A VASP license is the regulatory authorization that lets a business exchange, transfer, or safeguard virtual assets for customers. Without one, a crypto exchange, custodian, or OTC desk is operating outside the law in nearly every major market.
Regulators have moved fast. Governments on nearly every continent have spent the last few years building AML rules for crypto businesses. Those that skip licensing lose access to banking, institutional partners, and eventually their ability to operate. The requirements, timeline, and cost depend heavily on where you’re licensing. Choosing the wrong jurisdiction can cost you months and six figures.
A VASP license authorizes a business to legally exchange, transfer, custody, or facilitate the issuance of virtual assets on behalf of other people. The letters stand for virtual asset service provider, a label the Financial Action Task Force built into global AML policy back in 2019, when it rewrote Recommendation 15 to pull crypto businesses into rules that had previously only applied to banks and money service businesses.
FATF’s rulebook narrows VASP status down to five specific activities. Swapping crypto for cash counts. So does swapping one token for another, moving crypto between wallets on a client’s behalf, holding someone else’s keys, and helping a project sell or list a token. Do any of that for someone else as a business, and a regulator will treat you as a VASP, regardless of whether your country’s own rulebook happens to use that exact word.
So what is a VASP license in practice? It’s the compliance infrastructure, AML program, governance structure, capital base, and technology stack that convince a regulator you can run this safely. Over 100 countries have built or are building a VASP framework around FATF’s standard, making this one of the broadest compliance regimes in finance.
Any business conducting FATF’s five VASP activities on behalf of a customer needs a license or registration somewhere. In practice, that covers a specific set of businesses.
Three categories sit in gray areas, per Chainalysis. NFT platforms can trigger VASP status if the tokens function as investments rather than collectibles. Stablecoin issuers qualify when their coin is used as a payment or value-transfer instrument. DeFi is the messiest case of the three: FATF holds that whoever actually runs or profits from a protocol can still be on the hook as a VASP, even if the code itself has no central operator, and most countries haven’t settled how to enforce that in practice.
One distinction matters more than people think: software providers and pure “users” of virtual assets don’t need a VASP license. The U.S. Financial Crimes Enforcement Network draws this line clearly. A company that only builds software, without accepting or transmitting value on behalf of others, isn’t a money transmitter under FinCEN’s guidance. The moment that same company starts moving customer funds, it crosses into VASP or MSB territory.
These two terms get used interchangeably, but they’re not the same regulatory bar.
Registering as a VASP is the lighter of the two: you tell your regulator you plan to operate, and often that notice goes in without the regulator reviewing your AML program first. Getting licensed means the regulator digs in before clearance, examining your AML controls, governance, finances, and whether your systems work as claimed, per Chainalysis.
The U.S. illustrates the distinction well. Registering as a money services business with FinCEN by filing Form 107 is a federal filing, not a license. It places you in the AML oversight system but doesn’t authorize operation in any state. Most states still require a separate money transmitter license before you can do business there.
Many jurisdictions are moving from registration toward full licensing as their crypto markets mature. Whichever term your target jurisdiction uses, treat it as a real compliance bar, not a formality.
There’s no single global regulator for virtual assets. FATF sets the international standard through Recommendation 15, and its Recommendation 16 (the Travel Rule), but enforcement happens at the national level, through whichever authority each country designates.
That authority varies enormously. In the United States, FinCEN oversees AML registration federally, while individual states license money transmitters. In the European Union, national competent authorities issue licenses under MiCA, with the European Securities and Markets Authority coordinating supervisory practice. In Singapore, the Monetary Authority of Singapore runs more than one crypto licensing track, including a newer Digital Token Service Provider licensing regime aimed at firms based in Singapore but serving customers elsewhere. In Hong Kong, the Securities and Futures Commission licenses virtual asset trading platforms.
Some countries are still building their regimes from scratch. Kenya passed its Virtual Asset Service Providers Act in 2025 and published draft 2026 regulations that hand licensing authority to a “relevant regulatory authority” working alongside a newly created coordination committee, a sign of how much new VASP regimes are still being written even as older ones mature.
This fragmentation is the central operational headache for any VASP operating across borders. A business compliant in one country can be unlicensed or in breach the moment it serves a customer elsewhere.
“VASP” isn’t a universal label. Regulators in different jurisdictions use different terms for functionally similar authorizations, and mixing them up in a filing or investor deck is an easy way to look like you haven’t done your homework.
Inside the European Union, regulators dropped the term “VASP” altogether and swapped in “CASP,” short for crypto-asset service provider, under the Markets in Crypto-Assets Regulation, with the CASP authorization regime becoming mandatory on December 30, 2024. The transitional window that let previously registered national VASPs keep operating closed for good on July 1, 2026, per ESMA’s public statement on unauthorized providers. One CASP authorization now covers all 27 member states, replacing the old patchwork of national VASP registrations on everything from order-book record-keeping to conflict-of-interest disclosure that CASPs now have to build their compliance programs around.
Other jurisdictions use their own labels entirely. The table below breaks down how the major frameworks compare.
Whichever label your target market uses, the underlying compliance expectations rhyme: KYC, AML monitoring, Travel Rule readiness, and a regulator who wants proof you can do this safely before letting you touch customer money.
VASP license requirements combine two layers: FATF’s baseline AML/CFT standard and whatever your specific jurisdiction adds on top.
At the FATF layer, every VASP must run customer due diligence and KYC before onboarding, apply enhanced due diligence to higher-risk customers like politically exposed persons, monitor transactions and file suspicious activity reports, screen against sanctions lists, and comply with the Travel Rule by sharing originator and beneficiary information on transfers above a set threshold, usually USD/EUR 1,000. Records typically must be kept for at least five years.
At the national layer, requirements get more specific. Kenya’s draft 2026 VASP regulations illustrate what a modern licensing application demands: a full business plan, fit-and-proper checks on every director, senior officer, and beneficial owner, documented proof of source of funds, board-approved AML/CFT, cybersecurity, and risk management policies, minimum paid-up and liquid capital, a dedicated compliance officer with direct board access, and audited financial statements for the past three years. Board composition matters too. Kenya’s draft rules require at least three directors, with one-third independent.
Capital requirements vary sharply by jurisdiction and by activity. MiCA layers a prudential capital requirement on top of the AML obligations that pre-MiCA national VASP regimes focused on, with the exact own-funds threshold tied to which services a CASP is authorized to provide. Singapore takes a similarly tiered approach under its Payment Services Act, requiring higher capital and safeguarding obligations once a provider crosses into Major Payment Institution territory.
Two requirements show up almost everywhere regardless of jurisdiction: a named compliance officer, sometimes paired with a dedicated AML or money-laundering reporting officer, and documented, board-approved policies rather than templates copied from a compliance vendor’s website.
Here’s how to get a VASP license, broken into the steps regulators actually expect.
The specifics shift depending on where you’re licensing. In Dubai, for example, you’d apply directly through the Virtual Assets Regulatory Authority for an activity-specific authorization, exchange, broker-dealer, custody, and so on, rather than a single blanket VASP license. Confirm the exact process, forms, and fees with the regulator or local counsel before you file anything, since most jurisdictions update their requirements at least once a year.
VASP license cost depends heavily on three things: the jurisdiction, the capital requirement tied to your activities, and whether you’re applying fresh or acquiring an existing licensed entity.
Direct application costs typically include a government filing fee plus the larger expense of legal counsel, compliance consultants, and the minimum paid-up capital regulators require. That capital requirement alone can range from the low hundreds of thousands of dollars in some emerging markets to much more when licensing custody or exchange activities in a tier-one jurisdiction.
Buying an existing VASP license is the other path, and pricing there is public in a way direct applications rarely are. Live listings on Acquire.fi’s Licensed Organization Marketplace show the spread: a Brazilian entity still inside its central bank’s VASP transition window was priced at USD 1.6 million, while a fully operational Korean VASP, overseen by the country’s financial intelligence unit and one of only 28 such entities nationwide, carried an USD 8 million ask. Shell entities without an active business behind them go for a fraction of that, usually settling somewhere in the mid six figures.
Whichever path you take, budget for what comes after approval too. Annual audits, ongoing AML monitoring tools, insurance, and compliance staff are recurring costs that don’t show up in a licensing fee schedule but absolutely show up in your burn rate.
A fresh VASP license application typically takes somewhere between three and nine months from filing to approval, though the exact VASP license timeline depends on the regulator, how complete your application is, and how many follow-up questions you get.
Hong Kong’s Securities and Futures Commission, with its two-phase External Assessor review, tends to run toward a year in practice. The EU’s CASP authorization runs faster where a national regulator already has an established review process, though ESMA has confirmed that firms without a submitted application ahead of the July 1, 2026 deadline face a near-impossible path to lawfully continuing EU operations. Public marketplace listings for VASP acquisitions put direct application timelines at roughly three to six months as an optimistic estimate, before accounting for any resubmissions.
Buying a licensed entity instead of applying fresh changes changes the timeline math. Introductions and initial diligence on an acquisition typically take a few weeks, but the regulator’s change-of-control approval, the step that actually transfers licensing authority to the new owner, is usually the longest part of the process and varies by license type and jurisdiction.
Yes. A ready-made VASP license, more precisely, an existing licensed entity acquired specifically for the authorization it already holds, is a real and increasingly common path into a regulated market. Skipping a from-scratch application this way can shave a year or more off your path to market, since you’re not waiting on a regulator to evaluate a brand-new applicant from zero, though how much time it actually saves depends on the jurisdiction and license type.
That speed comes with real strings attached. Most regulators still require formal approval or notification of any change in beneficial ownership before a deal closes, so a ready-made VASP license doesn’t skip regulatory scrutiny. It just moves that scrutiny to a different stage of the process.
Buying an already-licensed entity also means buying its history. A handful of risks come up again and again:
None of that makes a ready-made VASP license a bad idea. It just means the due diligence looks different: less about whether the business model works, more about whether the compliance infrastructure, AML program, past regulatory correspondence, and staff survive the handover intact.
A VASP license isn’t a one-time checkbox. It’s the entry ticket to a compliance obligation that runs for as long as you hold the license, through Travel Rule monitoring, annual audits, and a regulator that can revoke your authorization if you stop meeting the bar that got you licensed in the first place.
If you’re comparing jurisdictions or evaluating whether to build or buy, Acquire.fi’s Licensed Organization Marketplace lists active VASP, CASP, and VARA opportunities by regulator, price, and operational status. Acquire.fi’s team can also run a targeted search across its broker network if the specific entity you need isn’t listed yet. Whichever route you take, loop in local counsel before you file anything, since regulators update VASP requirements often enough that year-old advice can already be out of date.