The Financial Action Task Force (FATF)'s March 2026 report on stablecoins and unhosted wallets is simultaneously alarming and clarifying. It formally documents the architecture of a compliance failure that we at Notabene have been watching for years.

The report finds that stablecoins now represent 84% of illicit virtual asset transaction volume, surpassing Bitcoin. As of March 2026, there are 259 stablecoins in circulation, with a combined market cap exceeding $300 billion. They're faster, more stable, and more liquid than Bitcoin—exactly the properties that make stablecoins useful for legitimate commerce. The problem is that these same properties make stablecoins attractive to DPRK state hackers, Iranian proliferation financiers, and professional money launderers.

FATF illustrates these dynamics in the infographic below, highlighting the growing role of stablecoins and the increasing use of peer-to-peer transactions through unhosted wallets.

The report notes that stablecoins are increasingly used in peer-to-peer transactions via unhosted wallets, which are not operated by third-party service providers and can fall outside traditional counter-illicit finance controls.

The real story here isn't the stablecoin adoption curve. it's the gap in the compliance framework built to contain it.

The Unhosted Wallet Problem

The FATF report doesn't frame stablecoins as the problem. Its focus is on how they move. Peer-to-peer (P2P) transactions via unhosted wallets are the critical vulnerability the report identifies, and within the current FATF framework, there's no regulatory solution to close it.

By design, P2P transactions between individuals using self-custody wallets fall outside AML/CFT obligations. This allows users to send and receive crypto assets without relying on a regulated intermediary like an exchange or custodian**.** No intermediary means no obliged entity responsible for customer due diligence, transaction monitoring, or suspicious activity reporting. The transaction is visible on-chain, but functionally invisible to competent authorities until it reaches an off-ramp.

This is a structural feature of the framework as written, not an implementation gap.

The FATF acknowledges this honestly. Their guidance as it pertains to Travel Rule coverage on this is clear: obligations fall on VASPs, not individuals. Secondary market P2P transactions don't trigger compliance requirements. However, the report documents case after case of threat actors exploiting this exact dynamic: layering in unhosted wallets, chain-hopping across blockchains, structuring transactions to stay functionally distant from any Travel Rule-covered wallet, then converting to fiat through unlicensed OTC brokers in jurisdictions with weak AML/CFT controls.

What the Report Gets Right

The FATF report makes clear that this is not a detection problem that can be solved with better analytics. The mitigation measures recommended such as identity verification of wallet owner, whitelisting (allow-listing), blacklisting (deny-listing), programmable smart contract controls, blockchain forensics, supervisory colleges, and public-private partnerships are all legitimate tools, and some jurisdictions are already putting them to use:

• Switzerland plans to implement on-chain allow-listing.
• France is deploying blockchain analytics.
• Japan has introduced explicit requirements on stablecoin issuers and intermediaries.
• Singapore has mandated enhanced due diligence for unhosted wallet transfers.

The progress is real, but the problem is that all of these measures are reactive. They freeze addresses after the fact, monitor secondary market circulation, catch exits - but they don't prevent the transaction from happening in the first place.

The Travel Rule Problem

The FATF report is careful but clear on a critical vulnerability: the Travel Rule framework struggles with unhosted wallet scenarios in precisely the way that matters for stablecoin misuse.

The report reiterates that Recommendation 15 and the Travel Rule remain the foundation of crypto AML compliance. Under FATF standards, jurisdictions must ensure that virtual asset service providers (VASPs) are licensed or registered, conduct customer due diligence, monitor transactions, and report suspicious activity, and that they transmit originator and beneficiary information for qualifying transfers. ****It's designed to ensure that compliance-aware intermediaries have visibility and can apply controls. The FATF guidance makes clear that even when a VASP customer is transferring to an unhosted wallet, the VASP must collect beneficiary information.

The problem is what happens next or more precisely, what doesn't.

When a VASP's customer transfers to an unhosted wallet, the VASP now has beneficiary information about an address it doesn't control. That address, in turn, may then transfer to another unhosted wallet. And another. And another. The report calls this the "transactionally distant" problem: threat actors create chains of unhosted wallets that are multiple hops away from any Travel Rule-covered wallet, deliberately fragmenting the transaction trail.

The VASP at the origin can report the first transfer, but once stablecoins land in an unhosted wallet, they're effectively outside the obligated entity network. A VASP monitoring its customer's outbound transfer to an unhosted wallet has limited visibility into what happens downstream. When stablecoins pass through five, ten, or twenty unhosted wallet hops before reaching an off-ramp, no single obliged entity has sight of the full transaction chain. Most importantly, no single obliged entity is responsible for filing a suspicious activity report on the layered transfers that occur outside the Travel Rule-covered ecosystem.

This is a major structural limitation of Travel Rule implementation. The Travel Rule was designed for transfers between obliged entities. It creates visibility at the edges—when stablecoins enter and exit the regulated perimeter—but it has no mechanism to create compliance visibility for movements within the unhosted wallet space.

The FATF acknowledges this by noting that stablecoin issuers may need to play a complementary role, using their ability to freeze or monitor addresses based on information from law enforcement. That ability is reactive, not preventive.

The Authorization Gap

This is where I keep returning to the question that animates much of our work at Notabene: what if the framework required authorization before the transaction, not just information exchange after?

The Travel Rule, as currently implemented, is fundamentally about information exchange and reporting the originator and beneficiary details flowing from one VASP to another, with suspicious activity reporting happening after transfers are processed. Unhosted wallet transactions bypass meaningful compliance precisely because once funds reach an unhosted wallet, they leave the obligated entity network entirely. Travel Rule visibility ends.

The framework needs to evolve beyond information exchange and toward pre-transaction authorization—specifically for flows involving unhosted wallets or chains of unhosted transfers.

The Transaction Authorization Protocol (TAP), an open standard protocol that embeds compliance directly into transaction settlement, is designed to solve exactly this problem. It complements the Travel Rule by adding an authorization layer that operates at the point of settlement, not just at the point of information exchange.

What Needs to Happen

The FATF report makes clear recommendations for jurisdictions: establish comprehensive legal frameworks, impose clear AML/CFT obligations on stablecoin issuers, assess and mitigate P2P risks, leverage advanced tools, and foster public-private collaboration.

But the report also, implicitly, shows the limits of the current approach. The existing framework allows for supervisory oversight of stablecoin issuers, enhanced due diligence for unhosted wallet transfers, mandatatory blockchain analytics, and address freezing.

None of these can prevent a compliant intermediary's customer from transferring stablecoins to an unhosted wallet controlled by a sanctioned entity, because the customer is acting on their own behalf, using tools available to them, and the transaction doesn't directly involve an obliged entity.

Notabene propose a two-fold response:

1.  Push harder on implementing and strengthening the Travel Rule in the stablecoin ecosystem. The FATF requires VASPs to collect beneficiary information even for unhosted wallet transfers. But compliance with this requirement is uneven, and the tools for monitoring downstream transfers are limited. Jurisdictions need stronger enforcement of Travel Rule obligations, clearer standards for what beneficiary verification means for unhosted wallets, and better mechanisms for VASPs to share risk assessments when they know a customer is transferring to high-risk addresses.

2. The framework needs to evolve beyond the Travel Rule's information-exchange model, and toward pre-transaction authorization. The Transaction Authorization Protocol, also known as TAP — is a framework that embed compliance checks directly into transaction settlement—can close the visibility gap that the Travel Rule inevitably creates. Where the Travel Rule ensures that originator and beneficiary information is collected and reported, TAP would add a gate: real-time verification, risk assessment, and approval before settlement, with compliance rules embedded in the transaction itself.

The Travel Rule works when both parties are in the obligated entity ecosystem. TAP is designed specifically for the edge cases of transfers to unhosted wallets, cross-chain movements, and higher-risk scenarios where the Travel Rule's reach is limited.

For stablecoin issuers, this means embedding compliance logic into smart contracts that can enforce authorization requirements at the protocol level. A transfer to an unhosted wallet could trigger cryptographic ownership proof before settlement.  Rules can be enforced not just through monitoring and remediation, but through the transaction mechanics itself.

This shifts responsibility from surveillance to prevention, and from ex-post reporting to ex-ante controls.

The DPRK's use of Tether to finance weapons procurement, Iranian actors converting stablecoins for components, terrorist financiers using densely structured wallet hops to move funds—these cases share a common thread. The privacy, liquidity, and pseudonymity built into the unhosted wallet architecture have become properties that existing compliance frameworks can't adequately address. The March 2026 FATF report documents this gap with precision.

The solution is not to abandon the Travel Rule, but to build solutions that extend its reach. Stronger enforcement of Travel Rule obligations on unhosted wallet transfers and open frameworks that bring compliance controls into the settlement layer itself are how we actually close this gap.

‍