What Is a Virtual Asset Service Provider (VASP) in Crypto?
TL;DR
A Virtual Asset Service Provider (VASP) is an entity offering services involving cryptocurrencies or digital assets. Typical VASP services include:
- Exchanging virtual assets (VAs) for fiat currencies
- Trading virtual assets for other virtual assets
- Transferring virtual assets
- Safekeeping or administering virtual assets
- Facilitating financial services related to virtual asset issuance or sales
Knowing whether your company’s activities fall within the VASP category – and under which jurisdiction – is key to mitigating regulatory risks while achieving business goals.
Official Definitions from Global Regulatory Bodies
FATF Guidance
The Financial Action Task Force (FATF) defines virtual assets as digital representations of value that can be transferred, stored, or traded digitally and used for payment or investment purposes (excluding fiat currencies or traditional securities).
According to the FATF Glossary (2018–21), a VASP includes any individual or entity that engages in one or more of the following:
- Exchange between virtual assets and fiat currencies
- Exchange between different virtual assets
- Transfer of virtual assets
- Safekeeping or administration of virtual assets
- Providing financial services related to an issuer’s offer and/or sale of virtual assets
FATF is not a regulator, but a global policy-making body. It sets international standards to combat money laundering and terrorist financing (AML/CFT), which are then adopted and enforced by national authorities.
While FATF guidance is not binding, it significantly shapes national regulatory approaches around the world.
EU MiCA Framework and CASPs
In the European Union, the Markets in Crypto-Assets (MiCA) regulation introduces a local equivalent of VASP: the Crypto-Asset Service Provider (CASP).
MiCA defines a CASP as a legal person providing professional crypto‑asset services, such as custody, exchange services, trading platform operations, order execution, investment advice, and portfolio management.
While similar in scope to the FATF’s definition, CASP includes additional regulated services, such as:
- Custody and administration of crypto assets
- Operation of a trading platform
- Execution of orders
- Placement and reception/transmission of orders
- Providing investment advice or portfolio management
MiCA aims to harmonize crypto regulation across all EU member states. CASPs must meet extensive compliance obligations – licensing, governance, risk management, AML/CFT protocols, and consumer protection.
Different types of operations may find MiCA more or less favorable. For example, DeFi interfaces may struggle under CASP licensing requirements, while centralized exchanges or custodians benefit from regulatory clarity.
The EU’s MiCA introduces significant compliance obligations. Learn more about how to align your crypto business with MiCA regulations through Hacken’s dedicated crypto compliance services.
US FinCEN and Money Services Business (MSB)
In the U.S., crypto-related service providers fall under the Money Services Business (MSB) regime regulated by the Financial Crimes Enforcement Network (FinCEN).
MSBs must comply with the Bank Secrecy Act (BSA), which imposes rigorous requirements:
- Registration with FinCEN
- AML/KYC programs
- Suspicious Activity Report (SAR) filing
- Ongoing risk assessments
While the MSB framework is relatively broad, its interpretation often mirrors FATF guidance. The U.S. remains a complex jurisdiction for crypto, especially for startups targeting nationwide operations.
CASP vs. VASP: What’s The Difference?
Think of VASP as the global umbrella term (per FATF), and CASP as the EU-specific implementation under MiCA.
A CASP includes all traditional VASP activities but expands the regulatory perimeter to encompass investment-related services and consumer protections.
Simply put, all CASPs are VASPs, but not all VASPs qualify as CASPs under EU’s expanded requirements.
In practice:
- If you’re providing custody, trading, or investment advisory services in the EU, you’ll need CASP authorization.
- If you operate globally, you may still fall under VASP definitions in other regions.
Who Needs to Register as a VASP?
If your company conducts any of the following, you’re likely a VASP and subject to regulation:
- Centralized Crypto Exchanges (CEXs): Buy/sell trading venues for digital assets
- Custodial Wallet Providers: Entities that hold private keys on behalf of users
- OTC Desks: Facilitating large off-exchange trades
- Crypto Payment Processors: Managing crypto transactions for businesses and consumers
The exact registration requirements depend on where and how you operate.
Global Regulatory Context for VASPs
Once you’ve confirmed that your business qualifies as a VASP, the next step is choosing where and how to operate legally.
While the Financial Action Task Force (FATF) provides a global policy framework for anti-money laundering and counter-terrorist financing (AML/CFT), implementation varies significantly across jurisdictions.
Some regions offer unified crypto-specific regulation, while others apply legacy financial rules.
Understanding these differences isn’t just a compliance exercise – it’s a strategic decision that should align with your business model, operational footprint, and long-term goals.
EU: MiCA’s Unified Approach
MiCA introduces the EU’s first unified framework for crypto regulation. CASPs must:
- Obtain regulatory authorization
- Operate under AML/CFT policies
- Maintain clear risk and governance structures
- Provide user protection mechanisms
MiCA is particularly appealing for businesses targeting multiple EU markets, offering legal clarity and passporting.
Looking ahead, the EU Anti-Money Laundering Authority (AMLA) – set to launch in 2026 – will further strengthen oversight by directly supervising major cross-border CASPs for AML/CFT compliance.
United States: FinCEN + State Requirements
In the U.S., regulatory obligations exist on both federal and state levels. In addition to FinCEN:
- New York (BitLicense): Requires state licensing for digital asset activities
- California, Texas, and others: May impose their own registration or money transmission rules
For U.S.-based crypto businesses, it’s crucial to plan regulatory engagement from the outset – not retroactively.
Other Jurisdictions at a Glance
- Singapore (MAS): The Monetary Authority of Singapore requires licensing for digital payment token service providers, focusing heavily on AML and tech risk management. Ideal for infrastructure or custody-focused businesses with strong AML systems.
- UAE (VARA): Dubai’s Virtual Assets Regulatory Authority enforces strict licensing and compliance standards for virtual asset service providers operating within its jurisdiction.Learn more about cryptocurrency regulation in the UAE.
- UK (FCA): The Financial Conduct Authority mandates comprehensive registration and AML/KYC adherence for crypto businesses, with particular attention to consumer protection. Registering with the FCA is mandatory for most crypto companies operating in the UK.
Each jurisdiction offers different strengths – your business model should guide the choice.
What Are the Core Compliance Requirements for VASPs?
VASPs must comply with the following requirements in most jurisdictions:
- KYC & AML Procedures: Identity verification, onboarding, and transaction monitoring.
- Travel Rule Compliance: Sharing transaction data with counterparties when thresholds are met.
- Licensing: Applying for regulatory authorization where applicable.
- Record-Keeping: Maintaining records of transactions and user interactions.
- Suspicious Activity Reporting: Filing reports on unusual or potentially illicit behavior.
How to Become a Compliant VASP
Here’s our recommended approach:
- Start With Your Business Model: Define your service offering, jurisdictions of operation, user base, and risk appetite.
- Select The Right Jurisdiction: Choose a location where regulatory frameworks align with your growth strategy.
- Engage Legal & Compliance Experts: Early consultation can prevent costly rework or enforcement actions.
- Build Internal Controls: Draft AML/CFT policies, user verification processes, and transaction monitoring systems.
- Prepare Documentation: Most regulators require business plans, risk assessments, governance frameworks, and compliance policies.
- Register With Regulators: File the appropriate registrations or license applications with financial authorities in your chosen jurisdiction(s). This may include both national and regional filings.
- Monitor Regulatory Changes: Especially if you operate cross-border.
Common mistakes to avoid:
- Designing your business around regulatory constraints instead of growth goals
- Assuming compliance is a one-time exercise
- Underestimating capital or human resources needed for compliance
- Ignoring cybersecurity obligations (a growing enforcement focus)
Get the free CASP/VASP Licensing & Compliance Handbook to understand your obligations under MiCA and DORA frameworks.
👉 Download the Full Handbook (PDF):
Conclusion
There’s no one-size-fits-all answer for VASP compliance. What works for a European custody provider may not suit a U.S.-based trading platform or a global DeFi aggregator.
At Hacken, we help Web3 companies translate complex regulatory frameworks into actionable plans that support both compliance and growth.
Need help choosing the right jurisdiction or mapping your VASP obligations? Let’s talk →
Table of contents
Tell us about your project
Read next:
More related- Mastering Cosmos Security: Best Practices for Appchain Builders
18 min read
Discover
- Real-World OP Fault-Proof Vulnerabilities & Fixes
8 min read
Discover