EST · MMXXVI
Home/Jurisdictions/Georgia/Crypto exchange setup in Georgia: Legal Requirements for Businesses
Licensing & Registration

Crypto exchange setup in Georgia: Legal Requirements for Businesses

Crypto exchange setup in Georgia. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk to OBOLUS.

Operating a crypto exchange (a platform that enables the buying, selling or swapping of digital assets for clients) in Georgia requires a clear understanding of the country's regulatory posture before a single line of code goes live. Georgia has emerged as a notable entry point for digital-asset businesses seeking a cost-effective, operationally flexible regime inside a jurisdiction with growing international connectivity. Yet the absence of a bespoke, MiCA-style licensing architecture does not mean the environment is unregulated – it means the obligations are distributed across general financial, tax and anti-money-laundering laws in ways that catch operators by surprise.

For a business weighing crypto exchange setup in Georgia, the core questions are: what activity requires authorisation, who supervises it, and how does that interact with the jurisdictions where your users, banking and tax residence actually sit? This page answers each of those questions in sequence and identifies where the structural risks cluster for an inbound operator.

What Is the Regulatory Basis for a Crypto Exchange in Georgia?

Georgia does not operate a dedicated VASP (virtual asset service provider) licensing regime equivalent to the VARA rulebooks in Dubai or the Payment Services Act framework administered by MAS in Singapore. The primary regulatory hook is the National Bank of Georgia, which supervises payment services and certain financial intermediaries, combined with Georgia's AML/CFT framework, which aligns – at a structural level – with FATF Recommendation 15 on virtual assets.

In practice, the activity classification determines which supervisory path applies. An exchange that merely facilitates crypto-to-crypto conversions for its own account may sit in a different legal position from one that accepts fiat deposits, executes client orders or offers custody. Georgia's financial supervisory perimeter has historically been narrower than those of the EU or UAE, which is precisely the operational attraction for early-stage operators. However, that narrower perimeter carries a structural caveat: a Georgian-domiciled exchange serving users in the EU, the UK or the UAE is immediately subject to the extraterritorial reach of MiCA, the FCA financial-promotion rules and VARA's activity-based licensing regime – regardless of where the legal entity sits.

The cross-border dimension is not optional analysis. It is the analysis. Regulators in the leading digital-asset hubs increasingly look at where the client sits and where the marketing is directed, not just where the server or the company registration lives.

Operating without the right licence risks enforcement action, frozen banking rails and the kind of reputational damage that is difficult to reverse once a regulator has opened an investigation. We regularly advise operators who structured in Georgia precisely because the domestic regime appeared permissive, and who subsequently discovered that their EU user base triggered a MiCA CASP authorisation obligation in parallel.

The process above describes the standard entry path. Your facts – the entity structure, the target user base and the banking stack – change the analysis materially. For a scoped assessment of your situation, contact OBOLUS at info@oboluslaw.com.

Who Needs Authorisation to Operate a Crypto Exchange in Georgia?

Whether a business requires formal authorisation under Georgian law turns on the precise nature of its activity, its counterparties and the currencies or instruments involved.

A business that accepts Georgian lari or foreign currency from clients and converts it into digital assets – or vice versa – is likely performing a payment or money-changing function that engages the National Bank of Georgia's supervisory remit. That engagement may require registration or licensing before activity commences. A platform that operates purely on a crypto-to-crypto basis and does not touch fiat currency may fall below that threshold domestically, but it does not escape AML/CFT obligations: Georgia's AML framework imposes know-your-customer and transaction-monitoring requirements on virtual asset service providers, and those requirements apply irrespective of whether the business holds a formal licence.

Custody is a separate question. An exchange that holds client private keys or controls client wallets is performing a custody function. In the leading licensing jurisdictions – including ADGM in Abu Dhabi, the SFC regime in Hong Kong and the VARA framework in Dubai – custody is a regulated activity requiring its own authorisation or a combined licence. Georgia does not currently impose an equivalent discrete custody licence, but that gap in domestic regulation does not insulate the operator from the expectations of its banking partners or from the laws of the jurisdictions where its custodied clients are resident.

The AML/CFT perimeter is the most immediately operative constraint for most inbound operators. Georgia's financial intelligence unit expects VASPs to conduct customer due diligence, apply enhanced measures to high-risk counterparties and maintain transaction records consistent with FATF standards. Non-compliance in this area can result in supervisory intervention even where no exchange licence is technically required.

What Does the Setup Process Look Like for an Inbound Business?

Setting up a crypto exchange in Georgia typically involves a sequence of corporate, regulatory and operational steps, and the order in which they are completed matters for banking access and for compliance readiness.

The first step is entity incorporation. Georgia's corporate law is relatively straightforward, and an LLC (limited liability company, known as a shpk under Georgian law) or a joint-stock company can be incorporated quickly. The choice of entity type affects governance structure, capital flexibility and the optics of the business for banking and partner due diligence.

The second step is AML/CFT registration and programme establishment. Before accepting any client funds or processing any transactions, the business must implement a compliant AML programme. That means a nominated compliance officer, written policies covering customer due diligence, transaction monitoring, suspicious activity reporting and record-keeping, and – where the business's transaction volumes trigger the obligation – alignment with Georgia's implementation of the Travel Rule (the requirement to pass originator and beneficiary data with each qualifying transfer). In our cross-border practice, we find that most operators underestimate the programme-build timeline, treating compliance as a post-launch task rather than a precondition for banking access.

The third step is banking. This is often the hardest. Georgian commercial banks vary significantly in their appetite for digital-asset business clients. A well-structured AML programme, a clear business model description and a credible ownership structure are prerequisites for opening a corporate account. Banks that do accept crypto-exchange clients will conduct their own enhanced due diligence and may impose transaction volume limits or require periodic reporting.

The fourth step – and the one most frequently skipped – is a cross-border licensing audit. Before the exchange onboards users outside Georgia, the operator must assess whether those jurisdictions require the exchange to be locally licensed. Serving EU residents without a MiCA CASP authorisation, UK residents without FCA registration under the Money Laundering Regulations, or UAE residents without a VARA licence creates parallel enforcement exposure that the Georgian entity itself cannot shield against.

How Do AML and the Travel Rule Apply to Georgian Crypto Exchanges?

Georgia's AML/CFT obligations for virtual asset service providers are grounded in its implementation of FATF standards, including FATF Recommendation 15, which requires jurisdictions to regulate VASPs for AML/CFT purposes. The practical consequence is that a Georgian-registered crypto exchange must apply customer due diligence to all clients, not just those above a stated monetary threshold, and must maintain records in a form that is accessible to supervisors on request.

The Travel Rule imposes an additional layer of obligation. When the exchange sends or receives a virtual asset transfer on behalf of a client, it must – above the applicable de-minimis threshold – transmit originator and beneficiary information to the counterpart VASP. Georgia has moved toward alignment with FATF's Travel Rule expectations, though the precise threshold and technical requirements are subject to regulatory guidance that operators should verify against current legislation before go-live.

In our practice, Travel Rule compliance is one of the most operationally intensive elements of exchange setup. The obligations require either a purpose-built technical solution or integration with a third-party Travel Rule compliance provider. The choice of provider affects cost, counterparty coverage and the speed at which the exchange can process institutional-volume transfers. Operators who launch without a Travel Rule solution in place routinely face rejection from correspondent banking relationships and from institutional clients who are themselves subject to AML audits.

The cross-border AML interaction is equally important. An exchange serving clients in Singapore must align with MAS's DPT service expectations on customer due diligence; one serving EU clients must meet the standards that a MiCA CASP authorisation would impose, even if the exchange itself is not yet MiCA-authorised. Regulators share intelligence, and a supervision event in one jurisdiction can prompt inquiries from supervisors in another.

How Do Tax and Banking Stack Interact with a Georgian Exchange Structure?

Georgia's tax environment is one of the more attractive in the region for digital-asset businesses. The country operates a territorial tax system, meaning that income earned from foreign sources by a Georgian entity is generally not subject to Georgian corporate income tax – though this principle must be applied carefully in the context of an exchange that has both domestic and foreign clients and activities. As with all tax positions, the specific outcome depends on the facts of each structure and should be confirmed with advice tailored to those facts.

For an exchange with EU, UK or US clients or investors, the Georgian tax position is only part of the picture. Transfer pricing rules, controlled-foreign-corporation provisions in the investor's home jurisdiction and withholding tax obligations on distributions all interact with the choice to domicile in Georgia. A structure that looks efficient on a Georgia-only analysis may create tax inefficiencies – or outright liabilities – when the full cross-border picture is drawn.

Banking access for Georgian crypto exchanges is best described as tiered. Some Georgian commercial banks maintain a formal appetite for digital-asset business clients; others do not. For exchanges that require correspondent banking in euros or US dollars – which is nearly every exchange seeking institutional clients – the choice of primary bank matters enormously, because the correspondent bank's own AML posture will condition the exchange's ability to settle in hard currencies.

Operators we advise regularly discover that the banking question should be resolved before the corporate structure is finalised, not after. A banking relationship that is conditional on a particular entity type, ownership structure or jurisdiction of incorporation can effectively dictate structural choices that were assumed to be free. We map the licence, banking and tax stack together before our clients commit to a structure.

If a prior application stalled or a banking relationship was closed, a fresh structural review can identify the reason and the path forward. To pressure-test your structure before you commit, message us via t.me/oboluslaw.

A Cross-Border Exchange: How Structure Determines Outcome

In a recent matter, an exchange operator had incorporated in Georgia and commenced operations, accepting clients from across Europe and the Gulf. The business had Georgian AML registration and a functional compliance programme, but had not conducted a cross-border licensing audit before launch. When a European regulator received a complaint from a local client, it queried the exchange's authorisation to serve EU persons under MiCA. The operator faced the choice of ceasing EU client service, pursuing an emergency CASP authorisation in an EU member state or restructuring to route EU-facing activity through a separately authorised entity. We were engaged in the latter half of that year to structure the separation of the EU-facing business, coordinate with allied counsel in the relevant EU jurisdiction for the CASP application, and renegotiate the banking arrangements that the initial structure had placed at risk. The matter resolved without enforcement action, but the restructuring cost significantly more – in time and in fees – than a pre-launch licensing audit would have. The lesson is direct: the Georgian entity was correctly set up for Georgia; it was not designed for the client base it actually served.

Which Operator Profile Is Georgia the Right Choice For?

Georgia is not the right answer for every crypto exchange structure, but it is the right answer for a defined set of operator profiles. The decision matrix below maps the most common scenarios in our practice.

Profile A – Early-stage exchange, Georgian or regional client base: An operator focusing on Georgian-resident clients or regional markets with limited EU, UK or US exposure is well-suited to a Georgian primary structure. The domestic regulatory cost is lower than in the major licensing hubs, the tax position can be attractive under the territorial system, and the operational timeline from incorporation to launch is typically shorter than in MiCA-regulated member states. The key risk is growth: if the client base expands into regulated jurisdictions, a parallel licensing event will be needed.

Profile B – Mid-size exchange seeking an EU gateway: For an operator whose commercial plan requires EU client access, Georgia is a useful holding or operational layer, but it is not a substitute for MiCA CASP authorisation. A common structure pairs a Georgian operational entity (handling technology, staff and certain back-office functions) with an EU-licensed CASP entity (handling EU client-facing activity). This requires careful governance design to ensure the EU regulator is satisfied that the EU entity genuinely controls the regulated activity.

Profile C – Exchange targeting institutional or Gulf clients: Institutional counterparties and Gulf-based clients increasingly require their exchange counterparts to hold licences issued by a recognised regulator – VARA, ADGM/FSRA, the SFC or MAS. A Georgia-only structure is unlikely to satisfy institutional due diligence requirements. For this profile, Georgia may function as a technology or holding layer, with the client-facing regulated activity housed in VARA, ADGM or a comparable hub.

Profile D – Operator seeking regulatory arbitrage: Businesses that seek a Georgian structure specifically to avoid the obligations that would apply in the jurisdictions where their clients actually sit are taking a risk that no structure can fully neutralise. Regulators in the EU, the UK and the UAE have demonstrated a clear willingness to assert jurisdiction over businesses that serve their residents regardless of where the legal entity is registered. In our practice, we do not design structures for regulatory avoidance; we design structures that are compliant in every jurisdiction that materially applies.

What Are the Most Common Mistakes in Georgian Crypto Exchange Setup?

The most persistent mistake is treating the Georgian registration as the end of the compliance analysis rather than the beginning. A business that is incorporated and AML-registered in Georgia has completed the domestic steps. It has not addressed the licensing exposure created by its user geography, its banking jurisdiction or its investor base.

A second frequent error is deferring the Travel Rule solution. Operators regularly plan to implement Travel Rule compliance after launch, treating it as a scalability item rather than an operational prerequisite. In practice, the absence of a Travel Rule solution closes off institutional banking relationships and limits the exchange's ability to partner with other VASPs that are themselves compliant.

A third mistake – one we encounter regularly across jurisdictions, not just Georgia – is treating custody as an implied feature of an exchange licence rather than a separately assessed activity. Where the exchange controls client private keys, it is performing custody. That custody function may require separate authorisation in the client's jurisdiction even where it does not require it in Georgia.

A fourth mistake is the myth that a single offshore or lower-cost licence is sufficient to serve clients globally. That assumption drives operators into enforcement risk in the very markets they are trying to grow. The correct approach is to map the licence obligation to each jurisdiction where the exchange has, or expects to have, a meaningful client base – and to build the structure around that map, not the other way around.

Related at OBOLUS

About OBOLUS

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. Digital assets are the entirety of our practice, and we act only for businesses – not retail investors, not individuals. We map the licence stack across operating, custody and payment layers before a client commits to a structure, which is the point at which the advice has the most leverage. To discuss your situation, contact info@oboluslaw.com or message us at t.me/oboluslaw.

FAQ

How long does a crypto licence take to obtain?

The timeline varies significantly by jurisdiction and licence type. In Georgia, domestic AML/CFT registration can be completed within a matter of weeks following incorporation, though building a compliant programme takes longer. A MiCA CASP authorisation in an EU member state typically runs to several months; VARA and ADGM applications are comparable. An exchange with a multi-jurisdictional client base should plan for parallel processes that may not resolve on the same timeline, and factor that into its operational launch schedule.

Which jurisdiction is best for licensing my crypto business?

There is no single best jurisdiction. The right answer depends on where your clients are, what activities you conduct, your banking requirements and your investor base. Georgia suits operators focused on regional markets or early-stage businesses with limited EU or institutional exposure. For EU client access, a MiCA CASP authorisation in an EU member state is required. For institutional counterparties, VARA, ADGM, MAS or the SFC are the benchmarks. We assess the full stack – not the domestic licence in isolation – before recommending a structure.

Do I need a separate custody licence?

In most leading licensing regimes, custody of client virtual assets is a regulated activity requiring its own authorisation or a combined licence that expressly covers custody. Georgia does not currently impose an equivalent standalone custody licence, but that domestic position does not resolve the question in the jurisdictions where your clients are resident. If your exchange controls client private keys or wallet balances, you should obtain jurisdiction-specific advice on whether that activity requires separate authorisation in each market you serve.

By Aisha Tan, Licensing & Jurisdictions Analyst – specialist in inbound exchange and VASP licence structuring across emerging and established digital-asset hubs.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours