EST · MMXXVI
Home/Insights/Guides/How to Build Economic Substance for a Licensed VASP
Licensing & Registration

How to Build Economic Substance for a Licensed VASP

How to Build Economic Substance for a Licensed VASP. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk to OBOLUS

How to Build Economic Substance for a Licensed VASP

Operating a virtual asset service provider (VASP) without genuine economic substance in its licensed jurisdiction is one of the most common – and most costly – structural errors we see in cross-border digital-asset businesses. Regulators across every major hub now scrutinize whether a VASP licence reflects real operational presence or merely an address on a registration form. Getting this wrong risks enforcement action, revocation of regulatory authorisation, and the loss of banking relationships that took months to build. This guide walks through each step of building defensible economic substance, the regulatory basis for each requirement, the cross-border complications that arise in practice, and the mistake most operators make at each stage.

The process above describes the standard path. Your facts – the entity, the user base, the banking – change the analysis. For a scoped assessment of your substance position, contact OBOLUS at Map your options.

What Economic Substance Actually Means for a VASP

Economic substance, in the context of a VASP registration or crypto licence, means that the licensed entity conducts genuine, ongoing business activity in the jurisdiction that granted the licence – not merely a mailbox, a nominee director, and a shelf company. Every flagship regime now articulates this expectation, whether through mind-and-management tests, local-staff requirements, office mandates, or governance rules that require key decisions to be made on-site.

The regulatory basis differs by regime. Under MiCA, the European Union's Markets in Crypto-Assets Regulation administered by ESMA and national competent authorities, a CASP (Crypto-Asset Service Provider) authorisation is granted to an entity that genuinely operates from its home member state. The passporting benefit – the ability to serve clients across the EU and EEA from a single authorisation – is contingent on that home-state substance. VARA in Dubai requires that a licensed VASP maintain physical premises, qualified local staff, and management capable of making real decisions. MAS in Singapore, under the Payment Services Act, has made clear that Digital Payment Token service providers must not be shell vehicles.

The cross-border reality complicates this immediately. A VASP may be licensed in one jurisdiction, have its technology infrastructure in a second, hold user funds through a custodian in a third, and generate the majority of its revenue from users in a fourth. Each of those overlapping footprints can trigger independent regulatory obligations. Substance must be built at the licensed-entity level – it cannot be borrowed from an affiliate or a parent.

The common mistake at this step: conflating the business group's overall activity with the licensed entity's activity. A regulator examining substance will look at the entity on the licence, not the group.

Step 1 – Establish a Governance Structure the Regulator Can Actually Examine

The first substantive step is establishing a board and senior management structure that makes real decisions in the licensed jurisdiction – not one that rubber-stamps decisions already made offshore. This means identifying individuals who are resident or regularly present in the jurisdiction, hold appropriate qualifications or experience for fit-and-proper assessment, and have genuine authority over material business decisions.

VARA's rulebooks require licensed virtual asset businesses to have management that can be held accountable locally. The FCA's Senior Managers and Certification Regime (SMCR) – which applies to cryptoasset businesses registered under the Money Laundering Regulations in the United Kingdom – operates on similar accountability logic: named individuals must be responsible for named functions, and those individuals must be identifiable and approachable by the regulator. AFSA within the AIFC in Kazakhstan applies comparable senior-management accountability requirements to digital-asset trading facilities.

The cross-border note here is significant. If the VASP's ultimate controlling mind sits in a jurisdiction that has no licensing requirement – or a weaker one – the licensed-entity directors can become liability-holders for decisions they did not in fact make. Regulators increasingly ask for evidence of board-level deliberation: board minutes, attendance records, and documented decision rationales.

The common mistake: appointing nominee directors who do not attend meetings, do not review materials, and cannot answer basic questions about the business if contacted by the regulator. This is not substance. It is a red flag.

Step 2 – Secure a Physical Presence That Withstands Regulatory Inspection

A licensed VASP must maintain a registered office and, in most leading regimes, a place of actual business – not a virtual office or a shared coworking seat used once a quarter. The distinction matters: a registered address satisfies company law but does not satisfy the substance requirements of a VASP regime.

VARA makes this explicit for Dubai-licensed entities: the licensed activity must be conducted from premises in Dubai. The FSRA under ADGM has analogous expectations for entities holding regulated virtual-asset permissions in Abu Dhabi. MAS has communicated informally and through guidance that Digital Payment Token licensees are expected to have genuine operational presence in Singapore, not merely a representative office.

For the cross-border operator, the question is whether the licensed jurisdiction needs to be the primary operational hub or whether a credible secondary presence will suffice. In our practice, we see regulators increasingly willing to accept a structure where core product and technology functions sit outside the licensed jurisdiction – but compliance, governance, and client-facing functions must be anchored locally. The line is not always bright, and it varies by regime.

The common mistake: renting an impressive office, fitting it out, then operating the business entirely from another country. Regulators send inspectors. They look for occupied desks, working computers, and staff who answer the door.

Step 3 – Hire Qualified Local Staff in the Functions That Regulators Scrutinize

Substance is personnel-intensive. Most flagship VASP regimes require, at minimum, a locally-based compliance officer and a money-laundering reporting officer (MLRO) who can be contacted and held accountable by the relevant regulator. Many regimes add requirements for a locally-resident chief executive or country head, a locally-based risk officer, and – where custody or exchange functions are licensed – additional operational staff.

Under MiCA, a CASP authorisation requires that the applicant demonstrate to the national competent authority that its management body has appropriate knowledge, skills, and experience. The expectation is that this management operates from the licensed entity, not from a group holding company in a lower-regulation jurisdiction. The BVI's VASP Act 2022, administered by the BVI Financial Services Commission, similarly requires VASPs to have persons responsible for AML/CFT compliance who are resident and identifiable.

The cross-border complication: sourcing qualified staff in smaller or newer licensing jurisdictions can be operationally difficult. A CASP in a smaller EU member state, for instance, may struggle to hire experienced compliance professionals locally. The solution we see operators use is a combination of locally-contracted staff supported by a cross-border compliance function that documents the decision-making chain clearly. The local staff must hold genuine authority, not merely sign off on decisions made elsewhere.

The common mistake at this step: listing group employees as the VASP's compliance officers without formalizing a contractual relationship with the licensed entity itself, paying them from the licensed entity's payroll, and documenting their authority. Regulators examine employment contracts, payroll records, and organisational charts. Informal arrangements do not survive inspection.

The FATF Recommendations, including Recommendation 15 on virtual assets and the Travel Rule – the obligation to pass originator and beneficiary data alongside a transfer – require that a VASP's AML/CFT function is effective and accountable. An MLRO who is technically employed by a foreign affiliate cannot meaningfully satisfy that accountability to the local regulator.

Step 4 – Demonstrate That the Licensed Activity Is Actually Conducted from the Entity

Substance is not only about who sits in the office. It is about which entity enters into client agreements, which entity holds client money or assets, which entity earns the fee income, and which entity bears the regulatory risks. Each of these must track to the licensed entity if the licence is to be substantively valid rather than nominally held.

In our cross-border practice, we regularly advise on the structural step that many operators underestimate: ensuring that contractual flows match the substance claim. If the VASP licence is held by Entity A but client agreements, fee income, and custody flows run through Entity B (which is either unlicensed or licensed elsewhere), the regulator of Entity A will view Entity A as a shell. This is not merely a technical compliance issue. It creates a risk of enforcement under whichever regime governs Entity B's activity – and depending on that regime, Entity B may need its own crypto licence or VASP registration independently.

The cross-border note: a group of entities serving different geographies may legitimately hold separate licences in separate jurisdictions. But the contractual and financial flows must match the regulatory footprint. A VARA-licensed entity in Dubai serving European clients through EU-facing agreements will face MiCA scrutiny. A MAS-licensed DPT service provider whose operational substance is wholly in a jurisdiction outside Singapore will face MAS scrutiny.

The common mistake: building the revenue recognition in a low-tax holding entity while the regulated entity earns only nominal fees or intragroup charges. This arrangement almost always fails both the substance test for the VASP licence and the substance requirements that tax authorities in leading jurisdictions now impose on digital-asset businesses.

Step 5 – Build an AML/CFT Infrastructure That Is Owned, Operated, and Accountable at the Licensed Entity

Every major VASP regime requires a documented, risk-based AML/CFT framework. Under the FATF Recommendations – specifically Recommendation 15 – VASPs are obligated to implement controls calibrated to the specific risks of the virtual-asset activity they conduct. This is not a group compliance policy filed at a parent holding company. It is an entity-level obligation.

The practical requirements include a business risk assessment specific to the licensed entity's activity, customer due diligence (CDD) procedures applied by staff of that entity, transaction monitoring calibrated to the entity's product and user base, a Travel Rule solution that processes originator and beneficiary data for applicable transfers, suspicious activity reporting filed by the entity's MLRO, and periodic independent audits of the AML/CFT function.

The cross-border complication is acute. A VASP serving users across multiple jurisdictions faces Travel Rule obligations that differ by jurisdiction in their data thresholds and in which transactions they catch. The FATF standard sets a baseline, but each regime implements it with variations. A VARA-licensed entity sending transfers to Singapore-based counterparties must satisfy both VARA's Travel Rule expectations and those of MAS. Operators we advise routinely discover that their Travel Rule solution is configured for one regulatory environment and is non-compliant in at least one other jurisdiction in which they operate.

The common mistake: licensing the AML software at group level and giving the regulated entity read-access rather than operational ownership. This means the regulated entity cannot produce its own records under inspection without involving the group – a disclosure gap that regulators treat as a control failure.

Step 6 – Structure Banking and Financial Flows Through the Licensed Entity

No substance argument survives if the licensed entity cannot open and maintain bank accounts in its licensed jurisdiction. Banking for VASP licences is among the most structurally complex elements of building a compliant operation, and it is the point at which many well-structured licensing applications break down in practice.

Banking for a VASP requires, at minimum, operating accounts for the licensed entity's own funds, and – where the regime requires it – segregated client-money accounts or equivalent custodial arrangements. VARA, MAS, and the FSRA under ADGM each impose specific expectations about how client assets are held and segregated from the operator's own funds. A CASP under MiCA is subject to European Banking Authority guidance on safeguarding.

The cross-border note: a bank in the licensed jurisdiction may require the VASP to demonstrate local substance before opening an account – creating a circular dependency where substance requires banking and banking requires evidence of substance. In our practice, we address this by sequencing the substance build before the banking application and by preparing a clear substance memorandum that the entity's management can present to prospective banking partners. We have seen operators attempt to shortcut this by using a payment institution account in a different jurisdiction as the licensed entity's primary banking channel. This approach consistently draws regulatory attention and often results in follow-on questions about whether the entity's financial activity is genuinely conducted from the licensed jurisdiction.

The common mistake: assuming that because a group has a banking relationship somewhere, that relationship will extend to the new licensed entity without additional due diligence. Banks treat each regulated entity as a separate onboarding subject.

If a prior application stalled or an account was closed, a second read can surface the structural reason and the route back. Contact OBOLUS at Map your options.

Step 7 – Document the Substance Position and Test It Before the Regulator Does

The final step – and the one most frequently omitted – is conducting a formal substance review before the regulator conducts its own inspection or periodic supervision review. A documented substance position is a defensible substance position.

A substance file should include: the licensed entity's organisational chart with reporting lines and employment relationships, a schedule of board and management meetings with attendance records, a description of physical premises with evidence of occupancy, a record of the regulated activity conducted by the entity (agreements executed, transactions processed, revenues earned), the entity-level AML/CFT framework and audit reports, the entity's banking arrangements, and evidence of the Travel Rule solution operating at entity level.

In a recent licensing support matter, a payments company that had held a VASP registration in a major EU jurisdiction for over a year was alerted by its national competent authority that its substance position would be reviewed as part of the MiCA transition process. We were engaged to conduct a gap analysis. The exercise identified three structural gaps: the licensed entity's board meetings were held outside the jurisdiction and not documented; the MLRO was employed by the group rather than the entity; and client agreements named a different group entity rather than the licensed VASP. Each gap was remediable, but remediating all three required structural changes to be completed under a defined timeline agreed with the regulator. Earlier, proactive review would have identified and addressed these gaps before they became a supervised compliance issue.

The cross-border note: in a multi-jurisdiction group, substance reviews for each licensed entity should be staggered to avoid operational disruption. Regulators in different jurisdictions may conduct supervision cycles on different schedules, and a finding in one jurisdiction can prompt enquiries in others where the group is also licensed.

The common mistake: treating substance as a one-time act – something established at the point of authorisation and never revisited. Substance must be maintained, documented, and periodically tested. Regulatory authorisation is not a static achievement.

Related at OBOLUS

FAQ

How long does a crypto licence take to obtain?

Timelines vary considerably by jurisdiction and by the complexity of the application. Some registration-based regimes process applications within a matter of weeks; full authorisation under a more demanding regime – such as MiCA CASP authorisation or a MAS Digital Payment Token licence – typically takes several months from submission of a complete application. Pre-application engagement with the regulator, the completeness of the substance file, and the regime's own supervisory workload all affect the timeline.

Which jurisdiction is best for licensing my crypto business?

There is no single answer. The right jurisdiction depends on where your users are, which activities you conduct, where you can build genuine substance, and where your banking partners operate. A VARA licence in Dubai, a MiCA CASP authorisation in an EU member state, a MAS DPT licence in Singapore, and an ADGM permission under FSRA each suit different operator profiles. The appropriate analysis starts with the business model and works outward to the licence – not the other way around.

Do I need a separate custody licence?

In most flagship regimes, custody of client virtual assets is a regulated activity that requires explicit authorisation – either as a standalone permission or as a named activity within a broader VASP licence. Under MiCA, custody and administration of crypto-assets on behalf of clients is one of the defined CASP activities requiring authorisation. VARA, MAS, and ADGM each treat custody as a separately permissioned function. Whether your structure requires a separate licensed custodian entity or whether custody can sit within a single licensed entity is a question that turns on the regime and the volume and nature of assets held.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across more than 70 jurisdictions, on disputes and on-chain asset recovery across more than 25 forums, and on the tax, banking and compliance obligations that sit around them. We map the licence stack across operating, custody and payment layers before you commit – so the structural gaps are identified before the regulator finds them. Digital assets are the whole of our practice. To discuss your substance position or your licensing structure, contact info@oboluslaw.com or message us at t.me/oboluslaw.

By Aisha Tan, Licensing & Jurisdictions Analyst – specialist in multi-jurisdictional VASP licensing, CASP authorisation processes, and the substance requirements that regulators enforce in leading digital-asset hubs.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours