A payments company seeking to hold client digital assets discovers that custody is a regulated activity (an activity requiring explicit authorization before it can be conducted) in the jurisdiction where its clients sit – not merely a technology function. That discovery, made after banking rails are already in place, is the moment enforcement risk becomes real. For operators building inside or into Kazakhstan's Astana International Financial Centre (AIFC), the question is direct: what authorization is required to provide digital-asset custody, and how does a business obtain it?
Digital-asset custody in the AIFC requires authorization from the Astana Financial Services Authority (AFSA), the financial regulator operating within the AIFC's common-law framework. The AIFC operates under English common-law principles and maintains its own courts and arbitration centre, making it structurally distinct from the Republic of Kazakhstan's general civil-law system. Custody of digital assets – holding, safeguarding and administering virtual assets on behalf of clients – falls within the AFSA's perimeter as a discrete regulated activity. An entity conducting that activity without authorization is exposed to enforcement, mandatory wind-down and the loss of banking and payment access.
This page sets out the regulatory basis, the authorization process for an inbound business, the cross-border tax and banking interactions that shape structuring decisions, and the decision point at which outside counsel adds the most value.
What does the AFSA actually regulate in digital-asset custody?
The AFSA regulates digital-asset activities conducted within or from the AIFC under a regime that treats custody as a stand-alone licensed function, not an ancillary capability bundled with exchange or brokerage. An entity holding or controlling digital assets on behalf of another person – whether by private key management, multi-signature arrangements or omnibus wallet structures – is conducting a custodial activity within the AFSA's perimeter. The regime covers both pure-custody providers and integrated platforms that include custody as a component of a broader offering.
The AIFC's legal architecture matters here. The Centre operates under its own acts, regulations and rules. AFSA-issued rules on digital assets define the regulated activities, the authorization criteria and the ongoing obligations. Because the AIFC is a common-law enclave, its framework is structurally legible to operators from English-law jurisdictions – and its courts are accessible in a dispute, which affects counterparty confidence and banking relationships in a way that an offshore registry alone does not.
Operators sometimes assume that holding client assets in a technically non-custodial arrangement – smart contracts, self-custody with client signing keys – takes the activity outside the perimeter. AFSA's approach, consistent with global best practice, looks at substance: if the platform retains meaningful control, access or influence over the assets, a custody analysis applies. We have seen this misread cost operators their application and their banking relationships simultaneously.
Who needs AFSA authorization for digital-asset custody in the AIFC?
Any entity incorporated within the AIFC that holds or safeguards digital assets on behalf of clients needs an AFSA authorization covering that activity. The obligation applies regardless of the entity's primary business model: a crypto exchange adding custodial wallets, a fund administrator holding LP digital-asset allocations, a payments business holding merchant float in stablecoins – each triggers the custody authorization requirement once client assets come under the entity's control.
Inbound operators – businesses incorporated outside Kazakhstan that wish to passport services into the region or to establish an AIFC presence as their Central Asian hub – face a two-step question. First, does the proposed activity require an AIFC-incorporated entity, or can the foreign entity be recognized or registered at a lower threshold? Second, if AIFC incorporation is required, which license category covers the full activity set the business intends to operate? In our cross-border practice, the most common mistake at this stage is structuring for the narrowest authorization that covers today's product, with no headroom for custody, lending or staking layers that the business will add within twelve months.
Entities that are already authorized in another recognized jurisdiction may find a faster path through the AFSA's framework for recognized entities, but custody activities – because they involve direct client-asset risk – generally require a full AIFC-based authorization rather than a lighter recognition path. The applicable rules distinguish between entities conducting regulated activities as their primary business and those conducting them incidentally; the boundary is fact-specific.
For a scoped assessment of whether your activity triggers the AIFC custody authorization requirement, contact OBOLUS at info@oboluslaw.com. The process above describes the standard regulatory perimeter. Your facts – the entity structure, the technical custody model, the client profile – change the analysis materially.
How does the AFSA authorization process work for digital-asset custody?
The AFSA authorization process for a digital-asset custody business runs in three substantive phases: pre-application engagement, formal application review, and authorization with conditions. Each phase carries its own documentary requirements and pacing considerations, and the clock does not start until the AFSA confirms a complete submission.
In the pre-application phase, the applicant engages with the AFSA to scope the intended activities, identify the correct license category and surface any structural issues before the formal file is submitted. This phase is not optional for custody applicants – the AFSA expects substantive dialogue on the technical custody model, the safeguarding arrangements and the key personnel before accepting a formal application. Operators who skip this engagement and submit cold typically face a request-for-information cycle that adds months to the timeline.
The formal application requires a detailed regulatory business plan, financial projections, governance documentation, policies covering AML/CFT (anti-money laundering and counter-financing of terrorism), custody-specific safeguarding arrangements, key person vetting and evidence of adequate capital. Capital requirements vary by license category and are set by AFSA rules; the applicable figure is confirmed at the pre-application stage and should not be assumed from older market data. Timeline from complete submission to authorization is a matter of months in straightforward cases; complex structures or novel custody models extend that window.
Conditions attached to the authorization at issuance are common. A new custody provider may receive restrictions on the asset classes it may hold, the client categories it may serve or the jurisdictions into which it may market. Working through conditions to an unconditional authorization is a second-stage process that runs in parallel with the entity becoming operational. In our practice, we prepare clients for this reality at the outset – an authorization with conditions is a working authorization, not a rejection.
A practical note on key persons: the AFSA vets senior management and compliance officers as part of the authorization process. Persons with enforcement history in other jurisdictions, or whose prior entities lost authorization elsewhere, face heightened scrutiny. The AIFC's common-law framework means that AFSA decisions are judicially reviewable, but a failed vetting is more efficiently avoided than challenged.
What AML and Travel Rule obligations apply to AIFC custodians?
AIFC custodians are subject to a comprehensive AML/CFT regime aligned with FATF Recommendations, including Recommendation 15, which applies the FATF standards specifically to virtual assets and virtual asset service providers. The Travel Rule – the obligation to collect, hold and transmit originator and beneficiary information alongside digital-asset transfers – applies to AIFC-authorized VASPs, including custodians making outbound transfers.
For a custody provider, the Travel Rule creates operational requirements at the point of withdrawal or transfer: the custodian must pass the required counterparty data to the receiving VASP and must implement procedures to handle transfers from non-compliant or unhosted wallets. The applicable data threshold and de-minimis treatment are set by AFSA rules and should be confirmed against current AFSA guidance rather than assumed from the FATF base text, which leaves these parameters to national implementation.
In practice, Travel Rule compliance requires technology infrastructure – a VASP-to-VASP messaging solution that is interoperable with the receiving entity's system – not merely a policy commitment. We regularly advise custody applicants to include Travel Rule infrastructure as a pre-authorization deliverable rather than a post-authorization fix, because the AFSA expects demonstrable compliance readiness at the point of authorization, not a roadmap.
The cross-border dimension is significant. A Kazakh-authorized custodian holding assets for clients based in the EU, the UAE or Singapore may face concurrent obligations under MiCA, the VARA regime or the Payment Services Act framework administered by MAS. Each regime has its own Travel Rule threshold, data-field requirements and liability-allocation rules. An AIFC authorization alone does not satisfy those concurrent obligations; a multi-layer compliance architecture is required from day one.
How do tax and banking interact with the AIFC custody structure?
The tax and banking environment around an AIFC custody entity shapes the commercial viability of the structure as much as the regulatory authorization does. These two factors – often treated as downstream implementation details – frequently determine whether the structure is operationally sustainable.
On the tax side, Kazakhstan has a network of double-taxation treaties that may be relevant to an AIFC-incorporated entity's income, depending on where its ultimate beneficial owners reside and where its fee income is sourced. The AIFC itself offers a distinct tax regime within Kazakhstan, with reduced rates on certain income categories for qualifying entities. The interaction between the AIFC tax regime and the treaty network requires analysis specific to the entity's profit model and beneficial ownership structure; it cannot be assumed from general Kazakhstan tax commentary, which relates to the civil-law system outside the AIFC perimeter. Lydia Brennan, our tax and structuring analyst, has noted that mismatches between the entity's functional location and its contractual relationships routinely generate withholding-tax exposure that was not modeled at the outset.
On the banking side, an AIFC custodian holding client digital assets needs fiat banking for operational expenses, fee collection and, typically, a reserve currency account supporting stablecoin or conversion operations. Kazakhstan has domestic banks with AIFC connectivity, and several international correspondent-banking relationships extend to AIFC entities. However, a custody entity holding third-party assets at scale will face enhanced due diligence from correspondent banks – specifically around the beneficial ownership of client assets, the jurisdiction of underlying clients and the AML framework supporting the custody operation. Authorization from the AFSA is a necessary but not sufficient condition for banking access; the quality of the AML documentation submitted to the bank matters as much as the license itself.
Operators building the AIFC custody entity as a regional hub for Central Asia and adjacent markets should also model the banking requirements of the markets they intend to serve. A custodian serving institutional clients in Russia or Iran will face correspondent-banking restrictions that no AIFC authorization can overcome. In our cross-border practice, we map the banking stack as part of the authorization engagement, not as a separate downstream exercise.
A recent AIFC custody authorization matter
In a recent engagement, an institutional fund administrator seeking to offer digital-asset sub-custody to its fund clients approached us at the point of AIFC incorporation – after completing its company setup but before engaging the AFSA. The entity's technical custody model relied on a multi-party computation arrangement that its technology provider described as "non-custodial." Our initial analysis established that the arrangement retained meaningful platform-level access and therefore triggered the custody authorization requirement. We restructured the application approach, prepared the regulatory business plan and safeguarding policy documentation, and accompanied the entity through the pre-application engagement with the AFSA. Authorization was granted with a condition restricting the initial eligible asset classes; that condition was subsequently lifted following a period of operational demonstration. The engagement concluded in the second half of the preceding year.
Which operator profile should pursue AIFC custody authorization?
The AIFC custody authorization is a strong structural choice for a defined set of operator profiles. It is not the right answer for every business with a Kazakh client base or a Central Asian strategy.
Profile A – institutional fund administrator or prime broker seeking a common-law CIS hub. The AIFC's common-law framework, its arbitration centre and its treaty network make it attractive for operators whose counterparties require enforceable legal relationships. The AFSA authorization adds regulatory legitimacy to the common-law structure. Indicative path: AIFC incorporation, pre-application engagement within the first quarter of operations, authorization within several months of complete submission.
Profile B – exchange operator adding custody as a product layer. If the exchange is already authorized for trading and transfer activity, adding custody requires an extension of scope rather than a fresh authorization. The timeline is shorter, but the safeguarding documentation requirements are the same as for a standalone custodian. Key risk: underestimating the capital impact of adding segregated client-asset obligations to an entity already capital-constrained for its trading authorization.
Profile C – non-AIFC operator seeking AIFC entity as a licensing vehicle only. The AIFC authorization is not designed as a pass-through for operators with no genuine AIFC presence or management. The AFSA expects substance – real key persons, real governance, real infrastructure. An authorization obtained on a substance-light basis faces compliance risk on every annual review. Operators seeking a licensing vehicle with minimal presence should consider other structures; we can map the alternatives.
For operators who do not fit the AIFC profile, comparable custody authorization is available under the VARA regime in Dubai, under the ADGM/FSRA framework in Abu Dhabi, or under MAS in Singapore. Each regime has a different capital model, timeline and ongoing obligation structure. A side-by-side assessment before the entity is incorporated saves the cost of restructuring later.
If a prior application stalled or banking access was withdrawn, a second read on the structure frequently surfaces the reason – and the route forward. Contact OBOLUS at info@oboluslaw.com or reach us via t.me/oboluslaw.
A common assumption: one offshore registration covers Central Asian operations
A common assumption among operators entering the Central Asian digital-asset market is that a registration in a well-established offshore centre – BVI, Cayman, Seychelles – provides adequate authorization to hold client assets for clients in Kazakhstan and the surrounding region. It does not. The AFSA's perimeter applies to activities conducted from within the AIFC, and client-facing obligations in the broader Kazakhstani market are governed by the Republic's own regulatory requirements, which sit outside the AIFC framework entirely.
The practical consequence: an operator holding client digital assets from an offshore entity, without AIFC or in-country authorization, may face enforcement from the AFSA if it presents as an AIFC business, from Kazakhstani financial regulators if it presents as a domestic business, or from the regulators of its clients' home jurisdictions. Offshore registration resolves none of those exposures. It does reduce the upfront cost of establishment – which is the commercial logic that makes it attractive. The problem is that it trades a known upfront cost for an uncertain but larger enforcement cost downstream.
Operators we advise who have relied on an offshore vehicle to serve Central Asian institutional clients have, without exception, needed to restructure to a properly authorized entity before their institutional counterparties would transact at scale. The restructuring cost – including the cost of the original offshore setup that is then redundant – typically exceeds the authorization cost they avoided initially.
Related at OBOLUS
- Digital-asset licensing and registration – the full licensing regime across 70+ jurisdictions, mapped by operator profile
- Digital-asset custody authorization in the UAE (VARA) – how the Dubai custody regime compares for inbound operators
- Worldwide freezing orders in the Czech Republic – recovery options when client assets are misappropriated across borders
FAQ
How long does a crypto licence take to obtain?
In the AIFC, the timeline from complete formal submission to authorization typically runs from several months to the better part of a year, depending on the complexity of the custody model, the quality of the initial submission and whether conditions need to be resolved before authorization is granted. Pre-application engagement with the AFSA – which adds weeks at the front end – generally shortens the formal review cycle by reducing information requests. Timelines in other jurisdictions vary considerably by regime and applicant profile.
Which jurisdiction is best for licensing my crypto business?
There is no universal answer. The AIFC suits institutional operators needing a common-law CIS hub with enforceable counterparty relationships. The VARA regime in Dubai suits operators targeting the Middle East with a broad activity set. MAS in Singapore suits businesses with Asian institutional clients and significant compliance infrastructure. The right jurisdiction depends on the business model, the client profile, the banking requirements and the long-term structural plan. We map those factors before recommending a jurisdiction – not after.
Do I need a separate custody licence?
In the AIFC, custody is a regulated activity distinct from exchange or transfer services. An entity already authorized for trading or payments generally requires an extension of scope to add custody – it cannot assume that an existing authorization covers safeguarding client assets. The documentation and capital requirements for custody apply regardless of whether the activity is standalone or bundled. Some jurisdictions treat custody as a subset of a broader VASP authorization; the AIFC's activity-based approach requires explicit coverage for each regulated function.
OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, including the AIFC, VARA, ADGM, MAS, SFC, MiCA and the FCA regime – on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance architecture that sits around every licensing engagement. Digital assets are the whole of our practice. We map the licence stack – operating, custody and payment layers – before you commit to a structure, not after. To discuss your situation, contact info@oboluslaw.com.
By Aisha Tan, Licensing & Jurisdictions Analyst – specialising in AIFC, VARA and MAS custody and licensing authorization for exchange operators, fund administrators and institutional custodians entering new markets.
This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.