What is a virtual asset service provider (VASP)?

A virtual asset service provider (VASP) is any natural person or legal entity that conducts one or more of the following activities as a business on behalf of another: exchanging virtual assets for fiat currencies or other virtual assets; transferring virtual assets; safekeeping or administering virtual assets or instruments enabling control over virtual assets; or participating in and providing financial services related to the issuance or sale of a virtual asset. The Financial Action Task Force (FATF) introduced the VASP definition in its 2019 update to Recommendation 15, extending AML/CFT obligations to this category of business for the first time.

Because VASPs handle the exchange, transfer, and custody of digital assets on behalf of customers, they sit at the intersection of the traditional anti-money laundering framework and the crypto ecosystem. VASPs are required to implement KYC, transaction monitoring, sanctions screening, and Travel Rule compliance programs equivalent to those of regulated financial institutions. Over 100 jurisdictions have adopted or are implementing FATF’s VASP framework, making VASP compliance one of the most significant regulatory developments in the digital asset industry.

What does VASP stand for and why does the definition matter?

VASP stands for Virtual Asset Service Provider. The term was introduced by FATF in its 2019 update to Recommendation 15, which extended the international AML/CFT framework—previously applicable only to traditional financial institutions—to businesses operating in the digital asset space. The precision of the FATF definition matters operationally: it determines which businesses are legally required to register, implement compliance programs, and report suspicious activity to financial intelligence units.

A business that falls within the VASP definition faces the same AML obligations as a bank or money services business; one that falls outside it does not—which is why regulators, legal advisors, and compliance teams scrutinize the definition carefully.

FATF defines five VASP activities:

  1. Exchange between virtual assets and fiat currencies
  2. Exchange between one or more forms of virtual assets
  3. Transfer of virtual assets
  4. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
  5. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset

Any business conducting one or more of these activities on behalf of another person qualifies as a VASP under the FATF framework.

What are examples of virtual asset service providers?

Cryptocurrency Exchanges

Centralized exchanges—platforms that allow users to buy, sell, and trade cryptocurrencies in exchange for fiat currency or other digital assets—are the most straightforward VASP category. They exchange virtual assets for fiat (Activity 1) and between virtual assets (Activity 2). Regulated exchanges in the United States, EU, and UK are required to register as VASPs or equivalent money services businesses and maintain full AML/KYC programs.

Crypto Wallet Providers (Custodial)

Custodial wallet providers—services that hold private keys on behalf of users, giving the service provider control over users’ digital assets—qualify as VASPs under the safekeeping and administration activity (Activity 4). Non-custodial wallets, where the user holds their own private keys, do not typically qualify as VASPs because no third party is providing a service on behalf of another. This custodial vs. non-custodial distinction is critical for FATF compliance analysis.

Crypto OTC Desks and Brokers

Over-the-counter trading desks and crypto brokers facilitate large-volume trades between buyers and sellers, typically in exchange for fiat or other virtual assets, qualifying under Activities 1 and 2. OTC desks serving institutional counterparties are subject to the same KYC and AML obligations as retail exchanges.

Crypto Payment Processors

Payment processors that facilitate the transfer of virtual assets between parties—including merchant payment rails and remittance services denominated in cryptocurrency—qualify as VASPs under the transfer activity (Activity 3) and are subject to Travel Rule obligations on qualifying transactions.

Token Issuers and ICO Platforms

Entities that participate in and provide financial services related to the issuance or sale of virtual assets (Activity 5) may qualify as VASPs, depending on the nature of the asset and the services provided.

The Edge Cases: NFTs, Stablecoins, and DeFi

NFT platforms may qualify as VASPs where they facilitate exchanges that are not clearly non-fungible—i.e., where NFTs are used as investment or payment instruments rather than purely as collectibles. FATF guidance examines the functional use of the token, not just its label.

Stablecoin issuers are considered VASPs by FATF where they exchange stablecoins for fiat or other virtual assets and where the stablecoin functions as a means of payment or value transfer.

DeFi protocols present the most contested classification question. FATF’s position is that DeFi protocols may have “owners or operators” who qualify as VASPs even if the protocol itself is decentralized—an unresolved regulatory question in most jurisdictions.

VASP regulatory requirements: what does AML/CFT compliance require?

Customer Due Diligence (CDD) and KYC

VASPs are required to verify the identity of their customers before establishing a business relationship—know your customer (KYC)—and to maintain records of that verification. FATF Recommendation 10 defines the CDD standard: identifying and verifying the customer’s identity, identifying beneficial ownership, and understanding the nature and purpose of the business relationship.

Enhanced Due Diligence (EDD) for High-Risk Customers

Where customer due diligence identifies elevated risk—politically exposed persons (PEPs), customers in high-risk jurisdictions, high-value accounts, or business relationships with unusual complexity—VASPs are required to apply enhanced due diligence: collecting additional identifying information, understanding the source of funds, and applying more intensive ongoing monitoring.

Transaction Monitoring and Suspicious Activity Reporting

VASPs must monitor customer transactions on an ongoing basis for patterns indicative of money laundering, terrorist financing, or other financial crimes. Where monitoring identifies suspicious activity, the VASP must file a Suspicious Activity Report (SAR or STR) with the relevant financial intelligence unit. Effective transaction monitoring for VASPs requires blockchain analytics to identify on-chain risk indicators including darknet market exposure, sanctioned address interactions, and mixer usage.

Sanctions Screening

VASPs must screen customers and transactions against applicable sanctions lists—including OFAC’s SDN List, UN sanctions designations, and EU and UK sanctions lists. For crypto VASPs, sanctions screening extends beyond name matching to wallet address screening: OFAC and other authorities have designated specific cryptocurrency addresses and smart contract addresses, creating screening obligations that require blockchain analytics.

The Travel Rule — VASP-to-VASP Information Sharing

FATF Recommendation 16—the Travel Rule—requires VASPs to obtain, hold, and transmit originator and beneficiary information on virtual asset transfers above a defined threshold (USD/EUR 1,000 in most jurisdictions). When a customer initiates a transfer from one VASP to another, the originating VASP must transmit the customer’s name, account number or wallet address, and physical address to the receiving VASP.

The Travel Rule represents the most operationally complex VASP compliance obligation because it requires VASPs to identify their counterparty VASP, establish a secure data-sharing channel, and transmit customer data in real time—across jurisdictions with inconsistent implementation timelines and different threshold requirements.

Record Keeping

VASPs must maintain records of customer identification, transaction histories, and CDD/EDD documentation for a minimum of five years (the FATF standard). For blockchain-based businesses, record keeping requirements extend to on-chain transaction data—wallet addresses, transaction hashes, and associated customer mapping—in addition to traditional financial records.

VASP licensing and registration: Who needs a VASP license?

Registration vs. Licensing

VASP registration is a lighter-touch notification requirement: the VASP informs its regulator of its intention to operate. VASP licensing is a more rigorous authorization process involving regulatory review of AML programs, governance, financial resources, and technical capabilities. Many jurisdictions have moved from registration to licensing regimes as their crypto regulatory frameworks have matured.

Jurisdiction-by-Jurisdiction Overview

| Jurisdiction | Regulatory Authority | Framework | Key Requirement |
|---|---|---|---|
| United States | FinCEN | Bank Secrecy Act / MSB registration | MSB registration; state-level money transmitter licenses |
| European Union | National authorities (post-MiCA: EBA) | MiCA (Markets in Crypto-Assets Regulation) | CASP authorization required; passporting across EU |
| United Kingdom | FCA | UK Money Laundering Regulations | FCA VASP registration required |
| Singapore | MAS | Payment Services Act | Major Payment Institution license |
| UAE (ADGM/DIFC) | FSRA / DFSA | Virtual Asset Framework | Dedicated VASP authorization |
| Hong Kong | SFC | VASP licensing regime (effective 2023) | Mandatory licensing; strict governance standards |

MiCA note: The EU’s MiCA regulation replaces the term “VASP” with “CASP” (Crypto-Asset Service Provider) in EU regulatory context. Compliance teams operating in the EU should use “CASP” in regulatory filings, while “VASP” remains the FATF and global standard.

VASP due diligence: How financial institutions and VASPs evaluate counterparties

Why VASP Due Diligence Matters

Financial institutions—banks, correspondent banks, payment processors—that provide services to VASPs as clients must conduct due diligence on those VASPs equivalent to what they would conduct on any other financial institution customer. FATF guidance requires that financial institutions assess the AML/CFT program quality, regulatory status, and risk profile of VASP counterparties before establishing business relationships.

What a VASP Due Diligence Assessment Covers

Regulatory status verification: Is the VASP registered or licensed in its operating jurisdictions? With which authorities?

AML program assessment: Does the VASP maintain a documented AML program? Who is the compliance officer?

Blockchain analytics capability: Does the VASP use transaction monitoring and screening tools capable of detecting sanctioned address exposure?

Transaction monitoring coverage: Does the VASP’s monitoring cover all blockchain networks it operates on?

Travel Rule compliance: Is the VASP Travel Rule-capable? Can it receive and transmit counterparty information?

Risk profile assessment: What is the VASP’s inherent risk profile based on customer base, geographic footprint, and transaction volumes?

VASP Inherent Risk Assessment

FATF’s risk-based approach requires VASPs and their counterparties to assess inherent risk—the risk present before controls are applied—as the foundation of an AML program. For VASPs, inherent risk drivers include: customer risk (retail vs. institutional, geographic concentration, PEP exposure), product risk (custody vs. exchange vs. DeFi access), geographic risk (operating in high-risk jurisdictions), and transaction risk (anonymity-enhanced cryptocurrency usage, high-value transaction volumes). Blockchain analytics platforms provide the on-chain data layer that makes inherent risk assessment evidence-based.

How law enforcement interacts with VASPs

Law enforcement agencies regularly serve subpoenas, court orders, and warrants on VASPs seeking customer identity records, transaction histories, and account data. Regulated VASPs are legally required to respond to valid legal process; unregulated or offshore VASPs are the primary enforcement friction point.

Real-Time Investigation Collaboration

In high-priority investigations—ransomware payments, darknet market proceeds, sanctions evasion—law enforcement may engage VASPs in real time to freeze funds before they can be withdrawn. VASPs with real-time transaction monitoring and alert workflows are the ones capable of responding at the speed law enforcement requires.

SAR Filing as Law Enforcement Intelligence

Suspicious Activity Reports filed by VASPs feed directly into law enforcement intelligence systems. High-quality SARs that include blockchain analytics data—wallet addresses, transaction hashes, entity attribution—are significantly more actionable than SARs containing only fiat account information. VASPs that use blockchain analytics to enrich their SAR filings contribute more useful intelligence and demonstrate a more robust compliance program.

Key compliance challenges for VASPs

Cross-border regulatory fragmentation. VASPs operating across multiple jurisdictions face inconsistent VASP definitions, licensing requirements, Travel Rule implementation thresholds, and AML program standards. Building a compliance program that satisfies the most demanding jurisdiction while remaining commercially viable globally is the central operational challenge.

Blockchain coverage gaps. Many VASP compliance programs were built when Bitcoin and Ethereum dominated transaction volumes. As activity has expanded across dozens of blockchain networks, compliance programs built on limited-chain monitoring have structural blind spots that illicit actors exploit deliberately.

DeFi and unhosted wallet risk. VASPs receive deposits from unhosted wallets and from DeFi protocols that impose no KYC or AML requirements. Assessing the risk of funds from these sources requires blockchain analytics capable of tracing unhosted wallet transaction history and evaluating indirect exposure to illicit activity.

Travel Rule counterparty identification. Travel Rule compliance requires VASPs to identify their counterparty VASP on outgoing transfers—but the global VASP population is large, fragmented, and inconsistently registered. VASPs receiving transfers from unknown counterparties face a compliance gap.

How Chainalysis helps VASPs meet their compliance obligations

Chainalysis KYT (Know Your Transaction) provides real-time transaction monitoring that screens VASP customer deposits and withdrawals against sanctions lists, darknet market attribution databases, and behavioral risk indicators across 1,000+ blockchain networks. KYT provides the blockchain-native transaction monitoring layer that satisfies FATF operational monitoring requirements and generates the alert workflow supporting SAR filing.

Chainalysis Address Screening enables pre-transaction screening of unhosted wallet addresses and counterparty VASPs before onboarding or transaction processing. Address Screening provides the inherent risk assessment capability that VASP due diligence frameworks require.

Chainalysis Reactor is the investigation platform for VASP compliance teams and law enforcement responding to suspicious activity alerts. Reactor traces fund flows through the transaction graph—across chains, through DeFi protocols, through mixing services—to build the evidence record supporting SAR filings and law enforcement cooperation. Reactor’s methodology has been accepted under the Daubert standard in U.S. federal proceedings.

Chainalysis Data Solutions (DS) provides the attribution database and threat intelligence feeds powering KYT risk scoring, wallet screening, and Reactor investigations. The data is continuously updated with new sanctions designations, darknet market wallet clusters, and emerging typologies.

Frequently asked questions about VASPs

Q: What is a virtual asset service provider (VASP)?

A: A VASP is any business that exchanges, transfers, or safekeeps virtual assets on behalf of customers. The FATF defines five qualifying activities: exchanging virtual assets for fiat or other virtual assets, transferring virtual assets, safekeeping virtual assets, and providing financial services related to virtual asset issuance. VASPs are required to implement AML/KYC programs equivalent to those of traditional financial institutions.

Q: What are examples of VASPs?

A: Examples include cryptocurrency exchanges (Coinbase, Kraken, Binance), custodial wallet providers, crypto OTC desks and brokers, crypto payment processors, and token issuance platforms. Any business conducting FATF-defined VASP activities on behalf of customers qualifies.

Q: Who needs a VASP license?

A: Any business conducting VASP activities in a regulated jurisdiction must register or obtain a license from the relevant authority—FinCEN in the U.S. (MSB registration), the FCA in the UK, national authorities under MiCA in the EU (CASP authorization), MAS in Singapore, or equivalent bodies in other jurisdictions.

Q: What is the difference between a VASP and a traditional financial institution?

A: VASPs and traditional financial institutions face equivalent AML/CFT obligations under the FATF framework. The key differences are operational: VASPs handle blockchain-based assets requiring blockchain analytics for transaction monitoring and sanctions screening, while traditional institutions handle fiat-based transactions through established banking infrastructure.

Q: What is the Travel Rule and how does it apply to VASPs?

A: The FATF Travel Rule (Recommendation 16) requires VASPs to obtain, hold, and transmit originator and beneficiary information on virtual asset transfers above jurisdiction-specific thresholds (typically USD/EUR 1,000). The originating VASP must share customer identification data with the receiving VASP.

Q: Is a DeFi protocol a VASP?

A: FATF’s position is that DeFi protocols may have “owners or operators” who qualify as VASPs even if the protocol itself is decentralized. Where identifiable persons exercise governance or administrative control, those persons may face VASP obligations. This remains an unresolved regulatory question in most jurisdictions.

Q: What happens if a VASP doesn’t comply with AML requirements?

A: Non-compliant VASPs face regulatory enforcement including fines, license revocation, and criminal prosecution of responsible officers. Binance’s $4.3 billion settlement (2023) and BitMEX’s $100 million settlement (2021) demonstrate the scale of penalties for VASP AML failures. 

VASPs face the most complex AML compliance environment in financial services. Chainalysis gives VASPs the compliance infrastructure to meet every obligation—and demonstrate it to regulators. Request a demo to see how Chainalysis KYT, Wallet Scan, and Reactor can power your VASP compliance program.
