When we talk about VASP – Virtual Asset Service Provider – more concerns than action steps arise. The digital finance sphere sets new rules of the game, and to play fair, companies, startups and associations need to understand various policies. We're here to explain what a VASP is and to make a huge amount of legal wording and regulation meaningful to you.
What is VASP & scope of usage
VASP is broadly defined as an entity or individual that offers services related to the transfer, exchange, or storage of virtual assets, commonly operating within cryptocurrency and blockchain domains.
A more comprehensive definition is provided by the Financial Action Task Force (FATF), an international policy-making body dedicated to combating money laundering and the financing of terrorism. The FATF’s guidelines, though non-binding, serve as global standards in anti-money laundering (AML) and counter-terrorist financing (CFT) policies. In accordance with the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, a VASP means: any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: exchange between virtual assets and fiat currencies; exchange between one or more forms of virtual assets; transfer of virtual assets; safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
This FATF definition emphasises the range of services that VASPs can provide, from exchanges between fiat and virtual assets to the safekeeping of virtual assets and the facilitation of initial offerings.
VASPs encompass a wide range of businesses within the digital asset sector, such as:
Exchanges – platforms that enable users to trade virtual assets for other assets (including fiat currency);
ATMs – entities offering virtual asset ATMs, allowing users to buy or sell virtual assets in exchange for cash;
Wallet custodians – organisations that store and manage virtual assets on behalf of clients, often providing secure storage solutions and backup for private keys;
Hedge funds – investment funds focusing on virtual assets for high-net-worth individuals, managing portfolios that include diverse digital assets.
Each of these VASP types plays a specialised role in the virtual asset ecosystem, from providing secure storage to facilitating trades and investments, helping drive both market growth and consumer accessibility in the digital economy. These service providers play a key role in facilitating virtual asset transactions for their clients, whether individuals or businesses, and thus are critical in managing both the potential and risks associated with digital assets.
REMINDER:
A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets.
How are VASPs regulated?
The regulation of VASPs varies significantly depending on the jurisdiction, reflecting the different approaches taken by regulatory bodies worldwide. Generally, VASPs are regulated through a combination of AML, CFT, consumer protection, and financial stability rules, with specific regulatory frameworks in place for crypto-assets and related services. However, each jurisdiction has its own set of rules, which can differ in terms of licensing requirements, compliance obligations, and oversight mechanisms.
The FATF’s recommendations have set the standard for global regulatory practices, urging countries to implement measures that ensure VASPs are adequately supervised and compliant with AML and Know Your Customer (KYC) requirements.
In the United States, for instance, VASPs must register with the Financial Crimes Enforcement Network (FinCEN) and comply with the Bank Secrecy Act (BSA).
Similarly, the European Union’s Fifth Anti-Money Laundering Directive (5AMLD) extends AML requirements to cover virtual asset service providers, mandating registration and adherence to robust customer verification processes.
The 5th AML Directive (2018/843) outlined an obligation for all EU member states to regulate virtual assets at the level of local legislation and ensure registration or licensing for VASPs, crypto exchangers and other participants in the cryptocurrency industry. Thus, EU member states have started to allow blockchain businesses to formally register their activities and obtain licences for the exchange or storage of cryptocurrencies, step by step.
The European Union’s regulatory landscape for VASPs is set for further transformation with the introduction of the Markets in Crypto-Assets (MiCA) regulation.
On April 20, 2023, the European Parliament approved MiCA, concluding a years-long negotiation process to establish a single legal structure for crypto-assets and related services. MiCA aims to address several key regulatory needs: it seeks to create a level playing field for cryptocurrency businesses, promote fair competition, and minimise financial and AML/CFT risks.
By January 2025, MiCA will impose mandatory standards on crypto companies, including VASPs, requiring them to obtain authorization to operate and to follow robust transparency and disclosure practices.
Further details about how MiCA will shape the operations and requirements for VASPs within the EU are discussed in the next section, which outlines its transformative impact on the crypto-asset market in the EU.
Currently, the specific regulatory requirements for VASPs are also established at the national level within EU member states, allowing each jurisdiction to tailor its regulatory approach according to local market conditions and legislative frameworks.
For instance, in Estonia, the Money Laundering and Terrorist Financing Prevention Act (Rahapesu ja terrorismi rahastamise tõkestamise seadus (RahaPTS)) requires VASPs to adhere to rigorous AML and customer verification obligations. This legislation, among the most stringent in Europe, mandates that VASPs acquire an Estonian Financial Intelligence Unit (FIU) licence.
Similarly, in Lithuania, the Law on Prevention of Money Laundering and Terrorist Financing (Pinigų plovimo ir teroristų finansavimo prevencijos įstatymas) provides the regulatory framework for VASPs operating in the country. This law requires VASPs to implement comprehensive AML and KYC measures, with the Bank of Lithuania overseeing compliance to ensure effective oversight and enforcement.
Trends & upcoming changes in VASP regulations? MiCA impact
Once MiCA comes into full effect, licensed VASPs operating in the European Union will need to adjust to the new regulatory framework, as MiCA replaces and significantly expands the existing requirements for crypto-asset companies. While MiCA does not directly use the term VASP, it introduces the term CASP (Crypto-Asset Service Provider), which essentially covers the same entities and the services they provide.
All existing VASPs with licences from national regulators will need to adapt to the new MiCA regulations and obtain authorization as CASPs. Companies must go through a registration and certification process according to the new MiCA requirements to ensure compliance with the EU-wide standards.
MiCA will enter into force for crypto exchanges in December 2024, but licence application submission is expected to open on January 1st 2025. The EU Member States have the option of granting currently licensed VASPs up to an additional 18-month “transitional period” during which they may continue to operate without a MiCA licence (“grandfathering clause”). Thus the current VASPs may potentially operate until as late as 1st July 2026; the exact date, however, may vary by jurisdiction based on how each Member State chooses to apply (or not apply) the optional transitional measures per Article 143(3) of MiCA.
NOTE:
The transitional provisions outlined in MiCA apply solely to VASPs that were already operating under applicable national laws before 30 December 2024. VASPs planning to start operations after 30 December 2024 will be required to immediately obtain authorization to operate as a CASP under MiCA.
This means that any entity intending to engage in crypto-asset services after this date will need to comply with the full regulatory framework, including obtaining the necessary licences and adhering to the enhanced market integrity requirements specified by MiCA.
What exactly will CASPs need to do to get MiCA approval?
Here are the essential prerequisites:
Have an office location and director within the EU (Article 59 MiCA: Crypto-asset service providers authorised in accordance with Article 63 shall have a registered office in a Member State where they carry out at least part of their crypto-asset services. They shall have their place of effective management in the Union and at least one of the directors shall be resident in the Union).
Meet minimum capital requirements (up to 150,000 EUR, depending on the specific CASP activities).
Have systems for KYC, record-keeping, and monitoring to prevent illicit activities.
Ensure secure custody of client assets and funds.
Implement mechanisms for complaints handling, conflicts of interest management, outsourcing oversight, and business continuity.
Additionally, CASPs must submit detailed paperwork covering their services, systems, policies, and structures. Regulators will thoroughly review applications before granting licences.
CASPs involved in the issuance, exchange, or custody of other types of crypto-assets (for example, asset-referenced tokens or e-money tokens) must meet additional requirements, particularly concerning the stability of the token’s value and, in the case of asset-referenced tokens, its backing assets.
Some insights we have regarding companies' VASP management
In terms of MiCA implications, VASPs will have a transition period (length depending on jurisdiction), but as the timeframes are quite narrow we recommend starting preparations now, e.g. by drafting the required policy documentation and setting up local substance such as a physical office and a local team of senior-level AML specialists – a successful outcome is best obtained with thorough and timely preparations.
For companies looking to operate as VASPs or whose services meet the criteria for VASP designation, understanding the regulatory landscape is essential for successful market entry and compliance.
Firstly, companies should assess their service offerings to determine if they fall under the regulatory definition of a VASP.
Different jurisdictions require VASPs to obtain specific licences or register with regulatory bodies. With MiCA set to standardise these requirements across the EU by January 2025, companies must prepare for licensing and authorization standards that will apply across all EU member states.
AML and KYC programs are non-negotiable elements for VASPs. Companies must design procedures that align with regulatory standards to identify and verify customers, monitor transactions, and report suspicious activities.
Beyond basic compliance, aligning with industry best practices can improve operational resilience and market reputation: adopt security best practices, including multi-signature wallets, cold storage, and encryption protocols; regularly audit internal processes, particularly AML/KYC programs, to ensure they meet regulatory standards; consider obtaining insurance for digital assets under custody, which can offer added protection and credibility.
What are examples of Virtual Asset Service Providers?
Here are examples of VASPs in Europe and the US; you can follow them for trends and upcoming changes:
Cryptocurrency exchanges. Platforms like Coinbase, Binance, and Kraken allow users to buy, sell, and trade virtual assets against fiat currencies or other cryptocurrencies.
Wallet providers. Companies such as Ledger, Trezor, and MyEtherWallet provide digital wallets where users can securely store, manage, and transfer virtual assets.
Peer-to-peer platforms. LocalBitcoins and Paxful are examples of peer-to-peer platforms where individuals can buy and sell virtual assets directly with each other, often with the platform providing an escrow service for safety.
Custodial services. BitGo and Gemini Custody specialise in providing secure storage solutions for several virtual assets, typically targeting institutional investors.
ATM operators. Bitcoin ATMs, run by various companies, allow individuals to buy or sometimes sell cryptocurrencies in physical locations using cash or cards.
Payment service providers. BitPay and CoinGate are platforms that facilitate merchants in accepting virtual asset payments for goods and services.
Token issuance platforms. Some platforms, like Ethereum, allow for the creation and issuance of new tokens, often used for Initial Coin Offerings (ICOs) or decentralised finance (DeFi) purposes.
DeFi platforms. Environments like Uniswap, MakerDAO, and Compound offer various financial services using virtual assets, from trading to lending, without traditional intermediaries.
Brokers. Entities or individuals that buy and sell virtual assets on behalf of customers, sometimes offering advice or portfolio management.
Case study regarding fines
The Financial Crime Investigation Service (the FCIS) has imposed a record fine of more than EUR 8.23 million on Payeer, a company registered in Lithuania as a depository virtual currency wallet operator and a virtual currency exchange operator (VASP), for established violations of international sanctions.
Another fine of more than 1.06 million EUR was imposed on the company for breaches of the Law on the Prevention of Money Laundering and Terrorist Financing (AML/CFT law).
Under the legislation, the company was required to carry out customer identification when providing VASP services, to ensure that services were not provided to sanctioned customers, to close existing accounts, to suspend the entities' disposition of funds or economic resources, and to inform the FCIS of the suspension. The company was found to be in breach of international sanctions laws for more than 1.5 years. During this period, Payeer UAB was found to have had at least 213,000 customers and a revenue of more than 164 million EUR. The FCIS found that the company had violated not only formal, but also substantive requirements of the law and the regulations: the identities of the company's clients were deliberately not properly determined and verified in order to avoid losing a significant part of the revenue. Transactions in breach of sanctions through sanctioned Russian banks were also not terminated. The company's infringements were assessed as serious, and the company itself failed to cooperate and provide explanations, resulting in a financial penalty of more than 8.236 million EUR. In addition, breaches of the AML/CFT law were identified. The company failed to notify the FCIS of customer operations or transactions in virtual currency equal to or exceeding EUR 15,000, and deficiencies were found in internal policies and internal control procedures related to identification and verification of customers and beneficiaries, risk assessment, risk management, submission of reports and information to the FCIS, etc.
In 2022, for example, the New York Department of Financial Services levied a $30 million fine against Robinhood Crypto, LLC, a VASP, because its “BSA/AML compliance program, including its transaction monitoring system, has significant deficiencies.” This VASP did not have adequate staffing; did not transition from a manual transaction monitoring system to one that was adequate to its size, customers, and transaction volume; and did not devote sufficient resources to address risks specific to the company.
In 2020, the Estonian FIU took significant action to enforce AML standards by revoking over 500 licenses from VASPs. This step was taken as part of an effort to control risks associated with insufficient AML measures, businesses with limited or no physical presence in Estonia, and companies inactive in their declared crypto operations. This intervention followed concerns about Estonia's rising role in money laundering cases linked to VASP operations in the country.
The rapid evolution of the digital asset landscape has brought forth a new category of financial intermediaries: VASPs. As the industry matures, regulatory frameworks are adapting to ensure the integrity and security of these services. If you have any concerns about licensing or compliance for VASPs, approach us: our team is qualified and empowered to help you with the VASP framework.