Legal services:

Comprehensive legal solutions for contracts, disputes, and compliance. Our expert team ensures legal protection and strategic guidance for your business.

AML consulting:

Specialised AML consulting to develop and maintain robust anti-money laundering policies. We assess risks, offer ongoing support and provide tailored AML services.

Obtaining a crypto license:

We offer licensing and ongoing support for your crypto-business. We also offer licences in the most popular jurisdictions.

Registration of legal entities:

Efficient legal entity registration support. We manage documentation and interaction with the authorities, ensuring a seamless process for establishing your business.

Opening bank accounts:

We facilitate the opening of bank accounts through our extensive network of partners (European banks). Hassle-free process, tailored to your business needs.

COREDO TEAM

Nikita Veremeev, CEO
Pavel Kos, Head of the legal department
Grigorii Lutcenko, Head of AML department
Annet Abdurzakova, Senior Customer Success Manager
Basang Ungunov, Lawyer at Legal Department
Egor Pykalev, AML consultant
Yulia Zhidikhanova, Customer Success Associate
Diana Alchaeva, Customer Success Associate
Johann Schneider, Lawyer
Daniil Saprykin, Head of Customer Success Department

Our clients

COREDO’s clients are manufacturers, traders and financial companies, as well as wealthy clients from European and CIS countries.

Effective communication and fast project realisation guarantee satisfaction of our customers.

Exactly
Unitpay
Grispay
Newreality
Chicrypto
Xchanger
CONVERTIQ
Crypto Engine
Pion

I founded COREDO in 2016, and since then our team has supported dozens of international projects: from company incorporations in the EU and Asia to obtaining crypto, payment and forex licenses. Over the years one topic consistently returns to the agenda of executives and CFOs: whether it is possible to work with clients from the EU without a license if the contacts originate from the clients themselves. This is MiCA reverse solicitation — a narrow corridor of lawful cross-border servicing where the time to market, compliance risks and profitability are at stake.

MiCA: what falls within the scope

MiCA forms an EU-wide perimeter for CASPs (crypto-asset service providers) and for the assets themselves. Within the perimeter are asset-referenced tokens (ART), e-money tokens (EMT) and most other tokens that are not financial instruments under MiFID II; some utility tokens may fall outside MiCA if they are not traded on trading platforms and only provide access to an existing product.

MiCA rules for CASPs cover custody and administration of crypto-assets for clients, trading platform operations, exchange of crypto-assets for fiat or other assets, order execution, crypto-asset placements, receipt and transmission of orders, and crypto-asset advisory. If you perform these functions for EU clients from the territory of a third country, you must understand the boundaries of MiCA reverse solicitation and the national rules that supplement it in individual member states.

The European Securities and Markets Authority coordinates practice together with national competent authorities (NCAs), but enforcement details are often shaped at the country level. Our experience at COREDO has shown: ignoring local guidelines is a short route to enforcement and regulatory inquiries, even if formally you rely on pan-EU rules.

What is reverse solicitation
I use a working definition: MiCA reverse solicitation is a situation where an EU client on their own initiative (client-initiated contact) approaches a provider in a third country, and that provider provides a service without prior individual or mass solicitation of demand in the EU. This is the passive reception doctrine: you accept a passive inbound, rather than creating an economic nexus by active measures in the Union.

The logic of “without prior solicitation” means no cold outreach, targeted advertising, roadshows, partner referrals tied to EU territories, or bypass communications before the moment of request. Pre-contractual communication under MiCA is allowed only as a response to a client-initiated contact, without expansion into marketing and without converting the dialogue into a mass campaign.
Requirements for websites and public information are critical here. If a site has an explicit call-to-action for EU residents, is localized in the domain zone of a specific EU country, uses EU-IP targeting, or offers promotions for the EU, NCAs may treat this as providing crypto services without an EU license, rather than as reverse solicitation. At COREDO we often begin an audit with an inventory of the digital footprint: banners, landing pages, cookie policy, geotargeting, testimonials, coverage maps.

MiCA licensing logic and exceptions
Exceptions to MiCA’s licensing obligation essentially boil down to the correct application of reverse solicitation, but national regulators calibrate the threshold of permissible actions differently. In one COREDO project for a client from Dubai we agreed with local lawyers in two EU jurisdictions the boundaries of permissible web communication: neutral content, no personalized offers, a strict ban on EU-ID retargeting.

MiCA transitional provisions are important for providers already operating under local regimes before full implementation. At the same time transitional provisions do not make reverse solicitation limitless: NCAs continue to apply their own economic presence tests, and ESMA publishes enforcement guidance that influences interpretations.

Servicing EU clients from a third country (onshore vs offshore servicing) is permissible in the absence of presence and substance in the EU, by forming a contractual structure outside the EU and building processes around passive reception. But as the share of EU clients grows and onshore teams, representative offices or agents appear in the Union, the risk of forced jurisdiction and enforcement arises.

Legally offering crypto-asset services
The key question is how to document inbound client requests. The solution developed at COREDO includes multi-level recording of client-initiated contacts in the CRM and web platform logs: recording the original click source, storing the voluntarily submitted contact form, timestamp, IP and geodata, as well as screenshots of user journeys.

Best practices for crypto service providers include an opt-in onboarding process where the client confirms they initiated the contact independently, understands the absence of an EU license and acknowledges that servicing is provided from a specific third country. Consent documentation and record-keeping requirements under MiCA require retaining these confirmations for periods at least equal to the document retention policy adopted in your jurisdiction and aligned with EU expectations.

The evidentiary basis in a dispute with a regulator relies on audit trails and IT logging. At COREDO we add to the legal memorandum an evidence preservation layer: captured versions of the site at the time of contact (web archives), cold campaign logs (showing zero EU targeting), internal instructions to managers prohibiting proactive contacts. Such COREDO practice demonstrates that even in the event of a regulatory request you can present a structured defense line.

KYC and EDD under reverse solicitation
AML principles under reverse solicitation are not weakened: a risk-based approach is mandatory just as it is for licensed activity. I recommend building KYC/CDD processes for non-residents from the outset, including PEP screening and EU sanctions lists, confirmation of beneficial ownership (UBO), and source-of-funds and wealth checks when internal thresholds are exceeded.

Transaction monitoring for client-initiated activity cannot be simplified. We implemented behavioral monitoring algorithms for several CASPs, configured thresholds for alerts and SARs, documented escalation procedures in case of suspicions and assigned MLRO duties and responsibilities at the board level. The Travel Rule’s application to crypto transactions is a separate control point, especially when interacting with European VASPs.

Enhanced Due Diligence for clients from the EU is necessary in cases of heightened risk related to jurisdiction, transaction typology or product category (for example, highly volatile tokens, participation in off-chain transactions, working with mixers). In some projects the COREDO team implemented a hybrid model: basic KYC in-house, while EDD and screening are carried out by a certified provider, with transparent outsourcing of compliance to a third party.

Marketing: pre-contractual communication
Restrictions on advertising and cold outreach are the basic rule of reverse solicitation under MiCA. Any contact activity directed at EU residents, including partner programs with EU bloggers, referral payments and localized landing pages “for EU clients”, is a red flag for NCAs. Legal opinion drafting for reverse solicitation at our firm always includes a legal assessment of advertising campaigns and oversight of marketing materials.

Pre-contractual communication rules of MiCA allow responses to specific inquiries, but prohibit expanding the dialogue into mass mailings.

Requirements for websites and public information include neutral presentation, absence of promises of service availability in the EU, a clear disclaimer about the provider’s non-resident status and the contract’s jurisdiction. In one case COREDO’s transfer of a site from an EU domain to an international one with geotargeting disabled eliminated the provider’s risk of a formal “EU public offer”.
The test for client passivity must be clear to the sales team. We prepare cheat-sheets for managers “do/don’t”: what can be said, how to answer questions about availability for EU residents, what information is relevant and how to avoid the fine line between advising and solicitation. This reduces the likelihood of unintentionally breaching the “without prior solicitation” logic.

Structuring relationships with an EU client

Contract structuring for reverse solicitation is built around transparency and choice of law. Contract models with a client from the EU include clear terms of service and dispute jurisdiction outside the EU, disclosures about the provider’s status, the absence of an EU license and the legal position of the third country. Protective clauses in the contract should cover risks of compelled jurisdiction, product limitations and service termination in the event of regulatory requirements.

Transparency and disclosure in reverse solicitation are an ally, not an obstacle. Proper product governance, client segmentation and territorial risk assessments, as well as a documented evaluation of the applicability of the MiCA scope to specific assets (for example, ART or EMT), will help demonstrate the model’s good faith to NCAs. At COREDO we formalize governance and board-level oversight in the form of a report to the board on the share of EU clients and triggers for migration to licensing.

Data protection and GDPR implications are also critical. Even if you are outside the EU, processing personal data of EU residents requires GDPR compliance: appointing a DPO where necessary, legal bases for processing, cross-border data transfers and contracts with processors. Confidentiality and information exchange with counterparties must take into account banking secrecy, local AML rules and NCAs’ requirements.

Risks: compliance, reputation, taxes

Compliance risks in reverse solicitation include the risk of reclassification as crypto-asset service providers without a license if the regulator deems your communications to be solicitation. Regulatory fines and enforcement actions are often accompanied by a requirement to close access to EU clients and block local payment channels. COREDO works through pre-emptive remediation steps: freezing marketing, reviewing contracts, additional staff training.

Limiting reputation risks requires a conservative information policy and readiness for regulatory inquiry. Evidence preservation and a document retention policy are not formalities: the absence of log records and screenshots often undermines the provider’s legal position. Our clients who had an established audit trail went through checks with minimal losses.

Tax consequences of cross-border services depend on economic presence. The economic nexus test and the risk of a permanent establishment (PE) in the EU depend on where key managerial decisions are made, where employees are located and where marketing is conducted from. We recommend assessing cross-border tax reporting implications together with tax advisors and taking into account CRS/FATCA when structuring.

Checklist for responding to a request from an EU client

  • Confirm client-initiated contact: record the channel, time, IP, consent.
  • Check geotargeting: exclude retargeting and personalized offers for the EU.
  • Perform KYC/CDD, conduct PEP/sanctions screening, determine the risk profile.
  • Assess tokens: MiCA scope and classification (ART/EMT/utility), product limitations.
  • Provide disclosures: non-resident provider status, lack of an EU license, contract jurisdiction.
  • Appoint the MLRO responsible for monitoring and the travel rule, record thresholds and alerts.
  • Preserve all evidence: website screenshots, CRM logs and marketing platform logs.
  • Assess the share of EU clients and thresholds for migration to EU licensing.
  • Prepare a legal opinion on MiCA reverse solicitation and internal instructions for the team.

Licensing or reverse solicitation
Licensing vs servicing via reverse solicitation: a matter of cost-benefit analysis. The economic feasibility of operating without a license is high at early stages when you need to quickly test a product and reach initial transactions. But compliance cost modeling shows: as the share of EU revenue grows, the cost of marketing controls, legal opinions and enforcement risks begins to exceed the CAPEX for obtaining a license in the chosen EU jurisdiction.

The ROI assessment when foregoing licensing should take into account the probability of fines and restrictions, the cost of regulatory protection and the opportunity cost due to restrained marketing. Scaling the business through reverse solicitation is limited: the model is poorly compatible with active growth and product marketing. In one project COREDO prepared a roadmap: 6 months of a reverse scenario with a cap on the EU share and a parallel launch of licensing in Cyprus taking into account capital and guarantee requirements.

Exit strategies include migrating the business to the EU or servicing remotely while obtaining a license in a country oriented towards CASP. A regulatory sandbox program sometimes accelerates testing of innovative products. Registration formalities in the EU and interaction with a local lawyer, preparation of governance documents, AML policies and procedures for CASP: this is an area where the COREDO team has implemented full cycles, including product governance and board supervision.

Practice and interaction with ESMA/NCAs

ESMA’s enforcement practice shows a high interest in pre-contractual communication and cross-border onboarding. NCAs (national competent authorities of the EU) send regulatory requests and expect transparent answers on website architecture, marketing campaigns, share of EU clients, AML control and escalation procedures. Legal support for reverse solicitation is useful not only in a dispute, but also in preparation for an inspection.

The COREDO team prepares legal opinions on MiCA reverse solicitation taking into account national nuances, including the legal position of third countries and MiCA, product mapping and assessment of the marketing footprint. We agree with the client in advance on a response playbook: who responds, what data is disclosed, how the internal compliance manual for CASP is demonstrated, and how evidence preservation is presented.

Practical tip: conduct a pre-emptive gap review of marketing, onboarding and IT logging before going live with EU traffic. It is faster and cheaper than urgently fixing traces after a regulatory letter.

Internal policies and controls
Drafting an internal control policy for CASP in the context of reverse solicitation is not a simplified version of the “full” license. Documents should cover the risk-based approach to AML/CFT, KYC/EDD, transaction monitoring algorithms, thresholds for SAR, travel rule, outsourcing governance and data quality controls. The internal compliance manual for CASP structures the roles of the MLRO, the second line of defense and escalations to the board.

Control over marketing materials is mandatory. We recommend a pre-clearance procedure for any communication that may reach EU residents: landing pages, mailings, social media posts, partner creatives. The document retention policy sets retention periods, and the IT landscape maintains an audit trail across key systems.

Governance and board-level oversight address strategic issues: limits on the share of EU revenue, triggers for moving to licensing, a compliance and legal risk reserve budgeting model. It is at this level that it is decided whether reverse solicitation will remain an experiment or become a bridge to a full EU presence.

COREDO practice examples that work
Case 1: a Singaporean provider serving EU holdings on a request basis. The COREDO team built opt-in onboarding, centralized KYC with EDD for high-risk profiles and a strict “no EU marketing” policy. We prepared a legal opinion on MiCA reverse solicitation with a risk map and a migration plan to a Cypriot license upon reaching a 25% EU-share threshold. A regulatory inquiry from one of the NCAs was closed with an evidentiary base: logs, screenshots, instructions.

Case 2: a Dubai VASP with active content marketing. COREDO’s audit revealed hidden geotargeting to several EU countries and a referral network with EU bloggers. We froze the campaigns, rewrote public disclosures, implemented pre-clearance, trained the sales team and put in place a document retention policy. At the same time we started the licensing process in Estonia; after 8 months the company moved to an onshore model.

Case 3: a British fintech platform with utility tokens. The legal assessment showed exceptions for some tokens, but ancillary services fell within the MiCA scope. COREDO’s practice confirmed: mixed models more often err in classification. We separated product flows, for some — reverse solicitation with neutral web architecture, for others — an application for a license in Slovakia.

Contract models and data protection
Contract models with an EU client should include: choice of law and dispute jurisdiction outside the EU, clear product restrictions, terms for termination of service on regulatory grounds and notifications, disclosure of economic and legal risks. Contracts should set out mechanisms for KYC/EDD, consents for processing and transfer of data, as well as the provider’s rights to transaction monitoring and freezing operations upon red flags.

Terms of service and dispute jurisdiction should work together with data protection policies. Deep integration of GDPR processes (legal bases, DSR procedures, DPIA where necessary) reduces the risk of secondary claims. In one project COREDO synchronized the ToS, privacy notice and AML policy to eliminate contradictions and demonstrate the integrity of governance.

When reverse solicitation is not advantageous
Business model alignment with MiCA requires an honest assessment. If your growth depends on marketing, partnerships and public promotion, reverse solicitation will limit scaling and increase the cost of compliance. If the business case envisages a significant flow of clients from the EU, it is advisable to plan for EU licensing in advance, choosing jurisdictions with a clear NCA practice and accessible infrastructure (for example, Cyprus, Estonia, some Central European countries).

Compliance cost modeling helps management see where the breaking point lies between the costs of legal protection for the reverse model and the CAPEX/OPEX of a licensed presence. The COREDO team often calculates scenarios: a basic reverse for 6–9 months, a hybrid model with limited marketing and a full transition to a license with an onshore team and presence and substance requirements.

What the regulator will ask during an inspection
Preparing for a regulator’s inspection of client-initiated contacts is not only about documents. Regulators check product governance, the continuity of the customer information trail, monitoring stability, response to alerts and the competence of the MLRO. We conduct simulated requests where the client team answers questions about site structure, onboarding logic, token classification and the use of EU sanctions lists.

The regulatory perimeter under MiCA changes as ESMA publications are released, and COREDO regularly updates templates of the internal compliance manual for CASP. This allows rapid implementation of changes: for example, strengthening requirements for pre-contractual disclosures or revising the passive client test procedure.

Nuances of ART, EMT and utility tokens
Asset-referenced tokens are regulated more strictly, especially regarding issuance, reserves and disclosures. E-money tokens under MiCA trend towards requirements similar to electronic money, including capital and safeguarding of funds. Utility tokens may be outside MiCA with a narrow functional purpose, but as soon as trading availability or an investment motive appears, we return to the MiCA scope.

COREDO helps clients with product mapping: a matrix of token functions, use scenarios, impact on AML/KYC and product restrictions in reverse solicitation. This reduces the risk of incorrect classification and NCA claims.

From hypothesis to a sustainable model

  • Carry out a MiCA scope and applicability assessment to the product, taking into account national transpositions.
  • Decide whether the model allows passive inbound without marketing in the EU.
  • Build web and CRM architecture with inbound logging, disable EU targeting.
  • Develop an internal compliance manual, AML policies, travel rule procedures and the MLRO role.
  • Set up KYC/CDD/EDD, sanctions and PEP checks, transaction monitoring.
  • Prepare a legal opinion on MiCA reverse solicitation and a response plan for inquiries.
  • Agree on ToS, agreements, disclosures, a privacy notice and GDPR processes.
  • Identify triggers for moving to licensing, calculate ROI and choose a jurisdiction.
  • Maintain record-keeping, evidence preservation and regular board oversight.

Conclusions

Reverse solicitation under MiCA is a tool, not a goal. It helps legally test a product, carefully work with inbound requests from the EU and gather market feedback. But this model requires discipline: no marketing in the EU, impeccable documentation, strong AML/KYC and transparent contractual relations.

The COREDO team has walked this path with clients many times: from the legal opinion and process setup to transitioning to a licensed model in the EU. I am convinced that resilience in the crypto-economy is built on two pillars – strategic clarity and operational excellence. Reverse solicitation can become your bridge to Europe if you define the boundaries in advance, stay within the regulatory perimeter and make a timely decision about licensing.

Since 2016 I have been leading COREDO through dozens of regulatory cycles and changes in the EU, the UK, Singapore and the UAE. The COREDO team has gone all the way from company formation and CASP/VASP licensing to building mature AML‑programs, reserve proofs and setting up operational resilience. In this article I have compiled the strategy we actually use in projects: how to prepare a crypto exchange and related fintech services for MiCA in the EU and for VARA in Dubai by 2026, with details, not theory for theory’s sake.

Below you will see concrete steps, regulatory nuances and technological solutions that already work. Where the market imposes higher requirements, I will explain how we close them, from governance and capital adequacy to the Travel Rule, custody and smart-contract audits. The goal is to give you a structure that makes it easy to plan market entry into the EU and the UAE, to estimate compliance cost and ROI, and, most importantly, to move quickly and without unnecessary risks.

MiCA and VARA: what you need to know in 2026

Illustration for the section «MiCA and VARA: what you need to know in 2026» in the article «MiCA and VARA – comparison for crypto exchanges 2026»

MiCA and VARA are already shaping a new regulatory landscape for crypto-assets, so it is worth having a clear understanding of the main implications for businesses and users. Below we break down what is important to know in 2026: the scope of MiCA, requirements for providers and practical interaction with VARA.

Scope of MiCA

MiCA is a pan-European regulation covering crypto-assets, tokens and CASP services: exchange, trading platform operation, custody, token issuance and order execution. By 2026 MiCA harmonizes rules for stablecoins, tightens requirements on transparency, risk management and minimum capital. An important feature: MiCA passporting for operating in the EU — by obtaining a license in one EU country and complying with corporate and prudential standards, you can serve clients across the European Economic Area.

VARA mandate in Dubai

VARA has created a modular licensing system for VASPs in Dubai: advisory, broker‑dealer, custody, exchange, lending/borrowing, management & investment. The rules are divided into knowledge and process areas: Company, Compliance & Risk, Market Conduct, Technology & Information, as well as an Issuance Rulebook for tokens. By 2026 VARA is expected to consolidate the rulebooks, clarify third‑country equivalence and strengthen requirements for managing technology risks, including operational SLAs with wallet providers and access control.

CASP vs VASP, terms and responsibilities

In the EU under MiCA the term is Crypto-Asset Service Provider (CASP); in Dubai it is Virtual Asset Service Provider (VASP). The difference is not only in terminology. COREDO’s practice confirms: VARA describes technological and information requirements in greater detail (logging, cybersecurity, BCM), while MiCA focuses on prudential and market integrity aspects for EU market participants. For crypto exchanges the question “MiCA vs VARA for crypto exchanges” often means not choosing “or” but “and”, when an international structure builds a licensing architecture covering both jurisdictions.

Extraterritoriality and equivalence

MiCA and VARA have extraterritorial elements: marketing, interface availability, client targeting and onboarding create compliance obligations. VARA is developing an approach of international recognition and third-country equivalence, but it does not remove local licensing where there is a physical presence, a management center or targeted marketing. Our experience at COREDO shows: we model in advance a jurisdiction risk matrix and a roadmap for obtaining the relevant approvals to avoid regulatory arbitrage with unpredictable consequences.

Market entry: EU vs Dubai

Choosing a strategy for market entry in the EU or Dubai is determined by differences in regulation, taxes and access to customer and technological infrastructure. Special attention should be paid to passporting under MiCA and its limitations, which directly affect the speed and scalability of presence in Europe.

MiCA passporting: limitations

MiCA passporting for operating in the EU is a powerful advantage: a single standard for 27 countries, centralized requirements for disclosure, token registry, capital and governance. But passporting has limitations: local AML supervision by national authorities, requirements for the language of disclosures, as well as related rules: PSD2 for payments, GDPR for data, AMLD5/6 for reporting. The solution developed by COREDO is «passporting-plus»: a base license plus local procedures (for example, language, STR/CTR formats, interaction with the FIU), compiled into a single compliance matrix.

VARA license for exchanges in Dubai

Dubai offers fast access to capital, infrastructure of liquidity providers and technological flexibility. A VARA license for exchanges in 2026 requires a clear picture of governance, operational resilience, risk management and internal controls. VARA’s regulation of virtual assets in Dubai in 2026 emphasizes tech processes: asset segregation, custody models, incident management and public notifications. The COREDO team has implemented a number of «VARA-readiness» projects, including Travel Rule integration and KYT automation with on-chain monitoring.

ROI from compliance: CapEx vs OpEx

Compliance costs for MiCA and VARA include CapEx (implementation of AML/KYC platforms, KYT, SIEM, DLP, smart contract audits, proof of reserves) and OpEx (CCO/MLRO team, transaction monitoring, training, regular audits, regulatory fees). The assessment of ROI from complying with MiCA and VARA for exchanges is built on three metrics: market access (EU passporting, VARA recognition), reduced cost of capital (trust from banks and investors), and accelerated customer onboarding. At COREDO we calculate ROI as savings on risks (fines, downtime, rejected payments) and revenue growth through lawful marketing and partnerships.

How to obtain a crypto exchange license

Licensing crypto exchanges is a complex process implemented through clearly structured step-by-step procedures that minimize regulatory and operational risks. The first key stage, registration of a legal entity in the EU and bringing operations into compliance with MiCA requirements, is followed by the preparation of documents, compliance processes and technical integration.

Registering a legal entity in the EU under MiCA

Registering a legal entity for an exchange in the EU under MiCA begins with choosing a jurisdiction: taxes, regulator competence, access to talent and banks. Company registration in the EU, including the choice of jurisdiction and tax aspects, runs in parallel with the preparation of the CASP dossier: business plan, policies, risk appetite, description of IT architecture, custody, key roles (CEO, CCO, MLRO, CISO), as well as a token registry and classification under MiCA. An important block is client onboarding under MiCA requirements and the disclosure and transparency obligations under MiCA.

Registration in the UAE: Free Zone/Mainland

Registering a legal entity in the UAE under VARA is a choice between Free Zone (for example, DIFC/DWTC/DMCC, if relevant to the licensing model) and Mainland. Free Zones provide speed and infrastructure; Mainland provides access to government procurement and certain types of activities. Crypto exchange licensing procedures in the UAE include compliance with corporate requirements, proof of economic substance, a compliance package and coordination with banking gateways. In practice we set the sequence: corporate structure (SPV, branch, subsidiary) → preliminary coordination with VARA → technological and operational controls → interview with the regulator.

Migration of license, clients and data

Migrating a license, that is, moving an exchange to the EU or the UAE, is a project on three fronts: legal risks, migration of clients and data, and operational continuity. GDPR and personal data protection during KYC require a DPIA, updates to consents and MSAs with providers, as well as planning backups and data recovery. COREDO’s practice confirms: staged migration, a pilot phase, a dual AML/KYC perimeter and a pre-agreed disclosure plan for clients allow you to pass an audit and regulatory inspection without disruptions.

Capital, governance and risk management

Illustration for the section «Capital, governance and risk management» in the article «MiCA and VARA – comparison for crypto exchanges 2026»

Understanding capital requirements, effective governance and reliable risk management processes form the basis of financial resilience and compliance with regulatory standards. In the next section we will examine the minimum capital and reserves necessary to maintain solvency and cover potential losses.

Minimum capital and reserves

Capitalization and prudential requirements for CASP under MiCA depend on the type of services and include minimum own capital requirements and buffers. Under VARA, the emphasis is on liquidity resilience, coverage of operational risks and reserving mechanisms. We detail stress-testing models and liquidity management (prudential stress testing), including outflow scenarios, market shocks and custodian failures. Having a register of limits and three lines of defense reduces the likelihood of supervisory claims.

Management of conflicts of interest

Management of conflicts of interest and governance are a separate focus for both MiCA and VARA. The board of directors, independent directors, a risk committee, and a clear role for the Chief Compliance Officer and MLRO are not a formality. At COREDO we build an authority matrix, a remuneration policy, personal trading rules and an escalation mechanism. For exchanges with an in‑group market maker, separation of duties, market conduct and independent monitoring are critical.

Operational resilience (BCM)

Operational resilience and business continuity are mandatory topics. BCM (business continuity management), backup sites, RTO/RPO, incident management and disclosure plans are what regulators check first. In our projects COREDO uses tabletop exercises, testing of backup payout processes and chain outage scenarios to demonstrate readiness for failures and cyber incidents.

AML/KYC: from policies to technologies

Illustration for the section «AML/KYC: from policies to technologies» in the article «MiCA and VARA – comparison for crypto exchanges 2026»

AML/KYC today requires a shift from formal policies to technological solutions that automate checks and minimize operational risks. This is especially important when implementing MiCA and VARA requirements and when organizing KYC/EDD for corporate clients.

KYC/EDD requirements under MiCA and VARA

KYC requirements under MiCA and VARA converge: multi-layered KYC, EDD for high-risk and corporate clients, beneficiary verification, confirmation of sources of funds. KYC/EDD standards for corporate clients include analysis of ownership structures, sanctions risks and geographies. We implement a risk‑based approach: different layers of checks depending on risk, periodic reviews and sampling audits.

Travel Rule for cross-border transactions

Integration of the Travel Rule under MiCA and VARA is mandatory for cross‑border transactions. We use the OpenVASP, Sygna and TRP protocols, addressing interoperability with different VASPs and jurisdictions. AML/KYC processes for cross‑border transactions are configured to satisfy both FATF and local requirements without creating unnecessary friction for the client.

FATF, AMLD5/6 and STR/CTR with authorities

FATF recommendations and their impact on MiCA/VARA set the minimum threshold. Implementing AMLD5/6 in the context of MiCA means correct risk segmentation, triggers for STR/CTR and standardized reporting formats. The COREDO team helps organize interaction with law enforcement authorities and regulators, including handling requests and preserving the chain of custody.

Sanctions, screening, PEP/SDN and information exchange

Managing sanctions risks covers screening, regular updates of PEP/SDN lists, geographic filters, and intergovernmental agreements and information exchange. We combine sanctions compliance with graph algorithms and on-chain analytics to detect complex evasion schemes. This approach reduces the likelihood of blocks by banks and payment providers.

Proof of reserves and asset custody

The topics of custody, proof of reserves, and overall asset security define the rules for storage and transparency when working with digital assets. Below we will review MiCA’s custody requirements and the key provisions of custodian agreements that help ensure compliance with these standards.

Agreements and custody under MiCA

MiCA custody requirements emphasize segregation of client funds, daily reconciliations, and mandatory agreements with custodians under MiCA. Contracts record client rights, procedures for access recovery, insurance, and disclosure procedures in case of incidents. For CASP entities holding assets, it is critical to have a clear map of responsibilities and regular reporting to clients.

Custody models under VARA and insurance

VARA custody models detail the architecture of hot and cold wallets, multisig, HSMs, and withdrawal procedures. Custody rules in Dubai (hot wallets vs cold storage) assess not only the technology but also operational controls. Crypto-asset insurance and market practice in 2026 require assessment of limits, retroactive coverage, and coordination with the regulator.

Proof of reserves: audit and certification

The practice of proof of reserves is becoming standard. We use combined methodologies: on-chain verification, independent attestations, and confirmation of liabilities without disclosing personal data. Audit and certification of crypto exchanges in 2026 include independent verification of financial statements, procedures, and IT controls, which strengthens the trust of banks and institutional investors.

CISO and cyber risks of wallet providers

Access control and the role of the CISO in a crypto exchange are coming to the forefront. Cyber risks, backups and data recovery, network segmentation, key management, and operational SLAs with wallet providers are a topic to which VARA applies particularly strict standards. At COREDO we conduct a gap analysis of Technology & Information requirements and address it through SIEM, PAM, and regular Red/Blue Team exercises.

Disclosure and investor protection

Operational transparency and detailed disclosure are key elements of effective investor protection in the digital assets space. In the following subsections we will examine MiCA’s disclosure requirements, the organization of the token register and the content of the whitepaper that help implement these principles in practice.

MiCA disclosure: registry and whitepaper

MiCA’s disclosure and transparency requirements include a whitepaper for public token offerings, a token register and classification under MiCA, as well as clear risk disclosures. Public transaction registries and the transparency requirement strengthen oversight by investors and regulators. At COREDO we establish a process for updating the whitepaper when tokenomics or functionality change.

Stablecoin regulation and reserves

MiCA and VARA stablecoin regulation converge on one point: the priority of resilience and reserve policy. Assessing stablecoin stability and reserve policy involves checking asset quality, reporting frequency and the transparency of guarantees. In the EU additional requirements are imposed on issuers; in Dubai the emphasis is on disclosures and counterparty risk management.

Protection of token marketplace consumers

MiCA’s impact on the licensing of token marketplaces concerns placement, listing and delisting rules, as well as consumer protection. Ensuring investors’ rights and consumer protection means clear pricing rules, prevention of manipulation and clear complaint procedures. We integrate market conduct controls and independent oversight of listings.

Compliance and operational integrations

Tools for compliance and support of operational integrations combine automated risk monitoring, blockchain activity analysis and ML models to fight fraud. Below we will examine the key elements in detail: KYT and on‑chain monitoring, anti‑fraud ML and graph analytics.

KYT and on-chain monitoring

Technological compliance solutions (KYT, blockchain analytics) are the foundation of AML compliance for crypto exchanges. On-chain monitoring and KYT tools, anti-fraud algorithms and machine learning for AML, graph-analytics AML algorithms and tools for monitoring suspicious patterns provide speed and accuracy. We configure risk-based rules and playbooks for analysts to reduce false positives and accelerate investigations.

ROI assessment: automation, BPM, KPI/KRIs

Compliance automation and BPM tools save time and maintain quality. Compliance performance metrics (KPIs, KRIs) include onboarding time, share of EDD cases, number of STR/CTR and average investigation time. ROI assessment from automating AML processes includes OpEx reduction and fewer regulatory incidents thanks to a controlled process.

Integration with banks: PSD2 and KYC

Integration of banking gateways and banks’ KYC requirements remain a barrier for crypto exchanges. Integration with payment providers and PSD2 compliance require reliable identification, transaction monitoring and preventive sanctions measures. The COREDO team pre‑agrees compliance packages with banks, reducing time‑to‑yes.

Blockchain interoperability and oracles

Blockchain interoperability and oracle risk are new sources of operational and market risks. Smart-contract audits and technical risk management cover independent audits, bug bounties and deployment policies. We include these elements in the regulatory dossier to demonstrate mature risk management.

Regulatory supervision and sanctions

Attention to supervision and potential sanctions has become a key factor for market participants: non-compliance with rules often entails operational and reputational risks. Below we examine regulatory practice at the ESMA and national regulator levels, including reporting requirements and the frequency of document submissions.

Reports to ESMA and national regulators: frequency

The supervisory practice of ESMA and national authorities in the EU establishes consistent approaches to disclosures and reporting. Regulatory reports and filing frequency depend on the type of services and the scale of the business: operational incidents, transaction volumes, complaints and disciplinary measures. At COREDO we formalize a reporting calendar and responsibilities for each area.

VARA regulatory sandboxes: appeals

Regulatory sandboxes and VARA pilot projects are a quick way to test innovations under supervision. The right to appeal regulatory decisions exists in both systems, but it is important to properly document the process and maintain an open dialogue. We prepare position letters and arguments in the regulator’s language.

Supervisory sanctions and fines

Supervisory sanctions and fines under MiCA and VARA are a reality for companies with immature compliance. We reduce legal risks for crypto exchanges under MiCA and VARA through early gap assessments, staff training and independent reviews. COREDO conducts a pre-audit to fix vulnerabilities before a supervisory visit.

COREDO Case Studies: launching exchanges in the EU and Dubai

COREDO case studies demonstrate how we bring exchanges to the EU and Dubai markets through a phased regulatory compliance strategy. Next, we will break down the MiCA compliance plan — from onboarding counterparties and setting up internal processes to scaling operations and maintaining compliance.

Exchange compliance plan under MiCA

Recently the COREDO team completed a CASP licensing project focused on exchange and custody. We built a compliance plan for entering the EU markets: client onboarding under MiCA requirements, token classification, whitepaper procedures, KYT and the Travel Rule. After obtaining the license we enabled passporting in three EEA countries and scaled the business while complying with MiCA requirements without additional licenses.

VARA risks and controls in Dubai

Another case: an exchange with derivatives on virtual assets under VARA. We deployed risk management and internal VARA controls, including liquidity stress testing, a Company & Risk Rulebook, Technology & Information controls, as well as custody models with cold reserves and insurance. The regulator accepted the PoR model with independent attestation and regular public reports.

Migration from Asia to the EU: clients and data

A client from Asia moved its operations center to the EU. We designed the migration of clients and data when changing jurisdiction, arranged contracts with custodians, performed a DPIA under GDPR and conducted an audit of IT controls. Result: successful license migration, smooth transfer of liquidity and continuity of trading without downtime.

Liquidity, M&A and exits

For sustainable business expansion, liquidity, proper M&A planning and well-thought-out exit strategies remain key. In the following section we will examine the principles of liquidity management and stress testing that help assess a company’s ability to withstand shocks and prepare for deals and exits.

Liquidity management and stress tests

Counterparty risk management and credit risk require limits on market makers, custodians and stablecoin issuers. We build prudential stress testing taking into account volatility, oracle failure scenarios and network outages. This increases the confidence of banks and institutional partners.

IPO and M&A exit strategy: regulatory framework

Exit strategies (IPO, M&A) and the impact of regulatory requirements determine the structure of reporting and internal control. Audit and independent review of financial statements, mature policies and transparent KPI/KRIs increase the company’s valuation. At COREDO we build a data room with an emphasis on compliance tracks and regulatory history.

Impact of geopolitics and sanctions

The influence of geopolitics and sanctions policy on exchange operations is a factor in strategic planning. We update screening rules, test alternative payment channels and set up inter-jurisdictional information exchange. This approach preserves market access and reduces the likelihood of sudden blocks.

Checklist for launching an exchange under MiCA/VARA 2026

  • Legal structure: SPV/branch/subsidiary; beneficial ownership register; tax planning.
  • Licensing: CASP under MiCA with passporting; VARA VASP classes for exchange/custody/broker-dealer.
  • Governance: board, independent directors, risk committee; roles CCO, MLRO, CISO.
  • Capital and reserves: minimum requirements and buffers; liquidity plan and stress tests.
  • AML/KYC: risk‑based KYC/EDD, sanctions (PEP/SDN), STR/CTR, FATF/AMLD5/6, Travel Rule (OpenVASP/Sygna/TRP).
  • Custody: hot/cold wallets, multisig, HSM, insurance; agreements with custodians under MiCA.
  • Proof of Reserves and audit: methodology, independent attestation, regular public reporting.
  • Technology: KYT, on‑chain analytics, anti‑fraud ML, SIEM/PAM; BPM automation, KPI/KRIs.
  • Transparency: token registry and classification under MiCA; whitepaper and disclosures; market conduct.
  • Operational resilience: BCM, incident management, RTO/RPO, redundant sites and backups.
  • Integrations: banking gateways, PSD2 compatibility, banks’ KYC requirements.
  • Regulation: reports and frequency, VARA sandboxes, right of appeal, engagement with the regulator.
  • Data and GDPR: DPIA, client and data migration, contracts with providers, access control.
  • Smart contracts: audits, bug bounties, deployment management; oracle risks and interoperability.

Why COREDO is a long-term partner

The 2026 MiCA regulation for crypto-assets and the 2026 VARA regulation for virtual assets in Dubai set a high bar for crypto exchanges. For some it’s a barrier, but I see a window of opportunity: passporting under MiCA, equivalence and international recognition of VARA, mature procedures, a foundation for scaling without regulatory surprises. Our experience at COREDO has shown that the right compliance architecture not only grants market access but also saves capital, speeds up deals, and increases company valuation.

If you are planning crypto exchange licensing in the EU under MiCA or an expansion to Dubai, start with a risk map, a licensing roadmap, and pilot AML/KYT integrations. The COREDO team has already built dozens of such programs, from legal entity registration to proof of reserves and regulatory reporting. I’m ready to discuss details: where migration is advisable, which custody models to choose, how to optimize CapEx vs OpEx, and how to build a compliance matrix that will withstand audit and scaling.

Since 2016 I have been building COREDO as a company that removes regulatory uncertainty for entrepreneurs and financial directors. During this time the COREDO team has obtained licenses and set up operating models in the EU, the United Kingdom, the Czech Republic, Slovakia, Cyprus, Estonia, Lithuania, Singapore and Dubai. In this article I have compiled practical recommendations on CASP licensing, with a focus on capital, personnel, AML and technological resilience. I draw on the experience of numerous projects so that you can immediately see where the main value lies and how to avoid costly mistakes.

Why MiCA and global supervision now

Illustration for the section «Why MiCA and global supervision now» in the article «CASP licensing – capital and personnel»

The European MiCA regulation introduces common requirements for CASPs regarding capital, organizational structure and client protection, and also provides passporting mechanisms in the EU. COREDO’s practice confirms: the new regime raises the entry threshold, but with proper preparation accelerates scaling across regions and reduces fragmentation of requirements. We take into account that MiCA and the capital requirements for CASPs tie own funds to the set of services and fixed overhead costs.

Outside the EU, important benchmarks are set by the FCA (United Kingdom), BaFin (Germany), FINMA (Switzerland) and MAS (Singapore). These regulators emphasize fit-and-proper requirements for CASP management, verification of funding sources and operational resilience. FATF recommendations to VASPs and on staffing requirements, as well as AMLD5/6 in the EU, have strengthened the focus on ML/TF risks and CASP personnel requirements. In Dubai, VARA details the separation of responsibilities between custodian and exchange, which directly affects capital and insurance coverage.

Choosing a jurisdiction and market entry

Illustration for the section ‘Choosing a jurisdiction and market entry’ in the article ‘CASP licensing – capital and personnel’

Decisions on choosing a jurisdiction and forming a market entry model define the legal, tax and commercial framework of expansion. Below we will examine step by step how these factors manifest in the EU context: from regulatory harmonization to requirements for economic substance.

EU regulatory harmonization

MiCA creates uniform rules, but in practice each state retains particularities in supervision and expectations regarding local presence. Economic substance and local presence of a CASP are not a formality: real resident directors, an office, a full-time MLRO, and management functions within the country strengthen the position at the application stage. At COREDO we design the organizational structure of the CASP in advance for licensing and prepare a passporting strategy to later use cross-border CASP services without duplicating licenses.

Estonia, Malta and Lithuania offer different entry barriers. In Estonia the minimum share capital for a VASP depends on the services and usually ranges from €100,000 to €250,000; personnel and control requirements have been strengthened since 2022. In Malta the VFA classification raises the bar for capital and governance: for advanced classes this means hundreds of thousands of euros and enhanced internal controls. Lithuania actively welcomes crypto business: VASP registration is possible, but banks and payment providers expect confirmed substance and a mature AML framework.

Depth and supervisory models in four countries

The FCA conducts strict registration of crypto companies: there is no formal minimum capital, but a CASP’s own funds must cover risks and fixed expenses, and personnel must demonstrate competencies and independence of compliance functions. FINMA and the Swiss cantonal regulators apply a high level of scrutiny to custody solutions and directors’ responsibilities. In Singapore under MAS’ PSA for DPT providers the minimum capital and security deposit depend on the volume of operations; mature processes for cybersecurity and key management are expected. In Dubai, VARA imposes clear requirements for product documentation, outsourcing of critical functions, and SLAs with providers.

CIS: a bridge to the EU and Asia

Applicants from the CIS are successfully licensed when they build a transparent ownership structure, confirm the sources of capital for the CASP and document the business reputation of founders and investors. The COREDO team has implemented multi-level structures with an EU holding and operating companies in Asia to balance tax burden and personnel requirements. This approach facilitates banking relationships, KYC/KYB and demonstrates sanctions compliance to regulators.

Capital for CASP: terms and calculations

Illustration for the section «Capital for CASP: terms and calculations» in the article «CASP Licensing – capital and personnel»

For proper capital management within CASP it is important to first build a clear understanding of key terms before moving on to practical calculations. In the first section we will go through the basic terminology and regulatory logic to lay the foundation for further capital assessment methods and concrete computations.

Terminology and regulatory logic

Own funds are a regulatory metric of resilience. Distinguish paid-up capital from authorized capital: the regulator considers paid-in capital and other elements of own funds, not just the authorized share capital ceiling. MiCA prescribes minimum capital for CASP in the range of €50–150k depending on services and/or 25% of annual fixed overheads; the higher figure is chosen.

Capital versus liquidity: the regulator requires both of a CASP. Capital is a buffer against losses; liquidity is the ability to meet obligations and withstand outflows. Some jurisdictions apply elements of ICAAP (internal capital assessment and stress-testing), and risk-weighted assets (RWA) are adapted to the nature of crypto exposures and operational risks.

Risks, stress tests and capitalization

Risk assessment and capital testing for CASP include scenarios such as technology failure, abrupt outflows of client funds, and increased market/credit risk exposures to liquidity providers. Liquidity reserves and stress tests for a crypto operator show how quickly you cover margin requirements, withdrawals and operating expenses. The COREDO team implemented ICAAP logic taking into account RWA methodologies and operational risk, as well as an analysis of “capitalizable and non-capitalizable liabilities” for correct calculation of own funds.

How to calculate capital requirements for a crypto exchange? We take the minimum CASP share capital, add a buffer for FOE (fixed overheads) for 12–18 months, and account for CASP reserve capital requirements for custody and cyber risk coverage. Capitalization strategies when scaling a CASP include additional issuances, subordinated debt as a source of regulatory capital within limits, and cyber insurance, which indirectly reduces net losses in stress scenarios.

Funding and corporate actions

Sources of funding for a CASP license must be transparent: equity, convertible notes, subordinated debt, subject to conditions recognized by the regulator. Evidence of capital sources for CASP relies on bank statements, SPAs, corporate resolutions, auditor reports and investors’ tax returns. Procedures for increasing capital and additional issuances require regulatory approvals for changes to capital structure and updates to corporate documentation, as well as timely notifications to the regulator.

Personnel: fit and proper and organizational design

Illustration for the section “Personnel: fit and proper and organizational design” in the article “CASP Licensing – Capital and Personnel”

A company’s effectiveness largely depends on its personnel, adherence to the fit and proper principles, and thoughtful organizational design. In the following points we will examine staffing requirements and leadership roles in detail to understand how to build competencies, responsibilities, and managerial interactions within the organization.

Requirements and leadership roles

CASP personnel requirements are based on the fit and proper principle: honesty, experience, qualifications, time on the market, and the ability to devote real time to management. Minimum qualifications for CASP CTO, CFO, CCO include proven experience in the financial sector, risk and security management, and for the MLRO, competencies in ML/TF assessment, skills in developing AML policies and interacting with the FIU. What is considered sufficient qualification for an MLRO? Practical experience in AML/CTF, relevant certifications (for example, ICA/ACAMS), knowledge of AMLD5/6 and FATF, investigation cases and SARs.

The roles of MLRO, CCO, CTO, CFO and CIO in a CASP allocate responsibilities. MLRO: management of AML and SARs; CCO: overall compliance framework and reporting; CTO/CIO: security, keys, infrastructure; CFO: capital, liquidity, reporting. The responsibility of CASP directors and staff is personal: the regulator assesses their decisions, the management of conflicts of interest in CASP leadership, and the independence of control.

Hiring and screening effectiveness

Recruitment and personnel screening procedures for a CASP include background checks, biography checks, criminal record and sanctions screening of the director, verification of education and actual achievements. Preparing CVs and proof of experience for CASP applicants should be substantive: projects, KPIs, implemented rollouts, certifications. The composition of the compliance and AML department in a CASP is built from an MLRO, KYC/KYB analysts, a sanctions officer, a reporting officer, and an independent internal auditor.

Ongoing operating expenses for CASP personnel should be planned for 12–18 months ahead. Performance indicators for the compliance function (KRI, KPI) include SLA for KYC, alert processing time, escalation rate, SAR quality, as well as ROI metrics from investments in compliance personnel. The assessment of the economic efficiency of hiring vs outsourcing shows that some functions are cost-effective to keep in-house, while others should be given to an external provider. For a CASP group, the choice between an in-house and a centralized compliance function often ends in a hybrid model with coordination at the holding level.

Succession, motivation and retention

A leadership succession plan and regulator requirements demand ready candidates for key roles and documented procedures for transferring access to assets and signing authorities. Compensation models and risk-oriented bonuses are agreed with the remuneration committee to avoid incentivizing excessive risk. Workforce planning when entering new markets helps avoid overloading the MLRO and deterioration of control.

Technologies, security and resilience

Illustration for the section “Technologies, security and resilience” in the article “CASP Licensing – capital and personnel”

Reliable technologies are the indispensable foundation for ensuring the security and operational resilience of services. Below we will examine in detail custody, segregation and key management practices that are critically important for protecting assets and maintaining operations during incidents.

Custody and key management

Capital and the safeguarding of client funds in a CASP depend on the chosen model: custody, exchange, brokerage. Product documentation requirements (custody, exchange, brokerage) include a description of client fund segregation and client accounting, SLAs with custodians, management of conflicts of duties and storage conditions. Cold and hot wallets, KMS, HSM and multisig are the standard for secure storage; key management and crypto-custody are documented in policy, with recovery procedures.

Asset insurance and client loss coverage reduce operational risks; cyber insurance and capital requirements are linked: having adequate coverage can affect the assessment of residual risk in ICAAP. Agreements with liquidity and leverage providers should limit counterparty risks, and outsourced exchange engines and SLAs for critical functions require transparent RTO/RPO.

Compliance and privacy

KYC/KYB and beneficiary verification are reinforced by sanctions screening: sanctions controls against SDN/OFAC/UN/EU lists are a daily routine. For KYT and transaction monitoring we use Chainalysis, Elliptic and TRM as KYT tools, and configure AML alert levels and detection rules based on a risk-based approach. The travel rule and technical provider integration are mandatory elements for cross-border transfers between VASPs.

Technical requirements include SOC 2, ISO 27001, regular pentests, vulnerability management and access control. Business continuity and backup policies support operational resilience, while incident reporting and engagement with the regulator reduce regulatory risks during outages. Practices to prevent personal data leaks (GDPR/PDPA) and integration of HR and compliance for access control to assets close significant security gaps.

Independence of quality control

Internal audit and the quality control of CASP personnel assess the effectiveness of the first and second lines of defence. Critical functions can be outsourced, but responsibility remains with the directors; we define vendor control KPIs and independent monitoring. Engagement with external auditors and capitalization reviews helps demonstrate the maturity of risk management.

License application: documents and process

Properly assembled documents and a structured submission process are the key to a successful application, and checkpoints help track readiness at each stage. We’ll start with organizational matters, then go over substance requirements and finish with the practical part – a business plan that confirms the project’s economic justification.

Substance of the organization and business plan

The set of documents for a CASP license includes an organizational chart and a description of functions in the application, roles and authorities, as well as local presence and economic substance for the license. How to prepare a business plan for a CASP license? We describe products, revenue models, stress scenarios, growth strategies, risk maps and control measures. The financial forecast template for a CASP license includes P&L, cash flow, capital and liquidity, FOE, and “what-if” scenarios.

Product documentation details custody chains, exchange procedures, brokerage, limits on client transactions and margin risks. Segregation of client funds is codified in contracts and operating instructions, taking into account regulatory guidance on custodian vs exchange liabilities. The organizational structure of a CASP for licensing demonstrates the independence of compliance and risk functions.

Deal structure: timing and cost

Timing and cost of obtaining a CASP license depend on the jurisdiction and the readiness of the materials. In the EU, with a quality package, review takes from 3 to 9 months; in Singapore and Dubai it takes longer for complex models. We assess in advance the ongoing operating expenses for CASP personnel and funding sources for the CASP license to avoid cash shortfalls at the finish.

We plan passporting in the EU and cross-border CASP services from the start: this affects IT architecture, contracts with custodians and the choice of travel rule provider. We consider the transition from a subsidiary to a branch and its licensing implications from the standpoint of taxation, capital and substance requirements, as well as CASP reserve capital requirements.

Reporting and control in the operational phase

In the operational phase, reliable reporting and continuous internal control become key to minimizing risks and ensuring compliance with standards. Regulatory reporting and AML are especially important – they require clear coordination of procedures, data transparency and prompt incident response.

AML and regulatory reporting

Internal reporting procedures and regulatory reports record compliance with capital and liquidity requirements, security incidents and governance changes. Capital and liquidity reporting rules vary, but in all cases a transparent accounting of own funds for CASP and FOE is required. AML reporting and Suspicious Activity Reports (SAR) require a qualified MLRO and precision in escalation procedures.

Liquidity management in cases of laundering and rapid outflows relies on pre-approved limits and stress plans. Setting limits on client transactions and margin risks reduces the likelihood of sudden breaks and market cascades. Regulatory fines and license refusals typically occur due to undercapitalization, weak AML and unverified sources of capital; the COREDO team remedied such situations through recapitalization and redesign of the KYC/KYB framework.

Structure audit, modification and closure

Regulatory approvals for changes to capital structure and corporate rights are standard practice when scaling. External auditors check capitalization, IT controls and compliance with GDPR/PDPA. Business closure procedures and protection of clients’ interests include an asset return plan, regulator notifications and an independent audit of segregation.

COREDO case studies: where details matter

In Lithuania, the COREDO team implemented a project for an exchange CASP oriented toward a MiCA passport. The key was the strategy: the minimum capital for the CASP was covered with equity, and the CASP’s own funds were strengthened with subordinated debt within the limits. We implemented an ICAAP approach and outflow stress tests, recalculated FOE for 18 months and achieved a comfortable assessment by the regulator.

In Singapore, a solution developed at COREDO helped a DPT provider obtain a status compliant with PSA requirements. We built a SOC2-compliant architecture, implemented KMS/HSM and multisig, conducted a pentest and set up incident reporting. MAS positively assessed the competencies of the MLRO and the independence of internal audit.

In Estonia, our experience at COREDO showed how critical staffing requirements are for crypto companies. We supplemented the team with a strong MLRO, separated the CCO and MLRO roles, strengthened Travel Rule integration, and updated AML policies in light of AMLD6 and FATF. The result: a successful license review, reduced risk of enforcement actions, and stable relationships with banks.

In Dubai, the COREDO team established outsourcing of exchange engines with strict SLAs, formalized agreements with custodians and custody terms, and provided for asset and cyber risk insurance. This allowed for reduced capital add-ons for operational risks and sped up VARA approval. We also implemented KPI/KRI for compliance to transparently demonstrate ROI at the board level.

Checklists for CASP license

  • Capital and liquidity:
    • Own funds: minimum and FOE ≥ 25% of annual expenses.
    • Proof of sources of capital: bank statements, SPA, audit.
    • Recapitalization plan: additional share issuance, subordinated debt, cyber risk insurance.
    • Liquidity reserves and stress tests: outflows, margin calls, provider outages.
  • Personnel and governance:
    • Fit and proper for CASP management; independent CCO, qualified MLRO.
    • Procedure for checking the director’s background, criminal record and sanctions clearance.
    • Management succession plan; Risk, Audit, RemCo committees; conflict of interest.
    • Compensation models and risk-oriented bonuses; compliance KPI/KRI.
  • Technology and security:
    • Segregation of client funds; cold/hot wallets, KMS, HSM, multisig.
    • KYT: Chainalysis/Elliptic/TRM; Travel rule provider; sanctions lists.
    • SOC2/ISO27001; pentest; BCP/DR; incident reporting and contact with the regulator.
    • SLA with outsourcers; agreements with custodians and liquidity providers.
  • Documentation and process:
    • Organizational chart and job/function descriptions; local substance.
    • Business plan: products, revenue models, stress scenarios, financial forecasts.
    • AML/CTF policies, sanctions, KYC/KYB, SAR reports; internal reporting.
    • Passporting plan to the EU; assessment of tax and licensing consequences.

Cost planning and return on investment

Assessing the economic efficiency of hiring vs outsourcing requires comparing TCO: salaries, training and certification of AML/CTF staff, software licenses, external auditors. Metrics for return on investment in compliance and security are measured by reductions in losses from incidents, refusals in banking relationships, fines and licensing timelines. Techniques for optimizing personnel and compliance costs include a centralized center of expertise for the group, policy harmonization and shared services.

Staff planning when entering new markets builds in increased workloads for the MLRO and IT security, as well as stronger Travel Rule compliance and reporting. Economic efficiency assessment that takes into account capital threshold requirements by jurisdiction (EU/Asia/CIS) helps choose the optimal scaling route. We record the comparison of jurisdictions by entry barrier and personnel cost in the financial model to support the board of directors’ decision.

Trends and Recommendations

Regulatory trends: tightening capital requirements after incidents and clarifying regulatory guidance on custodian vs exchange liabilities. Benchmarking of capital requirements between the EU and Asia shows an increased emphasis on FOE and operational risk. The impact of crypto insurance on capital requirements is becoming noticeable: regulators view real coverage with minimal exclusions positively.

Managing liquidity and sudden increases in outflows is becoming a key competency. Management of conflicts of interest, the role of the board of directors and committees, measures to reduce operational and reputational risk: all of this affects the assessment of an organisation’s “fit and proper” status. Taxation and reporting requirements for CASP require constant calibration as product lines and geography change.

Lessons from COREDO’s practice

In one project, the regulator initiated license revocation due to a capital shortfall after market fluctuations and an increase in FOE. The COREDO team quickly prepared a recapitalization plan, arranged subordinated debt, and updated the ICAAP and stress scenarios. The regulator accepted the adjustments, and the client avoided a business shutdown and strengthened liquidity reserves.

Another case concerned the travel rule: the provider was failing to meet SLAs and AML alerts were piling up. The solution developed at COREDO included replacing the provider, rebuilding the alert logic, setting KPIs for the team, and improving the MLRO’s competencies. Within two months processing time decreased threefold, and SARs became more accurate in structure and content.

I also highlight a project on the transition from a subsidiary to a branch in the EU. We assessed licensing implications in advance, adjusted capital and internal reporting, and agreed on governance changes. As a result the client retained passporting and optimized their tax position without regulatory delays.

How to gain time and reduce risks

CASP licensing is a managed project where the outcome is determined by the quality of preparation and the discipline of execution. I recommend starting with an honest readiness assessment: capital and liquidity for 12–18 months, fit and proper for management, maturity of AML and technology security. The COREDO team will support you at every stage – from designing the organizational structure and economic substance to configuring ICAAP, implementing KYT and preparing for interviews with the regulator.

The sooner you turn regulatory requirements into a concrete plan, the easier it is to scale the business and protect clients’ interests. Regulators in the EU, the UK, Switzerland, Singapore and Dubai expect from CASPs the same as from mature financial participants: sufficient capital, responsible management, transparency and operational resilience. COREDO’s experience confirms: it is these principles that make crypto business sustainable and predictable over the long term.
