Virtual Asset Service Provider (VASP): Definition and Use in Compliance
A Virtual Asset Service Provider (VASP) is a business that conducts virtual asset activities, including exchange between crypto and fiat, transfer, custody, or administration of virtual assets, on behalf of customers, and falls under AML/CFT regulation.
What is a Virtual Asset Service Provider (VASP)?
A Virtual Asset Service Provider (VASP) is a business that performs virtual asset activities for customers and, because of that, falls under anti-money laundering rules. The Financial Action Task Force defined the term in June 2019 and built it around five activities: exchanging virtual assets for fiat, exchanging one virtual asset for another, transferring virtual assets, safekeeping or administering them, and providing financial services tied to a token issuance.
The definition is activity-based, not technology-based. That choice was deliberate. FATF wanted a label that would still apply when the products changed, so it focused on what a firm does rather than what software it runs.
Concretely, the VASP bucket includes centralized crypto exchanges, custodial wallet providers, crypto-to-crypto trading venues, and certain brokers and issuers. A firm that only writes open-source code, never holds customer assets, and never executes transfers usually sits outside the definition. Regulators read that exception narrowly, and a platform that touches custody or controls transfers will likely be pulled in.
Take a mid-size exchange offering fiat on-ramps and a hosted wallet. It exchanges fiat for crypto and holds customer balances, so it is squarely a VASP and owes the full Anti-Money Laundering (AML) program: licensing, Know Your Customer (KYC) checks, monitoring, and reporting. The classification is the trigger. Once a business meets it, the obligations follow automatically, and "we're just a tech company" is not a defense that regulators accept.
How is the Virtual Asset Service Provider (VASP) classification used in practice?
Compliance teams treat "is this a VASP?" as a decision point, not a definition to memorize. The answer changes onboarding depth, counterparty risk ratings, and whether a transaction can clear at all.
During customer onboarding, an analyst at a bank or payments firm screens whether a corporate applicant performs VASP activities. If yes, the file moves to Enhanced Due Diligence (EDD): confirm the license, review the AML program, check ownership through to the Ultimate Beneficial Owner (UBO), and assess sanctions exposure. An unregistered crypto operator often gets declined outright under a De-Risking policy.
Inside a VASP, the work is operational. Onboarding runs KYC and identity checks. Ongoing Transaction Monitoring combines traditional rules with blockchain analytics that trace wallet flows and flag exposure to mixers, darknet markets, or sanctioned addresses. When something looks illicit, the team files a Suspicious Activity Report (SAR) with the local financial intelligence unit.
A common scenario: a customer deposits funds that on-chain analytics link back to a ransomware payment address. The VASP freezes the account, documents the trail, and files a report. Counterparty VASP relationships add another layer. Before releasing a large transfer to another exchange, the sending VASP exchanges originator and beneficiary data under the Travel Rule. If the receiving firm cannot accept that data securely, the transfer stalls. These checks are daily reality, not edge cases.
Virtual Asset Service Provider (VASP) in regulatory context
VASP obligations sit inside the broader AML/CFT framework, and the rules differ by jurisdiction even though they share a FATF root.
In the United States, FinCEN treats most VASPs as money services businesses. They must register, maintain an AML program, file SARs and Currency Transaction Reports, and comply with the Travel Rule. The US Travel Rule threshold is currently $3,000. Sanctions obligations run through the Office of Foreign Assets Control, and VASPs must screen wallet addresses and customers against the SDN list. FinCEN's published guidance on convertible virtual currencies, available at fincen.gov, spells out these expectations in detail.
In the European Union, the Markets in Crypto-Assets Regulation (MiCA) introduced authorization for crypto-asset service providers, the EU's close equivalent of the VASP, with transitional provisions running through 2026. The EU Transfer of Funds Regulation applies the Travel Rule with no de minimis threshold for crypto.
FATF tracks how well countries implement these standards. Its 2024 targeted update on virtual assets reported that many jurisdictions still lag on enforcement, which creates uneven coverage VASPs must navigate. The current FATF guidance is published at fatf-gafi.org.
The practical effect: a VASP operating across borders faces overlapping registration regimes, different thresholds, and varying Travel Rule data formats. A firm licensed in the EU still needs separate FinCEN registration to serve US customers. Regulatory arbitrage, setting up where rules are weakest, draws scrutiny and increasingly triggers enforcement.
Common challenges and how to address them
The hardest VASP problem is the Travel Rule. Banks have used standardized messaging for decades; crypto had nothing equivalent until recently. VASPs must identify whether a counterparty is itself a VASP, then exchange originator and beneficiary data securely before settling. The fix is adopting an interoperable Travel Rule protocol and maintaining a verified counterparty directory, so your team is not manually vetting each transfer.
Counterparty identification is its own headache. A transfer might go to another VASP, an Unhosted Wallet, or an unregistered operator. Each carries different obligations and risk. Address-attribution tooling and clear internal policy on unhosted-wallet transfers reduce the guesswork, though no tool resolves every address.
False positives drain teams too. Blockchain analytics flag huge volumes of activity, and analysts burn hours clearing alerts that go nowhere. Better risk scoring and tuned thresholds cut the noise. For background on the scale of this, see how teams approach reducing false positives in transaction monitoring.
Then there is jurisdictional patchwork. A VASP serving global customers faces conflicting registration rules and data-residency requirements. The workable answer is a single high baseline program that meets the strictest applicable standard, plus jurisdiction-specific overlays, rather than a separate program per country.
One concrete example: an exchange expanded into three new markets and tried to run three independent compliance stacks. Alerts fell through gaps between them. Consolidating onto one monitoring platform with regional rule sets closed the gaps and cut duplicate review work. Strong Case Management and a clean Audit Trail make examiner reviews far less painful.
Related terms and concepts
VASP connects to most of the AML vocabulary, because once a firm is classified as one, the entire compliance toolkit applies.
The Travel Rule is the obligation most specific to VASPs. It requires originator and beneficiary information to travel with virtual asset transfers above a threshold, mirroring the wire-transfer rule banks have followed for years.
Customer-side terms matter daily. Customer Due Diligence (CDD) sets the baseline checks at onboarding, while Know Your Business (KYB) applies when the customer is a company. Checking customers for Politically Exposed Person (PEP) status and running Sanctions Screening against the applicable lists are mandatory before and during a relationship.
On the analytics side, VASPs lean heavily on Blockchain Analytics and On-Chain Analytics to trace fund flows, and on Network Analysis to surface mule networks and layering patterns.
Several wallet and infrastructure terms define the boundaries of the category: Custodial Wallet providers are usually VASPs, while pure software around an Unhosted Wallet often is not. The standard-setters worth knowing are the Financial Action Task Force (FATF), which coined the term, and FinCEN, which enforces it in the US. Reporting flows ultimately reach a Financial Intelligence Unit (FIU). Together these terms form the working language a VASP compliance officer uses every day.
Where does the term come from?
The term comes directly from the Financial Action Task Force. In June 2019, FATF updated its Recommendations and issued interpretive guidance that created the "virtual asset" and "virtual asset service provider" definitions, extending global AML/CFT standards to the crypto sector for the first time. Before this, jurisdictions used inconsistent labels like "money services business" or "exchange," which left gaps.
FATF chose deliberately broad, activity-based language so the definition would survive changing technology. The 2019 guidance was revised in October 2021 to clarify treatment of stablecoins, DeFi, NFTs, and peer-to-peer transactions. National regulators then mapped VASP into local law, such as the EU's Markets in Crypto-Assets Regulation and FinCEN's money transmitter framework.
How FluxForce handles Virtual Asset Service Providers (VASPs)
FluxForce AI agents monitor VASP-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.