Since 2016 I have been building COREDO as a company that removes regulatory uncertainty for entrepreneurs and financial directors. During this time the COREDO team has obtained licenses and set up operating models in the EU, the United Kingdom, the Czech Republic, Slovakia, Cyprus, Estonia, Lithuania, Singapore and Dubai. In this article I have compiled practical recommendations on CASP licensing, with a focus on capital, personnel, AML and technological resilience. I draw on the experience of numerous projects so that you can immediately see where the main value lies and how to avoid costly mistakes.
Why MiCA and global supervision now
The European MiCA regulation introduces common requirements for CASPs regarding capital, organizational structure and client protection, and also provides passporting mechanisms in the EU. COREDO’s practice confirms: the new regime raises the entry threshold, but with proper preparation accelerates scaling across regions and reduces fragmentation of requirements. We take into account that MiCA and the capital requirements for CASPs tie own funds to the set of services and fixed overhead costs.
Choosing a jurisdiction and market entry
Decisions on choosing a jurisdiction and forming a market entry model define the legal, tax and commercial framework of expansion. Below we will examine step by step how these factors manifest in the EU context: from regulatory harmonization to requirements for economic substance.
EU regulatory harmonization
MiCA creates uniform rules, but in practice each state retains particularities in supervision and expectations regarding local presence. Economic substance and local presence of a CASP are not a formality: real resident directors, an office, a full-time MLRO, and management functions within the country strengthen the position at the application stage. At COREDO we design the organizational structure of the CASP in advance for licensing and prepare a passporting strategy to later use cross-border CASP services without duplicating licenses.
Estonia, Malta, Lithuania offer different entry barriers. In Estonia the minimum share capital for a VASP depends on the services and usually ranges from €100,000 to €250,000; personnel and control requirements have been strengthened since 2022. In Malta the VFA classification raises the bar for capital and governance: for advanced classes this means hundreds of thousands of euros and enhanced internal controls. Lithuania actively welcomes crypto business: VASP registration is possible, but banks and payment providers expect confirmed substance and a mature AML framework.
Depth and supervisory models in four countries
The FCA conducts strict registration of crypto companies: there is no formal minimum capital, but a CASP’s own funds must cover risks and fixed expenses, and personnel must demonstrate competencies and independence of compliance functions. FINMA and the Swiss cantonal regulators apply a high level of scrutiny to custody solutions and directors’ responsibilities. In Singapore under MAS’ PSA for DPT providers the minimum capital and security deposit depend on the volume of operations; mature processes for cybersecurity and key management are expected. In Dubai, VARA imposes clear requirements for product documentation, outsourcing of critical functions, and SLAs with providers.
CIS: a bridge to the EU and Asia
Capital for CASP: terms and calculations
For proper capital management within CASP it is important to first build a clear understanding of key terms before moving on to practical calculations. In the first section we will go through the basic terminology and regulatory logic to lay the foundation for further capital assessment methods and concrete computations.
Terminology and regulatory logic
Capital versus liquidity: the regulator for CASP requires both. Capital is a buffer against losses; liquidity is the ability to meet obligations and withstand outflows. Some jurisdictions apply elements of ICAAP: internal capital assessment and stress-testing, and risk-weighted assets (RWA) are adapted to the nature of crypto exposures and operational risks.
Risks, stress tests and capitalization
How to calculate capital requirements for a crypto exchange? We take the minimum CASP share capital, add a buffer to FOE (fixed overheads) for 12–18 months, account for CASP reserve capital requirements for custody and cyber risk coverage. Capitalization strategies when scaling a CASP include additional issuances, subordinated debt as a source of regulatory capital within limits, and cyber insurance, which indirectly reduces net losses in stress scenarios.
Funding and corporate actions
Personnel: fit and proper and organizational design
A company’s effectiveness largely depends on its personnel, adherence to the fit and proper principles, and thoughtful organizational design. In the following points we will examine staffing requirements and leadership roles in detail to understand how to build competencies, responsibilities, and managerial interactions within the organization.
Requirements and leadership roles
The roles of MLRO, CCO, CTO, CFO, CIO in a CASP allocate responsibilities: MLRO: management of AML and SARs, CCO – overall compliance framework and reporting, CTO/CIO – security, keys, infrastructure, CFO: capital, liquidity, reporting. The responsibility of CASP directors and staff is personal: the regulator assesses their decisions, the management of conflicts of interest in CASP leadership, and the independence of control.
Hiring and screening effectiveness
Recruitment and personnel screening procedures for a CASP include background checks, biography checks, criminal record and sanctions screening of the director, verification of education and actual achievements. Preparing CVs and proof of experience for CASP applicants should be substantive: projects, KPIs, implemented rollouts, certifications. The composition of the compliance and AML department in a CASP is built from an MLRO, KYC/KYB analysts, a sanctions officer, a reporting officer, and an independent internal auditor.
Ongoing operating expenses for CASP personnel should be planned for 12–18 months ahead. Performance indicators for the compliance function (KRI, KPI) include SLA for KYC, alert processing time, escalation rate, SAR quality, as well as ROI metrics from investments in compliance personnel. The assessment of the economic efficiency of hiring vs outsourcing shows: some functions are cost-effective to keep in-house, while others should be given to an external provider. Compliance function: in-house vs centralized for a CASP group: often a hybrid model with coordination at the holding level.
Succession, motivation and retention
Technologies, security and resilience
Reliable technologies, the indispensable foundation for ensuring the security and operational resilience of services. Below we will examine in detail custody, segregation and key management practices that are critically important for protecting assets and maintaining operations during incidents.
Custody and key management
Asset insurance and client loss coverage reduce operational risks; cyber insurance and capital requirements are linked: having adequate coverage can affect the assessment of residual risk in ICAAP. Agreements with liquidity and leverage providers should limit counterparty risks, and outsourcing exchange engines and SLAs for critical functions are required with transparent RTO/RPO.
Compliance and privacy
Technical requirements: SOC2, ISO27001, regular pentest, vulnerability management and access control. Business continuity and backup policies support operational resilience, while incident reporting and engagement with the regulator reduce regulatory risks during outages. Practices to prevent personal data leaks (GDPR/PDPA) and integration of HR and compliance for access control to assets close significant security gaps.
Independence of quality control
internal audit and the quality control of CASP personnel assess the effectiveness of the first and second lines of defence. Critical functions can be outsourced, but responsibility remains with the directors; we define vendor control KPIs and independent monitoring. Engagement with external auditors and capitalization reviews helps demonstrate the maturity of risk management.
License application: documents and process
Properly assembled documents and a structured submission process are the key to a successful application, and checkpoints help track readiness at each stage. We’ll start with organizational matters, then go over substance requirements and finish with the practical part – a business plan that confirms the project’s economic justification.
Substance of the organization and business plan
Product documentation details custody chains, exchange procedures, brokerage, limits on client transactions and margin risks. Segregation of client funds is codified in contracts and operating instructions, taking into account regulatory guidance on custodian vs exchange liabilities. The organizational structure of a CASP for licensing demonstrates the independence of compliance and risk functions.
Deal structure: timing and cost
Timing and cost of obtaining a CASP license depend on the jurisdiction and the readiness of the materials. In the EU, with a quality package, review takes from 3 to 9 months; in Singapore and Dubai: longer for complex models. We assess in advance the ongoing operating expenses for CASP personnel and funding sources for the CASP license to avoid cash shortfalls at the finish.
Reporting and control in the operational phase
In the operational phase, reliable reporting and continuous internal control become key to minimizing risks and ensuring compliance with standards. Regulatory reporting and AML are especially important – they require clear coordination of procedures, data transparency and prompt incident response.
AML and regulatory reporting
Internal reporting procedures and regulatory reports record compliance with capital and liquidity requirements, security incidents and governance changes. Capital and liquidity reporting rules vary, but in all cases a transparent accounting of own funds for CASP and FOE is required. AML reporting and Suspicious Activity Reports (SAR) require a qualified MLRO and precision in escalation procedures.
Liquidity management in cases of laundering and rapid outflows relies on pre-approved limits and stress plans. Setting limits on client transactions and margin risks reduces the likelihood of sudden breaks and market cascades. Regulatory fines and license refusals typically occur due to undercapitalization, weak AML and unverified sources of capital; the COREDO team remedied such situations through recapitalization and redesign of the KYC/KYB framework.
Structure audit, modification and closure
Regulatory approvals for changes to capital structure and corporate rights: a standard practice when scaling. External auditors check capitalization, IT controls and compliance with GDPR/PDPA. Business closure procedures and protection of clients’ interests include an asset return plan, regulator notifications and an independent audit of segregation.
COREDO case studies: where details matter
In Lithuania, the COREDO team implemented a project for an exchange CASP oriented toward a MiCA passport. The key was the strategy: the minimum capital for the CASP was covered with equity, and the CASP’s own funds were strengthened with subordinated debt within the limits. We implemented an ICAAP approach and outflow stress tests, recalculated FOE for 18 months and achieved a comfortable assessment by the regulator.
In Singapore, a solution developed at COREDO helped a DPT provider obtain a status compliant with PSA requirements. We built a SOC2-compliant architecture, implemented KMS/HSM and multisig, conducted a pentest and set up incident reporting. MAS positively assessed the competencies of the MLRO and the independence of internal audit.
In Estonia, our experience at COREDO showed how critical staffing requirements are for crypto companies. We supplemented the team with a strong MLRO, separated the CCO and MLRO roles, strengthened Travel Rule integration, and updated AML policies in light of AMLD6 and FATF. The result: a successful license review, reduced risk of enforcement actions, and stable relationships with banks.
In Dubai, the COREDO team established outsourcing of exchange engines with strict SLAs, formalized agreements with custodians and custody terms, and provided for asset and cyber risk insurance. This allowed for reduced capital add-ons for operational risks and sped up VARA approval. We also implemented KPI/KRI for compliance to transparently demonstrate ROI at the board level.
Checklists for CASP license
- Capital and liquidity:
- Own funds (own funds): minimum and FOE ≥ 25% of annual expenses.
- Proof of sources of capital: bank statements, SPA, audit.
- Recapitalization plan: additional share issuance, subordinated debt, cyber risk insurance.
- Liquidity reserves and stress tests: outflows, margin calls, provider outages.
- Personnel and governance:
- Fit and proper for CASP management; independent CCO, qualified MLRO.
- Procedure for checking the director’s background, criminal record and sanctions clearance.
- Management succession plan; Risk, Audit, RemCo committees; conflict of interest.
- Compensation models and risk-oriented bonuses; compliance KPI/KRI.
- Technology and security:
- Segregation of client funds; cold/hot wallets, KMS, HSM, multisig.
- KYT: Chainalysis/Elliptic/TRM; Travel rule provider; sanctions lists.
- SOC2/ISO27001; pentest; BCP/DR; incident reporting and contact with the regulator.
- SLA with outsourcers; agreements with custodians and liquidity providers.
- Documentation and process:
- Organizational chart and job/function descriptions; local substance.
- Business plan: products, revenue models, stress scenarios, financial forecasts.
- AML/CTF policies, sanctions, KYC/KYB, SAR reports; internal reporting.
- Passporting plan to the EU; assessment of tax and licensing consequences.
Cost planning and return on investment
Assessing the economic efficiency of hiring vs outsourcing requires comparing TCO: salaries, training and certification of AML/CTF staff, software licenses, external auditors. Metrics for return on investment in compliance and security are measured by reductions in losses from incidents, refusals in banking relationships, fines and licensing timelines. Techniques for optimizing personnel and compliance costs include a centralized center of expertise for the group, policy harmonization and shared services.
Staff planning when entering new markets builds in increased workloads for the MLRO and IT security, as well as stronger Travel Rule compliance and reporting. Economic efficiency assessment that takes into account capital threshold requirements by jurisdiction (EU/Asia/CIS) helps choose the optimal scaling route. comparison of jurisdictions by entry barrier and personnel cost we record in the financial model to support the board of directors’ decision.
Trends and Recommendations
Regulatory trends: tightening capital requirements after incidents and clarifying regulatory guidance on custodian vs exchange liabilities. Benchmarking of capital requirements between the EU and Asia shows an increased emphasis on FOE and operational risk. The impact of crypto insurance on capital requirements is becoming noticeable: regulators view real coverage with minimal exclusions positively.
Managing liquidity and sudden increases in outflows is becoming a key competency. Management of conflicts of interest, the role of the board of directors and committees, measures to reduce operational and reputational risk: all of this affects the assessment of an organisation’s “fit and proper” status. Taxation and reporting requirements for CASP require constant calibration as product lines and geography change.
Lessons from COREDO’s practice
In one project, the regulator initiated license revocation due to a capital shortfall after market fluctuations and an increase in FOE. The COREDO team quickly prepared a recapitalization plan, arranged subordinated debt, and updated the ICAAP and stress scenarios. The regulator accepted the adjustments, and the client avoided a business shutdown and strengthened liquidity reserves.
Another case concerned the travel rule: the provider was failing to meet SLAs and AML alerts were piling up. The solution developed at COREDO included replacing the provider, rebuilding the alert logic, setting KPIs for the team, and improving the MLRO’s competencies. Within two months processing time decreased threefold, and SARs became more accurate in structure and content.
I also highlight a project on the transition from a subsidiary to a branch in the EU. We assessed licensing implications in advance, adjusted capital and internal reporting, and agreed on governance changes. As a result the client retained passporting and optimized their tax position without regulatory delays.
How to gain time and reduce risks
The sooner you turn regulatory requirements into a concrete plan, the easier it is to scale the business and protect clients’ interests. Regulators in the EU, the UK, Switzerland, Singapore and Dubai expect from CASPs the same as from mature financial participants: sufficient capital, responsible management, transparency and operational resilience. COREDO’s experience confirms: it is these principles that make crypto business sustainable and predictable over the long term.