Article

What Is a VASP? Virtual Asset Service Providers Explained

"VASP" is a term most people first encounter in a piece of small print - on a provider's footer, in a compliance memo, or buried in a due diligence questionnaire.

VASP is the regulatory category that decides whether a counterparty is allowed to hold, move, or exchange your digital assets at all, and whether you have any meaningful recourse if something breaks.

The definition is stricter than most marketing pages let on. It comes with named obligations, named registrars, and a public paper trail - when a provider claims VASP status, that claim is verifiable in roughly two minutes.

This piece walks through what the term means, where it came from, who it actually catches, how the major jurisdictions implement it, and how to check a provider's status before you wire anything.

What a VASP Actually Is

A Virtual Asset Service Provider is any natural or legal person that, as a business, performs one or more of five specified activities on behalf of someone else.

The list comes from the Financial Action Task Force - the international standard-setter for anti-money-laundering and counter-terrorism financing rules - under Recommendation 15 and its Interpretive Note, adopted in June 2019.

The five activities are:

    • Exchange between virtual assets and fiat currencies - converting BTC to USD, EUR to ETH, and so on.
    • Exchange between one or more forms of virtual assets - trading BTC for ETH, swapping stablecoins.
    • Transfer of virtual assets - moving assets on behalf of a customer, on-chain or off-chain.
    • Safekeeping or administration of virtual assets, including instruments that enable control over them - custody, in plain English, including key management.
    • Participation in or provision of financial services related to an issuer's offer or sale of a virtual asset - token sales, structured product wrappers, capital-raising support.

Two things follow from that wording.

The definition is activity-based, not entity-based - the FATF doesn't care what a company calls itself; it cares what the company does, for whom, and at what scale.

"Crypto company" is a marketing label. "VASP" is a regulatory determination.

The "for or on behalf of another" language is the load-bearing phrase.

A person trading their own crypto on their own account is not a VASP. A company that takes custody of someone else's crypto, or routes someone else's transfer, is. The line is the relationship.

The standard now binds, in some form, the 205 jurisdictions that participate in the FATF's global network through its FATF-Style Regional Bodies.

The 39 full FATF members, the major economies plus the European Commission and the Gulf Co-operation Council are the ones that set the standard. Everyone else implements it.

That global reach matters for one practical reason: there is no jurisdiction left where "we operate offshore, the rules don't apply" is a defensible answer.

The rules apply somewhere. The interesting question and the one that decides counterparty risk is whether the somewhere has teeth.

Why FATF Created the Category (and What the Travel Rule Demands)

Why it exists: Crypto was moving billions across borders outside traditional banking rules. So in 2018, FATF said: "Virtual asset platforms need to follow the same customer reporting rules as banks."

The core rule: When one crypto platform sends $1,000+ to another on behalf of a customer, it must share:

  • Customer's name & wallet address
  • Recipient's name & wallet address

The receiving platform must verify this info and check for fraud/sanctions before accepting it.

The problem: Only 1 country (The Bahamas) is fully compliant. About 75% of countries are only partially compliant or don't comply at all.

This creates a real issue: platforms that follow the rules vs. those that don't are very different risks.

Bottom line: The infrastructure exists (messaging systems are built), but most of the world hasn't actually implemented it yet. It's a work in progress.

Who Counts as a VASP and Who Doesn't

Once the activity test is on the table, the boundary cases become tractable.

Centralized exchanges, custodians, OTC desks, fiat on/off-ramps, brokerage firms, crypto ATMs, and trust companies offering digital-asset administration are all VASPs in the clear.

They each perform at least one of the five activities, for or on behalf of clients, as a business. Almost every regulator's register confirms this implicitly and the names that turn up are predictable.

The harder cases sit on three frontiers.

Decentralized finance. The FATF's updated 2021 guidance addresses this directly. Software code itself is not a VASP. But where a person or entity has "control or sufficient influence" over a DeFi arrangement running the front end, holding admin keys, taking fees, marketing the protocol that person or entity may qualify.

The test is functional, not declared. The piece I'd flag here for anyone in DeFi: calling something "decentralized" doesn't move the line.

DAOs. Same test, same answer. A DAO is not exempt because it routes governance through token-weighted voting. If the substantive activity matches one of the five, the controllers of that activity can be VASPs.

Self-hosted wallets. A user holding their own keys and transacting their own assets is not a VASP. But a VASP that sends funds to or receives funds from a self-hosted wallet faces heightened diligence obligations. Different jurisdictions implement this differently, but the principle is the same. The regulated counterparty has to know enough about the unhosted side to discharge its own obligations.

One specific clarification that gets lost is that developers writing open-source code that enables one of the five activities are not VASPs by virtue of writing the code. Operating a service that performs the activity is the trigger. Publishing the code is not.

Where this matters in practice is the line between "I'm just providing software" and "I'm operating a service" is being tested in court, in regulatory enforcement, and in policy negotiation in roughly every major jurisdiction simultaneously.

The Jurisdictions That Matter

The activity definition is global. The implementation is national, and that is where the substantive differences live.

Cayman Islands (CIMA)

We’d point first to Cayman, partly because it is RYKI's home regime, and partly because the structure of the Act is a clean expression of how the FATF standard translates into a national framework.

The Cayman Islands Virtual Asset (Service Providers) Act was passed in May 2020, with the registration provisions taking effect on 31 October 2020. The Cayman Islands Monetary Authority (CIMA) supervises the regime.

The structure is risk-tiered. Most VASPs sit in a registration category. Custody providers and trading platforms above defined thresholds enter a separate licensing tier that Phase 2 licensing regime commenced on 1 April 2025, pulling the largest custody and trading operators into a more intensive supervisory posture.

Cayman registrations are public and searchable on the CIMA register. RYKI is one of the names on it registration number 2208986 and the regime is one we operate inside daily, which is to say we read its updates the way other companies read their accountants' notes.

What the Cayman regime actually requires of a registered VASP is the standard FATF stack: a compliance program, designated AML compliance officers, risk-based customer due diligence with verification of beneficial owners, sanctions screening, suspicious activity reporting, recordkeeping, and Travel Rule data exchange for transfers over the threshold.

The regulator inspects, requires reporting, and can suspend or revoke registration. None of this is exotic it is the same shape of obligation a Cayman fund or a Cayman bank operates under, applied to virtual assets.

Canada (FINTRAC)

Canada brought virtual currency dealers inside the Money Services Business (MSB) framework on 1 June 2020, through amendments to the regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

From that date, any "person or entity dealing in virtual currencies" domestic or foreign providing services to Canadian clients must register with FINTRAC as an MSB.

The Travel Rule for virtual currency transfers came into force on 1 June 2021, requiring originator and beneficiary information to accompany cross-border transfers and meaningful internal transfers above the equivalent threshold.

RYKI holds a FINTRAC MSB registration alongside its Cayman VASP status.

The Canadian regime's distinguishing feature is that "MSB" is a single bucket that already covered foreign exchange, money transmission, and money order services before crypto arrived.

Bringing virtual currency in as one more activity inside an established perimeter has produced relatively coherent supervision, even where the substantive obligations match the FATF standard.

European Union (MiCA and the CASP)

The European Union's framework looks different on the surface and substantially similar underneath.

The Markets in Crypto-Assets Regulation Regulation (EU) 2023/1114, known universally as MiCA entered into force in June 2023.

The stablecoin provisions applied from 30 June 2024, and the broader Crypto-Asset Service Provider regime applied from 30 December 2024.

EU member states with pre-existing national VASP regimes are running an 18-month transitional window through 1 July 2026, after which a CASP authorisation under MiCA is the only path.

The terminology shifted to "CASP" for two reasons.

First, MiCA wanted to align with EU MiFID-style language. Second, MiCA expanded the activity list beyond the FATF five issuance of asset-referenced and e-money tokens, custody, exchange, execution, placement, and several others making the European framework the most prescriptive of the major regimes.

United States (FinCEN)

The US has not adopted "VASP" as a regulatory category. It uses the older Money Services Business framework, in which "money transmitter" includes most crypto businesses providing transmission, exchange, or fiat conversion services.

The Financial Crimes Enforcement Network (FinCEN) is the federal supervisor; state money-transmitter licensing applies on top, varying meaningfully by state.

The functional overlap with the FATF VASP standard is substantial registration, BSA/AML program, suspicious activity reporting, sanctions screening but the operational reality is fragmented.

Most international providers serving US persons end up holding both federal MSB registration and state-by-state licenses.

Other regimes worth naming

A short tour of the regimes most institutions encounter:

Jurisdiction

Regulator

Framework

Status

Australia

AUSTRAC

Digital Currency Exchange register

In force since April 2018

Hong Kong

SFC

VATP licensing regime

In force since June 2023

Singapore

MAS

Payment Services Act / DPT services

In force since January 2020

United Arab Emirates

VARA (Dubai)

Virtual Assets and Related Activities Regulations

In force since February 2023

United Kingdom

FCA

Cryptoasset firm registration (MLR)

In force since January 2020

Each has its own register and its own scope nuances. The architecture is recognisably FATF; the implementation details are not interchangeable.

VASP, CASP, and MSB - How the Acronyms Diverge

The acronym soup confuses more deals than it should.

VASP is the FATF term, and the term jurisdictions use when they implement the FATF standard directly Cayman, Bermuda, BVI, Singapore (alongside its own DPT label), Australia, Hong Kong (where the SFC uses "VATP" for trading platforms but the FATF designation is recognised). It is also the term most commonly used in international due-diligence questionnaires.

CASP is the European term, introduced by MiCA. It overlaps heavily with VASP but is broader in some respects (covering crypto-asset issuance and structured services explicitly) and narrower in others (the EU's "crypto-asset" definition excludes some categories the FATF treats as virtual assets).

MSB is the older AML category long predating crypto that Canada and the United States have stretched to cover virtual asset activity. A Canadian MSB registration that lists "dealing in virtual currencies" as an activity is functionally a VASP designation. A US MSB classification with "money transmission" covering crypto is the same.

Most providers operating internationally end up with several of these at once.

RYKI's CIMA VASP registration in the Cayman Islands and FINTRAC MSB registration in Canada is a representative pattern, not an unusual one.

Buyers should expect serious counterparties to carry multiple registrations, and should expect each one to be verifiable independently which is the next, and most practical, question.

How to Verify a Provider's VASP Status

Most "we are a regulated VASP" claims are unverifiable in five seconds. They should be. The claim is meaningful only because it is checkable, and the check takes about two minutes.

Here is the procedure:

Step 1: Identify the regulator and find the register. A real registration names a specific regulator and a specific public register. CIMA's register sits on the CIMA VASP register. Canada's MSB register is searchable on the FINTRAC website. AUSTRAC, the SFC, the FCA, MAS, and VARA each maintain analogous public lookup tools. If a provider can't tell you which register to look at, the claim is already weak.

Step 2: Match the exact legal name. Marketing names are not legal names. The entity on the register must be the entity on the contract you are about to sign. A subtle mismatch "Acme Crypto Ltd." on the contract, "Acme Holdings Ltd." on the register is a meaningful red flag, often a sign that the regulated entity is a holding company, not the operating entity, or vice versa.

Step 3: Check the activity scope. A VASP registration in many jurisdictions is activity-specific. A registration for "virtual asset transfer" doesn't authorise custody. A Canadian MSB registration listing "foreign exchange dealing" but not "virtual currency dealing" doesn't cover crypto. The scope should match the service being purchased.

Step 4: Confirm it's current. Registers change. Registrations expire, get suspended, or get withdrawn. The relevant question is whether the registration is current as of the day of your transaction, not as of the day the provider's website was last updated. Most registers display the status field plainly.

Step 5: Get the registration number in writing. A real provider will give the registration number on request, with the regulator's verification URL. RYKI's CIMA registration is 2208986, and the verification path is the CIMA register itself that is the level of specificity to ask for from any counterparty.

The red flags are the inverse of the checks.

Vague claims of "offshore licensing" without a named regulator. Refusal to give a registration number. Registrations on FATF black- or grey-listed jurisdictions where the supervisory regime is itself called into question.

Rubber-stamped certificates from "regulatory consultants" or unrelated law firms presented as proof of registration. They are not proof of anything except that someone paid for the certificate.

If you are evaluating a counterparty and want a working example to anchor against, RYKI is registered with CIMA in the Cayman Islands and with FINTRAC in Canada, and you are welcome to put us through the verification procedure above.

Speak with our team if you want to walk through what registration actually means in your specific jurisdictional context.

Apply in less than 5 minutes. Join the thousands of institutions already using RYKI.
Get Started