Virtual Asset Service Provider Registration

VASP registration is the primary pathway for crypto businesses seeking international recognition and banking partnerships. VASP status signals compliance with FATF standards across 200+ jurisdictions. Registration differs from licensing - registration establishes status without full regulatory oversight in some jurisdictions, while licensing provides full authorization. Many jurisdictions offer registration-only pathways (simpler), though banking access may be limited compared to full licensing.

VASPs include exchanges, custodians, wallet providers, payment processors, and protocol developers receiving fees for asset management. Personal users, miners, non-professional NFT creators, and open-source developers typically avoid classification. However, FATF guidance now captures protocol developers with treasury management authority, governance control, or ongoing revenue. The test: does the entity control virtual assets or facilitate transactions? Passive investors avoid classification; active protocol developers fall within scope.

FATF Recommendation 15 (updated June 2023): Key requirements: KYC (Know Your Customer), Travel Rule (exchange customer info between VASPs for transactions), transaction monitoring, and suspicious activity reporting. Travel Rule is the marquee requirement - VASPs transferring assets must transmit originating and beneficiary customer information to receiving VASP, consistent with correspondent banking.

Travel Rule implementation: FATF mandated January 2025, though many jurisdictions extended to 2026. Most major exchanges partially implemented; smaller platforms still developing compliance. Transaction monitoring systems must detect suspicious patterns (structuring, rapid turnover, sanctions-origin). Risk-based approach permits tiered monitoring by transaction size and customer risk profile.

Sanctions screening and beneficial ownership: Screen customers and transaction counterparties against OFAC, EU, UN lists using automated tools with manual review for matches. Identify ultimate beneficial owners of entities conducting transactions through full corporate ownership chains.

Registration-only: Establishes VASP status under FATF standards without full regulatory oversight or operational authority. Some LATAM and African markets maintain VASP registries with limited supervision. Proves compliance but doesn't authorize business activities. Banking problem: institutions hesitate to partner with registration-only entities lacking ongoing oversight.

Full licensing: Developed jurisdictions (Singapore, Cayman, EU) incorporate VASP requirements within broader regulatory framework. Grants operational authority, requires capital maintenance, compliance officer, audits, and examinations. Costs exceed registration-only but provide regulatory certainty and banking access.

When to choose each: Seek institutional capital, banking partnerships, or developed-market legitimacy? Use full licensing. Consumer platform with sufficient customer base to operate independently? Registration-only remains viable.

Singapore (MAS): Registration establishes VASP status. Full licensing grants money transmission or capital markets authority. Requirements: director qualification (fit/proper test), financial records, transaction reporting (30 days), beneficial ownership. Capital: SGD 100k-$500k.

Cayman Islands (CIMA): VASP registration requires: compliance officer, AML/KYC procedures, beneficial ownership identification, transaction monitoring. Annual fees: $15k-$50k. Money transmitter licensing separate from VASP registration with additional capital/operational requirements.

EU (MiCA): "Crypto Asset Service Provider" requires authorization from national competent authority. Capital minimum: €50k. Custody rules, organizational requirements, transaction reporting.

UK (FCA): Maintains cryptoassets register. Requirements: FCA registration, compliance officer, KYC, beneficial ownership documentation, transaction reporting (30 days).

Emerging markets: Many lack formal VASP registration but regulate VASPs through AML frameworks. Verify requirements in your operational jurisdictions.

Standard application package: Business plan (services, customer base, tech), compliance program (AML/KYC, transaction monitoring, sanctions screening), director/officer information (background, experience, fit/proper status), financial information (capital adequacy, projections).

AML/KYC procedures: Customer identification, verification methods, ongoing due diligence, beneficial ownership verification. Documented risk-based approach varying requirements by customer profile.

Compliance officer: 3+ years AML/financial compliance experience. Must have independent authority, board reporting, documented role/responsibilities. Some jurisdictions specify certifications.

Beneficial ownership register: Ultimate beneficial owners of entities opening accounts, conducting high-value transactions, or holding assets. Include: name, address, citizenship, ownership %, decision-making authority.

Technology documentation: Transaction monitoring tools, sanctions screening databases, transaction logging, audit trails. Many jurisdictions require third-party attestations for transaction monitoring systems.

Typical timelines: Registration-only: 4-8 weeks. Full licensing: 3-6 months. Stages: application submission → 2-4 week initial review → follow-up requests (2-3 weeks) → applicant response (4 weeks) → approval (4-8 weeks). Incomplete applications delay substantially. Common deficiencies: inadequate AML, unclear technology, insufficient beneficial ownership documentation. Most authorities request supplemental info rather than rejecting.

Banking partnerships: Separate due diligence (4-12 weeks) after VASP approval. Banks conduct compliance assessment, technology review, operational audit. Total timeline from VASP approval to banking: 2-3 months.

Fast-track: Some jurisdictions expedite for qualified applicants (institutional credibility, track record). Reduced to 6-8 weeks but requires enhanced documentation. Additional cost: $10k-$30k. Often worth it for time-sensitive projects.

Reporting: Quarterly or annual suspicious activity reporting. Suspicious transaction reports due 24-48 hours after identification. Beneficial ownership updates due 30 days after changes.

Compliance officer: Must maintain independent authority: establish policies, conduct audits, engage regulators independently, escalate concerns without retaliation.

Transaction monitoring: Real-time systems detecting suspicious patterns. Flag: high-frequency transfers to new recipients, structuring, sanctions-origin, counterparty risk.

Record retention: 5-7 years for transaction records, customer ID, beneficial ownership. Accessible to regulators within 10-30 business days.

Regulatory examination: Periodic reviews (typically annual for licensees, less frequent for registration-only). Assess compliance adequacy, monitoring effectiveness, remediation of prior deficiencies.

Continuous disclosure: Notify regulators within 10-30 days of material changes: service expansion, ownership changes, personnel changes, compliance incidents. Some jurisdictions require advance notification.