VASP vs CASP: What’s the Difference and Which One Applies to You?
- VASP stands for Virtual Asset Service Provider. It is a FATF term used in AML frameworks globally. A VASP registration confirms a business exists and has committed to anti-money laundering rules.
- CASP stands for Crypto-Asset Service Provider. It is a MiCA term. A CASP licence means a financial regulator has reviewed the business and approved it to offer crypto services.
- The gap between the two is significant. A VASP registration is a notification. A CASP licence is an authorization.
- If your business serves EU clients, VASP registration is no longer sufficient. You need CASP authorization under MiCA.
- Outside the EU, VASP is still the dominant framework in FATF-aligned jurisdictions. Both terms may apply to the same business depending on which markets it operates in.
- Treating a VASP registration as equivalent to a CASP licence is one of the most common compliance misunderstandings in the industry right now.
You have probably heard both these terms: VASP and CASP. There is one significant difference. And a lot of businesses are currently treating them as the same thing.
VASP and CASP both describe companies that provide crypto services. They appear in regulatory documents, compliance frameworks, and licensing discussions, sometimes interchangeably. But they are not interchangeable. One is an AML registration that tells a regulator your business exists. The other is a financial services licence that tells the market your business has been reviewed, assessed, and authorized to hold client funds. Getting that distinction wrong has real consequences, particularly if you run a business with European clients.
This article explains what each term means, where each one applies, and how to work out which one your business needs.
Table of contents
What Is a VASP?
VASP stands for Virtual Asset Service Provider. The term comes from the Financial Action Task Force, the global body that sets anti-money laundering standards. FATF introduced it in 2019 through an update to its Recommendation 15, which extended AML obligations to businesses offering crypto services.
Under the FATF framework, a VASP is any business that, as a commercial activity, exchanges crypto for fiat, exchanges one crypto for another, transfers crypto, safeguards or manages crypto assets, or participates in token offerings. The definition is broad. If your business does any of these things on a professional basis, you are a VASP under FATF’s framework.
Countries that adopted FATF’s recommendations, which includes most major economies, translated this into national law by requiring VASPs to register with their financial intelligence unit, implement an AML program, and comply with customer verification and transaction reporting rules. What VASP registration does not require is a full regulatory review of the business. It is a commitment to AML compliance, confirmed by notification. The regulator does not assess whether the business is safe or well-run before registration is granted.
For most of the crypto industry’s regulated history, VASP registration was the ceiling of what most jurisdictions required. That has changed, particularly in Europe.
What Is a CASP?
CASP stands for Crypto-Asset Service Provider. The term comes from MiCA, the EU’s Markets in Crypto-Assets Regulation, which came into full force in December 2024. It is the EU’s replacement for the VASP framework within European borders.
Under MiCA, a CASP is any legal entity that provides crypto-asset services on a professional basis to clients within the EU. The services covered include exchange, custody, portfolio management, the operation of a trading platform, and crypto advisory services, among others. The definition broadly overlaps with VASP, but the authorization process is entirely different.
Getting a CASP licence requires a full application to a national financial regulator, a review of the business covering governance, capital adequacy, management suitability, IT security, and operational resilience, and a formal decision from the regulator before the business is permitted to operate. One CASP licence, once granted, provides passports across all 27 EU member states and the broader EEA. It covers 450 million people from a single authorization.
That passporting mechanism is one of MiCA’s most commercially significant features. For businesses with EU ambitions, a single CASP licence replaces what would previously have required separate engagements with regulators in every market.
What Is the Real Difference Between a VASP and a CASP?
The real difference is what each one actually demonstrates about a business.
A VASP registration demonstrates that a business told a regulator it exists and signed up to AML obligations. The regulator received the notification, added the business to a list, and expects it to follow the rules. Nothing in the registration process requires the regulator to evaluate whether the business is well-run, financially stable, or safe for clients to use.
A CASP licence demonstrates that a financial regulator reviewed the business and decided it met the standard for offering financial services to clients. The governance, management, capital, and IT security were all assessed before the licence was granted. The AML program was reviewed for genuine substance and evidence of operation. Only after all of that did the authorization come through.
The practical consequence of this difference shows up clearly when something goes wrong. A client of a VASP-registered business has very limited recourse if the platform mishandles their funds, because no regulator assessed the platform’s operations before it was allowed to hold those funds. A client of a CASP-licensed business has real protections: fund segregation is mandatory, fees must be disclosed upfront, complaints must be handled through a formal process, and the regulator that issued the licence has ongoing oversight of the business.
For businesses evaluating which framework applies to them, the relevant question goes beyond which term describes their activities. What actually matters is which standard they are held to, and what that means for the clients and partners relying on them.
Which One Applies to Your Business?
The answer depends on two things: where your clients are, and what services you offer.
If you serve clients in the EU, CASP authorization under MiCA is required. VASP registration in an EU member state may have been sufficient before December 2024, but the transition period for legacy registrations has a defined end date. Operating on a VASP registration while serving EU clients after that transition period closes is a legal violation.
If you serve clients outside the EU, the VASP framework still applies in most FATF-aligned jurisdictions. The US uses its own MSB registration framework, which maps broadly to the VASP concept. The UK uses FCA registration. Canada uses FINTRAC registration. These are all VASP-equivalent frameworks in their respective jurisdictions. A business operating only in these markets needs to meet their local requirements, which remain AML-focused rather than full financial services authorization.
If you serve clients in both the EU and other markets, both frameworks apply simultaneously. The CASP licence covers the EU side. The relevant VASP-equivalent registrations cover the other markets. Many businesses operating at scale hold multiple authorizations across jurisdictions for exactly this reason.
If you are unsure whether your services fall within scope, the operative question is what you actually do with client assets. If your business holds crypto on behalf of clients, executes transactions on their behalf, or converts between crypto and fiat, you are almost certainly within the scope of both frameworks in whatever markets you serve. The crypto exchange regulations guide covers what that means in practice once you are within scope.
Can a Business Be Both a VASP and a CASP?
Yes. In fact, most serious crypto businesses operating across multiple markets are both simultaneously.
A business that holds a CASP licence in Latvia and serves EU clients operates as a CASP under MiCA for its European operations. The same business, serving clients in the US, operates as an MSB registered with FinCEN under the US VASP-equivalent framework. In Canada, it registers with FINTRAC. In the UK, it registers with the FCA.
The CASP licence covers the EU. The VASP-equivalent registrations cover everywhere else. The business does not choose one over the other. It meets the requirements of each jurisdiction where it operates.
What changes as MiCA matures is that the CASP standard is likely to become the reference point globally, the same way GDPR became the reference point for data protection. Other jurisdictions are watching MiCA closely, and several are building frameworks that incorporate similar elements. The VASP-to-CASP shift that happened in the EU may eventually influence how non-EU frameworks develop.
How Do You Move From VASP Registration to CASP Authorization?
For businesses that currently hold VASP registrations in EU member states and need to convert to CASP authorization, the transition process involves a full CASP application to the relevant national regulator.
The application requires documentation that most VASP-registered businesses do not currently have ready. Governance structures need to be formally documented. Capital requirements need to be met and verified. Management suitability assessments need to be completed. The AML program needs to be upgraded from a registration-level policy to a full documented program with evidence of operation. IT security needs to be assessed and documented to the standard regulators expect from a licensed financial services provider.
For businesses that have been operating as VASPs without this infrastructure, building it from scratch while also running the business takes time. Six to twelve months is a realistic preparation timeline for a well-resourced business. Businesses that underestimate the gap between VASP registration and CASP authorization tend to discover it during the completeness assessment when the application is submitted, which is when the clock pauses and the delays begin.
For businesses in the pre-authorization phase that want to continue offering crypto services to EU clients through a licensed partner in the meantime, integrating the Paybis on/off-ramp provides a compliant route. KYC processing, AML monitoring, and client asset segregation are handled on the Paybis side under the CASP licence already in place.
How Does Paybis Operate Under These Frameworks?
Paybis operates as a licensed CASP under MiCA, with the CASP licence and the Payment Institution licence under PSD2 both issued by the Bank of Latvia in May 2026. The CASP licence covers all 27 EU member states and the broader EEA. For EU operations, Paybis sits within the full CASP framework with all the obligations and client protections that entail.
Outside the EU, Paybis holds VASP-equivalent authorizations in the relevant markets. FinCEN MSB registration covers US operations. FINTRAC registration covers Canada. VASP registration in Poland covers that market. FCA authorization covers the UK. The full picture is covered in the Paybis EU licensing announcement.
For B2B partners, that stack of authorizations is what makes Paybis a viable counterparty for businesses operating across multiple markets. The Paybis Corporate On/Off Ramp serves institutional and business clients needing direct crypto and fiat liquidity, with Paybis handling compliance, including KYB and AML monitoring. Paybis Send handles global crypto payouts under the same licensed framework. The Paybis MiCA content hub covers ongoing regulatory developments and their practical implications for platform operators.
Bottom Line
VASP and CASP describe the same type of business under two different regulatory frameworks. The difference between them is not terminology. It is the standard of oversight each one requires. A VASP registration is an AML notification. A CASP licence is a financial services authorization. For businesses serving EU clients, the question of which one applies has a clear answer: CASP authorization is required, and the window to transition from legacy VASP registrations to full CASP authorization is closing. For businesses operating outside the EU, VASP frameworks remain the standard, though the direction of travel globally is toward higher authorization requirements, not lower ones.
FAQ
Is a VASP registration still valid in the EU after MiCA came into force?
VASP registrations in EU member states remain valid during the MiCA transition period, which varies in length by country. Once the transition period ends in a given jurisdiction, operating on a legacy VASP registration while serving EU clients becomes illegal. The end date differs by member state, so businesses need to check the specific deadline for the jurisdiction where they are registered. Operating past that deadline on a VASP registration exposes the business to the same enforcement consequences as operating without any authorization at all.
Does every business that accepts crypto payments need to be a VASP or a CASP?
Accepting crypto as payment for goods or services does not automatically make a business a VASP or CASP. The frameworks apply to businesses providing crypto-asset services on a professional basis, meaning exchange, custody, portfolio management, and similar activities. A retailer that accepts Bitcoin at checkout is not providing a crypto-asset service. The distinction matters because the compliance obligations are very different. If there is genuine uncertainty about whether a business’s activities fall within the VASP or CASP definition, legal advice from a specialist in the relevant jurisdiction is the right starting point.
What does FATF have to do with the VASP vs CASP distinction?
FATF created the VASP term and the framework that most non-EU jurisdictions use to regulate crypto businesses for AML purposes. MiCA built on FATF’s foundation but went substantially further by creating a full financial services authorization rather than an AML registration. The two frameworks coexist because FATF sets international standards that countries implement in national law, while MiCA is an EU regulation that replaces national frameworks within European borders. A business operating globally needs to understand both, because FATF-aligned jurisdictions outside the EU continue to use the VASP framework while EU operations fall under CASP.
If I hold a CASP licence, do I still need VASP registration in other jurisdictions?
Yes. A CASP licence covers EU and EEA operations. For markets outside the EU, the relevant national frameworks apply regardless of what EU authorization a business holds. A CASP-licensed business serving US clients still needs FinCEN MSB registration. Serving Canadian clients requires FINTRAC registration. The CASP licence does not extend beyond the EU and EEA, and it does not substitute for the AML registration requirements that apply in other markets.
How do institutional partners typically evaluate VASP vs CASP status?
Institutional partners, including banks, payment processors, and enterprise clients, increasingly distinguish between VASP registrations and CASP licences in their due diligence processes. A CASP licence provides verifiable evidence of a full regulatory review, ongoing oversight, and compliance with capital and operational standards. A VASP registration from a jurisdiction with light enforcement provides much weaker assurance. Many institutional counterparties now request copies of the actual licence, the issuing regulator’s name, and confirmation that the licence is currently in good standing as standard parts of onboarding. Businesses that can only provide a VASP registration from an offshore jurisdiction are increasingly finding that insufficient for the relationships they want to build.
Disclaimer: Don’t invest unless you’re prepared to lose all the money you invest. This is a high‑risk investment and you should not expect to be protected if something goes wrong. Take 2 mins to learn more at: https://go.payb.is/FCA-Info
