Virtual Asset Service Providers (VASP): Definition and Role

11 hours ago
6 min read

Who Qualifies as a Virtual Asset Service Provider

The concept of a VASP is foundational in cryptocurrency regulation. According to the FATF virtual asset service providers definition, this term designates entities subject to AML/CTF frameworks, mandatory registration, and the requirement to secure a virtual asset service provider license.

Exchanges and trading platforms

Platforms facilitating the exchange of cryptocurrency for fiat or other cryptoassets strictly align with the exchange category of this definition. Regarding decentralized finance (DeFi), the FATF applies a functional approach. The DeFi software itself (the application) is not a VASP, as FATF standards do not apply to technology per se. But the people behind it (creators/owners/operators, or anyone with control or “sufficient influence”) can be treated as VASPs if they are providing or actively facilitating VASP services as a business, even if the product markets itself as decentralised.

Custody and wallet providers

If you hold or control customers’ private keys, or otherwise provide “safekeeping and/or administration” of virtual assets (or tools that enable control), you are typically in classic VASP territory. This is why custodial wallet providers and institutional custody setups are commonly regulated: the provider becomes the “control point” where AML/CTF measures (KYC, monitoring, reporting) can be applied. FATF explicitly expects VASPs to be regulated and supervised as part of AML/CTF frameworks.

Crypto brokers and intermediaries

Not every VASP looks like a “big exchange”. If you act as an intermediary, especially in relation to distribution, placement, brokering, or other financial services tied to token offerings you can still fall into the VASP definition. FATF includes “participation in and provision of financial services related to an issuer’s offer and/or sale” of a virtual asset.

If you help clients access liquidity, route orders, arrange swaps, or otherwise “make the deal happen” as a business for them, regulators often treat you closer to a broker/intermediary function, even if your frontend looks like a simple “swap” widget. FATF also notes that these roles can appear in different structures (including more decentralised models) and should be assessed by function.

Virtual Asset Service Providers Examples

Crypto exchanges as VASPs

Prominent virtual asset service providers examples include cryptocurrency exchanges. A typical VASP exchange is any business that:

lets users convert crypto to fiat or crypto to crypto,
runs matching/order execution (even if partially automated),
and provides these services as a business for customers.

Even if the exchange doesn’t “touch” every element of the transaction, FATF stresses that a provider can still qualify as a VASP if it conducts the exchange activity as a business for another person.

Digital asset custody providers

If a company holds assets (or the practical ability to move them) on behalf of customers (retail or institutional) it usually fits the custody limb of the VASP definition (“safekeeping and/or administration”). This also includes scenarios where the provider offers an integrated custody, trading and settlement stack, because that combination often involves exchange and transfer services too.

Crypto payment platforms

If your product helps merchants accept crypto, converts incoming crypto to fiat (or to stablecoins), or provides a “pay with crypto” flow that transfers value on behalf of a user, regulators commonly look at it as a VASP-style transfer service. FATF treats transfers broadly and also connects them to the AML “wire transfer” logic (the “travel rule”).

Compliance Requirements for VASPs

Virtual asset service provider risking and risk controls

Virtual asset service provider risking dictates how an entity identifies and manages money laundering and terrorist financing exposures. Instead of one-size-fits-all rules, a risk-based approach is used: the higher the risk, the stricter the checks and controls.

Regulators expect exactly this logic. A company must not merely comply with requirements in a formal sense, but clearly identify where risks arise in customers, products, transactions, or geography and build its AML system accordingly.

In practice, this means:

clear customer onboarding rules,
enhanced checks for high-risk cases,
analysis of wallets and addresses,
constant transaction monitoring,
adequate protection of customer assets.

AML and transaction monitoring obligations

Transaction monitoring is where compliance obligations become operational: it is the ongoing process of identifying suspicious activity patterns and escalating them through internal channels and, where required, to the relevant authorities.

Core obligations commonly applicable to VASPs include:

Under FinCEN guidance, persons engaged in accepting and transmitting convertible virtual currency are treated as money transmitters and are subject to full AML program requirements, including recordkeeping, transaction monitoring, and the filing of Suspicious Activity Reports (SARs) and other applicable reports.
FATF requires VASPs to apply wire transfer–like obligations to virtual asset transactions (commonly referred to as the Travel Rule) encompassing the collection and transmission of originator and beneficiary data, identification and reporting of suspicious transfers, and enforcement of sanctions-related obligations.
In the EU, the recast Funds Transfer Regulation (TFR) extends these requirements to crypto-asset transfers, mandating originator and beneficiary information across transactions, with enhanced obligations for transfers involving self-hosted addresses above specified thresholds.

Why VASPs Are Regulated

Financial crime prevention

FATF’s guidance stresses that new technologies create innovation opportunities, but also new opportunities for criminals and terrorists to launder proceeds or finance illicit activities, so the risk-based approach is central. That’s also why the travel rule exists: regulators want key information about who is sending and receiving transfers, plus monitoring/screening to catch suspicious activity and comply with sanctions. In U.S. practice, FinCEN’s framework treats certain crypto money transmission activities like other money transmission: requiring AML programs designed to prevent misuse and requiring reporting such as suspicious activity reports (and other reports where applicable).

International regulatory frameworks

Most countries’ crypto AML regimes are shaped by a combination of:

FATF standards (especially the principle that VASPs should be licensed/registered and supervised, and that VA transfers should follow travel rule logic);
regional frameworks, such as the EU’s MiCA regime for CASPs and the EU rules on information accompanying transfers of funds and certain crypto-asset transfers;
national supervisory regimes, like the UK FCA registration for in-scope cryptoasset AML businesses, with ongoing reporting requirements.

Virtual Asset Service Provider License

When a VASP license is required

Securing a virtual asset service provider license is generally mandatory when providing FATF-defined VASP activities (exchange, transfer, custody) as a commercial service. It is also required when targeting jurisdictions with strict regulatory regimes, irrespective of corporate location. In practice, the EU's MiCA framework requires crypto-asset service providers (CASPs) to obtain authorization. The UK FCA mandates AML registration, while US FinCEN requires federal money transmitter registration.

Key requirements for obtaining a VASP license

While the details vary by jurisdiction, regulators generally require evidence that a crypto service can be operated safely, transparently, and with effective controls.

For EU CASP authorisation files under MiCA-related standards work, European Securities and Markets Authority materials highlight requirements and expectations around:

corporate documents and identifiers, registration details, and (where relevant) the trading name;
a detailed programme of operations (including organisational structure, strategy, and operational capacity);
resilience/stress scenarios and prudential safeguards (client protection angle);
governance arrangements and internal controls;
business continuity and disaster recovery (including cyber disruption scenarios);
AML/CTF mechanisms, systems, policies, and procedures (aligned to EU AML rules); fit and proper / good repute information about management and qualifying holders, including background and source-of-funds considerations;
cybersecurity and ICT security arrangements;
segregation/safeguarding of client assets and funds.

In the UK AML registration context, FCA application materials show regulators focus heavily on whether a firm can demonstrate internal AML controls, including customer due diligence policies, monitoring for suspicious transactions, reporting processes, training, and a responsible compliance lead.

FAQ

What is a virtual asset service provider?

A VASP is a business that conducts virtual asset activities such as exchange, transfer, or custody, for or on behalf of another person.

Who needs a VASP license?

Any business providing crypto exchange, transfer, or custody services as a professional activity generally requires a license or registration. This applies if you operate in or target jurisdictions with mandatory regimes, such as MiCA in the EU or FinCEN in the US.

What are examples of VASPs?

Virtual asset service providers examples include:

Exchanges: Coinbase, Binance, and Kraken.
Wallet Providers: Services offering storage solutions for virtual assets.
Custodians: Entities that safeguard virtual assets on behalf of their clients, ensuring security and proper management.
Payment Processors: Facilitate transactions using virtual assets, making it easier for merchants to accept cryptocurrencies as payment.