EST · MMXXVI
Home/Services/Licensing Registration/VASP licence application from a Cross-border Perspective
Licensing & Registration

VASP licence application from a Cross-border Perspective

Vasp licence application from a Cross-border Perspective. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk to O

Operating a digital-asset business across borders without the right licences is not a compliance oversight – it is a business-ending risk. Regulators across the EU, the UAE, Singapore and the UK have each accelerated enforcement against unlicensed operators: banking relationships disappear, payment rails freeze and, in the most serious cases, asset-restraint orders follow. The question is not whether your business needs a VASP authorisation (a licence or registration issued to a virtual asset service provider under an applicable regulatory regime) – it almost certainly does. The question is which authorisation, in which jurisdiction, structured around which entity, and sequenced in which order.

This page sets out the legal basis for VASP licence applications, the multi-jurisdiction reality every growing crypto business faces, the structural mistakes that cause applications to fail or stall, and the decision logic we apply when helping clients choose and build their licence stack.

Why Cross-border Licensing Is Not Optional

A VASP licence issued in one jurisdiction does not automatically authorise you to serve customers, hold assets or operate payment infrastructure in another. This is the central legal reality that a single offshore registration obscures. MiCA – the EU's Markets in Crypto-Assets Regulation, supervised by ESMA and the relevant national competent authority – does provide passporting rights once a CASP (crypto-asset service provider) authorisation is granted in one EU member state. But that passport covers EU/EEA territory only. It does not cover the UAE, Singapore, Hong Kong, Switzerland or the UK.

Every jurisdiction in which you solicit, onboard or serve clients, hold their assets or settle their transactions is a potential regulatory trigger point. The entity that holds the licence, the entity that touches the assets and the entity that contracts with users may all sit in different places. Each gap between them is a gap in your regulatory cover.

We regularly advise businesses that discover mid-build that their single registration does not reach the jurisdiction where their banking relationship sits, where their institutional counterparties operate, or where their largest user cohort resides. By that stage, retrofitting the structure is measurably more expensive than building it correctly from the start.

VARA – Dubai's Virtual Assets Regulatory Authority – operates an activity-based regime covering advisory, broker-dealer, custody, exchange, lending and transfer services. ADGM's FSRA (Financial Services Regulatory Authority) covers a distinct free-zone perimeter in Abu Dhabi. Neither regime's authorisation carries passporting rights into the other, let alone into MiCA territory or the MAS regime in Singapore.

What Triggers a VASP Licensing Requirement?

The threshold question – whether a given activity triggers a licensing obligation – turns on substance, not on how the activity is labelled internally. Most major regimes follow the same analytical logic: what service is being provided, to whom, and where does the provider have a real or constructive presence?

The activities most commonly regulated include the exchange of virtual assets for fiat or other virtual assets, the transfer of virtual assets on behalf of another person, the custody or administration of virtual assets or instruments giving access to them, and the operation of a trading platform. Under MiCA, each of these maps to a defined CASP activity class with corresponding own-funds requirements and conduct obligations. Under VARA, each maps to a separately licensed activity under the VARA rulebook. Under the MAS Payment Services Act, the provision of digital payment token (DPT) services triggers a DPT licence. The FCA in the UK requires cryptoasset businesses to register under the Money Laundering Regulations before conducting regulated activities.

The trigger is not incorporation. It is the activity. A Cayman Islands entity operating a trading interface used by EU residents, or a BVI holding company whose wallet infrastructure is managed by a team in Singapore, faces regulatory exposure in every jurisdiction where the activity lands – regardless of where the legal entity is registered.

FATF Recommendation 15 on virtual assets and the associated Travel Rule – the obligation to transmit originator and beneficiary data alongside a transfer – sit beneath all of this as a baseline. Compliance with the Travel Rule is a licensing condition across virtually every flagship regime, not a standalone obligation.

The process above describes the standard analytical framework. Your facts – the entity structure, the user geography, the product design – change the analysis significantly. For a scoped assessment of which activities trigger obligations in your target markets, contact OBOLUS at info@oboluslaw.com.

How Does the VASP Licence Application Process Work?

A VASP licence application is a documentary, organisational and legal submission that demonstrates to a regulator that your business meets the applicable fitness, financial and operational standards. The process is broadly sequential across most regimes, though the depth of pre-application engagement and the regulator's preferred sequence vary.

The first stage is structural. Before a document is drafted, the entity structure must support the application: the applicant entity must be incorporated in the right jurisdiction, have locally qualified directors or approved persons where the regime requires them, and have a group structure that the regulator can map clearly. Regulators increasingly look through complex holding chains and will require UBO (ultimate beneficial owner) disclosure to the same depth as the KYC standards the applicant claims to apply to its own customers.

The second stage is substantive. The application bundle typically comprises a detailed business plan and financial model, AML/CFT policies and procedures, technology and security documentation, a record of previous regulatory engagement (or the absence of it), and – under most MiCA-aligned regimes – a description of the governance model and key-function holders. The Bank of Lithuania, the MFSA in Malta and ESMA-supervised NCAs across the EU each have their own preferred bundle format, but the underlying substance is comparable.

The third stage is the regulator's assessment. The regulator may ask clarifying questions, conduct fitness-and-propriety checks on named individuals, request amended documentation or seek additional financial information. This phase is not passive. Experienced counsel manages the dialogue, anticipates additional requests and keeps the timetable moving. A missed response window can stop a clock or trigger a restart.

The fourth stage is post-authorisation. A licence granted is not a licence that operates itself. Most regimes impose ongoing obligations – periodic reporting, notification of material changes, travel-rule compliance testing, and supervisory cooperation. Failing these obligations after authorisation creates enforcement risk that can be as consequential as the original unlicensed-activity risk.

What Are the Most Common Reasons VASP Applications Fail?

Applications fail – or stall indefinitely – for a small number of recurring structural reasons. Understanding them in advance reduces both cost and timeline.

The most common is misaligned entity structure. The applicant entity is incorporated in a jurisdiction whose legal form, ownership chain or governance model does not fit the licensing regime. A sole-director BVI company applying for a CASP authorisation under MiCA, for instance, will face significant structural objections. The fix requires restructuring, which adds time and cost.

The second is incomplete UBO disclosure. Most flagship regulators – VARA, the MFSA, the Bank of Lithuania, the FSRA within ADGM – conduct deep background reviews of all individuals with significant ownership or control. Gaps in the disclosure, inconsistencies with public records or prior regulatory encounters elsewhere (including enforcement actions in jurisdictions the applicant has not voluntarily disclosed) reliably delay or defeat applications.

The third is generic AML/CFT documentation. Submitting a market-standard AML policy without adapting it to the specific product, the specific user base and the specific risk appetite of the applicant signals to the regulator that the applicant does not understand its own business risk. Regulators in every leading hub – the FCA, VARA, MAS and the relevant MiCA NCAs – have all published guidance on what adequate AML documentation looks like for a VASP. Generic text is not adequate.

The fourth is timing. Businesses often apply after they have already started operating, after a banking relationship has been terminated or after a regulatory enquiry has been received. Applying reactively, rather than proactively, reduces the negotiating space available and can convert a licensing question into an enforcement defence.

In our practice, the applications we see succeed fastest are those where the structural and documentary groundwork is completed before the first page of the application form is touched.

Decision Matrix: Which Jurisdiction Fits Which Operator Profile?

No single jurisdiction is the right answer for every operator. The decision turns on four axes: the product, the user geography, the group structure and the banking environment. The following decision logic is a starting point, not a verdict – the facts of each build will alter the outcome.

Profile A – EU market access as the primary goal. An operator whose primary user base is in the EU, or whose institutional counterparties require MiCA-compliant counterparty status, should pursue CASP authorisation in a MiCA-implementing member state. Lithuania has historically offered a streamlined entry path and a responsive regulator. Malta retains institutional recognition from its VFA era and is transitioning clearly to MiCA. The timeline is typically measured in months rather than weeks; the capital and organisational requirements are the same under MiCA regardless of member state. The passport is the strategic asset.

Profile B – Middle East operations, with or without EU ambition. An operator building a regional exchange or custody business for UAE-resident users or institutional counterparties in the GCC region should engage with either VARA (for mainland Dubai) or the FSRA within ADGM (for the Abu Dhabi financial free zone). The two regimes are architecturally similar but operationally distinct. VARA's activity-based structure suits operators offering multiple service lines from a single UAE entity. The DIFC, a separate financial free zone within Dubai, operates under English law and is not within VARA's perimeter – a structural detail that matters for dispute resolution and for certain institutional transactions.

Profile C – Asia-Pacific user base or institutional connectivity. An operator seeking access to institutional liquidity in Asia, or whose token issuance activity is directed at the Asia-Pacific market, will typically look at MAS under Singapore's Payment Services Act or at the SFC's VASP licensing regime in Hong Kong. Both are credentialed, internationally recognised regimes. Both carry meaningful capital and operational requirements. Singapore's DPT licensing framework is well-developed; Hong Kong's VASP regime for virtual-asset trading platforms (VATPs) is newer but building institutional recognition rapidly. FINMA in Switzerland remains a high-prestige option for asset-token or structured-product use cases.

Profile D – Offshore foundation with regulated subsidiaries. A group whose holding structure is domiciled offshore – in the Cayman Islands, the BVI or a similar jurisdiction – typically combines that holding layer with one or more regulated operating entities in the jurisdictions above. Under the BVI VASP Act 2022, BVI entities providing VASP services are themselves required to register with the BVI FSC; the offshore holding narrative no longer provides a safe harbour. Cayman CIMA similarly requires registration or licensing under the Virtual Asset (Service Providers) Act for qualifying activities.

How Does the Banking and Tax Layer Interact With the Licence?

A licence granted is not a banking relationship opened. The two are related but distinct processes, and failing to run them in parallel is one of the most common and most costly sequencing mistakes we see.

Banks – including crypto-friendly correspondent banks and EMI (e-money institution) partners – conduct their own due diligence on VASP counterparties. They want to see an active licence or registration, a clean AML programme and a compliant Travel Rule implementation. A business that obtains its licence and then begins the banking search frequently discovers that the preferred banking partner has a three-to-six-month onboarding queue, or requires structural changes the licence does not mandate but the bank's compliance team does.

The tax dimension adds a further layer. The jurisdiction of licensing, the jurisdiction of management and control and the jurisdictions of economic activity may all be different. Each difference is a potential taxable nexus. Token issuance, staking reward treatment, and the characterisation of trading gains all vary across jurisdictions and are treated inconsistently even within the EU pending further harmonisation. In our cross-border practice, we map the tax and banking stack at the same time as the licence stack – because changes made to one routinely require changes to the others.

If a prior application stalled or a banking relationship closed, a structural review can identify the underlying cause and the route forward. Write to OBOLUS at info@oboluslaw.com or reach us via t.me/oboluslaw.

A Common Assumption About Offshore Licences

A persistent assumption in the market is that a single offshore registration – a Seychelles entity, a St Vincent registration, or a flag-of-convenience VASP listing – is sufficient to operate a global exchange. It is not, and the regulatory architecture of the last three years has made this demonstrably clear.

MiCA prohibits the marketing of crypto-asset services to EU residents by an unauthorised entity, regardless of where that entity is incorporated. The FCA's financial-promotion rules apply to communications directed at UK persons, regardless of the communicator's incorporation. The MAS has taken enforcement action against entities with no Singapore presence whose platforms were accessible to Singapore users. VARA specifically addresses the question of activities conducted "into" Dubai by offshore entities.

The analysis does not change because the entity is offshore. It changes because the activity reaches a regulated jurisdiction. Operators who rely on an offshore structure to avoid licensing obligations in their actual markets are not in a grey area – they are in the enforcement zone, and the enforcement trend across every major hub is tightening, not loosening.

We map the regulatory perimeter before the entity structure is fixed, not after. That sequencing matters.

A Recent Cross-border Licensing Matter

In a recent licensing engagement, a digital-asset exchange operator headquartered in the Gulf approached us after its application to a MiCA-aligned national competent authority had stalled at the UBO-disclosure phase. The exchange was live, processing meaningful volume, and held a registration in an offshore jurisdiction that predated the current regulatory environment. The stall was structural: the UBO chain ran through two intermediate holding entities whose ownership was partially undisclosed, and the AML documentation referenced the offshore regime rather than the target EU regime's requirements. We restructured the UBO chain, replaced the AML documentation with regime-specific policies and rebuilt the governance disclosure. The application resumed and was assessed on its merits. The operator now holds a MiCA-pathway authorisation and is building toward its EU passport. The offshore registration was subsequently surrendered.

Self-assessment Checklist Before You Apply

The following questions are the same ones a regulator will ask. If any answer is uncertain, the application is not ready.

  • Is the applicant entity incorporated in the target jurisdiction, or does the regime require local incorporation?
  • Are all UBOs identified, verified and prepared to undergo fitness-and-propriety review?
  • Does the governance structure include locally qualified directors or approved persons where required?
  • Is the AML/CFT documentation product-specific, risk-calibrated and up to date with FATF guidance on virtual assets?
  • Does the Travel Rule compliance programme cover the specific transfer types and jurisdictional thresholds that apply?
  • Has the technology and security documentation been prepared to the applicable supervisory standard?
  • Has the group structure been mapped for the regulator, including all entities with shared management or beneficial ownership?
  • Is the banking relationship either in place or under active negotiation in parallel with the application?
  • Has the tax analysis for the chosen structure been completed across all relevant jurisdictions?

Related at OBOLUS

FAQ

How long does a crypto licence take to obtain?

Timeline varies significantly by jurisdiction, regime and the completeness of the application at submission. Under MiCA, the formal assessment period is set by the regulation, but pre-application preparation, regulator dialogue and post-submission clarification requests add to the overall elapsed time. VARA, MAS and the SFC each operate on their own assessment windows. In our experience, applications prepared with complete documentation and a well-structured entity move through review measurably faster than those requiring iterative correction. Plan for a process measured in months, not weeks, for any flagship regime.

Which jurisdiction is best for licensing my crypto business?

There is no single best jurisdiction. The right answer depends on your product, your user geography, your group structure and your banking strategy. EU market access points toward a MiCA-compliant CASP authorisation. Gulf operations point toward VARA or the FSRA within ADGM. Asia-Pacific connectivity points toward MAS or the SFC in Hong Kong. The mistake is optimising for one dimension – typically speed or cost – and ignoring the others. We map the full stack before recommending a primary jurisdiction and advise on the sequencing of any secondary authorisations required.

Do I need a separate custody licence?

In most flagship regimes, custody of virtual assets is a regulated activity in its own right. Under MiCA, the safekeeping and administration of crypto-assets is a separately defined CASP service. Under VARA, custody is a distinct licensed activity. A combined exchange-and-custody service typically requires either a combined authorisation or two separate ones, depending on the regime. Running custody within an exchange licence without specific authorisation is a compliance gap that regulators have explicitly signalled they will pursue. We assess the custody dimension as a standard element of every licensing engagement.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. Digital assets are the whole of our practice. Operators we advise routinely span multiple regulatory perimeters simultaneously – our core value is mapping the full stack, not optimising a single piece of it. To discuss your situation, contact info@oboluslaw.com.

By Aisha Tan, Licensing & Jurisdictions Analyst – specialising in multi-jurisdiction VASP authorisation strategy and cross-border regulatory structuring for digital-asset operators.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours