HOME
/
Blogs
/
VASP License: What Investors andCrypto Businesses Need to Know in 2026

VASP License: What Investors andCrypto Businesses Need to Know in 2026

Jan Strandberg
July 14, 2026
5 min read

A VASP license is the regulatory authorization that lets a business exchange, transfer, or safeguard virtual assets for customers. Without one, a crypto exchange, custodian, or OTC desk is operating outside the law in nearly every major market.

Regulators have moved fast. Governments on nearly every continent have spent the last few years building AML rules for crypto businesses. Those that skip licensing lose access to banking, institutional partners, and eventually their ability to operate. The requirements, timeline, and cost depend heavily on where you’re licensing. Choosing the wrong jurisdiction can cost you months and six figures.

What is a VASP license?

A VASP license authorizes a business to legally exchange, transfer, custody, or facilitate the issuance of virtual assets on behalf of other people. The letters stand for virtual asset service provider, a label the Financial Action Task Force built into global AML policy back in 2019, when it rewrote Recommendation 15 to pull crypto businesses into rules that had previously only applied to banks and money service businesses.

FATF’s rulebook narrows VASP status down to five specific activities. Swapping crypto for cash counts. So does swapping one token for another, moving crypto between wallets on a client’s behalf, holding someone else’s keys, and helping a project sell or list a token. Do any of that for someone else as a business, and a regulator will treat you as a VASP, regardless of whether your country’s own rulebook happens to use that exact word.

So what is a VASP license in practice? It’s the compliance infrastructure, AML program, governance structure, capital base, and technology stack that convince a regulator you can run this safely. Over 100 countries have built or are building a VASP framework around FATF’s standard, making this one of the broadest compliance regimes in finance.

Who needs a VASP license?

Any business conducting FATF’s five VASP activities on behalf of a customer needs a license or registration somewhere. In practice, that covers a specific set of businesses.

  • Centralized exchanges that let people buy, sell, or swap crypto for fiat or other tokens.
  • Custodial wallet providers that hold private keys on a customer’s behalf. If customers control their own keys instead, that’s a non-custodial setup, and it typically sits outside VASP scope, since nobody else is handling the asset for them.
  • OTC desks and brokers facilitating large trades for institutional counterparties.
  • Payment processors that move virtual assets between parties, including crypto remittance platforms.
  • Token issuers and ICO platforms providing financial services tied to a token’s sale.

Three categories sit in gray areas, per Chainalysis. NFT platforms can trigger VASP status if the tokens function as investments rather than collectibles. Stablecoin issuers qualify when their coin is used as a payment or value-transfer instrument. DeFi is the messiest case of the three: FATF holds that whoever actually runs or profits from a protocol can still be on the hook as a VASP, even if the code itself has no central operator, and most countries haven’t settled how to enforce that in practice.

One distinction matters more than people think: software providers and pure “users” of virtual assets don’t need a VASP license. The U.S. Financial Crimes Enforcement Network draws this line clearly. A company that only builds software, without accepting or transmitting value on behalf of others, isn’t a money transmitter under FinCEN’s guidance. The moment that same company starts moving customer funds, it crosses into VASP or MSB territory.

What’s the difference between VASP licensing and VASP registration?

These two terms get used interchangeably, but they’re not the same regulatory bar.

Registering as a VASP is the lighter of the two: you tell your regulator you plan to operate, and often that notice goes in without the regulator reviewing your AML program first. Getting licensed means the regulator digs in before clearance, examining your AML controls, governance, finances, and whether your systems work as claimed, per Chainalysis.

The U.S. illustrates the distinction well. Registering as a money services business with FinCEN by filing Form 107 is a federal filing, not a license. It places you in the AML oversight system but doesn’t authorize operation in any state. Most states still require a separate money transmitter license before you can do business there.

Many jurisdictions are moving from registration toward full licensing as their crypto markets mature. Whichever term your target jurisdiction uses, treat it as a real compliance bar, not a formality.

Who regulates a VASP license?

There’s no single global regulator for virtual assets. FATF sets the international standard through Recommendation 15, and its Recommendation 16 (the Travel Rule), but enforcement happens at the national level, through whichever authority each country designates.

That authority varies enormously. In the United States, FinCEN oversees AML registration federally, while individual states license money transmitters. In the European Union, national competent authorities issue licenses under MiCA, with the European Securities and Markets Authority coordinating supervisory practice. In Singapore, the Monetary Authority of Singapore runs more than one crypto licensing track, including a newer Digital Token Service Provider licensing regime aimed at firms based in Singapore but serving customers elsewhere. In Hong Kong, the Securities and Futures Commission licenses virtual asset trading platforms.

Some countries are still building their regimes from scratch. Kenya passed its Virtual Asset Service Providers Act in 2025 and published draft 2026 regulations that hand licensing authority to a “relevant regulatory authority” working alongside a newly created coordination committee, a sign of how much new VASP regimes are still being written even as older ones mature.

This fragmentation is the central operational headache for any VASP operating across borders. A business compliant in one country can be unlicensed or in breach the moment it serves a customer elsewhere.

How does a VASP license compare to a CASP license and other global equivalents?

“VASP” isn’t a universal label. Regulators in different jurisdictions use different terms for functionally similar authorizations, and mixing them up in a filing or investor deck is an easy way to look like you haven’t done your homework.

Inside the European Union, regulators dropped the term “VASP” altogether and swapped in “CASP,” short for crypto-asset service provider, under the Markets in Crypto-Assets Regulation, with the CASP authorization regime becoming mandatory on December 30, 2024. The transitional window that let previously registered national VASPs keep operating closed for good on July 1, 2026, per ESMA’s public statement on unauthorized providers. One CASP authorization now covers all 27 member states, replacing the old patchwork of national VASP registrations on everything from order-book record-keeping to conflict-of-interest disclosure that CASPs now have to build their compliance programs around.

Other jurisdictions use their own labels entirely. The table below breaks down how the major frameworks compare.


Regulator Governing framework Cross-border reach Distinguishing feature
VASP (global baseline) National authorities, varies by country FATF Recommendation 15 None, jurisdiction by jurisdiction Baseline AML/CFT term most countries build their own regime around
CASP (European Union) National competent authorities, coordinated by ESMA MiCA (Markets in Crypto-Assets Regulation) Full EU/EEA passporting One authorization covers all 27 member states
MSB / MTL (United States) FinCEN (federal), plus state regulators Bank Secrecy Act None, state by state Federal registration plus separate state money transmitter licenses
DPT license (Singapore) Monetary Authority of Singapore Payment Services Act None, single jurisdiction Two tiers (Standard and Major Payment Institution) based on transaction volume
VATP (Hong Kong) Securities and Futures Commission Anti-Money Laundering and Counter-Terrorist Financing Ordinance None, single jurisdiction Requires two independent External Assessor reports before licensing
VARA authorization (Dubai, UAE) Virtual Assets Regulatory Authority Dubai Virtual Assets Law Dubai only Activity-specific categories such as exchange, broker-dealer, and custody

Whichever label your target market uses, the underlying compliance expectations rhyme: KYC, AML monitoring, Travel Rule readiness, and a regulator who wants proof you can do this safely before letting you touch customer money.

What are the VASP license requirements?

VASP license requirements combine two layers: FATF’s baseline AML/CFT standard and whatever your specific jurisdiction adds on top.

At the FATF layer, every VASP must run customer due diligence and KYC before onboarding, apply enhanced due diligence to higher-risk customers like politically exposed persons, monitor transactions and file suspicious activity reports, screen against sanctions lists, and comply with the Travel Rule by sharing originator and beneficiary information on transfers above a set threshold, usually USD/EUR 1,000. Records typically must be kept for at least five years.

At the national layer, requirements get more specific. Kenya’s draft 2026 VASP regulations illustrate what a modern licensing application demands: a full business plan, fit-and-proper checks on every director, senior officer, and beneficial owner, documented proof of source of funds, board-approved AML/CFT, cybersecurity, and risk management policies, minimum paid-up and liquid capital, a dedicated compliance officer with direct board access, and audited financial statements for the past three years. Board composition matters too. Kenya’s draft rules require at least three directors, with one-third independent.

Capital requirements vary sharply by jurisdiction and by activity. MiCA layers a prudential capital requirement on top of the AML obligations that pre-MiCA national VASP regimes focused on, with the exact own-funds threshold tied to which services a CASP is authorized to provide. Singapore takes a similarly tiered approach under its Payment Services Act, requiring higher capital and safeguarding obligations once a provider crosses into Major Payment Institution territory.

Two requirements show up almost everywhere regardless of jurisdiction: a named compliance officer, sometimes paired with a dedicated AML or money-laundering reporting officer, and documented, board-approved policies rather than templates copied from a compliance vendor’s website.

How do you get a VASP license?

Here’s how to get a VASP license, broken into the steps regulators actually expect.

  1. Incorporate a legal entity in your target jurisdiction or confirm an existing entity meets local substance requirements. Many regulators now expect a real office and local staff, not just a registered-agent address.
  2. Build your compliance stack before applying. That means AML/CFT policies, a risk management framework, a cybersecurity policy, and a documented Travel Rule solution, not a plan to build one after approval.
  3. Assemble the application package: business plan, fit-and-proper documentation for directors and major shareholders, proof of source of funds, and evidence of minimum capital.
  4. Submit to the relevant regulator and expect follow-up questions. Hong Kong’s Securities and Futures Commission, for instance, requires two rounds of independent “External Assessor” reports, one reviewing your proposed systems and controls, a second confirming you actually built what you proposed, before it will grant a license.
  5. Once licensed, stay licensed. Ongoing reporting, audits, and capital maintenance start the day you’re approved, not the day of your first renewal.

The specifics shift depending on where you’re licensing. In Dubai, for example, you’d apply directly through the Virtual Assets Regulatory Authority for an activity-specific authorization, exchange, broker-dealer, custody, and so on, rather than a single blanket VASP license. Confirm the exact process, forms, and fees with the regulator or local counsel before you file anything, since most jurisdictions update their requirements at least once a year.

What does a VASP license cost?

VASP license cost depends heavily on three things: the jurisdiction, the capital requirement tied to your activities, and whether you’re applying fresh or acquiring an existing licensed entity.

Direct application costs typically include a government filing fee plus the larger expense of legal counsel, compliance consultants, and the minimum paid-up capital regulators require. That capital requirement alone can range from the low hundreds of thousands of dollars in some emerging markets to much more when licensing custody or exchange activities in a tier-one jurisdiction.

Buying an existing VASP license is the other path, and pricing there is public in a way direct applications rarely are. Live listings on Acquire.fi’s Licensed Organization Marketplace show the spread: a Brazilian entity still inside its central bank’s VASP transition window was priced at USD 1.6 million, while a fully operational Korean VASP, overseen by the country’s financial intelligence unit and one of only 28 such entities nationwide, carried an USD 8 million ask. Shell entities without an active business behind them go for a fraction of that, usually settling somewhere in the mid six figures.

Whichever path you take, budget for what comes after approval too. Annual audits, ongoing AML monitoring tools, insurance, and compliance staff are recurring costs that don’t show up in a licensing fee schedule but absolutely show up in your burn rate.

How long does a VASP license take to get?

A fresh VASP license application typically takes somewhere between three and nine months from filing to approval, though the exact VASP license timeline depends on the regulator, how complete your application is, and how many follow-up questions you get.

Hong Kong’s Securities and Futures Commission, with its two-phase External Assessor review, tends to run toward a year in practice. The EU’s CASP authorization runs faster where a national regulator already has an established review process, though ESMA has confirmed that firms without a submitted application ahead of the July 1, 2026 deadline face a near-impossible path to lawfully continuing EU operations. Public marketplace listings for VASP acquisitions put direct application timelines at roughly three to six months as an optimistic estimate, before accounting for any resubmissions.

Buying a licensed entity instead of applying fresh changes changes the timeline math. Introductions and initial diligence on an acquisition typically take a few weeks, but the regulator’s change-of-control approval, the step that actually transfers licensing authority to the new owner, is usually the longest part of the process and varies by license type and jurisdiction.

Can you buy a ready-made VASP license?

Yes. A ready-made VASP license, more precisely, an existing licensed entity acquired specifically for the authorization it already holds, is a real and increasingly common path into a regulated market. Skipping a from-scratch application this way can shave a year or more off your path to market, since you’re not waiting on a regulator to evaluate a brand-new applicant from zero, though how much time it actually saves depends on the jurisdiction and license type.

That speed comes with real strings attached. Most regulators still require formal approval or notification of any change in beneficial ownership before a deal closes, so a ready-made VASP license doesn’t skip regulatory scrutiny. It just moves that scrutiny to a different stage of the process.

Buying an already-licensed entity also means buying its history. A handful of risks come up again and again:

  • Prior violations, complaints, or open investigations transfer with the entity and become the new owner’s problem.
  • Regulators often examine newly acquired entities more closely right after a change of control, and any gaps they find are the buyer’s liability, not the seller’s.
  • The license might not actually cover what the buyer wants to do, because crypto and fintech authorizations are tied to specific activities rather than working as a general permission slip.
  • Some licenses stay valid only as long as a named compliance officer or principal remains attached to the entity. Lose that person soon after the deal closes, and the buyer can be out of compliance within a couple of months.
  • If the license sat unused for a year or more before the sale, expect the regulator to re-examine the entity before letting it resume operating.

None of that makes a ready-made VASP license a bad idea. It just means the due diligence looks different: less about whether the business model works, more about whether the compliance infrastructure, AML program, past regulatory correspondence, and staff survive the handover intact.

A VASP license isn’t a one-time checkbox. It’s the entry ticket to a compliance obligation that runs for as long as you hold the license, through Travel Rule monitoring, annual audits, and a regulator that can revoke your authorization if you stop meeting the bar that got you licensed in the first place.

If you’re comparing jurisdictions or evaluating whether to build or buy, Acquire.fi’s Licensed Organization Marketplace lists active VASP, CASP, and VARA opportunities by regulator, price, and operational status. Acquire.fi’s team can also run a targeted search across its broker network if the specific entity you need isn’t listed yet. Whichever route you take, loop in local counsel before you file anything, since regulators update VASP requirements often enough that year-old advice can already be out of date.

Sources

Share this post
About the Author
Jan Strandberg is the Founder and CEO of Acquire.Fi. He brings over a decade of experience scaling high-growth ventures in fintech and crypto.

Before founding Acquire.Fi, Jan was Co-Founder of YIELD App and the Head of Marketing at Paxful, where he played a central role in the business’s growth and profitability. Jan's strategic vision and sharp instinct for what drives sustainable growth in emerging markets have defined his career and turned early-stage platforms into category leaders.
Top 5 most recent blogs
Buy and sell secondaries
Trade SAFT, SAFE notes, locked tokens, and other digital assets in the public Secondaries and OTC marketplace
Acquire a frontier tech business
Browse our curated list of frontier tech businesses and projects available for acquisition; including revenue-generating crypto platforms, DeFi projects, and licensed financial organizations.