Meet Dr. Marcus Hartmann
Dr. Marcus Hartmann has spent over two decades at the intersection of financial law and emerging technology. Based in Zug — Switzerland's Crypto Valley — he has guided startups, trading platforms, and institutional investors through the full spectrum of VASP licensing: from FINMA FinTech notifications to MiCA CASP applications and offshore structuring across 60+ jurisdictions.
He joined CryptoLicenses.net as Senior Licensing Advisor after a decade leading the fintech practice of a Swiss-regulated law firm, where he managed regulatory mandates in the UAE, Singapore, Liechtenstein, and the Cayman Islands.
- Six-step path: choose your business model → select jurisdiction → form company → obtain license → open bank account → launch operations
- Minimum realistic budget is €15,000–50,000 for simple models (Estonia/Lithuania VASP); complex models in UAE or Singapore require €100,000–400,000+
- Total timeline from decision to live operations: 3–12 months depending on jurisdiction and complexity
- Switzerland, Estonia, and UAE (Dubai) are the most popular startup hubs in 2026 for crypto businesses
- 80% of crypto startups fail at the banking step — securing a corporate bank account is harder than getting the license itself
- Hiring a real MLRO (not a nominee) and building a genuine AML program from day one is non-negotiable under every major regulatory framework
The Six Steps to Starting a Crypto Business
The crypto industry in 2026 is a legitimate financial services sector — with the compliance burden to match. The era of launching a token or exchange from a beach with a Cayman Islands shell company ended with the global rollout of MiCA, FATF Travel Rule enforcement, and aggressive banking de-risking. Today, starting a crypto business is structurally similar to starting a regulated fintech or payments company.
That is not a reason to be deterred. It is a reason to plan carefully. Entrepreneurs who understand the six-step process from the beginning — and budget and timeline accordingly — have a much higher success rate than those who underestimate the legal and compliance infrastructure required. This guide gives you the honest picture.
Choose Your Business Model
Before you select a jurisdiction or talk to a lawyer, you need a precise definition of what your business will do. Different crypto business models attract entirely different regulatory frameworks, capital requirements, and compliance obligations — and the wrong classification can add 12 months and €200,000 to your setup costs.
The most common crypto business models in 2026 and their regulatory implications:
| Business Type | Description | Key Regulation | Complexity | Capital Req. |
|---|---|---|---|---|
| Centralised Exchange (CEX) | Order-book exchange with fiat on/off ramps | MiCA CASP / VASP | Very High | €150k–1M+ |
| Decentralised Exchange (DEX) | Smart contract-based swaps, no custody | Partial MiCA exemption | High | Variable |
| OTC Desk | Large block trades, bilateral settlement | VASP / broker regulation | Medium | €50k–200k |
| Wallet Provider | Non-custodial or custodial wallet app | MiCA (custodial only) | Low–Medium | €50k–150k |
| Crypto Payment Processor | Merchant payment acceptance in crypto | PSD2 + MiCA CASP | Medium–High | €125k+ |
| Crypto Broker | Execute trades on behalf of clients | MiCA / MiFID II | High | €150k+ |
| Custody Service | Safekeeping of client crypto assets | MiCA CASP Class 3 | Very High | €150k–500k |
| DeFi Protocol | Lending, yield, AMM — no central operator | Evolving / grey area | High | Low (but legal risk) |
Critical decision point: Whether you hold client funds (custody) or not is the single most important question. Custodial models attract the highest capital requirements and the strictest ongoing compliance obligations. If you can design your model to be non-custodial, you significantly reduce your regulatory burden.
Select Your Jurisdiction
Jurisdiction selection is a multi-variable decision, not a simple cost comparison. The cheapest jurisdiction is rarely the right choice — what matters is whether that jurisdiction lets you serve your actual target customers, access banking, and maintain credibility with institutional partners.
Use this decision matrix to narrow your options:
Most serious jurisdictions require real local substance — a genuine office, locally resident key management, and board meetings held in-country. If you are based in Germany, incorporating in Estonia makes operational sense. If you are in Singapore, UAE VARA is a viable alternative. Jurisdictions that do not require local substance (offshore registrations) offer minimal credibility with banks and institutional clients.
An EU MiCA licence lets you serve all 27 EU member states through passporting. A UAE VARA licence covers the Dubai and MENA market. A Singapore MAS licence covers Southeast Asia and institutional APAC. For truly global operations, you typically need 2–3 licences. Critically, most major jurisdictions require geo-blocking of markets where you have no licence — operating globally from a single offshore entity is no longer viable.
Your jurisdiction heavily influences your banking options. Estonian and Lithuanian entities can access EU banking networks and SEPA. UAE entities bank with regional banks but struggle to access European payment rails. Singapore entities access APAC banking. The rule of thumb: bank where you are licensed, and choose your jurisdiction partly based on where you can get banking. Misalignment between licence jurisdiction and banking jurisdiction is the most common cause of the 80% banking failure rate.
Be honest about this. Total capital requirement includes: setup and advisory costs + statutory minimum share capital + operational runway for 12–18 months while you build revenue. With €50,000 total available, your realistic options are Estonia VASP or Lithuania VASP. With €200,000, add UAE VARA and Gibraltar. With €500,000+, Singapore MAS becomes viable. Do not start a Singapore application with €150,000 — you will run out of money before approval.
| Jurisdiction | Regulator | Timeline | Min. Capital | Best For |
|---|---|---|---|---|
| 🇪🇪 Estonia | FIU (Finantsinspektsioon) | 3–4 months | €100,000 | EU digital hub, strong e-residency ecosystem |
| 🇱🇹 Lithuania | Bank of Lithuania | 8–12 weeks | €125,000 | EU hub, EMI integration, fast processing |
| 🇦🇪 UAE (VARA) | VARA | 3–5 months | USD 100k–1M | MENA market, 0% personal tax, growing ecosystem |
| 🇬🇮 Gibraltar | GFSC | 3–4 months | GBP 100,000+ | UK-adjacent, DLT specialists, institutional reputation |
| 🇰🇾 Cayman Islands | CIMA | 2–4 months | Variable | Fund structures, DeFi, offshore holding layer |
| 🇨🇭 Switzerland (Zug) | FINMA | 6–12 months | CHF 300,000+ | Token issuance, institutional DeFi, prestige |
"Jurisdiction selection is the single most consequential decision in setting up a crypto business, and most founders get it wrong by optimising for cost alone. The right jurisdiction is one where you can actually serve your target customers, pass banking due diligence, and demonstrate genuine substance — not just a registration address. In 2026, Swiss FINMA oversight and EU MiCA authorisation remain the gold standard for institutional credibility."
— Dr. Marcus Hartmann, Senior Licensing Advisor
Form Your Company
Every crypto licence requires a locally incorporated legal entity. You cannot apply for a licence through a holding company in another jurisdiction — you need the entity to be incorporated in the jurisdiction where you are seeking the licence. Incorporation is usually the fastest step (3–10 business days), but the decisions you make here have long-term consequences.
The most common entity types for crypto businesses are: OÜ (Estonia — private limited company, excellent for EU operations), UAB (Lithuania — similar to an OÜ, widely used for fintech), LLC/FZ-LLC (UAE — free zone entity required for VARA), Ltd (Gibraltar — standard limited company), AG/SA (Switzerland — required for certain FINMA activities with minimum CHF 100,000 capital), Ltd (Cayman — used for fund structures and holding layers).
Most early-stage crypto businesses choose an OÜ or UAB for EU operations due to low cost, fast setup, and strong EU banking access. The choice between Estonian and Lithuanian entity often comes down to where your operational team is based and which banking relationships you have access to.
A registered office address is the minimum legal requirement. However, for licensing purposes, most regulators expect genuine operational substance — not just a mailbox address at a shared workspace. UAE VARA requires a physical office lease. Singapore MAS will reject applications where the management clearly operates offshore. Even for lighter-touch EU registrations, inspectors have become more willing to conduct on-site reviews.
Plan your substance requirements before you incorporate. If your team is entirely remote, you need a credible plan for how you will establish local operations. Co-working spaces with dedicated desks are acceptable for most EU jurisdictions at the startup stage; a physical office is required for UAE, Singapore, and Switzerland.
Minimum share capital must be deposited in a bank account in the company's name before incorporation can be completed in most jurisdictions. This creates a chicken-and-egg problem: you need a bank account to deposit capital, but you need the company to open a bank account. The typical solution is to open a temporary account at a bank that works with pre-incorporation entities, or to use a payment service provider account for the initial deposit.
Note that minimum statutory share capital is not the same as the ongoing capital requirements for your licence. For example, Estonia requires a €2,500 minimum share capital for an OÜ, but the FIU licence requires €100,000 in own funds. Plan for both.
Obtain Your Licence
Licensing is the most document-intensive phase of starting a crypto business. The quality of your application package — not just its completeness — determines how quickly you get approved and whether you attract follow-up queries. Rushed or generic applications consistently add 3–6 months to timelines.
Every director, shareholder above a threshold (typically 10–25%), and key function holder (MLRO, CEO, CTO in some jurisdictions) must provide a full KYC package: passport, proof of address, CV/resume, criminal background check (apostilled), source of wealth declaration, and professional references. Gathering these documents from founders in multiple countries typically takes 4–8 weeks — start immediately.
This is the single most important document package and the most common cause of application failure. You need: a Business-Wide Risk Assessment (BWRA), Customer Due Diligence (CDD) procedures, Enhanced Due Diligence (EDD) criteria, a Transaction Monitoring Policy with defined red flags, SAR/STR filing procedures, Travel Rule compliance procedures, sanctions screening policy, staff training program, and an independent audit procedure. Each must be tailored to your specific business model — templates will be rejected.
The business plan for a crypto licence application is not a startup pitch deck — it is a regulatory document. It must include: a precise description of all services to be offered, the client onboarding process, transaction flow diagrams, governance structure, risk management framework, IT/cybersecurity overview, outsourcing arrangements, financial projections for 3–5 years, and a description of how you will comply with each applicable regulatory requirement. For UAE VARA and Singapore MAS, this document is typically 60–100 pages.
The Money Laundering Reporting Officer (MLRO) is a mandatory appointment in every jurisdiction. This person must have genuine compliance expertise, understand your business model in detail, and in many jurisdictions must be locally resident. Their CV, qualifications, criminal check, and a personal statement are submitted as part of the application. Regulators increasingly conduct interviews with MLRO candidates — prepare them thoroughly.
Once your package is complete, submit via the regulator's portal or directly to the relevant authority. Respond to all Requests for Information (RFIs) within the specified deadline — partial responses or missed deadlines reset the review clock in most jurisdictions. Maintain a single point of contact with the regulator (usually your in-country legal counsel) and do not make material changes to your business plan or ownership structure during the review without notifying the regulator in advance.
Upon approval, you will receive the formal licence or authorisation document. At this point, set up your ongoing compliance infrastructure immediately: transaction monitoring system, SAR filing channel, regulatory reporting calendar, AML audit schedule, and staff training program. Do not launch operations before your compliance infrastructure is operational — regulators increasingly conduct surprise inspections in the first 6 months after licensing.
| Jurisdiction | Licence Type | Typical Timeline | First-Year Cost |
|---|---|---|---|
| 🇪🇪 Estonia | VASP (FIU) | 3–4 months | €15,000–30,000 |
| 🇱🇹 Lithuania | VASP (Bank of Lithuania) | 2–3 months | €15,000–30,000 |
| 🇬🇮 Gibraltar | DLT Provider (GFSC) | 3–4 months | GBP 30,000–60,000 |
| 🇦🇪 UAE VARA | VARA VASP | 3–5 months | USD 60,000–120,000 |
| 🇨🇭 Switzerland | FINMA Banking/VASP | 6–12 months | CHF 100,000–300,000 |
| 🇸🇬 Singapore | MAS MPI Licence | 6–12 months | SGD 150,000–350,000 |
Open a Corporate Bank Account
This is where 80% of crypto startups hit their biggest obstacle. Obtaining a crypto licence is difficult but navigable — there is a defined process with a defined outcome. Opening a corporate bank account for a crypto business is a sales process, and banks can say no without explanation at any point, even after months of due diligence.
Understanding what banks look for is the difference between a 3-month banking process and an 18-month one.
Banks evaluate crypto businesses against a risk framework, not just a checklist. The factors they weight most heavily: Licence status — a valid licence in a reputable jurisdiction is the minimum threshold. AML program quality — they will review your AML policies and sometimes ask for your MLRO to attend a meeting. Source of funds — clear documentation of where your operating capital came from (investors, founders' funds, revenue). Business plan credibility — a realistic, conservative plan with clear customer acquisition and revenue logic. Beneficial owner background — full KYC on all significant shareholders; any adverse media or PEP connections are deal-breakers. Transaction volume projections — banks are more comfortable with conservative, phased volume growth than aggressive projections.
Tier 1 EU banks: Rare but possible for well-capitalised, licensed businesses. Typically requires 12–18 months of operating history, audited accounts, and introductions. Not a realistic first-banking option for most startups.
Neo-banks and EMIs: Revolut Business, Wise, Nium, ClearJunction, and similar providers are the practical first-banking layer for most EU crypto startups. They offer SEPA access, multi-currency accounts, and are accustomed to crypto-adjacent businesses. Expect enhanced due diligence but reasonable approval rates for licensed entities.
Specialist crypto-friendly banks: SEBA Bank (Switzerland), Sygnum Bank (Switzerland), BCB Group (UK), Signature-equivalent services in UAE and Singapore. These are purpose-built for crypto businesses and offer the most complete service stack — but typically require minimum balances of €500,000+ and cater to established businesses.
The most effective ways to improve your chances: get licensed before you apply for banking (not after); have your AML program independently reviewed before presenting to banks; introduce yourself through a warm referral from an existing customer or adviser; start with a smaller EMI or neo-bank to establish a 6-month operating history before approaching tier-1 banks; maintain conservative transaction volume in your first year; ensure your beneficial owners have clean backgrounds with no adverse media.
Not sure which licence fits your business? Get a free 30-minute consultation with our advisors. We'll review your model and recommend the right jurisdiction.
Get Free Consultation →"Banking is the hidden bottleneck of every crypto startup — and 80% of the failures I see happen here, not in licensing. The pattern is always the same: founders get licensed, then discover no bank will open an account for them because their AML documentation is template-quality, their beneficial owners have undisclosed media history, or they applied to a tier-1 bank before establishing any operating track record. Apply to three or four providers simultaneously, start with EMIs, and treat the banking process as seriously as the licensing process."
— Dr. Marcus Hartmann, Senior Licensing Advisor
Build Your Tech Stack
The technology infrastructure for a regulated crypto business is not just about your exchange engine or wallet app. Compliance technology is now as important as core product technology — and regulators will ask about it in detail during the licensing process. Building your tech stack correctly from the beginning saves significant remediation costs later.
| Layer | Function | Leading Solutions | Approx. Cost/mo |
|---|---|---|---|
| KYC / Identity Verification | Customer onboarding, ID checks, liveness | Sumsub, Onfido, Jumio, Veriff | €500–5,000 |
| AML / Transaction Monitoring | Rule-based and AI monitoring, alert management | ComplyAdvantage, Chainalysis, Elliptic | €1,000–8,000 |
| Blockchain Analytics | On-chain risk scoring, wallet screening | Chainalysis, TRM Labs, Merkle Science | €2,000–10,000 |
| Travel Rule | VASP-to-VASP originator/beneficiary data | Notabene, Sygna, 21 Analytics | €500–3,000 |
| Core Exchange Engine | Order book, matching, liquidity | AlphaPoint, B2Broker, DXmatch, custom | €3,000–30,000 |
| Custody Solution | Multi-sig key management, cold storage | Fireblocks, BitGo, Copper, Qredo | €2,000–20,000 |
| Regulatory Reporting | SAR filing, regulator dashboards, audit logs | CUBE, Actico, custom builds | €500–5,000 |
Build vs buy: For compliance technology, always buy. Building a proprietary KYC system or blockchain analytics tool is a 12–18 month engineering project that detracts from your core product. Regulators expect to see established, audited third-party compliance tools. Proprietary compliance systems require extensive validation and are viewed with scepticism during licence applications.
Hire Your Core Team
The minimum viable team for a licensed crypto business in 2026 is larger than most founders expect. Regulators want to see genuine human capital — not a two-person team with outsourced everything. Here is a pragmatic view of what to hire vs outsource at each stage.
Go-to-Market & Launch
Launching a regulated crypto business has specific marketing and communication constraints that unlicensed crypto projects do not face. Understanding these restrictions before you launch prevents costly enforcement actions and reputational damage.
Under EU MiCA and most other frameworks, crypto asset marketing communications must be fair, clear, and not misleading. Specific restrictions: no guaranteed return claims of any kind; risk warnings must be prominently displayed in all marketing materials (MiCA mandates specific wording); performance data must include historical disclaimer; promotions targeting retail clients require additional disclosures in many jurisdictions. The FCA (UK) requires all crypto marketing to be approved by an authorised person — this applies to global businesses targeting UK users, even via social media.
Your website and platform must display: your company's full registered name and company number; the jurisdiction where you are licensed and the regulator's name and website; your licence number; a link to your terms of service and privacy policy (GDPR-compliant for EU businesses); risk disclosure statement; complaint handling procedure; and contact details for both customer service and regulatory queries. Missing disclosures are the most common first-inspection finding and result in formal warnings even for otherwise compliant businesses.
If your business involves issuing a crypto asset (token), MiCA requires a formal crypto asset whitepaper to be filed with the regulator and published before any public offering. The whitepaper must include: detailed description of the issuer, the project, the rights attached to the token, the technology used, the associated risks, and financial information. For asset-referenced tokens and e-money tokens, authorisation before issuance is required. Allow 3–6 months for whitepaper preparation and regulatory review before planning any token launch.
Announce banking, technology, and institutional partnerships only after they are formally contracted — not during negotiations. Pre-announcing partnerships that fall through is both a reputational risk and can attract regulatory scrutiny if it influences retail investor behaviour. Plan a soft launch with a limited user group before full public launch: this allows you to test your KYC/AML processes, identify transaction monitoring gaps, and train your team on real cases before scaling. The soft launch phase should last 4–8 weeks.
First-Year Compliance Calendar
Once licensed and launched, your ongoing compliance obligations begin immediately. Missing filing deadlines or failing to maintain required records can result in licence suspension even for otherwise well-run businesses. Use this calendar as a baseline — your specific jurisdiction may have additional requirements.
- Transaction monitoring review — clear open alerts, document decisions
- SAR/STR review — file any outstanding suspicious activity reports
- Sanctions screening list update — update screening lists (OFAC, EU, UN)
- Regulatory change monitoring — check for new guidance from your regulator
- Banking reconciliation — reconcile client segregated funds with your records
- Staff AML training log — record completion of any training sessions
- AML risk assessment review — update your Business-Wide Risk Assessment for any material changes
- CDD file review — sample review of customer files for completeness and currency
- Travel Rule compliance check — verify all applicable transfers have compliant data
- Management information report — prepare compliance MI for board/management review
- Regulatory reporting (where applicable) — some jurisdictions require quarterly filings
- Vendor and outsourcing review — review third-party service provider performance and compliance
- Independent AML audit — engage external compliance firm to audit your AML program
- Annual report to regulator — statutory filing required in most jurisdictions
- Audited financial statements — required in all major licensing jurisdictions
- Capital adequacy review — confirm ongoing compliance with minimum capital requirements
- Full policy suite review — update all AML/KYC policies for regulatory changes
- Licence renewal (where applicable) — some jurisdictions require annual or biannual licence renewal
- Staff AML training — annual full AML training for all relevant staff, documented
- Material change notification — notify regulator of changes to ownership, business model, or key staff
- MLRO or senior management change — prior approval typically required in most jurisdictions
- Regulatory investigation or enquiry — respond within specified timeframe, document all interactions
- Data breach — GDPR requires 72-hour notification to data protection authority
- Major technology change — some jurisdictions require prior notification of significant IT changes
Starting a Crypto Business — Common Questions
Sources & Official References
- FINMA — FinTech Licence: Requirements and Authorisation
- FINMA — At a Glance: List of Crypto Services and Regulatory Classification
- FINMA Guidance 01/2026 — Risks Associated with the Custody of Crypto-Based Assets
- FINMA — FinTech Financial Services Providers: Overview
- Swiss Federal Act on Combating Money Laundering and Terrorist Financing (AMLA)