VASP authorisation.
A VASP (Virtual Asset Service Provider) licence is the regulatory authorisation required to operate a crypto exchange, digital asset custody service, OTC trading desk, or virtual asset brokerage. VASP licensing requirements are set by national regulators aligned with FATF Recommendation 15 and are mandatory in all major financial centres.
Standard
FATF R.15
Globally aligned baseline
Top Tier
Singapore MAS
DPT u00b7 6u201312 months
UAE Route
VARA / DMCC
3u20136 months
EU Framework
MiCA CASP
From Dec 2024
01 — Engagement fit
Where this service
Where this service
compounds.
We work best with operators who treat this work as part of the product, not as an obstacle. Here is where we deliver — and where we may not be the right call.
Ideal engagement
When we deliver outsized value
Crypto exchanges and OTC trading desks
Any business buying, selling, or exchanging virtual assets on behalf of clients u2014 whether a centralised exchange, OTC desk, or broker u2014 requires VASP authorisation. Singapore MAS, UAE VARA, and Hong Kong HKVAC are the Tier-1 options; Lithuania FNTT and Seychelles FSA offer faster, lighter-touch frameworks.
Digital asset custody providers
Businesses holding virtual assets on behalf of clients u2014 hardware wallets, hot wallet custody, or institutional custody infrastructure u2014 require VASP authorisation covering the custody activity specifically. Singapore MAS and Switzerland FINMA are the strongest institutional credentials for custody operations.
Crypto-to-fiat payment processors
Businesses converting crypto to fiat as part of a payment or settlement flow require VASP authorisation (for the crypto side) plus a payment institution licence (for the fiat side). We structure both in parallel.
Look elsewhere
When we may not be the right fit
Anonymity-focused or privacy coin businesses
Privacy coin exchanges, mixers, and anonymous transaction facilitation are not businesses we structure. All VASP regimes are AML-aligned u2014 any business model built around circumventing transaction monitoring or travel rule compliance is incompatible with VASP authorisation.
Operators wanting a VASP label without AML infrastructure
VASP authorisation is an AML compliance credential first and foremost. A VASP without a functioning KYC/CDD programme, travel rule compliance, and transaction monitoring is not compliant u2014 and the licence will not survive supervisory examination.
Businesses targeting the US market primarily
The US does not have a federal VASP licence u2014 US crypto regulation is fragmented across FinCEN MSB registration, state money transmitter licences, and SEC/CFTC registration for securities/derivatives. We handle US structuring separately from VASP advisory.
02 — What you receive
Concrete
Concrete
deliverables.
Every engagement is scoped against a defined deliverable set. No "best-efforts" billing — the package is what you get, capped variations agreed in writing.
VASP activity classification & jurisdiction analysis
Assessment of your specific virtual asset services (exchange, custody, transfer, brokerage, advisory) and a comparison of Singapore MAS, UAE VARA, Lithuania, Seychelles, and other VASP regimes against your business model.
Entity formation & local substance
Incorporation of the VASP entity in the selected jurisdiction, with compliant directors, MLRO, and the local substance required for VASP authorisation.
Regulatory application management
Full VASP application prepared and filed u2014 business plan, AML/CTF framework, technology security assessment, and key-person submissions.
AML/CTF & Travel Rule compliance programme
A FATF-aligned AML programme including customer due diligence, enhanced due diligence for high-risk clients, suspicious transaction reporting, and Travel Rule compliance for virtual asset transfers.
Banking & fiat on/off ramp infrastructure
Introduction to banking channels and EMI providers that service VASP-licensed businesses u2014 one of the most significant operational challenges for crypto operators.
Ongoing compliance & supervisory readiness
Annual compliance reviews, regulatory change monitoring, and examination readiness u2014 sustaining VASP authorisation through its operational life.
03 — Engagement cadence
How the work
How the work
actually moves.
A typical engagement runs along the phases below. Where we are joining mid-stream — into an existing application or a live operation — we adapt from the relevant entry point.
Activity scope & VASP classification
Weeks 1u20133Define virtual asset services in scope (exchange, custody, transfer, brokerage). Select VASP regime and jurisdiction.
Entity formation & AML programme build
Weeks 3u201310Incorporate the entity. Build the AML/CTF programme, travel rule compliance framework, and technology security documentation.
VASP application review
Months 2u201312Seychelles / Estonia / Lithuania: 2u20134 months. UAE VARA / Singapore MAS: 6u201312 months. Hong Kong / Switzerland: 6u201312 months.
Authorisation & operational go-live
Month 3u201312VASP authorisation granted. Banking, payment infrastructure, and operational AML programme activated.
"A VASP licence without banking infrastructure is a certificate on a wall. Crypto-friendly banking is the hardest part of the whole engagement — we solve both together." — — GSS Legal, VASP Licensing
04 — Common questions
Before
Before
we start.
The questions we get on every diagnostic call. If yours isn't here, raise it in the consultation.
A Virtual Asset Service Provider (VASP) licence is the regulatory authorisation required to operate a crypto exchange, digital asset custody service, virtual asset brokerage, or related service. The VASP concept originates from FATF Recommendation 15, which requires countries to regulate and supervise virtual asset service providers with the same AML/CFT rigour as traditional financial institutions. All major financial centres now have VASP licensing frameworks.
Singapore MAS (DPT licence) is the gold standard for institutional VASP operations u2014 recognised globally, requires genuine substance, and takes 6u201312 months. UAE VARA (Dubai) is the most rapidly growing VASP hub with clear regulatory pathways and 3u20136 months to licence. For EU market access, Lithuania FNTT is the most popular MiCA-transitioning CASP. Seychelles and Mauritius offer lighter offshore VASP frameworks for non-EU/Asia-Pacific operations.
VASP is the generic FATF term for virtual asset service providers. MiCA CASP (Crypto Asset Service Provider) is the EU-specific licence under the Markets in Crypto-Assets Regulation, which took full effect in December 2024. A MiCA CASP licence provides a single EU passport across all 27 member states. VASP licences in Singapore, UAE, or Hong Kong are jurisdiction-specific u2014 they don't provide EU access. Operators wanting EU plus Asia typically hold both.
VASPs under FATF-aligned regimes must implement: customer due diligence (KYC/CDD) for all clients; enhanced due diligence for high-risk clients and politically exposed persons; transaction monitoring; suspicious transaction reporting; and Travel Rule compliance (transmitting originator and beneficiary information for virtual asset transfers above threshold). AML programme quality is the primary factor in VASP application success or rejection.
Some jurisdictions issue combined licences covering both virtual assets and traditional financial instruments u2014 Labuan FSA and Mauritius FSC both accommodate multi-activity structures. Most Tier-1 VASP regimes (MAS, VARA, HKVAC) are crypto-specific u2014 the FX activity would require a separate broker licence or be structured in a different entity. We design the correct multi-entity structure where both activities are in scope.
Ready when you are
Tell us where
Tell us where
you want to
operate.
Forty-five minutes with a partner. Jurisdiction memo within seven days. No retainer required to start.
45 min
First call with a partner.
No retainer required.
No retainer required.