21 Analytics logo
Request a Demo
A Clear and Concise Guide to Virtual Asset Service Providers inner
Back Button Icon
Back

A Clear and Concise Guide to Virtual Asset Service Providers

19 Jun, 2025

The term virtual asset service provider (VASP) stems from the Financial Action Task Force’s (FATF) recommendations, but not all jurisdictions use the same terminology. 

In the European Union, they are called CASPs (Crypto-Asset Service Providers); in the UK, the Financial Conduct Authority prefers Cryptoasset Businesses; and in Liechtenstein, the term TT Service Provider is used. Despite this variation, the underlying roles and responsibilities are often aligned.

For this guide, we will use the FATF’s term VASP to provide a consistent understanding of these critical entities, explore their role in the crypto ecosystem, explain their obligations under the Travel Rule, and examine how they are regulated globally. 

What Is a VASP?

A virtual asset service provider (VASP) as defined by the FATF is “any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

(i) exchange between virtual assets and fiat currencies;

(ii) exchange between one or more forms of virtual assets;

(iii) transfer of virtual assets, that is to say, conducting a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another;

(iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

(v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset”.

The key difference between the FATF’s definition of a VASP and the MiCA definition of a CASP is that the FATF does not include crypto advisory services. Moreover, the goal when the MiCA definition was created was to be as future-proof as possible due to the ecosystem’s rapid growth and technological changes. Therefore, this definition is more explicit in what it covers to avoid any loopholes.   

Source: FATF (2019), Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.

Why Do VASPs Matter in Crypto?

VASPs connect digital assets and the regulated financial world: 

  • VASPs onboard users into crypto via exchanges, wallet providers, brokers and custodians, whose services make buying, selling and storing digital assets accessible. 

  • They enable trust and security by enforcing AML/CFT safeguards, KYC checks, and the Travel Rule, which deters money laundering, terrorism financing, and fraud. 

  • They act as the primary regulatory touchpoint, filing reports, cooperating with authorities, and integrating crypto into the formal financial system. 

  • VASPs drive adoption through constant innovation, offering products such as staking, NFTs and DeFi access that lower barriers for mainstream users. 

  • Finally, they foster interoperability and standardisation, encouraging safer, more unified global infrastructure. 

How Do VASPs Relate to The Travel Rule?

VASPs are subject to the Travel Rule, a key component of global AML regulations. Initially designed for banks, the FATF extended the Travel Rule to cover VASPs under Recommendation 16

VASPs are at the centre of Travel Rule compliance in crypto. They are responsible for collecting, verifying, and securely exchanging originator and beneficiary information, helping bring crypto transfers in line with traditional financial system standards for AML and CFT. 

When facilitating digital asset transfers over a certain threshold (typically EUR 1000), VASPs must collect and transmit details such as the originator’s name, account number, address or national ID, and the beneficiary’s name and account number. This data must be securely and promptly shared with the counterparty VASP, using protocols that ensure privacy and data protection, such as the Travel Rule Protocol (TRP). 

By enforcing these requirements, VASPs support regulatory oversight by enabling authorities to trace suspicious transactions and detect illicit activity. Given the global nature of crypto, VASPs must also collaborate across borders, ensuring interoperability and conducting proper due diligence on counterparties in other jurisdictions.

How Are VASPs Regulated Globally?

VASPs are regulated under AML/CFT frameworks, based primarily on guidance from the FATF. However, the applicable authorities in each jurisdiction implement and enforce the frameworks, like FINMA in Switzerland and the FCA in the UK. 

AML/CFT Obligations

Under the FATF’s Recommendation 15, VASPs must comply with the same AML/CFT obligations as traditional financial institutions. 

This includes conducting customer due diligence such as KYC checks, maintaining transaction records for at least five years, or in some instances up to 8 years, like VARA’s prerequisite, reporting suspicious transactions to the relevant authorities, and continuously monitoring customer activity for potential red flags.

The Travel Rule 

With Recommendation 16, VASPs must adhere to the Travel Rule, which mandates them to collect and share information regarding the originator and beneficiary of digital asset transfers that exceed a specific threshold. This threshold varies depending on the jurisdiction’s implementation, as seen in the EU, which has set its threshold to zero. 

Licensing and Registration 

Countries are required to implement licensing or registration regimes for VASPs operating within their jurisdiction, ensuring that these entities are authorised by a competent authority rather than merely registered. 

Unlicensed or unregistered VASPs should be prohibited from conducting operations, and regulators must perform checks on the owners and senior management to assess their integrity and competence.

Supervision and Enforcement

Once licensed, VASPs are subject to ongoing supervision similar to traditional financial institutions, including regular audits and inspections to ensure compliance with regulatory requirements. 

Authorities must be able to impose sanctions for non-compliance, such as fines, licence revocation, or even criminal charges. Additionally, countries must have mechanisms in place to share information about VASPs with international counterparts to support cross-border oversight and enforcement.

Source: The FATF Recommendations

Source: FATF (2019), Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.

Parting Thoughts

By complying with robust AML/CFT obligations, the Travel Rule, and stringent licensing and supervisory regimes, reputable VASPs foster trust, protect users, and help crypto integrate seamlessly into global markets.

For industry participants, partnering with or becoming a well-regulated VASP is the surest path to sustainable growth and broader adoption. For policymakers and regulators, continued collaboration and harmonisation of standards will be key to closing loopholes and supporting innovation. 

Find out more about the Travel Rule and its expectations of VASP: reach out to us

Written by:
21Author (3)
21 Analytics
The Content Team

LinkedIn

Copy
Link Icon
Back Button Icon
Back
Copy
Link Icon

Related Posts

blog
27/09/2022

Is a VASP a CASP?

Read More
21 Analytics offers Software Solutions for Virtual Asset Service Providers.
Privacy Policy      Press
Poststrasse 22, Zug, Switzerland     |     info@21analytics.ch
Cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.
Accept