A Virtual Asset Service Provider (VASP) is a business that exchanges, transfers, or custodies crypto on behalf of others. Most jurisdictions now require VASPs to obtain a license, meeting capital, governance, AML/KYC, custody, and reporting standards. Licensing is the entry ticket to operating legally, and unlicensed operation carries serious legal risk.
VASP licensing is the gateway to operating a legitimate crypto business. As regulation matured, the days of launching an exchange or custody service without authorization ended; most jurisdictions now require a Virtual Asset Service Provider license with substantial requirements. This guide explains what a VASP is, what licensing demands, and how a business approaches the authorization process.
What is a VASP?
A Virtual Asset Service Provider — a business that exchanges, transfers, custodies, or facilitates trading of crypto on behalf of others, such as exchanges, custodians, and brokers.
Why is licensing required?
To ensure VASPs meet standards for financial soundness, governance, AML/KYC, and asset protection, bringing crypto services under the same supervision as other financial businesses.
What does licensing require?
Typically minimum capital, fit-and-proper management, a full AML/KYC program, custody safeguards, governance controls, and ongoing reporting and supervision.
What is a Virtual Asset Service Provider?
A Virtual Asset Service Provider, or VASP, is a business that provides crypto services to others — exchanging crypto for fiat or other crypto, transferring it, custodying it, or facilitating trading. The term, drawn from international standards, captures the intermediaries that connect users to the crypto economy.
The VASP concept defines who falls under crypto regulation’s core obligations. Exchanges, custodians, brokers, and similar intermediaries are VASPs because they handle crypto on behalf of customers, making them natural points for regulatory oversight and financial-crime controls. The classification matters because being a VASP triggers licensing, AML/KYC, and reporting duties, including the Travel Rule covered in our AML/KYC guide. Determining whether a business is a VASP is therefore the first regulatory question any crypto venture must answer.
Why do jurisdictions require VASP licensing?
Jurisdictions require VASP licensing to ensure crypto intermediaries are financially sound, well-governed, and equipped to prevent financial crime and protect customer assets. Licensing brings crypto services under the same supervisory framework applied to banks and other financial businesses.
The rationale parallels why banks are licensed: businesses holding and moving other people’s money must meet standards that protect customers and the financial system. A VASP that fails — through insolvency, fraud, or a security breach — can cause significant customer losses, as crypto history has repeatedly shown. Licensing addresses this by requiring financial soundness, competent management, and proper controls before a business may operate, and by subjecting it to ongoing supervision. This brings crypto intermediaries up to the standards expected of regulated finance, consistent with the maturation our adoption trends guide describes.
What requirements must a VASP meet to be licensed?
A VASP typically must meet requirements for minimum capital, fit-and-proper management, a comprehensive AML/KYC program, secure custody of client assets, governance and risk controls, and ongoing reporting. The specifics vary by jurisdiction but cluster around financial soundness and customer protection.
The common requirements include holding minimum capital to absorb losses and demonstrate seriousness; ensuring directors and major owners pass a fit-and-proper assessment of competence and integrity; operating a full AML/KYC program; safeguarding client crypto through secure custody meeting standards like those in our custody guide; maintaining governance and risk-management controls; and reporting regularly to the regulator. Meeting these demands real investment in people, systems, and capital — a barrier that filters out undercapitalized or unserious operators, which is part of the regulatory intent.
How does licensing differ across jurisdictions?
VASP licensing differs significantly across jurisdictions in scope, cost, and rigor. Some, like the EU under MiCA, offer a passportable license valid across the bloc; others require separate licenses per country; and crypto-friendly jurisdictions may offer clearer or faster paths than restrictive ones.
The fragmentation that characterizes crypto regulation generally, covered in our global landscape guide, extends to licensing. Under MiCA, a VASP authorized in one EU member state can passport across all of them, a major efficiency, as our MiCA guide explains. Elsewhere, a business expanding internationally may need separate authorizations in each jurisdiction, each with its own requirements and timeline. The variation means jurisdiction selection is a strategic decision: where a business bases itself and seeks licensing shapes its cost, reach, and regulatory burden.
What are the risks of operating without a license?
Operating as an unlicensed VASP carries serious risks: regulatory enforcement, fines, criminal liability, forced shutdown, and exclusion from banking relationships. Unlicensed operation also undermines customer and partner trust and can taint the business permanently.
Regulators treat unlicensed crypto operation as a significant violation, and enforcement can be swift and severe — including penalties, orders to cease operations, and criminal charges against principals. Beyond direct enforcement, unlicensed status cuts a business off from banking partners wary of regulatory risk, and it deters serious institutional customers who require licensed counterparties. In a maturing industry, operating without proper authorization is increasingly untenable, which is why licensing has become a prerequisite rather than an option for legitimate crypto businesses.
How should a business approach VASP licensing?
A business approaches VASP licensing by determining whether it qualifies as a VASP, selecting target jurisdictions strategically, engaging specialist legal and compliance advisers, preparing the required capital and systems, and submitting a thorough application. The process is demanding and benefits from expert guidance.
The roadmap begins with confirming VASP status and choosing where to seek licensing based on the business’s markets, the jurisdiction’s requirements, and benefits like EU passporting. From there, the business assembles the necessary capital, builds the AML/KYC, custody, and governance systems regulators require, and prepares a comprehensive application demonstrating compliance. Given the complexity and the consequences of error, specialist legal and compliance support is essential throughout — the same professional-guidance principle our crypto finance hub applies to every significant regulatory undertaking. Done properly, licensing transforms a crypto venture from a legal risk into a legitimate, trusted business.
What ongoing obligations come with a VASP license?
A VASP license brings ongoing obligations: maintaining capital and controls, filing regular reports, conducting audits, updating the regulator on material changes, and continuously meeting AML/KYC and custody standards. Licensing is not a one-time hurdle but an enduring compliance relationship.
Obtaining a license is the beginning, not the end, of regulatory obligation. A licensed VASP must continuously satisfy the conditions of its authorization — maintaining required capital, keeping controls effective, submitting periodic reports, undergoing audits, and notifying the regulator of significant changes such as new owners or services. Failure to maintain these standards can lead to enforcement or loss of the license. This ongoing nature means a VASP must resource compliance as a permanent function, the same sustained discipline our AML/KYC guide describes for financial-crime controls.
How does VASP licensing relate to AML obligations?
VASP licensing and AML obligations are deeply intertwined: a functioning AML/KYC program is typically a prerequisite for obtaining a license, and maintaining it is a continuing license condition. Licensing formalizes the supervisory relationship through which AML compliance is enforced.
AML compliance and licensing reinforce each other. Regulators generally require evidence of a robust AML/KYC program — covering identity verification, monitoring, sanctions screening, and the Travel Rule — before granting a license, and they use the licensing relationship to supervise ongoing AML performance. A VASP that lets its AML controls lapse risks its license. This integration means a business cannot treat licensing and AML as separate projects; they are two aspects of the same regulated status, as our AML/KYC guide explains in depth.
Should a startup pursue licensing before or after launch?
A crypto startup that qualifies as a VASP should generally secure licensing before offering services, because operating unlicensed exposes it to enforcement, banking exclusion, and reputational harm. Building compliance and capital into the launch plan from the outset is far safer than retrofitting it.
The temptation to launch first and regulate later is dangerous for a business that qualifies as a VASP. Operating without authorization where it is required can trigger enforcement before the business even establishes itself, and it deters the banking partners and institutional customers serious crypto ventures need. The sounder path treats licensing, capital, and compliance systems as launch prerequisites rather than afterthoughts, accepting the time and cost as the price of building a legitimate business. This proactive stance reflects the disciplined, advice-led approach our crypto finance hub recommends for every regulatory undertaking.
How does VASP licensing build customer and partner trust?
VASP licensing signals legitimacy, attracting customers, banking partners, and institutional counterparties who require regulated providers. In a market scarred by failures and fraud, authorization is a competitive advantage that distinguishes serious businesses from risky or illicit operators.
Beyond legal necessity, a license is a trust signal. Customers increasingly prefer regulated providers after a history of exchange collapses and frauds; banks will partner only with licensed, compliant businesses; and institutional clients require regulated counterparties to satisfy their own mandates, as our adoption guide explains. In this environment, licensing transforms from a burden into a differentiator, opening relationships and markets closed to unlicensed operators. The businesses that invest in proper authorization position themselves to capture the institutional and mainstream demand that defines the maturing crypto market, the structural shift our crypto finance hub tracks across every pillar.
What is the future of VASP licensing?
VASP licensing is likely to become more standardized and widespread as more jurisdictions adopt frameworks and international coordination grows. The trend points toward licensing being a universal expectation for crypto intermediaries, with regional regimes like the EU’s reducing friction through passporting.
The trajectory mirrors the broader maturation of crypto regulation. As comprehensive frameworks spread and international standards drive convergence, obtaining a license is becoming the default expectation rather than the exception for crypto intermediaries worldwide. Regional approaches that allow a single authorization to cover multiple countries, like MiCA’s passporting covered in our MiCA guide, reduce the burden of operating across borders. For businesses, this means planning for a future where proper licensing is simply the cost of operating legitimately, consistent with the regulated, institutional crypto landscape the entire crypto finance hub describes.
Frequently Asked Questions
What businesses count as VASPs?
Exchanges, custodians, brokers, and businesses that exchange, transfer, custody, or facilitate trading of crypto for others. Pure software providers that never handle customer assets may fall outside the definition.
Can one license cover multiple countries?
Within the EU, MiCA authorization passports across member states. Elsewhere, businesses generally need separate licenses per jurisdiction, though some regions are developing regional approaches.
How long does VASP licensing take?
It varies widely by jurisdiction but often takes months of preparation and review, requiring significant capital and fully built compliance systems before approval.
Do decentralized platforms need a VASP license?
This is legally uncertain. Licensing targets identifiable intermediaries; truly decentralized arrangements without a responsible operator occupy a gray area regulators continue to examine.
Discover more from Kurums | Business Intelligence
Subscribe to get the latest posts sent to your email.