Virtual Asset Service Provider: FATF Definition & Scope

What Is a Virtual Asset Service Provider (VASP)? Who Needs One?

A virtual asset service provider (VASP) is any business or entity that facilitates transactions with virtual assets , including cryptocurrencies, tokens, and digital currencies. These providers offer services such as exchanging, safeguarding, transferring, or managing virtual assets . The Financial Action Task Force ( FATF ) definition of virtual asset services places VASPs at the core of the digital asset sector. If you operate a cryptocurrency exchange , act as a wallet provider , or deliver services related to digital assets , you may be classified as a virtual asset service provider and likely need to meet both international and national compliance requirements.

Businesses that commonly fall within the scope include:

Cryptocurrency exchanges (centralized and decentralized)
Wallet providers (custodial and non-custodial)
Payment processors handling digital currencies
OTC desks
Token issuers and organizations conducting token sales
Custodians responsible for assets on behalf of clients
Trading platforms facilitating exchange between virtual assets or fiat currencies

VASPs are foundational to today’s financial landscape. They drive digital asset adoption but also attract focused attention from regulators and law enforcement .

Magnus Müller

+41782084680

info@crypto-license.io

Сontact us

FATF VASP Definition: Scope and Key Activities

The FATF definition shapes the global understanding of virtual asset service providers . Under FATF standards , a VASP is any natural or legal person not covered under other AML CFT laws who conducts one or more of these activities:

Exchanging virtual assets for fiat currencies or other digital assets
Providing administration of virtual assets or safekeeping or administration of assets for clients
Transfer virtual assets , including cross-border movement
Issuance or safekeeping of instruments representing digital assets
Providing financial services related to an issuer’s offer or sale of a virtual asset

Examples of virtual asset service providers include crypto exchanges , wallet providers , token issuers , and payment processors . The FATF’s guidance extends to emerging digital assets, such as non-fungible tokens (NFTs) , depending on their structure and use.

For a comprehensive overview, refer to our FATF Crypto Guidelines: VASP Compliance Framework Explained.

Key Compliance Requirements for VASPs: AML, CFT, and the Travel Rule

Operating a virtual asset service lawfully means placing compliance at the heart of your business. VASPs must establish rigorous anti-money laundering and counter-terrorism financing controls. Core obligations include:

1. Customer Due Diligence (CDD) & Enhanced Due Diligence (EDD)
A VASP is obliged to conduct comprehensive know your customer reviews. This entails verifying customer identities, collecting documentation, assessing risk profiles, and screening for sanctions or politically exposed persons.

2. Ongoing Monitoring & Record Keeping
VASPs must consistently monitor transactions and customer identity for patterns indicating illicit activities . Record keeping is legally required; business must retain customer and transaction records, often for 5–10 years as mandated.

3. Suspicious Activity and Transaction Reporting
If a transaction or activity appears unusual, VASPs are required to file suspicious activity reports with the proper authorities. Regular transaction reporting is also mandatory in most jurisdictions.

4. The Travel Rule
The Travel Rule mandates that virtual asset transfers above specific thresholds include sender and beneficiary details—allowing law enforcement and regulatory bodies to trace transfers, counter money laundering , and mitigate terrorist financing . Learn more in Crypto Travel Rule: VASP Compliance Requirements.

For guidance on red flags, see AML Red Flags in Cryptocurrency: Detection Guide.

VASP Licensing: Jurisdictions, Process, and Typical Costs

Licensing requirements and regulatory obligations for VASPs vary by jurisdiction. Switzerland, the European Union’s MiCA Framework, Estonia, and Lithuania each offer tailored regulatory pathways.

To obtain a VASP license , key steps generally include:

Incorporating a compliant legal entity in Switzerland or the EU
Preparing and submitting a detailed business plan and AML/CTF procedures
Appointing qualified directors, AML officers, and relevant staff
Completing due diligence and KYC background checks
Satisfying capital requirements and paying relevant registration fees

Further country insights and step-by-step guides:

For cost breakdowns, see VASP License Cost: Registration Fees & Ongoing Expenses and Crypto License Cost: Pricing by Country & License Type [2026].

Our Expertise: VASP Licensing and Compliance Support

Based in Switzerland, our firm specializes in corporate law , financial regulation , crypto assets , and licensing . We provide:

Strategic advice on VASPs must registration and licensing in Switzerland and the EU
Guidance on regulatory frameworks and FATF standards
Drafting of robust AML/CTF policies and compliance controls
Full-cycle support from application to ongoing record keeping and audits
Coordination with regulatory bodies , tax authorities , and law enforcement when required

Our track record spans all major crypto asset types—from exchanges and custodial wallet solutions to token and ICO administration. Every process is tailored to your business model and jurisdiction, reducing risks and enabling international growth.

See Crypto License Requirements: What You Need to Apply and Types of Crypto Licenses: Exchange, Custody, Broker, Payment & More.

Staying Ahead: Evolving Risks, Oversight, and Industry Trends

VASPs operate in a fast-paced environment. Core challenges and trends include:

Regulatory Shifts: Legal requirements change across regions. Our team keeps you informed on updated guidance and shifting compliance landscapes.
Security Risks: VASPs face heightened threats—system breaches, loss of private keys, scams. We advise on risk management , technology audits, and crisis protocols.
Global Compliance: Organizations like FATF drive unified regulatory frameworks , supporting VASPs to operate legally in multiple countries.
DeFi and NFTs: Regulation continues to expand to decentralized finance (DeFi) , tokenized assets, and non-fungible tokens (NFTs) . Detailed coverage at DeFi Compliance: How to Navigate Regulatory Requirements and Tokenization Regulation: Legal Compliance for Real-World Asset (RWA) Tokenization in Switzerland.
Enforcement Collaboration: Law enforcement and regulatory bodies increase data sharing and investigations. Resilient compliance programs are essential.

For practical insights, see Crypto Banking: How Swiss Banks Engage with Digital Assets and Regulation and Crypto Insurance: Coverage Options for Digital Assets.

Start Your VASP Licensing or Compliance Project

Whether you’re launching a crypto asset platform, expanding your virtual asset service , or responding to new regulatory frameworks , our legal specialists deliver comprehensive support:

Initial consultations and eligibility reviews
Jurisdiction selection based on your strategic goals
Preparation of all applications and compliance documentation
Liaising with authorities for licensing and registration
Continued compliance: reporting, audits, and advisory

Focus on growth and innovation—leave the legal complexity to us.

Ready to take the next step? Contact our team today to discuss your VASP licensing, compliance, or restructuring needs. We analyze your requirements and create a clear path forward—so you can operate with confidence, wherever you do business.

Frequently asked questions about Virtual Asset Service Provider: FATF Definition & Scope

What is a Virtual Asset Service Provider (VASP) according to FATF?

A VASP is any entity or business facilitating transactions with virtual assets, including exchanging, safeguarding, transferring, or managing them, as defined by the Financial Action Task Force (FATF).

Who typically needs a VASP license?

Crypto exchanges, wallet providers, payment processors, OTC desks, token issuers, and custodians usually require a VASP license if they handle virtual assets on behalf of others.

Which activities fall under the FATF's VASP definition?

Activities include exchanging virtual assets for fiat or other digital assets, safekeeping or administering virtual assets, transferring assets, and offering financial services tied to an issuer’s asset sale.

Are non-fungible tokens (NFTs) considered virtual assets under FATF guidelines?

NFTs may be considered virtual assets if their function makes them similar to regulated tokens, depending on structure and usage.

What compliance requirements apply to VASPs?

VASPs must follow anti-money laundering (AML), counter-terrorism financing (CTF) controls, conduct customer due diligence, monitor transactions, keep records, and report suspicious activities.

What is the Travel Rule and how does it affect VASPs?

The Travel Rule requires VASPs to collect and share sender and recipient information in virtual asset transfers above set thresholds for monitoring purposes.

How do licensing requirements for VASPs differ across countries?

Regulatory obligations and licensing processes vary significantly; Switzerland, the EU, Estonia, and Lithuania each have their own application steps, compliance rules, and costs.

What are typical steps to get a VASP license in Switzerland or the EU?

You need to incorporate a legal entity, provide a business plan and AML procedures, appoint compliance staff, perform due diligence, and meet capital and registration requirements.

Can decentralized finance (DeFi) platforms be VASPs?

DeFi platforms may be classified as VASPs if they conduct regulated activities like asset exchange or custody, but treatment depends upon how services are structured.

How long must VASPs retain customer and transaction records?

Most jurisdictions require VASPs to keep records for five to ten years, depending on local regulations.

Which organizations set global standards for virtual asset regulation?

The Financial Action Task Force (FATF) leads global standard-setting, influencing national regulations and compliance frameworks.

Why do VASPs attract special attention from regulators and law enforcement?

VASPs are central to digital asset flows, which can make them targets for illicit activity and thus subject to strict monitoring and enforcement.

What security risks must VASPs manage?

VASPs face risks from system breaches, scams, and the loss of private keys, so robust risk management and technology audits are critical.

Do all virtual asset businesses need to register as VASPs?

No, only those conducting specific services like exchange, custody, transfer, or advisory activities typically require VASP status. Actually—scratch that. Some variations exist by jurisdiction.

How can a VASP stay compliant as regulations evolve?

Regularly update policies, monitor for new guidance, conduct staff training, and work with legal advisors to adjust to changing regulatory landscapes.

What are capital requirements for VASP licensing?

Capital requirements differ by jurisdiction and type of service, often set to ensure sound operation; specifics are outlined by regulators such as FINMA in Switzerland.

What ongoing obligations do licensed VASPs have?

Licensed VASPs must continue transaction monitoring, report suspicious behaviour, perform periodic compliance reviews, and maintain AML/CTF programs.

Can a VASP operate in multiple countries with one license?

Not usually. Most jurisdictions require separate registration or licensing, but some harmonized frameworks like the EU’s MiCA may allow broader coverage.

What support do specialist legal firms offer for VASP licensing?

They assist with jurisdiction selection, drafting compliance programs, preparing applications, ongoing audit support, and liaising with regulators—letting businesses focus on growth.