VASP License: How to Become a Licensed Virtual Asset Service Provider

A VASP license is a national authorization or registration that lets a virtual asset service provider operate legally under the global anti-money-laundering baseline set by the Financial Action Task Force (FATF). There is no single worldwide VASP license. Instead, each country licenses or registers VASPs and supervises them through a competent authority, following one shared standard.

That single sentence already resolves the biggest source of confusion. Founders and compliance officers searching for a "VASP license" often expect one credential they can apply for once and use everywhere. The reality is layered: FATF writes the rules, individual countries implement them, and the form ranges from a light-touch AML registration to a full financial-services authorisation such as the EU's CASP regime under MiCA. This pillar explains what a VASP is, the five activities that put you in scope, what obligations you carry, and the step-by-step path to becoming licensed, then points you to the country, requirement and cost detail in our supporting guides.

What is a VASP license? (Virtual Asset Service Provider, defined)

A VASP license is the authorization or registration a country grants to a Virtual Asset Service Provider so it can lawfully conduct crypto-asset business under FATF's AML/CFT standard. FATF Recommendation 15 requires every country to license or register VASPs and to supervise them through a competent authority, applying the same preventive measures used for financial institutions S1, S3.

The key word is "national." FATF is a standard-setter, not a regulator that issues licenses. It defines what a virtual asset and a VASP are, sets the obligations, and then expects member jurisdictions to put a licensing or registration regime in place. As a result, the documents, capital and timelines you face depend entirely on where you apply, even though the underlying duties are largely the same. For the full definitional deep-dive, see our guide to what is a VASP (FATF definition).

The FATF definition of a virtual asset (VA)

FATF defines a virtual asset, verbatim, as "a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes" S1, S2. The definition deliberately excludes digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations. In other words, a tokenised version of something already regulated does not become a "virtual asset" simply because it sits on a blockchain.

The FATF definition of a VASP

FATF defines a virtual asset service provider, verbatim, as "any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person" S1, S2. Three phrases carry the weight. "As a business" excludes one-off personal dealings. "For or on behalf of another" excludes activity you do purely for your own account. And "one or more of the following activities" points to the five-activity test that follows.

Why there is no single global "VASP license"

There is no global VASP license because FATF only sets the standard, while national competent authorities license, register and supervise S5. A business that conducts the same activity in Estonia, Lithuania and the UAE will face three different application processes, three sets of capital and substance rules, and three supervisory relationships, even though all three regimes trace back to FATF Recommendation 15. This is exactly why "where do I apply" matters as much as "do I qualify," and why the FATF crypto guidelines are the right starting point rather than any single country's product page.

The five FATF activities that make you a VASP

You are a VASP if, as a business and on behalf of another person, you conduct any one of FATF's five activities. The list is functional, not technical, and you should always treat all five together S1, S2:

1. Exchange between virtual assets and fiat currencies
2. Exchange between one or more forms of virtual assets
3. Transfer of virtual assets
4. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
5. Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset

A common error in secondary summaries is to drop activity three, "transfer." Never do that. The transfer activity is precisely what triggers the FATF Travel Rule under Recommendation 16, so a business that only moves virtual assets for clients is still a VASP and still carries Travel Rule duties.

The activity-based (functional) test, not a technology test

The VASP test is functional, not technology-based. If you conduct any of the five activities as a business for or on behalf of another person, you are a VASP regardless of the technology you use or the label you give your product S1, S2. FATF's risk-based-approach guidance focuses on entities with control over virtual assets and excludes parties that merely provide ancillary infrastructure, such as cloud or hardware providers and certain non-custodial software S2. The 2023 and 2025 targeted updates extend the analysis to DeFi, peer-to-peer transactions, NFTs, self-hosted wallets and stablecoins, so emerging models cannot assume they sit outside the perimeter S3.

Are you a VASP? A quick decision check

The fastest way to self-assess is to walk your business model against the five activities, then apply the "as a business, for or on behalf of another person" gate. If you hold or move clients' virtual assets, swap them, or arrange financial services around a token issuance, you are almost certainly in scope. If you only supply infrastructure that others use to do those things, and you never take control of client assets, you may sit outside the definition. The decision tree below maps the most common models. For a verdict on your specific setup, the VASP license requirements guide breaks each activity down further.

Do you need a license or just a registration?

FATF requires VASPs to be licensed or registered and supervised, but it leaves the exact form to each country. Some jurisdictions use a light-touch AML registration, others require a full authorisation such as the EU's CASP licence under MiCA S5, S6. The distinction is not cosmetic. A registration typically checks AML controls and fit-and-proper status; a full licence adds prudential capital, governance and conduct requirements, and usually a longer review.

License vs registration vs MiCA CASP authorisation

Three regime types now coexist. A pure AML registration confirms that you meet the FATF baseline and is the lightest path. A full national licence layers prudential and conduct obligations on top of the AML floor. And inside the EU, the CASP authorisation under MiCA replaces national VASP registration entirely with a single, passportable financial-services licence. Choosing among them is a strategic decision about cost, time and market access, which is why it sits at the front of the registration process rather than the end. Our guide on where to register a VASP compares the live regimes side by side.

Where must a VASP be licensed or registered?

Under FATF, a VASP must, at minimum, be licensed or registered in the jurisdiction where it is created or incorporated; a host state may also require licensing or registration where services are offered to its residents S5. In practice this means your country of incorporation sets the baseline obligation, while expansion into new markets can trigger additional local registration. VERIFY: the precise INR.15 "jurisdiction of creation" wording should be confirmed against the FATF Glossary before publishing as a direct quote (see Open questions).

How to become a licensed VASP: step-by-step

Becoming a licensed VASP follows a consistent nine-step path, even though the detail of each step is set nationally. The sequence below is jurisdiction-agnostic; map it to your chosen country once you have picked a regime S1, S3, S5.

Step 1, Confirm you are a VASP (map the five activities)

Start by mapping your business model against the five FATF activities. If you conduct any one of them as a business for clients, you are in scope and must be licensed or registered somewhere S1, S2. Getting this gate right early prevents the expensive mistake of designing a product first and discovering the regulatory perimeter later.

Steps 2–3, Choose a jurisdiction and incorporate a local entity

Pick a jurisdiction, then confirm its competent authority and regime type: pure AML registration, full licence, or MiCA CASP. Next, incorporate a local legal entity and meet the substance requirements, which typically include a registered office and, in many regimes, a local or resident AML officer. Jurisdiction choice drives everything downstream, so weigh cost, timeline, capital and market access together. Our where to register a VASP comparison and the per-country guides for Lithuania and Estonia lay out the live options.

Steps 4–6, Capital, AML/CFT programme, key personnel

Meet any capital or financial requirement the jurisdiction imposes; these range from EUR 0 in pure-registration regimes to six-figure amounts in licensed regimes. Then build the AML/CFT programme: written policies, a business-wide risk assessment, CDD/KYC procedures, transaction monitoring, sanctions screening, recordkeeping, a Travel Rule solution and STR reporting lines. Finally, appoint and vet your key personnel, an MLRO and management board, all of whom must pass fit-and-proper checks. The full breakdown sits in our VASP license requirements guide, and budgeting detail in VASP license cost.

Steps 7–9, File, regulator review, ongoing supervision

File the application with the regulator, which usually means corporate documents, a business plan, the AML manual, ownership and UBO disclosure, source-of-funds evidence and background checks, plus the state fee. The regulator then reviews the file, may ask you to remediate gaps or attend an interview, and grants the registration or licence. From there you enter ongoing supervision: periodic reporting, audits or inspections, renewals and change-of-control notifications. Becoming a VASP is therefore not a one-time event but the start of a continuing compliance relationship.

Have questions about your specific situation? Book a free 15-minute discovery call with our licensed advisers at Crypto Valley Partners. No commitment, just a clear read on your scope and the fastest compliant route. Book a Call

What AML obligations does a VASP have?

A VASP carries the same core AML/CFT obligations as a financial institution. FATF expects every VASP to run customer due diligence, identify beneficial owners, monitor transactions, screen against sanctions and PEP lists, report suspicious transactions, keep records and transmit Travel Rule data S1, S3. These duties apply continuously, not just at onboarding, and they are what supervisors test in inspections. A complete framework lives in our AML/KYC compliance program guide.

Customer due diligence (CDD/KYC) and enhanced due diligence

Customer due diligence is the foundation. A VASP must verify customer identity at onboarding and apply enhanced due diligence for higher-risk customers, products or geographies S1, S3. Risk-rating each relationship determines how much scrutiny it receives, and that rating must be revisited as behaviour changes. Weak CDD is the most common reason supervisors flag remediation, so it is worth over-engineering rather than under-engineering at launch.

UBO identification, monitoring, sanctions and STR reporting

Beyond onboarding, a VASP must identify ultimate beneficial owners, run ongoing transaction monitoring, screen customers and counterparties against sanctions and PEP lists, and file suspicious transaction reports with the national Financial Intelligence Unit. All of this must be supported by recordkeeping that lets a regulator reconstruct activity after the fact S1, S3. These obligations operate as a system: monitoring surfaces anomalies, screening blocks prohibited parties, and STR filing escalates genuine suspicion to the authorities.

The MLRO / AML compliance officer requirement

Almost every regime requires a VASP to appoint a Money Laundering Reporting Officer, also called an AML compliance officer. Many jurisdictions go further and require that officer to be dedicated, local or resident; Lithuania, for example, mandates a dedicated AML officer within the company [S9](#sources). The MLRO owns the AML programme, signs off on STR filings and is the regulator's point of contact, so the appointment is a fit-and-proper decision in its own right, not an administrative formality.

The FATF Travel Rule (Recommendation 16) explained

The FATF Travel Rule is the application of Recommendation 16 to virtual-asset transfers. It requires VASPs to obtain, hold and transmit originator and beneficiary information for transfers above a set threshold, so that crypto transfers carry the same identifying data as traditional wire transfers S1, S4. Because the data moves off-chain between the sending and receiving VASPs, the rule depends on counterparties cooperating, which is where most of the friction lies. We summarise it here and cover the mechanics in full in our guide to the crypto Travel Rule. VERIFY: the exact INR.16 data-element wording is taken from a secondary paraphrase and should be confirmed against INR.16 before publishing as a quote (see Open questions).

The Travel Rule threshold and national variants

FATF's recommended de-minimis threshold is USD/EUR 1,000, but national thresholds vary. The EU has moved toward no threshold for many transfers, the US uses USD 3,000, Canada uses CAD 1,000 and New Zealand uses NZD 1,000 S4, S3. The table below summarises the main variants.

What information must travel with a transfer?

For transfers at or above the threshold, the originating VASP must obtain, hold and transmit the originator's data, and the beneficiary VASP must obtain and hold the beneficiary's data S4:

• Originator: name; account number or unique transaction reference; full physical address (or a national identity number, customer ID, or date and place of birth); date of birth for natural persons; BIC, LEI or unique official identifier.
• Beneficiary: name; account number or unique transaction reference; and where applicable country and town or city, plus BIC, LEI or unique official identifier.

Below the threshold, name and account number or reference are still required for both parties, but verification is not mandatory unless money laundering or terrorist financing is suspected S4.

The "sunrise problem"

The "sunrise problem" describes the gap that arises when a VASP in a jurisdiction that enforces the Travel Rule must transact with a counterparty in a jurisdiction that has not yet implemented it. The compliant VASP still has to gather and hold the required data, but the counterparty may be unable or unwilling to receive or send it, creating an operational friction that persists until global rollout catches up S4. Until then, VASPs manage it through counterparty due diligence and documented policies for non-compliant jurisdictions.

VASP vs CASP: how MiCA changed the picture

VASP and CASP are not interchangeable. A VASP registration is the AML floor set by FATF; a CASP authorisation under the EU's MiCA regulation is the full financial-services licence built on top of it S6. MiCA built on FATF's foundation but went substantially further, creating a complete authorisation that covers prudential, conduct and AML requirements rather than AML alone. The practical effect inside the EU is that national VASP regimes are being switched off and replaced. See the VASP vs CASP differences guide for the full comparison.

VASP (FATF) vs CASP (EU MiCA) at a glance

Facts in the table are drawn from the brief S6.

The EU sunset: national VASP regimes being replaced

CASP rules have applied since 30 December 2024, and EU member states including Estonia, Lithuania and Poland are sunsetting their national VASP or VCSP registration regimes in favour of MiCA CASP authorisation S6, S7. For operators this is a migration, not a one-off filing: a legacy registration obtained before the cutover must usually be converted to a CASP authorisation by a national deadline or the operator must cease activity. If you are weighing an EU base, read registering a VASP in Poland and the country comparison before committing.

VASP registration by country: examples and capital

Because FATF only sets the floor, the figures that matter to your budget are national. The table below shows two representative legacy regimes and where they now stand under MiCA. For the full list of live jurisdictions, see where to register a VASP.

Figures above are drawn from the brief [S8, S9](#sources). VERIFY: national capital figures come from legal and industry sources rather than statute text and should be confirmed against the Estonian AML Act and the Lithuanian AML/CTF Law before publishing as fact (see Open questions).

Estonia (legacy VCSP, now MiCA CASP)

Estonia's legacy regime ran through the Financial Intelligence Unit, with supervision moving to Finantsinspektsioon under MiCA. Minimum share capital was EUR 100,000, rising to EUR 250,000 for providers offering virtual-asset transfer services, the management board needed at least two members, and all key persons had to pass fit-and-proper tests covering criminal record, education and experience [S8](#sources). Estonia stopped accepting new VCSP authorisations from 30 December 2024, and existing authorisations expire on 1 July 2026, after which operators must hold a MiCA CASP authorisation or cease activity S7. Our VASP registration in Estonia guide covers the transition in detail.

Lithuania (legacy VASP, transitioning to CASP)

Lithuania tied legacy supervision to the Register of Legal Entities for formal and AML conditions, with the Bank of Lithuania acting as the MiCA CASP competent authority. Authorised share capital was set at EUR 125,000 from 1 November 2022, and the company had to appoint a dedicated AML officer with a local presence S9, S10. A transitional VASP registration under pre-MiCA conditions was available until 30 December 2025, after which all operators must hold CASP authorisation. The full process sits in our VASP registration in Lithuania guide.

Non-EU options where AML-only VASP registration still exists

While the EU consolidates around CASP, AML-only VASP registration still exists in a number of non-EU jurisdictions, which can suit businesses that need a compliant base without the full prudential weight of MiCA. These regimes keep the FATF baseline, license or register the activity, and apply AML/CFT supervision, but they vary widely in capital, timeline and market reach. We do not quote specific figures here to avoid stating numbers outside their source regime; the live, comparable list is maintained in where to register a VASP.

Key dates: the VASP-to-CASP transition timeline

The transition from national VASP regimes to MiCA CASP authorisation has a clear chronology, and missing a deadline can mean a forced wind-down. The dated milestones below come from the brief S3, S6, S7, S9.

• 2018/2019: FATF adds VASPs to Recommendation 15, extending AML/CFT measures to virtual assets.
• October 2021: FATF updates its risk-based-approach guidance for virtual assets and VASPs.
• 30 December 2024: MiCA CASP rules apply; Estonia stops accepting new VCSP authorisations.
• 30 December 2025: Lithuania's transitional VASP registration window ends.
• 1 July 2026: Estonia's legacy VCSP/VASP authorisations expire; operators must hold a MiCA CASP authorisation or cease.
• 2024/2025: FATF targeted updates extend scope to DeFi, P2P, NFTs and stablecoins and push Travel Rule rollout.

VASP compliance landscape: where the world stands

Global VASP supervision is still uneven. According to the FATF report cited by Chainalysis, of 58 assessed jurisdictions roughly 17 percent (10) had no VASP licensing framework, around 33 percent (19) had not implemented the Travel Rule, and about 28 percent (16) had no enforcement, with the Bahamas the only jurisdiction rated fully compliant S5. These figures are as of the FATF March 2024 report and may have shifted in the 2025 targeted update, so treat them as a vintage snapshot rather than the current count. VERIFY: pull the latest implementation statistics from the 2025 FATF targeted update before publishing (see Open questions). The practical takeaway for founders is that picking a jurisdiction with a mature, enforced regime reduces the risk of sudden regulatory tightening later.

How Crypto Valley Partners helps you become a VASP

Crypto Valley Partners is based at Aegeristrasse 5, 6300 Zug, Switzerland, in the heart of Crypto Valley, and works with founders, exchange operators and compliance teams who need to become licensed VASPs across multiple jurisdictions. Our approach is straightforward: confirm whether you are a VASP against the five activities, match your business model to the right regime type, and then run the application and ongoing-compliance work end to end.

From our practice, the projects that move fastest are the ones that settle jurisdiction and scope before drafting a single application document, and the ones that stall are usually those that designed a product without checking the regulatory perimeter first. We do not publish fixed prices because the right structure, and its cost, depends on your activities, target markets and the regime you choose. We do give you a clear, written read on your scope, the realistic timeline and the documents you will need, so there are no surprises later. To see the full picture before you start, read our pillar on crypto licensing worldwide or learn more in the FATF crypto guidelines guide.