According to FATF's updated guidance for a risk-based approach to virtual assets and virtual asset service providers, even a non-custodial service can be deemed a 'Virtual Asset Service Provider' – and therefore a money transmitter – if it has "control or sufficient influence [...] over aspects of the service’s protocol, and the existence of an ongoing business relationship between themselves and users."

A DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology (see paragraph 82 below). However, creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. This is the case, even if other parties play a role in the service or portions of the process are automated. Owners/operators can often be distinguished by their relationship to the activities being undertaken. For example, there may be control or sufficient influence over assets or over aspects of the service’s protocol, and the existence of an ongoing business relationship between themselves and users, even if this is exercised through a smart contract or in some cases voting protocols. Countries may wish to consider other factors as well, such as whether any party profits from the service or has the ability to set or change parameters to identify the owner/operator of a DeFi arrangement. These are not the only characteristics that may make the owner/operator a VASP, but they are illustrative. Depending on its operation, there may also be additional VASPs that interact with a DeFi arrangement.

A person that creates or sells a software application or a VA platform (i.e., a software developer) may therefore not constitute a VASP, when solely creating or selling the application or platform. Using the application or platform to engage in VASP functions, as a business on behalf of others, however, would change this determination. In addition, a party directing the creation and development of the software or platform, so that they can provide VASP services as a business for or on behalf of another person, likely also qualifies as a VASP, in particular if they retain control or sufficient influence over the assets, software, protocol, or platform or any ongoing business relationship with users of the software even if this is exercised through a smart contract. Such a VASP is therefore responsible for complying with the relevant AML/CFT obligations. As such, they should undertake ML/TF risk assessments prior to the launch or use of the software or platform and take appropriate measures to mitigate the risks in an ongoing and forward-looking manner.