Virtual Asset Service Providers (VASPs) are considered higher-risk customers under FATF guidance due to their exposure to anonymity, speed of transactions, and cross-border activity. When onboarding a VASP, a financial institution must conduct a thorough risk assessment to determine whether the relationship aligns with its financial crime risk appetite.

Understanding the percentage of higher-risk clients served by the VASP is critical, as it indicates the level of exposure to illicit activity and the robustness of the VASP’s own risk management practices. A high concentration of higher-risk customers may significantly increase money laundering and terrorist financing risk.

Identifying which registered institutions act on behalf of the VASP, such as wallet providers or exchange operators, is also essential. Reliance on third parties introduces additional risk and requires assessment of those entities’ regulatory status and AML controls.

Finally, knowing who the VASP’s clients are, including the proportion of foreign versus domestic customers, is a core component of geographic and customer risk analysis. Cross-border exposure often elevates risk due to differing regulatory standards.

Data privacy practices and the use of central bank digital currencies, while relevant operational considerations, are not primary determinants of AML risk appetite decisions.