FATF Flags Belgium’s Crypto Gaps: What VASPs Must Do Before the 3-Year Deadline

Belgium’s latest FATF mutual evaluation (2025) delivers a stark warning: despite some AML/CFT improvements since 2015, the country is failing to adequately oversee the crypto sector. The FATF found that no authority in Belgium is designated to license or supervise virtual asset service providers (VASPs), leaving this “very high-risk sector” essentially unsupervised. As a result, the detection of illicit activities involving crypto remains severely limited. FATF has directly recommended that Belgium “adopt, as soon as possible,” a legal framework to designate a competent authority for VASP licensing and supervision, addressing this glaring gap. The clock is now ticking: Belgium has been given 3 years to fix these issues, or face intensified scrutiny and potential further action. This article critically examines the FATF’s findings on Belgium’s crypto oversight, compares Belgium’s approach to its peers, and outlines what Belgian crypto firms should do now, not later, to meet global standards and build trust with regulators.

FATF’s 2025 Evaluation: Weak VASP Supervision in the Spotlight

In its December 2025 report, the FATF flagged major deficiencies in Belgium’s supervision of virtual assets, calling for urgent action. The most critical finding was the absence of any designated regulator to oversee and license VASPs. FATF noted that Belgium has “no authority” appointed to supervise VASPs, effectively leaving cryptocurrency exchanges, wallet providers, and other crypto businesses outside the normal perimeter of AML oversight. This lapse is especially alarming given that the FATF identifies virtual assets as a prominent and increasing risk area for money laundering and terrorist financing in Belgium. By failing to empower a competent authority over this sector, Belgium has been out of step with FATF Recommendation 15, which since 2019 explicitly requires countries to regulate and supervise VASPs. In fact, Belgium was rated “Non-Compliant” on this key Recommendation in the evaluation, a very poor mark that underscores the seriousness of the gap.

Importantly, Belgium did take some initial steps under EU law (5AMLD): a 2020 law introduced a registration requirement for VASPs and designated the FSMA (Financial Services and Markets Authority) as the supervisor for their AML obligations. However, the FATF’s assessment suggests this measure is insufficient. A mere registration regime, without a comprehensive licensing framework or proactive supervision, has not translated into effective oversight. FATF essentially views Belgium’s current setup as inadequate to manage the risks: the sector remains only lightly regulated and enforcement is minimal. The FATF has therefore urged Belgium to enact a robust legislative or regulatory framework to formally empower a VASP supervisory authority as soon as possible. In practice, this means Belgium needs to move from the passive registration system to an active licensing and supervision regime for crypto service providers, with clear authority and resources to monitor compliance.

FATF’s message is clear that time is of the essence. Following the mutual evaluation, Belgium was handed a roadmap of key actions to complete within three years, and establishing an effective VASP supervisory mechanism is at the top of the list. The country has been placed in “enhanced follow-up”, meaning FATF will closely track Belgium’s progress and could apply greater pressure if improvements falter. In FATF terms, failure to substantially address these gaps within the 3-year window could result in even more severe consequences, such as public identification of strategic deficiencies or inclusion on the FATF’s increased monitoring list (the “grey list”). Belgium cannot afford to delay; the next three years are essentially a countdown to either demonstrate credible reform or risk international reputational damage.

Beyond VASP Licensing: Other Crypto/AML Gaps Highlighted by FATF

While the lack of a VASP supervisor was the headline issue, FATF’s evaluation uncovered additional weaknesses in Belgium’s AML/CFT regime related to crypto and financial intelligence. These gaps further underscore why Belgian authorities and VASPs must step up their game:

• Limited Detection and Reporting of Crypto Misuse: The report found that Belgian authorities’ detection of illicit financial activity is “limited, particularly for […] virtual assets.” In practice, this suggests that suspicious transactions involving crypto are under-reported or under-identified. The quality and quantity of Suspicious Transaction Reports (STRs) from the crypto sector may not be commensurate with its risk. A weak reporting culture or lack of guidance can result in low-quality STRs that fail to give the FIU actionable intelligence. Improving the quality of STRs, especially from VASPs, is crucial so that red flags in crypto transactions are spotted and shared with authorities in a timely manner.
• Enforcement and Sanctions Are Lacking: FATF criticized Belgium’s supervisory authorities for an “very limited use of administrative sanctions” in AML enforcement. Even when violations occur, penalties or corrective actions are rare, and decisions are often unpublished, diluting any deterrence. This observation likely applies across sectors, including crypto: if VASPs (or other financial actors) are not being penalized for non-compliance, there is little incentive for them to toe the line. Weak enforcement undermines the credibility of the AML regime. FATF recommends strengthening the use of sanctions and publicly signaling consequences for non-compliance. For crypto businesses, this foreshadows that a tougher enforcement stance is looming: once a competent authority is in place, we can expect far more scrutiny and punitive actions for firms that flout AML rules.
• FIU Constraints and Communication Issues: Belgium’s Financial Intelligence Unit (CTIF) is a linchpin for analyzing STRs and disseminating leads, but FATF noted that the FIU’s technical tools are outdated and information-sharing is suboptimal. In particular, “the IT tools currently available to the FIU, and use of financial intelligence by competent authorities, are insufficient.”. This indicates that even when STRs are filed, the FIU may struggle to analyze large volumes or complex crypto-related data, and law enforcement may not be fully leveraging those financial intelligence reports. There may also be limited feedback from the FIU to reporting entities (like banks or VASPs) about STR quality. Overall, FATF’s findings suggest a need for better communication and technology to connect the dots: the FIU must be equipped to process crypto-related reports (which can be technically challenging), and it should coordinate more effectively with prosecutors and police so that leads turn into investigations. For VASPs, this could mean more engagement with the FIU, expect clearer guidance on how to report suspicious crypto transactions and more feedback if reports are deemed incomplete or low quality.

In summary, the FATF report paints a picture of a crypto AML ecosystem that is not yet firing on all cylinders in Belgium. There are regulatory gaps (no supervisor), enforcement gaps (almost no sanctions applied), and intelligence gaps (subpar STR reporting and FIU follow-through). These weaknesses compound each other, e.g., without a supervisor, VASPs may not even know how to comply properly, leading to poor STRs; without strong FIU capabilities, even good STRs might not be used effectively. The next section looks at how Belgium’s inertia on crypto oversight compares to other jurisdictions and upcoming regulations.

Belgium Lags Behind Peers (France, Lithuania) and EU’s MiCA Regime

Belgium’s slow progress in establishing a robust VASP oversight framework has left it behind some of its European peers and unprepared for new EU-wide rules. In contrast, countries like France and Lithuania have moved faster to regulate crypto services and integrate them into their AML supervision. For example, France has required crypto exchanges and custodians to register with the AMF (Financial Markets Authority) and comply with AML controls since 2019, and is now transitioning toward a full licensing regime for crypto service providers ahead of MiCA. Lithuania similarly tightened its laws in recent years, implementing strict licensing, minimum capital, and governance requirements for crypto companies, making its regime one of the more robust in Europe. These countries identified crypto’s risks early and acted, which not only earned them better marks in FATF evaluations but also fostered greater trust between regulators and the crypto industry.

Belgium, by comparison, is playing catch-up. As noted, it wasn’t until 2022 that Belgium even put basic AML requirements on crypto firms via FSMA registration. And crucially, Belgium delayed designating any single authority with an explicit crypto mandate. This stands in contrast to the expectations under the forthcoming EU Markets in Crypto-Assets (MiCA) regulation, which requires each member state to appoint national supervisors for crypto-asset service providers (CASPs) to handle licensing, supervision, and enforcement. MiCA was finalized in mid-2023 and became fully applicable across the EU on 30 December 2024, meaning the legal framework for comprehensive crypto regulation is now in place at the European level. Yet, while EU law applies directly, Belgium is still finalizing the domestic framework to assign supervision and licensing authority to the FSMA. In other words, even after MiCA’s effective date, Belgium hadn’t clearly empowered its regulators to issue licenses or oversee crypto businesses under the new regime.

This delay creates real competitive and compliance implications. Other EU jurisdictions are already attracting crypto firms by offering clear regulatory pathways (e.g. France’s AMF has granted dozens of registrations, Lithuania’s authority has issued licenses to exchanges, etc.). Belgian VASPs risk falling behind if they cannot demonstrate equivalent standards. Moreover, foreign CASPs will be able to “passport” their MiCA licenses across Europe; if Belgium doesn’t expedite its framework, domestic companies could be leapfrogged by incoming competitors who are MiCA-compliant and supervised elsewhere. The FATF evaluation’s criticism adds pressure on Belgium to align with international and EU norms promptly. Indeed, only in October 2025 did the Belgian Parliament pass a “Crypto Bill” to implement MiCA’s requirements, finally designating the FSMA (and the central bank, for certain tokens) as the competent authorities, a move intended to fill a crucial gap in Belgium’s regulatory framework. This belated action underscores how far behind Belgium was in addressing crypto oversight; the country is now scrambling to meet both FATF and MiCA expectations in parallel.

The takeaway for Belgian crypto firms and observers is that regulatory change is imminent and inevitable. Belgium has essentially been given a grace period of up to three years to get its house in order, not only to satisfy FATF, but also to implement EU law. During this period, we can expect new laws, regulations, and stricter supervision to roll out. For example, once the FSMA is fully empowered under MiCA and updated national laws, it will likely require VASPs to obtain licenses (or registrations under stricter criteria), enforce the Travel Rule for crypto transactions, scrutinize AML programs, and coordinate with the Belgian FIU on monitoring crypto flows. The relatively lax environment up to now will tighten considerably, converging with what we see in France or other proactive jurisdictions. Belgian VASPs should not mistake this temporary lull for a safe haven, the tide is turning, and firms that prepare early for compliance will fare much better than those that wait until the last minute.

Proactive Compliance: How Belgian VASPs Can Meet FATF Standards Now

For crypto businesses operating in Belgium, exchanges, trading platforms, wallet providers, ATMs, etc., the message is clear: don’t wait for the law to compel action. By the time Belgium formally mandates compliance through new regulations or MiCA licenses, it may be too late to build the necessary controls and culture from scratch. Instead, VASPs should proactively align with FATF-aligned standards right now, both to mitigate risks and to demonstrate goodwill to regulators. Proactive compliance not only prepares you for inevitable regulation, but it also positions your company as a responsible actor (making it easier to gain licensing when the regime kicks in). Key steps VASPs should take include:

• Implement a Robust AML Program: Adopt internal controls equivalent to those of a regulated financial institution. This means conducting thorough KYC (know-your-customer) checks on all customers, performing ongoing due diligence, and having clear policies to prevent and detect money laundering and terrorist financing. A risk-based approach is essential; higher-risk customers or transactions (e.g. large crypto transfers from mixers or high-risk jurisdictions) should trigger enhanced scrutiny.
• Real-Time Transaction Monitoring: Use modern tools to continuously monitor transactions on your platform for suspicious patterns or red flags. Given the speed of crypto movements, real-time or near-real-time monitoring is crucial to identify things like structuring, rapid in/out transfers, or unusual trading spikes. Flagright offer real-time monitoring systems that can ingest crypto transaction data and alert compliance teams to anomalies instantly.
• Risk-Based Rules and Analytics: Develop a set of risk-based rules and scoring models to automatically evaluate customer and transaction risk. For instance, assign higher risk scores to transactions involving privacy coins or to users who frequently transact just below reporting thresholds. These rules should be calibrated and refined over time. Advanced compliance platforms provide risk scoring engines and customizable rule sets that allow VASPs to tailor detection scenarios to their business model while meeting FATF’s risk-based approach principle.
• Sanctions Screening: Ensure you are screening all customers and transactions against relevant sanctions lists (UN, EU, US OFAC, etc.) and watchlists. Given the global nature of crypto, your platform could be misused by sanctioned actors or terrorist financiers. A robust screening solution is a must, one that can handle cryptocurrency wallet addresses too, flagging any addresses associated with sanctioned entities or darknet markets. Automated sanctions screening, integrated into onboarding and transaction processing, will help you stay clear of prohibited dealings and will likely be expected by Belgian regulators.
• STR Reporting and Quality Controls: Establish internal processes to investigate and report suspicious transactions to Belgium’s FIU (CTIF) promptly, even if not yet strictly required by law for VASPs. Focus on STR quality, make sure your reports contain sufficient detail and analysis (not just raw data dumps). By filing high-quality STRs, you demonstrate your commitment to compliance and contribute to the broader intelligence effort. Keep audit logs of all investigations and decisions on whether or not to file STRs, as this evidences your judgement and good faith. FATF places emphasis on the quality, not just quantity, of STRs, so invest in training your compliance staff to recognize crypto-specific red flags and articulate them clearly in reports.
• Integrated Governance and Audit Trails: As your compliance measures expand, maintain strong governance. This includes clearly defined compliance officer roles, regular AML training for staff, and oversight by senior management. Document everything, risk assessments, customer risk ratings, monitoring alerts, STR filings, in an auditable manner. Having integrated case management and audit trails (often a feature in compliance software like Flagright) will allow you to demonstrate to regulators exactly what you did and when. It also helps in internal reviews and improving your program over time. Regulators, when they come knocking, will expect to see that you have an ongoing governance process around AML, not a one-time setup.

Many of these steps can be facilitated by RegTech solutions. For instance, Flagright supports VASPs by providing a unified platform with real-time transaction monitoring, configurable risk-based rules and scoring, sanctions and watchlist screening, automated suspicious activity flagging, and case management with audit trails. Such technology allows even lean compliance teams to enforce FATF-grade controls effectively. Flagright’s tools can also generate regulatory reports (like STR/SAR filings) and ensure that all compliance actions are logged for future inspection. By leveraging these solutions, crypto companies can quickly uplift their compliance maturity to international standards, rather than having to build everything in-house.

Conclusion: Don’t Wait, Act Now to Build Trust and Compliance

Belgium’s crypto industry stands at a critical juncture. The FATF has issued a tough evaluation, and the government now has a three-year deadline to overhaul its approach to VASPs. But the onus isn’t only on regulators. Virtual asset service providers themselves must recognize that stronger oversight is not a matter of if but when. Those who act early, by voluntarily adhering to FATF’s guidance and embracing a culture of compliance, will not only avoid the scramble to meet new laws, but will also earn credibility with authorities and customers alike. Each VASP that upgrades its AML controls today contributes to closing Belgium’s crypto gap and shows regulators that the industry can be a responsible partner.

In the coming months and years, we can expect Belgium to roll out licensing requirements, stricter supervision, and perhaps public enforcement actions to send a message. VASPs should treat the FATF findings as a forecast of what’s to come. Now is the time to invest in compliance infrastructure (people, processes, and technology like Flagright’s platform) and to instill robust risk management practices. Doing so not only anticipates the regulatory wave, it also helps protect your business from being exploited by illicit actors in the interim.

Belgium may have been slow off the mark, but the race is far from over. With FATF and EU pressure mounting, the next three years will likely transform the crypto regulatory landscape. By acting now, Belgian crypto firms can turn this challenge into an opportunity to professionalize their operations, gain a competitive edge, and build trust with regulators and customers. The cost of waiting until the last minute could be lost licenses, penalties, or even being forced out of the market. Conversely, proactive compliance is an investment in long-term viability. As the saying goes, “the best time to plant a tree was 20 years ago; the second-best time is now.” The FATF has flagged the issues, it’s up to Belgian VASPs to address them before the deadline, rather than after. By doing so, they will not only meet the upcoming standards but help shed the “grey” cloud hanging over Belgium’s crypto sector, ensuring it can thrive in a fully regulated, reputable manner.