Bosnia and Herzegovina -- Licensing Requirements Regulatory Overview

**No specific "crypto custody license" exists.** Unlike some EU countries with dedicated VASP (Virtual Asset Service Provider) licensing regimes that explicitly cover custody, BiH has not yet introduced such a license.

**AML Registration for VASPs:** The primary regulatory requirement for entities providing services related to virtual assets, including those that might engage in custody (e.g., exchanges holding client funds), stems from the AML/CFT framework. BiH has aligned its AML legislation with FATF recommendations, which includes treating Virtual Asset Service Providers (VASPs) as obliged entities.

The **Law on Prevention of Money Laundering and Terrorist Financing (Zakon o sprečavanju pranja novca i finansiranja terorističkih aktivnosti)** mandates that VASPs, which would typically include entities offering custodial services for virtual assets, must register with the relevant authority (likely the Financial Intelligence Unit - FIU BiH) and implement robust AML/CFT procedures, including Know Your Customer (KYC) checks.

**Law on Prevention of Money Laundering and Terrorist Financing of Bosnia and Herzegovina (Official Gazette of BiH, No. 100/17, 36/18, 55/19, 32/22, 12/23, 12/24)**. While an official English translation with a direct government URL for the latest consolidated version can be hard to pinpoint, the law is accessible via official legislative databases. The Ministry of Security often publishes updates or related information.

**Ministry of Security of BiH (responsible for AML policy):** http://www.msb.gov.ba/?lang=en (You may need to navigate to legislative sections to find the specific law).

The Financial Intelligence Department (FID) within the State Investigation and Protection Agency (SIPA), not an independent FIU BiH, is the key AML/CFT enforcement body and likely first point of contact for VASP registration in Bosnia and Herzegovina.

**No specific rules for digital assets.** Given the absence of a dedicated custody framework, there are no specific legal mandates requiring the segregation of client digital assets from the custodian's proprietary assets.

**General Fiduciary Principles (by analogy):** While not legally binding for crypto, general principles of good corporate governance and financial trust would suggest that responsible custodians *should* segregate assets. However, this is currently a best practice rather than a regulatory requirement in BiH for digital assets.

**No specific requirements.** There are no explicit regulatory requirements for digital asset custodians in BiH to hold specific insurance or bonding to cover potential losses from hacks, operational failures, or other risks.

**No specific mandates.** BiH law does not currently mandate the use of cold storage (offline storage) for digital assets under custody. Responsible custodians would typically employ a combination of cold and hot storage for security reasons, but this is an operational choice rather than a regulatory obligation.

**No specific definition.** BiH law does not currently define what constitutes a "qualified custodian" for digital assets. Without a dedicated custody framework, such definitions are absent.

**EU Alignment and MiCA:** This is the most significant pending development. Bosnia and Herzegovina is an **EU candidate country**. As such, it is expected to gradually align its legislation with the EU acquis communautaire. The European Union's **Markets in Crypto-Assets (MiCA) Regulation** (Regulation (EU) 2023/1114) entered into force in June 2023, with most provisions becoming applicable from December 2024 and June 2025.

MiCA includes comprehensive provisions for **custody services for crypto-assets**, requiring authorization for crypto-asset service providers (CASPs) offering such services, robust organizational and prudential requirements, rules on segregation of client assets, liability for loss of crypto-assets, and more.

**Future Impact:** While MiCA does not directly apply to BiH, it is highly probable that BiH will eventually seek to transpose or align its national legislation with MiCA's standards as part of its EU accession process. This will involve introducing a dedicated licensing regime for CASPs, including specific rules for custody, which will address all the points raised in your question.

**Timeline:** The process of drafting, adopting, and implementing such comprehensive legislation would likely take several years after a formal commitment to MiCA alignment is made.

**Reference for MiCA (for understanding future direction):**

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):** https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

**Central Bank of Bosnia and Herzegovina (CBBH):** http://www.cbbh.ba/?lang=en (Primarily regulates traditional financial institutions, but may be involved in broader financial stability discussions regarding crypto).

**Ministry of Security of Bosnia and Herzegovina:** http://www.msb.gov.ba/?lang=en (Oversees AML/CFT policy and the FIU).

**Financial Intelligence Unit of BiH (FIU BiH):** A key player in AML/CFT enforcement, likely the first point of contact for VASP registration under current law.

**Securities Commission of the Federation of Bosnia and Herzegovina:** https://www.komvp.gov.ba/

**Securities Commission of Republika Srpska:** https://www.komvp.gov.rs/

Bosnia and Herzegovina now has a state-level AML/CFT framework that expressly covers virtual asset/virtual currency service providers, and Republika Srpska has a dedicated registration/notification regime for virtual currency service providers administered by the RS Securities Commission. While there is still no MiCA-style, fully harmonized crypto-asset licensing law at the state level, RS does operate a specific regulatory and registration regime for crypto businesses, so it is no longer correct to say that BiH operates under ‘no specific licensing regime’ or lacks any mandated authority for crypto businesses.

For virtual asset service providers, AML/CTF registration is no longer best described as an informal or merely ‘implied’ reporting registration. In line with FATF standards and recent reforms (including Australia’s Tranche 2 and comparable EU/Ireland approaches), VASPs are explicitly required to register with the competent AML/CTF authority (e.g., AUSTRAC or the Central Bank) before providing designated services, and must comply with a comprehensive set of ongoing AML/CTF obligations. While this registration is technically for AML/CTF purposes rather than a full prudential or conduct-of-business licence, it is a formal, mandatory regime with significant, licence-like compliance and enforcement requirements—not simply an implied reporting status.

**Custody Providers:** There is no specific license for virtual asset custody providers. General commercial law applies to business registration, but not for the specific service of crypto custody.

Crypto Payment Processors: If processing pure crypto-to-crypto payments without fiat involvement, no specific license is typically required. However, accepting fiat payments or converting between fiat and crypto requires licenses such as PSP under PSD2/MiCA CASP in the EU, or money transmitter/state licenses in the US.

In many jurisdictions, including BA, regulators have increasingly moved away from forcing VASPs to fit into existing payment‑ or e‑money‑institution categories and instead are introducing dedicated VASP licensing regimes, with their own prudential and capital requirements tailored to virtual‑asset risks; as these specific VASP frameworks take hold, traditional payment/e‑money capital requirements no longer generally apply by default to VASPs, though they can still apply in cases where a VASP also performs regulated payment or e‑money services.

AML and KYC obligations remain core and widely applicable elements of financial regulation, but they form one part of a broader, risk‑based compliance program that also includes sanctions screening, transaction monitoring, beneficial ownership transparency, reporting, and other controls; regulators no longer single out AML/KYC as the uniquely ‘most critical’ or universally dominant area across all financial activities.

Implement **Customer Due Diligence (CDD)** measures (Know Your Customer - KYC) for clients, including identity verification, beneficial ownership identification, and understanding the purpose of the business relationship.

**Monitor transactions** for suspicious activities.

Report suspicious transactions to the Financial Intelligence Agency (FIA), Botswana’s financial intelligence unit (FIU).

Maintain required records for the periods specified in applicable laws, regulations, and retention schedules; these periods vary by record type and jurisdiction (often 3–7 years for many business and financial records, around 5 years for many BSA/AML and similar regulatory records, and longer or permanent only for certain categories such as some medical, corporate, or ownership records), rather than a uniform 10‑year default.

Obligated entities in Bosnia & Herzegovina must appoint an AML officer and conduct internal AML/CFT training as part of a broader set of detailed compliance obligations introduced by the 2026 AML Rulebook implementing the Law on the Prevention of Money Laundering and Terrorist Financing.

The FIA/SIPPA is the primary authority for overseeing AML/CTF compliance.

Bosnia and Herzegovina has no single dedicated crypto licensing law, but fragmented regulations apply, and some sources indicate that obtaining a crypto license is necessary for legal operation, which may imply local presence requirements.

To conduct ongoing commercial operations in Bosnia and Herzegovina, a foreign business must register a presence in the country (typically a local company such as a d.o.o. or a registered branch), which entails registration with the competent court and subsequent registrations with tax and other authorities; a branch is not a separate legal entity but can also be used to operate a business with a registered office and local representative, so it is not strictly required to establish a separate Bosnian legal entity in all cases.

The process now primarily involves registering through the unified e-Registration platform (eRegistracija) run by the Indirect Taxation Authority, which has streamlined and digitized the steps including legal entity creation, tax identification, and permits.

**AML Registration/Compliance:** Any entity dealing with virtual assets is expected to implement an internal AML program and be prepared to register as a reporting entity with the FIA/SIPPA if they meet the criteria for "reporting entities" under the AML Law. There isn't an "application" for this, but rather an obligation to comply and report.

The main anti–money laundering (AML) authority in Bosnia & Herzegovina is the Financial Intelligence Department (FID) within the State Investigation and Protection Agency (SIPA), not a separate Financial Intelligence Agency (FIA).

Website: https://www.fipa.gov.ba/ (This official site, now hosted under the fipa.gov.ba domain with language options including English and local languages, contains information on the agency’s mandate and services.)

Banking agencies are primary supervisors of traditional insured depository institutions (such as banks and savings associations) but their regulatory and supervisory activities increasingly extend to certain nonbank financial firms and broader financial stability concerns, so their remit is no longer confined exclusively to traditional institutions.

Banking Agency of the Federation of Bosnia and Herzegovina: https://www.fba.ba/

Banking Agency of Republika Srpska: https://www.abrs.ba/

These agencies would be relevant if a crypto service attempts to integrate with traditional banking services and seeks licenses like those for payment institutions.

**Note:** Finding an official, up-to-date consolidated English translation with direct links to the *latest* official gazette entries online can be challenging for BiH legislation. However, the law is public.