Legal services:

Comprehensive legal solutions for contracts, disputes, and compliance. Our expert team ensures legal protection and strategic guidance for your business.

AML consulting:

Specialised AML consulting to develop and maintain robust anti-money laundering policies. We assess risks, offer ongoing support and provide tailored AML services.

Obtaining a crypto license:

We offer licensing and ongoing support for your crypto-business. We also offer licences in the most popular jurisdictions.

Registration of legal entities:

Efficient legal entity registration support. We manage documentation and interaction with the authorities, ensuring a seamless process for establishing your business.

Opening bank accounts:

We facilitate the opening of bank accounts through our extensive network of partners (European banks). Hassle-free process, tailored to your business needs.

COREDO TEAM

Nikita Veremeev
CEO
Pavel Kos
Head of the legal department
Grigorii Lutcenko
Head of AML department
Annet Abdurzakova
Senior Customer Success Manager
Basang Ungunov
Lawyer at Legal Department
Egor Pykalev
AML consultant
Yulia Zhidikhanova
Customer Success Associate
Diana Alchaeva
Customer Success Associate
Johann Schneider
Lawyer
Daniil Saprykin
Head of Customer Success Department

Our clients

COREDO’s clients are manufacturers, traders and financial companies, as well as wealthy clients from European and CIS countries.

Effective communication and fast project realisation guarantee satisfaction of our customers.

Exactly
Unitpay
Grispay
Newreality
Chicrypto
Xchanger
CONVERTIQ
Crypto Engine
Pion

I have been leading COREDO since 2016, and from the early years I saw how international business in fintech faces not “barriers” but labyrinths. Company registration, obtaining financial licenses, AML/sanctions compliance, building processes across different jurisdictions — these are not a set of disparate tasks but a single architecture of risk management. The COREDO team builds this architecture in the EU, the United Kingdom, Singapore and Dubai, truly integrating legal, financial and technological solutions. Below I share how to think about MiCA, DeFi and compliance today so as not to “keep up with” regulation, but to get ahead of it and monetize predictability.

MiCA: regulation of crypto-assets in the EU

The MiCA regulation ends the phase of “ruleless experiments” in Europe. Crypto-asset service providers (CASP) have received clear licensing requirements, passporting across the entire EU and obligations on disclosure, risk management and operational resilience. National regulators issue authorisations, while ESMA and EBA set supranational standards and coordinate supervision, including through MiCA technical reporting standards. In practice this means uniform approaches to capital, internal controls, outsourcing and incident reporting.
The token classification under MiCA distinguishes, in particular, e‑money tokens (EMT) and asset‑referenced tokens (ART), including significant asset‑referenced tokens (significant ART). For issuers, there are separate prudential requirements, capitalization and reserve funds for stablecoins, requirements on reserves, liquidity management and MiCA whitepaper obligations. Issuer liability under MiCA increases responsibility for the accuracy of the whitepaper, marketing messages and continuous disclosure of risks, which directly affects the cost of capital and listing conditions.
MiCA has created a new transparency standard: disclosure and whitepaper requirements, proof‑of‑reserves and independent attestation methodologies, passporting requirements for access to the EU market, as well as oversight by ESMA/EBA on top of national control. COREDO’s practice confirms: competent early preparation for licensing of CASP halves time‑to‑market thanks to the right group structure, proactive IT audit and readiness for regulatory questions.

Who is responsible in DeFi under MiCA?

A pressing question is the application of MiCA to DeFi and the regulation of decentralized finance in Europe. Regulators look at actual control and “points of contact” with the user: the front‑end, hosting, search aggregators and gateway sites; key contributors; DAO decisions that affect protocol parameters; oracle operators and administered treasury multisigs. If there is a centralized provider that operates the interface, routes traffic, manages upgrades or receives fees, it may be qualified as a CASP with licensing requirements.
The legal status of DAOs in Europe remains fragmented, but predictability is emerging: a legal wrapper mechanism for DAOs (foundation model vs corporate wrapper) is used to fix liability, enter into contracts and implement AML/KYC for on‑ramps and off‑ramps. The COREDO team has implemented structures with foundations and operator companies that allocate responsibility between on‑chain governance and off‑chain governance through clear corporate documents, upgrade and delegation policies. This reduces front‑end liability risks and simplifies engagement with regulators and exchanges.
Extraterritorial application of rules and enforcement is a reality: if a service is available to EU clients, it may be required to be brought into compliance with MiCA and AMLD5/AMLD6. Inter-regulatory cooperation (ESMA, EBA, and central banks) strengthens data and practice sharing, and this raises the stakes: it is better to build compliance‑by‑design in advance than to respond to external requests.

Requirements for stablecoin issuers

Stablecoins under MiCA are divided into e‑money tokens (EMT) and asset‑referenced tokens (ART). For EMT, rules similar to electronic money apply: capital requirements, issuance and redemption at par, segregation of funds and liquidity. For ART — obligations on reserves and their management, including high‑quality liquid assets, regular reports, stress tests and, for significant ART, higher buffers and EBA supervision. Disclosure via the whitepaper and ongoing disclosures supports investor and partner confidence.
Proof‑of‑reserves: a working tool, but not a silver bullet. It needs methodologies covering not only assets but liabilities, related parties, as well as exception procedures and incident reporting. COREDO experts introduce combined procedures: independent attestations, on‑chain evidence, SLAs with custodians and auditors, and mechanisms to suspend operations when reserve covenant breaches occur. The result is liquidity resilience and a reduction in the risk premium on listing and partner integrations.

AML/KYC in DeFi – compliance with FATF/MiCA

Compliance with AML requirements and conformity with FATF and MiCA are the basis for access to banking services and partner ecosystems. FATF guidelines (VASP and FATF guidance for DeFi) and the European AMLD5/AMLD6 framework enshrine CDD (Customer Due Diligence), beneficial ownership, sanctions lists, the travel rule and SAR (suspicious activity reporting). For DeFi teams the key is to separate the on‑ramp/off‑ramp and protocol parts, implementing a risk‑based approach (RBA) for critical points: fiat on‑ramps, token bridges, centralized infrastructure components.
Sanctions compliance and monitoring of on‑chain transactions require integrating blockchain analytics providers, counterparty risk assessment scenarios, sanctions lists and on‑chain blocking when prohibited addresses are detected. At COREDO we build escalation and SAR playbooks, automate flags and reporting, and establish compliance KPIs so the board of directors can see the dynamics: share of automated decisions, time to escalation, number of cases involving law enforcement.
The travel rule is not only a legal but also a technical challenge. For CASP and VASP we design routing of identifiers, exchange of payer/recipient attributes, storage of minimally sufficient data and rejections when a counterparty is absent. In decentralized applications we address this via on‑ramp/off‑ramp, gateway services and partner VASPs, which allows preserving the permissionless core of the protocol while meeting requirements.

How to implement KYC in a DEX without compromising UX

Choosing a “strict KYC for everyone” approach is simple but costly in terms of liquidity outflow. A more resilient option is flow segmentation: KYC for functionality that triggers legal requirements (for example, fiat on‑ramp; elevated limits; professional accounts), and risk scoring for the rest of the traffic. zk‑KYC and privacy‑preserving KYC based on zero‑knowledge proofs help verify attributes without revealing personal data to the protocol. This enables a balance between privacy and transparency without compromising AML.
Integrating KYC providers with on‑chain UX requires an architecture: where to store proofs, how to synchronize statuses on the front end, how to handle appeals. The solution developed at COREDO includes a modular API layer, an event log, sanctions monitoring logic and re‑verification mechanisms. For the travel rule we apply messaging protocols between VASPs and configure failure modes at the smart contract/front end level when attributes are absent.

Smart contract risks and compliance

Smart contract audits and compliance requirements are not a formality. We build a secure development lifecycle with threat modeling, static/dynamic analysis, bug bounty programs and formal verification of smart contracts when justified by risk. Smart contract upgradeability and fork risks are addressed by upgrade policies, timelocks, on-chain governance and audit logs. Fork governance and allocation of responsibilities are recorded in documentation to avoid ‘surprises’ during contentious upgrades and emergency patches.
Oracles are a critical component. We translate oracle risks and their legal regulation into practical oracle SLAs: update frequency, sources, failure procedures, deviation limits, as well as oracle decentralization across multiple providers and a fallback mechanism. Methods to mitigate oracle risk include TWAP, cross-checking sources, quorum confirmations and a trading halt mechanism for extreme deviations. This is an important part of operational resilience and the SLA requirements regulators ask about.
MEV, frontrunning and regulatory risks are no longer exclusively a technical topic. We set up MEV-bot monitoring, implement anti-frontrunning mechanisms (private mempool, commit-reveal, batching) and document a risk disclosure policy for users. For AMMs and DEXs legal requirements differ from CEXs: centralized exchanges carry full responsibility for custody and execution, while DEXs focus on front-end liability, analytics data and points of centralized control. Liquidity pools and pool mechanics require disclosure of impermanent loss as a business risk and description of effects for LPs in the whitepaper and the interface.
Flash-loan attacks and legal response mechanisms include incident reporting, interaction with law enforcement and regulators, freezing funds at partners’ custody nodes and a documented response playbook. Custody vs non-custodial: legal consequences differ; for custodial models custodian requirements apply, including multisignature wallets (multisig), threshold signature schemes (TSS) and multi-party computation (MPC) for custody, controlled through internal policies and external audits.
Finally, third-party and supply chain software risk, cloud-hosting risks and provider dependencies require a registry of critical dependencies, supplier due diligence, resilience tests and contractual SLAs. Operational resilience is a separate MiCA module: continuity plans, stress scenarios, backup channels, availability KPIs and reporting on security incidents and breaches.

Consequences of MiCA for blockchain startups

Our experience at COREDO has shown: MiCA is not only a “cost of compliance”, but also a reduction in the cost of capital and barriers to market entry. Passporting of services under MiCA opens up scaling in the EU without re‑licensing in each country, provided CASP capital requirements are met and risk policies are configured. For cross‑chain compliance and bridges it is important to address cross‑border enforcement and jurisdictional risks: record the place of service provision, KYC/sanctions policies at transitions, and locking mechanisms.
Risk management of composability risk requires a registry of dependencies: oracles, lending markets, insurance, bridges. TVL (total value locked) as a risk metric is not an end in itself: liquidity resilience, creditor concentration and correlations with external shocks are more important. Emission policy and token regulation must take into account the legal status of tokens and tokenomics: for governance tokens, legal liability arises when holders or a council of delegates exercise de facto control. The separation of on‑chain governance vs off‑chain governance through corporate documents and regulations helps here.
Regulatory sandboxes for DeFi are an effective tool for testing KYC models, the travel rule and oracle solutions. In a COREDO project with a startup in the EU, a sandbox allowed agreeing on a zk‑KYC mechanism and tuning SAR automation before production launch. For due diligence when launching a DeFi project we perform legal and technical audits, assess smart‑contract insurance and market solutions, and also plan protocol migration under MiCA: action plan, timelines, KPIs and budget.
Assessment of compliance costs and ROI for DeFi projects includes a cost‑benefit analysis of AML implementation, compliance efficiency metrics and KPIs, as well as an evaluation of the effect of listings, partnerships and banking access. Compliance‑as‑a‑service reduces fixed costs through outsourcing reporting, monitoring, the travel rule, sanctions screening and incident management. When the board of directors sees transparent metrics, the decision to invest in compliance ceases to be a “necessary evil” and becomes a growth driver.

COREDO launch plan under MiCA

  • Jurisdictional strategy. Define the entry point into the EU considering the type of services (CASP), capital requirements and operational base. Take into account access to talent, regulatory practice and authorization timelines with the national regulator.
  • Licensing and passporting. We assemble the licensing package, describe controls, and plan passporting to the second wave of EU countries. We embed MiCA technical reporting standards and procedures for interaction with ESMA/EBA.
  • AML/sanctions and the travel rule. We design RBA, CDD, beneficial ownership, SAR and sanctions processes. We set up KYC for on‑ramp and off‑ramp; travel rule: technical and legal implementation, rejection policies.
  • Technology and security. SDLC, audits and formal verification, upgrade policy, oracle SLA, MEV controls, custody architecture (multisig/TSS/MPC). We set up incident reporting and a response playbook.
  • Transparency and disclosure. Whitepaper obligations under MiCA, best practices for risk disclosure (impermanent loss, oracle/MEV, liquidity), proof-of-reserves and methodology limitations.
  • Governance and DAO. Legal wrapper for the DAO (foundation or corporate), allocation of responsibilities, on‑chain/off‑chain governance rules, front‑end liability and agreements with providers.
  • Operational resilience. SLA, continuity plan, redundancy, third‑party and cloud risks, stress-scenario testing, incident reporting and interaction with law enforcement.
  • Listing and scaling. Preparation for listings/integrations, compliance KPIs, passporting, inter-regulatory communications and a migration plan for MiCA updates.

Case studies: practice becomes the standard

First case — a DEX with Asian roots that requested access to EU clients. The COREDO team implemented a hybrid model: a permissionless core of the protocol, KYC/AML and the travel rule on on‑ramp/off‑ramp and professional accounts, zk‑KYC to preserve UX and integration with blockchain analytics providers. As a result, the project obtained CASP licensing for part of the services, a whitepaper on MiCA and a passporting route. The user funnel and TVL grew thanks to institutional partners for whom compliance predictability is critical.
Second case: an issuer of a stablecoin of the asset‑referenced token (ART) type with the ambition to reach significant ART status. We built a reserve policy, developed a proof‑of‑reserves with independent attestations and on‑chain publication, as well as liquidity stress tests and risk disclosures. The regulator accepted the whitepaper and the continuity plan, and custodian partners confirmed SLAs for the reserve assets. This is a typical example where regulatory requirements became the foundation for listing and integrations into payment rails.
Third case: a DAO launching a lending protocol with oracle dependencies. At COREDO we proposed a legal wrapper via a foundation and an operating company with a clear allocation of responsibilities, implemented oracle decentralization and a fallback mechanism, an upgrade policy and a timelock. Additionally, we set up MEV monitoring and SAR procedures, and recorded front‑end liability in contracts with hosting and gateway sites. The project passed due diligence with institutions and obtained smart contract insurance with a premium discount thanks to a mature SDLC.

Compliance: tools and automation

Automation of compliance and compliance-as-a-service comprise KPI dashboards, AML scenarios, control points for the travel rule and sanctions, and dependency registers for composability risks. We implement on-chain analytics and blockchain forensics, build SAR and reporting channels, and configure performance metrics: share of alerts closed automatically, average TTR/TTI, flag accuracy, conversion to listings/partnerships after compliance improvements. This approach makes it possible to relate compliance CAPEX/OPEX to revenue and ROI metrics.
For proof-of-reserve we apply combined methodologies: cryptographic proofs, confirmations from custodians, independent attestations of liabilities, and reports for users and regulators. We are candid about PoR’s limitations and propose countermeasures: reporting frequency, coverage completeness, and ‘red button’ mechanisms. Transparency is not a one-time publication; it is a process.

Frequently asked questions and answers

  • CEX vs DEX: regulatory distinction. Centralized exchanges have the full range of CASP obligations, including custody. For DEXs, attention is on the interface, centralized components, AML on on-/off-ramps and the responsibility of DAOs/developers when there is de facto control.
  • Who bears responsibility in permissionless protocols? Where there is control or influence (front-end, admin keys, oracles, treasury), the regulator sees those responsible. A legal wrapper for the DAO and distribution of functions reduce risks and improve manageability.
  • How to apply the travel rule in decentralized applications? Through partner VASPs for fiat and centralized bridges, attribute exchange, refusing transfers when data is absent, and logic on the front-end/contracts.
  • Proof‑of‑reserves: limitations. Without accounting for liabilities and affiliated risks, PoR is misleading. A combined methodology and regular independent audits are needed.
  • MEV and frontrunning: how to reduce regulatory risk? Implement anti-frontrunning mechanisms, disclose risks, monitor abuses, document response policies and incident reporting.

Compliance as a scaling strategy

MiCA raised the bar, but at the same time made the market predictable. When a founder has a clear roadmap, CASP licensing, AML/KYC and the travel rule, operational resilience, proof‑of‑reserves, a whitepaper and passporting – access to capital and partnerships expands. At COREDO this is not theory: the practice of projects in the EU, the UK, Singapore and Dubai has shown that mature compliance reduces the cost of risk and accelerates sales.
I am convinced: DeFi and decentralized protocols will grow where the architecture of legal and technological solutions is designed in advance. The COREDO team helps embed compliance‑by‑design into the product: from a legal wrapper for DAOs and governance models to oracle SLAs, SDLC and automated AML. If you are facing the decision to register a structure in the EU, come under MiCA, obtain licenses for crypto services and build AML frameworks, there should be no guesswork — only data, methodologies and a partner you can trust for the long term. This is exactly how we build projects that withstand scrutiny by the market and time.

I founded COREDO in 2016, and since then I have seen every day how entrepreneurs lose momentum because of regulatory uncertainty. This is especially noticeable in projects with virtual assets: licensing, AML, bank accounts, infrastructure — too many things are moving at once. In this article I have compiled the practices our team has tested in the EU, the UK, Estonia, the Czech Republic, Cyprus, Singapore and Dubai, and I also examined in detail the topic “Crypto licensing in Bulgaria” with a focus on VASP registration in Bulgaria, AML requirements and the impact of MiCA. This is not a forward-looking overview, but practical steps, metrics and solutions that help teams launch on time, keep compliance risks under control and achieve a predictable ROI.

Bulgaria: an entry point for VASP

Bulgaria attracts with the simplicity of company incorporation, a modest corporate tax and flexible approaches to registering virtual asset service providers. Crypto company registration in Bulgaria proceeds without excessive barriers: the corporate structure is set up quickly, and VASP registration relies on the EU anti‑money‑laundering requirements (AMLD5/AMLD6) and national rules. For a startup this means a shorter regulatory lead time and a manageable time‑to‑market.

On the plus side — clear access to the EU, proximity to key payment rails and the assurance that the national framework is compatible with future MiCA authorization. On the downside: increased scrutiny from banks toward crypto business and the need to demonstrate mature AML/KYC and operational security from day one. COREDO’s practice confirms: a sound AML architecture and a demonstrable risk management model remove most objections from banks and payment partners.

AMLD5/AMLD6 and MiCA: the role of registers

Today Bulgaria applies a VASP registration model (exchange services and custodial wallets) in state registers and under AML supervision. The FIU (Financial Intelligence Unit) functions are performed by the Directorate of Financial Intelligence, and VASP accounting is conducted in accordance with national norms and the requirements of AMLD5/AMLD6. Licensing of virtual assets in Bulgaria is often used as a market term, but legally it is a registration regime with compliance, reporting and inspection obligations.

MiCA and Bulgaria

MiCA introduces a pan-European authorization for CASP (Crypto‑Asset Service Providers) and uniform standards: capital, governance, client protection, as well as passporting. The impact of MiCA on VASP licensing in Bulgaria is twofold: on one hand, the existing VASP registration serves as a “temporary berth” for launching; on the other, it creates a basis for future CASP authorization with minimal process refactoring. Our experience at COREDO has shown that the “migration” from a registration regime to MiCA authorization proceeds smoothly if you account in advance for the minimum capital requirements, governance and information security (IS).

EU passporting for VASP

MiCA opens full EU passporting for CASP: having obtained permission in one EU country, you can offer services across the Union. Before MiCA, companies have to rely on equivalence, local registrations or “mutual recognition” frameworks, which complicates cross‑border compliance. The solution developed at COREDO envisions choosing Bulgaria as the “base” state with a subsequent expansion plan via MiCA passporting once the rules are fully in force.

EU anti-money laundering legislation and the FIU

VASPs in Bulgaria are obliged entities. They perform KYC/KYB, CDD and EDD, implement transaction monitoring and submit SARs (suspicious activity reports) to the FIU. Regulations for crypto exchangers in Bulgaria require an internal AML policy, risk assessment procedures, appointment of an MLRO (Money Laundering Reporting Officer) and staff training. The regulatory landscape also includes FATF requirements, including the Travel Rule for VASP‑to‑VASP and transactions to non-custodial wallets (VASP‑to‑OB) through additional checks.

VASP business models — compliance with regulations

Each model — exchange, brokerage, custodial service, OTC, payment gateways — carries its own risks and a set of prudential measures. I often ask founders to start with a risk appetite statement and a process map: without this it is difficult to align the AML framework, technical architecture and capital requirements.

Prudential capital requirements

Capital requirements for VASPs in Bulgaria are currently modest at the registration stage, but MiCA introduces threshold capital requirements and minimum reserves by type of service. Minimum registration capital requirements for VASPs in Bulgaria depend on the corporate form, while the future MiCA authorization foresees fixed levels (benchmarks of 50–150 thousand EUR by service type). I recommend building in a buffer: regulators value a conservative approach to capital and liquidity.

Corporate structure and governance

The legal structure (holding, subsidiaries, branches) determines the tax burden and the manageability of risks. Corporate governance and directors’ responsibilities require real control: regular meetings, a risk committee, minutes, independent audits. The COREDO team has implemented corporate frameworks where the duties of the MLRO, CTO and the risk director do not critically overlap, and backup authorities ensure business continuity (BCP/DR).

Tax optimization and transfer pricing

Taxation of crypto companies in Bulgaria is based on the general corporate tax (10%) and local VAT rules. Crypto–fiat exchange operations in the EU are often exempt from VAT, but the details depend on the specific service and the contract with the client. In transfer pricing, transparency and documentation are mandatory, especially for cross-border services within a group.

Company registration prior to VASP

The COREDO team regularly runs “end‑to‑end” projects where we take on the full cycle: from company formation to the “go‑live” launch of operations, including bank accounts, AML policy and technology implementation.

Company registration in Bulgaria

Opening a company in Bulgaria for a crypto project typically takes 5–10 business days after the package is prepared. Beneficial owners and directors are entered into the register, the UBO (ultimate beneficial owner) is disclosed, and compliance officers are appointed. Requirements for beneficiaries and the ownership structure for VASP in Bulgaria include transparent source of funds and clear control.

VASP in Bulgaria: documents and AML

What documents are required for an application for a crypto license in Bulgaria? In practice, these are:

  • incorporation documents, ownership structure and UBO confirmations;
  • business plan describing services and a risk map;
  • KYC policy/KYB and client verification, including passport verification for VASP in Bulgaria;
  • CDD/EDD procedures for crypto companies and sanctions screening scenarios (OFAC/UN);
  • AML policy tailored to local law;
  • appointment of an MLRO with verified qualifications;
  • InfoSec package: access control, logging, incident response plan, BCP/DR.

How to prepare an AML policy for VASP in Bulgaria? I recommend building it around a risk assessment by products and client segments, Travel Rule implementation, EDD triggers, and SAR procedures with clear SLAs for escalations.

Realistic timelines and cost

License processing times for VASP in Bulgaria (registration) depend on the completeness of the package and the readiness of the AML architecture. In our practice: 4–8 weeks for VASP registration after incorporation and agreement on the AML package. The cost of VASP licensing in Bulgaria consists of legal services, AML/IB consulting, notary and state fees, and the technology stack; TCO for the first year varies depending on the model (exchange vs custody) and the level of automation.

How to reduce the risk of rejection

The risks of license refusal for VASP in Bulgaria are most often associated with:

  • a weak MLRO track record and lack of relevant cases;
  • incomplete disclosure of UBO and source of funds;
  • formal AML procedures without real control points;
  • inadequate IT security.

The solution developed by COREDO: preliminary diagnostics, MLRO verification, a Travel Rule stress‑test and piloting of monitoring before submission.

Compliance architecture AML/KYC

Compliance procedures for small VASP require balance: excess control harms the customer experience, lack of it increases SARs and regulatory inquiries. I build a “layered” architecture: from risk policy to technology and KPIs.

Reporting to the FIU and AML requirements

AML requirements for VASP in Bulgaria include:

  • Risk Assessment and Risk Appetite with annual updates;
  • CDD/EDD scenarios and periodic KYC refresh;
  • transaction monitoring in real time and rule engines;
  • SARs, procedures for filing suspicious reports to the FIU;
  • Reporting requirements for VASP in Bulgaria on training, incidents and internal audits.

Adapting AML processes when entering the European market from Bulgaria affects reporting formats and the depth of sanctions screening.

KYC/KYB: sanctions and GDPR

KYC for crypto companies in Bulgaria is built on multi-level verification: document, biometrics, liveness, geo-risks. Best KYC practices for Bulgarian VASP include PEP screening and sanctions lists (OFAC/UN, EU), plus additional rules for legal entities (KYB). GDPR and personal data protection for VASP are a separate priority: data residency and storage of KYC data, data subject rights, DPIA for high-risk processes.

Blockchain transaction analytics

How to provide AML transaction monitoring for small VASP? We combine behavioral rules, chain analysis and transaction monitoring tools, as well as heuristics for addresses. False positive rate is a key metric: I aim for a controlled range with MTTR for incidents and SLAs for escalations, so that compliance does not paralyze the business.

MLRO: independent review and audit

Requirements for the MLRO (qualifications, independence, access to the board of directors) set the tone for the entire function. Requirements for internal audit and independent review of compliance – an annual cycle, coverage of key processes, sample testing and a report to the board of directors. AML training and staff upskilling form the overall culture and reduce operational mistakes.

Compliance team KPIs

Compliance team KPIs: SAR conversion rate, MTTR for incidents, SLA for KYC, share of EDD cases, false positives rate, results of independent reviews. COREDO’s practice confirms: transparent metrics improve dialogue with banks and regulators.

Custody, keys, access

The technology stack affects risks as much as the legal form. I rely on the principles of “security by design” and certification.

Custody key management

Custody models: custodial vs non-custodial define different depths of control. Requirements for cold and hot wallet management under Bulgarian regulations are described at a high level, so we cover them with best practices: HSM, MPC, threshold signatures and multi‑sig. Key management (custody) procedures for VASP Bulgaria include role separation, on-call shifts, segmentation and change control.

Information security and continuity

ISO 27001, SOC 2 and cybersecurity standards create a foundation of trust. Access control, IAM and least privilege principles reduce insider risks; audit trail and logging requirements help incident response and audits. Operational resilience and business continuity (BCP/DR) are a mandatory part of risk passports.

Integrations and liquidity

Integration with exchanges and liquidity pools requires API integration and security standards, as well as counterparty assessment. Technology stacks for VASP – from KYC/AML to Wallet and Custody – we select taking into account the target revenue model and TCO so as not to “overheat” CAPEX at launch.

Bank accounts and payment partners

Bank account for a crypto company in Bulgaria: a common question among founders. I always say: accounts are opened not by presentations, but by your compliance and case study.

Agreements with banks and EMIs

Agreements with banks and payment providers in the EU require clear limits, described VASP‑to‑OB scenarios, completion of Due Diligence and demonstration of a control environment. Interaction with banks and payment partners for VASPs in Bulgaria is built on a transparent risk assessment and clear SLAs for monitoring. When a bank is conservative, we add EMI solutions with SEPA and fast onboarding.

Data management

We design data residency and KYC data storage with GDPR, liability insurance and retention requirements in mind. This simplifies checks and reduces friction with banks.

Entering EU markets

How to scale a VASP after obtaining a license in Bulgaria? I recommend a two‑track strategy: compliance maturity and commercial expansion.

How to bring the product to market

Market‑entry and go‑to‑market procedures for VASPs depend on the segment: retail, B2B, institutional. Revenue models (fee‑for‑service, spread, custody fees) dictate UX, SLAs and even compliance metrics. The COREDO solution: launching pilot segments with a controlled budget and measurable LTV/CAC to avoid “burning” capital at an early stage.

Cross-border license compatibility

Cross‑border compliance and a multi‑jurisdictional strategy involve matching local rules with the future MiCA passporting. Compatibility of a Bulgarian license with licenses of other EU countries becomes linear after MiCA: passporting replaces the cascade of local registrations. Until then we choose “core” markets and providers to avoid duplicating costs.

What regulatory sandboxes are

Regulatory sandboxes and pilot regimes in the EU can give an edge on time‑to‑market. In Bulgaria the focus is on careful pilots with banks and EMIs, where the compliance architecture is already in place and easily auditable.

TCO, unit economics and project ROI

The decision to obtain a license is about economics. I ask teams to record TCO and unit economics from day one.

TCO and compliance costs

Compliance costs and the TCO (Total Cost of Ownership) assessment include: legal support for the VASP in Bulgaria, AML and information security platforms, audits, training, independent checks, policy updates and insurance. Add overhead for regulatory lead time and capital reserves.

Unit economics: CAC/LTV and revenue models

Unit economics of the license: CAC and LTV for the VASP show the model’s resilience. For a spread model liquidity and turnover are important; for custody, AUC (assets under custody) and fees. Real-time transaction monitoring and rule engines are not only about risk but also about conversion: a low false-positive rate strengthens the UX.

ROI, NPV and payback

How to assess the ROI from licensing a VASP in Bulgaria? Compare NPV taking into account TCO, expected customer base growth and the timing for MiCA passporting. ROI metrics — payback period and NPV — become more predictable with a stable regulatory lead time and clear agreements with banks.

COREDO Case Studies: What Worked

I believe in the power of case studies: they are better than any declarations.

Small EU VASP: launch and risk control

A European startup chose Bulgaria as its base. The COREDO team implemented the incorporation, prepared the AML package, established the Travel Rule and deployed blockchain analytics. Result: VASP registration in six weeks, banking infrastructure via an EMI, FPR below 8% at launch and MTTR of incidents under 24 hours.

Lesson: a well‑designed compliance architecture speeds up both client onboarding and the dialogue with banks.

Asian fintechs entering the EU via Bulgaria

A client with a strong product and mature AML from Asia requested compatibility with the EU. We adapted KYC/KYB, conducted a compliance audit for a VASP in Bulgaria, built cross‑border compliance and prepared a MiCA roadmap.

Result: launch of a B2B channel in the EU, controlled expansion and agreements with payment partners.

Custodial platform: technical security

The custodial provider arrived without a clear key management policy. We implemented HSM/MPC, separated cold/hot processes and prepared an ISO roadmap.

After an independent review, compliance and SOC 2 preparations, the project received approval from the banking partner.

Founders’ Frequently Asked Questions

I’ve collected the questions I hear most often and the answers that work for us.

What documents are needed at the start?

What documents are required to apply for a crypto license in Bulgaria: charter documents, evidence of UBO, business plan, AML/KYC policies, appointment of an MLRO, infosec package, evidence of source of funds. For certain models we add descriptions of custody processes, stress scenarios and BCP/DR.

Beneficiaries, personnel and partners

Requirements for beneficiaries and ownership structure for a VASP in Bulgaria include transparency of sources, absence of sanction-related risks and a clear chain of control. Conditions for employed staff and resellers in a Bulgarian VASP entail AML training, third-party oversight and outsourcing compliance only while the licensed entity retains responsibility. PEP checks are mandatory, sanctions screening is continuous.

How to choose a legal partner

How to choose a law firm to support a VASP license in Bulgaria? Look for a combination: EU case experience, AML audit experience, technological expertise (Travel Rule, custody, ISO), and the ability to build a dialogue with banks.

Professionals speak the language of business: unit economics, TCO and time-to-market are not empty words but parameters of the roadmap.

Relationship with banks and reputation

Reputational risks and crisis management are part of strategy, not an “after-the-fact” response. Include the crisis‑plan in the BCP, prepare communications, logging and an audit trail for the quick reconstruction of events. Agreements with banks and payment providers in the EU benefit from such maturity.

VASP registration in the EU via Bulgaria

If your clients are in the EU, Bulgaria provides a quick start, straightforward VASP registration and preparation for MiCA. The compatibility of Bulgaria’s license with the licenses of other EU countries will strengthen as MiCA and passporting are fully implemented. This reduces fragmentation and the costs of duplicating compliance.

VASP business model for Bulgaria

How to structure a VASP business model to comply with Bulgarian regulations? Highlight services (exchange, custody, brokerage), describe customer segments, risks, sources of liquidity and EDD procedures. Add prudential measures, compliance KPIs and a roadmap to MiCA with target capital thresholds.

COREDO’s Position and Conclusions

I lead projects where speed is as important as reliability. Bulgaria gives entrepreneurs the chance to open a company quickly, complete VASP registration and simultaneously prepare for MiCA realities: EU passporting, common standards and predictable requirements. The COREDO team has implemented dozens of such routes, and I see consistent patterns: a strong MLRO, a mature AML architecture, technological discipline (HSM/MPC, IAM, ISO 27001/SOC 2), a transparent economic model (TCO, CAC/LTV, NPV) and a calibrated plan “registration – launch – scale: MiCA”.

Legal support for VASP in Bulgaria is not about paperwork; it’s about a strategy where compliance becomes a competitive advantage. If you are evaluating a crypto license in Bulgaria or a VASP license in Bulgaria as a route into the EU, lay the right foundations: uncompromising AML/KYC, managed operational security and a clear revenue logic. Then the “regulatory wind” will fill your sails, not blow in your face.

I founded COREDO in 2016, and since then our team has supported dozens of international projects: from company incorporations in the EU and Asia to obtaining crypto, payment and forex licenses. Over the years one topic consistently returns to the agenda of executives and CFOs: whether it is possible to work with clients from the EU without a license if the contacts originate from the clients themselves. This is MiCA reverse solicitation — a narrow corridor of lawful cross-border servicing where the time to market, compliance risks and profitability are at stake.

MiCA: what falls within the scope

MiCA forms an EU-wide perimeter for CASPs (crypto-asset service providers) and for the assets themselves. Within the perimeter are asset-referenced tokens (ART), e-money tokens (EMT) and most other tokens that are not financial instruments under MiFID II; some utility tokens may fall outside MiCA if they are not traded on trading platforms and only provide access to an existing product.

MiCA rules for CASPs cover custody and administration of crypto-assets for clients, trading platform operations, exchange of crypto-assets for fiat or other assets, order execution, crypto-asset placements, receipt and transmission of orders, and crypto-asset advisory. If you perform these functions for EU clients from the territory of a third country, you must understand the boundaries of MiCA reverse solicitation and the supplementary national rules in individual member states.

The European Securities and Markets Authority coordinates practice together with national competent authorities (NCAs), but enforcement details are often shaped at the country level. Our experience at COREDO has shown: ignoring local guidelines is a short route to enforcement and regulatory inquiries, even if formally you rely on pan-EU rules.

What is reverse solicitation

I use a working definition: MiCA reverse solicitation is a situation where an EU client on their own initiative (client-initiated contact) approaches a provider in a third country, and that provider provides a service without prior individual or mass solicitation of demand in the EU. This is the passive reception doctrine: you accept a passive inbound, rather than creating an economic nexus by active measures in the Union.

The logic of “without prior solicitation” means no cold outreach, targeted advertising, roadshows, partner referrals tied to EU territories, or bypass communications before the moment of request. Pre-contractual communication under MiCA is allowed only as a response to a client-initiated contact, without expansion into marketing and without converting the dialogue into a mass campaign.

Requirements for websites and public information are critical here. If a site has an explicit call-to-action for EU residents, is localized in the domain zone of a specific EU country, uses EU-IP targeting, or offers promotions for the EU, NCAs may treat this as providing crypto services without an EU license, rather than as reverse solicitation. At COREDO we often begin an audit with an inventory of the digital footprint: banners, landing pages, cookie policy, geotargeting, testimonials, coverage maps.

MiCA licensing logic and exceptions

Exceptions to MiCA’s licensing obligation essentially boil down to the correct application of reverse solicitation, but national regulators calibrate the threshold of permissible actions differently. In one COREDO project for a client from Dubai we agreed with local lawyers in two EU jurisdictions on the boundaries of permissible web communication: neutral content, no personalized offers, a strict ban on EU-ID retargeting.

MiCA transitional provisions are important for providers already operating under local regimes before full implementation. At the same time transitional provisions do not make reverse solicitation limitless: NCAs continue to apply their own economic presence tests, and ESMA publishes enforcement guidance that influences interpretations.

Servicing EU clients from a third country (onshore vs offshore servicing) is permissible in the absence of presence and substance in the EU, by forming a contractual structure outside the EU and building processes around passive reception. But as the share of EU clients grows and onshore teams, representative offices or agents appear in the Union, the risk of forced jurisdiction and enforcement arises.

Legally offering crypto-asset services

The key question is how to document inbound client requests. The solution developed at COREDO includes multi-level recording of client-initiated contacts in the CRM and web platform logs: recording the original click source, storing the voluntarily submitted contact form, timestamp, IP and geodata, as well as screenshots of user journeys.

Best practices for crypto service providers include an opt-in onboarding process where the client confirms they initiated the contact independently, understands the absence of an EU license and acknowledges that servicing is provided from a specific third country. Consent documentation and record-keeping requirements under MiCA require retaining these confirmations for periods at least equal to the document retention policy adopted in your jurisdiction and aligned with EU expectations.

The evidentiary basis in a dispute with a regulator relies on audit trails and IT logging. At COREDO we add to the legal memorandum an evidence preservation layer: captured versions of the site at the time of contact (web archives), cold campaign logs (showing zero EU targeting), internal instructions to managers prohibiting proactive contacts. Such COREDO practice demonstrates that even in the event of a regulatory request you can present a structured defense line.

KYC and EDD under reverse solicitation

AML principles under reverse solicitation are not weakened: a risk-based approach is mandatory just as it is for licensed activity. I recommend building KYC/CDD processes for non-residents from the outset, including PEP screening and EU sanctions lists, confirmation of beneficial ownership (UBO), and source-of-funds and wealth checks when internal thresholds are exceeded.

Transaction monitoring for client-initiated activity cannot be simplified. We implemented behavioral monitoring algorithms for several CASPs, configured thresholds for alerts and SARs, documented escalation procedures in case of suspicions and assigned MLRO duties and responsibilities at the board level. The Travel Rule’s application to crypto transactions is a separate control point, especially when interacting with European VASPs.

Enhanced Due Diligence for clients from the EU is necessary in cases of heightened risk related to jurisdiction, transaction typology or product category (for example, highly volatile tokens, participation in off-chain transactions, working with mixers). In some projects the COREDO team implemented a hybrid model: basic KYC in-house, while EDD and screening are carried out by a certified provider, with transparent outsourcing of compliance to a third party.

Marketing: pre-contractual communication

Restrictions on advertising and cold outreach are the basic rule of reverse solicitation under MiCA. Any contact activity directed at EU residents, including partner programs with EU bloggers, referral payments and localized landing pages “for EU clients”, is a red flag for NCAs. Legal opinion drafting for reverse solicitation at our firm always includes a legal assessment of advertising campaigns and oversight of marketing materials.

Pre-contractual communication rules of MiCA allow responses to specific inquiries, but prohibit expanding the dialogue into mass mailings.

Requirements for websites and public information include neutral presentation, absence of promises of service availability in the EU, a clear disclaimer about the provider’s non-resident status and the contract’s jurisdiction. In one case COREDO’s transfer of a site from an EU domain to an international one with geotargeting disabled eliminated the provider’s risk of a formal “EU public offer”.

The test for client passivity must be clear to the sales team. We prepare “do/don’t” cheat-sheets for managers: what can be said, how to answer questions about availability for EU residents, what information is relevant and how to avoid the fine line between advising and solicitation. This reduces the likelihood of unintentionally breaching the “without prior solicitation” logic.

Structuring relationships with an EU client

Contract structuring for reverse solicitation is built around transparency and choice of law. Contract models with a client from the EU include clear terms of service and dispute jurisdiction outside the EU, disclosures about the provider’s status, the absence of an EU license and the legal position of the third country. Protective clauses in the contract should cover risks of compelled jurisdiction, product limitations and service termination in the event of regulatory requirements.

Transparency and disclosure in reverse solicitation are an ally, not an obstacle. Proper product governance, client segmentation and territorial risk assessments, as well as a documented evaluation of the applicability of the MiCA scope to specific assets (for example, ART or EMT), will help demonstrate the model’s good faith to NCAs. At COREDO we formalize governance and board-level oversight in the form of a report to the board on the share of EU clients and triggers for migration to licensing.

Data protection and GDPR implications are also critical. Even if you are outside the EU, processing personal data of EU residents requires GDPR compliance: appointing a DPO where necessary, legal bases for processing, cross-border data transfers and contracts with processors. Confidentiality and information exchange with counterparties must take into account banking secrecy, local AML rules and NCAs’ requirements.

Risks: compliance, reputation, taxes

Compliance risks in reverse solicitation include the risk of reclassification as crypto-asset service providers without a license if the regulator deems your communications to be solicitation. Regulatory fines and enforcement actions are often accompanied by a requirement to close access to EU clients and block local payment channels. COREDO works through pre-emptive remediation steps: freezing marketing, reviewing contracts, additional staff training.

Limiting reputation risks requires a conservative information policy and readiness for regulatory inquiry. Evidence preservation and a document retention policy are not formalities: the absence of log records and screenshots often undermines the provider’s legal position. Our clients who had an established audit trail went through checks with minimal losses.

Tax consequences of cross-border services depend on economic presence. The economic nexus test and the risk of a permanent establishment (PE) in the EU depend on where key managerial decisions are made, where employees are located and where marketing is conducted from. We recommend assessing cross-border tax reporting implications together with tax advisors and taking into account CRS/FATCA when structuring.

Checklist for responding to a request from an EU client

  • Confirm client-initiated contact: record the channel, time, IP, consent.
  • Check geotargeting: exclude retargeting and personalized offers for the EU.
  • Perform KYC/CDD, conduct PEP/sanctions screening, determine the risk profile.
  • Assess tokens: MiCA scope and classification (ART/EMT/utility), product limitations.
  • Provide disclosures: non-resident provider status, lack of an EU license, contract jurisdiction.
  • Appoint the MLRO responsible for monitoring and the travel rule, record thresholds and alerts.
  • Preserve all evidence: website screenshots, CRM logs and marketing platform logs.
  • Assess the share of EU clients and thresholds for migration to EU licensing.
  • Prepare a legal opinion on MiCA reverse solicitation and internal instructions for the team.

Licensing or reverse solicitation

Licensing vs servicing via reverse solicitation is a matter of cost-benefit analysis. The economic feasibility of operating without a license is high at early stages when you need to quickly test a product and reach initial transactions. But compliance cost modeling shows that as the share of EU revenue grows, the cost of marketing controls, legal opinions and enforcement risks begins to exceed the CAPEX for obtaining a license in the chosen EU jurisdiction.

The ROI assessment when foregoing licensing should take into account the probability of fines and restrictions, the cost of regulatory protection and the opportunity cost due to restrained marketing. Scaling the business through reverse solicitation is limited: the model is poorly compatible with active growth and product marketing. In one project COREDO prepared a roadmap: 6 months of a reverse scenario with a cap on the EU share and a parallel launch of licensing in Cyprus taking into account capital and guarantee requirements.

Exit strategies include migrating the business to the EU or servicing remotely while obtaining a license in a country oriented towards CASP. A regulator sandbox program option sometimes accelerates testing of innovative products. Registration formalities in the EU, interaction with a local lawyer, and preparation of governance documents and AML policies and procedures for CASP: this is an area where the COREDO team has implemented full cycles, including product governance and board supervision.

Practice and interaction with ESMA/NCAs

ESMA’s enforcement practice shows a high interest in pre-contractual communication and cross-border onboarding. NCAs (national competent authorities of the EU) send regulatory requests and expect transparent answers on website architecture, marketing campaigns, share of EU clients, AML control and escalation procedures. Legal support for reverse solicitation is useful not only in a dispute, but also in preparation for an inspection.

The COREDO team prepares legal opinions on MiCA reverse solicitation taking into account national nuances, including the legal position of third countries and MiCA, product mapping and assessment of the marketing footprint. We agree with the client in advance on a response playbook: who responds, what data is disclosed, how the internal compliance manual for CASP is demonstrated, and how evidence preservation is presented.

Practical tip: conduct a pre-emptive gap review of marketing, onboarding and IT logging before going live with EU traffic. It is faster and cheaper than urgently fixing traces after a regulatory letter.

Internal policies and controls

Drafting an internal control policy for CASP in the context of reverse solicitation is not a simplified version of the “full” license. Documents should cover the risk-based approach to AML/CFT, KYC/EDD, transaction monitoring algorithms, thresholds for SAR, travel rule, outsourcing governance and data quality controls. The internal compliance manual for CASP structures the roles of the MLRO, the second line of defense and escalations to the board.

Control over marketing materials is mandatory. We recommend a pre-clearance procedure for any communication that may reach EU residents: landing pages, mailings, social media posts, partner creatives. The document retention policy sets retention periods, and the IT landscape maintains an audit trail across key systems.

Governance and board-level oversight address strategic issues: limits on the share of EU revenue, triggers for moving to licensing, a compliance and legal risk reserve budgeting model. It is at this level that it is decided whether reverse solicitation will remain an experiment or become a bridge to a full EU presence.

COREDO practice examples that work

Case 1: a Singaporean provider serving EU holdings on a request basis. The COREDO team built opt-in onboarding, centralized KYC with EDD for high-risk profiles and a strict “no EU marketing” policy. We prepared a legal opinion on MiCA reverse solicitation with a risk map and a migration plan to a Cypriot license upon reaching a 25% EU-share threshold. A regulatory inquiry from one of the NCAs was closed with an evidentiary base: logs, screenshots, instructions.

Case 2: a Dubai VASP with active content marketing. COREDO’s audit revealed hidden geotargeting to several EU countries and a referral network with EU bloggers. We froze the campaigns, rewrote public disclosures, implemented pre-clearance, trained the sales team and put in place a document retention policy. At the same time we started the licensing process in Estonia; after 8 months the company moved to an onshore model.

Case 3: a British fintech platform with utility tokens. The legal assessment showed exceptions for some tokens, but ancillary services fell within the MiCA scope. COREDO’s practice confirmed: mixed models more often err in classification. We separated product flows, for some — reverse solicitation with neutral web architecture, for others — an application for a license in Slovakia.

Contract models and data protection

Contract models with an EU client should include: choice of law and dispute jurisdiction outside the EU, clear product restrictions, terms for termination of service on regulatory grounds and notifications, disclosure of economic and legal risks. Contracts should set out mechanisms for KYC/EDD, consents for processing and transfer of data, as well as the provider’s rights to transaction monitoring and freezing operations upon red flags.

Terms of service and dispute jurisdiction should work together with data protection policies. Deep integration of GDPR processes (legal bases, DSR procedures, DPIA where necessary) reduces the risk of secondary claims. In one project COREDO synchronized the ToS, privacy notice and AML policy to eliminate contradictions and demonstrate the integrity of governance.

When reverse solicitation is not advantageous

Business model alignment with MiCA requires an honest assessment. If your growth depends on marketing, partnerships and public promotion, reverse solicitation will limit scaling and increase the cost of compliance. If the business case envisages a significant flow of clients from the EU, it is advisable to plan for EU licensing in advance, choosing jurisdictions with a clear NCA practice and accessible infrastructure (for example, Cyprus, Estonia, some Central European countries).

Compliance cost modeling helps management see where the breaking point lies between the costs of legal protection for the reverse model and the CAPEX/OPEX of a licensed presence. The COREDO team often calculates scenarios: a basic reverse for 6–9 months, a hybrid model with limited marketing and a full transition to a license with an onshore team and presence and substance requirements.

What the regulator will ask during an inspection

Preparation for a regulator’s inspection on client-initiated contacts is not only about documents. Regulators check product governance, the continuity of the customer information trail, monitoring stability, response to alerts and the competence of the MLRO. We conduct simulated requests where the client team answers questions about site structure, onboarding logic, token classification and the use of EU sanctions lists.

The regulatory perimeter under MiCA changes as ESMA publications are released, and COREDO regularly updates templates of the internal compliance manual for CASP. This allows rapid implementation of changes: for example, strengthening requirements for pre-contractual disclosures or revising the passive client test procedure.

Nuances of ART, EMT and utility tokens

Asset-referenced tokens are regulated more strictly, especially regarding issuance, reserves and disclosures. E-money tokens under MiCA trend towards requirements similar to electronic money, including capital and safeguarding of funds. Utility tokens may be outside MiCA with a narrow functional purpose, but as soon as trading availability or an investment motive appears, we return to the MiCA scope.

COREDO helps clients with product mapping: a matrix of token functions, use scenarios, impact on AML/KYC and product restrictions in reverse solicitation. This reduces the risk of incorrect classification and NCA claims.

From hypothesis to a sustainable model

  • Carry out a MiCA scope and applicability assessment to the product, taking into account national transpositions.
  • Decide whether the model allows passive inbound without marketing in the EU.
  • Build web and CRM architecture with inbound logging, disable EU targeting.
  • Develop an internal compliance manual, AML policies, travel rule procedures and the MLRO role.
  • Set up KYC/CDD/EDD, sanctions and PEP checks, transaction monitoring.
  • Prepare a legal opinion on MiCA reverse solicitation and a response plan for inquiries.
  • Agree on ToS, agreements, disclosures, a privacy notice and GDPR processes.
  • Identify triggers for moving to licensing, calculate ROI and choose a jurisdiction.
  • Maintain record-keeping, evidence preservation and regular board oversight.

Conclusions

Reverse solicitation under MiCA is a tool, not a goal. It helps legally test a product, carefully work with inbound requests from the EU and gather market feedback. But this model requires discipline: no marketing in the EU, impeccable documentation, strong AML/KYC and transparent contractual relations.

The COREDO team has walked this path with clients many times: from the legal opinion and process setup to transitioning to a licensed model in the EU. I am convinced that resilience in the crypto-economy is built on two pillars – strategic clarity and operational excellence. Reverse solicitation can become your bridge to Europe if you define the boundaries in advance, stay within the regulatory perimeter and make a timely decision about licensing.
