VASP Licensing Guide
What Is a VASP License?
A Virtual Asset Service Provider (VASP) license authorizes a business to offer crypto-related services — exchange, transfer, custody, or issuance — within a given jurisdiction. The FATF definition of VASP has become the global baseline, though each country implements it differently. Operating without the required license or registration is a criminal offense in most regulated jurisdictions.
The licensing landscape has matured rapidly. As of 2026, over 60 jurisdictions require some form of VASP registration or authorization. This guide covers the major jurisdictions, their requirements, costs, and timelines.
Licensing Requirements by Jurisdiction
European Union — MiCA (Markets in Crypto-Assets)
Since December 30, 2024, all Crypto-Asset Service Providers (CASPs) operating in the EU must be authorized under MiCA (Regulation EU 2023/1114). The application goes through your home member state's National Competent Authority (NCA).
Regulators: National Competent Authorities — BaFin (Germany), AMF (France), CNMV (Spain), CBI (Ireland), AFM (Netherlands), and others. ESMA provides supervisory coordination. EBA oversees significant stablecoin issuers.
Capital requirements by service type:
| CASP Service | Minimum Permanent Capital |
|---|---|
| Advice on crypto-assets | EUR 50,000 |
| Reception and transmission of orders | EUR 50,000 |
| Placing of crypto-assets | EUR 50,000 |
| Execution of orders on behalf of clients | EUR 125,000 |
| Exchange of crypto-assets for funds or other crypto-assets | EUR 125,000 |
| Operation of a trading platform | EUR 150,000 |
| Custody and administration of crypto-assets | EUR 125,000 |
| Transfer services for crypto-assets | EUR 125,000 |
| Portfolio management | EUR 125,000 |
Key requirements:
- Legal entity registered in an EU member state
- At least two directors passing fit-and-proper assessment
- Shareholders with qualifying holdings (10%+) must demonstrate good repute
- Written AML/CFT policies meeting AMLD6 and Transfer of Funds Regulation
- IT security policy, business continuity plan, and outsourcing framework
- Professional indemnity insurance or equivalent guarantee
- Complaints handling procedure published on website
- GDPR compliance and Data Protection Impact Assessments
Timeline: 3-6 months for well-prepared applications. Some NCAs (particularly BaFin and AMF) are processing faster than others.
Cost estimate: EUR 100,000-300,000 in legal and consulting fees, plus application fees (vary by NCA), plus capital requirements.
Key advantage: EU-wide passporting. Once authorized in one member state, notify other NCAs to operate across all 27 EU countries.
See our full MiCA Compliance Checklist for a step-by-step authorization guide.
United States — Federal and State Patchwork
The US has no single federal VASP license. Instead, you face a multi-layered regime:
Federal level:
- FinCEN MSB registration — Mandatory for all money transmitters, including crypto exchanges and payment processors. Free to register, but triggers BSA compliance obligations (AML program, SAR filing, Travel Rule at $3,000+, CTR filing at $10,000+).
- SEC registration — Required if your tokens are securities (Howey Test). Broker-dealer or ATS registration. SEC enforcement has been aggressive against unregistered offerings and exchanges.
- CFTC registration — Required for crypto derivatives. BTC and ETH are classified as commodities. Futures Commission Merchant (FCM) or Swap Dealer registration where applicable.
State level — Money Transmitter Licenses (MTLs):
Most US states require a separate money transmitter license. Key facts:
| Aspect | Range |
|---|---|
| States requiring MTL | ~48 (Montana and South Carolina have exemptions) |
| Application timeline | 3-18 months per state |
| Surety bond | $10,000-$5,000,000 (varies by state and volume) |
| Net worth requirements | $0-$1,000,000+ (varies by state) |
| Annual renewal | Required in most states |
New York BitLicense:
- The most onerous state-level regime
- Issued by the New York Department of Financial Services (NYDFS)
- Requires detailed business plan, AML program, cybersecurity program, consumer protection measures
- Minimum capital determined case-by-case by NYDFS
- Application fee: $5,000
- Processing time: 12-24+ months
- Alternative: Limited Purpose Trust Company charter (e.g., Paxos, Gemini model)
Practical approach: Many startups begin with FinCEN MSB registration (quick) and then pursue state MTLs in priority states based on customer concentration. Consider a staged rollout rather than all 50 states simultaneously. Total cost for full US coverage: USD 1,000,000-5,000,000+ in legal fees, bonds, and compliance infrastructure.
Singapore — MAS Payment Services Act
The Monetary Authority of Singapore (MAS) requires a license under the Payment Services Act 2019 for Digital Payment Token (DPT) services.
License types:
- Standard Payment Institution (SPI) — For smaller operators. Monthly transaction limits.
- Major Payment Institution (MPI) — For operators above SPI thresholds. Most crypto exchanges need this.
MPI license requirements:
- Base capital: SGD 250,000
- Permanent place of business in Singapore
- At least one Singapore-resident executive director
- Fit-and-proper assessment for directors and CEO
- Robust AML/CFT controls meeting MAS Notice PSN02
- Technology Risk Management (TRM) framework per MAS TRM Guidelines
- Business continuity plan
- Cyber hygiene requirements
Additional regulatory bodies:
- ACRA — Company registration and corporate compliance
- MAS — All DPT service regulation, licensing, AML/CFT supervision
Timeline: 6-12 months. MAS has been thorough in its review process.
Cost estimate: SGD 500,000-1,000,000 in total setup costs (legal, compliance build-out, capital).
Key legislation: Payment Services Act 2019, PSN02 AML/CFT Notice, MAS TRM Guidelines.
UAE — VARA, ADGM, and DFSA
The UAE offers multiple licensing pathways depending on where you establish:
VARA (Virtual Assets Regulatory Authority) — Dubai mainland:
- World's first standalone virtual asset regulator
- Seven activity categories: advisory, broker-dealer, custody, exchange, lending, transfer/settlement, VA management and issuance
- Physical presence in Dubai required (excluding DIFC)
- Substantial paid-up capital (amount varies by activity category)
- Comprehensive governance, technology, and cybersecurity frameworks
- AML/CFT compliance with CBUAE requirements
ADGM FSRA (Abu Dhabi Global Market — Financial Services Regulatory Authority):
- Common law jurisdiction (English law)
- Institutional focus
- Financial Services Permission (FSP) for operating a multilateral trading facility, dealing, custody, or managing crypto assets
- Staffed with former FCA and MAS regulators
- Minimum capital: varies by activity (typically USD 250,000-2,000,000)
DFSA (Dubai International Financial Centre):
- Separate free zone regulator
- Crypto Token regime under DFSA rulebook
- Institutional focus with familiar common law framework
UAE regulators:
- SCA — Federal authority for virtual asset supervision (Cabinet Resolution 111/2022)
- VARA — Dubai-specific (excluding DIFC)
- ADGM FSRA — Abu Dhabi free zone
- DFSA — DIFC free zone
Key advantages: No personal or corporate income tax, clear regulatory framework, strategic geographic position between Asia and Europe, growing ecosystem.
Cost estimate: USD 250,000-1,000,000+ depending on license type and scope.
United Kingdom — FCA Registration
The FCA registers crypto asset businesses under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs).
Key facts:
- Registration, not licensing — but the requirements are substantive
- Approximately 85% rejection rate on applications
- Regulator: FCA (Financial Conduct Authority)
- No minimum capital for registration, but FCA assesses financial resources
- Fit-and-proper assessment for beneficial owners, officers, and managers
- Detailed AML/CFT policies and procedures required
- Financial promotions regime applies — all marketing must comply with FCA rules
Additional framework:
- Bank of England / PRA — Prudential standards for banks' crypto exposure, systemic stablecoins
- HM Treasury — Policy and legislation, phased crypto framework under FSMA 2023
Timeline: 6-12 months. The FCA has been deliberately slow and demanding.
Cost estimate: GBP 50,000-200,000 in legal and consulting fees.
Key legislation: MLR 2017, FSMA 2023 (bringing crypto into regulated perimeter), Proceeds of Crime Act 2002.
Japan — JFSA Registration
Regulators:
- JFSA (Japan Financial Services Agency) — CAESP registration, exchange oversight, stablecoin regulation
- JVCEA (Japan Virtual Currency Exchange Association) — Mandatory self-regulatory organization with token listing standards (green/white list system)
Key requirements:
- Registration as a Crypto-Asset Exchange Service Provider (CAESP)
- Minimum net assets: JPY 10,000,000 (approximately USD 70,000)
- Separate management of customer assets (legal requirement since 2020 PSA amendment)
- Cold wallet storage for majority of customer assets
- Annual audit by certified public accountant
- JVCEA membership mandatory
Key legislation: Payment Services Act (amended 2017, 2020), Financial Instruments and Exchange Act.
Hong Kong — SFC VATP License
Regulators:
- SFC (Securities and Futures Commission) — VATP licensing under AMLO Part 5B, Type 1/7 licenses for security tokens
- HKMA — Stablecoin regulation (Stablecoins Ordinance expected 2025-2026)
Key requirements:
- VATP (Virtual Asset Trading Platform) license mandatory since June 2023
- Minimum paid-up share capital: HKD 5,000,000 (approximately USD 640,000)
- Minimum liquid capital requirements
- Insurance or compensation arrangement for customer assets
- Robust cybersecurity framework
Canada — FINTRAC and CSA
Regulators:
- FINTRAC — AML/CFT, MSB registration, transaction reporting
- CSA (Canadian Securities Administrators) — Securities regulation, crypto trading platform registration (Staff Notice 21-327)
Key requirements:
- MSB registration with FINTRAC (mandatory)
- Securities dealer registration with provincial regulators if operating a trading platform
- AML/CFT program meeting PCMLTFA requirements
- Travel Rule compliance (CAD 1,000 threshold)
Key legislation: Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA, 2000).
The Application Process
Regardless of jurisdiction, expect these common steps:
1. Pre-Application Engagement
Most regulators offer preliminary discussions or formal pre-application meetings. Use them. In the UK, the FCA's pre-application process helps identify gaps early. In Singapore, MAS accepts pre-application queries. In the EU, NCAs typically offer guidance meetings. These conversations can save months of back-and-forth during the formal review.
2. Corporate Structuring
Ensure your legal entity, governance, and ownership structure meet local requirements. Key decisions:
- Where to incorporate (must be in the jurisdiction for most licenses)
- Board composition and residency requirements
- Qualifying shareholder disclosure and approval
- Subsidiary vs. branch structure for multi-jurisdictional operations
3. Documentation Preparation
Most applications require:
- Detailed business plan (3-5 year projections)
- AML/CFT policies and procedures manual
- IT security assessment and policies
- Business continuity and disaster recovery plan
- Financial projections and capital adequacy evidence
- Director and key personnel CVs, qualifications, and criminal record checks
- Organizational chart with clear reporting lines
- Outsourcing arrangements and third-party due diligence
- Complaints handling procedure
- Conflicts of interest policy
4. Capital Requirements
Have required capital in place before applying — not conditionally. Regulators want to see capital already deposited, not promissory notes or funding commitments. Capital requirements are ongoing — you must maintain them post-authorization.
5. Submission and Review
| Jurisdiction | Typical Processing Time | Application Fee |
|---|---|---|
| EU (MiCA) | 3-6 months | Varies by NCA (EUR 5,000-25,000) |
| US (FinCEN MSB) | Immediate (online) | Free |
| US (state MTL) | 3-18 months per state | $500-$5,000 per state |
| Singapore (MPI) | 6-12 months | SGD 1,000 |
| UAE (VARA) | 3-6 months | Varies by activity |
| UK (FCA) | 6-12 months | GBP 2,000-10,000 |
| Japan (CAESP) | 6-12 months | Varies |
| Hong Kong (VATP) | 6-18 months | HKD 58,200 |
| Canada (MSB) | 2-3 months | Free |
6. Ongoing Obligations
Licensing is the beginning, not the end. Post-authorization obligations include:
- Annual financial audits
- Periodic regulatory returns (quarterly or annual reporting)
- Material change notifications to the regulator
- Regulatory examinations and on-site inspections
- License renewal (where applicable)
- Continuous compliance with evolving regulations
Cost Summary by Jurisdiction
| Jurisdiction | Capital Required | Legal/Consulting Fees | Total First-Year Cost |
|---|---|---|---|
| EU (MiCA) | EUR 50,000-150,000 | EUR 100,000-300,000 | EUR 200,000-500,000 |
| US (full coverage) | $100,000-5,000,000 (bonds) | $500,000-2,000,000 | $1,000,000-5,000,000+ |
| Singapore | SGD 250,000 | SGD 200,000-500,000 | SGD 500,000-1,000,000 |
| UAE (VARA) | Varies | USD 150,000-500,000 | USD 250,000-1,000,000 |
| UK | Assessed case-by-case | GBP 50,000-200,000 | GBP 100,000-300,000 |
Common Pitfalls
- Applying without engaging local counsel — Regulatory requirements have jurisdiction-specific nuances. Generic international law firms often miss local implementation details.
- Underestimating timeline and cost — Budget 2x what you think. Applications always take longer and cost more.
- Applying everywhere simultaneously — Start in one jurisdiction, establish operations, then expand. The EU's passporting regime makes it particularly efficient to start in one member state.
- Incomplete applications — The single largest cause of delays. Submit a complete package on day one. Every information request from the regulator adds weeks or months.
- Ignoring ongoing obligations — Budget and plan for post-authorization compliance. Many firms invest heavily in getting the license and then underinvest in maintaining compliance.
- Wrong corporate structure — Restructuring after application submission is expensive and time-consuming. Get corporate structuring right before applying.
- Directors who cannot pass fit-and-proper — Vet all directors and key shareholders for regulatory risk before including them in the application. Prior enforcement actions, criminal records, or financial difficulties will cause rejection.
Licensing Strategy for Multi-Jurisdictional Operations
Recommended approach:
- Start with EU (MiCA) — One authorization gives access to 27 countries via passporting. Choose a member state with efficient NCA processing (Ireland, Lithuania, France, and Germany have been active).
- Add Singapore — Clear framework, strong reputation, gateway to APAC.
- Add UK — Important market, but high rejection rate means careful preparation is essential.
- Add US selectively — FinCEN MSB registration immediately, then state MTLs based on customer concentration. Consider not pursuing New York BitLicense initially unless your customer base demands it.
- Add UAE — Growing market with favorable tax treatment and clear regulatory framework.
Resources
- ESMA: MiCA authorization guidance
- FinCEN: MSB registration
- MAS: Payment Services Act licensing
- VARA: Dubai VA license application
- FCA: Crypto registration
- JFSA: CAESP registration
- SFC: VATP licensing
- FINTRAC: MSB registration