- Operating a crypto exchange, custodian, or broker without a licence is illegal in most jurisdictions and carries criminal penalties
- There is no single "best" licence — the right choice depends on your market, capital, and growth timeline
- EU MiCA licences are now the gold standard for European market access, with passporting across 27 countries
- Fast licences (Poland, Slovakia) take 4–8 weeks; complete licences (Singapore, Hong Kong) take 6–18 months
- AML/KYC compliance documentation is the most common cause of application failure and delay
- Working with specialist advisors reduces timelines by 30–50% and significantly improves approval rates
Why is Crypto Licensing Non-Negotiable in 2026?
In 2018, it was possible to operate a crypto exchange in many parts of the world with minimal regulatory oversight. That era is over. By 2025, virtually every major market — the EU, UK, UAE, Singapore, Hong Kong, the US — has implemented or is implementing a mandatory licensing regime for crypto asset service providers.
The consequences of operating without a licence are serious: criminal charges for directors and owners, asset freezes, banking termination, forced shutdown, and reputational damage that typically ends a business permanently. FATF member countries (which include most of the world's major economies) are required to implement crypto licensing frameworks, and enforcement is accelerating.
Beyond the legal imperative, a crypto licence is increasingly a commercial necessity. Institutional clients will not use an unlicensed platform. Regulated banks and payment processors will not bank unlicensed crypto businesses. Venture capital and private equity investors expect regulatory compliance as a prerequisite for investment. The cost of not having a licence is often higher than the cost of getting one.
Choose Your Jurisdiction
Jurisdiction selection is the most consequential decision in the licensing process. The wrong choice can mean 12 months wasted, hundreds of thousands spent, or a licence that doesn't actually allow you to serve your target customers.
The key variables to weigh are: (1) Market access — does the licence allow you to serve your target customers? (2) Capital requirements — how much do you need in the company? (3) Timeline — when do you need to be live? (4) Credibility — does the licence satisfy your institutional partners and investors? (5) Cost — total first-year cost including government fees, advisory, and running costs.
| Jurisdiction | Regulator | Timeline | Min. Capital | Best For |
|---|---|---|---|---|
| 🇵🇱 Poland (MiCA) | KNF | 4–8 weeks | EUR 50–150k | Fast EU access, small exchanges |
| 🇸🇰 Slovakia | NBS | 4–6 weeks | EUR 5k | Fastest EU entry, minimal capital |
| 🇱🇹 Lithuania | Bank of Lithuania | 8–12 weeks | EUR 125k | EU hub, EMI integration |
| 🇪🇪 Estonia | FIU | 3–4 months | EUR 100k | Digital economy, EU passporting |
| 🇬🇮 Gibraltar | GFSC | 3–4 months | GBP 100k+ | UK-adjacent, DLT specialist |
| 🇦🇪 UAE (VARA) | VARA | 3–5 months | USD 100k–1M | MENA market, 0% personal tax |
| 🇸🇬 Singapore | MAS | 6–12 months | SGD 250k+ | Asia credibility, institutional |
| 🇭🇰 Hong Kong | SFC | 9–18 months | HKD 5M+ | China-adjacent, institutional |
| 🇸🇻 El Salvador | BCR | 2–4 weeks | USD 50k BTC reserve | Bitcoin-native, fast launch |
| 🇵🇦 Panama | Varied | 4–8 weeks | Low | LatAm access, light regulation |
The 7-Step Licensing Process
Before filing anything, you need a precise definition of what services you will offer. Regulators are not interested in vague descriptions — they want to understand exactly what you do, who your clients are, how transactions flow, and what risks arise.
Key questions to answer: Will you hold client funds (custody) or just execute orders? Will you offer services to retail clients or professionals only? Will you accept fiat deposits? What geographic markets will you serve? What is your transaction volume in Year 1, 2, and 3?
This is not just a compliance exercise — your answers determine which licence type you need (affecting capital requirements by 3x or more) and which jurisdictions are viable.
Every jurisdiction requires the applicant to be a locally incorporated entity. You cannot apply for a Polish crypto licence through a Cayman Islands holding company — you need a Polish sp. z o.o. For Singapore, you need a Singapore Pte. Ltd. For UAE VARA, you need a Dubai-registered entity.
Local incorporation typically takes 3–10 business days for straightforward company setups (longer if there are complications with bank accounts). Key steps: draft articles of association, appoint directors, deposit share capital, register with the local companies registry, and obtain tax identification numbers.
Critically, many jurisdictions also require real operational substance — not just a registered address, but a physical office, local key management, and genuine business operations. This is particularly important for Singapore MAS, UAE VARA, and most EU MiCA applications. Plan substance requirements before incorporation.
This is the step most applicants underestimate — and the most common cause of application rejection or delay. Regulators do not want to see generic AML policy templates downloaded from the internet. They want policies tailored to your specific business model, product, and risk profile.
A complete AML/KYC program includes: (1) a Business-Wide Risk Assessment (BWRA), (2) Customer Due Diligence (CDD) procedures for standard, simplified, and enhanced scenarios, (3) a transaction monitoring policy with clear red flags and escalation procedures, (4) Suspicious Activity Report (SAR/STR) filing procedures, (5) Travel Rule compliance procedures, (6) sanctions screening policies, (7) staff training program, (8) annual AML audit procedure.
You also need to appoint an Anti-Money Laundering Compliance Officer (AMLCO / MLRO). In many jurisdictions (Poland, UAE, UK), this person must be locally resident. Their CV, qualifications, and criminal background check are submitted as part of the application.
The application package varies significantly by jurisdiction, but typically includes: the completed application form, corporate documents (articles of association, certificate of incorporation, register of directors and shareholders), KYC packages for all directors, key managers, and ultimate beneficial owners (UBOs), a business plan / programme of operations, AML/KYC policy suite, financial projections (3–5 years), evidence of capital adequacy, technology documentation (for custodians and exchanges), and a description of outsourcing arrangements.
For premium jurisdictions like Singapore MAS or UAE VARA, the business plan is often a 60–100 page document covering governance, risk management, technology architecture, and regulatory compliance frameworks. At this level, specialised advisors who know current regulator expectations pay for themselves many times over.
Once you submit, the regulator's clock starts. Most regulators acknowledge receipt within 5–10 business days and may request additional information (RFI / clarification request) before formally starting the review clock. Respond to all RFIs promptly and completely — partial responses reset the clock.
The review period varies: 4–8 weeks for Poland VASP registration; 3 months for MiCA CASP (mandated maximum); 6–12 months for MAS; no maximum for some UAE processes. During this period, maintain close communication with your in-country legal representatives. Do not make material changes to your business plan or ownership structure without notifying the regulator.
Many regulators now request in-person meetings with company principals as part of the review. For UAE VARA and Singapore MAS, these meetings are standard and the outcome can significantly influence the approval decision. Prepare thoroughly — treat it as a board-level regulatory interview.
Getting the licence is the beginning, not the end. Every jurisdiction imposes ongoing compliance obligations, and regulators are increasingly active in supervising licensed entities — not just approving them. Failure to meet ongoing requirements can result in licence suspension, revocation, and personal liability for directors.
Standard ongoing obligations include: transaction monitoring and SAR filing, periodic financial and compliance reporting to the regulator, annual AML audit by an independent compliance professional, maintaining and updating AML/KYC policies as regulations evolve, notifying the regulator of material changes (ownership, business model, key staff), Travel Rule compliance for all applicable transfers, and annual audited accounts.
For EU MiCA CASPs specifically, there are additional ongoing requirements around client asset safeguarding, complaint handling, conflicts of interest management, and market abuse prevention. Build these into your compliance budget from day one.
Crypto Licence Costs — Realistic Numbers by Jurisdiction
The following table shows realistic total first-year costs for each jurisdiction type, including incorporation, government fees, AML program, advisory, and running costs. Capital requirements are shown separately as they are not a cost (they remain in the company).
| Jurisdiction | Year 1 Cost (excl. capital) | Capital Required | Annual Ongoing |
|---|---|---|---|
| 🇸🇰 Slovakia VASP | EUR 6,000–10,000 | EUR 5,000 | EUR 3,000–6,000 |
| 🇵🇱 Poland VASP / MiCA | EUR 8,000–15,000 | EUR 50–150k (MiCA) | EUR 5,000–10,000 |
| 🇱🇹 Lithuania VASP | EUR 15,000–30,000 | EUR 125,000 | EUR 8,000–15,000 |
| 🇬🇮 Gibraltar DLT | GBP 30,000–60,000 | GBP 100,000+ | GBP 20,000–40,000 |
| 🇦🇪 UAE VARA Dubai | USD 60,000–120,000 | USD 100k–1M+ | USD 30,000–60,000 |
| 🇸🇬 Singapore MAS MPI | SGD 150,000–350,000 | SGD 450,000 | SGD 80,000–200,000 |
| 🇭🇰 Hong Kong SFC VATP | HKD 600,000–1.5M | HKD 5M+ | HKD 400,000–800,000 |
Advisory fees included: The costs above include professional advisory fees for an end-to-end managed engagement. DIY applications with just local lawyers are possible but typically take 2–3x longer and have significantly lower approval rates, especially for Singapore, UAE VARA, and Hong Kong.