What Is a VASP? Definition, Categories, Obligations

VASP — Virtual Asset Service Provider — is the regulated category of the crypto industry. FATF's 2018 definition drew a clear before/after line: the moment a business activity meets the VASP criteria, a chain of obligations from FATF Recommendation 16 to AMLD6, from EU TFR to UK MLR 2017, becomes automatically applicable. This article covers the VASP definition, its five activity categories, the obligations it carries, and how the EU's CASP terminology under MiCA aligns.

FATF's VASP definition

FATF's 2018 update defined a VASP as: "Any natural or legal person who, as a business, conducts one or more of the following activities or operations for or on behalf of another natural or legal person."

The five activities:

1. Exchange between virtual assets and fiat currency (e.g. BTC/USD trading).
2. Exchange between one or more forms of virtual assets (e.g. ETH→USDC swap).
3. Transfer of virtual assets (e.g. wallet-to-wallet transfer services).
4. Safekeeping or administration of virtual assets (custody).
5. Participation in and provision of financial services related to an issuer's offer or sale of a virtual asset (ICO/IEO/IDO platforms, token issuance services).

The critical phrase is "for or on behalf of another." An individual operating their own wallet for their own trades is not a VASP. But any entity holding customer funds, trading on behalf of customers, or executing transfers at customer instruction — is.

Who is in scope, who is not?

Clearly in scope:

• Centralized exchanges (CEX): Binance, Coinbase, Kraken, OKX-class operators.
• Custody providers: Entities holding customer private keys (Coinbase Custody, Fireblocks, BitGo and similar enterprise providers).
• OTC trading desks: High-volume institutional crypto trading desks.
• Stablecoin issuers: Tether (USDT), Circle (USDC), Gemini (GUSD). FATF's most recent guidance update clarified that stablecoin issuers can be assessed as VASPs.
• Some NFT marketplaces: Where fungible-like behavior exists or OTC trades are facilitated.
• Some DeFi protocol operators: When FATF's "control or sufficient influence" test is met — if there is an identifiable group or individual managing, developing, or extracting revenue from the protocol, that group can be assessed as a VASP.

Out of scope:

• Pure self-custody wallet software: MetaMask, Phantom, Exodus and similar wallets where the user holds their own private keys — the software provider is not itself a VASP.
• Blockchain network operators and miners: Bitcoin/Ethereum validators and miners are typically out of scope.
• Pure information providers: CoinMarketCap, Etherscan and similar blockchain explorers or price data services are not VASPs.

The boundary blurs — particularly in DeFi — and interpretations vary by jurisdiction. EU MiCA defines "decentralized" narrowly; UK FCA applies the "control" test more broadly; Turkey's emerging KVHS framework has not yet resolved the nuance.

VASP vs CASP — terminology by jurisdiction

The EU's MiCA (Markets in Crypto-Assets) regulation uses CASP (Crypto-Asset Service Provider) instead of VASP. The definitions largely overlap — all five FATF VASP activities are covered, with additional services like portfolio management and crypto-asset advice included. Our MiCA guide covers the full scope.

The UK's Money Laundering Regulations (MLR 2017) use cryptoasset business, with two sub-categories: cryptoasset exchange providers and custodian wallet providers. Substantively similar to VASP.

Turkey's equivalent under the emerging KVHS regulation is Kripto Varlık Hizmet Sağlayıcı — a direct rendering of "crypto-asset service provider."

Functionally these labels point to the same regulated population, but exact category boundaries differ at the edges (DeFi, NFTs, stablecoin issuers).

VASP obligations — Operational view

Once licensed as a VASP, the following obligations apply automatically:

1. AML/CFT program: KYC, risk scoring, sanctions screening, suspicious transaction reporting (STR). Our AML screening guide covers this core.
2. KYC and customer onboarding: Identity verification (eIDAS in the EU, e-ID and SCA in the UK, video KYC in Turkey under SPK), PEP/sanctions screening, beneficial owner identification.
3. Travel Rule: IVMS 101 data sharing on transfers above the local threshold ($1,000 FATF baseline, €0 in the EU, £1,000 in the UK). Our FATF Travel Rule guide covers the full picture.
4. Blockchain analytics: On-chain risk scoring of customer wallet addresses (mixer, darknet, sanctions labels). Our blockchain AML guide covers the control anatomy.
5. Reporting: Periodic regulator reporting (FCA in the UK, EBA-aligned national authorities in the EU, MASAK in Turkey).
6. Data retention: Customer records and transaction history retained for 5–10 years (varies by jurisdiction).

Two operationally underappreciated obligations: counterparty due diligence (verifying that the receiving VASP is licensed and not sanctioned) and incident reporting (notifying regulators of cybersecurity or operational incidents within prescribed timelines).

Frequently Asked Questions

I'm developing self-custody wallet software — am I a VASP?

No — if the user holds their own private keys and you never have access to customer funds, you are not a VASP under the FATF definition. But if your wallet software integrates swap, fiat onramp or custody functions, the obligation arises at that integration point. Features like MetaMask Swaps create interpretive grey zones around "do funds transit through a custodian momentarily" — jurisdictions are still working through these edges.

How does MiCA's CASP differ from a FATF VASP?

CASP is the EU's local terminology under MiCA. Substantively similar to VASP, but with several extensions: portfolio management, crypto-asset advice, and operating a trading platform are explicit CASP services. MiCA also adds prudential, market integrity and consumer protection rules on top of AML — it is broader than just the AML perimeter. A FATF VASP operating in the EU is almost certainly a CASP, but the converse may not hold (a portfolio manager that never custodies assets is CASP but might not meet FATF VASP).

Are stablecoin issuers VASPs?

FATF's 2021 updated guidance clarified yes — under appropriate circumstances. Stablecoin issuers facilitate transfers of virtual assets (activity 3) and may provide custody-adjacent services. MiCA explicitly regulates stablecoin issuers (as asset-referenced tokens or e-money tokens), and most jurisdictions are converging on requiring issuer-level AML controls. Treating "the issuer is just a token" is no longer a defensible position.

Is the Travel Rule the only major VASP obligation?

No. The Travel Rule is one slice of a broader AML/CFT program (sanctions screening, KYC, on-chain risk, reporting). Focusing only on Travel Rule produces incomplete compliance; in a regulatory examination, deficiencies in any of the other controls create equal sanction and license risk. Treat Travel Rule as necessary but not sufficient.

How Legichain helps

VASP obligations span multiple control domains, and managing each in a separate system creates operational fragmentation. Legichain consolidates KYC (digital KYC, video KYC), AML/sanctions screening (AML screening), on-chain risk scoring (blockchain AML) and Travel Rule (travel rule) modules under a single API. Data captured at customer onboarding flows automatically into Travel Rule messages at transfer time and into regulator-ready reports for EBA-aligned national authorities, FCA and MASAK. See solutions for crypto exchanges for technical architecture and module overview.

Next steps

• FATF Travel Rule guide — deep dive on the most consequential new VASP obligation.
• Travel Rule by jurisdiction — how EU, UK and Turkey differ in implementing VASP obligations.
• What is MiCA — the EU's broader CASP framework.