March 22, 2026
Methodology About Contact
TOKENIZATION COMPLIANCE
The Vanderbilt Terminal for Digital Asset Compliance
INDEPENDENT GLOBAL INTELLIGENCE FOR COMPLIANCE & REGULATION
MiCA Licensed CASPs: 12 ▲ Deadline Jul 2026 | AML Fines (2026): $2.1B ▲ Global Crypto | KYC Verifications: 890M ▲ 2025 Global | Travel Rule: 72% ▲ VASP Compliance | SEC No-Action: 4 Letters ▲ Tokenized Securities | Compliance Software: $1.8B ▲ Market Size | VASP Registrations: 3,400+ ▲ Global | 1099-DA Deadline: Jan 2027 ▼ First Filing | MiCA Licensed CASPs: 12 ▲ Deadline Jul 2026 | AML Fines (2026): $2.1B ▲ Global Crypto | KYC Verifications: 890M ▲ 2025 Global | Travel Rule: 72% ▲ VASP Compliance | SEC No-Action: 4 Letters ▲ Tokenized Securities | Compliance Software: $1.8B ▲ Market Size | VASP Registrations: 3,400+ ▲ Global | 1099-DA Deadline: Jan 2027 ▼ First Filing |
Encyclopedia

What Is a VASP? Virtual Asset Service Provider Definition and Requirements

Clear definition of VASP covering FATF classification, regulated activities, licensing requirements, and compliance obligations for virtual asset service providers.

Advertisement

What Is a VASP?

A VASP (Virtual Asset Service Provider) is the FATF’s designation for any business that conducts exchange, transfer, safekeeping, or administration of virtual assets on behalf of another person, triggering mandatory AML/CFT compliance obligations including licensing, customer due diligence, transaction monitoring, and Travel Rule compliance.

Detailed Explanation

The Financial Action Task Force (FATF) introduced the VASP definition in its Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs, first published in June 2019 and revised in October 2021. The definition encompasses five specific activities conducted “as a business” on behalf of another natural or legal person: (1) exchange between virtual assets and fiat currencies, (2) exchange between one or more forms of virtual assets, (3) transfer of virtual assets (meaning conducting a transaction on behalf of another person that moves a virtual asset from one address to another), (4) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets (custody), and (5) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset (token issuance facilitation).

The VASP designation carries significant regulatory consequences because it brings the designated entity within the scope of FATF Recommendations 10-23, which cover customer due diligence, record keeping, suspicious transaction reporting, and — critically — Recommendation 16, the Travel Rule for virtual asset transfers. As of March 2026, 78 of the FATF’s 206 member and associate member jurisdictions have implemented VASP-specific AML/CFT regulations, according to the FATF’s latest compliance assessment. An additional 43 jurisdictions have regulations in draft or parliamentary consideration. The remaining jurisdictions either prohibit virtual assets entirely or have not yet legislated.

The boundary of the VASP definition remains one of the most contested questions in crypto regulation. The FATF’s 2021 guidance addresses DeFi specifically, stating that owners/operators of a DeFi protocol may qualify as VASPs if they maintain “control or sufficient influence” over the protocol, even if the underlying software operates autonomously. This principle has been adopted unevenly across jurisdictions. The EU’s MiCA regulation explicitly excludes “fully decentralized” protocols from CASP requirements but does not define the threshold for “full decentralization.” Singapore’s MAS treats DeFi front-end operators as digital payment token service providers subject to licensing. The US has not adopted a formal VASP definition but FinCEN’s existing MSB (Money Services Business) framework captures most VASP activities through money transmission licensing.

How It Works in Practice

When a business is classified as a VASP, it must build and maintain a comprehensive AML/CFT compliance program before commencing operations. In practice, this means establishing seven core functions. First, appointing a designated compliance officer with appropriate authority and resources — MiCA requires this individual to be a member of or report directly to the management body. Second, conducting a business-wide risk assessment that identifies ML/TF risks specific to the entity’s products, customer base, geographic exposure, and delivery channels. Third, implementing KYC/customer due diligence procedures that verify customer identity before establishing a business relationship and on an ongoing basis, with enhanced due diligence for high-risk customers (politically exposed persons, customers from high-risk jurisdictions, customers transacting above defined thresholds).

Fourth, deploying transaction monitoring systems that detect suspicious activity patterns including structuring, rapid movement of funds, transactions involving high-risk jurisdictions, and exposure to sanctioned addresses or known illicit services. Fifth, implementing sanctions screening against all applicable sanctions lists (OFAC SDN, EU Consolidated, UN, and jurisdiction-specific lists). Sixth, establishing Travel Rule compliance for virtual asset transfers — under FATF Recommendation 16, the originating VASP must obtain and transmit originator and beneficiary information to the beneficiary VASP for transfers above the applicable threshold (USD/EUR 1,000 in most jurisdictions). Seventh, filing suspicious activity reports (SARs) or suspicious transaction reports (STRs) with the relevant Financial Intelligence Unit when monitoring identifies activity that gives rise to a suspicion of money laundering or terrorist financing.

The operational burden of VASP compliance varies significantly by jurisdiction and business model. A centralized crypto exchange operating in the EU under MiCA faces the full CASP compliance regime, including market abuse surveillance, white paper requirements for listed tokens, and complaint handling procedures — in addition to the core AML/CFT obligations. A custody-only VASP in Singapore faces a narrower set of requirements focused on AML/CFT and cybersecurity. Deloitte’s 2025 Global Crypto Compliance Survey found that the median VASP allocates 8% of gross revenue to compliance, with staffing ratios of approximately 1 compliance professional per 2,000 active customers.

Regulatory Requirements by Jurisdiction

United States: The US does not use the term “VASP” in statute. Instead, FinCEN regulates crypto businesses as Money Services Businesses (MSBs) under the Bank Secrecy Act (BSA), requiring registration with FinCEN and compliance with BSA/AML requirements including SAR filing, Currency Transaction Report (CTR) filing for transactions exceeding $10,000, and customer identification programs. State-level money transmitter licensing is required in most states (49 of 50, excluding Montana). The SEC regulates entities dealing in digital assets that qualify as securities under the Howey test. The OCC has authority over federally chartered stablecoin issuers under the GENIUS Act (August 2025). The patchwork of federal and state requirements means a US crypto exchange may hold FinCEN MSB registration, state money transmitter licenses in 49 states, and potentially SEC broker-dealer or ATS registration.

European Union: MiCA uses the term CASP (Crypto-Asset Service Provider) rather than VASP, but the regulatory substance is equivalent. MiCA Article 59 defines ten crypto-asset services requiring CASP authorization: custody, operation of a trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of orders, placing of crypto-assets, reception and transmission of orders, providing advice, providing portfolio management, and providing transfer services. CASP authorization requires minimum capital (EUR 50,000-150,000 depending on services), fitness and propriety assessments, AML/CFT compliance, and ongoing supervisory reporting. Authorization is passportable across all 27 EU member states.

United Kingdom: The FCA maintains the UK’s crypto-asset registration regime under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended). All firms carrying on crypto-asset activity in the UK must register with the FCA. The FCA has rejected over 85% of registration applications since the regime’s inception, primarily due to inadequate AML/CFT controls. The UK government has proposed comprehensive crypto regulation under the Financial Services and Markets Act 2000, expected to introduce a licensing regime closer to MiCA by 2027.

Singapore: MAS regulates VASPs as Digital Payment Token (DPT) Service Providers under the Payment Services Act 2019 (amended 2021). DPT service providers must obtain a Major Payment Institution (MPI) license from MAS, comply with AML/CFT requirements under MAS Notice PSN02, implement Travel Rule compliance, and maintain minimum base capital of SGD 250,000. MAS has been selective in granting licenses, with 19 entities holding MPI licenses for DPT services as of March 2026 out of over 170 applications received.

Common Challenges and Solutions

The most common challenge in VASP compliance is determining whether a specific business activity falls within the VASP definition. Peer-to-peer trading platforms, non-custodial wallet providers, DeFi protocol operators, NFT marketplace operators, and mining pool operators all occupy grey zones where VASP classification depends on jurisdictional interpretation. The recommended approach is to conduct a regulatory perimeter analysis for each jurisdiction where the business operates, mapping specific product features (custody vs. non-custody, intermediated vs. peer-to-peer, fungible vs. non-fungible) against the local VASP or equivalent definition. Legal opinions from qualified counsel in each jurisdiction should be obtained and documented.

Cross-jurisdictional compliance is the second major challenge. A VASP operating in five jurisdictions may face five different registration requirements, five different KYC thresholds, five different SAR filing obligations, and five different Travel Rule implementations. The solution is a compliance architecture that implements the strictest requirement as the global baseline and adds jurisdiction-specific overlays where local requirements deviate. For example, implementing KYC verification for all customers at the EUR 0 threshold (MiCA standard) satisfies the less restrictive US requirement ($3,000 CDD threshold under FinCEN’s CDD rule) and Singapore’s requirement (any transaction).

Travel Rule compliance remains the most technically challenging VASP obligation. Transmitting originator and beneficiary information between VASPs requires a common messaging protocol and counterparty discovery mechanism. Notabene has emerged as the dominant Travel Rule network with 170+ connected VASPs, but interoperability between competing protocols (OpenVASP, TRISA, Sygna Bridge) remains incomplete. VASPs should implement Travel Rule solutions that support multiple protocols and participate in the largest available network to maximize counterparty coverage.

Advertisement
Advertisement
Key Data
MiCA Licensed CASPs 12
AML Fines (2026) $2.1B
KYC Verifications 890M
Travel Rule 72%
Related Entries
What Is a Risk-Based Approach? AML Compliance Methodology Explained
What Is a Suspicious Activity Report (SAR)? Filing Requirements Explained
What Is AML Compliance? Anti-Money Laundering for Digital Assets Explained
What Is Beneficial Ownership? UBO Requirements for Crypto Compliance
What Is KYC Verification? Know Your Customer for Crypto Explained

Institutional Access

Coming Soon