Virtual Asset Service Providers: Global Regulatory Frameworks

The regulatory landscape for virtual asset service providers has transformed since FATF revised its Recommendations in 2019 to explicitly include VASPs within the AML/CFT framework. Five years on, the global picture is one of significant and uneven progress: some jurisdictions have implemented comprehensive VASP licensing regimes with sophisticated ongoing supervision; others have VASP registration frameworks that provide a compliance baseline but limited supervisory depth; and a substantial number of jurisdictions still have no effective VASP-specific AML/CFT regime in place. For VASPs operating across borders and for financial institutions that deal with VASPs as clients or counterparties, understanding which regime applies where — and what it requires — is a necessary compliance competency.

The FATF VASP Definition

FATF's Recommendation 15 and its Interpretive Note define a VASP as any natural or legal person who conducts one or more of the following activities as a business for or on behalf of another person: exchange between virtual assets and fiat currencies; exchange between one or more forms of virtual assets; transfer of virtual assets; safekeeping or administration of virtual assets or instruments enabling control over virtual assets; and participation in and provision of financial services related to an issuer's offer or sale of a virtual asset.

The definition is deliberately broad and technology-neutral. It captures centralised and decentralised exchanges, custodial wallet providers, peer-to-peer platforms (in certain circumstances), and intermediaries involved in initial token offerings. Critically, the definition focuses on the activity and the business model, not the technology — a DeFi protocol may or may not constitute a VASP depending on whether it involves a natural or legal person that conducts the covered activities as a business. FATF's 2021 Updated Guidance on VASPs includes analysis of DeFi arrangements and NFT platforms to assist jurisdictions in determining whether these novel structures fall within the VASP definition.

UK: FCA Crypto Asset Registration

The UK's current crypto asset AML regime is based on registration rather than full authorisation. Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended), UK-based crypto asset businesses that conduct cryptoasset exchange provider or custodian wallet provider activities must register with the FCA. Registration requires the firm to demonstrate that it has adequate AML/CFT systems and controls and that its beneficial owners, directors, and senior managers are fit and proper.

The FCA's approach to crypto registration has been notably restrictive. Between January 2020 and 2024, the FCA received hundreds of registration applications and approved only a fraction — rejecting or refusing to progress applications from firms whose AML/CFT frameworks did not meet the required standard. The FCA's public statistics indicate that many applicants withdrew their applications during the process rather than face formal rejection. This approach has created a relatively small registered population of crypto firms in the UK that have cleared a meaningful compliance bar.

The UK government has been developing a comprehensive crypto asset authorisation regime that would go beyond AML registration to cover market conduct, consumer protection, and prudential requirements for crypto exchanges and custodians. The Financial Services and Markets Act 2023 provided the legislative foundation for this regime, and the FCA published a series of discussion papers and consultation documents in 2023–2025. Full implementation is expected in 2026–2027.

EU: MiCA and CASP Requirements

The EU's Markets in Crypto-Assets Regulation (MiCA), which began applying in full from December 2024, creates a comprehensive licensing framework for crypto asset service providers (CASPs) operating in the EU. CASPs must obtain authorisation from their home member state's competent authority before providing crypto asset services, and the authorisation passport across the EU single market once granted. MiCA covers a defined list of crypto asset services including: custody and administration of crypto assets; operation of a trading platform; exchange of crypto assets; execution of orders; placement of crypto assets; reception and transmission of orders; and providing transfer services.

Under MiCA, CASPs are subject not only to AML/CFT requirements (which continue to be governed by the EU's separate AML framework including the AMLR and 6AMLD) but also to conduct of business requirements, disclosure obligations, and — for larger CASPs classified as "significant" — enhanced prudential and supervisory obligations including potential direct supervision by ESMA.

The VASP Travel Rule Challenge

FATF Recommendation 16 (the Travel Rule) applies to VASPs: when a VASP transfers virtual assets on behalf of a customer, it must collect, verify, and transmit originator and beneficiary information to the receiving VASP. The implementation of the Travel Rule for virtual assets is technically more complex than for traditional wire transfers, because blockchain transactions do not natively carry payer/payee identifying information within the transaction data itself.

Three main technical solutions have emerged: TRISA (Travel Rule Information Sharing Architecture), an open-source peer-to-peer protocol; the Travel Rule Protocol (TRP); and various commercial solutions from providers including Notabene, Sygna, and others. The "sunrise problem" — the challenge that Travel Rule compliance depends on counterparty VASPs also having implemented Travel Rule capability — remains a significant operational issue, particularly for transactions involving VASPs in jurisdictions that have not yet implemented the Travel Rule. VASPs in the UK (Travel Rule implemented September 2023) and EU (Transfer of Funds Regulation applying from 30 December 2024 with a €0 threshold for all crypto-asset transfers) now face the practical challenge of handling transactions where the counterparty VASP is in a non-implementing jurisdiction.