
This guide covers what a VASP is and who qualifies, what AML obligations apply across key jurisdictions, the core compliance requirements every VASP must meet, and how to build a program that holds up to regulatory scrutiny.
TL;DR
- VASPs are entities that exchange, transfer, safekeep, or facilitate financial services around virtual assets on behalf of customers
- AML programs must cover KYC/CDD, enhanced due diligence, transaction monitoring, Travel Rule compliance, SAR filing, and record-keeping — each carrying distinct implementation requirements
- Requirements differ by jurisdiction — US (FinCEN/BSA), EU (MiCA), UK (FCA), and Canada (FINTRAC) each carry distinct rules
- VASPs must perform due diligence on counterparty VASPs, not just on their own customers
- Non-compliance consequences range from billion-dollar fines and license revocations to personal criminal liability for executives
What Is a VASP? Definition, Examples, and Who Qualifies
FATF's 2021 updated guidance defines a VASP as any natural or legal person that conducts one or more of the following activities as a business, for or on behalf of another person:
- Exchange between virtual assets and fiat currencies
- Exchange between one or more forms of virtual assets
- Transfer of virtual assets
- Safekeeping or administration of virtual assets or instruments enabling control over them
- Participation in and provision of financial services related to an issuer's offer or sale of a virtual asset

FATF is the global standard-setter, not a binding regulator, but its guidance directly shapes national legislation worldwide.
Who Qualifies?
Entities that clearly fall within the VASP perimeter include:
- Centralized crypto exchanges (CEXs) that facilitate buy/sell transactions
- Custodial wallet providers that hold private keys on behalf of users
- OTC desks facilitating large off-exchange trades
- Crypto payment processors enabling merchants to accept digital assets
The platform itself isn't what triggers VASP status — the activity does. Owners and operators who conduct exchange or transfer on behalf of customers typically qualify, even if the underlying software doesn't.
DeFi protocols occupy a contested gray area. FATF's position is that operators or developers who retain meaningful control or profit from a platform may qualify as VASPs, regardless of how decentralized the technology appears.
Terminology Varies by Jurisdiction
| Jurisdiction | Term Used | Key Distinction |
|---|---|---|
| FATF (global) | VASP | Baseline definition |
| EU (MiCA) | CASP (Crypto-Asset Service Provider) | Expanded obligations vs. VASP baseline |
| US (FinCEN) | MSB (Money Services Business) | Focused on money transmission activity |
| UK (FCA) | Cryptoasset business | Registration-based framework |
| Canada (FINTRAC) | MSB dealing in virtual currency | Aligned with broader MSB regime |
Note: All CASPs are VASPs by definition, but MiCA imposes additional authorization and conduct requirements that go beyond the FATF baseline — making EU registration a higher bar than most other jurisdictions.
VASP AML Obligations: The Global Regulatory Framework
FATF Recommendation 15 establishes the global baseline: countries must ensure VASPs are licensed or registered and subject to AML/CFT obligations equivalent to those applied to traditional financial institutions. The heavier the money laundering/terrorist financing (ML/TF) risk profile of a VASP's services and customer base, the more demanding the obligations — in practice, this means exchanges and custodians face stricter scrutiny than peer-to-peer platforms.
adding direct EU-level oversight that bypasses member state regulators for the largest players.
UK — FCA Registration
Crypto businesses operating in the UK must register with the Financial Conduct Authority under the Money Laundering Regulations 2017. The FCA expects detailed evidence of AML governance, CDD/EDD procedures, transaction monitoring, SAR processes, sanctions controls, and training programs in every registration application. UK SARs are submitted to the National Crime Agency. CDD and transaction records must be retained for five years after the relationship ends.
Canada — FINTRAC and PCMLTFA
Canadian VASPs are classified as MSBs dealing in virtual currency and must register with FINTRAC under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Obligations include a full AML compliance program, KYC/EDD, Suspicious Transaction Reports (STRs) to FINTRAC, and compliance with the Travel Rule for virtual currency transfers of CAD 1,000 or more. Large virtual currency transaction reports are required for receipts of CAD 10,000 or more.
The Core AML Requirements Every VASP Must Meet
Customer Due Diligence (CDD) and KYC
VASPs must verify customer identity before establishing a relationship — collecting name, date of birth, address, and validating government-issued ID. The FATF CDD threshold for occasional virtual asset transactions is USD/EUR 1,000. Risk-based CDD means verification depth scales with assessed customer risk.
Enhanced Due Diligence (EDD)
EDD is triggered by:
- Customers from high-risk jurisdictions
- Politically Exposed Persons (PEPs)
- Large or complex transaction volumes
- Opaque ownership structures
EDD involves source-of-funds documentation, sanctions and adverse media screening, and heightened ongoing monitoring. Failing to apply EDD where required is one of the most common enforcement triggers in crypto AML cases.

Transaction Monitoring and Ongoing Monitoring
VASPs must continuously monitor customer activity to detect patterns inconsistent with expected behavior — repeated high-value transfers to newly created wallets, activity linked to sanctioned addresses, or unusual layering patterns.
Automated blockchain analytics tools are now a regulatory expectation for on-chain monitoring, per NYDFS guidance. Manual review belongs on escalated alerts — not routine screening.
The Travel Rule
FATF Recommendation 16 requires VASPs to collect and transmit originator and beneficiary information alongside virtual asset transfers above a defined threshold. Required data includes:
- Originator name and account/wallet details
- Originator address, national identity number, or date and place of birth
- Beneficiary name and account/wallet details
Thresholds by jurisdiction: USD/EUR 1,000 (FATF baseline), CAD 1,000 (Canada). The EU's recast Transfer of Funds Regulation applies crypto-asset transfer information rules under a framework that does not replicate the FATF de minimis model.
The Travel Rule is technically and operationally complex: it requires interoperability with counterparty VASPs and Travel Rule-compliant messaging solutions.
Suspicious Activity Reporting and Record-Keeping
When a VASP identifies activity that may involve illicit behavior — structuring, transfers to known illicit wallets, or unusual layering — it must file a report with the relevant financial intelligence unit.
| Jurisdiction | Reporting Body | Report Type | Retention Period |
|---|---|---|---|
| US | FinCEN | SARs | 5 years |
| UK | National Crime Agency | SARs | 5 years |
| Canada | FINTRAC | STRs | 5 years |
| EU | National FIUs | Varies by member state | 5 years (minimum) |
Transaction records, KYC documentation, and due diligence files must be retained for five years after the relationship ends.
Counterparty VASP Due Diligence: The KYC-Your-VASP Obligation
When a VASP's customer sends funds to a wallet held at another VASP, the sending VASP carries exposure to that counterparty's risk profile. FATF's 2021 guidance formalized the expectation that VASPs must perform due diligence on counterparty VASPs before transmitting Travel Rule data. This mirrors the correspondent banking due diligence long required of traditional banks under Recommendation 13.
What to Collect in Counterparty VASP Due Diligence
- Evidence of regulatory registration or licensing
- Jurisdictions of operation
- Adverse media or prior regulatory enforcement history
- Quality of the counterparty's AML/CFT controls — whether they perform KYC, maintain a documented AML policy, or facilitate transactions with high-risk or sanctioned entities
- Transaction volume and exposure data, including any links to illicit activity
How to Apply It
FATF's model is risk-based, not transactional. Screen a counterparty VASP before transacting with it for the first time, then refresh based on risk signals: changes in ownership, jurisdiction, licensing status, adverse media, or unusual transaction behavior. A counterparty operating in a high-risk jurisdiction or offering privacy coins warrants deeper review and tighter controls on the relationship.

Several industry groups are standardizing counterparty VASP questionnaires modeled on the Wolfsberg Group's Correspondent Banking Due Diligence Questionnaire. Purpose-built VASP screening tools now exist as well, cutting the manual workload for compliance teams significantly.
Penalties and Consequences for Non-Compliant VASPs
The enforcement record makes the stakes clear.
| Entity | Year | Penalty | Key Failures |
|---|---|---|---|
| Binance | 2023 | $4B+ (DOJ/FinCEN/OFAC/CFTC) | BSA violations, failure to register as MTB, AML program failures, sanctions violations |
| Coinbase | 2023 | $100M (NYDFS) | Compliance program failures violating NY Banking Law and virtual currency rules |
| BitMEX | 2022 | $100M (DOJ) | Willfully failing to implement and maintain an adequate AML program |
| Kraken | 2022 | $362,158 (OFAC) | Apparent sanctions violations involving services to users in Iran |
| Bitzlato | 2023 | Founder guilty plea | Operating an unlicensed money transmitting business |
Individual Criminal Liability
The BitMEX case made personal criminal exposure concrete. Executives Arthur Hayes, Benjamin Delo, Samuel Reed, and Gregory Dwyer each faced individual charges for BSA violations tied to firm-wide compliance failures. Compliance officers and senior management carry that same exposure — it doesn't stop at the corporate entity.
Secondary Business Consequences
Beyond direct penalties, AML failures trigger cascading effects:
- Loss of banking relationships (de-banking)
- Partner and sponsor bank offboarding
- Investor concerns and due diligence complications
- Reputational damage that can permanently impair operating capacity
- Required retention of independent compliance monitors at company expense
Building a Robust VASP AML Compliance Program
Step 1: Conduct a Jurisdictional Risk Assessment First
Before building any compliance infrastructure, map your services, user base, transaction types, and jurisdictions of operation. This determines which regulatory regimes apply, which licenses or registrations are required, and what the baseline obligations are. Building a compliance program misaligned with actual regulatory exposure is a costly mistake that many early-stage crypto firms make.
Step 2: Build the Four Pillars
Every VASP needs:
- Written AML/CFT policies and procedures: documented, board-approved, and updated as regulatory requirements evolve
- KYC and customer onboarding workflows: covering CDD at onboarding, EDD triggers, and risk-tiered verification processes
- Transaction monitoring framework: defined alert thresholds, escalation paths, SAR/STR filing procedures, and blockchain analytics integration
- Record-keeping system: meeting jurisdiction-specific retention requirements (five years minimum across most key markets)
As transaction volumes scale, these pillars must scale with them. Schedule independent audits at least annually to identify gaps before regulators do.
Each pillar also needs an owner — which brings the next step into focus.
Step 3: Appoint Qualified Compliance Leadership Early
Most jurisdictions require a designated compliance officer with genuine authority and relevant experience:
- US: BSA Officer (FinCEN)
- UK: MLRO — Money Laundering Reporting Officer (FCA)
- Canada: CAMLO — Chief Anti-Money Laundering Officer (FINTRAC)

Regulators verify these individuals are genuinely named, qualified, and empowered — not just listed on an org chart.
For crypto startups and growth-stage companies that cannot yet justify a full-time hire, fractional compliance leadership provides a practical solution. Fraxtional places dedicated directors in named CCO, MLRO, CAMLO, and BSA Officer roles — delivering embedded, accountable leadership on a monthly retainer basis.
The team holds ACAMS, Certified Bitcoin Professional, and Certified Ethereum Professional credentials, and covers FinCEN, FCA, FINTRAC, and MiCA frameworks across the US, UK, Canada, and EU. The model satisfies regulatory expectations for qualified oversight without the cost of a full-time executive hire.
Frequently Asked Questions
What does VASP stand for?
VASP stands for Virtual Asset Service Provider — a term introduced by FATF to describe any entity that conducts exchange, transfer, safekeeping, or financial services around virtual assets such as cryptocurrency on behalf of customers.
What is VASP compliance?
VASP compliance refers to the legal and regulatory obligations a VASP must meet to operate lawfully — including registration, a written AML/KYC program, transaction monitoring, Travel Rule adherence, SAR filing, and record-keeping. Failing to meet these obligations exposes the business and its executives to enforcement action.
What are the requirements for a VASP?
Core requirements cover two areas: registration or licensing with the relevant national authority (FinCEN in the US, FCA in the UK, FINTRAC in Canada, or national regulators under MiCA in the EU); and a written AML program covering KYC/CDD, EDD, transaction monitoring, SAR filing, and record retention.
What is an example of a VASP?
Common examples include:
- Centralized exchanges where users buy and sell Bitcoin or other digital assets
- Custodial wallet providers that hold private keys on behalf of users
- OTC desks facilitating large off-exchange crypto trades
- Crypto payment processors enabling businesses to accept digital asset payments
What is the Travel Rule for VASPs?
The Travel Rule (FATF Recommendation 16) requires VASPs to collect and pass originator and beneficiary information — name, account or wallet details, and in some cases physical address — to the receiving VASP for transfers above a jurisdictional threshold, typically USD/EUR 1,000.
Is DeFi subject to VASP regulations?
Decentralized applications themselves are not classified as VASPs under FATF standards. However, owners, operators, or developers who deploy and profit from a DeFi platform that facilitates virtual asset exchange or transfer on behalf of others may qualify as VASPs. Regulators in the US, EU, and UK have each issued guidance signaling closer examination of these arrangements.


