
Introduction
Many crypto exchanges, wallet custodians, and payment processors are operating as regulated entities without knowing it. The designation is "Virtual Asset Service Provider" — and it carries enforceable compliance obligations equivalent to those of traditional financial institutions.
The challenge is that VASP status isn't always obvious. Many fintech platforms and embedded finance companies qualify without realizing it — and regulators aren't waiting for businesses to figure it out. Binance's $4+ billion DOJ resolution and Coinbase's $100 million NYDFS penalty are reminders that enforcement is real and substantial.
Understanding your VASP status before regulators do is the starting point. This guide covers the FATF definition of a VASP, which business models qualify, the global regulatory frameworks that apply, and the core AML/KYC requirements companies must meet, giving you a practical foundation for understanding where your obligations begin.
TLDR
- A VASP is any entity that exchanges, transfers, or safeguards virtual assets on behalf of users, a FATF-established definition that triggers AML/CFT obligations.
- Crypto exchanges, custodial wallet providers, OTC desks, and crypto ATM operators all qualify.
- VASPs must implement KYC, transaction monitoring, SAR filing, and record-keeping programs equivalent to those of banks.
- Rules vary by jurisdiction: FinCEN/BSA governs the US, FCA/MLRs the UK, and MiCA the EU.
- Non-compliance carries real costs: fines, license revocation, and termination of banking relationships.
What Is a Virtual Asset Service Provider?
The FATF Definition
FATF's Updated Guidance defines a VASP as any natural or legal person who, as a business, conducts one or more of the following for or on behalf of another person:
- Exchange between virtual assets and fiat currencies
- Exchange between one or more forms of virtual assets
- Transfer of virtual assets
- Safekeeping and/or administration of virtual assets
- Participation in financial services related to an issuer's offer or sale of a virtual asset

"Virtual assets" covers digital representations of value that can be traded, transferred, or used for payment or investment — including Bitcoin, Ether, stablecoins, certain NFTs, and governance tokens. Fiat currencies and central bank digital currencies are explicitly excluded.
Why the Designation Matters
VASP status moves a company from "unregulated technology provider" to regulated financial entity. That means the same AML/CFT (Counter-Financing of Terrorism) framework that governs banks now applies to you — including:
- Customer due diligence (KYC/CDD) on all users
- Suspicious activity reporting (SARs) to regulators
- Documented AML/CFT compliance program requirements
A Common Misconception
Building software that interacts with virtual assets does not automatically make a company a VASP. It's the provision of services on behalf of customers — exchange, transfer, custody — that triggers the designation.
A non-custodial wallet developer that only sells software typically falls outside the VASP definition. A company that holds keys and moves funds on behalf of users does.
The EU uses a different term: the MiCA regulation calls these entities CASPs (Crypto Asset Service Providers) rather than VASPs. The core activities overlap — exchange, transfer, and custody — but MiCA adds a distinct authorization and conduct framework specific to the EU market.
Types of VASPs and Real-World Examples
Who Qualifies
| Business Model | Example | Why It Qualifies |
|---|---|---|
| Cryptocurrency exchanges | Coinbase, Kraken | Exchange crypto for fiat and crypto-to-crypto |
| Custodial wallet providers | BitGo, exchange wallets | Hold private keys on behalf of users |
| OTC desks & payment processors | B2B crypto payment platforms | Facilitate large or merchant-facing transfers |
| Crypto ATM operators | Bitcoin ATM networks | Enable cash-to-crypto and crypto-to-cash |
| Crypto hedge funds & asset managers | Pooled digital asset funds | Manage virtual assets on behalf of clients |

Who Typically Doesn't Qualify
- Non-custodial wallet software developers — if they only provide software without holding or transmitting assets
- DeFi protocol developers — in most jurisdictions, the software itself isn't a VASP, though creators who maintain control over a protocol may qualify
- Users trading for their own account — personal investing isn't a business service to others
That said, DeFi is an evolving area. FATF has stated that creators or operators who maintain "sufficient control or influence" over a DeFi arrangement could be treated as VASPs. Always conduct jurisdiction-specific analysis before assuming non-VASP status.
The Unexpected VASP Problem
Many fintech companies — particularly embedded finance platforms and banks offering crypto on-ramp features or stablecoin wallets — qualify as VASPs without realizing it until regulators ask. If your business touches virtual assets on behalf of customers in any of the five ways above, determining VASP status should happen before launch, not after a regulatory inquiry.
The VASP Regulatory Landscape: FATF, MiCA, and Beyond
FATF as the Global Foundation
FATF Recommendation 15 established the global standard: countries must ensure VASPs are licensed or registered, supervised, and subject to the same financial crime controls as traditional financial institutions. FATF has 40 member jurisdictions, but its 2024 targeted update found that 75% of jurisdictions were only partially compliant or non-compliant with VASP-specific requirements — a significant implementation gap.
The Travel Rule
FATF Recommendation 16 requires VASPs to collect and transmit originator and beneficiary information for virtual asset transfers above $1,000/€1,000. By 2025, FATF reported 99 jurisdictions had passed or were passing Travel Rule legislation — but implementation remains uneven.
One practical friction point: the US applies a higher threshold of $3,000 under 31 CFR 1010.410. That mismatch with the FATF standard is something global VASPs must manage jurisdiction by jurisdiction.
US Framework
The US has no single federal VASP license. Applicable requirements depend on what services you offer:
- FinCEN/BSA: Most VASPs that transmit virtual assets must register as Money Services Businesses (MSBs) under the Bank Secrecy Act
- SEC: Applies if the digital asset qualifies as a security under the Howey investment contract test
- CFTC: Virtual currencies like Bitcoin are treated as commodities, giving the CFTC derivatives jurisdiction and anti-fraud authority in spot markets
- NYDFS BitLicense: Required for any entity conducting virtual currency business activity in New York
EU and UK Frameworks
EU: The Fifth AML Directive (5AMLD) brought crypto exchanges and custodial wallet providers under national AML registration requirements. MiCA, adopted May 2023, replaced that patchwork with a single CASP licensing regime — one authorization that works across all 27 member states. Stablecoin provisions applied from June 2024. Most CASP licensing requirements followed in December 2024, with a transitional period extending to July 2026 for firms already operating under national law.
UK: Post-Brexit, VASPs must register with the FCA under the Money Laundering Regulations and demonstrate adequate AML/CTF controls. FCA registration is a legal requirement — not optional.
The Cost of Getting It Wrong
Regulators are actively enforcing. Recent examples:
- Binance (2023): DOJ resolution totaling over $4 billion; FinCEN assessed a $3.4 billion civil money penalty
- Coinbase (2023): NYDFS consent order — $50 million civil penalty plus $50 million compliance remediation investment
- KuCoin (2025): Guilty plea for unlicensed money transmission; penalties exceeding $297 million
- BitMEX (2025): $100 million fine for willfully failing to implement an adequate AML program

These aren't edge cases — they reflect sustained enforcement pressure across every major jurisdiction. For VASPs operating across the US, EU, and UK, the compliance burden is real and the cost of delay is measurable.
Core AML/KYC Compliance Requirements for VASPs
Customer Due Diligence (CDD)
VASPs must verify customer identity before establishing a business relationship. Standard CDD involves:
- Collecting name, date of birth, and address
- Verifying identity against official documents
- Assessing the customer's risk profile
Higher-risk customers — politically exposed persons (PEPs), high-volume users, customers from elevated-risk jurisdictions — require Enhanced Due Diligence (EDD), which can include source-of-funds documentation and additional screening.
Ongoing Transaction Monitoring
KYC at onboarding isn't enough. VASPs must continuously monitor customer activity for anomalies, including:
- Structuring patterns designed to avoid reporting thresholds
- Rapid fund movement across newly created wallets
- Transfer patterns consistent with known layering typologies
- Sudden activity inconsistent with the customer's profile
Blockchain analytics tools now support this function, providing transaction tracing and risk scoring at scale.
Suspicious Activity Reporting
When a VASP identifies transactions potentially involving illicit activity, it must file a Suspicious Activity Report (SAR) in the US, or a Suspicious Transaction Report (STR) in many other jurisdictions. Two rules govern every filing:
- File when the transaction meets the threshold for suspicion — don't wait for certainty
- Never "tip off" the customer that a report has been filed
US MSB rules require five-year retention of SAR records and supporting documentation.
Record Keeping
VASPs must retain customer identity records, transaction details, and due diligence documentation for legally mandated periods. The EU's AMLD sets a five-year retention requirement post-relationship; the UK MLRs mirror this. Regulators typically expect production within days — not weeks — so retrieval workflows matter as much as storage.
AML Program and Governance
Regulators expect a formal, written AML program that includes:
- A designated compliance officer (BSA Officer in the US, MLRO in the UK, CAMLO in Canada)
- Documented policies and procedures
- Ongoing staff training
- Independent testing and audit
The compliance officer role carries personal liability in many jurisdictions, and regulators expect a genuinely qualified individual with real authority — not a nominal title holder.
Building a VASP Compliance Program That Works
The Core Components
A compliance program that satisfies regulatory expectations should include:
- Written AML/BSA policy — documented, current, and specific to the business model
- Qualified compliance officer — named, authorized, and accountable
- Risk-based CDD framework — tiered by customer and product risk
- Transaction monitoring procedures — automated where possible, with documented escalation paths
- SAR/STR filing process — clear triggers, filing workflows, and non-disclosure controls
- Travel Rule solution — where required, with inter-VASP data-sharing capability
- Independent testing — periodic third-party audit of the program's effectiveness

Regulators increasingly expect programs to be proportionate to the company's actual risk profile. A copy-pasted policy from another company's filing won't survive scrutiny.
The Compliance Officer Challenge
Hiring a full-time CCO, BSA Officer, or MLRO at the director level can cost $25,000+ per month in base compensation alone — beyond reach for most seed- or early-stage VASPs. Yet regulators won't accept a junior employee in the role.
That gap is where a fractional model makes practical sense. Fraxtional provides director-level CCO, BSA Officer, CAMLO, and MLRO services to crypto and fintech companies, with the compliance officer formally named in regulatory filings and representing the business to regulators, auditors, and banking partners. The cost is significantly less than a full-time hire — with the qualified leadership regulators actually expect.
Two recent examples show what that looks like in practice. A crypto lending platform engaged Fraxtional to remediate its AML framework ahead of a sponsor bank review and cleared the review faster than anticipated. When a crypto wallet provider found documentation gaps during bank onboarding, those issues were resolved within days — avoiding a delay that could have stalled the partnership.
Compliance as a Business Enabler
A well-documented, independently tested compliance program isn't just a regulatory checkbox — it's a prerequisite for growth. Sponsor banks and institutional investors conduct pre-deal compliance reviews, and a program with gaps will stall those relationships.
For VASPs at any growth stage, compliance readiness directly affects timelines and outcomes across:
- Banking access — sponsor bank due diligence requires a defensible, documented program
- MTL licensing — state regulators scrutinize program maturity before issuing or renewing licenses
- Institutional capital — PE and Series A/B investors run compliance reviews before closing
Fraxtional's team holds CAMS, Certified Bitcoin Professional, and Certified Ethereum Professional credentials, with direct experience building VASP programs under FinCEN, NYDFS BitLicense, FATF, and international regulatory frameworks.
Frequently Asked Questions
What is a virtual asset service provider?
A VASP is any entity that, as a business, exchanges, transfers, or safeguards virtual assets on behalf of customers. The definition comes from FATF and brings these businesses under the same AML/CFT framework as traditional financial institutions.
What is an example of a virtual asset service provider?
Common examples include cryptocurrency exchanges (Coinbase, Kraken), custodial wallet providers, crypto ATM operators, OTC desks, and crypto payment processors — any business that manages or moves digital assets on behalf of users.
Are VASPs required to be licensed or registered?
Yes, in most major jurisdictions. In the US, VASPs typically register with FinCEN as MSBs. In the UK, FCA registration under the Money Laundering Regulations is required. In the EU, MiCA now governs CASP licensing. Exact requirements depend on the services offered and the jurisdictions where the business operates.
What is the FATF Travel Rule and how does it affect VASPs?
The Travel Rule requires VASPs to collect and transmit originator and beneficiary information for virtual asset transfers above a threshold (typically $1,000/€1,000). This creates data-sharing obligations between VASPs comparable to bank wire transfer rules, and requires compatible technical infrastructure on both sides of each transaction.
What is the difference between a VASP and a CASP?
"VASP" is the FATF term used globally for AML/CFT purposes. "CASP" is the EU MiCA term. They describe broadly similar entities, but MiCA's CASP framework creates specific authorization, conduct, and consumer protection requirements that go beyond AML obligations alone.
What happens if a VASP fails to meet AML/KYC requirements?
Regulators can impose significant fines, revoke operating licenses, or issue cease-and-desist orders. Beyond formal enforcement, non-compliance routinely leads to de-banking, lost institutional partnerships, and reputational damage that's hard to undo.


