EST · MMXXVI
Home/Services/Compliance Aml Travel Rule/VASP business risk assessment for Established Operators
Compliance, AML & Travel Rule

VASP business risk assessment for Established Operators

Vasp business risk assessment for Established Operators. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk to OB

Established virtual asset service providers face a different regulatory challenge than startups seeking initial authorization. The compliance program that passed muster two years ago may now expose the business to supervisory action, banking withdrawal or enforcement. Under the MiCA (Markets in Crypto-Assets Regulation) regime in the European Union, under VARA (Virtual Assets Regulatory Authority) rules in Dubai, and under the Payment Services Act supervised by MAS (Monetary Authority of Singapore), regulators are conducting thematic reviews of existing licensees – not just examining new applicants. The business risk is not theoretical. A compliance program built for one product set, one user base or one jurisdiction can become a liability the moment any of those three factors change.

This page sets out what a structured VASP business risk assessment involves for an established operator, why it differs from a new-applicant review, and how the cross-border reality of digital-asset operations makes the exercise more complex – and more necessary – than a standard AML audit.

Why Established Operators Need a Fresh Risk Assessment

An established operator's AML risk profile shifts whenever the business changes – and in digital assets, the business changes constantly. New products, new user corridors, a custody expansion or a stablecoin integration each add risk vectors that an existing program may not address. Supervisors under MiCA, VARA and the FATF (Financial Action Task Force) Recommendation 15 framework for virtual assets have all signaled that periodic, documented risk re-assessment is an expectation, not an option.

The common failure mode we see in our practice is an operator whose written policies reflect the original licensing application but whose actual operations have diverged. The gap between documented controls and live activity is exactly what a regulatory inspection targets. When the FCA (Financial Conduct Authority) in the United Kingdom reviews a firm's cryptoasset registration under the Money Laundering Regulations, or when VARA conducts a desk-based supervision exercise, the first document requested is the business-wide risk assessment. A stale or templated document signals that the compliance function is not keeping pace.

Operating without an up-to-date risk assessment also undermines the firm's negotiating position in two practical scenarios: a banking review and a regulatory inquiry. Banks serving VASPs increasingly require documented evidence of live controls before renewing facilities. An operator who cannot produce a current, product-specific risk assessment is a de-risking candidate.

For a scoped review of your current compliance posture, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity structure, the user base geography and the banking layer – change the analysis materially.

What a VASP Business Risk Assessment Covers

A structured VASP business risk assessment for an established operator examines four interlocking dimensions: the product and service risk profile, the customer and counterparty risk profile, the geographic risk profile and the delivery-channel risk profile.

Product and service risk maps every revenue-generating activity against the applicable regulatory classification. A platform offering spot trading, staking and a custody wallet is carrying three distinct risk profiles. The staking product may introduce DeFi exposure. The custody wallet changes the safeguarding obligation. Each new product restarts the classification analysis under the relevant regime – whether that is the CASP authorisation categories under MiCA, the activity-based licence matrix under VARA or the licence tiers under the Payment Services Act.

Customer and counterparty risk reviews whether the KYC (know-your-customer) framework in operation actually matches the customer types the platform serves. An operator who expanded into institutional clients without updating its enhanced due-diligence procedures for legal-entity customers is exposed. So is one whose retail onboarding uses risk-scoring calibrated for a lower-volume market before a user-growth event.

Geographic risk is the dimension most often under-documented by established operators. Where users are located is a regulatory fact, not a contractual choice. A platform incorporated in Malta under the MFSA's VFA framework transitioning to MiCA cannot simply ignore user concentrations in higher-risk corridors by reference to its terms of service. FATF high-risk-jurisdiction lists are incorporated by reference into most supervisory expectations. Every significant user corridor needs a documented rationale and proportionate controls.

Delivery-channel risk addresses how the platform is accessed. Mobile-first operators who added API access for algorithmic traders, or retail exchanges who enabled institutional sub-account structures, have opened channels whose AML risk profile differs from the original design. Those channels need to appear, named and assessed, in the risk document.

How Does the Travel Rule Interact with an Established Operator's Risk Assessment?

The Travel Rule (the obligation, derived from FATF Recommendation 16, to pass originator and beneficiary information with virtual-asset transfers) is now operational across most flagship licensing jurisdictions and creates a direct link between a VASP's transaction monitoring architecture and its counterparty risk framework. For an established operator, the Travel Rule is not a checkbox item – it is a live data-quality and counterparty-management obligation that must be reflected in the risk assessment.

Two practical issues arise repeatedly. First, a VASP may be exchanging Travel Rule data with counterparty VASPs whose own compliance programs are weak. Under most supervisory interpretations, receiving Travel Rule data from an unverified or non-compliant counterparty does not discharge the receiving VASP's obligation – it may compound it. The risk assessment must document the operator's VASP counterparty due-diligence procedure, including how unhosted-wallet transactions are handled.

Second, the technical implementation of Travel Rule compliance varies by jurisdiction. The data threshold above which the Travel Rule obligation is triggered, and the de-minimis treatment, differ across MiCA, the Singapore framework, the Hong Kong VASP regime and the AIFC/AFSA rules in Kazakhstan. An operator serving users across those jurisdictions needs a policy that addresses the most demanding applicable standard – or a jurisdictional tiering that is defensible under examination. Neither can be produced without a current, geographically specific risk assessment.

In our cross-border practice, we regularly see operators who have deployed a Travel Rule technical solution but have not updated their AML program documentation to reflect it. The gap between the technical capability and the written policy is itself a compliance finding.

Common Mistakes Established Operators Make in AML Risk Programs

The most consequential errors are structural, not procedural. They persist across licensing cycles because no one is tasked with questioning the original architecture.

The first is ownership confusion between compliance and product. As VASP businesses scale, product teams launch new features faster than compliance can re-assess them. The result is a risk document that describes the product set at licensing, not the product set today. A current assessment requires a formal change-management trigger: every new product, new corridor or new counterparty type generates a risk-assessment addendum before launch, not after.

The second is transaction monitoring tuned to old baselines. Rules written for a platform processing modest volumes may generate excessive false positives – or, more dangerously, miss genuine red flags – after user growth or product expansion. An established operator's risk assessment must include a documented review of whether transaction monitoring rules remain calibrated to current activity patterns.

The third is geographic expansion without documented risk rationale. Operators who open up new user corridors by relaxing geo-blocking, or who onboard institutional clients with counterparty exposure in higher-risk jurisdictions, frequently do so without updating the risk assessment. When a supervisor asks for the business-wide risk document and a significant user corridor is unaddressed, the answer "we did not consider that market material" is rarely persuasive.

The fourth – and perhaps the subtlest – is MLRO role drift. In growing firms, the MLRO (Money Laundering Reporting Officer) role is often held by someone whose primary function is legal, operations or product. The risk assessment may be formally signed by the MLRO but authored by a consultant or junior analyst without sufficient product knowledge. Regulators examining the document for internal consistency will identify the disconnect.

The Cross-Border Dimension: Why One Licence Is Rarely Enough

A common assumption among established operators is that a well-maintained licence in a single reputable jurisdiction provides adequate cover for a global user base. It does not. Regulatory exposure in digital assets follows activity, not incorporation. A platform licensed under VARA in Dubai, with MiCA-passportable operations from Malta and users in Singapore, carries supervisory obligations in at least three frameworks simultaneously.

The cross-border risk assessment question is therefore not "where are we licensed?" but "where are we operating, and what does each of those jurisdictions require?" The answer shapes the risk matrix, the due-diligence standards and the SAR (suspicious-activity report) filing obligations. An operator filing SARs only to its home-jurisdiction FIU while serving a significant user base in a jurisdiction with its own reporting obligation is carrying a documented compliance gap.

Banking adds a further layer. VASPs in multiple jurisdictions often bank across multiple institutions, each with its own AML program and correspondent relationships. A banking-friendly risk assessment – one that a correspondent bank's compliance team can read and sign off on – is structured differently from a regulator-facing document. We map the licence, banking and compliance stack together, because a gap in any one layer affects the others.

For operators considering a second or third licensing jurisdiction, a risk assessment review is a prerequisite to the licensing application itself. No competent regulator in a flagship hub will grant a CASP authorisation, a VARA licence or a Payment Services Act licence to an established operator whose home-jurisdiction risk documentation is materially deficient.

If a prior application stalled or a banking relationship was withdrawn, a structured review can identify the compliance gap and the route back. Write to info@oboluslaw.com.

The Risk Assessment Process: What to Expect

A structured VASP business risk assessment for an established operator proceeds in identifiable stages, and understanding those stages helps the compliance team prepare efficiently.

The first stage is a document and data review. This covers the existing business-wide risk assessment (if one exists), the current AML/CFT policy suite, the MLRO's most recent annual report, transaction monitoring rule sets and alert disposition data, KYC framework documentation, and any prior regulatory correspondence. The gap between what is documented and what is operationally true is visible in this stage.

The second stage is a product and activity map. Every product, every user corridor and every counterparty type is logged against the applicable regulatory classification. New activities since the last documented assessment are flagged immediately. This is where Travel Rule coverage gaps typically surface.

The third stage is a risk-scoring exercise. Each dimension – product, customer, geography, channel – is scored against a calibrated methodology. The methodology must be documented, because supervisors reviewing the risk assessment will examine not only the scores assigned but the rationale for the scoring approach.

The fourth stage is a gap analysis: the distance between the risk scores assigned and the controls currently in place. A high-scoring risk with a weak or undocumented control is a finding. The gap analysis feeds a remediation plan with prioritized action items, ownership and timelines.

The output is a single, integrated document that a supervisor, a correspondent bank or a prospective licensing authority can read as a coherent description of how the operator understands and manages its AML risk. It is not a template. A templated risk assessment is identifiable at a glance and signals the opposite of what it is meant to demonstrate.

Decision Matrix: Which Operators Need Immediate Action

Not every established VASP faces the same urgency. The following profiles guide the prioritization decision.

Profile A – Rapid growth, unchanged compliance infrastructure. A VASP that has doubled its user base or added a new product (staking, lending, institutional custody) since its last formal risk assessment is carrying an undocumented risk increase. The appropriate response is an immediate gap analysis, followed by a full risk-assessment refresh, before the next supervisory touchpoint. The key risk is that an undocumented expansion is the first thing a thematic review will identify.

Profile B – Multi-jurisdiction expansion in progress. An operator adding a MiCA CASP authorisation, a VARA licence or a Singapore Payment Services Act licence to an existing structure needs a risk assessment that is fit for the new regulator's expectations, not only the home regulator's. The appropriate response is a cross-border risk assessment that maps all active jurisdictions against a unified control framework. Timeline pressure is real: most licensing applications require the risk assessment as a condition of completeness.

Profile C – Banking review or correspondent pressure. A VASP whose banking relationships are under review, or whose correspondent bank has requested updated AML documentation, needs a banking-audience risk assessment quickly. The document must demonstrate calibrated controls, current transaction monitoring and a live MLRO function – not a filing from the original licensing date. In our experience, a well-prepared risk assessment can materially shift a bank's de-risking decision.

Profile D – Post-enforcement or prior regulatory finding. An operator who has received a supervisory letter, a deficiency notice or a formal finding on AML controls faces the most time-sensitive situation. The remediation plan required by the regulator typically references the risk assessment as the anchor document. A credible remediation requires a credible risk assessment as its foundation.

A Note on the MLRO Function

In late 2024, a payment technology company operating across two licensing jurisdictions engaged us after its primary banking partner requested a full AML file review as a condition of account renewal. The firm had a current licence in each jurisdiction and a compliant onboarding process, but its business-wide risk assessment had not been updated since the second licensing application. We conducted a product and activity mapping exercise, identified three product lines launched after the last documented assessment and re-scored the geographic risk profile to reflect a material increase in higher-risk-corridor volume. The refreshed document – accompanied by a gap-analysis remediation plan with evidenced closure dates – was submitted to the bank within the required timeframe. The account was retained. The exercise also surfaced a Travel Rule policy gap that was remediated before the next supervisory cycle.

Objection Handler: Is a Single Offshore Licence Sufficient?

A common assumption in the market is that a well-maintained VASP registration in an offshore jurisdiction – the BVI under the VASP Act 2022, the Cayman Islands under the CIMA regime, or a low-burden AML-registration jurisdiction – is sufficient to manage global regulatory exposure. The assumption is incorrect for established operators with material user volumes.

An offshore registration satisfies the registration requirement in the jurisdiction of incorporation. It does not satisfy the regulatory obligations of jurisdictions where users are located, where fiat on-ramps and off-ramps operate, or where the banking layer sits. A VASP with a BVI FSC registration and a significant European user base is not insulated from MiCA supervisory expectations by virtue of its BVI status. ESMA and the national competent authorities supervising MiCA apply an activity-based perimeter, not an incorporation-based one.

The business consequence of the single-licence assumption is not hypothetical. We have seen operators lose EU banking access, face FCA financial-promotion enforcement and receive supervisory correspondence in jurisdictions they believed were not relevant to them – all while maintaining a valid offshore registration. The risk assessment is the document that makes the multi-jurisdictional exposure visible and manageable.

Operators we advise who have worked through this exercise routinely identify two or three jurisdictions where they have material activity and no documented compliance position. The corrective path – whether that is a licensing application, a controlled market exit or a documented exemption analysis – is far less disruptive when identified proactively than when surfaced by a regulator.

Related at OBOLUS

FAQ

What does the Travel Rule require from a VASP?

The Travel Rule, derived from FATF Recommendation 16 for virtual assets, requires a VASP to collect and transmit originator and beneficiary information alongside virtual-asset transfers above the applicable threshold. The specific data fields and the threshold above which the obligation is triggered vary across jurisdictions – MiCA, the Singapore Payment Services Act, the Hong Kong VASP regime and the AIFC framework each set their own requirements. A VASP must comply with the most demanding standard applicable to the corridor being served. Technical implementation and counterparty VASP verification are equally part of the obligation.

Who must act as MLRO for a crypto firm?

Most licensing regimes that require an AML program – including under MiCA, VARA, the FCA's MLR registration and the MAS framework – require the designation of a named MLRO (Money Laundering Reporting Officer) who is accountable for the firm's AML function. The MLRO must typically be a sufficiently senior individual with real authority, adequate resources and direct access to management. Regulators increasingly expect the MLRO to be embedded in the business rather than an external consultant. The precise seniority and fitness-and-propriety requirements vary by regime and licence category.

How do regulators audit crypto AML programs?

Supervisors conducting AML audits of VASPs typically begin with the business-wide risk assessment and then test whether the documented controls match operational reality. They examine transaction monitoring rule sets, alert-handling records, KYC file samples, Travel Rule data-quality records and MLRO annual reports. Thematic reviews – where a regulator examines a cohort of firms on a specific topic such as Travel Rule implementation or high-risk-customer due diligence – are increasingly common across MiCA national competent authorities, VARA and MAS. Gaps between policy documentation and live practice are the most common enforcement trigger.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the compliance, AML and Travel Rule programs that sit around them. We map the licence, banking and compliance stack across operating, custody and payment layers before you commit to a structure. We also work alongside forensic partners to convert on-chain evidence into court-ready disclosure applications where enforcement action follows a compliance failure. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com or message us via t.me/oboluslaw.

By Victor Olsen, Regulatory & Compliance Analyst – specialist in VASP AML program architecture, Travel Rule implementation and cross-border supervisory compliance for established digital-asset operators.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours