What FATF Actually Said About the Companies That Build the Rails
- FATF Recommendation 15 defines a VASP by four specific activities — software infrastructure providers meet none of them.
- Non-custodial, usage-based SaaS architecture sits structurally outside the VASP perimeter under current guidance.
- Operators deploying on Fexr infrastructure retain their own compliance obligations — this briefing helps them understand the distinction.
When enterprise legal teams encounter a platform that touches blockchain infrastructure, their first instinct is often to ask: "Are you a Virtual Asset Service Provider?" It's a reasonable question. But it conflates what a VASP is — under the internationally recognised FATF framework — with what a software infrastructure company does. The two are not the same, and the distinction matters enormously for how a bank, regulator, or compliance officer should evaluate a vendor.
What FATF Actually Says
The Financial Action Task Force (FATF) defines a VASP in its Recommendation 15 as any natural or legal person that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- Exchange between virtual assets and fiat currencies
- Exchange between one or more forms of virtual assets
- Transfer of virtual assets
- Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
- Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset
The operative phrase throughout is "for or on behalf of another person." This is not incidental language — it is the jurisdictional anchor that separates a service provider from a tool maker.
Where Software Infrastructure Falls
A B2B SaaS provider that deploys non-custodial smart contract infrastructure does not exchange, transfer, or safekeep virtual assets. It does not hold private keys. It does not initiate transactions. It builds the rails — and then hands those rails entirely to the operator and their end users.
The analogy is a company that manufactures and licenses point-of-sale terminals. That company is not a payment processor. It does not hold merchant funds, settle transactions, or assume liability for what flows through its hardware. It charges a licence fee for the tool. The merchant assumes the regulatory relationship with their acquirer and their customers.
The same logic applies here. Fexr builds and licenses smart contract deployment tooling. The operator configures it, deploys it, and governs it. Fexr charges a consumption-based software licensing fee. No assets move through Fexr. Fexr holds no keys.
The "Facilitation" Question
FATF guidance does acknowledge that facilitation can, in some circumstances, bring an entity within scope. The key test is whether the entity has "control or sufficient influence" over the virtual asset activity. FATF's 2021 Updated Guidance for a Risk-Based Approach specifically notes that developers of self-executing smart contracts where the developer has no ongoing control are generally not VASPs.
Fexr's architecture is designed precisely around this line. Once a contract is deployed, Fexr retains zero admin keys, zero upgrade privileges, and zero custodial control. The operator governs the contract. The smart contract logic executes autonomously. The design is intended to prevent Fexr from reversing, modifying, or intervening in any transaction.
How Other Major Jurisdictions Reach the Same Conclusion
The non-VASP status of non-custodial software infrastructure is not a position unique to FATF's international guidance. Regulators in several of the world's most active fintech jurisdictions have issued guidance reaching broadly consistent conclusions through their own legal frameworks — giving the principle a degree of cross-jurisdictional consistency that enterprise legal teams can reference, though each jurisdiction's position remains subject to its own interpretation and evolution.
In the European Union, the Markets in Crypto-Assets Regulation (MiCA) defines a Crypto-Asset Service Provider (CASP) by reference to specific services — exchange, transfer, safekeeping, and advice — performed for clients. MiCA's recital language explicitly distinguishes between the provision of CASP services and the provision of software or technical infrastructure that enables others to provide those services. A B2B deployment platform that charges a usage-based software licensing fee and holds no client assets does not become a CASP under MiCA simply because its tooling is used to build compliant programmes.
In Singapore, the Monetary Authority of Singapore has published guidance under the Payment Services Act distinguishing between persons who carry on a business of providing digital payment token services and persons who provide ancillary software or infrastructure services to those who do. MAS has been explicit that software vendors occupying the latter category are not captured by the digital payment token licensing regime.
In the United Kingdom, the FCA's cryptoasset registration regime and its guidance under the Money Laundering Regulations focus on persons carrying on specified cryptoasset activities by way of business. The FCA has acknowledged that software companies whose tools are used by regulated firms are not thereby conducting regulated activities, provided they are not exercising discretion over client assets or transactions.
The convergence across FATF, the EU, Singapore, and the UK reflects a deliberate regulatory design choice: holding toolmakers to the same licensing standard as service providers would either drive infrastructure development offshore or create compliance overhead that is structurally disproportionate to the risk posed by non-custodial, non-transacting technology vendors.
What This Means for Operators
Understanding Fexr's non-VASP status does not eliminate an operator's own compliance obligations. Operators deploying loyalty or participation infrastructure that involves virtual assets must conduct their own legal analysis in their jurisdiction. What this briefing establishes is that the infrastructure provider — Fexr Technologies — is not inserting a VASP layer beneath your program. You are not inheriting Fexr's regulatory status, because Fexr does not have a VASP regulatory status to inherit.
For operators in regulated industries or jurisdictions with clear virtual asset frameworks (UAE, Singapore, EU under MiCA), this distinction simplifies the vendor due diligence conversation considerably. The question is not "does your vendor have a VASP licence?" The question is "does your vendor custody assets or control transactions?" Based on Fexr's published architecture and contractual terms, the answer, for Fexr, is no on all three counts.
What Operators Should Monitor as Guidance Evolves
FATF Recommendation 15 guidance is not static. The most substantial recent update was the 2021 Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs, which introduced clarifications on DeFi protocols, NFT platforms, and stablecoin arrangements. Further updates are expected as market structures continue to evolve and regulators respond to new products and services.
The conditions that would bring a non-custodial infrastructure provider within VASP scope are predictable in advance. The key variables are control and economic benefit. If an infrastructure provider begins to exercise ongoing administrative control over deployed contracts — holding an upgrade key, controlling fee parameters, or retaining the ability to reverse transactions — the facilitation analysis shifts materially. Similarly, if revenue becomes linked to the value of assets processed — rather than units of software consumption — the economic profile begins to resemble financial intermediation rather than software supply.
Operators evaluating infrastructure vendors should look not only at current architecture but at the governance model embedded in the contracts themselves. Verifiable, on-chain proof that no admin key exists is a more durable assurance than a contractual representation that one will not be used. As FATF guidance matures and on-chain verification tools improve, the verifiability of decentralisation and non-control will increasingly become the standard against which VASP status is assessed — not only in the operator's own legal analysis, but in banking due diligence and regulatory examination.
The Practical Takeaway
If your legal team receives a question about VASP status, the response is straightforward: Fexr Technologies is a B2B SaaS infrastructure provider operating under a consumption-based Usage-Based Software Licensing fee model. It does not exchange, transfer, or safekeep virtual assets for or on behalf of any person. Its smart contract infrastructure is non-custodial by design, with no admin keys or upgrade privileges retained post-deployment. Under FATF Recommendation 15 and its associated guidance, this architecture is designed to fall outside the VASP activity definition — though operators should seek their own jurisdictional counsel where a formal determination is required.
That response should be in writing, on the vendor's own domain, backed by the legal counsel who helped design the structure. Which is precisely why this briefing exists.

