2025-12-08

Assessing national risks related to virtual assets

Indicators for Virtual Assets

This feature appears in the 2025 Basel AML Index Public Edition report. Download the full report and related resources.

Key takeaways

Understanding national risks linked to virtual assets is now essential, as their use has moved from niche to mainstream and is increasingly exploited for financial crime. 

Risk assessments are inherently challenging as (a) virtual assets are borderless by design, (b) large parts of the ecosystem fall outside regulation and (c) reliable national-level data remains limited. 

Illicit activity involving virtual assets does not take place in isolation: offenders exploit the same weaknesses – corruption, fraud, weak supervision and poor enforcement – that already undermine the wider financial system. 

The Basel AML Index provides valuable indicators to assess both a jurisdiction’s structural vulnerabilities and its capacity to counter threats related to financial crimes in general, including those related to virtual assets, even though it does not include a dedicated virtual assets risk indicator. 

Note: in this article we use the term virtual assets in line with the FATF’s definition of “any digital representation of value that can be digitally traded, transferred or used for payment”. The terms crypto, cryptoassets, digital assets, digital currencies, etc. form part of this loose family, though they are often defined differently in different contexts – a factor that also complicates risk assessments and data analysis.

Why assessing risks related to virtual assets matters 

Governments and private firms alike are under growing pressure to understand the risks associated with virtual assets. What was once a niche is becoming a mainstream part of financial markets and a common feature in all forms of financial crime.

As the virtual assets industry continues to mature, national authorities that lack a clear understanding of the risks find themselves on the back foot when drafting legislation, supervising market participants or countering financial crime.

For financial institutions, a clear picture of jurisdiction-level risk is essential for customer due diligence, transaction monitoring, calibrating controls and taking strategic decisions about where or where not to operate. Financial institutions that misjudge these risks leave themselves exposed to illicit finance, reputational harm and potential regulatory action.

Why jurisdiction-level risk assessments are difficult

1. A borderless system by design

Unlike bank accounts or trust funds, virtual asset wallets or addresses do not have a meaningful jurisdictional location. There is no crypto equivalent of “a bank account in Switzerland”. A wallet can be accessed anywhere and may be controlled by a person or entity whose location is unknown or easily obscured. Large parts of the virtual asset ecosystem also fall outside the boundaries of traditional financial regulation. Self-hosted wallets, peer-to-peer transfers, decentralised finance (DeFi) protocols and informal over-the-counter (OTC) brokers create pockets of activity that are largely invisible. Any jurisdiction-level assessment will inevitably be incomplete.

The activities of virtual asset service providers (VASPs) further complicate matters. A VASP may be established in one jurisdiction while primarily serving customers in another. In the absence of harmonised legislation or cooperation among supervisors, many operate across numerous markets with minimal physical presence or regulatory engagement.

2. Data is limited, patchy and uncertain

Reliable quantitative data on financial crime risks related to virtual assets at the national level is scarce. In addition to the issue of contrasting definitions and the technology’s borderless nature, several factors contribute to this lack.

First, commercial blockchain analytics providers publish broad indicators of virtual asset adoption and estimates of illicit usage. These can be helpful for spotting trends but require careful interpretation. They rely on estimates and proxies, including web traffic to exchanges or intermediaries, and do not provide precise amounts or reliably distinguish licit from illicit activity.

Second, it is reasonable to assume that where adoption rises, illicit activity will also increase, simply because criminals use the same infrastructure as legitimate users. However, such relationships cannot be measured with confidence.

Third, at the government level, many jurisdictions still lack a coordinated approach across authorities to collect, share and analyse statistics on money laundering and related financial crimes. In many jurisdictions, data on virtual assets is either not gathered consistently or not collected at all.

Without reliable data on virtual assets usage and risks, national risk assessments may become detached from real-world threats. The result: regulation and supervision that is either insufficient or unnecessarily burdensome.

How the Basel AML Index can be used

For the above reasons, the Basel AML Index does not offer a dedicated indicator for virtual assets. Nevertheless, the Index data is still useful because illicit activity involving virtual assets typically exploits the same underlying weaknesses that enable money laundering, corruption, fraud and other financial crimes in the traditional financial system. Where protections against fraud are weak, for example, where supervision is lacking or where enforcement of regulations is inconsistent or politically compromised, opportunities to misuse virtual assets for illegal purposes tend to expand.

Two components of risk 

In line with the holistic methodology of the Basel AML Index and most AML/CFT risk assessment frameworks, evaluating jurisdiction-level risk related to virtual assets centres on two elements:

a) vulnerability to the illicit use of virtual assets; and b) capacity to mitigate and respond to these threats. 

Relevant indicators

The following graphic highlights indicators of the Basel AML Index that are relevant for assessing either structural vulnerabilities that illicit actors may exploit, or a jurisdiction’s capacity to counter threats. These can be viewed individually in the Expert Edition.

Indicators visible in the Basel AML Index Edition that are particularly relevant to assessing national risks relating to virtual assets.

FATF data

Using the Expert Edition Plus subscription and its quantitative analysis of the latest FATF mutual evaluation and follow-up reports, Basel AML Index users can gain rapid insights into whether a jurisdiction’s AML/CFT framework provides it with the capacity to counter threats related to financial crimes generally, including those involving virtual assets. FATF Recommendations that may be highly relevant for this include:

  • R.15 (new technologies)
  • R.16 (payment transparency)
  • R.26 & 27 (regulation and supervision)
  • R.29–31 (law enforcement)
  • R.36–40 (international cooperation)

An additional useful source of information for jurisdiction-level risk assessments is the FATF’s 2025 Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers. This report summarises progress in implementing FATF Recommendation 15 by FATF members and additional jurisdictions with materially important global virtual asset activity. “Materially important” refers to the presence of large VASPs (accounting for more than 0.25 percent of global trading) and/or a large virtual asset user base.

Where to start

For jurisdictions at an early stage of assessing national risks related to virtual assets, the World Bank’s AML/CFT National Risk Assessment on Virtual Assets and Virtual Asset Service Providers: Guidance Manual (published in October 2025) is a strong starting point. It covers both threats and vulnerabilities, as well as the effectiveness of mitigation measures.

Additional useful resources include:

Back to all news