A Virtual Asset Service Provider (VASP) is a business that facilitates the exchange, transfer, safekeeping, or issuance of virtual assets—such as cryptocurrencies or tokens—on behalf of others.
The term was introduced by the Financial Action Task Force (FATF), the global standard-setter for anti-money laundering and counter-terrorism financing, and is now widely referenced in national regulatory frameworks, though some jurisdictions use different terminology.
This guide will define what a VASP is, explore common types of VASPs with real-world examples, walk through the registration process, outline key compliance obligations, and highlight emerging trends shaping the VASP landscape heading into 2025.
While exact definitions of a VASP vary across jurisdictions, most align with the standards introduced by the FATF in its Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
According to FATF, a VASP is any business that, on behalf of others, conducts one or more of the following activities: exchanging virtual assets for fiat currency; exchanging one form of virtual asset for another; transferring virtual assets; safeguarding or administering virtual assets or related instruments; and providing financial services related to the issuance or sale of a virtual asset.
The FATF definition of a VASP also offers a practical framework for understanding the most common types of crypto businesses that fall under regulatory oversight. Below are examples that correspond to each functional category.
Exchange between virtual assets and fiat currency – This includes businesses that enable the conversion of fiat currencies (like USD or EUR) into crypto and vice versa. Common examples are centralized exchanges like DMM, payment gateways that support fiat-to-crypto transactions, over-the-counter (OTC) brokers, and crypto ATMs—often flagged as high-risk exit points for laundering. Peer-to-peer exchanges like NoOnes, which suffered a security breach in January 2025, also fall into this category due to their facilitation of fiat-to-crypto trades between users.
Exchange between one or more forms of virtual assets – These platforms support crypto-to-crypto trading or token swaps. They include decentralized exchanges (DEXs) like Uniswap, swap services such as 1inch, and liquidity aggregators. Due to the absence of centralized control and KYC measures, DEXs are frequently exploited for laundering purposes. In the Onyx Protocol hack, for instance, stolen tokens were converted into 1,157 ETH through decentralized swaps, routed between exploiter wallets, and eventually funneled into Tornado Cash.
Transfer of virtual assets – This covers services that move virtual assets from one wallet to another on behalf of users. Examples include custodial wallet providers, crypto remittance platforms like BitPesa, and broker-dealers that execute transfers or settlements on behalf of clients.
Safeguarding or administering virtual assets or related instruments – This category includes entities that offer custody, storage, or private key management services. Examples include crypto custodians like Fireblocks, centralized exchanges with custodial wallets such as Binance, and enterprise wallet providers that manage secure access and authorization for institutional clients.
Providing financial services related to the issuance or sale of a virtual asset – This category includes firms that support token creation, fundraising, or promotion. Common examples include token launch platforms like Pump.fun, often used to launch low-quality or fraudulent meme coins; STO platforms; and crypto investment banks or advisors. Underwriters and marketing firms also fall under this category and are occasionally linked to fraud. In one case, the DOJ convicted the founder of My Big Coin Pay for falsely marketing a token as asset-backed while misappropriating millions in investor funds.
While each type of VASP carries distinct risks—such as laundering through DEXs or misrepresentation in token sales—all are exposed to vulnerabilities tied to financial crime, fraud, or technical failure. The specific threats may differ, but the need for robust risk management is universal across the entire VASP ecosystem.
Registering as a VASP is understandably more complex than a typical business licensing process. This complexity reflects the heightened regulatory scrutiny placed on entities handling digital assets, especially given the risks tied to money laundering, fraud, and consumer protection. Below are key requirements that VASPs typically encounter during registration.
Application Submission - The registration process begins with a comprehensive application, which generally includes business registration and incorporation documents, along with detailed business information. This often takes the form of a business plan that outlines the company’s structure, product offerings, target markets, underlying technology, and key personnel. Regulators use this to evaluate the legitimacy and preparedness of the applicant.
License Fees - Licensing fees for VASPs are intentionally set at higher levels to deter unserious applicants. The Monetary Authority of Singapore (MAS), for instance, charges S$500 for money-changing services and S$1,000 for merchant acquisition services. These fees increase based on business scope and scale—a major payment institution offering merchant acquisition services pays S$1,500. Since VASPs often operate across multiple jurisdictions, they must carefully budget for cumulative licensing costs.
Paid-Up Capital Requirements - Unlike many startups in other industries that set flexible levels of paid-up capital, VASPs are typically subject to minimum capital thresholds mandated by regulators. These ensure that the company has adequate financial resources to build secure infrastructure, hire compliance personnel, and absorb operational risks. Under the EU’s Markets in Crypto-Assets (MiCA) regulation, for example, crypto advisory firms must hold at least €50,000 in paid-up capital, while custody providers are required to maintain €150,000.
Operational Capital Requirements - In addition to initial capitalization, some regulators impose ongoing operational capital requirements. These are designed to ensure that VASPs can continue meeting obligations to clients, even during periods of stress. For instance, the Hong Kong Securities and Futures Commission (SFC) mandates that licensed virtual asset trading platforms maintain at least HKD 3 million in liquid capital.
It’s also important to recognize that VASP registration is not a simple one-off application—it’s a multi-stage process often involving extensive back-and-forth with regulators. Businesses should begin well in advance of their intended launch in any jurisdiction. In Dubai, for example, acquiring a full license from the Virtual Assets Regulatory Authority (VARA) can take six to nine months from the time of initial submission.
The obligations of a Virtual Asset Service Provider (VASP) are extensive and designed to uphold global standards for financial integrity and consumer protection.
Know Your Customer (KYC) - Before transacting with any customer, VASPs are required to establish and verify the customer’s identity. This process involves collecting official identification documents—such as government-issued IDs—and validating their authenticity. If there are doubts about the documents' legitimacy, VASPs must apply enhanced due diligence measures, which may include video verification or selfie-based ID checks. In addition to this initial onboarding, VASPs are expected to conduct ongoing monitoring of customer behavior to detect any anomalies or shifts in risk profile. The FATF sets global standards for KYC, which national regulators then implement through jurisdiction-specific policies and enforcement mechanisms.
Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) - Also governed by FATF standards, AML/CFT obligations require VASPs to actively monitor and analyze transactional behavior to detect illicit activity. This includes identifying patterns commonly associated with financial crime, such as peel chains, chain hopping, and smurfing—tactics used by ransomware operators, cybercriminal networks, and terrorist organizations like Hamas to obscure the origin and destination of funds. When suspicious activity is detected, VASPs must file Suspicious Transaction Reports (STRs) with the appropriate authorities in their jurisdiction. Failure to do so may result in significant legal and financial penalties.
Travel Rule - Although now widely associated with crypto, the Travel Rule was first introduced by the FATF in 1996 to combat money laundering and terrorist financing in traditional banking. The rule requires financial institutions to share originator and beneficiary information for transactions above a threshold—$3,000 in the U.S. and $1,000 in many other jurisdictions. In June 2019, FATF extended the rule to VASPs in response to the growing risks of anonymous crypto transactions. Since then, FATF has taken a phased implementation approach, conducting regular progress reviews—beginning in July 2020, and most recently in July 2024—to assess global compliance. Jurisdictions that fail to implement the Travel Rule effectively may be placed on the FATF’s greylist, which signals strategic deficiencies in their AML/CFT regimes and can significantly impact access to international financial systems.
Sanctions Compliance - Sanctions compliance is often seen as more straightforward than other obligations because it centers on screening transactions against government-issued blacklists, but it still presents significant challenges. These lists—such as those maintained by the Office of Foreign Assets Control (OFAC) in the United States—are frequently updated, requiring VASPs to use automated tools that can keep up at scale. OFAC’s sanctions apply not only to U.S.-based VASPs, including those in U.S. territories, but also to U.S. citizens, permanent residents, and businesses operating globally. However, as bad actors adopt increasingly sophisticated sanctions evasion tactics—such as cycling funds through new wallet addresses or using mixers—VASPs must go beyond basic list-matching and implement systems capable of detecting evasive behavior in real time.
Custodianship - Custodianship requirements are typically set at the national or regional level and have come under increased scrutiny following high-profile failures such as FTX, where customer funds were misused by company executives. In response, many jurisdictions have introduced strict rules to protect client assets—most notably by prohibiting the commingling of customer and corporate funds. These regulations often require the segregation of assets, ensuring that customer holdings are held in separate, safeguarded accounts. For instance, in Singapore, the MAS mandates that VASPs place customer funds in trust accounts with approved financial institutions.
Market Education - Like custodianship, market education standards are defined by national or regional regulators and are designed to ensure that users understand the risks associated with crypto trading. Given the volatility of digital assets and the technical complexity of blockchain technology, regulators expect VASPs to prevent uninformed users from trading blindly on their platforms. This includes assessing a user’s financial literacy and crypto knowledge—and providing educational content when needed. In the United Kingdom, for example, the Financial Conduct Authority (FCA) requires that VASPs must not only present standardized risk warnings but also implement a 24-hour cooling-off period for new retail investors before their first trade. Additionally, they are required to offer detailed risk education that goes beyond general statements, covering topics such as volatility, custody risks, and how the underlying technology functions.
Together, these obligations form a complex web of compliance requirements that vary across jurisdictions. For VASPs, navigating this patchwork is not only operationally demanding but also essential to maintaining regulatory approval and user trust.
The landscape for VASPs is rapidly evolving, shaped by new technologies, regulatory expectations, and emerging threats. Below are three key trends redefining how VASPs operate and defend against financial crime.
Proactive Public–Private Collaboration - Historically, collaboration between VASPs and law enforcement was largely reactive—initiated only after a crime had occurred. Investigations relied on ad hoc data sharing, with VASPs tracing transactions, exchanging findings, and supporting prosecution efforts. The challenge with this model is timing: by the time data is shared, criminals may have already moved funds or covered their tracks.
A more effective approach is ongoing, proactive collaboration—even in the absence of active investigations. This often takes place through industry associations, cross-sector working groups, or conferences where public and private stakeholders share emerging threats, typologies, and investigative techniques. This active collaboration with law enforcement allows both sides to stay ahead of evolving crypto crime, fostering more agile, informed responses.
Shift from Blacklists to Behavior-Based Blockchain Analytics - In the past, compliance screening relied heavily on static blacklists, such as those issued by the OFAC. While important, blacklists have major limitations—namely, the ease with which bad actors can create fresh wallet addresses that don’t appear on any list. This cat-and-mouse game leaves compliance teams constantly playing catch-up.
To close this gap, Merkle Science pioneered behavior-based blockchain analytics. Rather than only flagging known addresses, Compass analyzes behavioral signals—such as a user rapidly draining their wallet minutes after receiving funds—as red flags. This dynamic approach has since been adopted across the industry. We welcome this evolution: increased competition in behavior-based rule engines means stronger defenses across the ecosystem and fewer blind spots for criminals to exploit.
Multi-Solution Blockchain Analytics Models - In other domains, enterprises often rely on all-in-one systems—like a Human Resource Information System (HRIS)—to meet their needs. But in blockchain analytics, many firms have learned that no single platform can fully support the complexity of compliance, investigations, and education.
That’s why organizations increasingly turn to Merkle Science for a suite of complementary tools. A crypto exchange, for instance, might use Compass for transaction screening and suspicious activity reporting, Tracker for investigative tracing, and the Institute for specialized training in compliance and forensic techniques. This modular approach allows clients to customize their toolset while benefiting from deep integration and shared intelligence across our products.
VASPs operate in an increasingly complex regulatory landscape, with obligations spanning KYC, AML/CFT, Travel Rule compliance, sanctions screening, custodianship, and user education. These requirements vary by jurisdiction and evolve rapidly, making compliance both operationally demanding and high-stakes.
As threats grow more sophisticated and regulators tighten expectations, VASPs must move beyond one-size-fits-all solutions. A single tool rarely meets the breadth of needs across transaction screening, investigations, and reporting. That’s why forward-looking VASPs are building multi-layered analytics stacks—combining tools like Compass for real-time risk detection and Tracker for in-depth blockchain investigations—to future-proof their compliance and security frameworks.
Reach out to us today for a free demo on how our tools can help your VASP.