoin Report Means for Builders and Compliance Teams

FATF recommendations have a pattern of becoming licensing conditions. This one will be no different.

The FATF’s Travel Rule went from recommendation to enforceable law within a few years in early-mover jurisdictions like Switzerland and Singapore. On March 3, FATF published the stablecoin equivalent - which means the clock has started.

FATF recommendations have a well-established pattern: they start as guidance, then waterfall into country-level regulations, licensing conditions, and enforcement priorities. We saw it with the Travel Rule, now passed into law in 73% of jurisdictions. We saw it with VASP registration requirements, where 90% of jurisdictions have now enacted or are enacting licensing frameworks. Stablecoin-specific requirements are next, and this report lays out exactly what they will look like. The Targeted Report on Stablecoins and Unhosted Wallets is the most significant stablecoin-focused compliance guidance to date. 

The builders who will define the next phase of the stablecoin market will be those who treat these recommendations as a foundational. The compliance architecture they design today is the one of the best competitive advantages to have at hand when, inevitably, the country-level requirements arrive.

What Triggered the FATF Response

The numbers explain why FATF acted now. As of mid-2025, over 250 stablecoins were in circulation with a combined market cap exceeding $300 billion. Stablecoin transaction volume reached $33 trillion in 2025, up 72% year over year. Stablecoins now represent 30% of all on-chain virtual asset transaction volume, and daily transfer volume has surpassed Bitcoin.

The same properties that make stablecoins powerful for legitimate use (speed, stability, availability, global reach) make them attractive for illicit use. For context, in 2020 Bitcoin accounted for roughly 70% of illicit crypto flows and stablecoins just 15%. Those positions have completely reversed in five years - and the FATF noticed. So did regulators worldwide. 

The Core Risk: Unhosted Wallets and P2P Transactions

FATF's sharpest focus is on the gap that peer-to-peer transactions create in the AML/CFT framework. When stablecoins move directly between unhosted wallets, no obliged intermediary is involved. That means no KYC, no suspicious transaction reporting, no travel rule compliance, no recordkeeping that regulators can audit. Regulators will want to close that gap, and likely sooner than most builders expect.

The report documents how threat actors are already exploiting this: layering transactions through multiple unhosted wallets, chain-hopping across blockchains, and using stablecoins like USDT on Tron to pay for prohibited goods without ever touching a regulated on- or off-ramp. The case studies include DPRK-linked groups, drug trafficking networks, and terrorist financing operations actively using stablecoin infrastructure.

What FATF Expects and What Builders Should Be Designing Now

The report identifies several controls that are likely to become regulatory requirements. Builders should be designing these into their systems now rather than retrofitting later:

Smart contract-level controls. FATF explicitly endorses allow-listing, deny-listing, freezing, and burn capabilities embedded directly in stablecoin smart contracts. Switzerland's approach of requiring unhosted wallet verification before allow-listing is highlighted as a model. These capabilities are significantly harder to implement once the architecture is set.

Enhanced due diligence for unhosted wallet interactions. Regulators in Singapore, Germany, and elsewhere are already requiring VASPs to verify wallet ownership, apply transaction limits, and conduct blockchain forensics before processing redemptions to unhosted wallets. Platforms that route or settle stablecoin flows will face similar expectations.

Blockchain analytics integration. The report encourages (and some jurisdictions already require) stablecoin issuers and intermediaries to use on-chain monitoring tools to detect exposure to high-risk addresses. This is rapidly becoming a baseline licensing expectation.

24/7 law enforcement contact capabilities. FATF recommends that stablecoin issuers maintain a dedicated, around-the-clock contact point for law enforcement to request expedited freezes. This is an operational infrastructure requirement that will take real engineering to stand up.

Compliance Architecture as Competitive Advantage

Most compliance teams in crypto are still operating reactively: waiting for final rules, then scrambling to retrofit. That approach worked when the regulatory surface was small. It does not work when FATF is signaling requirements across smart contract design, wallet verification, law enforcement cooperation, and cross-chain monitoring simultaneously – which is what has happened now.

The teams that will scale best when country-level rules land are the ones already building these controls into their architecture as core infrastructure from day one. These are design decisions that become exponentially harder to implement after launch.

At Sphere Labs, this is how we've approached infrastructure from the start. Our compliance architecture was designed to accommodate exactly the kind of controls this report describes, because the trajectory was clear well before the report was published. Few teams have had that runway, and it is part of why we believe compliance-native design will separate the projects that scale from those that stall.

The window to build proactively is open now. It will not stay open long.

The full FATF report is available here