How to Choose a VASP License: Jurisdictions, Costs & Compliance

If you’re building an exchange, wallet, on/off-ramp, or tokenized-assets stack, your license choice sets the ceiling for growth. Pick the wrong home and you’ll fight for bank accounts, stall launches, or re-license later at 10× the cost. Pick the right one and you’ll scale faster, pass audits, and win enterprise trust.

This guide covers what a VASP license is, who needs one, how to choose a jurisdiction, and common pitfalls. We close with quick snapshots of the EU (MiCA/CASP), Switzerland, UAE (VARA/ADGM), Hong Kong, and Singapore.

What is a VASP license?

A VASP license (or equivalent authorization) is the legal permission for crypto businesses to perform regulated activities: exchange, custody, transfers, brokerage/dealing, order execution, platform operation, and in some places issuance/placement and advice/portfolio management.

Globally, most regimes align – formally or informally – with FATF standards (including the Travel Rule – sharing sender/recipient information for VA transfers), and expect ongoing AML/CFT, governance, reporting, audits, and consumer-protection controls – not just a one-time registration.

Who needs a VASP license?

If you do any of the following for customers, you’re likely in scope and should plan to license before launch (exact definitions vary by country):

• Custody/administration of crypto-assets
• Operation of a trading platform / order-book / MTF
• Exchange of crypto-assets for fiat or other crypto-assets
• Execution of orders/dealing/brokerage in virtual assets
• Placement/issuing services (e.g., ICO/IEO support, where permitted)
• Investment advice or portfolio management on crypto-assets
• Transfer/remittance services in crypto-assets

How to choose a jurisdiction?

Start with what you’ll offer → where you’ll operate → what’s required. Then choose the option that balances speed to approval, reliable banking, and long-term fit.

1. Your services today and tomorrow
   Map features to regulated activities (custody, exchange, brokerage, payments, staking/lending, token issuance, portfolio mgmt). Some services trigger higher capital, audits, and more intrusive prudential oversight. If staking, leverage, derivatives, or retail trading is on your roadmap, plan for it now.
2. Target markets + passporting
   a) EU (MiCA) gives passporting across EU/EEA once authorized – one license, many markets.
   b) Outside the EU, expect market-by-market authorization (e.g., HK SFC VATP, MAS PSA, VARA/ADGM).
3. Regulatory reputation & investor confidence
   A well-regarded supervisor + clear rulebook = smoother banking, easier enterprise sales, and less investor friction. Reputation compounds.
4. Cost to obtain + cost to keep
   Budget beyond filing fees: minimum capital/own funds, application & supervisory fees, local directors/MLRO, office/substance, audits, Travel Rule & AML tooling, legal/consulting. Opex matters more than the initial filing fee.
5. Speed to market
   Approval depends on queue, completeness, and whether approvals are staged (in-principle → full). Even “fast” is still months. If timeline is critical, run pre-filing Q&A with the regulator.
6. Banking & fiat access
   A license helps but doesn’t guarantee accounts/rails. Some places are more bankable in practice. Start bank/EMI conversations in parallel with your filing.
7. Tax environment
   Compare corporate tax, VAT/GST, withholding, and treatment of token issuance, staking yield, capital gains. Structure early to avoid migrations later.
8. Ecosystem & talent
   You’ll need experienced MLROs/compliance leads, external auditors, Travel Rule and chain-analytics providers, and counsel who’ve done this before – ideally in-market.

Popular jurisdictions for VASP licensing

Different jurisdictions fit different products and roadmaps. The table below highlights services covered, indicative budgets, approval timelines, and banking reality at a glance.

Jurisdiction	Key Services Covered	Costs (Setup & Annual)	Processing Time	Banking / Fiat Outlook	Notes
EU (MiCA/CASP)	Exchange; trading platforms; custody & administration; reception/transmission & execution of orders; placing; portfolio management; advice.	Own funds: €50k / €125k / €150k (service‑dependent). NCA application fees vary (often hourly). Annual: supervisory levies + ongoing compliance.	≈4–9 months end‑to‑end (varies by NCA; statutory clocks apply once complete).	Good when licensed; SEPA via banks/EMIs; EU passporting supports scale.	Single authorisation with EU/EEA passporting; replaces most national VASP regimes after transitions.
Switzerland	Exchange; custody; asset management; payments; token issuance (via FINMA/SRO). DLT trading facility available.	No single “VASP licence”. Fees are time‑based; route‑dependent. FinTech licence allows deposits up to CHF 100m (non‑interest). Annual: varies by licence/SRO.	≈6–12+ months depending on licence route and application quality.	Strong for well‑governed entities; multiple Swiss banks active in crypto services.	Activity‑specific regimes (banking/FinTech, securities firm, DLT facility) or AML SRO supervision for some intermediaries.
UAE (VARA / ADGM)	VARA: Exchange, Broker‑Dealer, Custody, Lending & Borrowing, Payments. ADGM: MTF, brokerage, custody.	Application + capital (activity‑based) + office/substance. Annual: supervisory fees & compliance operations.	≈4–9 months typical, depending on scope and readiness. Phased approvals (IPA → final).	Improving access; local banks increasingly support licensed entities.	Robust free‑zone rulebooks; fast‑evolving ecosystem.
Hong Kong	VATP licence for trading platforms; dealing in VAs; VA custody under AMLO/SFO framework.	Paid‑up capital ≥ HKD 5m + liquid‑capital obligations. Annual: audits & ongoing supervision.	≈6–12+ months depending on completeness/complexity.	Risk‑based support encouraged by HKMA; rails available via local banks for licensed firms.	Retail trading permitted for eligible tokens with strict investor‑protection & AML controls.
Singapore	PSA DPT services: dealing/exchange, facilitation, custody (SPI/MPI classes).	Base capital: SPI ≥ S$100k; MPI ≥ S$250k (security deposit applies). Annual: significant ongoing obligations & audits.	≈6–12+ months. Highly selective; DTSP licences granted only in extremely limited cases.	No prohibition on banks serving DPT firms (risk‑based); rails via local banks/EMIs (e.g., DBS).	Stringent retail safeguards; phased enhancements through 2024–2025.

TL;DR of the table

EU (MiCA/CASP)
Best for EU scale. Passporting across EU/EEA once authorised; own-funds €50k–€150k; timelines ~4–9 months depending on NCA. Strong bankability if compliant; heavier ongoing disclosure/governance.

Switzerland
High-trust, institution-friendly. Activity-specific pathways (FINMA/SRO); timelines ~6–12+ months; costs depend on route. Strong banking rails; no single ‘VASP’ licence.

UAE (VARA/ADGM)
Fast-evolving hub with clear activity categories and phased approvals. Expect meaningful capital/substance and ~4–9 months to launch. Banking access improving; strong regional positioning.

Hong Kong
Premium, retail-enabled VATP regime. Paid-up capital ≥ HKD 5m, strict safeguards; timelines ~6–12+ months. Good bank access for licensed firms; strong for Asia growth.

Singapore
Selective, institutional-grade PSA regime. SPI ≥ S$100k / MPI ≥ S$250k, stringent consumer/tech-risk rules; timelines ~6–12+ months. Bank rails via local majors; best for quality-first scaling.

Common mistakes to avoid

• Optimizing for the cheapest sticker price. Low initial fees can mask heavy ongoing compliance — or limit your future product scope.
• Underestimating ongoing AML/Travel Rule obligations. Budget for tooling (KYC, screening, chain analytics, Travel Rule), audits, and dedicated compliance staff.
• Mis-scoping your license. Operating outside permitted activities risks enforcement, forced exits, or license revocation.
• Betting on reverse solicitation. It’s not a growth strategy; most web presence/ads count as solicitation. Assume you’ll need a license where your users are.
• Neglecting regulator engagement. Silence kills timelines. Proactive Q&A and transparent remediation earn trust.
• Under-capitalizing. Minimum capital ≠ operating buffer. Add runway for audits, tech hardening, and market shocks.
• Banking as an afterthought. Line up bank/EMI partners early; your compliance maturity and governance decide the outcome.

Step-by-step: from idea to authorized launch

1. Define your regulated activities (now + 12–24 months out).
2. Pick target markets and decide: one global base with passporting (EU) vs. multiple local authorizations.
3. Engage specialists early (regulatory counsel, MLRO, audit).
4. Draft your compliance stack: AML program, Travel Rule solution, sanctions screening, fraud/market-abuse monitoring, custody controls, incident response.
5. Assemble documentation: business plan, financials/capital, governance, key personnel fit-and-proper, IT/cyber & cloud controls, outsourcing, risk assessment.
6. Run a pre-filing gap check with the regulator’s checklist/Q&A.
7. File + respond quickly to regulator queries; expect staged approvals.
8. Stand-up operations (local substance, policies, training, reporting cadences) before go-live.

Key takeaways

• Choose your regulatory home for product scope, markets, and bankability – not just filing fees.
• EU CASP is the default for serious EU coverage and scale.
• Switzerland, Singapore, Hong Kong, UAE are high-trust hubs with commensurate rigor – great for institutional and regional strategies.
• Licensing is a starting line, not the finish. Budget for ongoing compliance – that’s what unlocks banking, sustained passporting, and scale. Treat it as an investment, not a cost.

Compliance doesn’t have to slow growth. Hacken helps you pick the right license, stand up controls, and stay audit-ready from day one.
Want a tailored path for your product and markets? Let’s talk →