If you operate a crypto exchange, brokerage desk, hosted wallet, custody platform, payment rail, or any service that moves or safeguards crypto on behalf of customers, you are almost certainly being assessed through the lens of a virtual assets service provider (VASP) framework.
In 2026, that label is not just a definition; it is the regulatory perimeter that determines whether you need authorization, what controls you must run, and how you will be supervised.
Key Takeaways
- A VASP is a business that conducts certain virtual-asset activities for or on behalf of others, and is therefore expected to meet AML/CFT obligations under the global standards set by FATF.
- In the EU, the market is aligning on MiCA authorization for Crypto-Asset Service Providers (CASPs), with transitional timelines that can run until 1 July 2026 depending on the member state.
- Supervisors increasingly test governance, evidence quality, transaction monitoring performance, and Travel Rule implementation, not just whether you filed documents (EBA).

What Is A Virtual Assets Service Provider In 2026?
A virtual assets service provider is a regulated intermediary in the virtual-asset ecosystem.
Under FATF standards, the term exists to ensure that the main gateways where customers convert, transfer, and custody crypto are accountable for AML/CFT controls, similar to how banks and money transmitters are regulated in traditional finance.
In plain terms, you are typically treated as a VASP if you:
- Exchange crypto for fiat or other crypto,
- Transfer crypto on behalf of customers,
- Custody or safeguard crypto or private keys for customers,
- Or facilitate these activities as an intermediary (brokerage, OTC desk, certain settlement/rail models).
The key concept is “for or on behalf of others.”
If your business model places you between a customer and the blockchain (or between two customers), regulators usually expect you to run a full compliance program.
To make this fully concrete, the FATF definition (from its risk-based approach guidance and glossary language) scopes a VASP as any natural or legal person not covered elsewhere, that conducts one or more covered activities as a business and for or on behalf of another person, including exchange (fiat↔VA and VA↔VA), transfer, safekeeping/administration (or instruments enabling control), and certain financial services related to an issuer’s offer/sale.
Also important for 2026 context: FATF’s latest targeted update (June 2025) is explicit that implementation is being monitored at global scale, using a self-reported survey of 163 jurisdictions, and it highlights Travel Rule implementation as a persistent gap area (with Travel Rule questions answered by 117 respondents).
Which Activities Usually Make You A VASP?
Below are common triggers regulators use when they scope VASP obligations. Exact perimeter differs by jurisdiction, but the patterns are consistent.
Exchange
- Fiat ↔ crypto (e.g., card/bank on-ramp, cash-out)
- Crypto ↔ crypto swaps (centralized venue or broker model)
Why it’s regulated: exchanges are high-risk choke points for layering, rapid cross-border movement, and sanctions evasion.
Transfer / Transmission
- Sending crypto from one person/entity to another as a service
- Operating a payment rail where you orchestrate transfers for customers
Why it’s regulated: transfer capability is the operational core of illicit finance movement, so controls must exist at the intermediary layer.
Custody / Safekeeping / Key Control
- Hosted wallets, custodians, custody tech with operational control over keys
- Any model where a customer cannot independently move assets without you
Why it’s regulated: custody is about safeguarding, segregation, incident response, and preventing unauthorized movement.
Intermediation And Brokerage
- OTC desk, broker routing, matching buyers/sellers, execution services
- Agency models still create exposure because you are the facilitator
Why it’s regulated: intermediaries can become the de-facto gateway for high-value flows.
A practical nuance that matters in 2026: regulators increasingly apply a “function over labels” test.
If you are effectively between the customer and the chain (key control, execution discretion, transfer orchestration, or customer-facing settlement), you should assume VASP/CASP expectations may apply even if your marketing language says “non-custodial” or “just software.”
This is consistent with FATF’s risk-based approach framing and with EU supervisory messaging around perimeter clarity and customer communications.
VASP vs Exchange vs Custodian vs Broker vs Payment Provider
Many firms do more than one role. Compliance obligations compound when you mix them.
| Role | What It Does | Core Risk | Typical Control Focus |
|---|---|---|---|
| Exchange | Converts or trades | layering, market abuse | KYC/KYB, monitoring, market integrity |
| Custodian | Holds assets/keys | loss/theft, unauthorized transfer | key management, segregation, IR |
| Broker/OTC | Facilitates execution | high-value opaque flows | enhanced due diligence, source of funds |
| Payment rail | Orchestrates transfers | rapid cross-border movement | Travel Rule, sanctions controls, monitoring |
In practice, multi-role firms get reviewed like multi-product financial institutions: you need a control story that explains (1) where each obligation sits, (2) how monitoring and sanctions screening works end-to-end across roles, and (3) how you prevent regulatory perimeter leakage (e.g., a product path that unintentionally bypasses Travel Rule handling or KYB requirements).
FATF’s targeted update explicitly frames these implementation challenges as core issues jurisdictions and supervisors are working through.

VASP vs CASP: Why The EU Vocabulary Matters in 2026
Globally, VASP is the widely used term (especially in AML/CFT contexts).
In the EU, the operational term under MiCA is Crypto-Asset Service Provider (CASP), but in practice, the compliance expectations still map strongly to the VASP concept.
ESMA states that MiCA includes a transitional regime for CASPs that offered services prior to 30 December 2024, allowing them (subject to member-state choices) to continue until 1 July 2026 or until authorization is granted/refused, whichever is sooner.
Some national authorities are also explicitly reinforcing the hard stop. For example, AMF reminds providers that, in France, the transitional period ends on 1 July 2026, and providers not authorized as CASPs must cease relevant activities.
Practical implication: In 2026, “we’re working on our license” is not a strategy unless you can prove you are operating within a valid transitional regime and are executing a real authorization plan.
A second 2026-relevant implication: ESMA has also used its statements to push firms toward orderly wind-down planning where the transitional period has ended or will end before authorization is secured, because supervisors are explicitly trying to reduce consumer disruption risk.
Licensing In 2026: How Supervisors Actually Evaluate Applicants
Licensing is rarely just a form-fill exercise. Across regimes, regulators focus on whether you can operate safely on day one and remain controllable under stress.
Here’s what gets attention in real reviews:
Governance That Creates Accountability
- Clear senior management ownership for AML/CFT and operational risk
- A credible compliance leader with independence and authority
- Board-level reporting and escalation paths
Business Model Perimeter Clarity
- Exactly which services you provide (and which you do not)
- How funds flow, where crypto sits, and who controls keys
- Clear separation of regulated vs unregulated products (marketing and UI matters)
This last point is becoming a visible supervisory theme. ESMA has warned about firms potentially misleading customers by implying regulated status for activities/products not covered by MiCA protections.
Controls That Produce Evidence
A licensing package that says “we monitor transactions” is weak.
A package that includes:
- monitoring typologies,
- thresholds,
- alert tuning logic,
- QA outcomes,
- case-management workflow,
- and decision evidence
is much more credible.
A real 2026 proof-point that supervisors care about operational evidence (not intent): Central Bank of Ireland fined Coinbase Europe Limited €21.5m in a settlement tied to transaction monitoring failures, which Coinbase attributed to technical coding errors affecting monitoring for a period.
That is exactly the kind of enforcement that shifts licensing conversations from “do you have policies?” to “can you show your systems and evidence actually work?”
A Jurisdiction-Focused View (EU + UK As Practical Examples)
EU: MiCA CASP Authorization + Transition
For many providers, the key operational milestone is MiCA’s CASP regime and its transition rules.
ESMA describes a grandfathering clause allowing some pre-existing providers to continue until 1 July 2026 (or authorization decision), depending on how a member state applies the transition.
What this means in practice:
- You need a clearly scoped service inventory aligned to MiCA categories.
- You need a governance and control stack that survives supervisory review.
- You must manage customer communications carefully during the transition (avoid over-claiming regulated status).
EU Travel Rule: Transfers Of Crypto Assets
The EU’s Travel Rule expectations for crypto transfers have been clarified through guidance from EBA, which published final guidelines on information requirements for certain transfers of funds and crypto-assets (July 2024), applicable from 30 December 2024.
Operationally, this forces product and compliance teams to cooperate: you need data capture, message exchange, counterparty handling, exception logic, and defensible recordkeeping, not just a policy statement.
And the details matter. For transfers involving a self-hosted address, the EBA guidelines specify a risk-and-threshold-based approach:
- CASPs should determine whether the transfer is at or above EUR 1,000 using the applicable exchange rate at the time of initiation/receipt.
- For transfers above EUR 1,000, CASPs should assess ownership/control of the self-hosted address and may need to use a combination of methods when one alone is not reliable.
- If ownership/control is established, the guidelines explicitly contemplate documenting and potentially “whitelisting” addresses, with controls to detect risk changes and remove from whitelist when appropriate.
UK: FCA Registration Under MLRs
In the UK, FCA explains that crypto-asset businesses in scope must register under the Money Laundering Regulations to conduct relevant activity.
Practical implication: your AML program readiness is central. Firms are expected to demonstrate that they understand the regime and can comply, not that they merely intend to comply.
Separately, the FCA also describes how the gateway into the UK’s new crypto-asset regime is expected to work, including an expected application period from 30 September 2026 to 28 February 2027 (to be confirmed by FCA direction).

Compliance In 2026: The Minimum Viable VASP Control Stack
A mature VASP compliance program is a system, not a document.
At minimum, you need these layers:
1) Enterprise Risk Assessment
- Identify inherent risks: customer types, geographies, products, rails, asset types
- Define mitigating controls
- Document residual risk and what triggers escalation
FATF’s targeted update makes clear that jurisdictions and supervisors are evaluating whether firms and regimes can actually assess and manage ML/TF risk in the VA sector, with Travel Rule and cross-border supervisory issues explicitly called out.
2) KYC/KYB With Real-World Friction Management
- Retail KYC: identity verification, liveness checks where needed, fraud controls
- Business KYB: beneficial ownership, control persons, nature of business, sanctions screening
- Risk-based EDD triggers: high-risk geos, PEPs, high velocity, mixer exposure, etc.
Put simply: regulators want you to explain why you let a customer onboard, not just that you collected documents.
3) Transaction Monitoring That Matches Crypto Reality
A basic but defensible model includes:
- On-chain risk indicators (exposure, hops, known typologies)
- Off-chain indicators (device/IP patterns, payment method risk, velocity)
- Scenario-based rules for high-risk behavior (rapid in/out, structuring, chain-hopping)
Your monitoring must also produce reviewable artifacts:
- alert → analyst triage → decision → rationale → disposition → SAR/STR (if applicable)
The Coinbase Europe settlement is a good reminder that monitoring failures can be treated as serious control breakdowns even when the root cause is “technical” (e.g., coding errors).
4) Sanctions And High-Risk Exposure Controls
- Screening at onboarding (names/entities)
- Screening at transaction time (addresses, counterparties, geography indicators)
- Clear freeze/reject workflows and escalation governance
5) Travel Rule Implementation For Transfers
Using EBA’s guidance as an anchor, a real program includes: data fields, message exchange approach, counterparty handling, exceptions, and audit trails.
Also, in 2026 the Travel Rule is not just a set of fields; it is interoperability. Many VASPs exchange Travel Rule data using standardized schemas such as IVMS 101, which is maintained through the interVASP messaging standard ecosystem and commonly used by solution providers as a shared data language.
6) Recordkeeping, Reporting, And Independent Testing
- Immutable logs and retention aligned to local obligations
- Periodic independent testing (internal audit or external)
- Metrics that show your program works (false positives, conversion rates, time-to-close)
The Travel Rule: What It Changes In Product And Ops
Many teams treat Travel Rule as a compliance vendor problem.
In 2026, that mindset fails because Travel Rule compliance is deeply intertwined with your product’s transfer UX.
A practical implementation usually requires:
- Data capture: gather originator/beneficiary info at the right point in the flow
- Counterparty resolution: identify whether the receiving entity is a VASP/CASP, and if so, exchange required data
- Exception handling: what happens when counterparty can’t/won’t exchange data, or is unhosted
- Evidence: be able to show what data was collected/sent/received and why a transfer was allowed or blocked
EBA explicitly positions these information requirements as an AML/CFT measure for transfers of funds and certain crypto-assets, and it is explicit that required information should be transmitted immediately (prior to, simultaneously, or concurrently with the transfer) and securely.
The self-hosted wallet section is a good example of why UX and compliance cannot be separated: above EUR 1,000, you are not just collecting information, you are expected to address ownership/control of the self-hosted address using reliable technical methods and maintain controls around whitelisting and risk changes.
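The self-hosted address flow described above, sketched as an added example (not code from the EBA guidelines or from this article): a gate that values the transfer in EUR at the initiation rate, checks the whitelist, and writes each decision to a hash-chained log so the evidence cannot be quietly edited later. All class, function and method-label names are hypothetical, treating a transfer of exactly EUR 1,000 as triggering the ownership step is a conservative assumption, and sanctions screening and counterparty data exchange are out of scope.

```python
import hashlib
import json
from dataclasses import dataclass
from decimal import Decimal

THRESHOLD_EUR = Decimal("1000")  # EUR 1,000 threshold cited in the text
GENESIS = "0" * 64

@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    amount: Decimal                  # units of the crypto-asset
    eur_rate_at_initiation: Decimal  # rate captured when the transfer started
    dest_address: str                # self-hosted destination address

class DecisionLog:
    """Append-only log: each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append(
            {"prev": prev, "record": record, "hash": self._digest(prev, record)})

    def verify(self) -> bool:  # any edited or dropped entry breaks the chain
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def gate_self_hosted(t: Transfer, whitelist: dict, log: DecisionLog) -> str:
    """Decide whether the ownership/control step is triggered, and log why."""
    eur_value = (t.amount * t.eur_rate_at_initiation).quantize(Decimal("0.01"))
    methods = whitelist.get(t.dest_address, [])
    if eur_value < THRESHOLD_EUR:
        decision, reason = "PROCEED", "below threshold"
    elif methods:
        decision, reason = "PROCEED_WHITELISTED", "ownership previously evidenced"
    else:
        decision, reason = "HOLD_VERIFY_OWNERSHIP", "ownership not established"
    log.append({"transfer_id": t.transfer_id, "eur_value": str(eur_value),
                "rate": str(t.eur_rate_at_initiation), "decision": decision,
                "reason": reason, "ownership_methods": methods})
    return decision

def revoke(whitelist: dict, address: str, why: str, log: DecisionLog) -> None:
    """Remove an address after a risk change and record the removal."""
    whitelist.pop(address, None)
    log.append({"event": "whitelist_removed", "address": address, "reason": why})

def demo():
    log, wl = DecisionLog(), {}  # constructed sample values throughout
    t = Transfer("tx-1", Decimal("0.02"), Decimal("60000"), "addr-constructed-1")
    first = gate_self_hosted(t, wl, log)           # EUR 1,200, not whitelisted
    wl[t.dest_address] = ["signed-message", "test-transfer"]  # hypothetical labels
    return first, gate_self_hosted(t, wl, log), log.verify()
```

Editing any stored record afterwards makes `verify()` return `False`, which is the property a reviewer relies on when asked why a transfer was allowed or held.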

Custody, Safeguarding, And Operational Resilience
If you custody assets (or control keys), compliance extends beyond AML:
Key Control And Security Posture
- Defined key management model (e.g., MPC/HSM/segregated roles)
- Access control and privileged activity monitoring
- Change management and security testing
Asset Segregation And Reconciliation
- Customer asset segregation expectations
- Clear reconciliation processes and exception handling
- Proof of controls that can be audited
Incident Response That Is Regulator-Ready
- IR playbooks, communications templates, escalation trees
- Post-incident reviews and control improvements
- Evidence retention
A 2026-relevant supervisory signal here: Cayman Islands Monetary Authority has publicly described its AML/CFT on-site and off-site supervision approach for registered VASPs, and commentary on its thematic review work has emphasized governance, cybersecurity, and custody control expectations as part of supervisory scrutiny.
What Regulators Flag Most Often In 2026
Across jurisdictions, failure modes are consistent:
- Paper compliance: policies exist, but workflows and evidence do not
- Weak governance: unclear accountability, underpowered compliance function
- Vendor outsourcing without oversight: “the vendor does it” is not an answer
- Monitoring that doesn’t fit crypto: high false negatives, poor typology coverage
- Misleading regulatory claims: suggesting regulated status applies to everything you offer
ESMA has publicly highlighted concerns about misleading customers regarding regulatory status under MiCA.
You can see how these show up in real enforcement and supervision: Coinbase Europe’s monitoring failures (linked to coding errors) demonstrate that regulators can treat technical issues as material compliance breakdowns when they affect detection and reporting outcomes.
A Practical Implementation Playbook
If you are building (or fixing) a VASP program, this sequence is usually the fastest path to supervisable operations:
- Map the service perimeter: List every service you provide and the money/asset flows
- Choose target jurisdictions and licensing strategy: Identify whether transitional regimes apply and what deadlines bind you
- Design the control stack: KYC/KYB, monitoring, sanctions, Travel Rule, reporting, audit
- Implement evidence-first operations: Case management, audit logs, retention, decision rationales
- Run a pre-supervision mock review:
  - Can you show how a risky customer was denied?
  - Can you evidence why a borderline transfer was allowed?
  - Can you explain your tuning and governance?
For firms operating across borders, add one more practical layer: counterparty VASP/CASP management (who you will transact with, under what messaging standards, and what happens when a counterparty cannot exchange required Travel Rule data).
That is where compliance, product flows, and commercial operations intersect most painfully in 2026.

Conclusion
A virtual assets service provider is, in practice, the regulated perimeter for businesses that exchange, transfer, or custody crypto for others under global AML/CFT expectations set by FATF.
In 2026, licensing is converging toward operationally demanding regimes—particularly in the EU under MiCA’s CASP framework and transition timelines that can run to 1 July 2026.
But authorization alone is not the finish line: regulators care whether your controls work day-to-day, whether your Travel Rule implementation is real, and whether your governance produces defensible evidence.
The winners in 2026 will be the firms that treat compliance as a system of people, process, technology, and proof, not as a document set.
FAQ:
1. What is a virtual assets service provider in simple terms?
A virtual assets service provider is a business that helps customers exchange, transfer, or custody crypto on their behalf, and is therefore expected to run AML/CFT controls under global standards.
2. Do non-custodial wallets count as a VASP?
Non-custodial wallets often do not count as a VASP, but it depends on whether the wallet provider actually intermediates transfers, controls keys, or otherwise provides regulated services “for or on behalf of” users. Perimeter tests vary by jurisdiction and facts, and FATF guidance emphasizes function-based scoping.
3. What is the difference between a VASP and a CASP?
VASP is the global AML/CFT term used widely in policy and enforcement contexts; CASP is the EU MiCA operational term for regulated crypto service providers.
4. What compliance controls do regulators expect first?
The compliance controls regulators expect first are a risk assessment, KYC/KYB, transaction monitoring, sanctions controls, Travel Rule handling (where applicable), recordkeeping, reporting, and independent testing; together these form the baseline.
5. What is Travel Rule compliance for crypto transfers?
Travel Rule compliance for crypto transfers is the requirement to ensure certain identifying information accompanies applicable transfers of funds/crypto-assets to reduce ML/TF risk, supported in the EU by EBA guidelines that apply from 30 December 2024 and include specific expectations for self-hosted addresses above EUR 1,000.
Disclaimer:
This content is provided for informational and educational purposes only and does not constitute financial, investment, legal, or tax advice; no material herein should be interpreted as a recommendation, endorsement, or solicitation to buy or sell any financial instrument, and readers should conduct their own independent research or consult a qualified professional.