
Crypto Exchange Regulations: What Platforms Must Comply With

Key Takeaways

  • AML registration is the legal minimum to operate. A full licence means you have been reviewed and approved. Banks and institutional partners know the difference.
  • MiCA CASP authorization covers all 27 EU member states with one approval. Operating without it while serving EU clients is now a legal violation. MiCA obliges member states to provide for maximum fines of at least €5 million or 5% of total annual turnover for legal persons (the 15% figure often quoted is MiCA's ceiling for market abuse, not for unauthorized service provision).
  • Client asset segregation is mandatory under MiCA. FTX collapsed with $8 billion in customer funds missing because this rule was ignored.
  • The Travel Rule applies to every crypto-asset transfer between service providers in the EU, with no minimum amount; €1,000 is the threshold above which a transfer involving a self-hosted wallet triggers ownership verification. Non-compliance blocks banking access, not just regulatory approval.
  • Marketing is actively enforced. Fair, clear, and not misleading is the legal standard, and it applies to every channel including social media and influencer partnerships.
  • Compliance does not end at authorization. Annual audits, regulatory reports, incident notifications, and on-demand examinations are all part of operating under a licence.

For years, running a crypto exchange in a regulatory grey zone was a viable strategy. Register where the rules were lightest, serve customers globally, and deal with compliance questions if and when they arrived. That window has closed.

Binance, once the largest exchange in the world by volume, paid $4.3 billion to US regulators in 2023 to settle years of AML failures. The FCA (Financial Conduct Authority) has approved fewer than 15% of crypto firm applications since its registration regime launched. Under MiCA, platforms serving EU clients without CASP authorization face administrative fines that member states must cap no lower than €5 million or 5% of annual turnover, alongside public censure and bans on providing services. The message from regulators globally is consistent: crypto compliance is no longer a box to tick. It is a matter of staying in business.

What makes this harder than most operators expect is that AML registration and KYC flows are only the starting point. Each layer built on top carries its own obligations and its own enforcement risk. This guide breaks down what each layer actually requires and how it applies to exchanges and platforms operating today.

What AML and KYC Requirements Must Crypto Exchanges Meet?

Every jurisdiction that regulates crypto requires exchanges to implement anti-money laundering (AML) programs and Know Your Customer (KYC) processes before taking their first customer. Without both, operating legally is not possible in any major market.

The core obligation breaks into three distinct requirements.

Customer identification means verifying who your users actually are before they transact, using identity documents and biometric checks.

Transaction monitoring runs continuously in the background, watching for activity patterns that suggest financial crime.

Then there is suspicious activity reporting: the formal obligation to notify financial intelligence units when flagged activity crosses defined thresholds. All three need to be operational from day one, not layered in after launch.
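Transaction monitoring and suspicious activity reporting are the two requirements above that are implemented as running code rather than a document. The example below is added here to show what that code looks like; it is not Paybis code, and the rule names, thresholds, windows and the ledger it runs over are constructed assumptions for the illustration. It implements two classic detections, structuring (splitting deposits to stay under a reporting line) and pass-through (a deposit withdrawn almost in full to a fresh destination within minutes), and then groups the hits per user into a case for an analyst, which is the escalation step that precedes a filing.

```python
"""Added example, not Paybis code: two transaction-monitoring rules run over a
constructed ledger, plus the escalation step that turns alerts into SAR candidates.
The thresholds, windows and the ledger itself are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tx:
    ts: datetime
    user: str
    kind: str            # "deposit" or "withdrawal"
    amount_eur: float
    counterparty: str    # bank account or on-chain address


# Assumed rule parameters (a real programme tunes these per risk band).
REPORT_THRESHOLD = 10_000.0          # assumed reporting line for a single transaction
STRUCTURING_BAND = 0.90              # deposits at 90-100% of the line count as "just under"
STRUCTURING_WINDOW = timedelta(hours=24)
PASS_THROUGH_MAX_GAP = timedelta(hours=2)
PASS_THROUGH_MIN_SHARE = 0.90        # a withdrawal that moves >= 90% of a deposit


def detect_structuring(txs):
    """Users whose just-under-threshold deposits within a 24h window add up to
    more than the threshold: splitting to stay below a reporting line."""
    alerts = []
    by_user = defaultdict(list)
    for t in sorted(txs, key=lambda t: t.ts):
        if t.kind == "deposit" and STRUCTURING_BAND * REPORT_THRESHOLD <= t.amount_eur < REPORT_THRESHOLD:
            by_user[t.user].append(t)
    for user, deps in by_user.items():
        for i, first in enumerate(deps):
            window = [d for d in deps[i:] if d.ts - first.ts <= STRUCTURING_WINDOW]
            total = sum(d.amount_eur for d in window)
            if len(window) >= 2 and total >= REPORT_THRESHOLD:
                alerts.append(("STRUCTURING", user, total, len(window)))
                break  # one alert per user per run is enough for the analyst queue
    return alerts


def detect_pass_through(txs):
    """Deposits withdrawn almost in full within a short gap to a destination the
    user has never paid before: layering / mule-account behaviour."""
    alerts = []
    ordered = sorted(txs, key=lambda t: t.ts)
    for i, dep in enumerate(ordered):
        if dep.kind != "deposit":
            continue
        prior_dests = {t.counterparty for t in ordered[:i]
                       if t.user == dep.user and t.kind == "withdrawal"}
        for w in ordered[i + 1:]:
            if w.ts - dep.ts > PASS_THROUGH_MAX_GAP:
                break
            if w.user != dep.user or w.kind != "withdrawal":
                continue
            if w.amount_eur >= PASS_THROUGH_MIN_SHARE * dep.amount_eur and w.counterparty not in prior_dests:
                alerts.append(("PASS_THROUGH", dep.user, dep.amount_eur, w.counterparty))
                break
    return alerts


def sar_candidates(txs):
    """Escalation: group alerts per user so an analyst reviews one case, not one
    ticket per rule hit. Whether to file stays a human decision."""
    cases = defaultdict(list)
    for a in detect_structuring(txs) + detect_pass_through(txs):
        cases[a[1]].append(a)
    return dict(cases)


# Constructed ledger: alice structures, bob is a pass-through, carol is benign.
T0 = datetime(2025, 3, 1, 9, 0)
SAMPLE_LEDGER = [
    Tx(T0, "alice", "deposit", 9_500, "bank:DE11"),
    Tx(T0 + timedelta(hours=5), "alice", "deposit", 9_400, "bank:DE11"),
    Tx(T0 + timedelta(hours=12), "alice", "deposit", 9_600, "bank:DE11"),
    Tx(T0 + timedelta(hours=20), "alice", "deposit", 9_500, "bank:DE11"),
    Tx(T0, "bob", "deposit", 4_000, "bank:FR22"),
    Tx(T0 + timedelta(minutes=40), "bob", "withdrawal", 3_800, "addr:0xNEW"),
    Tx(T0 - timedelta(days=10), "carol", "withdrawal", 100, "addr:0xKNOWN"),
    Tx(T0, "carol", "deposit", 800, "bank:NL33"),
    Tx(T0 + timedelta(days=3), "carol", "withdrawal", 700, "addr:0xKNOWN"),
]

if __name__ == "__main__":
    for user, case in sar_candidates(SAMPLE_LEDGER).items():
        print(user, case)
```

Two design points carry over to a real programme. The pass-through rule only counts destinations the user has never withdrawn to before, which is what separates a mule from someone topping up a hardware wallet; and the structuring rule looks at a rolling window per user rather than a calendar day, because splitting across midnight is the first thing a launderer tries. The risk-banding discussed below belongs in the parameters, not in new rules: a corporate treasury account would run the same logic with a higher line and a wider band.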

How rigorous the KYC program needs to be depends on the jurisdiction and risk category. A retail user making small transactions sits in a different risk band than a corporate account processing large volumes, and regulators expect the program to reflect that. Risk-based programs must be documented and reviewed on a regular basis. For a closer look at how KYC design affects conversion and user experience, the Paybis guide to KYC in crypto transactions covers the trade-offs in detail.

The international standard underpinning most national AML frameworks comes from the FATF (Financial Action Task Force). Crypto exchanges are specifically captured under Recommendation 15, which treats Virtual Asset Service Providers as obligated entities with the same AML responsibilities as traditional financial intermediaries. Records must be retained for a minimum of five years in most jurisdictions.

One point to keep in mind: relying on a third-party KYC provider does not transfer the regulatory obligation. Outsourcing the process does not outsource the responsibility. If the provider falls short, the platform is the one facing the regulator.

What Is the Difference Between a Crypto Registration and a Licence?

A registration tells the regulator you exist and have committed to AML obligations. A crypto licence means you have been reviewed and approved to provide specific financial services to clients. They are not interchangeable, and the gap between them is widening with every enforcement cycle.

Most crypto exchanges operating today hold AML registrations with national financial intelligence units, which is the minimum required to avoid operating illegally. The problem is that registration is increasingly insufficient as a signal to banks, institutional partners, and enterprise clients. They want to see a licence, because a licence means someone with regulatory authority has already done the due diligence on the business.

The main licensing frameworks crypto platforms encounter vary by market:

  • FinCEN MSB Registration (United States) is a federal-level registration covering exchange and payment activities. It must be supplemented by state-level money transmitter licences in each US state where customers are served, which creates significant compliance cost and legal complexity for any platform with national ambitions.
  • FCA Registration (United Kingdom) focuses on AML compliance for crypto asset businesses. The FCA has approved fewer than 15% of applications since the regime launched, and those that do get through face ongoing supervision obligations that are genuinely demanding.
  • VASP Registration (EU, pre-MiCA) was the national-level AML registration that different EU member states operated before MiCA. Many are still active during the transition period, but they are being replaced.
  • CASP Authorization under MiCA (EU, current standard) is the comprehensive licensing framework now in force across the EU. It goes substantially beyond AML registration, and it is covered in full in the next section.

The practical implication for multi-market platforms is straightforward: serving EU users without CASP authorization is now a legal violation, not a grey area. The same logic applies to every jurisdiction. Customer location determines the regulatory requirement, not platform location.

What Does MiCA CASP Authorization Actually Require?

CASP authorization under MiCA requires a full review by a National Competent Authority before a platform can serve EU clients. One approval passports across all 27 EU member states and the broader EEA, a market of roughly 450 million people.

Getting that approval means every element of the business is assessed before anything is granted. The governance structure is reviewed on its own terms. Management suitability is assessed individually for key function holders. Capital adequacy, IT security, and operational resilience each have separate evaluation criteria.

Title V of MiCA, the CASP rules, has applied since 30 December 2024. The transitional period for operators running on national registrations ends no later than 1 July 2026, and member states were free to shorten it, so the window is not open indefinitely.

Once authorized, the obligations do not stop. They become the operating standard:

  • Governance requirements. Boards and senior management must meet fit-and-proper standards. Key function holders are assessed individually. Internal controls, risk management frameworks, and compliance functions must be documented and operational.
  • Capital requirements. MiCA sets minimum own funds requirements that vary by service type. Exchanges must hold adequate capital buffers regardless of market conditions.
  • Client asset safeguarding. User crypto-assets must be segregated from the platform’s own assets at all times. This applies to both cryptocurrency and fiat funds held on behalf of clients.
  • Conflict of interest management. Platforms that trade for their own account while also serving clients must have documented policies preventing client disadvantage. Proprietary trading strategies cannot use information from client order flow.
  • White paper and disclosure obligations. Platforms listing tokens on their exchange must ensure those tokens have compliant white papers. Platforms distributing new token offerings face additional disclosure requirements.
  • Complaint handling. Formal procedures for investigating and resolving client complaints within defined timeframes are mandatory. The process must be documented and demonstrably followed.

MiCA is the most comprehensive crypto regulation standard applied at scale anywhere in the world. For any platform with EU exposure, it is not optional. Paybis’s EU licensing announcement covers what obtaining this authorization involved in practice.

What Capital Requirements Do Crypto Exchanges Need to Meet?

Under MiCA, minimum own funds for CASPs start at €50,000 (Class 1: advice, order execution and transmission, placing, transfer services) and rise to €125,000 (Class 2: custody and exchanging crypto-assets for funds or other crypto-assets) and €150,000 (Class 3: operating a trading platform). These are floors, not targets, and regulators expect platforms to hold significantly more to demonstrate genuine financial resilience.

This is one of the areas where crypto regulation most closely resembles traditional financial services law, and where many platforms remain underprepared. The class minimum is only one leg of the test: MiCA requires own funds equal to the higher of that minimum and one quarter of the preceding year's fixed overheads, so a platform whose cost base grows with scale faces a capital requirement that grows with it.

Beyond the MiCA thresholds, robust platforms build out three further layers:

  • Operational liquidity buffers. Enough liquid assets to cover withdrawal requests during stress scenarios without affecting the platform’s solvency. Crypto markets can move fast and withdrawal demand can spike sharply.
  • Insurance coverage. Cyber liability and crime coverage for theft and fraud are increasingly expected by regulators and institutional partners. They are not substitutes for capital but they reduce tail risk exposure.
  • Stress testing. Documented scenarios testing the platform’s ability to survive extreme market conditions or key counterparty failures. Regulators review these as part of MiCA’s operational resilience requirements.

Platforms that have not established formal capital frameworks are increasingly finding this a sticking point in partner due diligence. Institutional clients and enterprise integrations want to see the framework, not just the number.

What Is Client Asset Segregation and Why Does It Matter?

Client asset segregation means keeping user funds in separate accounts from the platform’s own operational capital. Under MiCA it is mandatory, and the consequences of skipping it are not theoretical. By the time FTX administrators were appointed, $8 billion in customer assets were missing because client funds had been commingled with operational capital for years.

Under MiCA, client crypto-assets must be held separately from the platform’s own assets, and the platform must be able to identify each client’s holdings at any point in time. Client fiat (other than e-money tokens) must be placed with a central bank or a credit institution by the end of the business day following receipt, in accounts identifiable as client money. The rule exists precisely to prevent the FTX scenario from being repeatable.

In practical terms, that means four specific operational requirements:

  • Separate custody infrastructure. Client assets cannot sit in wallets that also hold operational funds or proprietary positions. Custody arrangements must document clearly which assets belong to which category.
  • Accurate records in real time. Platforms must maintain transaction records that allow client balances to be reconciled at any moment without delays or approximations.
  • No use of client assets. Client crypto cannot be lent, rehypothecated, or used as collateral without explicit client consent and specific regulatory permission. MiCA’s default position is prohibition.
  • Insolvency protections. Segregated client assets are not available to the platform’s creditors in insolvency. This protection only holds if segregation was genuine and consistently maintained, not implemented on paper and ignored in practice.
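The second and first requirements above, records that reconcile at any moment and custody that keeps client and house assets apart, are testable controls rather than policy statements. The example below, added here and not Paybis code, shows the point-in-time reconciliation a platform (or its auditor) would run: it sums the client ledger per asset, sums only the wallets tagged as client custody, and reports any shortfall. House wallets are deliberately excluded from the cover calculation, because "covered by treasury" is exactly the commingling that segregation forbids. The wallet labels, balances and tolerance are constructed for the illustration.

```python
"""Added example, not Paybis code: a point-in-time reconciliation of the client
ledger against custody wallets, the control behind "identify each client's
holdings at any time".  Wallet labels, balances and the tolerance are constructed."""
from collections import defaultdict
from decimal import Decimal

# Constructed client ledger: what the platform owes each client, per asset.
CLIENT_LEDGER = [
    ("c1", "BTC", Decimal("1.50000000")),
    ("c2", "BTC", Decimal("0.25000000")),
    ("c1", "ETH", Decimal("10.0")),
    ("c3", "ETH", Decimal("2.5")),
]

# Constructed custody inventory: (wallet_id, segregation_class, asset, on-chain balance).
# Class "client" wallets hold only client assets; "house" wallets hold the platform's own.
CUSTODY_WALLETS = [
    ("cold-1", "client", "BTC", Decimal("1.70000000")),
    ("hot-1", "client", "BTC", Decimal("0.04000000")),
    ("cold-2", "client", "ETH", Decimal("12.5")),
    ("hot-1", "house", "ETH", Decimal("0.3")),      # same wallet used for both classes
    ("treasury", "house", "BTC", Decimal("3.0")),
]

TOLERANCE = Decimal("0.00000001")   # one satoshi of rounding slack, an assumed value


def reconcile(ledger, wallets):
    """Per asset: (client liability, total in client-class wallets, shortfall).
    House wallets are excluded on purpose, so a shortfall cannot be papered over
    by treasury funds, which is exactly the commingling segregation forbids."""
    owed = defaultdict(Decimal)
    for _, asset, bal in ledger:
        owed[asset] += bal
    held = defaultdict(Decimal)
    for _, cls, asset, bal in wallets:
        if cls == "client":
            held[asset] += bal
    report = {}
    for asset in sorted(set(owed) | set(held)):
        gap = owed[asset] - held[asset]
        shortfall = gap if gap > TOLERANCE else Decimal(0)
        report[asset] = (owed[asset], held[asset], shortfall)
    return report


def shortfalls(report):
    """Assets where client-class custody does not cover client liabilities."""
    return [asset for asset, (_, _, short) in report.items() if short > 0]


def commingled_wallets(wallets):
    """Wallets tagged as both client and house: a segregation failure at the
    infrastructure level even when the balances happen to add up."""
    classes = defaultdict(set)
    for wallet_id, cls, _, _ in wallets:
        classes[wallet_id].add(cls)
    return sorted(w for w, c in classes.items() if len(c) > 1)


def client_positions(ledger):
    """Per-client view a supervisor can ask for at any point in time."""
    positions = defaultdict(dict)
    for client, asset, bal in ledger:
        positions[client][asset] = positions[client].get(asset, Decimal(0)) + bal
    return dict(positions)


if __name__ == "__main__":
    rep = reconcile(CLIENT_LEDGER, CUSTODY_WALLETS)
    for asset, (o, h, s) in rep.items():
        print(f"{asset}: owed {o} held {h} shortfall {s}")
    print("shortfalls:", shortfalls(rep))
    print("commingled:", commingled_wallets(CUSTODY_WALLETS))
```

On the constructed data the BTC book is short by 0.01 BTC even though the treasury wallet holds three times that, and hot-1 is flagged because it is used for both client and house ETH. Both findings are what the insolvency protection in the last bullet turns on: segregation that is real on-chain, not only in a policy document. Decimal arithmetic is used rather than floats because the reconciliation has to be exact to the smallest unit, otherwise rounding noise either hides a shortfall or produces false ones.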

What Conduct of Business Rules Apply to Crypto Platforms?

Conduct of business rules govern how a platform must treat its clients, covering everything from pre-transaction fee disclosure to conflict of interest management. Being licensed does not mean a platform can treat customers however it wants. Breaching conduct rules creates enforcement exposure even when a platform’s AML and licensing status is otherwise clean.

  • Pre-transaction disclosure. Clients must receive clear information about fees and execution mechanics before committing to a transaction. Burying costs in spreads and revealing them only after execution is prohibited under MiCA and many national frameworks.
  • Best execution. Platforms executing orders on behalf of clients must take reasonable steps to achieve the best available outcome. Price and speed both factor in, as does likelihood of execution, and this applies to order-routing decisions and any discretion exercised over timing.
  • Suitability and appropriateness. For platforms providing investment advice or portfolio management, client suitability assessments are required. For order execution and exchange services, appropriateness checks apply: does this client actually understand the risks of what they are buying? Positive answers cannot be assumed.
  • Fair treatment. Clients must be treated equitably. Differential pricing or service levels based on undisclosed criteria create regulatory exposure.
  • Conflicts of interest. A platform that lists tokens it holds on its own balance sheet, or that charges listing fees from issuers, must have documented policies addressing how those conflicts are handled. Identifying and managing them is a formal obligation, not a best practice.

What Data Protection Obligations Do Crypto Exchanges Have?

Crypto exchanges processing personal data of EU residents must comply with GDPR regardless of where the platform is based, and a personal data breach that is likely to put individuals at risk must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the platform becoming aware of it. The financial services obligations and the data obligations run in parallel and overlap in ways that require active management, not separate compliance tracks.

  • GDPR (EU) applies to any platform processing personal data of EU residents. KYC documents, transaction histories, IP addresses, and device identifiers all count as personal data. Platforms must have a lawful basis for processing each data category and must honour data subject rights including access and erasure.
  • Data minimization. KYC data collected must be limited to what is necessary for the compliance purpose. Storing more than is needed creates both regulatory exposure and a larger attack surface for security incidents.
  • Retention periods. AML regulations require transaction records to be kept for a minimum of five years in most jurisdictions. That has to be balanced against GDPR’s data minimization principle, which typically means retaining records for compliance purposes while restricting how that data can be accessed or used for anything else.
  • Vendor management. Platforms using third-party data processors must have data processing agreements in place. The platform remains responsible for how those vendors handle client data, regardless of what the contract says about liability.

What Is the Travel Rule and How Does It Apply to Exchanges?

The Travel Rule requires crypto exchanges to pass identifying information about the originator and beneficiary when transferring assets between virtual asset service providers. In the EU it is implemented by the recast Transfer of Funds Regulation, applies to crypto-asset transfers of any amount (the FATF's 1,000 threshold simplification was not adopted for crypto), and has become a practical prerequisite for maintaining banking relationships.

It is now implemented in most major jurisdictions, and non-compliance creates two categories of risk. The first is regulatory. The second, which is increasingly the more immediate problem, is banking access: regulated financial institutions are unwilling to service platforms that cannot demonstrate Travel Rule compliance.

  • VASP identification. Before sending funds to another exchange or custodian, platforms must verify that the counterparty is a registered VASP and collect their identifier.
  • Originator and beneficiary data. For covered transfers, the originator’s name and account identifier must be transmitted to the receiving VASP along with the corresponding beneficiary details. The full data set required varies by jurisdiction.
  • Technology solutions. Travel Rule compliance requires interoperability with other VASPs. Solutions like TRISA, Sygna, and TRP handle the secure messaging layer, and a compliant solution needs to be selected and integrated before covered transfers can be processed.
  • Self-hosted wallet handling. Transfers to or from self-custodied wallets present a specific challenge because there is no counterparty VASP to exchange data with. Regulators have taken different positions; in the EU, a transfer of more than €1,000 to or from a self-hosted address obliges the CASP to verify whether its own client owns or controls that address, with risk-based measures below that amount.
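The four bullets above describe one decision procedure: classify the counterparty, assemble the data set, refuse to send if it is incomplete, and on the receiving side refuse to credit if it arrives incomplete. The example below is added here to show that procedure end to end; it is not Paybis code and not the SDK of any Travel Rule network. The field names are a simplified stand-in for the IVMS101 schema those networks carry, the VASP directory is a constructed placeholder for real counterparty due diligence, and the transfers are constructed. The identification rule follows EU TFR Article 14 (address, document number and customer ID, or alternatively date and place of birth), which is stricter than the FATF "any one identifier" minimum.

```python
"""Added example, not Paybis code and not any Travel Rule network's SDK: the
outbound and inbound checks a CASP runs on the data set that must travel with a
transfer under the EU Transfer of Funds Regulation.  Field names are a simplified
stand-in for IVMS101; the VASP directory and the transfers are constructed."""
from dataclasses import asdict, dataclass
from typing import Optional

SELF_HOSTED_VERIFY_THRESHOLD_EUR = 1_000   # EU TFR: verify ownership above this for self-hosted wallets

# Constructed counterparty directory; a real one is the output of VASP due diligence.
KNOWN_VASPS = {"LEI-EXCH-A": "Exchange A", "LEI-CUST-B": "Custodian B"}


@dataclass
class Party:
    name: str
    ledger_address: str
    postal_address: Optional[str] = None
    document_number: Optional[str] = None
    customer_id: Optional[str] = None
    birth_date_place: Optional[str] = None


@dataclass
class Transfer:
    amount_eur: float
    originator: Party
    beneficiary: Party
    beneficiary_vasp_id: Optional[str]      # None means a self-hosted wallet
    self_hosted_ownership_verified: bool = False


def originator_identified(o):
    """EU TFR Art. 14: address + document number + customer id, or alternatively
    date and place of birth. Customer id alone is not enough in the EU."""
    full = all(o.get(f) for f in ("postal_address", "document_number", "customer_id"))
    return full or bool(o.get("birth_date_place"))


def validate_outbound(t):
    """Return (decision, reasons, payload); decision is 'send', 'block' or
    'no_transmission' (self-hosted wallet: nothing to transmit, but checks apply)."""
    if t.beneficiary_vasp_id is None:
        # Above the threshold the CASP must first verify that its own client controls the address.
        if t.amount_eur > SELF_HOSTED_VERIFY_THRESHOLD_EUR and not t.self_hosted_ownership_verified:
            return "block", ["self-hosted transfer above EUR 1,000 without ownership verification"], None
        return "no_transmission", [], None
    if t.beneficiary_vasp_id not in KNOWN_VASPS:
        return "block", [f"counterparty {t.beneficiary_vasp_id} has not passed VASP due diligence"], None
    # VASP-to-VASP: the full data set is required at any amount (no EU de minimis).
    reasons = []
    o, b = asdict(t.originator), asdict(t.beneficiary)
    if not o["name"] or not o["ledger_address"]:
        reasons.append("originator name and ledger address are mandatory")
    if not originator_identified(o):
        reasons.append("originator needs address + document number + customer id, or birth date/place")
    if not b["name"] or not b["ledger_address"]:
        reasons.append("beneficiary name and ledger address are mandatory")
    if reasons:
        return "block", reasons, None
    payload = {
        "originator": {k: v for k, v in o.items() if v},
        "beneficiary": {"name": b["name"], "ledger_address": b["ledger_address"]},
        "beneficiary_vasp": t.beneficiary_vasp_id,
        "amount_eur": t.amount_eur,
    }
    return "send", [], payload


def validate_inbound(payload):
    """Receiving CASP's mirror duty: detect missing or incomplete data and hold
    the transfer for review instead of crediting the beneficiary."""
    o = payload.get("originator", {})
    b = payload.get("beneficiary", {})
    if not o.get("name") or not o.get("ledger_address") or not b.get("name") or not b.get("ledger_address"):
        return "hold"
    if not originator_identified(o):
        return "hold"
    return "credit"


# Constructed transfers.
ALICE = Party("Alice Example", "bc1qalice", postal_address="1 Example St, Berlin, DE",
              document_number="P1234567", customer_id="cust-0001")
BOB = Party("Bob Example", "bc1qbob")
SMALL_TO_VASP = Transfer(50, ALICE, BOB, "LEI-EXCH-A")            # full data set even at EUR 50
BIG_TO_SELF_HOSTED = Transfer(2_500, ALICE, BOB, None)             # unverified self-hosted wallet
SMALL_TO_SELF_HOSTED = Transfer(500, ALICE, BOB, None)
ID_ONLY_ORIGINATOR = Transfer(50, Party("Alice Example", "bc1qalice", customer_id="cust-0001"), BOB, "LEI-EXCH-A")
UNKNOWN_VASP = Transfer(50, ALICE, BOB, "LEI-UNKNOWN")
```

The two failure modes worth noticing are the €50 transfer that still requires the full data set, because the EU rule has no minimum amount, and the originator identified only by a customer ID, which a FATF-minimum implementation would pass and an EU one must block. The inbound side is not optional either: a beneficiary CASP that credits a transfer arriving without originator data has its own breach, independent of what the sender did.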

What Marketing and Risk Disclosure Rules Apply to Crypto Platforms?

Crypto marketing is one of the most actively enforced areas of regulation, and platforms frequently breach rules they did not know applied to them. The core standard across the EU and UK is that all marketing must be fair, clear, and not misleading. That standard is treated as a financial services obligation, not an advertising dispute.

  • Mandatory risk warnings. Most regulated jurisdictions require prominent risk disclosures on marketing materials. In the UK, FCA rules mandate specific warning text. Under MiCA, risk disclosures must accompany white papers and marketing materials for crypto-assets.
  • No financial advice in marketing. Marketing materials must not constitute personalized investment advice. That means avoiding language that tells specific users what to buy, hold, or sell based on their individual circumstances.
  • Fair, clear, and not misleading. Claims must be accurate, must acknowledge risks alongside potential returns, and must be capable of being substantiated. The standard applies to every channel without exception.
  • No unverifiable superiority claims. Statements positioning the platform as uniquely safe or superior to named competitors without verifiable evidence create enforcement exposure. All comparative claims must be backed by sources that can withstand regulatory scrutiny.
  • Social media and influencer marketing. Paid promotions via social media must be disclosed. In the UK, crypto promotions by influencers require prior approval by an FCA-authorized firm. Failure to disclose paid relationships is treated as a misleading commercial practice.

What Ongoing Reporting Do Licensed Crypto Platforms Need to Do?

A crypto licence is not a one-time approval. Licensed platforms face continuous reporting obligations, including periodic regulatory reports, annual audits, incident notifications, and on-demand regulatory examinations. The infrastructure to manage these needs to be in place before the licence is granted, not built afterwards when the first report is due.

  • Regulatory reports. Most licensing frameworks require periodic reports covering transaction volumes, customer numbers, and any material operational incidents. Reporting frequencies vary by framework and jurisdiction.
  • Notifiable events. Material changes to the business, such as ownership transfers, senior management changes, or shifts in operational jurisdiction must be notified to regulators within defined timeframes. Operating through material changes without notification is a licence condition breach.
  • Audit requirements. Licensed platforms must produce annually audited financial statements, and supervisors expect the AML programme and operational controls to be tested independently, not only by the functions that run them.
  • Regulatory examinations. National Competent Authorities can conduct on-site examinations or request information at any time. Platforms must maintain records and systems that allow rapid, accurate responses.
  • DORA (EU Digital Operational Resilience Act). Since 17 January 2025, financial entities including CASPs are subject to DORA’s requirements on ICT risk management, third-party risk and incident reporting. A major ICT-related incident must be reported in stages: an initial notification within four hours of classifying it as major and no later than 24 hours after becoming aware of it, followed by an intermediate report and a final report.

How Does Paybis Handle Compliance for B2B Partners?

When a platform integrates Paybis, it connects to infrastructure that already holds the MiCA CASP licence and the PSD2 PI licence, both issued by the Bank of Latvia in May 2026. The compliance standing of a platform’s infrastructure partners is a regulatory question in its own right, and the answer needs to be as clean as the platform’s own credentials.

US operations run under FinCEN MSB registration, Canada under FINTRAC, Poland under VASP registration, and the UK under FCA authorization. Taken together, these are the regulatory credentials that enterprise partners can present to their own regulators and auditors as evidence of counterparty due diligence.

When partners integrate the Paybis on/off-ramp or Paybis Send, KYC processing, AML monitoring, Travel Rule compliance, and client asset segregation are handled on the Paybis side. The compliance overhead does not disappear, but it does not need to be built and maintained independently either. That is a significant operational difference for platforms that want to move quickly without building a compliance function from scratch.

For businesses that need crypto payout capabilities at corporate scale without holding cryptocurrency on their balance sheet, the corporate ramp and swaps product handles conversion and settlement under the same licensed framework. More on how the full product suite works is covered in the on/off-ramp guide for businesses.

For ongoing MiCA developments and how they affect platform operations, the Paybis MiCA content hub covers the regulation and its practical implications.

Bottom Line

Crypto exchange compliance in 2026 is not just an AML registration and a KYC flow. Each layer of the framework carries its own obligations, and the MiCA CASP standard has raised the floor for any platform with EU exposure. The expectation from regulators and institutional partners is that crypto businesses operate at the same standard as regulated financial services firms. That standard is enforced. The Binance settlement, the FCA rejection rates, and MiCA’s turnover-based fines all point in the same direction.

If you treat compliance as a cost centre rather than a foundation, you’ll increasingly find yourself locked out of banking relationships, partner integrations, and the markets where serious volume sits.

FAQ

Do all crypto exchanges need a MiCA CASP licence?

Any exchange that provides crypto-asset services to clients in the EU needs CASP authorization under MiCA. This applies regardless of where the exchange is based. An exchange headquartered outside the EU that actively onboards EU residents must comply with MiCA and obtain CASP authorization through an EU member state. The transition period for existing operators who held national registrations before MiCA applied has a defined end date, after which operating without full CASP authorization is illegal. Exchanges serving non-EU clients exclusively may not require CASP authorization but still face licensing requirements in whichever jurisdictions their clients are based.

How long does it take to get CASP authorization?

MiCA gives the National Competent Authority 25 working days to confirm that an application is complete, and then 40 working days to assess a complete application, a clock it can pause while it requests further information. In practice, the timeline depends heavily on the quality of the application and the current workload of the authority. Applications that require follow-up questions or remediation of identified gaps can take significantly longer. Platforms that engage experienced regulatory counsel and prepare comprehensive applications in advance tend to move through the process faster. Budget several months to a year for a realistic planning timeline.

What is the penalty for operating without authorization?

Operating as a CASP in the EU without authorization is a regulatory breach enforceable by National Competent Authorities. For this category of infringement MiCA requires member states to provide for maximum administrative fines of at least €700,000 for natural persons and at least €5 million or 5% of total annual turnover for legal persons; national law may set the ceiling higher. Beyond fines, platforms face public censures and bans on providing services. Member states may also apply criminal penalties at the national level. Beyond formal enforcement, unauthorized platforms typically lose access to banking and payment infrastructure as regulated counterparties become unwilling to service them.

Can I use a third-party compliance provider to meet my obligations?

Yes, and many platforms do. Outsourcing KYC or transaction monitoring can be cost-effective for platforms at early stages. However, the platform retains regulatory responsibility for the compliance of those outsourced functions. Regulatory examinations will assess whether oversight of third-party providers is adequate, not just whether a provider relationship exists. Contracts with compliance vendors must specify service levels, audit rights, and incident notification obligations. Where an outsourced provider fails to perform, the platform faces the regulatory consequences.

How does compliance affect integration with B2B crypto infrastructure providers?

A platform’s own compliance standing is directly linked to the compliance standing of its partners. Regulators conduct counterparty risk assessments and expect businesses to perform due diligence on the licences and operational standards of their infrastructure providers. Integrating with an unlicensed or inadequately licensed provider can create regulatory exposure even if your own operations are fully compliant. Before signing any agreement with a provider handling customer funds, request their regulatory credentials and AML policies, and include compliance representation warranties in the contract.

Disclaimer: Don’t invest unless you’re prepared to lose all the money you invest. This is a high‑risk investment and you should not expect to be protected if something goes wrong. Take 2 mins to learn more at: https://go.payb.is/FCA-Info