EST · MMXXVI
Home/Services/Token Offerings Securities/Stablecoin issuance authorisation from a Cross-border Perspective
Token Offerings & Securities

Stablecoin issuance authorisation from a Cross-border Perspective

Stablecoin issuance authorisation from a Cross-border Perspective. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring.

Stablecoin issuance sits at the intersection of three distinct regulatory regimes simultaneously. A token pegged to a fiat currency is, depending on its design and the jurisdiction of its offerees, an e-money token (a digital token maintaining a stable value by referencing a single official currency), an asset-referenced token (a token referencing a basket of assets, currencies or commodities), a regulated payment instrument, or – in the wrong structure – an unregistered security. Getting the token classification wrong before launch does not merely slow the product. It converts the issuance into an enforcement event.

This page sets out the regulated basis for stablecoin issuance, the authorisation process across the leading hubs, the cross-border complications that operators consistently underestimate, and the structuring decisions a legal team must resolve before a whitepaper goes out. The analysis draws on the applicable MiCA regime, the VARA rulebooks, the FSRA framework in ADGM, the MAS Payment Services Act regime in Singapore, and comparable regimes in the BVI and Cayman Islands.

What makes a stablecoin a regulated instrument?

A stablecoin becomes a regulated instrument the moment its design confers rights that fall within a statutory definition – and every major regime now has one. Under MiCA, the EU's Markets in Crypto-Assets Regulation, a token that maintains a stable value by referencing the value of one official currency is an EMT (e-money token); a token referencing a basket is an ART (asset-referenced token). Both categories require issuer authorisation. The legal question is not whether the issuer intends to offer a regulated product. It is whether the design of the token, assessed against its substance, falls within the definition.

The substance-over-label principle is the operating rule across every major regime. A whitepaper that calls a token a "utility token" does not settle the classification. What matters is the bundle of rights the token confers on the holder: does it give a claim on the issuer, a redemption right, a yield, or access to a reserve? Those economic attributes – not the marketing description – determine the regulatory category. OBOLUS assesses classification against the substance of rights from the outset of any issuance engagement, because a misclassification identified after the token generates a trading market is structurally far harder to correct.

This risk is acute for operators expanding into the EU. Under MiCA, an issuer of significant ARTs or EMTs (a designation tied to defined thresholds of holders and transaction volume) faces enhanced supervisory requirements, including direct oversight by ESMA alongside the relevant national competent authority. A cross-border issuance that reaches those thresholds without the issuer anticipating the enhanced regime creates a compliance cliff.

Which authorisation regime applies to your issuance?

The applicable authorisation depends on three variables: the peg mechanism, the jurisdiction of the issuing entity, and the geographic reach of the offering. Those three variables rarely point to a single answer.

In the EU and EEA, an EMT issuer must be authorised either as a credit institution or as an electronic money institution (EMI) – an entity licensed to issue electronic money under the applicable payments directive – and must comply with the whitepaper and disclosure obligations under MiCA. An ART issuer requires direct authorisation under MiCA from the relevant national competent authority and must maintain reserve assets that meet the composition and custody requirements set out in the applicable regime provisions. Both categories require a MiCA-compliant whitepaper to be published, passported and notified to ESMA before the token is offered to the public in the EU.

In Dubai, VARA (the Virtual Assets Regulatory Authority) regulates virtual-asset issuance under its activity-based rulebooks. An operator wishing to issue a stablecoin on the mainland Dubai market must hold the relevant VARA authorisation for issuance activity. The VARA regime is distinct from the ADGM/FSRA framework that applies in the Abu Dhabi free zone: operators should not assume that a single UAE-facing structure covers both. In our practice, operators regularly underestimate this distinction when building a UAE commercial presence.

In Singapore, the MAS Payment Services Act classifies certain stablecoins as digital payment tokens (DPTs) or, for single-currency pegged stablecoins meeting defined criteria, as regulated MAS-regulated stablecoins subject to reserve, redemption and disclosure requirements. The applicable licence tier under the Payment Services Act depends on the scale of the issuance and the nature of activities conducted.

In the BVI and Cayman Islands, the BVI FSC and CIMA respectively administer VASP registration regimes. Neither jurisdiction has yet enacted a bespoke stablecoin issuer authorisation category equivalent to MiCA's ART/EMT framework. An issuer using an offshore vehicle must therefore consider whether the token constitutes a security, an investment fund interest, or a payment instrument under the relevant regime – and whether the target markets impose their own extraterritorial requirements regardless of where the issuer is domiciled.

Bridging CTA: The analysis above describes the standard classification paths. Your entity structure, reserve mechanism, and user geography change the analysis materially. For a scoped classification and authorisation assessment, contact OBOLUS at Map your options.

What does the authorisation application process involve?

Stablecoin issuer authorisation is a document-intensive process that typically runs across multiple regulatory bodies simultaneously when the issuance is cross-border. The core elements are consistent across the leading regimes: a legal entity with the required paid-in capital, a whitepaper that meets the applicable disclosure standard, evidence of governance and risk management arrangements, AML/CFT policies that satisfy FATF Recommendation 15 obligations, and – for most regimes – a detailed description of the reserve asset mechanism.

Under MiCA, an ART authorisation application must be submitted to the national competent authority of the issuer's home member state. The competent authority then reviews the application against the requirements of the applicable regime provisions and may request additional information. The process concludes with a decision on authorisation. If the issuer has passporting intentions, the NCA notifies the competent authorities of the target member states. An EMT issuer operating through an EMI applies for the EMI authorisation through the relevant national process – Lithuania and Malta are frequently used entry points because of established supervisory infrastructure, with the MiCA CASP transition now reshaping both pathways.

The whitepaper requirement is not merely a disclosure formality. Under MiCA, the whitepaper for an ART or EMT must contain specified content categories, must be published on the issuer's website, and must be notified to the regulator. Liability for inaccurate or misleading whitepapers attaches under the applicable provisions. OBOLUS provides end-to-end MiCA whitepaper review as a scoped service, assessing the draft against the disclosure obligations before submission.

In practice, the authorisation timeline varies by jurisdiction and application quality. Regulators in the leading hubs increasingly expect pre-application engagement – a meeting or written query submitted before the formal filing – and applications that arrive without prior regulatory engagement tend to generate more information requests and longer review periods. In our cross-border practice, we prepare pre-submission regulatory engagement materials as a standard step in the authorisation process.

How does a cross-border offering complicate the authorisation picture?

A stablecoin offered across borders faces layered authorisation risk because the issuer's home jurisdiction and the users' jurisdictions each impose independent requirements, and those requirements can conflict. The home-jurisdiction authorisation does not function as a global passport outside MiCA's EEA passporting mechanism. An issuer authorised in Lithuania as an EMT issuer under MiCA may passport that authorisation across the EEA. It cannot rely on that authorisation to offer the token to users in Singapore, Dubai, the UK or the United States.

The United States presents the most complex extraterritorial exposure. The SEC and the CFTC each assert jurisdiction over digital-asset activities involving US persons based on the nature of the token and the activities conducted, regardless of where the issuer is incorporated. FinCEN's money-services-business framework and state money-transmitter licensing obligations create a further layer of compliance obligation. An issuer that does not actively geofence US persons and document that exclusion creates a live enforcement risk even if the entity never touches the US market intentionally.

Banking access amplifies this complexity. Stablecoin issuers hold reserve assets, typically in fiat currency or short-duration government instruments, in segregated accounts. Securing and maintaining banking relationships for a reserve account is a distinct business problem from obtaining regulatory authorisation. Banks that service stablecoin issuers apply their own due-diligence and risk-appetite frameworks, and a regulator-approved issuer can still find itself without reserve custody arrangements. Operators we advise regularly discover that banking access planning must run in parallel with – not after – the regulatory authorisation process.

The Travel Rule (the FATF-derived obligation requiring virtual-asset service providers to pass originator and beneficiary data with transfers above the applicable threshold) applies to transfers of stablecoins in most of the leading regimes. An issuer whose token is transferred through third-party VASPs must ensure that those VASPs have Travel-Rule-compliant infrastructure, and that the issuer's own transfer mechanisms support data transmission. This is an infrastructure obligation, not just a legal one, and it must be embedded in the token's technical architecture before launch.

What are the most common mistakes in stablecoin issuance structuring?

Mis-classifying the token at inception is the most consequential mistake we encounter. The assumption that a utility label on a whitepaper settles the legal classification is consistently wrong. Regulators in the EU, the UAE, Singapore and the UK each apply a substance-based analysis. A stablecoin that gives holders a redemption right at par against the issuer's reserve is not a utility token in any of those regimes. It is a payment instrument or an EMT, depending on the peg structure. Launching under an incorrect classification and then reissuing or restructuring after a regulator challenge is operationally expensive and reputationally damaging.

The second common mistake is treating the whitepaper as a marketing document rather than a regulated disclosure. Under MiCA, the whitepaper is a liability document. Statements in it about the reserve mechanism, the redemption process and the token rights must be accurate, verifiable and consistent with the actual smart-contract and legal architecture. A whitepaper that describes daily redemption at par when the legal terms allow a 30-day redemption window, for example, creates both a regulatory and a civil liability exposure.

The third mistake is sequencing banking after regulation. We have seen issuers reach final authorisation in good faith and then spend many months attempting to open the reserve account because they did not commence bank engagement early enough. Reserve custody is a regulated activity in most regimes; the bank must itself be satisfied with the issuer's governance and AML arrangements, independent of the regulator's authorisation decision. Starting that dialogue at the same time as the regulatory process – not after it – is a material risk-reduction step.

A structuring matter: multi-jurisdiction EMT issuance

In a recent cross-border structuring engagement, a payments technology company sought to issue a EUR-referenced e-money token for use across the EU and the GCC. The company had established a preliminary whitepaper using a utility-token framing and proposed to issue from a BVI entity. Our review identified that the token's redemption mechanics placed it squarely within the EMT definition under MiCA, and that the BVI entity structure would not support EU passporting. We advised on the redomiciliation of the issuance entity to an EU member state with an established EMI authorisation pathway, restructured the whitepaper disclosure to meet MiCA's content requirements, and prepared the pre-application engagement materials for the relevant national competent authority. We also mapped the VARA notification requirements for the GCC-facing distribution and identified that parallel authorisation in that market required a distinct local entity. The matter concluded with the client holding a clear roadmap for a dual-track authorisation process – before any token went to market.

Which structure fits which operator profile?

The right authorisation structure depends on the issuer's commercial profile, target geography and reserve mechanism. The following profiles describe the principal decision paths.

An EU-focused EMT issuer with a single fiat peg and a European user base should pursue MiCA-based EMI authorisation in a member state with a well-developed supervisory infrastructure. Lithuania and Malta have established pathways under the transitional MiCA regime. The key risk is achieving the required capital and governance standards before the supervisory clock begins running on the MiCA transition deadline.

An issuer targeting the GCC with a USD or AED peg and no immediate EU user base should assess the VARA issuance framework for Dubai and the ADGM/FSRA framework for Abu Dhabi as parallel tracks, since the two free zones operate distinct regimes. Banking in the GCC for reserve custody is a material practical question that must be resolved in parallel with the regulatory application.

An issuer seeking a global remittance or B2B payments use case, with users across multiple jurisdictions including Southeast Asia, should begin with the MAS Payment Services Act classification analysis. Singapore's single-currency stablecoin framework imposes reserve, redemption and audit requirements that are operationally demanding. An issuer that does not meet those requirements may need to structure the product as a DPT service rather than a regulated stablecoin, which carries different downstream restrictions.

An issuer using an offshore holding structure in the BVI or Cayman Islands for fund management or treasury purposes, with no direct retail offering, faces the lightest domestic authorisation burden – but must conduct a jurisdiction-by-jurisdiction analysis of every market in which the token will be distributed, since the offshore domicile offers no extraterritorial shield against the regulatory requirements of the distribution markets.

If a prior structure stalled at the banking or regulatory stage, a second read of the architecture can surface the structural reason and the route forward. For that analysis, write to OBOLUS at Map your options.

Self-assessment checklist before filing an authorisation application

Before committing to a formal regulatory filing, an issuer should be able to answer the following questions clearly. If the answer to any of them is uncertain, the gap should be resolved before submission, not during the review process.

  • Has the token been classified against the substantive definitions in each target jurisdiction, not merely under the issuer's home law?
  • Does the whitepaper accurately describe the reserve mechanism, the redemption rights, and the smart-contract architecture – and are those descriptions consistent with the actual legal terms?
  • Is the issuing entity domiciled in a jurisdiction that can support the required authorisation and, where relevant, passporting?
  • Has the reserve custody arrangement been confirmed with a banking counterparty, not merely assumed?
  • Does the AML/CFT programme satisfy FATF Recommendation 15 and the Travel Rule requirements of each target market?
  • Has the token's technical architecture been reviewed for Travel-Rule data-transmission compatibility?
  • Have US-person geofencing obligations been assessed and implemented, even if the issuer does not target the US market?
  • Has pre-application engagement with the relevant regulator been scheduled and the engagement materials prepared?

We regularly advise clients through each of these steps as part of a scoped pre-filing audit. The objective is to reach submission with a complete, accurate application – not to iterate through regulator information requests.

Related at OBOLUS

FAQ

Is my token a security?

Token classification turns on the substance of rights the token confers, not on its label. A token that gives holders a claim on the issuer's assets, a profit expectation, or a share in an enterprise may meet the legal definition of a security under US, EU or UK law regardless of how it is described in the whitepaper. OBOLUS assesses classification against the applicable regime in each target jurisdiction before any token goes to market, because misclassification identified after launch is structurally far harder to correct.

Do I need a MiCA whitepaper?

Under MiCA, an issuer of an ART or EMT that is offered to the public in the EU or EEA must publish a whitepaper that meets the prescribed content requirements and notify it to the relevant national competent authority before the offering. Certain exemptions apply – for example, for offerings below defined thresholds or directed exclusively at qualified investors – but those exemptions are narrow. An issuer offering a stablecoin to retail users in the EU without a compliant whitepaper is in breach of the applicable MiCA provisions.

How should an airdrop be structured legally?

An airdrop – the distribution of tokens to recipients without direct payment – is not automatically exempt from regulatory requirements. If the distributed tokens are classified as ARTs, EMTs or securities in the target jurisdictions, the airdrop may constitute a public offering requiring a whitepaper or a prospectus. The structure of the airdrop, the identity of the recipients, and the mechanism by which tokens are distributed each affect the classification analysis. Legal review of the airdrop mechanics against the applicable regime in each target market is essential before distribution.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. Digital assets are the whole of our practice. We assess token classification against the substance of rights, not the marketing label – and we structure issuances to withstand regulatory scrutiny across every target market. To discuss your issuance, contact info@oboluslaw.com.

By Roman Levitt, Technology & DeFi Counsel – specialising in token issuance structuring, smart-contract legal architecture and multi-jurisdiction authorisation for digital-asset businesses.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours