I founded COREDO in 2016, and since then I have seen every day how entrepreneurs lose momentum because of regulatory uncertainty. This is especially noticeable in projects with virtual assets: licensing, AML, bank accounts, infrastructure — too many things are moving at once. In this article I have compiled the practices our team has tested in the EU, the UK, Estonia, the Czech Republic, Cyprus, Singapore and Dubai, and I also examined in detail the topic “Crypto licensing in Bulgaria” with a focus on VASP registration in Bulgaria, AML requirements and the impact of MiCA. This is not a forward-looking overview, but practical steps, metrics and solutions that help teams launch on time, keep compliance risks under control and achieve a predictable ROI.
Bulgaria: an entry point for VASP
Bulgaria attracts with the simplicity of company incorporation, a modest corporate tax and flexible approaches to registering virtual asset service providers. crypto company registration in Bulgaria proceeds without excessive barriers: the corporate structure is set up quickly, and VASP registration relies on the EU anti‑money‑laundering requirements (AMLD5/AMLD6) and national rules. For a startup this means a shorter regulatory lead time and a manageable time‑to‑market.
On the plus side — clear access to the EU, proximity to key payment rails and the assurance that the national framework is compatible with future MiCA authorization. On the downside: increased scrutiny from banks toward crypto business and the need to demonstrate mature AML/KYC and operational security from day one. COREDO’s practice confirms: a sound AML architecture and a demonstrable risk management model remove most objections from banks and payment partners.
AMLD5/AMLD6 and MiCA: the role of registers
Today Bulgaria applies a VASP registration model (exchange services and custodial wallets) in state registers and under AML supervision. The FIU (Financial Intelligence Unit) functions are performed by the Directorate of Financial Intelligence, and VASP accounting is conducted in accordance with national norms and the requirements of AMLD5/AMLD6. Licensing of virtual assets in Bulgaria is often used as a market term, but legally it is a registration regime with compliance, reporting and inspection obligations.
MiCA and Bulgaria
MiCA introduces a pan-European authorization for CASP (Crypto‑Asset Service Providers) and uniform standards: capital, governance, client protection, as well as passporting. The impact of MiCA on VASP licensing in Bulgaria is twofold: on one hand, the existing VASP registration serves as a “temporary berth” for launching; on the other, it creates a basis for future CASP authorization with minimal process refactoring. Our experience at COREDO has shown that the “migration” from a registration regime to MiCA authorization proceeds smoothly if you account in advance for the minimum capital requirements, governance and information security (IS).
EU passporting for VASP
MiCA opens full EU passporting for CASP: having obtained permission in one EU country, you can offer services across the Union. Before MiCA, companies have to rely on equivalence, local registrations or “mutual recognition” frameworks, which complicates cross‑border compliance. The solution developed at COREDO envisions choosing Bulgaria as the “base” state with a subsequent expansion plan via MiCA passporting once the rules are fully in force.
EU anti-money laundering legislation and the FIU
VASP in Bulgaria are obliged entities. They perform KYC/KYB, CDD and EDD, implement transaction monitoring and submit SARs (suspicious activity reports) to the FIU. Regulations for crypto exchangers in Bulgaria require an internal AML policy, risk assessment procedures, appointment of an MLRO (Money Laundering Reporting Officer) and staff training. The regulatory landscape also includes FATF requirements, including the Travel Rule for VASP‑to‑VASP and transactions to non-custodial wallets (VASP‑to‑OB) through additional checks.
VASP business models — compliance with regulations
Each model — exchange, brokerage, custodial service, OTC, payment gateways — carries its own risks and a set of prudential measures. I often ask founders to start with a risk appetite statement and a process map: without this it is difficult to align the AML framework, technical architecture and capital requirements.
Prudential capital requirements
Capital requirements for VASPs in Bulgaria are currently modest at the registration stage, but MiCA introduces threshold capital requirements and minimum reserves by type of service. Minimum registration capital requirements for VASPs in Bulgaria depend on the corporate form, while the future MiCA authorization foresees fixed levels (benchmarks of 50–150 thousand EUR by service type). I recommend building in a buffer: regulators value a conservative approach to capital and liquidity.
Corporate structure and governance
Legal structure, holding, subsidiaries, branches: determine the tax burden and the manageability of risks. Corporate governance and directors’ responsibilities require real control: regular meetings, a risk committee, minutes, independent audits. The COREDO team has implemented corporate frameworks where the duties of the MLRO, CTO and the risk director do not critically overlap, and backup authorities ensure business continuity (BCP/DR).
Tax optimization and transfer pricing
Taxation of crypto companies in Bulgaria is based on the general corporate tax (10%) and local VAT rules. Crypto–fiat exchange operations in the EU are often exempt from VAT, but the details depend on the specific service and the contract with the client. In transfer pricing, transparency and documentation are mandatory, especially for cross-border services within a group.
Company registration prior to VASP
The COREDO team regularly runs “end‑to‑end” projects where we take on the full cycle: from company formation to the “go‑live” launch of operations, including bank accounts, AML policy and technology implementation.
Company registration in Bulgaria
Opening a company in Bulgaria for a crypto project typically takes 5–10 business days after the package is prepared. Beneficial owners and directors are entered into the register, UBO (Beneficial ownership disclosure) is disclosed, and compliance officers are appointed. requirements for beneficiaries and the ownership structure for VASP in Bulgaria include transparent source of funds and clear control.
VASP in Bulgaria: documents and AML
What documents are required for an application for a crypto license in Bulgaria? In practice, these are:
- incorporation documents, ownership structure and UBO confirmations;
- business plan describing services and a risk map;
- KYC policy/KYB and client verification, including passport verification for VASP in Bulgaria;
- CDD/EDD procedures for crypto companies and sanctions screening scenarios (OFAC/UN);
- AML policy tailored to local law;
- appointment of an MLRO with verified qualifications;
- InfoSec package: access control, logging, incident response plan, BCP/DR.
How to prepare an AML policy for VASP in Bulgaria? I recommend building it around a risk assessment by products and client segments, Travel Rule implementation, EDD triggers, and SAR procedures with clear SLAs for escalations.
Realistic timelines and cost
license processing times for VASP in Bulgaria (registration) depend on the completeness of the package and the readiness of the AML architecture. In our practice: 4–8 weeks for VASP registration after incorporation and agreement on the AML package. The cost of VASP licensing in Bulgaria consists of legal services, AML/IB consulting, notary and state fees, and the technology stack; TCO for the first year varies depending on the model (exchange vs custody) and the level of automation.
How to reduce the risk of rejection
The risks of license refusal for VASP in Bulgaria are most often associated with:
- a weak MLRO track record and lack of relevant cases;
- incomplete disclosure of UBO and source of funds;
- formal AML procedures without real control points;
- inadequate IT security.
A solution developed by COREDO, preliminary diagnostics, MLRO verification, a Travel Rule stress‑test and piloting of monitoring before submission.
Compliance architecture AML/KYC
Compliance procedures for small VASP require balance: excess control harms the customer experience, lack of it increases SARs and regulatory inquiries. I build a “layered” architecture: from risk policy to technology and KPIs.
Reporting to the FIU and AML requirements
AML requirements for VASP in Bulgaria include:
- Risk Assessment and Risk Appetite with annual updates;
- CDD/EDD scenarios and periodic KYC refresh;
- transaction monitoring in real time and rule engines;
- SARs, procedures for filing suspicious reports to the FIU;
- Reporting requirements for VASP in Bulgaria on training, incidents and internal audits.
Adapting AML processes when entering the European market from Bulgaria affects reporting formats and the depth of sanctions screening.
KYC/KYB: sanctions and GDPR
KYC for crypto companies in Bulgaria is built on multi-level verification: document, biometrics, liveness, geo-risks. Best KYC practices for Bulgarian VASP include PEP screening and sanctions lists (OFAC/UN, EU), plus additional rules for legal entities (KYB). GDPR and personal data protection for VASP are a separate priority: data residency and storage of KYC data, data subject rights, DPIA for high-risk processes.
Blockchain transaction analytics
How to provide AML transaction monitoring for small VASP? We combine behavioral rules, chain analysis and transaction monitoring tools, as well as heuristics for addresses. False positive rate is a key metric: I aim for a controlled range with MTTR for incidents and SLAs for escalations, so that compliance does not paralyze the business.
MLRO: independent review and audit
Requirements for the MLRO (qualifications, independence, access to the board of directors) set the tone for the entire function. Requirements for internal audit and independent review of compliance – an annual cycle, coverage of key processes, sample testing and a report to the board of directors. AML training and staff upskilling form the overall culture and reduce operational mistakes.
Compliance team KPIs
Compliance team KPIs: SAR conversion rate, MTTR for incidents, SLA for KYC, share of EDD cases, false positives rate, results of independent reviews. COREDO’s practice confirms: transparent metrics improve dialogue with banks and regulators.
Custody, keys, access
The technology stack affects risks as much as the legal form. I rely on the principles of “security by design” and certification.
Custody key management
Custody models: custodial vs non-custodial define different depths of control. Requirements for cold and hot wallet management under Bulgarian regulations are described at a high level, so we cover them with best practices: HSM, MPC, threshold signatures and multi‑sig. Key management (custody) procedures for VASP Bulgaria include role separation, on-call shifts, segmentation and change control.
Information security and continuity
ISO 27001, SOC 2 and cybersecurity standards create a foundation of trust. Access control, IAM and least privilege principles reduce insider risks; audit trail and logging requirements help incident response and audits. Operational resilience and business continuity (BCP/DR) are a mandatory part of risk passports.
Integrations and liquidity
Integration with exchanges and liquidity pools requires API integration and security standards, as well as counterparty assessment. Technology stacks for VASP – from KYC/AML to Wallet and Custody – we select taking into account the target revenue model and TCO so as not to “overheat” CAPEX at launch.
Bank accounts and payment partners
Bank account for a crypto company in Bulgaria: a common question among founders. I always say: accounts are opened not by presentations, but by your compliance and case study.
Agreements with banks and EMIs
Agreements with banks and payment providers in the EU require clear limits, described VASP‑to‑OB scenarios, completion of Due Diligence and demonstration of a control environment. Interaction with banks and payment partners for VASPs in Bulgaria is built on a transparent risk assessment and clear SLAs for monitoring. When a bank is conservative, we add EMI solutions with SEPA and fast onboarding.
Data management
We design data residency and KYC data storage with GDPR, liability insurance and retention requirements in mind. This simplifies checks and reduces friction with banks.
Entering EU markets
How to scale a VASP after obtaining a license in Bulgaria? I recommend a two‑track strategy: compliance maturity and commercial expansion.
How to bring the product to market
Market‑entry and go‑to‑market procedures for VASPs depend on the segment: retail, B2B, institutional. Revenue models, fee‑for‑service, spread, custody fees, dictate UX, SLAs and even compliance metrics. The COREDO solution: launching pilot segments with a controlled budget and measurable LTV/CAC to avoid “burning” capital at an early stage.
Cross-border license compatibility
Cross‑border compliance and a multi‑jurisdictional strategy involve matching local rules with the future MiCA passporting. Compatibility of a Bulgarian license with licenses of other EU countries becomes linear after MiCA: passporting replaces the cascade of local registrations. Until then we choose “core” markets and providers to avoid duplicating costs.
What regulatory sandboxes are
Regulatory sandboxes and pilot regimes in the EU can give an edge on time‑to‑market. In Bulgaria the focus is on careful pilots with banks and EMIs, where the compliance architecture is already in place and easily auditable.
TCO, unit economics and project ROI
The decision to obtain a license is about economics. I ask teams to record TCO and unit economics from day one.
TCO and compliance costs
Compliance costs and the TCO (Total Cost of Ownership) assessment include: legal support for the VASP in Bulgaria, AML/IB platforms, audits, training, independent checks, policy updates and insurance. Add overhead for regulatory lead time and capital reserves.
Unit economics: CAC/LTV and revenue models
Unit economics of the license: CAC and LTV for the VASP show the model’s resilience. For a spread model liquidity and turnover are important; for custody, AUC (assets under custody) and fees. Real-time transaction monitoring and rule engines are not only about risk but also about conversion: a low false-positive rate strengthens the UX.
ROI, NPV and payback
How to assess the ROI from licensing a VASP in Bulgaria? Compare NPV taking into account TCO, expected customer base growth and the timing for MiCA passporting. ROI metrics — payback period and NPV — become more predictable with a stable regulatory lead time and clear agreements with banks.
COREDO Case Studies: What Worked
I believe in the power of case studies: they are better than any declarations.
Small EU VASP: launch and risk control
A European startup chose Bulgaria as its base. The COREDO team implemented the incorporation, prepared the AML package, established the Travel Rule and deployed blockchain analytics. Result: VASP registration in six weeks, banking infrastructure via an EMI, FPR below 8% at launch and MTTR of incidents under 24 hours.
Lesson: a well‑designed compliance architecture speeds up both client onboarding and the dialogue with banks.
Asian fintechs entering the EU via Bulgaria
A client with a strong product and mature AML from Asia requested compatibility with the EU. We adapted KYC/KYB, conducted a compliance audit for a VASP in Bulgaria, built cross‑border compliance and prepared a MiCA roadmap.
Result: launch of a B2B channel in the EU, controlled expansion and agreements with payment partners.
Custodial platform: technical security
The custodial provider arrived without a clear key management policy. We implemented HSM/MPC, separated cold/hot processes and prepared an ISO roadmap.
After an independent review, compliance and SOC 2 preparations, the project received approval from the banking partner.
Founders’ Frequently Asked Questions
I’ve collected the questions I hear most often and the answers that work for us.
What documents are needed at the start?
What documents are required to apply for a crypto license in Bulgaria: charter documents, evidence of UBO, business plan, AML/KYC policies, appointment of an MLRO, infosec package, evidence of source of funds. For certain models we add descriptions of custody processes, stress scenarios and BCP/DR.
Beneficiaries, personnel and partners
Requirements for beneficiaries and ownership structure for a VASP in Bulgaria include transparency of sources, absence of sanction-related risks and a clear chain of control. Conditions for employed staff and resellers in a Bulgarian VASP entail AML training, third-party oversight and outsourcing compliance only while the licensed entity retains responsibility. PEP checks are mandatory, sanctions screening is continuous.
How to choose a legal partner
How to choose a law firm to support a VASP license in Bulgaria? Look for a combination: EU case experience, AML audit experience, technological expertise (Travel Rule, custody, ISO), and the ability to build a dialogue with banks.
Professionals speak the language of business: unit economics, TCO, time-to-market, not empty words but parameters of the roadmap.
Relationship with banks and reputation
Reputational risks and crisis management are part of strategy, not an “after-the-fact” response. Include the crisis‑plan in the BCP, prepare communications, logging and an audit trail for the quick reconstruction of events. Agreements with banks and payment providers in the EU benefit from such maturity.
VASP registration in the EU via Bulgaria
If your clients are in the EU, Bulgaria provides a quick start, straightforward VASP registration and preparation for MiCA. The compatibility of Bulgaria’s license with the licenses of other EU countries will strengthen as MiCA and passporting are fully implemented. This reduces fragmentation and the costs of duplicating compliance.
VASP business model for Bulgaria
How to structure a VASP business model to comply with Bulgarian regulations? Highlight services (exchange, custody, brokerage), describe customer segments, risks, sources of liquidity and EDD procedures. Add prudential measures, compliance KPIs and a roadmap to MiCA with target capital thresholds.
COREDO’s Position and Conclusions
I lead projects where speed is as important as reliability. Bulgaria gives entrepreneurs the chance to open a company quickly, complete VASP registration and simultaneously prepare for MiCA realities: EU passporting, common standards and predictable requirements. The COREDO team has implemented dozens of such routes, and I see consistent patterns: a strong MLRO, a mature AML architecture, technological discipline (HSM/MPC, IAM, ISO 27001/SOC 2), a transparent economic model (TCO, CAC/LTV, NPV) and a calibrated plan “registration – launch – scale: MiCA”.
Legal support for VASP in Bulgaria is not about paperwork; it’s about a strategy where compliance becomes a competitive advantage. If you are evaluating a crypto license in Bulgaria or a VASP license in Bulgaria as a route into the EU, lay the right foundations: uncompromising AML/KYC, managed operational security and a clear revenue logic. Then the “regulatory wind” will fill your sails, not blow in your face.