Crypto License: The Complete Guide to Cryptocurrency Licensing Worldwide

There is no single global crypto license. See how FATF, MiCA and national regulators license crypto firms by activity and country, and where to start.

A crypto license is an authorization or registration from a financial regulator that allows a business to provide crypto-asset services such as exchange, custody or transfer. There is no single global crypto license. Instead, the Financial Action Task Force (FATF) sets an anti-money-laundering baseline, and each country or region licenses crypto firms under its own rules.

That single fact reshapes almost every decision a founder, exchange operator or compliance officer makes. You are not buying one product called "a crypto license." You are choosing a jurisdiction, an activity category and a regulator, and then meeting the requirements that regulator publishes. This guide explains how crypto licensing works worldwide: the FATF baseline, the EU MiCA regime, the major national frameworks, the activities that trigger a licence, and the core requirements to obtain one. Where you need to go deeper, it routes you to focused pages on crypto licence types by activity, what a crypto license costs and the step-by-step application process.

What Is a Crypto License? (Definition and the "No Single Global Licence" Reality)

A crypto license is an authorization, registration or licence issued by a national or regional financial regulator that permits a business to provide crypto-asset services on a professional basis. The common global baseline is the FATF requirement that countries license or register virtual asset service providers (VASPs) and subject them to anti-money-laundering and counter-terrorist-financing supervision.

The phrase "crypto license" implies a single document you can apply for once and use everywhere. In reality it describes a patchwork. The European Union licenses crypto-asset service providers under MiCA. Germany authorizes crypto custody under its Banking Act. Switzerland uses FinTech, banking and DLT trading facility licences. Singapore licenses Digital Payment Token services. Dubai operates a dedicated virtual assets regime. The United States has no single federal licence at all. Understanding which of these applies to your business model is the first and most consequential step.

Why there is no worldwide crypto license

FATF is an intergovernmental standard-setter, not a licensing authority. It tells member countries what outcomes to achieve, then each country writes and enforces its own law. FATF Recommendation 15 requires countries to license or register VASPs and to supervise them through a competent national authority. Crucially, countries are not permitted to rely on a self-regulatory body for that supervision. The result is a global baseline expressed through dozens of national regimes, which is why a Swiss FinTech licence, a German custody authorization and a Singapore DPT licence are different instruments even though they sit on the same FATF foundation.

License vs registration vs authorization (terms used interchangeably)

These three words are often treated as synonyms, but the legal weight differs. A registration is usually a lighter, AML-focused gate: in the United Kingdom, the FCA requires in-scope cryptoasset firms to be registered under the Money Laundering Regulations before operating. An authorization is usually a fuller, prudential approval: under MiCA, a crypto-asset service provider must be authorized as a CASP. When a regulator says "registration," expect AML and fit-and-proper checks. When it says "authorization" or "licence," expect capital, governance and ongoing prudential obligations as well.

How Crypto Licensing Works: The FATF Global Baseline

Every national crypto regime sits on top of one shared layer: the FATF standards. FATF does not issue licences, but it defines who must be licensed, what activities count, and what AML obligations apply. This is the conceptual spine of crypto licensing worldwide, and it explains why even very different jurisdictions converge on the same core requirements.

FATF Recommendation 15 and the 2019 Interpretive Note

FATF Recommendation 15 was updated in 2019 to apply AML and CFT measures to virtual assets and VASPs, and an Interpretive Note to Recommendation 15 was adopted in June 2019. The standard requires countries to license or register VASPs and to subject them to supervision or monitoring by a competent national authority. As noted above, a country cannot rely on a self-regulatory body for that supervision. This is the legal reason that "is a crypto license required by law" is, in most regulated markets, answered yes.

The five VASP activity categories

FATF defines a VASP by reference to five categories of activity. To qualify, an entity must be acting as a business for or on behalf of another person and actively facilitating these activities. The five categories are:

  • Exchange between virtual assets and fiat currencies.
  • Exchange between one or more forms of virtual assets.
  • Transfer of virtual assets.
  • Safekeeping and/or administration of virtual assets or instruments enabling control over them (custody).
  • Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

These categories, drawn from the FATF guidance, are the template most national regimes adapt. If your business does any of them as a service for others, you are almost certainly within scope of a licensing or registration requirement somewhere. To see how this maps onto a full licensing programme, read how VASP licensing works.

The Travel Rule and the global implementation gap

The FATF Travel Rule requires VASPs to securely collect and transmit originator and beneficiary information when transferring virtual assets, mirroring the long-standing rules for wire transfers. Implementation, however, lags behind the standard. FATF reports that nearly one third of survey respondents had not yet passed Travel Rule legislation. For a licensed firm, the practical takeaway is that Travel Rule compliance is now an expected control in most regimes even where local enforcement is still maturing, and it should be built into your AML programme from day one.

[Figure: MiCA application timeline, marking Jun 2023, 30 Jun 2024, 30 Dec 2024 and 1 Jul 2026]

VASP vs CASP vs DPT vs MSB: A Crypto Licence Terminology Decoder

One of the biggest sources of confusion is vocabulary. Different regulators use different labels for broadly the same underlying activities. "VASP" is the FATF and global term, also used by Dubai's VARA. "CASP" is the EU MiCA term. "DPT service provider" is the Singapore label. "MSB" (money services business) is a US federal category. Once you map these labels to activities, the patchwork becomes far easier to navigate.

How the same activities map across regimes

The table below aligns the same core activities across the four most common labels. The activity is the constant; the label and the regulator change with the jurisdiction.

| Underlying activity | FATF / VARA (VASP) | EU / MiCA (CASP) | Singapore (DPT) | United States |
|---|---|---|---|---|
| Exchange (crypto and fiat) | VASP activity | CASP service (Art. 3) | DPT service | MSB / state money transmitter |
| Custody / safekeeping | VASP activity | CASP service (Art. 3) | within DPT scope | state money transmitter (varies) |
| Transfer | VASP activity | CASP service (Art. 3) | DPT service | MSB / state money transmitter |
| Advisory | not a core FATF activity | CASP service (Art. 3) | not a DPT service | adviser rules (varies) |
| Issuance | VASP-adjacent (offer/sale) | white paper / issuer rules | not a DPT service | securities laws (Howey) |

The EU's MiCA lists ten CASP services in Article 3, Dubai's VARA licenses seven activity categories plus issuance, and FATF defines five VASP activities. The number of categories differs, but the activities overlap heavily. This is why a firm planning the same business in two jurisdictions can face two very different application packs for what is, commercially, the same product.

What Types of Crypto Licence Exist? (Licensing by Activity)

Because there is no single licence, the cleanest way to think about types is by activity rather than by country. Most regimes regulate the same functional categories, and your business model determines which ones you need. A trading platform needs exchange permissions; a wallet provider needs custody permissions; a payments firm needs transfer permissions. For a deeper breakdown, see crypto licence types by activity.

Exchange, custody, broker-dealer, transfer and settlement

These are the core functional categories common across regimes. Exchange covers swapping crypto for fiat or for other crypto. Custody covers safekeeping and administration of assets or the keys that control them. Broker-dealer and transfer and settlement cover intermediation and the movement of value between parties. Under MiCA these appear among the ten Article 3 services, and they map directly onto FATF's five VASP activities. In Dubai, custody is treated as especially sensitive: VARA requires custody to be a segregated, standalone legal entity with its own licence.

Advisory, portfolio management, lending and issuance

Beyond the core, regimes regulate advisory and portfolio management, lending and borrowing, and the issuance of crypto-assets. MiCA's Article 3 list expressly includes advice on crypto-assets and portfolio management, while VARA's categories include Advisory Services, Lending and Borrowing Services, Management and Investment Services, and VA Issuance. Issuance, especially of stablecoins, often triggers additional rules layered on top of the service licence. The practical point is that combining activities usually means combining permissions, which changes both the application scope and the capital you must hold.

Crypto Licensing by Region: A Worldwide Overview

This section gives a snapshot of the major regimes. Each one is a node under the FATF baseline, with its own regulator, vocabulary and numeric thresholds. The table summarizes the landscape; the regime-by-regime detail follows. For a side-by-side view across more jurisdictions, see the crypto license comparison matrix.

| Jurisdiction | Regulator | Core instrument | Key attribute |
|---|---|---|---|
| European Union | ESMA / national regulators | MiCA CASP authorization | One authorization passports across the EU |
| Switzerland | FINMA | FinTech / banking / DLT facility | FinTech deposits up to CHF 100m |
| Germany | BaFin | Crypto custody (KWG) + MiCAR CASP | Custody initial capital from EUR 150,000 |
| United Kingdom | FCA | Cryptoasset AML registration | AML supervisor since 10 Jan 2020 |
| Singapore | MAS | Payment Services Act 2019 (DPT) | DPT service licence required |
| Dubai (UAE) | VARA | VA and Related Activities Regs 2023 | Seven activity categories plus issuance |
| United States | SEC and others | Securities laws (Howey) | No single federal crypto licence |

European Union: MiCA and the CASP authorization

MiCA is Regulation (EU) 2023/1114, "Markets in Crypto-Assets," and it entered into force in June 2023. It creates a single EU authorization, the CASP, covering ten crypto-asset services in Article 3. The headline benefit is passporting: a CASP authorized in one EU Member State can offer its services across all 27 markets without a separate licence in each country. To understand the regime in full, read the EU MiCA regime.

The application calendar matters as much as the rules. Under Article 149, the stablecoin rules in Title III (asset-referenced tokens) and Title IV (e-money tokens) apply from 30 June 2024, and the CASP authorization rules in Title V apply from 30 December 2024. A transitional, or grandfathering, period for firms already operating before MiCA application runs through 1 July 2026. After that cliff, firms relying on legacy national regimes must hold full CASP authorization to keep serving EU clients.

Switzerland: FINMA FinTech, banking and DLT licences

Switzerland regulates technology-neutrally, so the relevant authorizations are the FinTech licence, the banking licence and the DLT trading facility licence. The FinTech licence allows accepting public deposits up to a maximum of CHF 100 million, or collective custody of crypto-based assets, without operating as a full bank. Above that threshold, a banking licence is required, and a banking licence is also needed if a firm accepts deposits from more than 20 clients or advertises deposit-taking.

Trading in virtual currencies and operating a payment system fall under the Anti-Money Laundering Act (AMLA). Firms subject to AMLA must join a Self-Regulatory Organisation (SRO), verify client identity, check beneficial ownership, and report suspicious transactions. There are narrow exemptions, for example accepting a maximum of CHF 3,000 per person for an explicit product or service purchase. For the full picture, see the crypto license requirements in Switzerland.

Germany: BaFin crypto custody and MiCAR CASP

Germany added crypto custody business to its Banking Act (KWG) as a financial service, and since 1 January 2020 providers need BaFin authorization. Crypto custody is the custody, management and protection of crypto-assets or private cryptographic keys for others. An authorization application must show initial capital of at least EUR 150,000 plus reliable owners and qualified managing directors.

MiCAR now sits on top of this. Anyone operating in Germany as a CASP must apply to BaFin, with Title V rules applicable from 30 December 2024. Firms holding crypto-custody or financial-services authorization on 29 December 2024, and that are not CRR credit institutions, may use the simplified procedure under Article 143(6) of MiCAR.

United Kingdom: FCA cryptoasset registration

In the United Kingdom, the FCA has been the AML and CTF supervisor since 10 January 2020 for firms conducting in-scope cryptoasset activities, and such firms must be registered with the FCA under the Money Laundering Regulations before operating. The FCA categorizes tokens: security tokens and e-money tokens are regulated, while utility and exchange tokens such as Bitcoin are currently unregulated.

Marketing is also tightly controlled. The financial promotions regime for qualifying cryptoassets took effect on 8 October 2023, and crypto promotions to UK consumers must follow one of four legal routes. Notably, this applies to overseas firms marketing to UK consumers too. The UK is also developing a broader cryptoasset authorization regime; that future framework is still evolving and is not yet fixed (see Open questions).

Singapore: MAS and the Payment Services Act

Singapore regulates crypto under the Payment Services Act 2019, which covers seven types of payment service including the Digital Payment Token (DPT) service. Providers must hold a licence, and licence tiers under the Act include money-changing, standard payment institution and major payment institution.

DPT service providers must implement robust AML and CFT controls, including KYC with beneficial-owner identification, account reviews and suspicious-transaction monitoring. New DPT licence or variation applications require an Independent External Auditor Assessment covering AML, CFT and consumer protection. MAS has also expanded user-protection and financial-stability requirements for DPT providers.

Dubai (UAE): VARA's dedicated VASP regime

Dubai created the Virtual Assets Regulatory Authority (VARA), described as the world's first independent regulator for virtual assets and the sole authority regulating virtual assets across Dubai's mainland and free zones, except the DIFC, which is regulated separately. It operates under the Virtual Assets and Related Activities Regulations 2023.

VARA issues licences across seven regulated activity categories plus VA issuance: Advisory, Broker-Dealer, Custody, Exchange, Lending and Borrowing, Management and Investment, and Transfer and Settlement Services. A firm can aggregate multiple activities under a single licence, with one important exception: custody must be a segregated, standalone legal entity with its own licence.

United States: a patchwork, not a single licence

The United States has no single federal crypto licence. The SEC applies federal securities laws via the Howey test, which asks whether there is an investment of money in a common enterprise with a reasonable expectation of profits from the efforts of others, to decide whether a crypto-asset is an investment-contract security. The SEC's 2025 position is that most crypto assets are not themselves securities, but an asset can be subject to an investment contract when sold with promises of managerial effort, and secondary-market trading does not by itself constitute a securities transaction.

Beyond securities law, firms may need state money-transmitter licences and FinCEN money-services-business registration. A 2025 SEC Crypto Task Force is developing a token taxonomy anchored in Howey and held its inaugural roundtable in March 2025. Because these positions come from policy statements rather than final rules, anyone licensing in the US should confirm the current state-by-state and FinCEN requirements directly (see Open questions).

What Are the Requirements to Get a Crypto Licence?

Although the documents differ, the underlying requirements rhyme across regimes. Most regulators want to see four things: a serious AML and KYC programme, a properly regulated corporate structure, fit-and-proper owners and managers, and adequate capital. The detail and the numbers vary, but the shape is consistent worldwide. For the full walkthrough, follow the step-by-step application process.

AML/KYC program and a regulated corporate structure

Every regime starts from AML. FATF requires VASPs to be licensed or registered and AML-supervised, and national rules translate that into concrete controls. Switzerland, for example, requires AMLA firms to join an SRO, verify client identity, check beneficial ownership and report suspicious transactions. You will need a registered legal entity, documented AML and KYC policies, and a structure that fits the activity you intend to perform. To build the compliance layer, see our crypto compliance and AML guide.

Minimum capital and fit-and-proper management

Capital thresholds vary by regime and activity. A concrete example is Germany, where a crypto custody authorization application must show initial capital of at least EUR 150,000 alongside reliable owners and qualified managing directors. Regulators assess management on a fit-and-proper basis, looking at experience, integrity and the absence of disqualifying history. Plan your shareholding and board with these tests in mind from the outset, because a weak governance file is one of the most common reasons applications stall.

Substance, compliance officer and ongoing obligations

A licence is not a one-time event. Regimes expect ongoing substance, a qualified compliance officer or money-laundering reporting officer, periodic reporting, and Travel Rule compliance on transfers. Some regimes add specific assurance steps: Singapore requires an Independent External Auditor Assessment for new DPT applications. Budget for these continuing obligations, not just the application, because they drive much of the real cost of staying licensed.

How Much Does a Crypto Licence Cost and Where Should You Start?

Cost is the question every applicant asks first, and it is the one with the least honest answer online. There is no single price, because there is no single licence. Cost depends on the jurisdiction, the activities, the capital you must hold, and the ongoing compliance you must staff. The right approach is to build a budget from each regulator's published thresholds, not from a marketing number. For a structured breakdown, see what a crypto license costs.

Why "cheapest" or "easiest" needs a bottom-up, regulator-by-regulator view

Be cautious of any source that ranks jurisdictions as "cheapest," "fastest" or "easiest." No authoritative primary source ranks crypto jurisdictions; any honest comparison must be built bottom-up from each regulator's published capital and AML thresholds. A regime that looks cheap on paper may demand heavy ongoing substance, and a regime with higher capital may be faster and more credible for your market. If affordability is your priority, compare the underlying numbers rather than the headlines, starting with our view on the most affordable jurisdictions.

Choosing a jurisdiction for your business model

The best jurisdiction is the one that fits your activity, your target market and the substance you can realistically maintain. An EU-focused exchange benefits from MiCA passporting; a custody-led business must weigh segregation rules like Dubai's; a Swiss-domiciled firm gains credibility but accepts FINMA's deposit thresholds. Map your activities to regimes first, then weigh cost, timeline and reputation. To work through the options, compare jurisdictions and review the crypto-friendly countries for business.

How Crypto Valley Partners Helps You Get Licensed

Crypto Valley Partners AG is based in Zug, Switzerland, at the heart of Crypto Valley, and advises founders, exchange operators and compliance teams on obtaining and maintaining crypto licences worldwide. The firm's focus is the same breadth this guide reflects: matching your business model to the right regime, then guiding the application and compliance build end to end.

From our practice, the projects that move fastest are the ones that resolve jurisdiction and activity scope before drafting a single application. Teams that decide late, or assume a single global licence exists, lose time reworking capital structures and AML policies. We front-load those decisions so the application file is right the first time. We do not publish prices, because a credible figure can only follow a scoping conversation about your activities, market and substance.

From jurisdiction selection to authorization

A typical engagement starts with jurisdiction selection mapped to your activity mix, then moves through corporate structuring, AML and KYC programme design, the fit-and-proper file for owners and managers, and the formal application to the regulator. After authorization, we support ongoing obligations: reporting, Travel Rule controls, audits and renewals. To see the path in detail, read the step-by-step application process and the broader view of how VASP licensing works.

Frequently asked questions

What is a crypto license?

An authorization or registration from a financial regulator allowing a business to provide crypto-asset services. There is no single global licence; FATF requires countries to license or register VASPs and supervise them for AML and CFT.

Is a crypto license required by law?

In most regulated jurisdictions, yes. Providing crypto services without the required authorization or registration is generally prohibited, and FATF expects VASPs to be licensed or registered and supervised by a competent national authority.

What is the difference between a VASP and a CASP?

"VASP" is FATF and global terminology, also used by Dubai's VARA. "CASP" is the EU MiCA term. Both cover broadly similar activities such as exchange, custody and transfer, but the labels and the regulators differ by jurisdiction.

What is MiCA and when did it take effect?

MiCA is EU Regulation 2023/1114, in force since June 2023. Its stablecoin rules under Titles III and IV apply from 30 June 2024, and CASP rules under Title V apply from 30 December 2024.

Does an EU crypto license work across all member states?

Yes. A CASP authorized in one EU Member State can passport its services across the entire EU under MiCA, serving all 27 markets without needing a separate licence in each country.

What types of crypto licenses exist?

By function: exchange, custody, broker-dealer, transfer and settlement, advisory, management and investment, lending and borrowing, and issuance. Dubai's VARA, for example, licenses seven activity categories plus issuance under its 2023 regulations.

What are the main requirements to get a crypto license?

Typically an AML and KYC program, a registered or regulated structure, fit-and-proper owners and managers, and minimum capital. Germany's crypto-custody authorization, for example, requires at least EUR 150,000 and reliable, qualified management.

Do I need a crypto license to run a crypto exchange?

Generally yes. Operating a crypto trading platform is a licensable crypto-asset service under MiCA Article 3 and under most national regimes, so an exchange will need authorization or registration in each market it serves.

What is the FATF Travel Rule?

A requirement that VASPs securely collect and transmit originator and beneficiary information when transferring virtual assets, mirroring the rules for wire transfers. FATF reports that nearly one third of survey respondents had not yet passed Travel Rule legislation.

Is crypto licensed in the United States?

There is no single federal crypto licence. The SEC applies the Howey test to decide if a token is a security, and firms may also need state money-transmitter licences and FinCEN money-services-business registration depending on their activities.

How is crypto regulated in Switzerland?

Technology-neutrally. Depending on the model, firms need a FinTech licence with deposits up to CHF 100 million, a banking licence, or a DLT trading facility licence, plus AML compliance through Self-Regulatory Organisation membership under AMLA.

What is the cheapest or easiest crypto license?

No authoritative primary source ranks jurisdictions. Any comparison must be built bottom-up from each regulator's published capital and AML thresholds, weighing both upfront and ongoing obligations, rather than asserted as a simple ranking.