Meet Dr. Marcus Hartmann
Dr. Marcus Hartmann has spent over two decades at the intersection of financial law and emerging technology. Based in Zug — Switzerland's Crypto Valley — he has guided startups, trading platforms, and institutional investors through the full spectrum of VASP licensing: from FINMA FinTech notifications to MiCA CASP applications and offshore structuring across 60+ jurisdictions.
He joined CryptoLicenses.net as Senior Licensing Advisor after a decade leading the fintech practice of a Swiss-regulated law firm, where he managed regulatory mandates in the UAE, Singapore, Liechtenstein, and the Cayman Islands.
- Operating a crypto exchange, custodian, or broker without a licence is illegal in most jurisdictions and carries criminal penalties
- There is no single "best" licence — the right choice depends on your market, capital, and growth timeline
- EU MiCA licences are now the gold standard for European market access, with passporting across 27 countries
- Fast licences (Poland, Slovakia) take 4–8 weeks; comprehensive licences (Singapore, Hong Kong) take 6–18 months
- AML/KYC compliance documentation is the most common cause of application failure and delay
- Working with specialist advisors reduces timelines by 30–50% and significantly improves approval rates
Why Crypto Licensing is Non-Negotiable in 2026
In 2018, it was possible to operate a crypto exchange in many parts of the world with minimal regulatory oversight. That era is long over. By 2026, virtually every major market — the EU under MiCA, the UK under FCA, the UAE under VARA, Singapore under MAS, Hong Kong under SFC, and the US — has implemented mandatory licensing for crypto asset service providers. Over 60 jurisdictions globally now require registration or authorisation before offering VASP or CASP services.
The consequences of operating without a licence are serious: criminal charges for directors and owners, asset freezes, banking termination, forced shutdown, and reputational damage that ends businesses permanently. FATF member countries are required to implement and enforce crypto licensing frameworks, and in 2026 that enforcement has become more systematic, better resourced, and cross-border.
Beyond the legal imperative, a crypto licence is a commercial necessity. Institutional clients will not use an unlicensed platform. Regulated banks and payment processors will not onboard unlicensed crypto businesses. Venture capital and private equity investors require regulatory compliance before committing capital. The FINMA-regulated environment in Switzerland, for example, provides direct access to Swiss banking infrastructure — one of the most significant competitive advantages in the industry. The cost of not having a licence is almost always higher than the cost of getting one.
Choose Your Jurisdiction
Jurisdiction selection is the most consequential decision in the licensing process. The wrong choice can mean 12 months wasted, hundreds of thousands spent, or a licence that doesn't actually allow you to serve your target customers.
The key variables to weigh are: (1) Market access — does the licence allow you to serve your target customers? (2) Capital requirements — how much do you need in the company? (3) Timeline — when do you need to be live? (4) Credibility — does the licence satisfy your institutional partners and investors? (5) Cost — total first-year cost including government fees, advisory, and running costs.
| Jurisdiction | Regulator | Timeline | Min. Capital | Best For |
|---|---|---|---|---|
| 🇵🇱 Poland (MiCA) | KNF | 4–8 weeks | EUR 50–150k | Fast EU access, small exchanges |
| 🇸🇰 Slovakia | NBS | 4–6 weeks | EUR 5k | Fastest EU entry, minimal capital |
| 🇱🇹 Lithuania | Bank of Lithuania | 8–12 weeks | EUR 125k | EU hub, EMI integration |
| 🇪🇪 Estonia | FIU | 3–4 months | EUR 100k | Digital economy, EU passporting |
| 🇬🇮 Gibraltar | GFSC | 3–4 months | GBP 100k+ | UK-adjacent, DLT specialist |
| 🇦🇪 UAE (VARA) | VARA | 3–5 months | USD 100k–1M | MENA market, 0% personal tax |
| 🇸🇬 Singapore | MAS | 6–12 months | SGD 250k+ | Asia credibility, institutional |
| 🇭🇰 Hong Kong | SFC | 9–18 months | HKD 5M+ | China-adjacent, institutional |
| 🇸🇻 El Salvador | BCR | 2–4 weeks | USD 50k BTC reserve | Bitcoin-native, fast launch |
| 🇵🇦 Panama | Varied | 4–8 weeks | Low | LatAm access, light regulation |
"Jurisdiction selection is the most consequential decision in the licensing process. I see too many companies choose a jurisdiction based on price alone, only to find that their target banking partners or institutional clients won't work with that licence. The real cost of a cheap licence is often paid in year two."
— Dr. Marcus Hartmann, Senior Licensing Advisor
The 7-Step Licensing Process
Before filing anything, you need a precise definition of what services you will offer. Regulators are not interested in vague descriptions — they want to understand exactly what you do, who your clients are, how transactions flow, and what risks arise.
Key questions to answer: Will you hold client funds (custody) or just execute orders? Will you offer services to retail clients or professionals only? Will you accept fiat deposits? What geographic markets will you serve? What is your transaction volume in Year 1, 2, and 3?
This is not just a compliance exercise — your answers determine which licence type you need (affecting capital requirements by 3x or more) and which jurisdictions are viable.
Every jurisdiction requires the applicant to be a locally incorporated entity. You cannot apply for a Polish crypto licence through a Cayman Islands holding company — you need a Polish sp. z o.o. For Singapore, you need a Singapore Pte. Ltd. For UAE VARA, you need a Dubai-registered entity.
Local incorporation typically takes 3–10 business days for straightforward company setups (longer if there are complications with bank accounts). Key steps: draft articles of association, appoint directors, deposit share capital, register with the local companies registry, and obtain tax identification numbers.
Critically, many jurisdictions also require real operational substance — not just a registered address, but a physical office, local key management, and genuine business operations. This is particularly important for Singapore MAS, UAE VARA, and most EU MiCA applications. Plan substance requirements before incorporation.
This is the step most applicants underestimate — and the most common cause of application rejection or delay. Regulators do not want to see generic AML policy templates downloaded from the internet. They want policies tailored to your specific business model, product, and risk profile.
A comprehensive AML/KYC program includes: (1) a Business-Wide Risk Assessment (BWRA), (2) Customer Due Diligence (CDD) procedures for standard, simplified, and enhanced scenarios, (3) a transaction monitoring policy with clear red flags and escalation procedures, (4) Suspicious Activity Report (SAR/STR) filing procedures, (5) Travel Rule compliance procedures, (6) sanctions screening policies, (7) staff training program, (8) annual AML audit procedure.
You also need to appoint an Anti-Money Laundering Compliance Officer (AMLCO / MLRO). In many jurisdictions (Poland, UAE, UK), this person must be locally resident. Their CV, qualifications, and criminal background check are submitted as part of the application.
Not sure which licence fits your business? Get a free 30-minute consultation with our advisors. We'll review your model and recommend the right jurisdiction.
Get Free Consultation →The application package varies significantly by jurisdiction, but typically includes: the completed application form, corporate documents (articles of association, certificate of incorporation, register of directors and shareholders), KYC packages for all directors, key managers, and ultimate beneficial owners (UBOs), a business plan / programme of operations, AML/KYC policy suite, financial projections (3–5 years), evidence of capital adequacy, technology documentation (for custodians and exchanges), and a description of outsourcing arrangements.
For premium jurisdictions like Singapore MAS or UAE VARA, the business plan is often a 60–100 page document covering governance, risk management, technology architecture, and regulatory compliance frameworks. At this level, specialised advisors who know current regulator expectations pay for themselves many times over.
Once you submit, the regulator's clock starts. Most regulators acknowledge receipt within 5–10 business days and may request additional information (RFI / clarification request) before formally starting the review clock. Respond to all RFIs promptly and completely — partial responses reset the clock.
The review period varies: 4–8 weeks for Poland VASP registration; 3 months for MiCA CASP (mandated maximum); 6–12 months for MAS; no maximum for some UAE processes. During this period, maintain close communication with your in-country legal representatives. Do not make material changes to your business plan or ownership structure without notifying the regulator.
Many regulators now request in-person meetings with company principals as part of the review. For UAE VARA and Singapore MAS, these meetings are standard and the outcome can significantly influence the approval decision. Prepare thoroughly — treat it as a board-level regulatory interview.
Getting the licence is the beginning, not the end. Every jurisdiction imposes ongoing compliance obligations, and regulators are increasingly active in supervising licensed entities — not just approving them. Failure to meet ongoing requirements can result in licence suspension, revocation, and personal liability for directors.
Standard ongoing obligations include: transaction monitoring and SAR filing, periodic financial and compliance reporting to the regulator, annual AML audit by an independent compliance professional, maintaining and updating AML/KYC policies as regulations evolve, notifying the regulator of material changes (ownership, business model, key staff), Travel Rule compliance for all applicable transfers, and annual audited accounts.
For EU MiCA CASPs specifically, there are additional ongoing requirements around client asset safeguarding, complaint handling, conflicts of interest management, and market abuse prevention. Build these into your compliance budget from day one.
"Regulators across every jurisdiction — whether FINMA in Bern, MAS in Singapore, or VARA in Dubai — are all looking for the same thing: a compliance function that is real, funded, and empowered. A part-time AML officer with a generic policy template will not pass a fit-and-proper assessment in 2026."
— Dr. Marcus Hartmann, Senior Licensing Advisor
Crypto Licence Costs — Realistic Numbers by Jurisdiction
The following table shows realistic total first-year costs for each jurisdiction type, including incorporation, government fees, AML program, advisory, and running costs. Capital requirements are shown separately as they are not a cost (they remain in the company). For a full breakdown with hidden fees and ROI analysis, see our dedicated Crypto Licence Cost Guide.
| Jurisdiction | Year 1 Cost (excl. capital) | Capital Required | Annual Ongoing |
|---|---|---|---|
| 🇸🇰 Slovakia VASP | EUR 6,000–10,000 | EUR 5,000 | EUR 3,000–6,000 |
| 🇵🇱 Poland VASP / MiCA | EUR 8,000–15,000 | EUR 50–150k (MiCA) | EUR 5,000–10,000 |
| 🇱🇹 Lithuania VASP | EUR 15,000–30,000 | EUR 125,000 | EUR 8,000–15,000 |
| 🇬🇮 Gibraltar DLT | GBP 30,000–60,000 | GBP 100,000+ | GBP 20,000–40,000 |
| 🇦🇪 UAE VARA Dubai | USD 60,000–120,000 | USD 100k–1M+ | USD 30,000–60,000 |
| 🇸🇬 Singapore MAS MPI | SGD 150,000–350,000 | SGD 450,000 | SGD 80,000–200,000 |
| 🇭🇰 Hong Kong SFC VATP | HKD 600,000–1.5M | HKD 5M+ | HKD 400,000–800,000 |
Advisory fees included: The costs above include professional advisory fees for an end-to-end managed engagement. DIY applications with just local lawyers are possible but typically take 2–3x longer and have significantly lower approval rates, especially for Singapore, UAE VARA, and Hong Kong.
7 Mistakes That Kill Applications
Getting a Crypto License — Common Questions
Sources & Official References
