VASP license

A VASP license is required for businesses that store, transfer, exchange, or process virtual assets on behalf of clients, where access to client funds or private keys is involved. Regulators treat such activities as regulated financial services due to AML, risk management, and consumer protection requirements.

In particular, a VASP license (also known as a crypto license) is required for the following activities:

1. Exchange and conversion services

• crypto–fiat and crypto–crypto exchange platforms (online exchangers, OTC desks, conversion aggregators);
• cryptocurrency ATMs enabling the purchase or sale of digital assets for cash.

2. Payment and transaction processing

• merchant service providers and crypto payment gateways accepting cryptocurrency payments;
• crypto payment processors transferring funds between users;
• escrow platforms holding assets until settlement.

3. Custody and asset safeguarding

• custodial service providers managing clients’ private keys and account balances;
• platforms or services that retain control over users’ digital assets.

4. Trading platforms and execution services

• spot cryptocurrency exchanges matching orders and holding client funds;
• derivatives exchanges offering futures, options, and perpetual contracts;
• brokers and order execution providers;
• liquidity aggregators routing orders across multiple venues.

5. Asset management and trading automation

• API-based asset managers operating client portfolios on exchanges;
• trading bots executing transactions on behalf of users.

6. Advisory services influencing transactions

• investment advisors whose recommendations or trading signals may lead to execution of transactions with virtual assets.

The general criterion is straightforward: if a company stores, transfers, exchanges, or processes crypto assets on behalf of clients, while controlling access to funds or private keys, obtaining a VASP license becomes a mandatory component of its operational model.

Operating without the required VASP authorization is considered the provision of regulated financial services without a license and may result in regulatory enforcement measures, including restrictions by banks and payment providers, transaction blocking, financial penalties, or prohibition of further business activity.

Not all crypto-related business models automatically fall within the scope of VASP licensing. In certain cases, a VASP license may not be required, depending on the nature of the services provided and the level of control over client assets.

• provides non-custodial wallets, where full control over private keys remains with the user;
• provides consulting, analytical, or informational services that do not initiate or accompany transactions with assets;
• functions as an educational or research platform without access to client funds;
• offers automation tools that do not execute transactions autonomously and do not have the technical capability to manage user assets.

In such models, there is no transfer, storage, or control of third-party assets, which means that the activity does not formally fall under the requirements of VASP licensing.

However, the final assessment always depends on the specific business model and the interpretation of the regulator in the relevant jurisdiction. As a result, a regulatory assessment is strongly recommended to confirm whether VASP licensing obligations apply.

Regulation of virtual assets in Europe is changing faster than ever. It is important to distinguish between the European Union and the wider European area, as the legal regime in these areas is developing along different models.

In EU countries, the term VASP is no longer used. Under the Markets in Crypto-Assets Regulation (MiCA), crypto service providers are transitioning to the CASP licensing framework, with application timelines and transitional periods varying across EU member states. In most EU jurisdictions, MiCA requirements have either already entered into force or will become fully applicable during 2025–2026, depending on national transitional regimes.

At the same time, Europe is not limited to the EU. In Switzerland, United Kingdom, Gibraltar, Jersey, Georgia, and the Republic of Serbia, the VASP model continues to be used and remains the primary form of regulation. These jurisdictions follow Financial Action Task Force (FATF) recommendations and maintain independent regulatory regimes that are not subject to MiCA.

This distribution makes the choice of jurisdiction a strategic decision: companies must consider where CASP applies, where VASP operates, and what requirements will affect their operations, access to banks, and the range of opportunities for providing various types of services related to virtual assets.

The cost and timeline for obtaining a VASP license in Europe vary significantly by jurisdiction. In 2025, total licensing budgets typically range from USD 10,000 in lower-cost jurisdictions such as Bosnia and Herzegovina to USD 165,000 for a direct FINMA license in Switzerland, with approval timelines spanning from 3 to 18 months.

Indicative cost and timeline ranges by jurisdiction (2025):

• Bosnia and Herzegovina: USD 10,000–15,000 (3–6 months);
• Georgia: USD 15,000–30,000 (4–8 months);
• Switzerland (SRO pathway): USD 22,000–55,000 (2–4 months);
• United Kingdom: USD 50,000–100,000 (6–18 months);
• Gibraltar: USD 80,000–120,000 (9–15 months);
• Jersey: USD 100,000–150,000 (8–14 months);
• Switzerland (direct FINMA license): USD 110,000–165,000 (6–12 months).

Total costs typically include legal and consulting fees, regulatory application fees, compliance infrastructure setup, minimum capital requirements (from approximately EUR 25,000 to CHF 5,000,000 depending on jurisdiction and activity), and annual supervisory fees.

Approval timelines depend on regulatory complexity, documentation quality, AML and compliance readiness, banking arrangements, and regulator workload. In practice, companies with established compliance frameworks and complete documentation often achieve approvals faster and at lower overall cost than startups building compliance from scratch.

To obtain a VASP license, crypto businesses must meet a set of core regulatory requirements defined by FATF standards and implemented by national regulators. While specific thresholds vary by jurisdiction, the key requirements are broadly consistent across Europe and comparable jurisdictions.

Core VASP licensing requirements (2025):

1. AML / KYC compliance framework

• Written AML/CTF policies and procedures,
• Customer identification and verification (KYC/CDD),
• Transaction monitoring and suspicious activity reporting (SAR/STR),
• Enterprise-wide risk assessment covering clients, products, geographies, and transaction flows.

2. Minimum capital and financial substance

• Initial capital requirements typically range from €25,000 to CHF 5,000,000, depending on services;
• Ongoing capital adequacy and liquidity monitoring;
• Periodic financial reporting to the regulator;

3. Qualified management and compliance officer.

• Appointment of a qualified AML Compliance Officer (local or approved);
• Fit-and-proper checks for directors and shareholders;
• Mandatory AML/KYC staff training and Know Your Employee (KYE) procedures.

4. Risk management and cybersecurity controls

• IT security and cybersecurity policies;
• Safeguards for client assets and private keys;
• Incident response and data protection procedures.

5. Organizational structure and governance

• Transparent ownership and management structure;
• Clear separation of client assets from company funds;
• Internal controls and conflict-of-interest policies.

6. Record keeping and regulatory reporting

• Retention of transaction, KYC, and audit records (typically 5–10 years);
• Ongoing regulatory reporting and audit readiness.

Many companies encounter problems that can be avoided at an early stage. Below are the most common mistakes that affect timing, cost, and the final result.

1. Underestimation of AML/CTF requirements. Many projects come to licensing without a ready-made KYC system, without a transaction monitoring methodology, and without tools to implement the Travel Rule. The regulator quickly sees the gap between the stated process and actual practice, and the application is stopped at the earliest stage.
2. Weak operational model. Policy files downloaded from the internet do not work. Documents must reflect the specific product, risk logic, transaction routes, key storage architecture, and staff roles. If this is not the case, the regulator perceives the company as unprepared.
3. Wrong choice of jurisdiction. Focusing solely on low registration costs leads to dead-end models: no partner banks, no payment providers, no market access. The jurisdiction must match the scale of the business and the type of services provided.
4. Insufficient technical documentation. The regulator expects a description of the infrastructure, storage schemes, MFA mechanisms, limit logic, event log, and incident response plans. Superficial descriptions lead to additional requests and delays.

Ignoring requirements after licensing.

Some companies focus only on obtaining a license and do not plan for operating expenses: mandatory reports, internal auditors, procedure updates, external audits. This leads to violations after obtaining status and the risk of suspension of

Obtaining a VASP license is no longer a formal compliance step, but a strategic requirement for crypto businesses operating in a regulated global environment. A licensed status confirms compliance with AML/KYC standards, enhances transparency of virtual asset operations, and significantly reduces regulatory and banking risks.

In 2025–2026, as the EU transitions to the MiCA framework and VASP regimes remain applicable outside the EU, choosing the right jurisdiction becomes a key business decision. Switzerland, the UK, and selected European and offshore jurisdictions continue to offer viable VASP models for exchanges, custody providers, and institutional crypto projects operating globally.

A properly structured VASP license enables access to international markets, improves banking and payment provider relationships, and supports long-term scalability without repeated restructuring. In an environment of increasing regulatory scrutiny, licensing is no longer an advantage — it is a prerequisite for building a sustainable and bankable crypto business.