CASP and VASP are not interchangeable labels. CASP is the European Union’s licensing category under the Markets in Crypto-Assets Regulation, while VASP is the global anti-money laundering designation created by the Financial Action Task Force. Get the CASP vs VASP distinction wrong, and you risk applying for the wrong license, missing a compliance deadline, or losing the right to serve EU customers altogether.
For a founder scaling a crypto exchange, custodian, or payments platform, this isn’t a technicality. It determines which regulator reviews your business, how much capital you need, and whether one license lets you operate across 27 countries or just one. By the end of this guide, you’ll know exactly what is CASP, what is VASP, and which one your business actually needs.
The fastest way to see the CASP vs VASP split is side by side. Here’s how the two categories compare across the traits that matter most for a licensing decision:
That table captures the headline differences. The sections below unpack each row, starting with the two definitions themselves.
CASP stands for Crypto-Asset Service Provider. It’s the license category the European Union created under the Markets in Crypto-Assets Regulation, known as MiCA, which entered into force on 29 June 2023.
A CASP license covers a wide set of crypto-asset services, including custody and administration, operating a trading platform, exchanging crypto-assets for cash or other tokens, and giving crypto advice or portfolio management. To qualify, a firm needs a registered office and an effective place of management inside an EU or EEA member state, plus at least one EU-resident director.
Scale changes the picture too. A CASP with more than 15 million active users gets classified as a “Significant CASP,” and the European Securities and Markets Authority gains intervention powers over that firm on top of its national regulator’s oversight, per the same Clifford Chance analysis. Once authorized, though, a CASP can serve customers across all 27 EU member states under a single license, and that one fact is the biggest practical advantage CASP holds over VASP.
VASP stands for Virtual Asset Service Provider. It’s the term the Financial Action Task Force, or FATF, built into its global standards in 2019, when it updated Recommendation 15 to bring crypto businesses under the same anti-money laundering expectations as banks and other financial institutions.
Under FATF’s definition, a VASP is any business that, on behalf of a customer, exchanges virtual assets for fiat currency, exchanges between different virtual assets, transfers virtual assets, provides safekeeping or administration of virtual assets, or takes part in a token issuer’s offer or sale.
FATF isn’t a lawmaking body, and it doesn’t issue licenses itself. Recommendation 15 and its Interpretive Note set a global standard that individual countries then write into their own domestic law, which is exactly why VASP registration requirements differ from one country to the next even though they all trace back to the same FATF source.
The EU needed a term that covered more than anti-money laundering. FATF’s VASP concept was purpose-built to fight money laundering and terrorist financing, and it stops there. MiCA needed to cover market conduct, consumer protection, capital adequacy, and governance on top of AML, so the European Securities and Markets Authority frames MiCA as the single rulebook that standardizes how crypto-assets get treated across the entire bloc, not simply an AML overlay bolted onto existing national law.
Coining a new term also let the EU signal that this designation carries the weight of directly binding law rather than a recommendation each country interprets on its own. Before MiCA, a VASP registration in France looked nothing like a VASP registration in Germany or Malta, even though all three were nominally implementing the same FATF standard. CASP standardizes that picture across the whole bloc in a way the word “VASP” was never designed to do, since VASP was always meant to flex to local law by definition.
VASP vs CASP comes down to scope, geography, and legal weight. VASP is a global AML floor. CASP is a full EU market authorization that happens to include AML as one requirement among many others.
A few differences stand out for founders comparing the two:
None of this makes a VASP registration worthless. It’s still the operative standard everywhere outside the EU, and for many business models it’s genuinely sufficient. It’s simply a lighter, narrower standard than CASP authorization, built for a different job.
No, and that gap explains a lot of the confusion between VASP and CASP. FATF Recommendations are standards that jurisdictions around the world commit to implementing through their own domestic law. They carry real diplomatic and reputational weight, since a country judged non-compliant can end up facing enhanced monitoring, but FATF itself has no power to fine a business or revoke a license.
MiCA works differently because it’s a regulation, not a recommendation. Once the EU adopted it, MiCA took direct legal effect in every member state without any country needing to pass its own implementing law first. That’s part of why a CASP license means the same thing in Germany as it does in Malta, while a VASP registration can mean very different things from one country to the next despite tracing back to the same FATF standard.
The gap between the two shows up in FATF’s own numbers. FATF found that many jurisdictions, including some with materially important virtual asset activity, still hadn’t put basic VASP licensing, supervision, or Travel Rule enforcement fully in place years after the standard was adopted. MiCA doesn’t have that problem, because compliance isn’t optional once you’re authorized as an EU CASP.
Registration and authorization sound similar. VASP vs CASP shows they aren’t. A VASP registration is usually a notification process: you tell your regulator or financial intelligence unit that you’re operating, you commit to AML controls, and the regulator logs your business without necessarily reviewing whether your systems, capital, or management are genuinely sound.
CASP authorization is a substantive review. ESMA’s supervisory briefing on CASP authorization makes clear that national competent authorities treat every CASP as carrying meaningful risk regardless of size, and they evaluate the executive team’s time commitment, the business model’s conflicts of interest, and how much of the operation gets outsourced before granting a license. A CASP serving more than 200,000 active users outside its home country faces even heavier scrutiny under that same briefing.
CASPs also carry technical obligations that most VASP regimes never touch. Once authorized, a CASP has to keep standardized, machine-readable order book records and identify clients and tokens using internationally recognized identifier codes, under the data standards ESMA has published to support MiCA’s record-keeping rules. That gap in rigor is exactly why a MiCA authorization takes longer and costs more to obtain than a typical VASP registration.
No. A VASP registration stays tied to the country that issued it, and FATF’s framework leaves it to each jurisdiction to decide how to license and supervise the VASPs operating within its own borders. Nothing in that framework grants automatic recognition anywhere else, so a business registered as a VASP in one country still needs a fresh registration, or at minimum a fresh legal review, before it can serve customers in the next one.
CASP works the opposite way. Once a firm is authorized as a CASP in its home EU member state, it can notify that state’s regulator of its intent to serve other EU countries, and the home regulator passes that notification on to the host countries without triggering a second substantive review. One authorization, 27 markets, no repeat applications.
For a founder weighing where to get licensed first, this is often the deciding factor. A VASP registration solves one market at a time. A CASP license solves 27 of them at once.
You’re on borrowed time, and across the EU that time has already run out. MiCA’s CASP authorization regime became mandatory bloc-wide on 30 December 2024. Member states could let existing VASP-registered or nationally licensed firms keep operating under a grandfathering clause while their CASP application was pending, but that grace period had a hard ceiling of 18 months, which ended on 1 July 2026.
That deadline has now passed. ESMA has made its position clear in a statement on the end of MiCA’s transitional periods: unauthorized firms serving EU customers are now violating EU law and have to shut those services down, full stop. Firms based outside the EU can’t lean on a VASP registration to solicit or serve EU clients either, outside a narrow reverse-solicitation exception, and authorized CASPs can’t outsource custody to any entity that isn’t itself an authorized CASP.
If your business is still running on a legacy VASP or national registration in the EU, the practical choices are limited. Finish your CASP application immediately, operate through a group entity that already holds a CASP passport, or wind down your EU-facing services in an orderly way that protects existing clients. There’s no fourth option left on the table.
Yes, and plenty of founders buy “ready-made” CASP and VASP licenses specifically to skip the queue. Buying an already-licensed entity, sometimes called a shell or a ready-made license, transfers the corporate structure and its existing regulatory standing to a new owner, which can shave months off a fresh licensing timeline compared with applying from zero.
Regulators still get the final word, though. Almost every jurisdiction makes you notify the regulator, or get its sign-off, before a new owner can actually take the reins, so buying a license skips the application queue, not the regulatory review itself. Some CASP and VASP licenses also require designated compliance officers or principals to stay on after the sale, and a shell that’s sat non-operational for a year or more usually gets re-examined before it can resume service.
Acquiring a license means inheriting its history too. Past violations, open investigations, and unresolved customer complaints stay attached to the entity, and regulators tend to look closely at newly acquired licenses for exactly that reason. Before buying either a CASP or a VASP, confirm the license actually covers the activities you plan to run, since crypto and fintech licenses are activity-specific rather than general purpose.
Map your target markets before you pick a license. If the EU is part of your roadmap, a CASP application, or a CASP acquisition, is the only path that gives you passporting across all 27 member states from a single authorization. If your near-term markets still run on FATF-aligned VASP frameworks, a lighter registration may be enough for now, but plan for that bar to rise as more jurisdictions move toward MiCA-style standards over time.
Confirm the current status of any license before you rely on it, whether it’s your own or one you’re buying. Get that verification done before you sign anything, not after.