Andorra -- Licensing Requirements Regulatory Overview

**Exchange between digital assets and fiat currencies:** This covers cryptocurrency exchanges that allow users to buy and sell crypto with traditional money (EUR, USD, etc.).

Exchange between one or more digital assets: This covers crypto-to-crypto exchanges, but modern regulatory frameworks now also include fiat-to-crypto transactions, crypto ETF/ETP creation and redemption models, and broker-dealer or clearing functions as part of digital asset exchange definitions.

**Custody and administration of digital assets on behalf of third parties:** This covers services where an entity holds or controls private keys for virtual assets on behalf of clients.

If a payment processor's activities involve the direct handling, exchange, or custody of digital assets (e.g., accepting crypto payments on behalf of merchants and converting them to fiat, or holding crypto for settlement), they will fall under the VASP licensing requirements for exchange and/or custody services.

If a payment processor *only* facilitates fiat currency transactions that are *related* to virtual asset services (e.g., processing a credit card payment to a crypto exchange, but never touching the crypto itself), they might fall under traditional payment services regulations (requiring a payment institution license) rather than a VASP license, but the specifics would depend on the exact service model and AFA interpretation. Generally, if there's any direct interaction with the virtual asset, a VASP license is needed.

Transfer of digital assets is subject to active regulatory development and finalization, with basis transfer rules still being refined and not yet settled like traditional securities.

Issuance and placement of digital assets that qualify as 'digital securities' (e.g., certain STOs, security tokens) remain subject to SEC securities regulation, but other digital assets such as utility tokens, meme coins, and non-security asset-backed tokens are not covered under federal securities laws.

Provision of financial advice related to digital assets is now subject to specific statutory registration and compliance obligations under the Digital Asset Market Clarity Act and IRS mandatory reporting requirements, making the prior generic advisory claim outdated.

VASP licensing rules in relevant jurisdictions require minimum capital that can vary by the services offered and by the applicable regulatory regime; however, the original claim’s specific attribution to Law 35/2022 is not verified from the provided evidence and appears outdated or jurisdiction-dependent.

Under MiCA, the €125,000 minimum capital requirement applies to Class 2 crypto-asset service providers that provide custody and administration of crypto-assets on behalf of clients, typically together with other Class 2 services; it is not a standalone Andorra-specific rule.

**EUR 125,000:** For services related to the custody and administration of virtual assets on behalf of third parties.

Higher amounts may be required depending on the volume and complexity of operations, or if combined with other licensed activities.

In addition to initial capital, VASPs must maintain sufficient regulatory capital to cover operational risks and ensure continuous solvency.

**AML/KYC (Anti-Money Laundering / Know Your Customer):**

Andorra is committed to international AML/CFT standards, including those set by the Financial Action Task Force (FATF). VASPs are subject to strict AML/KYC obligations, which align with **Law 14/2017, of 22 June, on preventing money laundering and terrorist financing**.

Key AML/KYC requirements in jurisdiction AD are undergoing fundamental reform under FinCEN's April 7, 2026, Notice of Proposed Rulemaking, shifting from static checklists toward risk-based, effective programs; existing requirements under the BSA and CDD Rule remain in effect until final rules are adopted.

Customer Due Diligence (CDD): Implementing appropriate risk-based procedures for identifying and verifying the identity of clients (individuals and legal entities).

**Ongoing Monitoring:** Continuous monitoring of business relationships and transactions to detect unusual or suspicious activities.

**Risk Assessment:** Conducting a comprehensive risk assessment of their business, clients, products, and geographies.

**Suspicious Activity Reporting (SAR):** Reporting suspicious transactions to the Unitat d'Inteligència Financera d'Andorra (UIFAND).

**Record Keeping:** Maintaining records of client identification, transactions, and due diligence for a specified period.

**Designation of an AML Officer:** Appointing a qualified AML officer responsible for overseeing compliance.

A significant local presence is typically required. This often includes:

**Physical office:** Establishing an operational base in Andorra.

**Local management:** Having key management personnel (e.g., CEO, board members) and decision-making functions physically located in Andorra.

Directors and key employees for licensing in Andorra may qualify under various residency pathways, including passive residency (Golden Visa) which does not require active physical presence or a specific plan for residency. Active residency still requires physical presence for at least 183 days per year, but the claim that a 'clear plan' is universally required is now overly broad and outdated due to legislative changes in 2022 and 2025.

**Adequate resources:** Demonstrating sufficient human and technical resources locally to carry out the licensed activities.

Governance and internal controls now incorporate AI-driven oversight and explicit ESG reporting mandates under recalibrated SEC enforcement.

**Fit & Proper Requirements:** Shareholders, directors, and key management personnel must meet "fit and proper" criteria, demonstrating integrity, competence, and financial soundness.

**Robust Internal Policies:** Implementing comprehensive policies and procedures for risk management, operational resilience, IT security, data protection, and customer complaint handling.

Regular internal and external audits are required for compliance and financial soundness, but under the 2025 FDICIA Final Rule, banks under $1 billion in assets are exempt from mandatory external audits in the U.S. federal banking context.

**IT Security and Operational Resilience:**

Implementing robust IT security measures to protect client assets and data.

Having clear business continuity and disaster recovery plans.

**Pre-Application Contact:** It is often advisable to engage in preliminary discussions with the AFA to understand specific requirements and obtain initial guidance.

**Preparation of Application Dossier:** The applicant must prepare a comprehensive application package, which typically includes:

**Detailed Business Plan:** Outlining the proposed services, target market, operational model, and growth strategy.

**Financial Projections:** Multi-year financial forecasts, including projected revenues, expenses, and capital adequacy.

**Legal Structure:** Documentation of the legal entity to be established in Andorra.

**Governance Framework:** Details of the organizational structure, roles, responsibilities, and internal controls.

**AML/CFT Manual:** Comprehensive policies and procedures for AML/KYC compliance.

**Risk Management Framework:** Strategies for identifying, assessing, monitoring, and mitigating various risks (operational, financial, reputational, cyber).

**IT Security Policies:** Documentation of technology infrastructure, data protection, and cybersecurity measures.

**Resumes and "Fit & Proper" Documentation:** For all key personnel, including directors and senior management.

Proof of Funds: Evidence of meeting dynamic capital requirements or specific minimum thresholds, which vary by regulatory regime and are subject to ongoing adjustment (e.g., Basel III Endgame buffers, sector-specific boosts, or annually updated immigration minimums).

Shareholder information includes detailed beneficial ownership data, identity verification, and ongoing reporting obligations under the Corporate Transparency Act and SEC Exchange Act Sections 13(d) and 13(g), not merely basic structure or owner details.

The complete application dossier is submitted to USCIS, but the submission method may now be electronic for certain employment-based applications, and the term 'AFA' is an outdated reference to the legacy Immigration and Naturalization Service (INS) rather than the current USCIS structure.

The AFA review and due diligence process has been modified under a deregulatory update, with steps described as 'simplifying the application process,' reducing the previous 'thorough review' standard.

Requests for additional information or clarifications.

Meetings with the applicant's management team.

On-site visits (if applicable) under the relevant AD jurisdiction are no longer governed by the superseded directive; the specific AD (2024-21-02) has been replaced, altering the regulatory requirement.

Background checks on key personnel and shareholders.

**Decision:** The AFA will issue a decision to grant or deny the license. If granted, the license will typically include specific conditions and ongoing obligations.

**Post-Licensing Obligations:** Licensed VASPs must continuously comply with all regulatory requirements, including periodic reporting to the AFA, ongoing AML/KYC obligations, and maintaining capital adequacy.

**Ley 35/2022, de 1 de diciembre, de representación digital de activos financieros y otros activos fungibles (Law 35/2022, of December 1, on the digital representation of financial assets and other fungible assets):**

**Autoritat Financera Andorrana (AFA) Official Website:**

The AFA is the primary regulator. Its website contains information on regulated entities, legislation, and supervisory guidelines.

**Ley 14/2017, de 22 de junio, de prevención del blanqueo de dinero y la financiación del terrorismo (Law 14/2017, of 22 June, on preventing money laundering and terrorist financing):**

FinCEN has proposed a new, risk-based AML/CFT program rule for all financial institutions including VASPs, but the rule is not yet final and the existing general AML/CFT law remains in effect pending finalization.

**Represents rights typical of traditional securities:** This includes shares, bonds, or other instruments that confer rights of ownership, debt, or participation in the capital or profits of an entity.

**Is issued, transferred, and stored using Distributed Ledger Technology (DLT) or similar technologies.**

Equity tokens may represent ownership stakes in a company, but true equity tokens require direct issuer approval and SEC registration; many tokenized instruments now involve revenue-sharing or cash-flow rights rather than formal equity ownership, and voting, dividend, and asset claim rights depend on the specific legal structure and regulatory compliance.

**Debt Tokens:** Tokens representing debt instruments, such as bonds or loans, where holders are entitled to receive interest payments and/or the return of principal.

**Revenue/Profit Share Tokens:** Tokens that grant holders a right to a portion of the issuer's future revenues or profits, without necessarily conferring direct ownership.

**Security Tokens Offerings (STOs):** Issuances where the underlying digital asset explicitly represents a claim on an asset or stream of income, making it fall under securities law.

**Payment Tokens (Cryptocurrencies):** Tokens primarily intended as a means of exchange (e.g., Bitcoin, Ethereum when used purely as currency).

**Utility Tokens:** Tokens designed to provide access to a specific product or service within a DLT network or ecosystem (e.g., a token granting access to cloud storage, gaming features).

**Stablecoins:** Tokens designed to maintain a stable value relative to a fiat currency or other asset, although their specific features may sometimes lead to them being classified under different regulatory categories (e.g., e-money tokens or financial instruments if they grant specific financial rights).

**Authorization and Supervision:** Issuers of DLT-based securities and providers of services related to them (e.g., trading venues, custodians) must be authorized and supervised by the **Autoritat Financera Andorrana (AFA)**.

**Prospectus Requirements:** The public offering of DLT-based securities generally requires the publication of a prospectus approved by the AFA, similar to traditional securities offerings. This prospectus must contain all necessary information for investors to make an informed decision.

**Transparency and Disclosure:** Issuers are subject to ongoing transparency and disclosure obligations, including periodic financial reporting and disclosure of significant events.

**Fit and Proper Requirements:** Management and significant shareholders of entities involved in issuing or servicing DLT-based securities must meet "fit and proper" criteria.

Small offerings: Offerings below $10 million, as defined by SEC Rule 504 in Regulation D, or as further specified by applicable state-level micropurchase thresholds.

**Offerings to qualified/professional investors:** Where the investors are deemed sophisticated enough not to require the full protection of a prospectus.

Private placements: Offerings to a limited number of accredited investors, though modern exemptions like Rule 506(c) allow general solicitation to an unlimited number of accredited investors.

DLT-based securities can only be traded on regulated DLT-based trading venues or platforms that have been authorized by a recognized financial regulator (e.g., FINRA in the U.S.); these venues must comply with rules regarding market integrity, transparency, investor protection, and operational resilience.

**Market Abuse Rules:** Standard market abuse regulations, including prohibitions against insider trading and market manipulation, apply to DLT-based securities.

**Post-Trade Transparency:** Rules regarding trade reporting and post-trade transparency (e.g., public disclosure of transaction prices and volumes) are expected to apply.

**Custody:** Entities providing custody services for DLT-based securities must also be authorized and supervised by the AFA, adhering to robust security and operational standards.

**Imposing administrative fines:** For violations of regulatory requirements.

**Issuing cease-and-desist orders:** To stop unauthorized activities.

Revoking licenses or authorizations has expanded beyond serious breaches to include procedural failures, certification lapses, and national security concerns such as foreign adversary control.

Publicly sanctioning individuals or entities is used as a national security and foreign policy tool, not primarily for market transparency and deterrence.

**Requiring restitution or compensation:** To affected investors in certain cases.

Llei 24/2022, del 30 de juny, regulates blockchain and cryptocurrencies in Andorra, not Law 15/2022.

*(Note: This is in Catalan, the official language of Andorra)*

*(You may need to navigate the AFA website to find specific regulations or guidance related to digital assets as they are published).*

**Autoritat Financera Andorrana (AFA) – Andorran Financial Authority**

**Role:** The AFA is the primary regulatory and supervisory body for the financial system in Andorra, including DLT-based activities. It is responsible for authorizing and supervising entities operating under the DLT law, ensuring compliance with prudential and conduct-of-business rules, and enforcing AML/CFT regulations. The AFA was established through the merger of the Institut Nacional Andorrà de Finances (INAF) and the Agència Andorrana de Resolució d’Entitats Bancàries (AREB).

The UAE's Securities and Commodities Authority (SCA), in coordination with Dubai's Virtual Assets Regulatory Authority (VARA) and other relevant authorities, is responsible for establishing the unified legal and regulatory framework for virtual assets and DLT across the UAE, including Abu Dhabi.

**Llei 22/2022, del 21 de juliol, de representació digital d'actius mitjançant la utilització de tecnologia de registre distribuït**

**English Translation:** Law 22/2022, of July 21, on the digital representation of assets through the use of distributed ledger technology.

The Airworthiness Directive dated July 21, 2022, has been superseded by a newer directive effective as of August 18, 2025.

URL (Official Gazette - Butlletí Oficial del Principat d'Andorra - BOPA): https://www.bopa.ad/bopa/034024/Documents/Sumari_22_2022.pdf (This links to the full text of the law in Catalan).

Establishes the legal framework for the issuance, representation, transfer, and custody of assets using DLT.

Defines various types of digital assets, including "digital value assets" (e.g., utility tokens, payment tokens) and "digital financial instruments" (e.g., security tokens, representing traditional financial assets).

Mandates authorization by the AFA for entities wishing to engage in activities related to digital financial instruments, such as their issuance, public offering, or operation of trading platforms.

Proposed regulations from April 2026 would reorganize AML/CFT obligations, governance rules, and technological requirements for DLT service providers, shifting toward a risk-based framework rather than maintaining the previously strict, static mandates.

The regulatory framework involves ongoing adoption, revision, or urging of implementing regulations by government bodies to specify requirements for various activities.

**Permitted, but Strictly Regulated and Licensed:**

Andorra's stance is that crypto trading and exchanges (specifically those dealing with "digital financial instruments" or certain regulated "digital value assets") are permitted activities, but they fall under the strict licensing and supervisory regime of the AFA, as outlined in Law 22/2022.

Entities wishing to operate a crypto exchange (i.e., a trading platform for digital financial instruments or regulated digital value assets) or provide services such as custody, brokerage, or issuance of these assets must obtain a specific authorization from the AFA.

These entities are subject to comprehensive regulatory requirements, including:

**Authorization and Licensing:** Detailed application process with business plans, governance structures, and capital requirements.

**AML/CFT Compliance:** Robust anti-money laundering and counter-terrorist financing measures, including customer due diligence (CDD), transaction monitoring, and suspicious activity reporting. Andorra follows international standards set by FATF.

**Investor Protection:** Rules regarding transparency, disclosure, and fair trading practices.

**Operational Resilience:** Requirements for IT security, risk management, and business continuity.