Crypto License Types: Licensing by Activity & Business Model

There is no single "crypto license." You are licensed for the regulated activity you perform, not for being a crypto company. The fastest way to find the right authorisation is to start with your business model, translate it into the regulated activity it constitutes, and let the jurisdiction's regime name the licence. This pillar maps that path across the EU's MiCA, the global FATF baseline, Dubai's VARA, Singapore's MAS, and the United States.

Before any of that, one gate decides which rulebook even applies: is your asset a crypto-asset, or is it a financial instrument? If it is a security token, a derivative, or a fund unit, MiCA steps aside and the traditional securities and markets regime governs instead. Get that fork right and the rest of the map falls into place.

*By Magnus Müller · Reviewed by Magnus Müller · Last updated: 2026-06-14*

What are the types of crypto licenses?

Crypto license types are categories of authorisation keyed to regulated activities, not to companies. Under the EU's MiCA there are ten crypto-asset services, the FATF sets five VASP activities as the global AML floor, and Dubai's VARA licenses eight activities. You hold a licence for each activity you carry out.

The activity buckets that matter in practice are: exchange, dealer or market-maker, custody, broker or OTC desk, payment and transfer, lending, fund and asset management, mining, staking, crypto ATM, security token offering (STO), NFT marketplace, derivatives, and token issuance (ICO). Each maps to a regulated activity, and each activity carries its own article reference and regime, set out in the complete guide to crypto licensing.

You are licensed per activity, not per company

The load-bearing rule of this entire field: licensing follows the regulated activity, never the corporate label. MiCA defines a "crypto-asset service" and then lists the ten services that count under Article 3(1)(16) and points (17) to (26). A firm that runs an exchange and also holds client keys is authorised for two services, not one. So the question is never "do I need a crypto license," it is "which regulated activities am I performing." For a deeper read on the legal categories themselves, see our legal taxonomy of crypto licence types.

The three counts to remember (MiCA 10, FATF 5, VARA 8)

Three numbers anchor the whole comparison. The EU's MiCA defines ten crypto-asset services. The FATF Recommendation 15 standard sets five VASP activities as the AML baseline every servicing business sits under. Dubai's VARA licenses eight activities. Different regimes draw the lines differently, but the same business model usually lands in the same place once you know what activity it constitutes.

First gate: is your asset a crypto-asset or a financial instrument?

Before you classify the activity, classify the asset. If the thing you trade, hold, or issue qualifies as a financial instrument, then MiCA does not apply at all. The EU's traditional markets regime takes over: MiFID II for securities and derivatives, AIFMD or UCITS for fund units. This is set out in the ESMA Guidelines on qualifying crypto-assets as financial instruments, reference ESMA75453128700-1323, dated 19 March 2025. Security tokens, crypto derivatives, and pooled fund units all leave the MiCA lane through this gate.

When MiCA applies (it is a crypto-asset)

If the asset is a genuine crypto-asset and not a financial instrument, you are in the MiCA CASP authorisation lane under Title V. That covers the great majority of exchange, custody, broker, and payment businesses. The MiCA crypto-asset service definitions in Article 3(1) tell you which of the ten services you are performing, and CASP authorisation under MiCA Title V is the route to operating across the EU.

When MiCA does NOT apply (financial instruments)

Three forks send you out of MiCA. A token conferring share or bond-equivalent rights is a transferable security under ESMA Guideline 2 and MiFID II Article 4(1)(44), so the prospectus and securities rules apply. A pooled fund whose token is a unit in a collective investment undertaking falls under ESMA Guideline 4 and the AIFMD or UCITS regime. A crypto derivative contract is assessed against MiFID II Annex I Section C points (4) to (10) under ESMA Guideline 5. In the United States the equivalent forks send you to the SEC for securities and the CFTC for commodities and derivatives.

Infographic 1 placement: the financial-instrument gate diagram sits here, after this intro and before the activity map.

Crypto license types by business model (the activity map)

This is the working map: take your business model, read across to the regulated activity it constitutes, then to the regime and article that governs it. The table below covers all fourteen common models. Where the EU treats an activity outside the CASP regime, the table says so plainly.

Exchange / trading platform license

Running a venue that matches third-party buy and sell interests is "operation of a trading platform" under MiCA Article 3(1)(18). Dubai's VARA classes it as Exchange Services, Singapore's MAS treats it as a DPT service under the Payment Services Act, and in the United States it is a FinCEN money transmitter, an MSB, with possible SEC or CFTC overlay. For the full operating build, see crypto exchange licensing.

Dealer / market-maker (own account)

A dealer or market-maker buys and sells crypto against fiat or other crypto using its own capital, rather than matching third-party orders. Under MiCA this is "exchange of crypto-assets for funds" at Article 3(1)(19) or "exchange of crypto-assets for other crypto-assets" at Article 3(1)(20). The proprietary nature of the trading separates it from running a venue.

Custody / wallet license

Safekeeping clients' crypto, or controlling the means of access such as private keys, is "custody and administration of crypto-assets on behalf of clients" under MiCA Article 3(1)(17). Dubai is stricter: VARA requires custody to be a standalone, segregated legal entity. Singapore covers custody under its DPT regime, and in the United States a custodian that controls value is a FinCEN money transmitter.

Broker / OTC desk license

A broker or OTC desk executes, receives and transmits, or places client orders. MiCA splits this across three services: execution of orders at Article 3(1)(21), reception and transmission of orders at Article 3(1)(23), and placement at Article 3(1)(22). Dubai bundles these under VARA Broker-Dealer Services.

Payment / e-money / transfer license

Moving crypto for clients, running fiat-crypto payment rails, or issuing e-money tokens is regulated activity. MiCA names "transfer services for crypto-assets on behalf of clients" at Article 3(1)(26), with e-money tokens governed by the EMT regime in Title IV. Dubai lists this as Transfer and Settlement Services, Singapore as money-transfer and e-money services, and the United States as a FinCEN MSB. If your model centres on an e-money or stablecoin token, see stablecoin (EMT) issuer licensing.

Lending / borrowing (is it even licensed?)

Crypto lending is one of the most mis-sold "licenses." Taking or extending crypto loans is not one of MiCA's ten CASP services: in the EU it falls under national and credit law instead. Dubai does license it explicitly as VARA Lending and Borrowing Services, while Singapore restricts retail crypto lending under the DTSP regime, limiting it to institutional and accredited investors. VERIFY: confirm the MAS retail-lending restriction against the FSM Act primary text before publishing.

Fund / asset management license

Two different paths apply. A discretionary per-client mandate is "portfolio management of crypto-assets" under MiCA Article 3(1)(25). A pooled fund whose token is a unit in a collective investment undertaking is not MiCA at all: under ESMA Guideline 4 the AIFMD or UCITS fund regime governs. Dubai lists fund work as Management and Investment Services.

Mining (usually not a financial license)

Pure mining validates and secures a proof-of-work network for block rewards. It handles no client assets, so it is not a licensed financial activity under MiCA, FATF, VARA, or MAS. It is governed instead by energy, environmental, tax, and corporate law for the country where the operation sits. MiCA imposes only a sustainability disclosure on consensus mechanisms, not a mining licence. Telling a miner they need a "crypto mining license" is usually wrong.

Staking / staking-as-a-service

Staking is not a named MiCA service. When you stake on a client's behalf, assess the model against MiCA custody at Article 3(1)(17) and the collective-investment-undertaking criteria, because staking-as-a-service can trigger custody and fund-like rules. Singapore is explicit: MAS covers validation services like staking under its DTSP scope and bans retail staking via intermediaries, restricting it to institutional and accredited investors. VERIFY: confirm the MAS staking scope and retail ban against the FSM Act primary text before publishing.

Crypto ATM / kiosk (BTM)

In the United States, the operator of an ATM-like terminal that exchanges cash for crypto is a FinCEN money transmitter and must register as an MSB, per Guidance FIN-2019-G001 of 9 May 2019. In the EU a kiosk performing fiat-crypto exchange is a MiCA exchange service.

STO / security token offering

A security token offering issues tokens conferring share or bond-equivalent rights. That makes the token a transferable security, so it is MiFID II, not MiCA. ESMA Guideline 2 sets the test against MiFID II Article 4(1)(44), bringing prospectus and securities rules into play. In the United States the SEC governs through the Howey analysis. VERIFY: pull the specific Securities Act provision before quoting US regulation numbers.

NFT marketplace

MiCA generally excludes crypto-assets that are unique and not fungible with other crypto-assets, under Article 2(3). But classification is substance over form. ESMA's qualification Guidelines warn against classifying on technical uniqueness alone: fractionalised NFTs, large series, or NFTs that confer financial-instrument rights fall back into MiCA or MiFID II.

Derivatives (futures / options / perps)

Crypto-referenced derivative contracts are MiFID II, not MiCA. ESMA Guideline 5 assesses them against MiFID II Annex I Section C points (4) to (10), and names tokenised perpetual futures explicitly. In the United States the CFTC has jurisdiction over crypto as a commodity. VERIFY: pull the specific Commodity Exchange Act cite before quoting US regulation numbers.

ICO / token issuance (non-security)

Offering "other" crypto-assets, asset-referenced tokens, or e-money tokens to the public is the MiCA issuer and offeror regime under Titles II to IV, which is distinct from the CASP service authorisation and is not one of the ten Article 3(1)(16) services. The FATF treats issuance as VASP activity (v).

How licensed activities compare across regimes

The same activity carries a different name and count depending on the regulator. The counts are worth memorising because they reveal how each regime draws its boundaries.

Infographic 2 placement: the activity-counts comparison columns sit here, near the top of this section.

EU (MiCA): ten crypto-asset services

MiCA frames everything around the ten crypto-asset services in Article 3(1) points (17) to (26): custody, operation of a trading platform, the two exchange services, execution, placement, reception and transmission of orders, advice, portfolio management, and transfer services. A CASP is authorised for each of the services it provides.

Global AML floor (FATF): five VASP activities

The FATF Recommendation 15 standard defines a virtual asset service provider by five activities: exchange between virtual assets and fiat, exchange between virtual assets, transfer of virtual assets, safekeeping or administration, and participation in financial services related to issuance. VERIFY: hand-check the five-activity wording against the FATF Glossary PDF before quoting verbatim, as fatf-gafi.org was bot-blocked during research.

Dubai (VARA): eight licensed activities

Dubai's VARA licenses eight virtual-asset activities: Advisory, Broker-Dealer, Custody, Exchange, Lending and Borrowing, Management and Investment, Transfer and Settlement, and VA Issuance (Category 1). Activities may aggregate under one licence, with one carve-out: custody must be a standalone, segregated entity. See the full picture in our Dubai VARA guide.

Singapore (MAS): PSA DPT service + FSM Act DTSP regime

Singapore runs two layers. The Payment Services Act 2019 DPT service covers buying, selling, and exchange-platform provision for digital payment tokens. The newer FSM Act DTSP regime, in force 30 June 2025, covers dealing, custody, transfer, facilitating exchange, advising, and validation services such as staking, with retail crypto lending and intermediated staking restricted to institutional and accredited investors. VERIFY: re-verify the exact DTSP service list and retail restrictions against MAS primary text, as the explainer page returned a maintenance error during research.

United States: three regulators (FinCEN / SEC / CFTC)

The United States splits crypto across three authorities rather than one regime. FinCEN handles AML and money transmission through MSB registration. The SEC governs anything that is a security. The CFTC governs commodities and derivatives. The same exchange can touch all three depending on what it lists.

How to choose the right crypto license for your business model

Turn the table into a decision flow. Work through these five steps in order and you reach the named licence and jurisdiction at the end.

1. What do you touch? If you issue or offer a token, you are in the issuer regime (MiCA Titles II to IV, or securities law if the token is a security). If you service others' crypto, continue.
2. Is the asset a financial instrument? Share or bond rights make it a security token (MiFID II / SEC). A derivative contract is MiFID II / CFTC. A pooled fund unit is AIFMD / UCITS. Otherwise it is a crypto-asset under MiCA, per the ESMA qualification Guidelines.
3. Which service are you performing? Run a venue (exchange), hold keys (custody), execute or route orders (broker-dealer), move value (payment), lend or yield (lending), manage portfolios or funds, or operate validators (staking). Each maps to its MiCA article above.
4. Physical or niche models. A cash kiosk is a FinCEN MSB. Mining is energy and tax, not a financial licence. An NFT marketplace is MiCA-excluded unless the tokens are financialised.
5. Stack the AML floor and pick a jurisdiction. Every servicing activity also triggers the FATF VASP AML baseline. Then compare licensing jurisdictions, because the same activity carries a different licence name and capital floor in each.

Step 1 - What do you touch? (issue vs service)

Issuing your own token is fundamentally different from servicing other people's crypto. Issuance is the offeror regime under MiCA Titles II to IV, or securities law where the token is a security. Servicing pushes you into the CASP services. Establish this first, because it decides whether you are reading the issuer titles or the service definitions.

Step 2 - Is the asset a financial instrument?

This is the gate from earlier, applied to your specific token. Run the ESMA Guidelines 2, 4, and 5 tests. A "yes" on any of them takes you out of MiCA into MiFID II, AIFMD, the SEC, or the CFTC.

Step 3 - Which service are you performing?

If you are firmly inside MiCA, match the precise service: exchange, custody, broker functions, payment, fund management, or staking-adjacent activity. Use the MiCA Article 3(1) service definitions as the checklist. A multi-service firm holds one authorisation covering several services.

Step 4 - Physical / niche models (ATM, mining, NFT)

The edge cases trip up the most founders. A cash kiosk is a US money transmitter. Mining is governed by energy, tax, and corporate law, not a financial licence. An NFT marketplace is generally outside MiCA unless the tokens are fractionalised or carry financial rights, in which case the ESMA financialisation analysis pulls them back in.

Step 5 - Stack the AML floor and pick a jurisdiction

Whatever prudential licence applies, the FATF Recommendation 15 VASP AML/KYC baseline sits beneath it. Only once the activity and the AML layer are settled do you choose where to apply, because the same activity becomes a MiCA CASP class, a VARA category, a MAS DPT or DTSP service, or a US MSB, SEC, or CFTC registration depending on the jurisdiction.

Have questions about your specific situation? Book a free 15-minute discovery call with our licensed advisors, no commitment. Book a Call

The AML layer sits under every crypto license

No matter which prudential licence you hold, the AML registration layer stacks beneath it. The FATF Recommendation 15 standard sets a VASP AML and KYC baseline that applies to servicing activities regardless of the activity-specific authorisation. An exchange, a custodian, and a payment firm all hold different prudential licences, yet all carry the same VASP AML obligations underneath. Understand the VASP AML baseline before you build, because it shapes onboarding, monitoring, and reporting across every model. The detailed control set lives in our AML/KYC compliance requirements.

Can one company hold multiple crypto licenses?

Yes, and most operating businesses do. Under MiCA a CASP can be authorised for several crypto-asset services in a single authorisation, so one entity can run an exchange and offer custody and execution under one CASP licence. Dubai works similarly: VARA lets activities aggregate under one licence, with the single exception of custody, which must be a standalone, segregated legal entity. The practical implication is that you scope by the bundle of activities you perform, not by entity count.

From our practice

In our advisory work the most common scoping mistake is treating "crypto license" as a single product to acquire, then discovering mid-process that the business performs three regulated activities, not one. A firm that runs a venue, holds client keys, and moves funds is doing exchange, custody, and transfer at once, and each must be in scope from the start. The second recurring error is skipping the financial-instrument gate: a team builds toward a MiCA CASP application only to find their token is a transferable security that needed MiFID II all along. The third is the mining or staking misconception, where operators budget for a "license" that does not exist as a financial authorisation. We avoid these by mapping every activity before any application opens, and by running the financial-instrument test first. The figures and capital floors that attach to each named licence belong on the relevant jurisdiction and requirements pages, not here.