Operating a digital-asset business without understanding the regulated perimeter is not a theoretical risk. It is the reason exchanges lose banking, custodians face enforcement, and token issuers receive stop orders after years of quiet operation. The question is not whether your activity looks like a financial service. It is whether it is one under the applicable regime – and in most jurisdictions, regulators are now answering that question aggressively. This analysis maps the boundary, examines how leading regimes draw it, and gives operators a clear diagnostic for where their activity sits.
Across MiCA, VARA, the MAS Payment Services Act and the FCA money-laundering registration regime, the defining question is consistent: does the activity involve custody, transfer, exchange, or the provision of services in relation to digital assets on behalf of a third party? If yes, a licence or registration is almost certainly required. The precise scope, the entity perimeter, and the cross-border reach differ by regime – but the threshold principle is stable.
The sections below work through the analysis jurisdiction by jurisdiction, examine the common structural mistakes operators make, and set out a decision matrix for the most typical operator profiles.
What Is the Regulated Perimeter, and Why Does It Keep Moving?
The regulated perimeter is the line a regulator draws between activity that requires authorisation and activity that does not. For digital assets, that line is defined by a combination of the activity performed, the asset type involved, and – critically – who bears the risk of the asset on whose behalf.
The perimeter has expanded materially since 2019. FATF's Recommendation 15 applied anti-money-laundering and counter-terrorism-financing obligations to virtual asset service providers (VASPs) – entities that conduct virtual asset transfers, exchange, or administration for or on behalf of a customer. That standard flowed into national law across the major hubs, and then MiCA layered a full authorisation regime on top of it across the European Union. The result: activity that was unregulated five years ago now sits squarely inside the perimeter in most jurisdictions where digital-asset businesses want to operate.
Two forces drive continued expansion. First, regulators look at function, not form. A wallet provider that holds keys is a custodian. A DeFi front-end that routes user trades through smart contracts may be an exchange. A staking-as-a-service platform that accepts customer assets and controls validator keys may fall under ESMA's guidance on custody of crypto-assets under MiCA. Second, the Travel Rule (the obligation to pass originator and beneficiary data with a virtual-asset transfer) triggers independent compliance obligations the moment a VASP sends or receives a transfer on behalf of a customer – regardless of whether any licence application is pending.
In our practice, operators most frequently cross the perimeter without realising it when they add a feature – a custody wallet, a swap function, a yield product – to what they considered a software platform. Each addition is a separate regulatory event that must be assessed.
How Do Leading Regimes Define the Licensing Trigger?
Each major regime names a set of regulated activities; once an operator performs one of those activities above a de-minimis threshold, the licence obligation attaches. The categories are substantively convergent, though the labels and thresholds differ.
Under MiCA, the regulated activities for a CASP (crypto-asset service provider) include custody and administration, operation of a trading platform, exchange against fiat or other crypto-assets, execution of orders, placing of crypto-assets, reception and transmission of orders, providing advice, and portfolio management. The whitepaper regime separately covers issuers of ARTs (asset-referenced tokens) and EMTs (e-money tokens), imposing its own authorisation obligations on those issuers regardless of whether they also provide services. ESMA has issued guidance on how the activity categories should be applied, and national competent authorities are implementing enforcement accordingly.
Under VARA in Dubai, the trigger is performing any of eight defined virtual-asset activities – advisory services, broker-dealer services, custody services, exchange services, lending and borrowing services, management and investment services, and virtual-asset issuance – for or in connection with virtual assets. VARA's activity-based architecture means a business must identify every service line and licence each separately.
Under the MAS Payment Services Act, the critical trigger for digital-asset businesses is providing digital payment token (DPT) services – specifically, dealing in, facilitating the exchange of, or transferring DPTs. The licence tier (standard payment institution or major payment institution) turns on transaction volume thresholds, which the Payment Services Act specifies and MAS may update.
Under the FCA regime in the UK, a business that carries on cryptoasset activity as defined under the Money Laundering Regulations must register with the FCA, even if the activity does not engage the Financial Services and Markets Act authorisation requirement. The FCA's financial-promotion rules additionally apply to communications that invite engagement with cryptoassets – a separate trigger that catches marketing functions as well as operational ones.
The cross-border reality is that a business may trigger two or three of these regimes simultaneously. An exchange incorporated in an EU member state, serving UK users and settling through a Singapore-based liquidity provider, faces MiCA CASP authorisation, FCA registration, and a MAS analysis – all at once.
Does It Matter What Kind of Crypto-Asset Is Involved?
Asset classification is a threshold question that can change the entire regulatory outcome. The same transaction – a transfer of value using a digital token – may fall under securities law, e-money regulation, a dedicated crypto-asset regime, or none of them, depending on what the token actually is.
The foundational principle across all major regimes is substance over label. A token called a "utility coin" that confers rights to revenue, profit participation, or governance over a protocol generating income will be assessed against the economic substance of those rights – not the marketing description. Under MiCA, the relevant categories are ARTs, EMTs, and "other crypto-assets" (a residual category that captures most utility and payment tokens not caught by the first two). Securities tokens – tokens that qualify as financial instruments under EU law – fall outside MiCA and into the existing securities regulatory regime. That exit from MiCA is not a regulatory haven; it typically means a stricter and more capital-intensive authorisation path.
Under FINMA's token taxonomy in Switzerland, the categories are payment tokens, utility tokens, and asset tokens. Payment tokens used for transfer of value trigger anti-money-laundering obligations immediately. Asset tokens – tokens representing a claim on an issuer or asset – trigger securities-law analysis. The practical consequence is that a single token with mixed characteristics may engage multiple frameworks simultaneously.
In our cross-border practice, we see this issue most acutely with governance tokens issued by DeFi protocols that later introduce fee-sharing mechanisms. At issuance, the token may have been a genuine utility instrument. After the fee mechanism activates, it may be an asset token under at least one of the regimes where the protocol's users are located. The regulatory analysis must be repeated every time the token's economic structure changes materially.
The FCA has taken an expansive view of what constitutes a "specified investment" for purposes of financial promotions. A business that issues or markets a token with any investment-like characteristic in the UK must assess the promotion rules before publishing any communication – including on social media – or risk enforcement for unauthorised financial promotion.
Why the AML and Travel Rule Layer Is Independent of Licence Status
A business that concludes it falls outside the regulated perimeter for licensing purposes may still be fully inside the perimeter for AML/CFT compliance – and the obligations are not light. The Travel Rule, derived from FATF Recommendation 16 as applied to virtual assets, requires that a VASP transmitting a virtual-asset transfer on behalf of a customer collects and transmits specified originator and beneficiary information alongside the transaction. The precise data fields, the de-minimis threshold below which the obligation does not apply, and the mechanism for peer VASP identification each vary by jurisdiction, but the core obligation is now embedded in the law of every significant hub.
The practical difficulty is dual. First, a business must determine whether it is a VASP for Travel Rule purposes – a classification that can arise even where the business has not obtained and does not believe it needs a licence. Second, even a properly licensed VASP faces the sunrise problem: the Travel Rule cannot function as designed if the counterparty VASP is not also Travel Rule-compliant. Operators in our practice routinely face the question of what to do when a transfer is destined for a jurisdiction where no compliant Travel Rule solution is deployed.
KYC (know-your-customer) obligations attach the moment an AML regime applies. A KYC framework for a crypto business must address customer onboarding, ongoing due diligence, enhanced due diligence for higher-risk customers, and – under most major regimes – source-of-funds and source-of-wealth analysis for larger transactions. Transaction monitoring – the automated and manual review of transaction patterns for AML red flags – is a separate obligation that most regimes impose explicitly, and it must be calibrated to the specific risk profile of the business's customer base and product set.
In a recent compliance review, a payment-infrastructure business had correctly concluded that its core transfer activity was outside the licensing perimeter for financial services purposes in its home jurisdiction. It had not, however, registered as a VASP under the AML regime – a separate register maintained by the financial intelligence unit. The distinction was material: the business faced retroactive penalty exposure for the period of unregistered operation, even though no licence had ever been required.
For a scoped assessment of your AML perimeter position – whether you are a VASP for Travel Rule purposes, what your KYC framework must cover, and where transaction monitoring gaps create enforcement exposure – contact OBOLUS at info@oboluslaw.com. The analysis above describes the standard path. Your facts – the entity structure, the user base, the asset types, the banking rails – change the outcome, and a generic read is rarely sufficient. Map your options.
What Makes the Cross-Border Position the Most Dangerous Blind Spot?
Most enforcement failures we see in cross-border digital-asset businesses are not failures of regulatory knowledge. They are failures of regulatory mapping. An operator who understands MiCA perfectly may still be non-compliant if its UK users trigger FCA registration, its Singapore settlement leg triggers MAS licensing, or its marketing into the UAE triggers VARA's regime for virtual-asset activities directed at residents.
The jurisdictional trigger varies by regime. Some regimes (MiCA, for example) attach to the location of the regulated entity. Others attach to the location of the customer (where the service is provided to), the location of the transaction infrastructure, or – in the US context – the location of the transaction itself regardless of where either party is domiciled. The NYDFS BitLicense, for instance, attaches to virtual-currency business activity involving New York State residents or conducted from New York – a criterion that sweeps in foreign operators serving the New York market through the internet.
The result is that a single digital-asset business commonly faces a minimum of three to four distinct regulatory analyses: the home entity jurisdiction, the jurisdiction of its primary user market, the jurisdiction of its banking relationships, and potentially the jurisdiction of its liquidity or settlement counterparties. In practice, those analyses rarely produce a single clean answer. More often they produce a map of overlapping obligations, some of which must be resolved by structural means – separate licensed entities, geographic access controls, or contractual passthrough of compliance obligations to counterparties.
We regularly advise clients on what we call the licence-banking-tax stack: the interaction between where you hold the regulatory licence, where you maintain the banking relationship, and where the taxable income arises. A mismatch between any two of those three creates either regulatory risk, banking risk, or tax cost – sometimes all three simultaneously.
What Are the Most Common Structural Mistakes Operators Make?
Five structural mistakes appear with regularity in the cross-border digital-asset businesses we assess. None is exotic. All are avoidable with early legal analysis.
The first is feature creep without regulatory review. A business launches as a data or analytics product – clearly outside the perimeter. It then adds a peer-to-peer matching function, then a settlement wallet, then a yield option. By the third addition, it has crossed the licensing threshold in at least two jurisdictions. No single step felt like a regulatory event; the aggregate does.
The second is reliance on a single offshore licence. Operators frequently assume that a licence from a well-regarded offshore centre – a Cayman VASP registration, a BVI FSC authorisation under the VASP Act 2022 – provides global cover. It does not. Offshore registrations satisfy the home-jurisdiction requirement. They do not satisfy the licensing requirement in the jurisdictions where the business's users are located.
The third is misclassifying the custodial relationship. A business that holds private keys on behalf of customers is a custodian under most regimes, even if it does not describe itself as one. The custody trigger is one of the most consistently enforced across MiCA, VARA, and MAS. Businesses that hold keys at the infrastructure layer while characterising the service as "non-custodial" based on the user-facing architecture should obtain a formal analysis before relying on that characterisation.
The fourth is inadequate AML infrastructure for the scale of the business. A transaction-monitoring system calibrated for a hundred transactions a day is not compliant for a business processing ten thousand. Regulators assess the adequacy of AML systems against the actual risk profile of the business, not against a minimum-viable standard.
The fifth – and most consequential in enforcement outcomes – is failure to appoint a qualified MLRO. Most major regimes require a designated money laundering reporting officer (MLRO) with the seniority, authority, and competence to discharge the role. Regulators in the leading hubs treat an inadequate MLRO appointment as an indicator of broader compliance weakness, and it features prominently in enforcement decisions.
If a prior application stalled, a banking relationship was closed, or an enforcement letter has arrived, a second read can surface the structural reason and the route back. Write to OBOLUS at info@oboluslaw.com. A second assessment costs a fraction of a regulatory proceeding. Map your options.
Decision Matrix: Which Operator Profile Needs What?
The licensing requirement turns on the operator profile. Four profiles recur in our practice, each with a distinct regulatory trajectory.
Profile A – The EU-incorporated exchange serving retail users across the EEA. This operator needs CASP authorisation under MiCA from its home member state's national competent authority. Passporting then permits cross-border service provision within the EU and EEA. The AML obligations – including a full KYC framework, transaction monitoring, and Travel Rule compliance for all VASP-to-VASP transfers – attach immediately on authorisation. Timeline from application to authorisation varies by member state and application quality; the process is generally measured in months, not weeks. The key risk is underestimating the operational build required before the application: MiCA's documentation requirements are extensive, and applications that arrive without a functioning compliance infrastructure are typically returned.
Profile B – The non-custodial DeFi protocol with a legal entity in Switzerland. This operator's analysis turns on two questions: does the protocol involve the provision of any service on behalf of a third party (triggering the VASP perimeter), and does the token issued to protocol participants constitute a payment, utility, or asset token under FINMA's taxonomy? A genuinely non-custodial, fully decentralised protocol with no identifiable VASP function may fall outside the perimeter for licensing purposes. The AML perimeter is separate: even a non-custodial operator may need to register with the relevant self-regulatory organisation (SRO) in Switzerland if it falls within the definition of a financial intermediary. The key risk is the protocol's governance structure shifting the decentralisation analysis – particularly if a core team retains admin keys or can upgrade contracts unilaterally.
Profile C – The institutional custodian seeking to serve clients in Dubai and Abu Dhabi. This operator faces a dual analysis: VARA's custody licence for mainland Dubai activity, and FSRA's virtual-asset custody authorisation for ADGM activity. The two regimes are not interchangeable, and the geographic scope of each is defined by the financial free zone boundaries. The operator will also need to satisfy each regulator's capital, systems, and governance requirements independently. In our practice, institutional custodians entering the UAE market typically begin with ADGM/FSRA given the regime's alignment with international institutional standards, then consider a VARA authorisation for mainland market access.
Profile D – The payments business with global user acquisition and no defined home jurisdiction. This is the highest-risk profile. A business that acquires users globally without a regulatory home creates enforcement exposure in every jurisdiction where it has meaningful user volume. The first step is always jurisdiction selection – identifying the home licensing jurisdiction that provides the best combination of regulatory credibility, banking access, and operational fit. Under MiCA, a Lithuania or Malta CASP authorisation provides EU-wide passporting. For Asia-Pacific access, a MAS licence provides credibility across the region. For Middle East access, VARA or ADGM/FSRA is the standard path. The key risk for this profile is the period between user acquisition and licence grant: operating without authorisation while the application is pending creates retroactive exposure in most regimes.
A Common Assumption: One Offshore Licence Is Enough
A persistent assumption among early-stage crypto operators is that a registration in the Cayman Islands, BVI, or a similar offshore centre satisfies the regulatory requirement globally. It does not, and regulators in the major retail markets have become increasingly direct in saying so.
The BVI FSC's registration under the VASP Act 2022 and CIMA's regime under the Cayman Virtual Asset Service Providers Act each satisfy the home-jurisdiction requirement for businesses domiciled in those territories. They do not constitute authorisation to serve retail users in the EU, the UK, Singapore, or the UAE. Each of those jurisdictions asserts its own licensing jurisdiction over activity directed at its residents, regardless of where the operator is incorporated.
The practical consequence is this: a business incorporated in the Cayman Islands, serving EU retail users through an app, is not compliant with MiCA because it has a CIMA registration. It is non-compliant. The EU member state's national competent authority may issue a stop order, the app stores may be required to delist the application, and the business's banking counterparties – most of whom have their own regulatory obligations to manage – may close the accounts.
Offshore centres remain genuinely useful in the digital-asset regulatory stack. They serve as holding company and fund domicile jurisdictions, as structuring vehicles for institutional products, and as the home for activities that do not involve serving retail users in regulated markets. Their function is structural, not regulatory cover. We map that distinction explicitly in every cross-border structure we assess.
When Should an Operator Engage Legal Counsel on Perimeter Analysis?
The answer is: before the product feature is built, not after. The cost differential between pre-build perimeter advice and post-enforcement remediation is measured in orders of magnitude. An operator that identifies a licensing trigger before launch can structure around it – by adjusting the custody architecture, geofencing the user base, selecting the right home jurisdiction, or sequencing the licence application to match the go-live timeline. An operator that identifies the trigger after enforcement has commenced has none of those options and all of the costs.
Three events reliably signal that perimeter analysis is overdue. First: the business is adding a new product feature – even a small one – that touches customer asset custody, transfer, or exchange. Second: the business is expanding its user base into a new jurisdiction or removing a geographic restriction. Third: the business has received a query from a regulator, a banking partner has raised a compliance question, or an enforcement action has commenced against a competitor in the same vertical.
In each of those situations, the analysis required is the same: identify every activity the business performs, map each activity against the licensing regimes of every jurisdiction where the business operates or where its users are located, assess the AML and Travel Rule posture, and identify any gaps that create current enforcement exposure. That analysis is the foundation of a defensible compliance position.
We have seen the consequences when that analysis is delayed. In a recent matter, a stablecoin-adjacent payments business had been operating for several years across multiple EU member states without CASP authorisation, relying on a legal opinion from its home jurisdiction that predated MiCA's transition period. When MiCA's authorisation requirements became fully applicable, the business faced a choice between a rapid remediation – new entity, new application, new banking – and winding down the EU operations entirely. The remediation was possible. It was also expensive, time-consuming, and entirely avoidable with earlier analysis.
Related at OBOLUS
- Compliance, AML and Travel Rule for Digital-Asset Businesses – full-scope AML, KYC and Travel Rule advisory for VASPs and CASPs across jurisdictions
- Travel Rule Compliance in Malta – Malta-specific Travel Rule program design under the MFSA and MiCA transition regime
- CASP Authorisation under MiCA for Institutional Clients – end-to-end MiCA CASP application support for exchanges, custodians and asset managers
FAQ
What does the Travel Rule require from a VASP?
The Travel Rule requires a VASP that initiates a virtual-asset transfer on behalf of a customer to collect specified originator information – typically the sender's name, account identifier, and in some regimes their address or national identification – and transmit that information to the beneficiary VASP alongside the transaction. The beneficiary VASP must collect and hold corresponding information about the recipient. The precise data fields, the de-minimis threshold below which the obligation does not apply, and the mechanism for counterparty VASP identification each vary by jurisdiction and must be assessed against the applicable local AML regime, not against the FATF standard alone.
Who must act as MLRO for a crypto firm?
Most major regimes require a designated money laundering reporting officer (MLRO) who holds sufficient seniority and authority to discharge the role effectively. The MLRO must have direct access to the board, the ability to file suspicious activity reports independently, and the competence to oversee the business's full AML program – including KYC, transaction monitoring, and Travel Rule compliance. Regulators assess MLRO appointments rigorously. A nominee MLRO with no real authority or a part-time appointee without adequate resource is treated as a substantive compliance failure, not a technical one, and frequently features in enforcement proceedings.
How do regulators audit crypto AML programs?
Regulators in the major hubs – including ESMA's national competent authorities, VARA, MAS, and the FCA – audit AML programs through a combination of document review, transaction sampling, staff interviews, and systems testing. They assess whether the written policies match the operational reality, whether the transaction-monitoring system is calibrated to the actual risk profile of the business, and whether the MLRO has the authority and resource to function effectively. Inspections may be scheduled or unannounced. Businesses that cannot demonstrate a live, tested, and documented program at the point of inspection face remedial action, regardless of whether any specific suspicious transaction has been identified.
OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. We map the licence stack across operating, custody and payment layers before you commit – identifying perimeter gaps before they become enforcement events. We work alongside forensic partners to convert on-chain evidence into court-ready disclosure applications where recovery is required. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com or message us at t.me/oboluslaw.
By Victor Olsen, Regulatory & Compliance Analyst – specialising in cross-border perimeter analysis and AML program design for digital-asset businesses across the EU, UAE and Asia-Pacific hubs.
This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.