EST · MMXXVI
Home/Services/Licensing Registration/CASP authorisation under mica for Early-stage Founders
Licensing & Registration

CASP authorisation under mica for Early-stage Founders

Casp authorisation under mica for Early-stage Founders. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk to OBO

What the MiCA Regime Actually Covers – and Why Early-stage Founders Get It Wrong

CASP authorisation under MiCA is the mandatory regulatory gateway for any business offering crypto-asset services to EU customers, regardless of where that business is incorporated. The Markets in Crypto-Assets Regulation (MiCA) – the EU's comprehensive digital-asset regulatory regime, administered by ESMA and national competent authorities – came into full effect for crypto-asset service providers in late 2024. For early-stage founders building exchanges, custody platforms, brokerage services or portfolio management tools, the question is no longer whether MiCA applies. It is whether the business is structured to survive the application process.

Operating without the right authorisation risks enforcement action, frozen payment rails and the loss of banking relationships at exactly the moment a business needs them most. This page sets out the regulated perimeter, the process, the common structural mistakes and a decision framework for founders deciding where and how to apply.

Who Needs CASP Authorisation – and Does That Include You?

Any entity providing crypto-asset services to clients located in the EU requires CASP authorisation (authorisation as a Crypto-Asset Service Provider) under the applicable provisions of MiCA, unless a specific exemption applies. The regulated perimeter is wide. It covers operation of a trading platform, execution of orders, exchange of crypto-assets for fiat or other crypto-assets, custody and administration on behalf of clients, reception and transmission of orders, portfolio management and crypto-asset transfer services. Advisory services on crypto-assets are also captured.

Crucially, the territorial reach of MiCA does not stop at the EU border. A company incorporated in the BVI, Cayman Islands or Singapore that actively solicits or onboards EU retail clients is operating inside the MiCA perimeter. In our practice, we regularly advise founders who assumed that an offshore structure – a BVI holding company, a Cayman fund vehicle – was sufficient to ring-fence EU exposure. It is not. The nexus test under the applicable MiCA provisions turns on where the service is directed, not where the legal entity sits.

Exemptions exist for intra-group transactions, for certain peer-to-peer arrangements and for entities already licensed under sectoral financial legislation. But each exemption is narrow and fact-specific. Founders who rely on an exemption without a formal legal assessment carry the enforcement risk personally.

ESMA has published guidance on the boundary between exempt and regulated activity. That guidance makes clear that relabelling an activity – calling a custody service "safekeeping" or calling brokerage "introductions" – does not change its legal character.

How Does the CASP Application Process Work Under MiCA?

The CASP authorisation process under MiCA is sequential, document-intensive and materially different from the lighter-touch registration regimes that preceded it in member states such as Lithuania and Malta. The application is submitted to the national competent authority of the member state where the applicant is incorporated – not where its customers are located. Once authorised, the CASP passport allows the business to provide services across the entire EU and EEA without further local authorisation, which is the single most significant commercial advantage the regime creates.

The application package typically covers: a detailed business plan and financial model; evidence of minimum own funds or capital (the level varies by licence category and is set by the applicable MiCA provisions – founders should confirm current requirements with counsel); governance documentation including management body composition and conflicts policy; AML/CFT policies, procedures and the identity of the MLRO; IT security and operational resilience documentation; and the proposed whitepaper, if the CASP also issues crypto-assets. For founders building from scratch, assembling this package is a six-to-nine month project at minimum, depending on the jurisdiction and the completeness of the underlying business infrastructure.

The competent authority has a defined assessment window once a complete application is accepted. Where the application is deemed incomplete, the clock resets. In our experience, the leading cause of delay is not regulatory hostility – it is an incomplete application submitted prematurely.

A common structural question is jurisdiction selection. Within the EU, member states differ in their supervisory capacity, their processing pace, the sophistication of their guidance and the ancillary banking environment. Lithuania was historically favoured for speed; Malta developed the VFA framework that now transitions to MiCA CASP authorisation. Both remain viable, though both now operate under the same MiCA standard, which narrows the divergence between them.

The MiCA passporting mechanism means that jurisdiction selection is a once-only decision with long-run consequences – the operational home, the regulatory relationship and the supervisory culture all flow from it.

For a scoped assessment of your CASP application structure and jurisdiction selection, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity, the user base, the services offered, the banking – change the analysis materially. Map your options.

What Are the Most Costly Mistakes Early-stage Founders Make?

Early-stage founders pursuing CASP authorisation make a predictable set of structural errors, and most of them are avoidable with early legal engagement. The most consequential is building the operating entity before the licence question is resolved. A founder who incorporates a Malta company, hires a team and signs payment processor agreements – and only then instructs counsel on MiCA – has already constrained the options. Restructuring an operating company mid-application is expensive and signals instability to the regulator.

The second error is underestimating the governance requirements. MiCA requires that the management body collectively holds sufficient knowledge, skills and experience for the type of crypto-asset services offered. For a two-person founding team, this typically means early, documented recruitment of independent board members or senior advisors with relevant regulated-industry backgrounds. Regulators across the leading EU hubs increasingly expect genuine governance substance, not nominee arrangements.

The third error is misclassifying the service. A token that confers rights analogous to a financial instrument does not become a "utility token" by virtue of a legal opinion or a white paper label. MiCA's token taxonomy – distinguishing asset-referenced tokens (ARTs), e-money tokens (EMTs) and other crypto-assets – determines which authorisation or notification route applies. Misclassification at the whitepaper stage creates liability that can surface years later.

A fourth, and increasingly common, mistake concerns the cross-border stack. Founders who obtain MiCA authorisation in one EU member state and then bank through a third-country correspondent, use a US-domiciled custody sub-custodian and settle through a Singapore-regulated exchange are operating a multi-jurisdictional structure that may trigger registration, notification or licensing obligations in each of those hubs. The EU CASP authorisation does not export to Singapore, the UK or the UAE. In our practice, we map the full operating stack – the entity where the licence sits, the entity that holds customer assets, the entity that touches payment rails – before a single application is filed.

In a recent licensing matter, a fintech founder had incorporated an operating company in an EU member state, applied for CASP authorisation and simultaneously onboarded US institutional clients through a subsidiary. The US subsidiary triggered separate FinCEN and state money-transmitter obligations that had not been scoped. We identified the exposure before the EU application was filed and restructured the group to separate the EU retail CASP entity from the institutional business – avoiding a situation where a US enforcement action could have jeopardised the EU authorisation. The matter resolved cleanly, and the EU application proceeded on the corrected structure.

How Does MiCA Interact With Licensing in Other Jurisdictions?

MiCA applies within the EU and EEA, but the digital-asset businesses that succeed in the long run are not purely EU businesses. They serve users across time zones, bank in multiple currencies, custody assets in multiple venues and may be structured across holding, operating and custody layers in different jurisdictions. The EU CASP passport is a powerful instrument – but it covers EU activity only. Every other jurisdiction requires its own assessment.

For a business that also serves clients in the UAE, the applicable regime is the VARA (Virtual Assets Regulatory Authority) framework in Dubai or the FSRA regime within ADGM in Abu Dhabi, depending on where the entity operates. These are activity-based licensing regimes with their own capital, governance and AML requirements. A MiCA-authorised CASP that opens a Dubai office without separate VARA authorisation is in breach in the UAE, regardless of its EU status.

Similarly, UK customers require engagement with the FCA's cryptoasset registration regime under the applicable Money Laundering Regulations and, where financial promotions are involved, compliance with the FCA's crypto financial promotion rules. The UK deliberately did not adopt MiCA. A MiCA passport does not extend to the UK.

Singapore-regulated entities operating under the MAS Payment Services Act framework operate under a separate DPT licensing regime. Hong Kong's SFC administers a VASP licensing regime for virtual-asset trading platforms. These are fully independent of MiCA.

For founders building a global business from an EU base, the practical sequence is: resolve the MiCA authorisation structure first (it is the most demanding), then layer the additional jurisdictions based on the priority user or revenue markets. Allied counsel in each relevant jurisdiction handle the local filing; OBOLUS coordinates the overall structure and ensures that the entity and governance design satisfies each regime simultaneously.

If a prior application stalled or a banking relationship was closed, a structural reassessment can identify the root cause and the route back. Write to info@oboluslaw.com or message us via t.me/oboluslaw. Map your options.

Which CASP Structure Is Right for Your Founder Profile?

No single MiCA application structure fits every early-stage business. The right approach turns on the services offered, the target markets, the capital available and the founder's operational timeline. Below is a decision framework across three common founder profiles.

Profile A – EU-focused exchange or brokerage, seed-stage, sub-five-person team. The priority is obtaining CASP authorisation for exchange and order reception/transmission services in a single EU member state. A streamlined jurisdiction – one with an established competent authority, accessible supervisory guidance and a banking environment that supports crypto businesses – is appropriate. The structure is a single EU operating entity. The application timeline, assuming a well-prepared package, is typically a matter of months rather than years, though this varies by jurisdiction and application quality. Key risk: governance weakness. Solution: recruit an experienced MLRO and at least one independent board member early.

Profile B – Multi-service platform, Series A or later, serving EU and UK or UAE. The structure requires a minimum of two authorised entities: a MiCA-authorised CASP in an EU member state for the EU business, and either an FCA-registered entity for the UK or a VARA-licensed entity for Dubai. Custody services may require a third authorisation, depending on whether they are provided in-house or via a sub-custodian. The timeline extends significantly because applications run in parallel across jurisdictions. Key risk: governance and capital dilution across entities. Solution: a holding structure that consolidates capital and provides shared services to the operating entities, with clear intra-group agreements that satisfy each regulator's independence expectations.

Profile C – Token issuer that also provides secondary market services. This profile triggers both the MiCA whitepaper regime and the CASP authorisation regime. The whitepaper must be notified or approved depending on the token class; a separate CASP authorisation covers the secondary market activities. The interaction between the two regimes – particularly the issuer's obligations regarding market integrity and insider information – is technically demanding. Key risk: misclassification of the token as a non-ART, non-EMT "other crypto-asset" when its economic substance brings it within a more regulated category. Solution: a token classification opinion obtained before the whitepaper is drafted, not after.

What Are the AML and Travel Rule Obligations Under MiCA?

MiCA-authorised CASPs are subject to the full suite of EU AML/CFT obligations, including the applicable provisions implementing FATF Recommendation 15 on virtual assets and the Travel Rule – the obligation to transmit originator and beneficiary information alongside crypto-asset transfers. The Travel Rule threshold for EU transfers is set by the applicable Transfer of Funds Regulation provisions; founders should confirm the current de-minimis and technical standards with counsel, as these have been subject to implementation timelines that vary by member state.

In practice, Travel Rule compliance requires CASP-to-CASP data exchange – each side of a transfer must be able to send and receive originator/beneficiary data. This requires technical integration with a Travel Rule solution provider and a policy for handling transfers to or from non-compliant counterparts, including unhosted wallets. ESMA and the European Banking Authority have published joint guidance on the practical implementation expectations. For early-stage founders, Travel Rule readiness is a pre-authorisation requirement, not a post-licence project.

The cross-border AML dimension is acute for businesses operating in multiple jurisdictions. A VASP registered in Singapore under the MAS Payment Services Act, a VARA-licensed entity in Dubai and a MiCA-authorised CASP in the EU each face the same FATF baseline but implement it through different national rules, different thresholds and different supervisory expectations. An intra-group transfer between these entities may trigger Travel Rule obligations in all three directions simultaneously.

A Pre-Application Checklist for CASP Founders

Before submitting a MiCA CASP application, a well-prepared founding team should be able to answer the following questions affirmatively. If any answer is "not yet," that gap is worth addressing before the application clock starts.

Is the EU operating entity incorporated in the chosen member state, with a registered office and a genuine local presence that satisfies the competent authority's substance expectations? Has the management body been assembled with the required collective knowledge and experience, and has a fit-and-proper assessment been conducted? Is the AML/CFT programme documented, including a risk assessment, customer due-diligence procedures, suspicious-transaction reporting protocols and a named MLRO? Has the token classification question been resolved, and if a whitepaper is required, has it been drafted and reviewed for compliance with the applicable MiCA provisions? Is the IT security and operational resilience documentation current and aligned with the competent authority's expectations? Has the capital structure been confirmed against the minimum own-funds requirement for each licence category being sought? Has the cross-border footprint been mapped, with any additional jurisdiction-specific obligations identified and a compliance plan in place for each?

Operators we advise routinely arrive with five of these seven elements in place. The missing two are almost always governance documentation and the cross-border stack analysis. Both are addressable – but they take time, and time is the scarcest resource for a founder facing a market window.

Related at OBOLUS

FAQ

How long does a crypto licence take to obtain?

The timeline for CASP authorisation under MiCA varies by jurisdiction, licence category and the completeness of the application. A well-prepared application in a jurisdiction with established supervisory capacity typically progresses over a period of months. Incomplete applications reset the assessment clock. Pre-application preparation – governance, AML documentation, capital structuring – is typically a six-to-nine month project before any regulatory submission.

Which jurisdiction is best for licensing my crypto business?

There is no universally best jurisdiction. Within the EU, the right member state turns on supervisory responsiveness, banking environment, operational cost and the services being licensed. Lithuania and Malta have established track records; both now operate under the same MiCA standard. For businesses with non-EU activity, the EU CASP authorisation must be combined with jurisdiction-specific authorisations – VARA in Dubai, FCA registration in the UK, MAS licensing in Singapore – for each relevant market.

Do I need a separate custody licence?

Custody and administration of crypto-assets on behalf of clients is a regulated service under MiCA. If a CASP provides custody in-house, that activity must be covered by the CASP authorisation. Using a third-party sub-custodian does not eliminate the obligation – it shifts the regulatory relationship but introduces counterparty and contractual requirements. In other jurisdictions, such as Singapore under the MAS regime or the UAE under VARA, custody may require a separate, standalone authorisation. The answer is fact-specific and should be confirmed before the structure is finalised.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. We map the licence, banking and custody stack across operating layers before you commit – so that the structure you build is the structure that survives regulatory scrutiny. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com.

By Aisha Tan, Licensing & Jurisdictions Analyst – specialising in EU MiCA CASP authorisations and multi-jurisdictional licensing stack design for early-stage digital-asset businesses.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours