What Is a Virtual Asset Service Provider (VASP)? FATF Definition and Scope

A virtual asset service provider, or VASP, is any natural or legal person who, as a business and for or on behalf of another person, carries out one or more of five activities defined by the Financial Action Task Force (FATF): exchanging, transferring, or safekeeping virtual assets, or providing financial services around a token sale.

That single sentence carries the entire framework, but the detail is where most businesses get caught out. The term is not marketing language and it is not interchangeable with "crypto company." It is a defined legal concept, written into the FATF Glossary and scoped by FATF Recommendation 15, that determines whether your business must be licensed or registered, supervised for anti-money-laundering purposes, and made subject to the crypto Travel Rule in every country where you operate. If you are weighing whether your exchange, wallet service, OTC desk, or token-sale platform needs a VASP license, the analysis starts with this definition. This guide from Crypto Valley Partners sets out the verbatim FATF text, the five activities in order, the two tests that decide who is in scope, the businesses that are exempt, and how DeFi, NFTs, stablecoins, and peer-to-peer transfers are treated.

What is a virtual asset service provider?

A VASP is any natural or legal person who is not already covered elsewhere in the FATF Recommendations and who, as a business, conducts one or more of five virtual-asset activities for or on behalf of another person. Those activities are exchange between virtual assets and fiat, exchange between virtual assets, transfer, safekeeping or administration, and financial services tied to a token offer or sale. (FATF Glossary)

The reason the definition matters is consequence. Once a business meets it, FATF Recommendation 15 requires the country it operates in to license or register it, supervise it for anti-money-laundering and counter-terrorist-financing compliance, and apply customer due diligence, record-keeping, suspicious-transaction reporting, and the Travel Rule. The label a business chooses for itself is irrelevant. FATF treats the question by function, not by form, technology, or branding (Davis Polk).

The FATF definition, word for word

The FATF Glossary defines the term as follows:

"Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: i. exchange between virtual assets and fiat currencies; ii. exchange between one or more forms of virtual assets; iii. transfer of virtual assets; iv. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; v. participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset."

This five-activity list, set out in the FATF Glossary, is the operative text. It is quoted verbatim across independent legal analysis from Norton Rose Fulbright and Hacken, and we reproduce it here without paraphrase because the precise wording, particularly "instruments enabling control" and "as a business," does the legal work.

The two tests that decide if you are a VASP

Two qualifiers in the definition act as gating tests, and both must be satisfied before any of the five activities pull a business into scope (Notabene).

The first is "as a business." Incidental or one-off activity is not VASP activity. A person who occasionally helps a friend move crypto, outside any commercial undertaking, is not running a VASP.

The second is "for or on behalf of another natural or legal person." Acting purely for yourself is outside the definition. An individual who buys, holds, swaps, or moves their own virtual assets, not as a business and not on behalf of anyone else, is not a VASP. This carve-out is the single most important one and the basis for most of the out-of-scope edge cases below (Davis Polk).

What is a virtual asset (VA) under FATF?

You cannot define a VASP without first defining the asset it deals in. The VASP definition is built directly on top of the virtual-asset definition, so FATF expects both to be read together.

The VA definition and its two exclusions

The FATF Glossary defines a virtual asset as follows:

"A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations."

The definition is deliberately expansive. FATF's 2021 guidance stresses that the term is meant to capture broadly, so that there are no situations in which a relevant financial asset escapes the standards altogether, either as a virtual asset or as a traditional financial asset (Davis Polk).

Two exclusions are baked in at the asset level, before any VASP analysis even runs (Notabene):

• Digital representations of fiat currency, including central-bank digital currencies (CBDCs), are not virtual assets.
• Securities and other financial assets already covered elsewhere in the FATF Recommendations are not virtual assets. They remain regulated under whichever existing Recommendation applies, not under Recommendation 15.

The guiding principle is again function over form: what matters is how an instrument behaves and what already covers it, not what it is called (Norton Rose Fulbright).

What are the five FATF activities that make a business a VASP?

The five activities are the definitional core. We keep FATF's roman-numeral order, give each the verbatim wording, a plain-English gloss, and a concrete example of who performs it.

1. (i) Exchange between virtual assets and fiat currencies. The classic on-ramp and off-ramp, converting crypto to cash and cash to crypto. Performed by centralized exchanges quoting BTC against USD and by OTC desks taking fiat (Norton Rose Fulbright).
2. (ii) Exchange between one or more forms of virtual assets. Crypto-to-crypto swaps, for example ETH for USDT. Performed by an exchange trading pair or a token-swap service that intermediates the trade (Norton Rose Fulbright).
3. (iii) Transfer of virtual assets. Moving a virtual asset from one address or account to another on behalf of a customer. This activity is the trigger for the crypto Travel Rule. Performed by a custodial wallet or exchange processing a withdrawal, or by a payment processor (Notabene).
4. (iv) Safekeeping and administration of virtual assets, or of instruments enabling control over them. Custody. Holding the asset, or holding the private keys that control it. The phrase "instruments enabling control" is what pulls custodial wallet providers in even when they technically hold keys rather than the asset itself. Performed by custodians, custodial wallets, and exchanges holding customer balances (FATF Glossary via Hacken).
5. (v) Financial services for an issuer's token offer or sale. Underwriting, placement, and related financial services around an ICO, IEO, or token sale. Performed by a platform running a token sale for an issuer, or by a launchpad (Norton Rose Fulbright).

The coverage principle is consistent across all five: treatment is by function, not by form, label, or technology. Perform one of these activities as a business for others and you are a VASP, regardless of what you call the operation (Davis Polk).

From our practice

In our licensing work the activity that most often surprises clients is (iv) safekeeping and administration. Founders frequently assume that because they never touch a customer's coins directly, they sit outside the definition. But holding the keys, not just the asset, is enough. The "instruments enabling control" wording means a service that retains the ability to move a customer's assets is performing a VASP activity, even where the architecture was designed to feel custody-light. That single point reshapes more scoping conversations than any other.

Who qualifies as a VASP, and who is exempt?

This is the section most businesses come for. Once the two gating tests and the five activities are clear, the in-scope and out-of-scope picture follows. A business is in scope when it performs at least one of the five activities, as a business, for another person. It is out of scope when it fails one of those conditions or falls within an explicit FATF carve-out (Norton Rose Fulbright).

Businesses that are in scope (textbook VASPs)

The clear cases share one feature: they perform one of the five activities commercially, for customers. Centralized exchanges sit squarely in scope because they handle both crypto-to-fiat and crypto-to-crypto exchange. Custodial wallet providers are in because they hold keys or assets for users. Virtual-asset payment processors and transfer services perform activity (iii). OTC desks and brokers handle exchange. ICO/IEO platforms and token-sale launchpads provide the financial services described in activity (v) (Hacken).

Persons FATF treats as out of scope

The exemptions rest on the "for or on behalf of another" and "as a business" tests, plus explicit FATF statements that it does not seek to regulate persons who merely operate the network or provide ancillary services (Davis Polk).

• Miners, validators, and node operators. Persons who solely operate the network, creating, validating, and broadcasting blocks, are not performing a VASP activity for another and are out of scope.
• Pure software and protocol developers. Writing or publishing software, including DeFi code and unhosted-wallet software, is not itself a VASP activity. The code is not a VASP (but see the DeFi control test below).
• Non-custodial, or "unhosted," wallet makers. Providing software or hardware that lets a user self-custody, where the provider never takes control of the user's assets or keys, is out of scope.
• Ancillary service providers and network infrastructure. FATF does not seek to regulate persons providing ancillary services or products to a virtual-asset network merely for that reason.
• Individuals transacting for themselves. A natural person trading or transferring their own virtual assets, not as a business and not on behalf of another, is not a VASP.
• CBDCs and already-regulated security tokens. These fall out at the virtual-asset definition level, not the VASP level, because they are covered elsewhere in the Recommendations (Notabene).

How FATF treats DeFi, NFTs, stablecoins, and P2P transfers

The hardest cases are the ones a simple checklist cannot resolve. FATF addresses each with a named test, applied case by case, function over label.

DeFi: the "control or sufficient influence" test

The software or protocol itself is not a VASP, and FATF will not regulate code. But creators, owners, operators, or others who maintain "control or sufficient influence" over a DeFi arrangement, its assets, or its financial services may qualify as VASPs, even where the arrangement calls itself decentralized (Davis Polk). FATF's 2021 guidance puts it bluntly: "launching a self-propelling infrastructure to offer VASP services is the same as offering them" (Notabene). You cannot escape the obligation by automating or decentralizing the service. The indicators FATF lists for control or influence include an ongoing business relationship with users, whether a party profits from the service, and whether a party can set or change the arrangement's parameters. In practice, many projects that brand themselves "DeFi" still have at least one party with enough control to be a VASP, and the assessment is always case by case.

NFTs: virtual assets only when used for payment or investment

NFTs are assessed case by case and are generally not virtual assets when they are unique collectibles or digital art. An NFT is a virtual asset if, in practice, it is used for payment or investment purposes, for example when it is fractionalized, used as a payment instrument, or behaves like a financial asset. NFTs that represent other financial assets already covered by the Recommendations are excluded at the asset-definition level. The test is how the NFT is used in practice, not how it is labeled (Davis Polk).

Stablecoins: a central governance body with control likely qualifies

A stablecoin can fall within the virtual-asset definition based on its functionality. Where a central governance or developer body maintains control or influence over the stablecoin arrangement, that body likely qualifies as a VASP, particularly if it also carries out other VASP functions. FATF notes that a range of entities within a single stablecoin arrangement can each be VASPs (Davis Polk).

P2P and unhosted wallets: no obligated VASP, higher risk

True peer-to-peer transfers, sent directly between individuals' unhosted wallets with no intermediary, are not directly subject to FATF obligations because there is no obligated VASP in the chain. FATF nonetheless flags such transfers as higher money-laundering and terrorist-financing risk and tells countries to monitor and mitigate. When a VASP transacts to or from an unhosted wallet, FATF expects it to apply risk-based controls and to collect the required crypto Travel Rule information for transfers above a de-minimis threshold (commonly cited as USD/EUR 1,000, verify) (Notabene).

Have questions about your specific situation? Book a free 15-minute discovery call with our licensed advisers, no commitment. Book a Call

Does FATF regulate VASPs directly?

A common misconception is that FATF itself licenses or polices VASPs. It does not. Understanding the standard-setter relationship is essential to knowing where your obligations actually come from.

FATF sets the standard; countries do the licensing

FATF is an intergovernmental standard-setter, not a regulator. It writes the global anti-money-laundering and counter-terrorist-financing standards and assesses how well countries implement them, but it issues no licenses and supervises no businesses. Recommendation 15 requires each country to license or register, supervise, and impose AML/CFT obligations on VASPs operating in its jurisdiction (Chainalysis). That is why your obligations crystallize at the national level: FATF defines, countries enforce. To choose a jurisdiction and route, see where to register a VASP, and to understand the licensing process, see how to become a licensed VASP.

What Recommendation 15 requires of VASPs

The core obligations that countries must place on VASPs under Recommendation 15 are consistent worldwide, even if the procedural detail differs (Chainalysis):

• Licensing or registration in the jurisdiction of operation.
• Supervision and monitoring for AML/CFT compliance, not merely registration.
• Customer due diligence.
• Record-keeping.
• Suspicious-transaction reporting.
• The Travel Rule under Recommendation 16.

For the full treatment of these obligations, see our FATF VASP compliance framework. Recommendation 15 was amended in October 2018 to add the VA and VASP definitions, and in June 2019 to add the interpretive note and the Travel Rule, bringing virtual assets fully under AML/CFT supervision (Norton Rose Fulbright).

How the VASP standard developed: a timeline of FATF Recommendation 15

The framework did not arrive all at once. It was assembled across four dated milestones, and global implementation is still uneven.

From 2018 definitions to the 2024/2025 targeted updates

• October 2018. FATF added the virtual-asset and VASP definitions to the glossary under Recommendation 15 (Chainalysis).
• June 2019. FATF issued the interpretive note to Recommendation 15 and extended the Travel Rule to virtual assets (Norton Rose Fulbright).
• October 2021. FATF published updated risk-based guidance covering the DeFi control test, the NFT case-by-case approach, and stablecoins (Davis Polk).
• 2024 and 2025. FATF issued annual targeted updates urging faster implementation of Recommendation 15 (Chainalysis).

Where global implementation stands today

Implementation remains a work in progress. As of 2023, FATF assessment data indicated that roughly 75% of 98 assessed jurisdictions were only partially compliant or non-compliant with Recommendation 15 (figure reported by Chainalysis reading FATF data, verify) (Chainalysis). A 2024 targeted update covering 58 jurisdictions suggested that about a third had not enacted Travel Rule legislation, roughly a sixth lacked any VASP registration or licensing framework, and a similar share had conducted no VASP supervisory inspection (figures as reported by Chainalysis citing the FATF 2024 targeted update, verify). These percentages come from a secondary reading of FATF material because the underlying FATF PDFs were not machine-accessible at research time; they should be browser-confirmed before publication.

VASP vs CASP: how the FATF term relates to MiCA

VASP is the global FATF term. CASP, or crypto-asset service provider, is the European Union's equivalent under the Markets in Crypto-Assets Regulation (MiCA). The two overlap heavily but are not identical: FATF sets a baseline AML/CFT standard for every country, while MiCA creates a full EU authorization and conduct regime with its own activity list and passporting. This page anchors on the FATF definition; for the activity-by-activity comparison and how a VASP analysis maps onto a MiCA CASP authorization, see our dedicated guide on VASP vs CASP under MiCA.

Do you need a VASP license? Next steps

If your business performs one of the five activities, as a business, for others, the FATF framework points to a clear consequence: the country you operate in must license or register and supervise you. The definition on this page tells you whether you are in scope; the next questions are which jurisdiction fits your model and what authorization actually involves. Start with the pillar on how to become a licensed VASP, review the VASP license requirements covering AML, capital, and compliance, and compare routes in our guide to where to register a VASP. There is no public price list here; scoping is matched to your activity set and target markets.