What Is a VASP? Definition, Requirements, and AML Obligations
Introduction
According to the FATF's 2025 Targeted Update on the implementation of its standards on virtual assets and VASPs, 75% of assessed jurisdictions remain only partially compliant or non-compliant with Recommendation 15 — the standard that requires countries to regulate and supervise Virtual Asset Service Providers.
At the same time, enforcement actions against unregistered or non-compliant crypto businesses have accelerated across every major jurisdiction, with fines, license revocations, and banking relationship terminations becoming routine consequences.
For crypto businesses, the practical question is straightforward: does your operation qualify as a Virtual Asset Service Provider, and if so, what obligations follow? The answer to this question determines whether your company must obtain a license, implement an AML Compliance Program, conduct Customer Due Diligence, monitor transactions, and comply with the Travel Rule — or risk operating illegally.
This article explains the VASP classification under the FATF Framework, identifies which activities and business models fall within scope, outlines the key AML requirements that apply, and summarizes how major jurisdictions — including the EU under MiCA and the United States under FinCEN — implement these obligations in practice.
What Is a Virtual Asset Service Provider (VASP)?
A VASP is any natural or legal person who, as a business, conducts specified financial activities involving virtual assets on behalf of another person. The term was introduced by the Financial Action Task Force (FATF) in 2019 when it amended Recommendation 15 and adopted an accompanying Interpretive Note (INR.15) to extend AML/CFT requirements to the crypto sector. (Source: FATF, Interpretive Note to Recommendation 15 (INR.15), adopted June 2019; FATF Glossary)
In regulatory terms, the VASP designation functions as a classification trigger. Once an entity meets the definition, it becomes subject to the same AML/CFT obligations that apply to traditional financial institutions — including Customer Due Diligence, recordkeeping, Suspicious Activity Reporting, and the Travel Rule. The FATF's position is explicit: VASPs carry the full range of preventive obligations under the Recommendations.
In practical terms, this means that a crypto exchange, a custodial wallet provider, or a payment processor handling virtual assets on behalf of clients faces the same regulatory expectations as a bank processing wire transfers. The technology is different; the compliance obligations are not.
VASP Definition Under FATF
The FATF Glossary defines a Virtual Asset Service Provider as follows:
"Any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: (i) exchange between virtual assets and fiat currencies; (ii) exchange between one or more forms of virtual assets; (iii) transfer of virtual assets; (iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and (v) participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset." (Source: FATF Glossary, fatf-gafi.org; reproduced in FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, October 2021, Annex A, p.109)
Two elements of this definition require particular attention:
- "As a business." The definition captures commercial activity. An individual transacting in virtual assets on their own behalf is not a VASP. The classification applies only when the activity is conducted as a business — that is, on a regular, professional, or commercial basis.
- "For or on behalf of another natural or legal person." This is the critical qualifier. The VASP framework is concerned with intermediation — entities that hold, move, or manage virtual assets belonging to others. Self-directed trading, mining, and personal use of virtual assets fall outside the scope of the definition.
The FATF has emphasized that these definitions are to be interpreted broadly and expansively. The organization's stated position is that no relevant financial asset, regardless of the format in which it is offered, should fall outside the FATF Standards.
(Source: FATF Updated Guidance, October 2021, Para. 46, p.22)
Virtual Assets vs. Digital Assets
For the purposes of VASP classification, a virtual asset is defined as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. This definition intentionally excludes:
- Digital Representations of Fiat Currencies, including central bank digital currencies (CBDCs).
- Securities and Other Financial Assets already covered under existing FATF Recommendations.
- Digital Items with no Transferable Value or that cannot function as payment or investment instruments.
(Source: FATF Glossary; FATF Updated Guidance, October 2021, p.109)
The distinction is consequential because an asset's classification determines which regulatory framework applies. Non-fungible tokens (NFTs), for example, are generally not treated as virtual assets when used purely as collectibles. However, the FATF's 2021 Updated Guidance clarified that NFTs may qualify as virtual assets where they are used for payment or investment purposes in practice — a determination that must be made on a case-by-case basis based on the functional characteristics of the asset, not its label.
What Activities Qualify as VASP Services?
The scope of activities captured by the VASP definition is deliberately broad. The FATF designed the classification to be technology-neutral and expansive, ensuring that new business models and operational structures do not create gaps in regulatory coverage. The key analytical question is not what technology a business uses, but what function it performs.
Core VASP Activities
The five categories of VASP activity outlined in the FATF Glossary cover the full transactional lifecycle of virtual assets:
- Fiat-to-Crypto and Crypto-to-Fiat Exchange. Converting between fiat currencies and virtual assets on behalf of customers. This is the most common VASP activity and captures the core function of most centralized crypto exchanges.
- Crypto-to-Crypto Exchange. Facilitating conversion between different forms of virtual assets for customers. Even where no fiat currency is involved, an entity operating a crypto-to-crypto exchange service on behalf of others qualifies as a VASP.
- Transfer of Virtual Assets. Conducting transactions that move virtual assets from one address or account to another on behalf of a client. The FATF's Glossary footnote specifies that in the context of virtual assets, "transfer" means conducting a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another.
- Custody and Administration. Holding, safeguarding, or managing virtual assets or the cryptographic keys and instruments that enable control over virtual assets — on behalf of clients. This captures custodial wallet providers, institutional custody services, and any entity that controls client assets or the means to access them.
- Participation in Token Issuance. Providing financial services connected to an issuer's offer or sale of a virtual asset, including initial coin offerings (ICOs), token sales, and similar fundraising mechanisms. This captures underwriters, placement agents, and platforms that facilitate primary market distribution of virtual assets.
(Source: FATF Glossary; FATF Updated Guidance, October 2021, Part Two, pp.21–36)
Common Types of VASPs
While the above categories define the regulatory threshold in functional terms, the business models that most commonly fall within the VASP classification include:
- Centralized Exchanges (CEXs) that match buy and sell orders for virtual assets and hold customer funds during the transaction process.
- Custodial Wallet Providers that store private keys and manage virtual asset holdings on behalf of users.
- Crypto Brokers and OTC Desks that execute trades or facilitate large-volume transactions for institutional or individual clients.
- Crypto Payment Processors that accept virtual assets from merchants' customers and settle transactions in fiat or crypto.
- Crypto ATM Operators that enable users to buy or sell virtual assets for cash or card payments.
Importantly, classification depends on what a company actually does operationally — not how it labels its services or structures its marketing. The FATF has stated that countries should not apply the VASP definition based on the nomenclature or terminology that an entity uses to describe itself or the technology it employs.
(Source: FATF Updated Guidance, October 2021, Para. 52)
Who Is NOT a VASP? Common Misconceptions
Not every participant in the crypto ecosystem qualifies as a VASP. The classification hinges on two operational factors: (1) conducting the specified activities as a business, and (2) doing so on behalf of another person. Entities that do not meet both criteria are generally excluded.
The following categories are typically not classified as VASPs under the FATF framework:
- Individual Traders and Investors who buy, sell, or hold virtual assets for their own account. Personal use of virtual assets — including purchasing goods and services — does not constitute VASP activity because no service is provided on behalf of a third party.
- Miners and Validators who earn block rewards and transaction fees through participation in network consensus mechanisms. Mining and validation are activities performed for the network, not on behalf of individual customers. However, if a miner or validator also provides exchange, transfer, or custody services to third parties, those additional activities may independently trigger VASP classification.
- Software Developers and Infrastructure Providers who create non-custodial tools such as open-source wallet software, block explorers, or node infrastructure. The FATF's 2021 Updated Guidance clarified that the Standards do not apply to underlying software or technology per se; classification depends on whether an identifiable person or entity uses that technology to provide VASP services on behalf of others.
- Hardware Wallet Manufacturers that produce self-custody devices without operating a custodial service or controlling users' private keys.
(Source: FATF Updated Guidance, October 2021, para. 67)
The distinction is functional, not structural. Regulators assess what an entity does in practice, not how it describes itself. Businesses operating in grey areas — particularly those with features that blur the line between self-custody tools and custodial services — should obtain a formal legal assessment, as national regulators may apply broader interpretations than the FATF baseline.
Why VASP Classification Matters for Compliance
VASP classification is not simply a taxonomic label — it is a legal trigger that activates a comprehensive set of regulatory obligations. Once a business falls within the VASP definition under applicable national law, a defined regulatory pathway follows: registration or licensing, AML program implementation, customer due diligence, ongoing transaction monitoring, recordkeeping, and reporting.
Understanding this threshold is critical because regulatory consequences flow from classification, not from intent. A crypto business that meets the functional criteria for a VASP but has not registered, obtained a license, or implemented an AML program is in violation of applicable law — regardless of whether it intended to provide regulated services.
Regulatory Consequences of Being a VASP
The FATF Interpretive Note to Recommendation 15 (INR.15) establishes baseline obligations that jurisdictions are expected to apply to all VASPs. In regulatory terms, once an entity is classified as a VASP, it must:
(a) Register or Obtain a License from a competent national authority. At a minimum, the FATF requires registration in the jurisdiction where the VASP was created (or where its place of business is located, in the case of natural persons). Jurisdictions may also require registration or licensing before a VASP can conduct business within their borders or offer services to their residents.
(Source: INR.15, para. 3; FATF Updated Guidance, October 2021, Part Three, pp.22–23)
(b) Implement a Risk-Based AML/CFT Program that includes internal policies, procedures, controls, a designated compliance officer, employee training, and an independent audit function — proportionate to the risks identified through the entity's own risk assessment.
(c) Conduct Customer Due Diligence (CDD) on all customers at onboarding and on an ongoing basis, applying enhanced due diligence (EDD) measures to higher-risk relationships.
(d) Monitor Transactions for suspicious patterns and file suspicious activity reports (SARs) or suspicious transaction reports (STRs) with the relevant financial intelligence unit (FIU).
(e) Comply with the Travel Rule (Recommendation 16 as applied to VASPs), transmitting originator and beneficiary information alongside qualifying virtual asset transfers.
(f) Maintain Records of customer identification data, transaction histories, and compliance activities for at least five years (or as prescribed by national law).
The FATF further requires that competent authorities take action to identify natural or legal persons carrying out VASP activities without the requisite license or registration, and apply appropriate sanctions. (Source: INR.15, para. 3) Failure to comply can result in civil fines, criminal prosecution, license revocation, and loss of access to banking and payment services. In serious cases, individual officers and directors may face personal liability.
Key AML Requirements for VASPs
The AML obligations imposed on VASPs mirror those that have long applied to banks, payment institutions, and other traditional financial intermediaries. The FATF framework provides the international standard; national legislation determines the specific procedural requirements. Below is a breakdown of the core obligations.
KYC and Customer Due Diligence
Know Your Customer (KYC) obligations form the foundation of every AML compliance program. Under the FATF Recommendations (particularly Recommendations 10–12), VASPs must verify the identity of their customers before establishing a business relationship or conducting an occasional transaction above the applicable threshold.
In practical terms, KYC for VASPs involves three elements:
- Customer Identification and Verification (CIV). Collecting and verifying identifying information for all customers — typically government-issued identification documents, proof of address, and, where applicable, beneficial ownership information for legal entity customers.
- Risk-Based Assessment. Assigning a risk score to each customer based on factors such as geographic location, transaction behavior, source of funds, and the nature of the business relationship. This risk assessment determines the level of ongoing monitoring and due diligence applied.
- Enhanced Due Diligence (EDD). Applying more intensive verification and monitoring measures to higher-risk customers — including politically exposed persons (PEPs), customers from high-risk jurisdictions identified by the FATF, or those with unusual transaction patterns. EDD typically requires additional documentation, more frequent monitoring, and senior management approval of the business relationship.
These obligations apply at onboarding and on a continuous basis throughout the relationship. A one-time identity check at account creation does not satisfy the standard; VASPs must keep customer information current and recalibrate risk assessments as the relationship evolves.
Transaction Monitoring and Risk Detection
While KYC addresses who a customer is, transaction monitoring addresses what they do. VASPs must implement systems capable of continuous, risk-based monitoring of customer transactions to identify patterns consistent with money laundering, terrorist financing, sanctions evasion, or other illicit activity.
Effective transaction monitoring programs typically include:
(a) Risk-Based Rules and Thresholds. Configuring monitoring systems to flag transactions that exceed defined value thresholds, involve high-risk jurisdictions or counterparties, or exhibit behavioral patterns associated with known typologies (such as structuring, rapid fund movement, or layering through multiple wallets).
(b) Alert Generation and Investigation. Producing alerts for potentially suspicious activity, with documented workflows for alert triage, escalation, investigation, and disposition. Each alert must be reviewed and documented regardless of whether it ultimately results in a SAR filing.
(c) Suspicious Activity Reporting. Filing SARs (or equivalent reports under national law) with the relevant financial intelligence unit when, after investigation, a transaction or pattern of transactions gives rise to a suspicion of money laundering, terrorist financing, or other criminal activity.
(d) Audit Trail and Documentation. Maintaining records of all monitoring activity, alert dispositions, and SAR filings sufficient to demonstrate to supervisors and examiners that the monitoring program operates effectively and consistently.
Manual transaction monitoring, reviewing individual transactions or wallet addresses without automated support, may be feasible in the earliest stages of a business. However, as transaction volumes grow, manual processes cannot scale without introducing unacceptable compliance risk. Alert backlogs, inconsistent review standards, and missed patterns are among the most common compliance findings identified during supervisory examinations of VASPs.
Automated crypto transaction monitoring solutions are effectively a necessity for any VASP operating at scale, enabling real-time risk assessment, blockchain analytics integration, and consistent application of monitoring rules across the entire transaction flow.
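The rule, alert and audit-trail steps listed above can be sketched as follows. This is an added example, not code from AMLBot or any monitoring vendor; the threshold, the 24-hour window, the placeholder country codes and the transaction records are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values for illustration; real values come from the VASP's
# own risk assessment and applicable national law.
VALUE_THRESHOLD = 10_000                  # review threshold, fiat equivalent
STRUCTURING_WINDOW = timedelta(hours=24)  # look-back window for split transfers
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}    # placeholder country codes


@dataclass(frozen=True)
class Tx:
    tx_id: str
    customer: str
    amount: float
    when: datetime
    counterparty_country: str


@dataclass
class Alert:
    rule: str
    customer: str
    tx_ids: tuple
    status: str = "open"
    history: list = field(default_factory=list)  # audit trail of reviews

    def dispose(self, analyst, outcome, note):
        """Record the review outcome; every alert is documented, SAR or not."""
        if outcome not in ("sar_filed", "no_sar"):
            raise ValueError("unknown outcome: " + outcome)
        self.history.append({"analyst": analyst, "outcome": outcome, "note": note})
        self.status = "closed"


def run_rules(txs):
    """Apply three rules: large value, high-risk jurisdiction, structuring."""
    alerts = []
    by_customer = defaultdict(list)
    for tx in txs:
        by_customer[tx.customer].append(tx)
        if tx.amount >= VALUE_THRESHOLD:
            alerts.append(Alert("large_value", tx.customer, (tx.tx_id,)))
        if tx.counterparty_country in HIGH_RISK_JURISDICTIONS:
            alerts.append(Alert("high_risk_jurisdiction", tx.customer, (tx.tx_id,)))

    # Structuring: several sub-threshold transfers by one customer whose sum
    # inside the sliding window reaches the threshold.
    for customer, items in by_customer.items():
        window, total = deque(), 0.0
        for tx in sorted(items, key=lambda t: t.when):
            if tx.amount >= VALUE_THRESHOLD:
                continue  # already raised as large_value
            window.append(tx)
            total += tx.amount
            while tx.when - window[0].when > STRUCTURING_WINDOW:
                total -= window.popleft().amount  # expire old transfers
            if len(window) >= 2 and total >= VALUE_THRESHOLD:
                ids = tuple(t.tx_id for t in window)
                alerts.append(Alert("structuring", customer, ids))
                window.clear()  # one alert per cluster, then start over
                total = 0.0
    return alerts


def sample_transactions():
    """Constructed sample data, not real customer activity."""
    t0 = datetime(2025, 1, 6, 9, 0)
    return [
        Tx("a1", "cust-A", 3000, t0, "DE"),
        Tx("a2", "cust-A", 3000, t0 + timedelta(hours=1), "DE"),
        Tx("a3", "cust-A", 3000, t0 + timedelta(hours=2), "DE"),
        Tx("a4", "cust-A", 3000, t0 + timedelta(hours=3), "DE"),
        Tx("b1", "cust-B", 15000, t0, "FR"),
        Tx("c1", "cust-C", 500, t0, "XX"),
        Tx("d1", "cust-D", 4000, t0, "NL"),
        Tx("d2", "cust-D", 7000, t0 + timedelta(days=2), "NL"),  # outside window
    ]


if __name__ == "__main__":
    for alert in run_rules(sample_transactions()):
        alert.dispose("analyst-1", "no_sar", "constructed example review")
        print(alert.rule, alert.customer, alert.tx_ids, alert.status)
```

cust-D's two transfers add up to more than the threshold but fall two days apart, so the window expires the first one and no structuring alert is raised.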
Travel Rule Compliance
The FATF Travel Rule, as applied to VASPs through the Interpretive Note to Recommendation 15 (paragraph 7), requires that when a VASP sends virtual assets to another VASP, both parties must collect and transmit identifying information about the originator and the beneficiary.
Required data for qualifying transfers typically includes:
(a) Originator Information: full name, account number (or wallet address used for the transaction), and either physical address, national identity number, customer identification number, or date and place of birth;
(b) Beneficiary Information: full name and account number (or wallet address).
The sending VASP is responsible for collecting this information and ensuring it accompanies — or is made available in connection with — the transfer. The receiving VASP must obtain and hold required originator information and ensure that beneficiary information is accurate.
(Source: INR.15, para. 7(a)–(b); FATF Updated Guidance, October 2021, Part Four)
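A completeness check for the originator and beneficiary data listed above, plus a receiving-side comparison against the VASP's own customer record, as an added example (not part of the FATF text or any Travel Rule protocol). The dictionary field names, the name-normalisation rule and the sample messages are assumptions made for illustration.

```python
# One of these alternatives must be fully present for the originator.
# Date and place of birth only count together.
ORIGINATOR_ALTERNATIVES = (
    ("physical_address",),
    ("national_id_number",),
    ("customer_id_number",),
    ("date_of_birth", "place_of_birth"),
)


def _present(party, key):
    """A field counts only if it is a non-blank string."""
    value = party.get(key)
    return isinstance(value, str) and value.strip() != ""


def _account(party):
    """Return the account number or wallet address, whichever is supplied."""
    for key in ("account_number", "wallet_address"):
        if _present(party, key):
            return party[key].strip()
    return None


def check_travel_rule(message):
    """Return the list of missing items; an empty list means complete."""
    gaps = []
    originator = message.get("originator") or {}
    beneficiary = message.get("beneficiary") or {}

    if not _present(originator, "full_name"):
        gaps.append("originator.full_name")
    if _account(originator) is None:
        gaps.append("originator.account_number_or_wallet_address")
    if not any(all(_present(originator, k) for k in alt)
               for alt in ORIGINATOR_ALTERNATIVES):
        gaps.append("originator.identifier")

    if not _present(beneficiary, "full_name"):
        gaps.append("beneficiary.full_name")
    if _account(beneficiary) is None:
        gaps.append("beneficiary.account_number_or_wallet_address")
    return gaps


def _norm(name):
    """Assumed matching rule: ignore case and repeated whitespace."""
    return " ".join(name.split()).casefold()


def beneficiary_matches(message, customer_record):
    """Receiving side: does the stated beneficiary match our own customer?"""
    beneficiary = message.get("beneficiary") or {}
    account = _account(beneficiary)
    if account is None or not _present(beneficiary, "full_name"):
        return False
    # Addresses are compared exactly: some address formats are case-sensitive.
    return (account in customer_record["accounts"]
            and _norm(beneficiary["full_name"]) == _norm(customer_record["full_name"]))


# Constructed sample messages (not real persons or addresses).
SAMPLE_COMPLETE = {
    "originator": {
        "full_name": "Alice Example",
        "wallet_address": "addr-orig-0001",
        "date_of_birth": "1990-01-01",
        "place_of_birth": "Exampleville",
    },
    "beneficiary": {"full_name": "Bob  SAMPLE", "wallet_address": "addr-benef-0002"},
}
SAMPLE_INCOMPLETE = {
    "originator": {
        "full_name": "Alice Example",
        "wallet_address": "addr-orig-0001",
        "date_of_birth": "1990-01-01",   # place of birth missing
    },
    "beneficiary": {"full_name": "Bob Sample", "wallet_address": "   "},
}

if __name__ == "__main__":
    print(check_travel_rule(SAMPLE_COMPLETE))
    print(check_travel_rule(SAMPLE_INCOMPLETE))
```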
According to the FATF's 2025 Targeted Update, 73% of surveyed jurisdictions (85 of 117 jurisdictions, excluding those that prohibit VASPs) have now enacted legislation implementing the Travel Rule — an increase from 65 jurisdictions in 2024. However, supervision and enforcement of Travel Rule compliance remain uneven. Less than one-third of jurisdictions with Travel Rule legislation have issued findings or taken enforcement action specifically focused on Travel Rule compliance.
(Source: FATF, Targeted Update on Implementation of the FATF Standards on VA and VASPs, June 2025)
In practice, Travel Rule implementation remains one of the most operationally challenging aspects of VASP compliance. Interoperability between compliance solutions, counterparty identification (particularly when transfers involve unhosted wallets), and inconsistent data standards across jurisdictions continue to create friction.
Sanctions Screening and Wallet Checks
VASPs are required to screen customers and transactions against applicable sanctions lists, including those maintained by OFAC (United States), the EU Consolidated List, and the United Nations Security Council Sanctions Committee. In the context of virtual assets, sanctions compliance has additional operational dimensions compared to traditional financial services.
In practical terms, sanctions screening for VASPs involves:
- Customer Screening. Checking all customers and their beneficial owners against applicable sanctions lists at onboarding and on an ongoing basis as sanctions designations are updated.
- Wallet Address Screening. Checking wallet addresses involved in transactions against known blacklisted addresses — including addresses designated by OFAC's Specially Designated Nationals (SDN) list, addresses associated with sanctioned protocols (such as Tornado Cash), and addresses flagged by blockchain analytics providers as linked to illicit activity.
- Exposure Analysis. Using blockchain analytics tools to assess the risk profile of wallet addresses beyond direct sanctions hits — including indirect exposure through intermediary transactions, connections to darknet markets, ransomware payments, or funds traceable to sanctioned jurisdictions or entities.
Sanctions screening must be performed at onboarding, at the point of each transaction, and on a continuous basis. The consequences of processing a transaction involving a sanctioned party or address can include significant civil penalties, criminal prosecution, and reputational damage that extends well beyond the specific transaction.
VASP Regulations Across Jurisdictions
While the FATF sets the global standard through its Recommendations, individual jurisdictions implement VASP-related obligations through their own legislative and regulatory frameworks. The result is a system where the underlying principles are consistent — registration, AML programs, CDD, monitoring, Travel Rule, recordkeeping — but the specific requirements, terminology, thresholds, and enforcement mechanisms vary.
Global Standards (FATF)
FATF Recommendation 15 and its Interpretive Note (INR.15) form the baseline framework that all 205 jurisdictions in the FATF's Global Network are expected to implement. Since the adoption of INR.15 in June 2019, the FATF has published six Targeted Updates on jurisdictional compliance (the most recent in June 2025), conducted extensive outreach, and identified jurisdictions with materially important VASP activity for enhanced monitoring.
Despite this sustained pressure, global implementation remains uneven. As of the 2025 assessment cycle, 75% of assessed jurisdictions are only partially compliant or non-compliant with R.15. The FATF has specifically highlighted deficiencies in licensing and registration frameworks, supervisory capacity, and Travel Rule enforcement as areas requiring urgent improvement.
(Source: FATF, Targeted Update on Implementation of the FATF Standards on VA and VASPs, June 2025; FATF, Targeted Update, July 2024)
European Union (MiCA)
The European Union's Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114, commonly known as MiCA) represents the most comprehensive regional crypto regulatory framework to date. Under MiCA, the legacy VASP registration regimes maintained by individual EU member states are being replaced by a unified Crypto-Asset Service Provider (CASP) authorization system.
Key elements of MiCA's CASP regime include:
(a) Authorization Requirement. From December 30, 2024, no person may provide crypto-asset services in the EU unless authorized as a CASP by the national competent authority (NCA) of an EU member state, or unless they are an already-regulated financial institution (credit institution, investment firm, etc.) that has notified their NCA under MiCA Article 60.
(Source: MiCA, Article 59; ESMA, esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica)
(b) Transitional Period. Existing VASPs lawfully providing services before December 30, 2024 may continue to operate under a transitional ("grandfathering") regime until they are granted or refused CASP authorization, or until July 1, 2026 — whichever comes first. The exact transitional timeline varies by member state under Article 143(3) of MiCA.
(Source: MiCA, Article 143(3); AMF (France), Statement on Transitional Period, February 2026)
(c) EU Passport. A CASP authorized in one EU member state may provide services across all 27 member states through passporting rights — replacing the current system where VASPs must register separately in each jurisdiction.
(d) Capital Requirements. MiCA imposes minimum capital requirements of €50,000 for advisory services, €125,000 for custody and exchange services, and €150,000 for entities operating trading platforms.
(e) Conduct and Compliance Obligations. CASPs must meet requirements on governance, fitness and propriety of management, client asset safeguarding, cybersecurity and IT security (aligned with the Digital Operational Resilience Act, or DORA), AML/KYC compliance, marketing communications standards, and complaint handling procedures.
The transition from VASP to CASP under MiCA is not merely a relabeling exercise. The authorization requirements are substantially more demanding than the registration regimes they replace, involving detailed application packages, business plans, governance documentation, and — in practice — processing timelines that frequently exceed initial regulatory estimates.
United States (FinCEN and MSB Rules)
In the United States, the VASP concept is not used as a regulatory term. Instead, crypto businesses that accept and transmit convertible virtual currency (CVC) on behalf of customers are classified as Money Services Businesses (MSBs) — specifically as money transmitters — under the Bank Secrecy Act (BSA) and FinCEN regulations.
In its 2019 guidance (FIN-2019-G001), FinCEN clarified that no new regulatory obligations were being introduced for crypto businesses. Rather, existing BSA requirements already applied to entities engaged in money transmission involving virtual currencies. The classification depends on functional activity — accepting and transmitting value on behalf of others — not on business labels or technical architecture.
(Source: FinCEN, Application of FinCEN's Regulations to Certain Business Models Involving Convertible Virtual Currencies, FIN-2019-G001, May 9, 2019)
Crypto businesses classified as MSBs must:
(a) Register with FinCEN as a Money Services Business;
(b) Implement a written AML compliance program tailored to their risk profile;
(c) Conduct customer due diligence and maintain CDD records;
(d) File Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) as required;
(e) Comply with the Funds Transfer Recordkeeping and Travel Rule requirements under 31 CFR §1010.410(e) and (f) for qualifying transactions of $3,000 or more;
(f) Obtain and maintain state-level money transmitter licenses in most states, each with its own application process, bonding requirements, and capital thresholds.
The result is a multi-layered compliance landscape that combines federal registration and BSA obligations with state licensing requirements — a system frequently described as one of the most complex in the world for crypto businesses.
VASPs and DeFi: Where the Line Is Drawn
The application of VASP classification to decentralized finance (DeFi) remains one of the most actively debated areas in crypto regulation. The FATF's position, first articulated in its 2021 Updated Guidance and reinforced in subsequent Targeted Updates, centers on a functional test: does an identifiable person or entity exercise control or sufficient influence over the DeFi arrangement?
The FATF's 2021 Guidance clarified that a DeFi application — meaning the software program itself — is not a VASP under the Standards, because the Standards do not apply to underlying software or technology. However, creators, owners, and operators who maintain control or sufficient influence over a DeFi arrangement, even if that arrangement appears decentralized, may fall within the VASP definition where they are providing or actively facilitating VASP services.
(Source: FATF Updated Guidance, October 2021, para. 67)
The Guidance identifies several factors that may indicate control or influence, including:
(a) Whether any party profits from the service or has the ability to set or change parameters;
(b) Whether there is an ongoing business relationship between identified parties and users;
(c) Whether governance mechanisms (including through smart contracts or voting protocols) allow identifiable parties to modify the protocol's functionality.
In practical terms, the majority of DeFi protocols operating today have some form of identifiable governance, administrative functionality, or upgrade capability. Truly immutable, autonomous protocols with no identifiable controlling parties are rare. The regulatory trend across jurisdictions — including the EU under MiCA, which explicitly excludes "fully decentralized" services but defines that standard narrowly — is toward capturing more, not fewer, DeFi-adjacent activities within the regulatory perimeter.
The FATF expects countries to determine on a case-by-case basis whether an identifiable person qualifies as a VASP within a DeFi arrangement. For businesses operating in or adjacent to the DeFi space, this means that relying on a "decentralized" label as a regulatory shield carries increasing legal risk.
Risks of Non-Compliance for VASPs
The consequences of failing to comply with VASP obligations are not theoretical. Regulators across jurisdictions have demonstrated a growing capacity and willingness to identify and penalize non-compliant crypto businesses. The FATF's 2025 Targeted Update noted that jurisdictions are increasingly taking supervisory and enforcement actions against VASPs, with the number of jurisdictions reporting having conducted inspections and taken enforcement action rising year over year.
(Source: FATF, Targeted Update on Implementation of the FATF Standards on VA and VASPs, June 2025)
Real Business Risks
The practical consequences of non-compliance are concrete, measurable, and — for many businesses — existential:
(a) Fines and Financial Penalties. Regulatory enforcement actions in the crypto sector now routinely involve penalties in the hundreds of thousands to millions of dollars. In the EU, enforcement related to MiCA non-compliance has already resulted in over €540 million in fines since the regulation took effect. In the United States, FinCEN enforcement actions against MSBs have involved civil money penalties of up to $100 million for BSA violations. In France, the AMF has warned that operating as a CASP without MiCA authorization after July 1, 2026 carries criminal penalties including a two-year prison sentence and a €30,000 fine.
(Source: AMF, Statement on Transitional Period for DASPs, February 2026, amf-france.org)
(b) License Revocation or Denial. Operating without proper authorization — or failing a supervisory inspection — can result in loss of the right to operate, with forced wind-down of customer positions and mandatory cessation of services.
(c) Loss of Banking Access. Traditional financial institutions conduct their own due diligence on crypto counterparties. A VASP that cannot demonstrate a functioning AML compliance program, proper licensing, and regulatory good standing will face increasing difficulty maintaining — or establishing — banking relationships. For many crypto businesses, loss of a banking partner is an operational crisis.
(d) Criminal Liability. In serious cases, individual officers, directors, and compliance personnel may face personal criminal charges for facilitating money laundering, operating an unregistered money transmission business, or willfully failing to implement required AML controls.
(e) Reputational Damage. Public enforcement actions — including regulatory warnings, blacklists of unregistered providers, and court proceedings — undermine trust with customers, institutional partners, and counterparties. In a competitive market, reputational harm can be as damaging as the financial penalties themselves.
The cost of building and maintaining a compliance program is significant. The cost of operating without one, measured in fines, lost banking relationships, forced shutdowns, and personal liability, is almost always greater.
Conclusion
VASP classification under the FATF framework is not simply a regulatory label — it is a binding compliance obligation that activates a comprehensive set of AML requirements. If your crypto business exchanges, transfers, custodies, or otherwise manages virtual assets on behalf of clients, you are operating within a regulated perimeter that requires licensing, customer due diligence, transaction monitoring, sanctions screening, Travel Rule compliance, and ongoing recordkeeping and reporting.
The regulatory environment continues to evolve rapidly. The FATF is pressing for faster global implementation of Recommendation 15. The EU's MiCA framework is replacing national VASP registrations with a unified CASP authorization regime, with a final deadline of July 1, 2026. The United States continues to enforce existing BSA requirements against crypto MSBs with increasing frequency and severity.
Understanding whether your business qualifies as a VASP — and acting on the obligations that follow — is not a future compliance task. It is a present legal requirement.
-AMLBot Team

FAQ
What Is a VASP in Crypto?
A Virtual Asset Service Provider (VASP) is a business that provides services involving virtual assets on behalf of others, such as exchanges, custodial wallets, or crypto payment processors. The definition is established by the Financial Action Task Force (FATF).
Who Qualifies as a VASP?
A company qualifies as a VASP if it conducts activities like exchanging crypto, transferring assets, holding funds (custody), or facilitating token issuance for clients. The key factor is acting on behalf of others.
Are All Crypto Businesses Considered VASPs?
No. Only businesses that provide financial services involving virtual assets for others are considered VASPs. Individual traders, miners, and pure software providers are typically not classified as VASPs.
Are Decentralized Platforms (DeFi) Considered VASPs?
DeFi protocols themselves are not automatically VASPs. However, developers or operators who maintain control or influence over the platform may be classified as VASPs depending on their role.
What Are the Main AML Requirements for VASPs?
VASPs must implement KYC (Customer Verification), transaction monitoring, sanctions screening, and comply with the Travel Rule. They are also required to maintain records and report suspicious activities.
What Is the Travel Rule for VASPs?
The Travel Rule requires VASPs to collect and share information about the sender and recipient of crypto transactions when transferring funds between regulated entities.
What Are VASP Requirements in the United States?
In the US, VASPs are typically classified as Money Services Businesses (MSBs) and must register with FinCEN, implement AML programs, conduct KYC, and comply with reporting obligations.
What Happens if a Company Is Classified as a VASP but Does Not Comply?
Non-compliance can lead to fines, loss of licenses, account closures by banks, and potential legal action from regulators.
Do VASPs Need Transaction Monitoring?
Yes. Continuous transaction monitoring is a core requirement. It allows businesses to detect suspicious activity, assess risk levels, and comply with AML regulations.
Why Is VASP Classification Important for Crypto Businesses?
VASP classification determines whether a business must comply with AML regulations. Misunderstanding this can result in operating illegally without proper controls in place.