Norway -- Licensing Requirements Regulatory Overview

Norway, as an EEA member state, implements EU directives and regulations. Currently, the primary regulatory framework for Virtual Asset Service Providers (VASPs) in Norway is driven by anti-money laundering and counter-terrorist financing (AML/CTF) legislation, specifically incorporating elements of the EU's 5th Anti-Money Laundering Directive (AML5D).

It's crucial to note that while the EU's comprehensive Markets in Crypto-Assets Regulation (MiCA) has been finalized and entered into force in the EU (with most provisions applicable from December 2024 and June 2025), its implementation in Norway through the EEA Agreement is pending but expected. This will significantly shift the regulatory landscape from an AML-focused registration regime to a full licensing regime.

Regulatory Authority

The primary regulatory authority for Virtual Asset Service Providers (VASPs) in Norway is Finanstilsynet (The Financial Supervisory Authority of Norway).

• Finanstilsynet Website (English): https://www.finanstilsynet.no/en/

Registration vs. Licensing Regime

Currently, Norway operates primarily a registration regime for VASPs for AML/CTF purposes, rather than a full licensing regime in the traditional sense (like for banks or investment firms), unless the VASP's activities explicitly cross over into regulated traditional financial services (e.g., holding fiat funds in a way that qualifies as a payment service).

This means that companies offering virtual asset services must register with Finanstilsynet and comply with specific AML/CTF requirements.

Scope of Regulated Activities (VASP Definition)

Under Norwegian AML legislation (the Money Laundering Act - Hvitvaskingsloven), a "virtual asset service provider" is defined broadly to include entities that, on behalf of or for a customer, provide one or more of the following services related to virtual assets:

1. Exchange between virtual assets and fiat currencies.
2. Exchange between one or more virtual assets.
3. Transfer of virtual assets.
4. Custody and/or administration of virtual assets on behalf of clients.
5. Participation in and provision of financial services related to an issuer's offer and/or sale of virtual assets.

Required Licenses/Registrations for Specific Entities

Based on the current AML-driven framework:

1. Exchanges (Crypto-to-fiat, Crypto-to-crypto)

• Required: Registration as a VASP with Finanstilsynet.
• Reason: Directly falls under the definition of "exchange between virtual assets and fiat currencies" and/or "exchange between one or more virtual assets."

2. Custody Providers

• Required: Registration as a VASP with Finanstilsynet.
• Reason: Directly falls under the definition of "custody and/or administration of virtual assets on behalf of clients."

3. Payment Processors

This category requires a nuanced approach, as it depends on the exact nature of the services:

• If the processor only handles virtual asset transactions (e.g., enabling merchants to accept crypto payments, but not converting to fiat or holding fiat funds on behalf of customers/merchants):
  • Required: Registration as a VASP with Finanstilsynet. This is because the service likely involves the "transfer of virtual assets" or "exchange between virtual assets."
• If the processor also handles fiat currency payments or holds fiat funds for customers/merchants (even if originating from crypto sales):
  • Required: In addition to VASP registration (if applicable for crypto aspects), a Payment Institution license under the Financial Contracts Act (Finansavtaleloven) and related regulations might be required. This is a significantly more demanding license covering traditional payment services. Finanstilsynet assesses such activities on a case-by-case basis to determine if they constitute payment services.

Key Requirements for VASP Registration

1. AML/CTF Compliance: This is the cornerstone of the current regime. Applicants must demonstrate robust policies and procedures, including:

   • Risk-Based Approach: A documented assessment of money laundering and terrorist financing risks specific to their business model.
   • Customer Due Diligence (CDD) / Know Your Customer (KYC):
     • Identification and verification of customers and beneficial owners (e.g., using official ID, electronic verification).
     • Ongoing monitoring of business relationships.
     • Enhanced due diligence for high-risk customers or transactions.
   • Transaction Monitoring: Systems and processes to monitor transactions for suspicious activity.
   • Reporting: Reporting of suspicious transactions (STRs) to Økokrim (the National Authority for Investigation and Prosecution of Economic and Environmental Crime).
     • Økokrim Website (English): https://www.okokrim.no/en/
   • Internal Controls: Robust internal procedures, controls, and risk management systems.
   • AML Officer: Appointment of a qualified and experienced AML compliance officer (often based in Norway).
   • Employee Training: Regular training for relevant employees on AML/CTF obligations.
   • Record-Keeping: Maintenance of records for prescribed periods.

2. Capital Requirements:

   • For VASP registration alone, there isn't a specific, high initial capital requirement mandated by law, unlike for banks or payment institutions. However, the entity must demonstrate sufficient financial resources to operate the business safely and effectively, and to meet its AML compliance obligations.
   • If a Payment Institution license is also required, then specific initial capital requirements (e.g., minimum €20,000 to €125,000 depending on services) and ongoing own funds requirements will apply.

3. Local Presence:

   • Yes, generally required. The entity seeking VASP registration must be a legal entity incorporated in Norway (e.g., as a Norwegian limited company - AS).
   • Key management, board members, and the AML officer are typically expected to reside in Norway to ensure effective local supervision and oversight.

4. Fit & Proper Requirements:

   • Owners, directors, and key personnel (especially the AML Officer) must meet "fit and proper" criteria. This involves assessments of their competence, integrity, reputation, and absence of criminal records.

5. Operational Requirements:

   • Appropriate governance arrangements, risk management frameworks, and internal control mechanisms.
   • Robust IT systems, cybersecurity measures, and business continuity plans relevant to the services offered.

Application Process

The application process for VASP registration with Finanstilsynet typically involves the following steps:

1. Company Incorporation: Establish a legal entity in Norway (e.g., an AS - aksjeselskap).
2. Preparation of Documentation: Compile a comprehensive application package, which typically includes:
   • Company registration documents.
   • Detailed business plan outlining services, target market, and operational model.
   • Articles of association.
   • Organizational chart.
   • Resumes/CVs and "fit and proper" declarations for directors, key management, and significant owners.
   • A comprehensive AML/CTF manual, including detailed policies, procedures, risk assessment, KYC/CDD procedures, transaction monitoring framework, and suspicious activity reporting process.
   • Information on IT systems, cybersecurity, and data protection.
   • Proof of sufficient financial resources.
3. Submission: The application, along with all supporting documentation, is submitted to Finanstilsynet.
4. Review and Dialogue: Finanstilsynet reviews the application, which can be a thorough process. They may request additional information, clarifications, or amendments to the submitted documents.
5. Decision: Finanstilsynet issues a decision. If approved, the entity is added to Finanstilsynet's public register of supervised entities for AML purposes.
6. Ongoing Compliance: Registered VASPs are subject to ongoing supervision by Finanstilsynet and must continuously comply with all AML/CTF obligations and report any significant changes to their business or organization.

Specific Regulatory References

• Money Laundering Act (Hvitvaskingsloven): This is the key piece of legislation that transposes the EU's AML directives into Norwegian law, defining VASPs and their obligations. You would typically refer to the consolidated Norwegian version of the Act (search "Lov om tiltak mot hvitvasking og terrorfinansiering (hvitvaskingsloven)").
• Regulations on Anti-Money Laundering and Terrorist Financing (Hvitvaskingsforskriften): Provides more detailed rules and guidance.
• Finanstilsynet's Regulations and Guidance: Finanstilsynet issues various circulars, guidance notes, and regulations related to AML/CTF. It's best to consult their website directly for the latest publications.
  • Finanstilsynet AML Topic Page: https://www.finanstilsynet.no/en/topic/money-laundering/
  • Finanstilsynet as Supervisory Authority for Money Laundering: https://www.finanstilsynet.no/en/finanstilsynet-is-the-supervisory-authority-for-money-laundering/

Impact of MiCA (Future Outlook)

Once MiCA is implemented in Norway (expected through the EEA Agreement), the regulatory landscape will undergo a significant transformation:

• Full Licensing Regime: MiCA introduces a comprehensive licensing regime for Crypto-Asset Service Providers (CASPs), requiring authorization from Finanstilsynet (or another EEA competent authority with passporting rights).
• Broader Scope: MiCA covers not just AML, but also market integrity, governance requirements, operational resilience, consumer protection, and requirements for the issuance and admission to trading of various types of crypto-assets (e.g., asset-referenced tokens, e-money tokens).
• Passporting: Licensed CASPs in one EEA member state will be able to "passport" their services across the entire EEA, including Norway.
• Increased Requirements: The capital, organizational, and operational requirements under MiCA will generally be more extensive than the current AML-focused registration regime.

Businesses currently operating or planning to operate in Norway's crypto space should closely monitor the implementation of MiCA and prepare for these upcoming changes.

Disclaimer: This information is for general informational purposes only and does not constitute legal or regulatory advice. Specific advice should be sought from qualified legal professionals experienced in Norwegian financial and cryptocurrency regulation.