Regulatory Guide · Updated 2026

What Is a VASP? Definition, Types & Registration Requirements in 2026

VASP — Virtual Asset Service Provider — is the FATF-defined category that determines whether your crypto business must register with a financial regulator. If you exchange, transfer, custody, or issue virtual assets as a business, you are almost certainly a VASP. This guide explains exactly what that means, what obligations it triggers, and how to register across 60+ jurisdictions.

Reading time: ~8 minutes
Standard: FATF Recommendation 15
Last updated: March 2026

Meet Dr. Marcus Hartmann

Dr. Marcus Hartmann
Senior Licensing Advisor · Zug, Switzerland
LL.M. International Financial Law · Dr. iur. · Zurich Bar

Dr. Marcus Hartmann has spent over two decades at the intersection of financial law and emerging technology. Based in Zug — Switzerland's Crypto Valley — he has guided startups, trading platforms, and institutional investors through the full spectrum of VASP licensing: from FINMA FinTech notifications to MiCA CASP applications and offshore structuring across 60+ jurisdictions.

He joined CryptoLicenses.net as Senior Licensing Advisor after a decade leading the fintech practice of a Swiss-regulated law firm, where he managed regulatory mandates in the UAE, Singapore, Liechtenstein, and the Cayman Islands.

  • 22 years in financial services regulation
  • 400+ crypto licensing mandates across 60+ jurisdictions
  • Certified AML Officer (ACAMS), FINMA-registered
  • Fluent in English, German, and French
Key Takeaways
  • A VASP is any business that exchanges, transfers, or custodies virtual assets on behalf of others — as defined by the Financial Action Task Force (FATF)
  • VASP status triggers mandatory AML/KYC registration in 60+ jurisdictions worldwide
  • The Travel Rule applies to VASPs: transfers above $1,000 require sender and recipient data to be shared between VASPs
  • Under EU MiCA, the equivalent term is CASP (Crypto-Asset Service Provider) — same concept, different regulatory label
  • Operating as an unregistered VASP carries criminal liability in most jurisdictions, including the EU, UK, Singapore, and UAE
  • DeFi protocols may qualify as VASPs depending on the degree of decentralisation and the presence of an identifiable operator

What Is a VASP? The FATF Definition

The term VASP was introduced by the Financial Action Task Force (FATF) in its 2019 revision of Recommendation 15. FATF defines a Virtual Asset Service Provider as any natural or legal person that, as a business, conducts one or more of the following activities for or on behalf of another person: exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, transfer of virtual assets, safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets, and participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

The definition is deliberately broad. It is not limited to centralised exchanges. Any business that touches virtual assets in a service capacity — whether as a broker, custodian, payment processor, or token issuer — is likely to fall within the VASP perimeter. The test is whether the activity is conducted as a business and on behalf of others. Personal use of crypto does not make you a VASP.

FATF Recommendations are not law by themselves — they are international standards adopted by 200+ member jurisdictions through their domestic legislation. However, because FATF membership covers virtually every significant financial centre, and because non-compliance with FATF standards results in grey-listing or blacklisting (with severe banking consequences), the standard has effectively become global law for any business operating in or serving regulated markets.

Five Core VASP Activities

The following five categories of activity, when conducted as a business on behalf of clients, make an entity a VASP under FATF standards:

  • Exchange between virtual assets and fiat currencies (buying and selling crypto for money)
  • Exchange between one or more forms of virtual assets (crypto-to-crypto swaps, conversions)
  • Transfer of virtual assets (sending crypto on behalf of clients — payment processors, remittance providers)
  • Safekeeping or administration of virtual assets (custodian wallets, key management services)
  • Participation in financial services related to the issuance or sale of a virtual asset (IEOs, token launchpads, placement agents)

Key principle: You do not need to be a licensed exchange to be a VASP. A payment processor, an NFT marketplace that facilitates primary sales, a DeFi aggregator with an identifiable operator, or a company that holds crypto on behalf of clients — all may qualify as VASPs and must register with the relevant authority.

VASP vs CASP — Same Concept, Different Names

One of the most common points of confusion in crypto regulation is the relationship between VASP and CASP. They refer to substantially the same category of business, but originate from different regulatory frameworks. Understanding the distinction matters when determining which rules apply to your business and in which jurisdiction.

| Dimension | VASP | CASP |
|---|---|---|
| Stands for | Virtual Asset Service Provider | Crypto-Asset Service Provider |
| Source framework | FATF Recommendation 15 (global) | EU MiCA Regulation (EU-specific) |
| Geographic scope | 200+ FATF member jurisdictions | 27 EU member states |
| Primary focus | AML/CFT — preventing money laundering and terrorist financing | Full regulatory framework — investor protection, market integrity, AML |
| Regulatory outcome | Registration / licence with AML authority | Authorisation as CASP — mandatory from Dec 2024 |
| Travel Rule | Applies to VASPs (FATF Rec. 16) | Applies to CASPs (EU Transfer of Funds Regulation) |
| Who uses the term | FATF, UK FCA, UAE VARA, Singapore MAS, most non-EU jurisdictions | EU regulators (ESMA, EBA), national competent authorities within EU |

In practice: if you are a crypto business operating in the EU, you will encounter the CASP designation under MiCA. If you operate globally or in non-EU markets, VASP is the applicable term. Both trigger equivalent AML/KYC obligations and both require formal registration or authorisation with a financial regulator.

"The VASP definition under FATF Recommendation 15 is deliberately broad — and that breadth is intentional. Regulators wanted to capture not just exchanges but any business model that touches virtual assets as a service. In my practice, I regularly see companies that assumed they were not VASPs — NFT platforms, DeFi aggregators, crypto payroll services — and were surprised to find they had been operating as unregistered VASPs for years. The first question any crypto founder should ask is: am I a VASP?"

— Dr. Marcus Hartmann, Senior Licensing Advisor

Types of VASPs — Which Category Are You?

FATF does not prescribe a closed list of VASP sub-types, but regulators and industry bodies have converged on the following categories. Each category has distinct compliance implications and may require different licence types in some jurisdictions.

1. Cryptocurrency Exchange
A platform that allows users to buy, sell, or trade virtual assets — either against fiat (on-ramp/off-ramp) or crypto-to-crypto. This is the most common VASP type and the primary target of most crypto licensing regimes. Includes spot exchanges, derivatives platforms, and OTC desks. All require VASP registration. Some jurisdictions — notably Singapore MAS and Hong Kong SFC — require separate licence categories for derivatives trading.

2. P2P Platform / Marketplace
Platforms that facilitate peer-to-peer trading of virtual assets without operating as the counterparty themselves. Even if the platform does not hold assets, providing the infrastructure for users to exchange virtual assets as a business activity typically qualifies as a VASP. FATF guidance explicitly states that P2P platforms with an identifiable operator must comply with AML/KYC obligations.

3. Custodian Wallet Provider
A business that holds private keys on behalf of customers — providing wallet services where the provider, not the user, controls the cryptographic keys. This is a core VASP category in every jurisdiction. Custodians are subject to the highest level of AML scrutiny, capital requirements, and safeguarding obligations (particularly under EU MiCA, which mandates client asset segregation for custodians).

4. Crypto Broker / Dealer
A business that buys and sells virtual assets on its own account while providing liquidity or execution services to clients. This includes market makers, OTC brokers, and proprietary trading firms that also provide client-facing services. The VASP classification applies when client service is part of the business model — pure proprietary trading with no client service component may fall outside the VASP perimeter in some jurisdictions.

5. DeFi Protocol (When Regulated)
FATF guidance is clear that decentralisation does not automatically exclude a protocol from VASP classification. If a DeFi protocol has an identifiable creator, operator, or owner who controls the protocol — including through governance tokens, upgrade keys, or fee collection — regulators may treat that entity as a VASP. True, fully decentralised protocols with no single point of control remain in a grey zone, but regulators in the UK, EU, and US are actively closing this gap.

6. NFT Platforms (When Considered VASP)
FATF has stated that NFT platforms are not automatically VASPs — NFTs that are unique digital collectibles without financial functionality fall outside the standard VASP definition. However, NFT platforms that facilitate large-scale primary sales of tokens with investment characteristics, or that enable secondary market trading in fractionalized NFTs, may cross into VASP territory. Regulators in Germany, the UK, and South Korea have signalled increasing scrutiny of NFT marketplaces.

FATF Requirements for VASPs

FATF Recommendation 15, updated in 2019, sets out the baseline obligations for VASPs. These requirements are implemented through domestic legislation by each FATF member jurisdiction — the specific rules differ, but the substance is consistent across all major financial centres.

Recommendation 15 — Core Obligations

Under Recommendation 15, countries are required to ensure that VASPs are regulated for AML/CFT purposes, licensed or registered, and subject to effective systems for monitoring or supervision. VASPs must implement AML/CFT programmes equivalent to those required of financial institutions.

| Obligation | What It Requires | Timing |
|---|---|---|
| Registration / Authorisation | Obtain licence or registration from the national financial authority before providing VASP services | Before operations begin |
| Customer Due Diligence (CDD/KYC) | Identify and verify customers, understand the nature of their business, apply enhanced due diligence for high-risk clients | At onboarding and ongoing |
| Transaction Monitoring | Monitor transactions for suspicious patterns; file Suspicious Activity Reports (SARs) with the FIU | Ongoing — real-time or near real-time |
| Travel Rule Compliance | Share originator and beneficiary data with counterpart VASPs for transfers exceeding $1,000 / EUR 1,000 | Per-transaction requirement |
| Record Keeping | Maintain transaction records and customer identification data for a minimum of 5 years (7 years in some jurisdictions) | Ongoing — audit-ready |
| Compliance Officer / MLRO | Appoint a qualified Money Laundering Reporting Officer responsible for AML programme management and SAR filing | Before operations begin |
| AML Policy Documentation | Maintain a written AML/CFT policy, risk assessment, and procedure manual — updated at least annually | Ongoing — annual review minimum |

Sanctions screening: In addition to FATF obligations, VASPs must screen customers and transactions against OFAC, EU, UN, and domestic sanctions lists. Sanction violations are treated separately from AML failures and carry strict liability in most jurisdictions — meaning no intent needs to be proven.

VASP Registration by Jurisdiction

The following table summarises VASP registration requirements across key jurisdictions. Requirements, timelines, and capital thresholds are accurate as of March 2026 but are subject to regulatory updates. Always verify current requirements with a qualified local advisor before initiating an application.

| Jurisdiction | Regulator | Regime | Timeline | Capital Requirement |
|---|---|---|---|---|
| 🇪🇪 Estonia | FIU (Rahapesu Andmebüroo) | VASP registration; MiCA transition in progress | 2–4 months | EUR 100,000 |
| 🇬🇧 United Kingdom | FCA (Financial Conduct Authority) | Crypto asset registration under MLRs 2017 | 3–6 months | No fixed minimum (capital adequacy assessed) |
| 🇱🇹 Lithuania | FNTT (Financial Crime Investigation Service) | VASP registration; MiCA CASP authorisation pathway | 2–3 months | EUR 125,000 |
| 🇩🇪 Germany | BaFin (Federal Financial Supervisory Authority) | Crypto custody licence (Section 1 KWG); MiCA CASP | 6–12 months | EUR 730,000+ (custody) |
| 🇦🇪 UAE (Dubai) | VARA (Virtual Assets Regulatory Authority) | VASP licence — full or MVP authorisation | 3–6 months | AED 500,000–2M+ depending on activity |
| 🇸🇬 Singapore | MAS (Monetary Authority of Singapore) | Major/Standard Payment Institution licence under PSA | 6–12 months | SGD 250,000–1M depending on activities |
| 🇵🇱 Poland | KNF (Polish Financial Supervision Authority) | VASP registration in Virtual Currency Activities Register | 4–8 weeks | No fixed minimum |
| 🇭🇰 Hong Kong | SFC (Securities and Futures Commission) | VATP licence (Virtual Asset Trading Platform) | 9–18 months | HKD 5,000,000+ |

Note that within the EU, the MiCA framework has been phasing in since June 2023 and is now the primary regulatory framework for all crypto businesses. Existing national VASP registrations (e.g., Poland, Lithuania, Estonia) provide grandfathering periods that vary by country, but full MiCA CASP authorisation is required for continued EU market access. Businesses that registered under legacy national regimes must transition to MiCA authorisation or cease EU operations.

The Travel Rule — VASP-to-VASP Data Sharing

The Travel Rule is one of the most operationally significant obligations for VASPs. Derived from FATF Recommendation 16 (originally designed for wire transfers between banks), it requires that VASPs collect and transmit originator and beneficiary information alongside virtual asset transfers above the $1,000 threshold.

The rule is called the "Travel Rule" because the information must travel with the transaction — the sending VASP must pass customer data to the receiving VASP as part of the transfer process. Unlike in the traditional banking world, where SWIFT messaging carries this data automatically, the crypto industry lacked a standardised infrastructure for VASP-to-VASP data sharing, which led to the development of several competing protocols.

What Data Must Travel?

| Data Category | Originator (Sender) | Beneficiary (Receiver) |
|---|---|---|
| Name | Full legal name — required | Full legal name — required |
| Account / Wallet Address | Account number or virtual asset wallet address | Account number or virtual asset wallet address |
| Physical Address | National ID number, date of birth, or physical address | National ID, customer ID, or date and place of birth (where available) |

Travel Rule Compliance Tools (2026)

Three main protocols have emerged as the leading infrastructure solutions for Travel Rule compliance between VASPs. Each has a different adoption base and technical approach, and many VASPs implement multiple solutions to maximise counterpart coverage:

TRISA (Travel Rule Information Sharing Architecture)
Open-source, decentralised protocol developed by CipherTrace. Uses PKI certificate-based identity verification. Strong adoption among regulated VASPs in the US, UK, and APAC. Free to join; requires a TRISA certificate issued after KYB verification.

OpenVASP
Ethereum-based, open-source protocol initiated by Bitcoin Suisse. Uses blockchain-anchored VASP codes for decentralised discovery. Adopted by several European banks and exchanges. Technically complex but offers strong privacy characteristics for VASP-to-VASP messaging.

VerifyVASP
Commercial platform with strong adoption in Asia-Pacific, particularly South Korea and Japan. Managed service model — lower technical overhead but involves a central operator. Supports both FATF Travel Rule and Korean-specific SPECIFIC Act requirements. Endorsed by Korea's DAXA self-regulatory body.

Unhosted wallets: The Travel Rule as written applies to VASP-to-VASP transfers. Transfers to unhosted wallets (self-custody addresses not held by a VASP) are treated differently across jurisdictions. The EU Transfer of Funds Regulation requires VASPs to collect beneficiary information for transfers to unhosted wallets above EUR 1,000, even when no counterpart VASP is involved. The UK FCA has similar requirements under its own regime.


"The Travel Rule is the compliance challenge that separates serious VASPs from box-checkers. Implementing it correctly requires not just policy — it requires interoperable technical infrastructure, counterparty VASP discovery, sanctions screening on both sides of the transfer, and documented escalation procedures for unhosted wallet transfers. VASPs that built their Travel Rule solution in a hurry are now discovering the gaps during supervisory examinations. Build it properly from the start."

— Dr. Marcus Hartmann, Senior Licensing Advisor

Is Your Business a VASP?

Use the following decision checklist to assess whether your business meets the FATF definition of a VASP. A "yes" answer to any of the core questions indicates you are likely operating as a VASP and must register with the relevant authority in each jurisdiction where you operate or have clients. This checklist is a starting point — always confirm with a qualified legal advisor before concluding you are or are not a VASP.

1. Do you exchange virtual assets for fiat currency (or vice versa) on behalf of customers?
Yes → You are a VASP. Applies to: on-ramps, off-ramps, ATM operators, OTC desks, retail exchanges.

2. Do you exchange one virtual asset for another on behalf of customers?
Yes → You are a VASP. Applies to: crypto swap services, DEX aggregators with an identifiable operator, trading platforms.

3. Do you transfer virtual assets on behalf of others?
Yes → You are a VASP. Applies to: crypto payment processors, remittance services, payroll-in-crypto providers, any service moving crypto between wallets for clients.

4. Do you hold or control virtual assets on behalf of others (custody)?
Yes → You are a VASP. Applies to: custodian wallets, exchange hot/cold wallets holding client assets, staking-as-a-service where you hold keys, asset managers holding crypto on behalf of investors.

5. Do you participate in the issuance or sale of virtual assets for others?
Yes → You are likely a VASP. Applies to: token launchpads, IEO platforms, placement agents for token offerings, issuance agents acting on behalf of a token issuer.

6. Are your activities purely personal (not as a business, not on behalf of others)?
Yes → You are NOT a VASP. Personal crypto usage, self-custody, and private investment activities do not fall within the VASP definition. Mining and staking solely for your own account are also typically excluded.

If you answered yes to any of questions 1–5: You are operating as a VASP and must register with the financial intelligence unit or financial regulator in every jurisdiction where you are incorporated or where you actively serve customers. Failure to register carries criminal liability in most jurisdictions, including fines, business closure orders, and personal liability for directors and officers.

VASP — Common Questions Answered

A VASP (Virtual Asset Service Provider) is any natural or legal person that conducts, as a business, one or more of the following activities for others: exchanging virtual assets for fiat or other virtual assets, transferring virtual assets, custodying virtual assets, or participating in the issuance of virtual assets. The definition comes from the Financial Action Task Force (FATF) Recommendation 15 (2019) and has been adopted by 60+ jurisdictions worldwide. Being a VASP triggers mandatory AML/KYC registration requirements.
VASP and CASP refer to substantially the same category of crypto business, but come from different regulatory frameworks. VASP is the FATF global standard — used by the UK FCA, UAE VARA, Singapore MAS, and most non-EU jurisdictions. CASP (Crypto-Asset Service Provider) is the EU's term under the MiCA regulation. If you operate in the EU, you will be classified as a CASP and must obtain a MiCA authorisation. Outside the EU, you are a VASP and must register under the relevant national VASP regime. In both cases, AML/KYC obligations, Travel Rule compliance, and regulatory oversight requirements are materially the same.
It depends on the degree of decentralisation. FATF guidance (2021 Updated Guidance) explicitly states that DeFi protocols are not automatically excluded from VASP classification. If a DeFi protocol has an identifiable owner or operator who maintains control — for example, through admin keys, upgrade mechanisms, governance token majority, or fee collection — then that person or entity may be classified as a VASP. Fully decentralised protocols with no single point of control remain in a grey area, but regulators in the EU (ESMA), UK (FCA), and US (CFTC, FinCEN) are actively developing frameworks that will bring more DeFi activity within the regulatory perimeter. If you operate or develop a DeFi protocol, seek specific legal advice before launch.
When a customer at VASP A sends virtual assets to a customer at VASP B, and the transfer value exceeds $1,000 (or EUR 1,000 in the EU), VASP A must send the originator's name, wallet address, and one additional identifier (such as national ID number, date of birth, or physical address) to VASP B before or simultaneously with the transaction. VASP B must verify the beneficiary information and can refuse the transaction if the information is incomplete or inconsistent. In practice, VASPs implement this through Travel Rule protocols such as TRISA, OpenVASP, or VerifyVASP, which create secure messaging channels between registered VASPs. The main compliance challenge is the "sunrise problem" — what to do when the counterpart VASP is in a jurisdiction that has not yet enforced the Travel Rule.
VASP registration varies by jurisdiction but typically involves: (1) incorporating a legal entity in the jurisdiction, (2) appointing a qualified AML/compliance officer (MLRO), (3) drafting an AML/KYC policy tailored to your specific business model, (4) preparing a business plan, technical description, and risk assessment, (5) submitting a registration application to the relevant authority (e.g., FIU in Estonia, FCA in the UK, FNTT in Lithuania), and (6) paying any applicable government fees. Timelines range from 4 weeks (Poland, Slovakia) to 12+ months (Singapore MAS, Hong Kong SFC). Capital requirements range from none (some EU registrations) to several million USD for premium licences. Working with a specialist VASP advisory firm significantly improves success rates and compresses timelines.
Penalties for unlicensed VASP operation are severe and increasing globally. In the UK, operating without FCA registration carries up to 2 years imprisonment and/or an unlimited fine. In the EU (under MiCA), unlicensed CASP activity can result in fines of up to EUR 5 million or 3% of annual turnover, plus business shutdown orders. In the UAE, operating without a VARA licence can result in fines of up to AED 50 million and criminal prosecution. In the US, operating without FinCEN registration as an MSB (Money Services Business) — which applies to most VASPs serving US customers — carries fines of up to $1 million per day of violation. Beyond financial penalties, unregistered VASPs typically lose access to banking services, cannot list on regulated exchanges, and face reputational damage that is difficult to recover from.
