Counterparty VASP Due Diligence: A Practical Guide for Crypto Businesses
In its June 2025 Targeted Update on Virtual Assets, the Financial Action Task Force (FATF) reported that 85 of 117 responding jurisdictions — about 73% — had passed Travel Rule legislation, up from 65 a year earlier. The number is rising, but it carries a quieter message for anyone moving crypto between businesses: a meaningful share of jurisdictions still have not implemented the rule at all, and many that have are graded only partially compliant in practice.
That gap is exactly why counterparty checks matter. A crypto business can run a strong internal AML programme, mature KYC/KYB controls and continuous transaction monitoring, and still inherit risk the moment it sends funds to, receives funds from, or exchanges transfer data with another provider. The other side’s controls become part of your risk surface. Yet a brand on a website, or a claim that a company is “registered,” answers none of the questions that actually decide whether a transfer is safe: which legal entity you are dealing with, where that entity is authorised, which services the status covers, whether the counterparty can exchange required transfer information correctly, and what on-chain risk attaches to the actual transactions.
This guide lays out a practical framework for assessing a counterparty VASP before you establish a relationship, and for monitoring it afterwards — from identifying the legal entity through to setting the triggers that tell you when to look again.
What Is Counterparty VASP Due Diligence?
Counterparty VASP due diligence is the process by which a crypto business identifies, verifies, and risk-assesses another virtual asset service provider before establishing or continuing an operational relationship or crypto transfer flow. In plain terms, it is how you decide whether the institution on the other side of a transfer is who it claims to be, is allowed to do what you need it to do, and does not introduce risk you are unwilling to accept.
A counterparty VASP is not always an exchange. Depending on the relationship, it might be any provider that sends, receives, custodies, or routes virtual assets on behalf of others:
- Crypto Exchange: A platform that converts between assets or between crypto and fiat and frequently sends or receives transfers on behalf of its users.
- Custodial Wallet Provider: A provider that holds assets for clients and can sit on either side of a custody or transfer arrangement.
- OTC Desk: An institutional counterparty in a liquidity or settlement relationship, often with large and recurring flows.
- Crypto Payment Provider: A processor that moves value for merchants or end users as part of a payment workflow.
- On-Ramp / Off-Ramp Provider: A partner tied to conversion and transfer flows between fiat and virtual assets.
- Transfer Service Provider: Any institution that receives or forwards crypto on behalf of clients as part of a service arrangement.
Because companies of this kind can fall within the scope of AML/CFT obligations, the same framework that defines their duties also frames how you should check them — a topic covered in more detail in our overview of VASP Requirements for Crypto Businesses. In practical terms, the task is not simply “does this company have a licence?” A defensible review works through several connected layers: identifying the legal entity, confirming its regulatory status, understanding the relevant jurisdiction and the services in scope, assessing AML/CFT and sanctions controls, checking Travel Rule readiness, evaluating wallet and transaction exposure, and defining the triggers for ongoing monitoring.
The FATF framework treats the identification and due diligence of counterparty VASPs as part of how value moves safely between providers, and its updated guidance sets out the risk-based expectations that most national regimes now build on. (FATF Updated Guidance for Virtual Assets and VASPs.)
Counterparty Due Diligence Is Not Customer Due Diligence
It is easy to blur the two, because both involve “checking someone.” They answer different questions and they do not substitute for each other. Customer Due Diligence looks at the people or businesses using your service. Counterparty Due Diligence looks at another provider you transact or partner with. The two processes usually run in parallel. Onboarding a corporate client who happens to be a VASP can require both: Customer Due Diligence on the client relationship, and Counterparty Due Diligence on the provider role. Treating one as a stand-in for the other is a common — and avoidable — gap.

When Does a Crypto Business Need to Assess a Counterparty VASP?
The trigger is interaction with another provider, not the size of the transfer. Whenever value, data, or an ongoing arrangement crosses between your business and another institution, a counterparty review is in scope.

Counterparty VASP vs Self-Hosted Wallet
The distinction changes which controls apply and what you can realistically check.
- Provider-to-Provider Transfer: The other side may be an identifiable VASP or, in the EU, a CASP — an entity you can name, locate in a register, and assess for Travel Rule readiness.
- Transfer to a Self-Hosted Wallet: There may be no regulated provider on the receiving end, so counterparty verification gives way to wallet-level risk assessment and the controls your own jurisdiction requires for unhosted-wallet activity.
This is why cross-border transfers, interoperability between messaging standards, and uncertainty about the counterparty’s readiness create real operational friction — a set of difficulties explored in our piece on Crypto Travel Rule Implementation Challenges. This guide stays focused on institutional counterparties rather than the full set of self-hosted wallet obligations, and a transfer to a known exchange is not automatically safe simply because the recipient is a regulated business.
Step 1: Identify the Legal Entity Behind the Counterparty
Due diligence starts with a specific legal entity. Global crypto brands routinely operate through different companies in the EU, the UK, the US, and elsewhere, and a registration held by one of those entities does not automatically cover every product or every country where the brand appears. Before anything else, establish the following about the entity you will actually transact with:
- Full Legal Name: The registered company name, not the consumer brand.
- Registration Identifier: A company or registration number, or an equivalent identifier in its home jurisdiction.
- Registered Jurisdiction: Where the entity is incorporated and where it claims to operate.
- Regulatory Authority: The supervisor or register that oversees it, where applicable.
- Services in Scope: Which specific services you intend to use, and whether the entity actually provides them.
- Contracting and Settlement Party: Who signs the agreement and who will send or receive the crypto transfers.
- Status Alignment: Whether this entity is the same one that holds the regulatory status being relied on.
A single global brand may run its EU activity through one authorised company, its US activity through a registered money services business, and its other markets through entities with no comparable status at all. If your contract and your transfers run through an entity that is not the one named in the register, the registration you relied on may be irrelevant to your relationship. Confirming the entity in an official source is the start of due diligence, not the finish line.
Step 2: Verify Regulatory Status in the Relevant Jurisdiction
Once you know the entity, verify its status — precisely, and without leaning on the word “regulated.” That word does a lot of marketing work and very little compliance work. The FATF’s own assessments are a useful reality check here: across mutual evaluations conducted since the standards were extended to virtual assets in 2019, roughly three-quarters of assessed jurisdictions have been graded only partially compliant or non-compliant with the core requirements for VASPs. A registration somewhere is not, by itself, evidence of robust oversight.
A useful verification answers concrete questions: In which jurisdiction does this specific entity operate? Does it hold a registration, authorisation, or licence there? Which regulator or official register confirms it? Which services does that status actually cover? Can the entity lawfully serve a business like yours, in your country? And are there warnings, transitional arrangements, restrictions, or enforcement actions on record?

“Authorised” and “Registered” can mean very different levels of supervision depending on the regime, and a status that covers, say, custody may say nothing about whether the entity may run an exchange service for clients in your market. Verify against the source the regulator publishes, not the screenshot the counterparty sends you.
EU Context: When a Counterparty VASP Is a CASP
If your counterparty operates in the European Union, the terminology shifts. Globally, the FATF term is VASP. In the EU, the relevant provider is generally a crypto-asset service provider, or CASP, authorised under the Markets in Crypto-Assets Regulation (MiCA, Regulation (EU) 2023/1114). When you assess an EU counterparty, the checks become specific:
- Identify the Authorised Entity: Confirm the exact CASP that holds the authorisation, not the group brand.
- Confirm the Service Scope: Check that its authorisation covers the specific crypto-asset services your relationship relies on.
- Account for Transfer Obligations: Treat the rules on crypto-asset transfers as a separate question from the authorisation itself.
In the EU, those transfer obligations sit in the recast Transfer of Funds Regulation (Regulation (EU) 2023/1113), which applied to crypto-asset transfers from 30 December 2024 and, notably, sets no minimum threshold — originator and beneficiary information must accompany transfers regardless of value.
This guide does not walk through how an entity obtains a MiCA authorisation — that is a separate subject covered in MiCA Authorization for CASPs — nor does it reproduce the full set of EU Crypto Travel Rule Requirements for CASPs. The point here is narrower: a CASP authorisation tells you a named entity is supervised for defined services; it does not, on its own, mean the transactions flowing through that entity carry low risk.
Step 3: Assess the Counterparty’s AML and Sanctions Controls
Regulatory status tells you a provider is permitted to operate. The next question is whether it operates within an acceptable AML/CFT process — whether it can actually do the compliance work a relationship with you depends on. This is where you move from “is it allowed?” to “can it be relied on?” Most businesses look at a recognisable set of control categories:
- AML/CFT Programme: A documented programme with a responsible, identifiable compliance function.
- Sanctions Screening: Procedures for screening parties and handling sanctioned entities or exposure.
- Onboarding Approach: How the counterparty onboards its own customers and business relationships.
- Suspicious Activity Escalation: What happens, and how quickly, when suspicious flows are detected.
- Information Request Handling: Whether it can respond to reviews, requests and escalations in reasonable time.
- High-Risk Policy: How it treats high-risk transactions, jurisdictions and counterparties.
- Recordkeeping and Audit Trail: Whether decisions and transfer information can be documented and retrieved.
- Restricted-Activity Boundaries: Which jurisdictions, services or transaction types it will not support.

The existence of a policy is not the same as the quality of its application. A counterparty can hand you a polished AML policy document and still escalate slowly, screen weakly, or be unable to answer an information request when it matters. Weigh the documents, the official status, the contract terms and the operational responses together — and treat the counterparty’s self-description as a claim to be tested, not a fact to be accepted.
Step 4: Check Travel Rule Readiness Before Exchanging Transfer Data
If the relationship involves transfers between providers, identifying the counterparty is only half the job. You also need to know whether it can correctly receive, transmit and handle the required originator and beneficiary information — the obligation that flows from FATF Recommendation 16 as extended to virtual assets, and from the national rules that implement it. Provider-to-provider transfers are precisely where that information must travel with the transaction, a mechanism explained in our overview of the FATF Crypto Travel Rule.
Before you exchange any data, work through what the counterparty can actually support:
- Counterparty Identification: Whether the other side is an identifiable VASP or relevant regulated institution, and under which entity it receives data.
- Transfer Scenarios: Which kinds of transfers will actually occur between you.
- Required Information Fields: Which originator and beneficiary fields must be exchanged for those transfers.
- Secure Transmission: How the required information is sent securely between you.
- Incomplete or Mismatched Data: How the counterparty handles missing or inconsistent information.
- Failed and Suspended Transfers: How rejected, failed or paused transfers are managed.
- Escalation Ownership: Who is accountable when something needs to be escalated.
- Audit Trail and Review Cycle: How transfer data is retained and how often counterparty information is refreshed.
Requirements differ by jurisdiction, and that variation is the heart of the problem. Thresholds, required fields and verification expectations are not uniform: the United States applies the Travel Rule to transmittals of US$3,000 or more, while the EU applies it to crypto-asset transfers with no minimum threshold at all.
A working technical integration is reassuring, but it is not the same as compliance readiness — you still need to know how the counterparty behaves when data is incomplete, who fixes it, and how cross-border interoperability is handled. Those operational realities, rather than the existence of a connector, are what our discussion of Crypto Travel Rule Implementation Challenges for Businesses focuses on.
Step 5: Evaluate Wallet and Transaction Risk Beyond Regulatory Status
A verified regulatory status does not remove on-chain risk. This is the step businesses most often underweight, and it is the one where most actual losses originate.
An authorised or registered provider still receives funds from many sources, and a relationship with a confirmed VASP does not make every transaction passing through it low-risk. Entity-level due diligence and transaction-level risk assessment solve different problems: the first asks who the institution is; the second asks what is actually moving, and whether that movement is changing in ways that should concern you.
- Wallet Screening: Assesses the risk exposure attached to the specific addresses involved in the relationship.
- Transaction Monitoring: Detects changing risk and suspicious flows after onboarding, when the static review is already behind you.
- Asset-Movement Focus: Keeps the review anchored to the actual movement of assets, not only the identity of the institution.

The scale of the underlying problem is the reason this layer is non-negotiable. Blockchain analytics reporting has put illicit on-chain activity associated with fraud and scams in the tens of billions of dollars in a single recent year, and a large share of high-value thefts move through services rather than around them. A counterparty being “regulated” does nothing to stop tainted value from arriving in a wallet you transact with. This is where transaction-level tooling fits: continuous transaction monitoring in crypto and wallet screening let a business test the actual chain activity rather than relying on the counterparty’s status or onboarding paperwork.
Used this way, a tool such as AMLBot supports the wallet-screening, KYT and ongoing-monitoring part of the workflow. It does not check an official register, confirm a licence, or perform the legal due diligence on the counterparty entity — those remain separate steps. The value is in closing the transaction-level gap that entity verification leaves open.
Step 6: Decide, Document and Set Monitoring Triggers
Due diligence ends with a documented decision that records what you found, what you allowed, and the conditions under which the relationship continues. A decision you cannot evidence later is, for practical purposes, a decision you did not make. At minimum, capture the following:
- Identity and Legal Entity: The verified entity behind the counterparty.
- Jurisdiction and Verified Status: Where it is authorised or registered, and the evidence relied on.
- Services Covered: The specific services the relationship involves.
- AML and Travel Rule Findings: The compliance and transfer information actually reviewed.
- Risk Classification: The internal risk level assigned to the relationship.
- Approved Transfer Scenarios: What the relationship is permitted to do.
- Restrictions and Escalation Conditions: The limits and the circumstances that force a review.
- Review Owner and Date: Who owns the relationship and when it is next assessed.
- Monitoring and Reassessment Triggers: The events that should reopen the file.
Review frequency and escalation decisions should be risk-based and aligned with your applicable legal obligations and internal compliance policy. There is no single correct interval for every business — a high-volume liquidity counterparty plainly warrants closer attention than an occasional, low-value partner — and an annual refresh is not automatically enough when a trigger event has occurred in the meantime.
Counterparty VASP Due Diligence Checklist
This is a compact, two-stage checklist you can lift straight into a procedure: one set of actions before the relationship begins, and one set for the life of the relationship.
Before Establishing the Relationship
- Identify the Legal Entity: Establish the counterparty’s exact registered entity, not just its brand.
- Confirm the Services: Pin down which services the relationship will actually involve.
- Determine the Jurisdiction: Identify the relevant jurisdiction or jurisdictions.
- Verify Regulatory Status: Check status through official sources wherever applicable.
- Check Service Coverage: Confirm the claimed status actually covers the service you need.
- Obtain Compliance Contacts: Get appropriate AML and compliance contact information.
- Assess Travel Rule Readiness: Test readiness for provider-to-provider transfers before exchanging data.
- Evaluate On-Chain Exposure: Screen the relevant wallets and transaction exposure.
- Document the Decision: Record the conditions, the risk level and the owner of the review.
During the Relationship
- Monitor Activity: Track transactions and relevant wallet exposure on an ongoing basis.
- Flag Data Gaps: Watch for missing or inconsistent transfer information.
- Review Material Changes: Reassess after meaningful regulatory or legal changes.
- React to Risk Events: Re-open the file after sanctions, enforcement or adverse-risk events.
- Update on Structural Change: Refresh due diligence when the entity, service or jurisdiction changes.
- Keep Records: Maintain evidence of reviews, escalations and decisions.
Common Mistakes in Counterparty VASP Due Diligence
Most failures are not exotic. They come from a handful of recurring shortcuts — checking the brand instead of the entity, treating a registration as proof that all services are covered, assuming a regulated counterparty carries no on-chain risk, exchanging data before understanding who receives it, reviewing a counterparty once and never again, ignoring repeated operational exceptions, or confusing customer onboarding with institutional counterparty due diligence.
The lesson is not that working with external VASPs is too risky to attempt — provider-to-provider flows are how the industry functions. The lesson is that the risk is manageable only when the review is specific, evidenced, and kept alive after onboarding.
Building a Defensible Counterparty VASP Due Diligence Process
A defensible process has a clear shape. It begins by identifying the legal entity and verifying the relevant regulatory status. It continues by assessing the counterparty’s AML and Travel Rule readiness — what it is permitted to do, and what it can actually do. And it never treats regulatory status as a substitute for looking at the chain: wallet screening and transaction monitoring carry the part of the risk that entity verification cannot reach.
For a crypto business, those layers are a sequence. Institutional assessment, transfer-data controls, and ongoing on-chain risk monitoring each answer a different question, and a relationship is only as defensible as the weakest of them. In practical terms, the goal is a workflow you can evidence at any point — who you checked, what you found, what you allowed, and what would make you look again.
Within that workflow, AMLBot can support the transaction-level layer through wallet screening and continuous monitoring, surfacing changing risk signals once a relationship is live. It is not a tool for verifying a licence or performing the legal due diligence on a counterparty entity, and no single tool closes the whole process. Used for what it does well, it fills the on-chain gap that entity checks leave behind — and that gap is where counterparty risk most often turns into a real problem.
FAQ
What Is Counterparty VASP Due Diligence?
Counterparty VASP due diligence is the process of identifying and assessing another virtual asset service provider before establishing or continuing a business relationship or provider-to-provider crypto transfer flow. It typically includes legal entity verification, regulatory status checks, AML and Travel Rule readiness assessment, and ongoing transaction-level monitoring.
Why Do Crypto Businesses Need to Assess Counterparty VASPs?
Crypto businesses need to assess counterparty VASPs because they may send funds to, receive funds from, or exchange required transfer information with another provider — and that provider’s controls become part of their own risk. Assessing the counterparty confirms who is on the other side, whether it operates under an appropriate status, and what operational or transaction risks remain.
Is a Crypto Exchange Always a VASP?
Not always. A crypto exchange usually qualifies as a VASP when it performs activities covered by the relevant framework, such as exchanging or transferring virtual assets. The exact classification depends on the services it performs and the applicable jurisdiction, so it is determined by function rather than by label.
What Is the Difference Between a VASP and a CASP?
VASP is the term used in the global FATF framework for virtual asset service providers, while CASP is the term used in the European Union under MiCA for crypto-asset service providers. They describe similar businesses, and a company operating globally may need to apply both terms depending on where its counterparty is based.
What Should a Business Verify First When Assessing a Counterparty VASP?
The first step is to identify the exact legal entity behind the brand or service. The business should then confirm the relevant jurisdiction, the regulatory status of that entity, the scope of permitted services, and whether that entity is the actual party to the relationship or transfer flow.
Does a Licence or Registration Mean a Counterparty VASP Is Low-Risk?
No. Regulatory status confirms that a specific entity operates within a defined framework, but it does not prove that every transaction, wallet, or customer connected to that provider is low-risk. Transaction-level exposure has to be assessed separately through wallet screening and ongoing monitoring.
How Is Counterparty VASP Due Diligence Connected to the Travel Rule?
When crypto-asset transfers occur between relevant service providers, a business may need to exchange required originator and beneficiary information. Before doing so, it must know who the counterparty is, whether it can handle the required data correctly, and how incomplete information or exceptions will be managed.
Is Counterparty VASP Due Diligence the Same as Customer Due Diligence?
No. Customer due diligence assesses the individuals or businesses using a company’s services, while counterparty VASP due diligence assesses another crypto service provider in an operational relationship or transfer flow. Both may be required at once, but they answer different risk questions and do not replace each other.
Why Is Wallet Screening Still Needed After a Counterparty VASP Has Been Approved?
Wallet screening is still needed because an approved counterparty can be connected to transactions or wallet exposure that creates risk. Screening and transaction monitoring let a business assess actual on-chain activity over time, rather than relying only on the counterparty’s regulatory status or onboarding documents.
How Can AMLBot Support Counterparty VASP Due Diligence Workflows?
AMLBot supports the transaction-level part of the workflow through wallet screening and ongoing transaction monitoring, helping businesses evaluate on-chain exposure and detect changing risk signals after a relationship begins. It does not replace legal entity verification, official regulatory checks, or a business’s internal due diligence process.