Croatia -- Licensing Requirements Regulatory Overview

Croatia, as an EU member state, implements the EU's anti-money laundering (AML) framework, specifically the 5th and 6th Anti-Money Laundering Directives (AMLD5 and AMLD6). This means that Virtual Asset Service Providers (VASPs) are currently subject to an AML registration regime rather than a full financial services licensing regime.

However, it's critical to note the upcoming impact of the EU's Markets in Crypto-Assets (MiCA) Regulation, which will introduce a harmonized licensing framework across the EU for Crypto-Asset Service Providers (CASPs).

Cryptocurrency/Virtual Asset Licensing Requirements in Croatia

1. Regulatory Framework & Key Authorities

The primary legislation governing virtual assets for AML purposes in Croatia is the Anti-Money Laundering and Terrorist Financing Act (Zakon o sprječavanju pranja novca i financiranja terorizma). This Act transposes the relevant EU AML Directives into Croatian law.

Key Regulatory Bodies:

• Office for Anti-Money Laundering (Ured za sprječavanje pranja novca – USPN): This is the primary authority responsible for supervising the implementation of AML/CFT measures by obliged entities, including VASPs. They maintain the register of VASPs.
  • Website: https://mup.gov.hr/ured-za-sprjecavanje-pranja-novca/5223 (Croatian Ministry of Interior page for USPN)
• Croatian Financial Services Supervisory Agency (Hrvatska agencija za nadzor financijskih usluga – HANFA): While USPN handles the AML registration, HANFA, as the financial regulator, may also have a role in interpreting certain crypto-assets as financial instruments under existing securities laws, or in providing guidance, particularly concerning future MiCA implementation.
  • Website: https://www.hanfa.hr/
• National Bank of Croatia (Hrvatska narodna banka – HNB): As the central bank, HNB monitors financial stability and may have views on crypto-assets impacting the traditional financial system.
  • Website: https://www.hnb.hr/en/

Relevant EU Legislation:

• Directive (EU) 2018/843 (AMLD5): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.156.01.0043.01.ENG
• Directive (EU) 2015/849 (AMLD4), as amended by AMLD5 and AMLD6: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L0849
• Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114 (Note: MiCA has a phased implementation, with most provisions for CASPs applying from 30 December 2025).

2. Registration vs. Licensing Regime (Current & Future)

• Current Regime (Pre-MiCA): Croatia operates a registration regime for VASPs, primarily for AML/CFT supervision. This means entities providing virtual asset services must register with the USPN and comply with AML obligations. It is not a full financial services license in the traditional sense, but an AML registration.
• Future Regime (Post-MiCA): From December 30, 2025, MiCA will introduce a harmonized licensing regime across the EU. Entities providing "crypto-asset services" (as defined by MiCA) will require a license from a competent national authority (likely HANFA in Croatia, in coordination with USPN for AML aspects) in one EU member state, which will then allow them to operate across the entire EU ("passporting"). This will replace the national AML registrations for the services covered by MiCA.

3. Required Licenses/Registrations by Service Type

Under the current Croatian Anti-Money Laundering and Terrorist Financing Act, services defined as "virtual asset services" that require registration include:

• Exchanges (Fiat-to-Crypto and Crypto-to-Crypto):
  • Services related to the exchange between virtual assets and fiat currencies.
  • Services related to the exchange between one or more types of virtual assets.
  • These services fall squarely within the VASP definition and require registration with the USPN.
• Custody Providers:
  • Services related to the safekeeping and administration of virtual assets or instruments enabling control over virtual assets (e.g., private keys).
  • This is explicitly defined as a VASP service and requires USPN registration.
• Payment Processors (involving virtual assets directly):
  • If a payment processor directly facilitates transactions in virtual assets on behalf of customers (e.g., receiving crypto from a customer and sending fiat to a merchant, or vice-versa), they would likely fall under the VASP definition of "transferring virtual assets" and require registration.
  • If a payment processor only handles fiat currency for a crypto business (e.g., processing credit card payments for a crypto exchange, but not touching the crypto itself), they would generally be regulated under traditional payment services laws (PSD2 framework) and would need a payment institution or e-money institution license/authorization, which is a different regulatory scope. The focus here is on direct virtual asset involvement.

Other VASP activities also requiring registration:

• Transferring virtual assets.
• Providing financial services in connection with the issuance and sale of virtual assets (e.g., acting as an initial coin offering (ICO) advisor or placement agent, if handling funds/assets).

4. Key Requirements for Registration (Pre-MiCA)

The requirements primarily stem from AML/CFT obligations:

• Local Presence:
  • Generally, a legal entity incorporated in Croatia is required to apply for registration.
  • A registered office in Croatia is necessary.
• AML/KYC Framework: This is the most critical aspect:
  • AML/CFT Policies and Procedures: Comprehensive internal rules and procedures for customer due diligence (CDD), enhanced due diligence (EDD), ongoing monitoring, record-keeping, and reporting suspicious transactions.
  • Risk Assessment: A robust risk assessment methodology for identifying and mitigating money laundering and terrorist financing risks associated with the VASP's operations, customers, products, and geographies.
  • Designated AML Officer: Appointment of a qualified and experienced individual responsible for AML/CFT compliance, reporting directly to the management board. This officer must be based in Croatia.
  • Staff Training: Regular training programs for all relevant employees on AML/CFT obligations.
  • Transaction Monitoring: Systems and procedures for real-time or post-transaction monitoring to detect unusual or suspicious activities.
  • Reporting Obligations: Procedures for reporting suspicious transaction reports (STRs) to the USPN.
• Management & Governance:
  • Fit and Proper Requirements: The management board members and significant shareholders must pass "fit and proper" tests, demonstrating good repute, honesty, integrity, and competence.
  • Robust internal governance arrangements, including clear lines of responsibility.
• Capital Requirements:
  • Under the current AML registration regime, there are no specific, high capital requirements explicitly prescribed solely for VASP registration, unlike for traditional financial licenses.
  • However, the entity must demonstrate sufficient financial resources to operate responsibly and meet its obligations, indicating financial solvency and operational capacity.
  • Note for MiCA: MiCA will introduce specific minimum capital requirements for CASPs, varying based on the type of service. These will be substantial.
• IT Security: Robust IT systems and security measures to protect customer data and assets, prevent cyberattacks, and ensure operational continuity.
• Data Protection: Compliance with the General Data Protection Regulation (GDPR) regarding the processing of personal data.

5. Application Process (General Steps)

The application process for VASP registration with the USPN typically involves:

1. Establish a Croatian Legal Entity: Incorporate a company in Croatia (e.g., a d.o.o. – limited liability company).
2. Develop Comprehensive Policies and Procedures: Prepare all required AML/CFT policies, risk assessments, internal rules, and IT security frameworks.
3. Appoint Key Personnel: Designate a qualified AML Officer and ensure management meets fit and proper criteria.
4. Prepare Application Documentation: Compile a detailed application package, including:
   • Company registration documents.
   • Business plan, outlining services, target market, and operational model.
   • Detailed AML/CFT manual, risk assessments, and internal control procedures.
   • Proof of IT security measures.
   • Information on management, shareholders, and AML officer (CVs, background checks, fit and proper declarations).
   • Proof of sufficient financial resources/solvency.
5. Submit Application: Submit the complete application package to the USPN.
6. Review and Communication: The USPN will review the application, potentially request additional information or clarifications, and may conduct interviews.
7. Registration: Upon successful review and approval, the entity will be registered as a VASP.

Important Considerations:

• Evolving Landscape: The regulatory landscape for virtual assets is rapidly evolving, especially with MiCA coming into full effect. Entities should stay informed of updates.
• Professional Advice: Given the complexity and evolving nature of regulations, it is highly recommended to seek legal and compliance advice from professionals specializing in Croatian and EU financial services law before commencing operations.