EST · MMXXVI
Home/Jurisdictions/Compare/European Union (MiCA) vs Hong Kong: Where to License a Crypto Business
Licensing & Registration

European Union (MiCA) vs Hong Kong: Where to License a Crypto Business

European Union (MiCA) vs Hong Kong: Where to License a Crypto Business. Cross-border digital-asset legal counsel for business – licensing, disputes and structur

Operating a digital-asset business without the right licence is not a calculated risk – it is an accelerating liability. Regulators in the European Union and Hong Kong are both tightening their perimeters. The question for an exchange, custodian, token issuer or fund is which regime fits the business model, the user base and the capital structure that already exists or is being built.

This comparison covers the two most consequential licensing regimes for internationally active crypto businesses: MiCA (the EU's Markets in Crypto-Assets Regulation, supervised by ESMA and national competent authorities) and the Hong Kong VASP licensing regime (administered by the Securities and Futures Commission, the SFC). Both are mature, activity-based regimes with genuine passporting or market-access implications. Neither is a light registration. The sections below map the regulatory posture, licence categories, timelines, substance requirements, AML obligations, tax and banking environment, and a decision matrix by operator profile.

How Do the Two Regulators Approach Crypto Oversight?

The SFC and ESMA approach oversight from different institutional traditions, and that difference shapes the day-to-day compliance burden from application through to ongoing supervision.

ESMA and its network of national competent authorities operate a rules-based, passportable regime under MiCA. The framework is exhaustive by design. A CASP (crypto-asset service provider) authorised in one EU member state may passport its services across the entire EU and EEA without additional national licences. The practical consequence is significant: one authorisation can serve a continental market of over four hundred million people. The cost is regulatory depth – capital requirements, organisational standards, whitepaper obligations and conduct rules apply from day one.

The SFC operates Hong Kong's VASP licensing regime for virtual-asset trading platforms, referred to internally as the VATP framework. Hong Kong's posture is principles-based within a structured licence gate. The SFC has signalled an intent to be a credible, open hub for compliant crypto businesses, but it applies rigorous vetting – particularly on management fitness, cybersecurity and custody segregation. A Hong Kong licence carries strong reputational weight in Asian institutional and family-office markets.

The cross-border reality matters here. A European entity with Asian users, or an Asian entity targeting European retail, cannot avoid both regimes. Regulators in the leading hubs increasingly expect a business to hold the licence that matches the geography of its users, not merely the geography of its incorporation.

What Licence Categories Exist Under Each Regime?

MiCA and the Hong Kong VATP framework both use activity-based licence structures, but they segment activities differently – and that distinction affects which entities need what.

Under MiCA, the CASP authorisation covers a menu of regulated services: reception and transmission of orders, execution of orders, exchange against fiat or other crypto-assets, operation of a trading platform, custody and administration, placement, portfolio management and advice. An entity applies for authorisation covering the specific services it intends to offer. Separate token-level regimes apply to ART (asset-referenced token) issuers and EMT (e-money token) issuers, each with its own authorisation track and reserve/redemption obligations. Whitepaper publication obligations attach to most token offerings regardless of issuer type.

Under the SFC's VATP framework, Hong Kong's VASP licensing applies primarily to centralised virtual-asset trading platforms. The licence is holistic – it covers the exchange function, and custody is treated as an integrated component subject to specific segregation standards. Fund managers investing in virtual assets above certain thresholds may require separate SFC authorisation under the existing securities framework. Token issuers must assess whether their token constitutes a security under Hong Kong law; if it does, securities-regime obligations apply in addition to, or instead of, VASP requirements.

The structural implication: a business running an exchange, a custody service and a structured-product token issuance simultaneously will face a wider licence matrix in both jurisdictions than a single-activity operator. We map that matrix before a client commits to either regime.

For a scoped assessment of the licence categories that apply to your specific activity set, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your entity type, the user geography and the nature of the assets on your platform change the analysis materially.

How Long Do Applications Take, and What Do They Require?

Timeline varies by jurisdiction, authority workload, applicant preparation and activity scope – and both regimes are currently processing a significant volume of applications as incumbents transition from prior registrations.

Under MiCA, CASP authorisation follows a structured process administered by the relevant national competent authority. The application covers a comprehensive organisational file: governance structure, fit-and-proper assessments for senior management and shareholders, a business plan, internal controls and compliance policies, a prudential capital showing, AML/CFT programme documentation and, where applicable, a whitepaper. Member state authorities have a defined review period under the regulation. Operators we advise routinely note that preparation time before filing – assembling the organisational and compliance documentation – can be substantial. The choice of member state matters: supervisory culture, language and the authority's prior exposure to crypto applications all affect the practical timeline.

In Hong Kong, the SFC VATP application process is similarly document-intensive. The SFC scrutinises management fitness, cybersecurity architecture, custody and client-asset segregation, and the platform's token-admission criteria. Applicants must demonstrate that a responsible officer with the requisite knowledge is in place. The SFC conducts interviews and may issue multiple rounds of queries. Timeline from filing to in-principle approval has generally been measured in many months, not weeks, and varies with application complexity.

In our cross-border practice, we have seen businesses underestimate application lead times in both regimes. The preparation phase – structuring the entity, appointing qualified personnel, documenting the compliance programme – is the principal timeline driver in both cases. Filing an incomplete application resets the clock.

What Are the AML and Travel Rule Obligations?

Both regimes are anchored in the FATF framework, including Recommendation 15 and the Travel Rule (the obligation to pass originator and beneficiary data with a virtual-asset transfer above the applicable threshold). Compliance with the Travel Rule requires operational infrastructure – a VASP-to-VASP messaging solution – and due diligence on counterparty VASPs. Neither regime treats Travel Rule compliance as optional.

Under MiCA and the applicable EU AML/CFT directives, CASPs are obliged entities with full AML programme requirements: customer due diligence, enhanced due diligence for higher-risk relationships, transaction monitoring, suspicious activity reporting and sanctions screening. ESMA and national competent authorities expect the AML framework to be documented, tested and subject to independent review. The EU's AML Authority (AMLA) is expected to take on direct supervisory responsibilities for the largest cross-border CASPs over time, adding another supervisory layer.

In Hong Kong, VASPs are subject to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance and the SFC's guidance on AML/CFT for virtual assets. The practical standards are comparable to MiCA in depth. The SFC expects robust customer identification, transaction monitoring and Travel Rule compliance from day one of licensing. Token-listing decisions are expected to include an AML risk assessment of the asset itself.

The Travel Rule data threshold applicable in each jurisdiction should be confirmed against current legislation before operationalising a compliance programme. Both the EU threshold and the Hong Kong threshold are subject to legislative review and should not be assumed from secondary sources.

What Substance and Governance Does Each Regime Require?

Substance requirements determine where the business really sits and how much of the operation must be locally staffed and managed. Both regimes have moved firmly away from letterbox structures.

MiCA requires genuine establishment in the authorising member state. This means a registered office, senior management present and active in the EU, and the ability to demonstrate to the NCA that key decisions are made locally. The passporting right is valuable precisely because it rewards genuine substance in one member state with market access across all others. Shell or nominee structures do not meet the standard; NCAs are applying heightened scrutiny to applicants with thin local presence.

The SFC in Hong Kong expects the licensed entity to be incorporated in Hong Kong or to have a registered presence there. Management fitness vetting is personal and detailed – the SFC assesses each responsible officer individually. Cybersecurity infrastructure is also treated as a substance matter: the SFC expects core technology operations to meet defined security and resilience standards, and outsourcing arrangements must be disclosed and governed appropriately.

For a business weighing the two regimes, the honest comparison is not which regime requires less substance – both require a genuine operation – but which aligns with the talent, banking and operational infrastructure the business can realistically build and sustain.

How Do Tax and Banking Conditions Compare?

Tax and banking are often the deciding factors after the regulatory analysis is complete. A licence in a jurisdiction where the business cannot bank or where the tax treatment destroys the economics is not a solution.

Within the EU, tax treatment of crypto-asset businesses varies by member state. Some member states offer competitive corporate tax regimes; others apply standard rates. VAT treatment of crypto services under EU law generally exempts exchange services from VAT, but the application of that principle to specific crypto activities varies and should be confirmed jurisdiction by jurisdiction. Crypto-to-crypto and crypto-to-fiat transactions may have differing VAT treatment in certain member states. The choice of member state for CASP authorisation therefore has a direct tax dimension.

In Hong Kong, the corporate tax rate applies to profits sourced in Hong Kong, and there is no capital gains tax, no VAT and no withholding tax on dividends. For businesses where trading gains constitute a significant revenue stream, the Hong Kong tax environment is often favourable. The absence of a GST or VAT layer simplifies compliance for digital-asset service businesses compared with EU operations.

Banking access is a live operational constraint in both environments. EU-licensed CASPs may find banking more accessible with a credible MiCA authorisation in hand, as correspondent banks and payment processors can rely on the authorisation as a due-diligence anchor. In Hong Kong, banking for crypto businesses has historically been selective, though the SFC's licensing regime has improved the environment for licensed VATPs. In both cases, banking should be scoped in parallel with the licence application, not after it. Operators we advise routinely discover that the bank's onboarding timeline is longer than the regulatory timeline.

If your prior application stalled or a bank account was closed, a second read can surface the structural reason and the route back. Write to OBOLUS at info@oboluslaw.com to map the licence, banking and tax stack for your build.

Which Jurisdiction Fits Which Operator Profile?

There is no universal answer to this question. The right jurisdiction depends on the operator's target market, existing corporate structure, user geography, asset classes and management location. The matrix below describes the dominant considerations by profile – it does not declare a winner, because the facts of each business change the conclusion.

Exchange operator targeting EU retail and institutional users. MiCA CASP authorisation is the functional requirement. Without it, the exchange is operating without a licence in the EU. The passporting right makes a single EU authorisation materially more valuable than an equivalent licence in a third country. The relevant member state for authorisation depends on substance capacity, language and the NCA's supervisory track record with crypto applications. Hong Kong may be an additional licence, not an alternative, if the platform also serves Asian users.

Exchange operator with a primarily Asian institutional and professional-investor base. The Hong Kong VATP licence is the primary target. SFC authorisation signals credibility to institutional counterparties across the Asia-Pacific region. MiCA authorisation may be needed in parallel if EU-based investors are being served, or if the platform is passporting into EU member states.

Custodian providing standalone custody services. Under MiCA, custody and administration of crypto-assets on behalf of clients is a regulated CASP service requiring authorisation. In Hong Kong, custody within a licensed trading platform is integrated; standalone custodians should assess whether their service constitutes a regulated activity under the applicable SFC framework. For custodians serving global clients, both licences may be required as the client base grows.

Token issuer (ART or EMT) targeting EU distribution. MiCA is the operative regime. ART and EMT issuers require specific authorisation under MiCA, distinct from CASP authorisation. Whitepaper obligations apply. Hong Kong's securities-law analysis applies if the token could constitute a security or structured product under Hong Kong law, requiring separate assessment.

Crypto fund or asset manager. In the EU, managing a crypto fund triggers existing AIFMD obligations in most cases, alongside any MiCA CASP services the manager provides. In Hong Kong, fund managers with significant virtual-asset exposure require SFC authorisation under the applicable securities framework. The fund domicile – Cayman, BVI, Luxembourg – interacts with the manager's licensing requirements and should be assessed as a combined structure.

In a recent licensing matter, a payments and exchange operator sought to serve both EU professional clients and Asian institutional investors simultaneously. We advised on structuring a European CASP entity and a Hong Kong VATP entity within a shared holding structure, mapping the governance, capital and AML documentation requirements across both filings. The application packages were built in parallel, reducing total elapsed time compared with sequential filings.

Related at OBOLUS

Is a Single Offshore Licence Enough to Serve Global Users?

A common assumption among early-stage operators is that an offshore registration – a BVI, Cayman or similar structure – provides sufficient cover to serve clients worldwide. It does not.

Both MiCA and the Hong Kong VASP regime apply on the basis of where users are located, not merely where the operator is incorporated. An exchange incorporated offshore but actively marketing to EU residents requires MiCA CASP authorisation. A platform incorporated in a third country but onboarding Hong Kong retail investors falls within the SFC's licensing perimeter. Regulators in both jurisdictions have demonstrated willingness to pursue offshore operators who are effectively conducting regulated activities within their borders.

The enforcement risk is not theoretical. Operating without the right licence exposes the business to regulatory action, cessation orders, fines and – critically – the loss of banking relationships and payment-processing access that follow a public enforcement notice. An offshore registration provides a useful structural base for holding, tax and governance purposes. It is not a substitute for the activity licence that matches the user base.

FAQ

How long does a crypto licence take to obtain?

Timeline varies significantly by jurisdiction, regulator and application quality. Under MiCA, national competent authorities work within a defined statutory review window, but preparation time before filing – assembling governance documents, compliance programmes and capital evidence – typically takes several months. In Hong Kong, the SFC's VATP application process involves detailed vetting of management fitness and technical infrastructure; applicants should plan for a process measured in many months from initial filing to in-principle approval. Filing a complete, well-prepared application is the single greatest determinant of elapsed time in both regimes.

Which jurisdiction is best for licensing my crypto business?

There is no single best jurisdiction. The right choice depends on where your users are located, the activities you conduct, your ability to establish genuine local substance, your tax and banking requirements, and the asset classes you handle. An exchange serving EU retail clients needs MiCA CASP authorisation regardless of where the entity is incorporated. A platform focused on Asian institutional investors should prioritise the Hong Kong VATP regime. Many internationally active businesses require licences in both jurisdictions, and the structures must be coordinated from the outset.

Do I need a separate custody licence?

Under MiCA, custody and administration of crypto-assets on behalf of clients is a standalone regulated service within the CASP authorisation framework. An entity providing custody services must include that activity in its authorisation scope. In Hong Kong, custody is treated as an integrated function within the VATP licence for trading platforms, but standalone custodians should assess whether their services constitute a regulated activity under the applicable SFC framework. In both regimes, providing custody services without the appropriate authorisation is a regulated activity carried on without a licence.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. We map the licence stack across operating, custody and payment layers before you commit – so the structure is right the first time. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com or message us at t.me/oboluslaw.

By Aisha Tan, Licensing & Jurisdictions Analyst – specialising in comparative licensing strategy for digital-asset businesses across EU, Asia-Pacific and offshore jurisdictions.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours