When Does Crypto Activity Become Regulated: Do You Need a License?

When Does Crypto Activity Become Regulated: Do You Need a License?
Crypto & Digital Assets , ,

When Does Crypto Activity Become Regulated: Do You Need a License?

Crypto Regulation Threshold Guide

When Does Crypto Activity
Become Regulated?
Do You Need a Licence?

Regulatory obligations do not switch on at an arbitrary point — they follow specific legal triggers: the nature of your activity, what asset you handle, who your customers are, and in which jurisdictions you operate. This guide maps the precise thresholds that transform personal crypto activity into regulated business, and provides a structured framework for assessing your own position.

Regulation triggers
Asset classification tests
Commercial activity thresholds
Personal holdings vs. business
Jurisdiction-specific rules
Licensing decision framework
📋
Table of Contents
Introduction — The Grey Zone Between Personal Activity and Regulated Business Why the line between unregulated crypto activity and regulated services is not obvious — and why getting it wrong matters
1
Section 1 — The Five Triggers That Transform Crypto Activity Into a Regulated Service Custody of third-party assets, exchange functions, public offering, holding out, and systematic commercial conduct — each trigger independently creates regulatory obligations
2
Section 2 — Asset Classification: Why What You Trade Determines Who Regulates You Security vs. commodity vs. e-money token vs. utility token — how classification determines which regulatory framework applies and to whom
3
Section 3 — The Commercial Activity Test: Where Personal Holdings End and Business Begins Frequency, scale, profit-seeking intent, third-party involvement, and public-facing conduct — the factors that convert personal crypto activity into regulated business operations
4
Section 4 — Jurisdiction-Specific Threshold Rules and Safe Harbours How the EU, UK, US, UAE, and Singapore define the threshold at which crypto activity triggers licensing, and which exemptions exist
Conclusion — A Six-Step Framework for Assessing Your Regulatory Status A structured decision process for founders and legal teams: from activity mapping to licensing strategy

Introduction — The Grey Zone Between Personal Activity and Regulated Business

One of the most persistently misunderstood aspects of crypto regulation is the question of where it starts. Holding Bitcoin in a personal wallet is not regulated. Operating a Bitcoin exchange platform for thousands of customers is heavily regulated. Between those two points lies a grey zone where the line between unregulated personal activity and regulated financial services is blurry, contested, and consequential — and most crypto businesses are operating somewhere in that zone without a clear legal analysis of which side of the line they fall on.

The question "when does crypto activity become regulated?" does not have a single global answer. It has multiple jurisdiction-specific answers, each determined by a combination of factors: what activity is being conducted, which asset is involved, who the counterparties are, and whether the conduct is systematic and commercial. What is clear is that the regulatory triggers exist, they are increasingly being enforced, and the businesses most at risk are those operating in the grey zone with no documented legal analysis of their regulatory status.

Clearly unregulated
Personal holdings, self-custody, private transactions
Grey zone
Frequent trading, group pools, small platforms, DAO participation
Clearly regulated
Exchanges, custodians, token issuers, payment processors

The grey zone contains three categories of activity that most commonly generate licensing uncertainty:

🔄
Grey zone type 1

High-frequency personal trading

An individual who trades crypto assets frequently, systematically, and profitably may be characterised as conducting a regulated activity in some jurisdictions — particularly if they provide signals, copy-trading, or manage funds on behalf of others as part of the same activity. The line between sophisticated personal investor and unlicensed investment adviser is genuinely unclear in several regimes.

👥
Grey zone type 2

DAO and community pool structures

A DAO that accepts contributions of crypto assets from members, manages a treasury, and distributes returns to token-holders exhibits the economic characteristics of an investment fund or collective investment scheme. Whether it is regulated as such depends on how it is structured — but the "decentralised" label alone does not resolve the regulatory question.

🛠️
Grey zone type 3

Small platforms and tools

A developer who builds a crypto swap interface, a portfolio aggregation tool, or a DeFi front-end may be providing a regulated crypto asset service in the EU under MiCA, depending on whether the developer controls, routes, or takes fees on the transactions. The threshold between a tool and a service is a key regulatory question as MiCA enforcement matures.

✔ Generally not regulated
  • Holding crypto assets in a personal wallet (any amount)
  • Buying and selling crypto assets for your own account on an exchange you don't operate
  • Paying for goods or services using crypto from your own holdings
  • Receiving crypto as payment for goods or services you sell
  • Mining or validating on a public network for your own account
  • Developing open-source smart contracts with no operator role
  • Writing about, advising generally about, or educating people on crypto assets
⚠ Likely regulated — licence probably required
  • Operating a platform where others can exchange crypto assets
  • Holding crypto assets on behalf of third parties (even informally)
  • Offering a product that pays yield or staking returns to customers
  • Issuing tokens to the public for investment or speculative purposes
  • Providing personalised advice on which crypto assets someone should buy
  • Operating a payment system that processes crypto transactions for merchants
  • Managing a fund or pool that invests in crypto assets on behalf of investors
⚖️
Professional guidance Uncertain about your licensing position? Get specialist advice

The regulatory analysis for most crypto businesses is fact-specific and jurisdiction-dependent. Once you have assessed your activity and concluded that a licence may be required, the next step is obtaining structured legal support for the application process. WCR Legal's crypto licensing services cover regulatory assessment, jurisdiction selection, application preparation, and ongoing compliance support.

View crypto licensing services →

Four legal questions determine whether any given crypto activity is regulated — these are the four lenses through which every regulatory analysis must pass:

⚙️

What is the activity?

Exchange, custody, payment transfer, portfolio management, investment advice, token issuance, DeFi operation — each is a distinct regulatory category. A single business may perform multiple regulated activities simultaneously, each attracting separate licensing obligations.

🪙

What type of asset is involved?

The regulatory framework that applies depends on how the underlying crypto asset is classified — security, commodity, e-money token, asset-referenced token, or utility token. The same activity performed on a security token is regulated differently than the same activity performed on a commodity token.

👤

Who are the counterparties?

Activities conducted on behalf of third parties — customers, investors, depositors — attract regulation that purely proprietary activities do not. The moment a third party's assets or interests are involved, the regulatory question changes materially. Institutional counterparty relationships often carry different obligations than retail ones.

📈

Is the conduct commercial and systematic?

Most regulatory regimes require that activity be conducted "by way of business" — as a commercial, systematic, profit-seeking enterprise — rather than as an isolated or personal transaction. The frequency, scale, and commercial character of the activity are all relevant to whether the "by way of business" threshold is met.

The sections that follow examine each of these questions in detail: the specific legal triggers that transform crypto activity into regulated services; how asset classification determines which regulatory regime applies; the commercial activity test and how it distinguishes personal holdings from regulated business; and the specific threshold rules that apply in major jurisdictions.

Section 1 — The Five Triggers That Transform Crypto Activity Into a Regulated Service

Regulators do not regulate crypto assets as such — they regulate specific activities conducted in relation to crypto assets. Understanding this distinction is fundamental. Bitcoin is not regulated; operating a platform that allows people to buy and sell Bitcoin is regulated. The five triggers below each independently create licensing obligations in most major jurisdictions. Any one of them, present in a business model, is sufficient to require a regulatory analysis.

T1

Custody of third-party crypto assets

Controlling or holding assets belonging to other people — the most universal licensing trigger across all major jurisdictions
Highest trigger

The custody trigger activates whenever a business takes control of, or holds, crypto assets that belong to someone else. "Control" in this context means holding private keys, managing wallet credentials, operating pooled or omnibus wallets, or having the technical ability to move customer assets — not merely providing infrastructure through which customers move their own assets.

The custody trigger is the broadest and most universally enforced across every major regulatory regime. It requires no element of exchange, no public offering, and no commercial scale threshold to activate. A business that holds one customer's private key on their behalf is providing a custody service and will, in most jurisdictions, require a licence or registration for doing so.

EU (MiCA)CASP — custody and administration of crypto-assets
UK (FCA)Cryptoasset exchange / custodian wallet provider registration
USState trust or charter; SEC custody rule (investment adviser context)
Activities that activate this trigger
  • Operating an exchange with on-platform wallets where users deposit funds
  • Providing a "managed wallet" product where the operator holds private keys
  • Multi-signature wallet services where the operator holds any key
  • Staking-as-a-service where customer assets are held and staked by the operator
  • Crypto lending products where assets are transferred to the lender's custody
T2

Facilitating exchange between crypto assets or crypto and fiat

Operating, controlling, or profiting from a venue where parties trade crypto assets — the classic licensing trigger for exchange platforms
Highest trigger

The exchange trigger is activated by operating, managing, or materially controlling a platform, protocol, or service through which third parties exchange crypto assets against other crypto assets or against fiat currency. This includes centralised exchanges, OTC desks, automated market makers (AMMs) with a controlling operator, and any service that routes, matches, or settles trades between counterparties.

Critically, the exchange trigger does not require that the operator itself takes a proprietary position in the traded assets. A business that facilitates matching between buyers and sellers — without itself buying or selling — is still providing an exchange service and attracts the same licensing obligations as a principal-model exchange in most jurisdictions.

EU (MiCA)CASP — exchange of crypto-assets for fiat or other crypto-assets
UK (FCA)Cryptoasset exchange provider registration
US (FinCEN)MSB registration mandatory for exchange function
Activities that activate this trigger
  • Operating a centralised exchange with an order book
  • Running an OTC desk that quotes prices and executes against customer orders
  • Operating an AMM where liquidity is pooled and swaps are facilitated by operator-controlled smart contracts
  • Operating a crypto ATM network (exchange function at point of physical sale)
  • Providing a P2P matching service where trades are settled between users (broker function)
T3

Making a public offering of crypto assets

Offering tokens, coins, or crypto-asset rights to the public — triggers prospectus, white paper, or securities offering requirements
High trigger

The public offering trigger is activated when a business offers crypto assets to members of the public — meaning parties who have no pre-existing relationship with the issuer that would provide them with equivalent information protections. Under MiCA, any public offering of crypto assets (other than those specifically excluded) requires publication of a crypto-asset white paper with specified content. Under US securities law, a public offering of a crypto asset that constitutes a security requires either registration or an applicable exemption.

The trigger is assessed at the point of the offering — not at the point of secondary trading. A business that privately places tokens with sophisticated investors and never makes a public offering may avoid this trigger; a business that posts "buy our tokens" on a public website has activated it regardless of the legal structure of the sale.

EU (MiCA)White paper required; ART/EMT issuer authorisation if applicable
UK (FCA)Financial promotions approval; prospectus if qualifying
US (SEC)Securities registration or Reg D/S exemption required
Activities that activate this trigger
  • Conducting an ICO or TGE open to members of the public
  • Publicly advertising a token sale on a website or social media
  • Listing a newly issued token on a public exchange where anyone can buy
  • Operating a launchpad that facilitates public token offerings by other issuers
T4

Holding out — presenting as a financial services provider

Marketing, branding, or positioning in a way that leads customers to believe they are dealing with a regulated financial service — even if no licence is held
Medium trigger

The "holding out" trigger captures businesses that present themselves to customers as financial service providers without actually holding the required licence. This is distinct from — and additional to — the underlying activity trigger. A crypto business that claims to provide "regulated custody", "licensed exchange services", or "fully compliant investment management" without the corresponding authorisation is committing a separate regulatory offence under most financial services frameworks.

This trigger is particularly relevant for businesses that operate in jurisdictions where crypto services are not yet specifically regulated but fall within the general financial services holding-out prohibition. It is also relevant for businesses that have applied for a licence but not yet received it — continuing to operate as if licensed during the application period is a holding-out offence.

UK (FCA)S.24 FSMA — holding out as authorised firm is a criminal offence
EU (MiCA)Using "CASP" or equivalent designation without authorisation prohibited
USMisrepresenting registration status to customers — securities fraud risk
Activities that activate this trigger
  • Describing your platform as "regulated", "licensed", or "FCA-registered" without the required authorisation
  • Using terms like "bank-grade security" or "insured deposits" in marketing materials without the corresponding regulatory status
  • Claiming membership in financial industry bodies or regulatory sandboxes you are not actually enrolled in
T5

Systematic commercial conduct — "by way of business"

The frequency, scale, and profit-seeking character of crypto activity — converting isolated personal transactions into regulated commercial conduct
Context-dependent trigger

Most regulatory regimes require that regulated activity be carried on "by way of business" — that is, as a commercial, systematic, profit-seeking enterprise rather than as an isolated personal transaction. The "by way of business" test prevents regulation from capturing purely personal activity (someone selling Bitcoin to pay rent) while bringing within scope commercial-scale activity that is functionally equivalent to a regulated financial service.

The test is fact-intensive and context-specific. Factors that push activity toward the "by way of business" characterisation include: frequency and regularity of transactions; profit-seeking intent; marketing or public-facing conduct; customer relationships; and the scale of the operation relative to the operator's other income. There is no bright-line threshold — a business conducting 100 transactions per year may be regulated; a sophisticated trader conducting 1,000 personal transactions for their own account may not be.

EU (MiCA)"On a professional basis" — assessed by scale, regularity, profitability
UK (FCA)"By way of business" — PERG guidance; fact-specific
US (FinCEN)"As a business" — frequency, profit intent, commercial character
Factors that push activity toward "by way of business"
  • Operating a public-facing website or platform, even informally
  • Charging fees or taking a spread on transactions conducted for others
  • Advertising or marketing the service to prospective customers
  • Maintaining a regular customer base or subscription list
  • Deriving a significant proportion of income from the activity
🔗

Important: triggers interact and compound. A single business model may activate multiple triggers simultaneously — for example, an exchange that holds customer assets activates both T1 (custody) and T2 (exchange). Each trigger independently creates regulatory obligations, and the combination of triggers often requires more than one licence or registration. The compliance burden is not additive in a linear sense — it is multiplicative, because each trigger may be assessed by a different regulator.

Trigger Activates in EU? Activates in UK? Activates in US? Licence type Severity
T1 — Custody of third-party assets Yes — MiCA CASP Yes — FCA registration Yes — state trust/charter Custody / CASP / wallet provider Critical
T2 — Facilitating exchange Yes — MiCA CASP Yes — FCA registration Yes — FinCEN MSB + MTLs Exchange / MSB / CASP Critical
T3 — Public offering of tokens Yes — white paper / ART/EMT authorisation Yes — fin. promotions / prospectus Yes — SEC registration or exemption Issuer authorisation / securities filing High
T4 — Holding out as regulated Yes — MiCA naming restrictions Yes — S.24 FSMA criminal offence Yes — misrepresentation risk No specific licence; offence by conduct High — criminal exposure
T5 — Systematic commercial conduct Depends — "professional basis" test Depends — "by way of business" test Depends — "as a business" test Depends on underlying activity Context-dependent

The triggers above represent the minimum threshold analysis for any crypto business. Identifying which triggers are present is the first step in a licensing assessment — but identifying triggers is not the same as completing the analysis. Each trigger must then be evaluated against the specific assets involved (Section 2), the commercial character of the activity (Section 3), and the jurisdiction-specific threshold rules (Section 4).

Section 2 — Asset Classification: Why What You Trade Determines Who Regulates You

The same activity — for example, facilitating the purchase and sale of a digital asset on a platform — is regulated differently depending on what type of asset is involved. A platform trading Bitcoin may be regulated primarily as a money services business or payment service provider. The same platform trading a token that is classified as a security may be regulated as a securities exchange — a dramatically more demanding regulatory category. Asset classification is not a technicality: it determines which regulator has jurisdiction, which licence is required, and what the penalties for non-compliance look like.

⚖️

Security tokens — highest regulatory burden

Securities law applies

A crypto asset is a security when it satisfies the applicable securities law test — most prominently the US Howey test, but also comparable tests in EU member state law and UK FCA guidance. Securities are investment contracts: an investment of money in a common enterprise with an expectation of profits from the efforts of others.

Security tokens attract the most demanding regulatory treatment. In the US, they must be registered with the SEC or offered under an exemption; the platforms that trade them must register as broker-dealers or national securities exchanges; and investment advisers who recommend them require RIA registration. Under EU MiFID II, security-equivalent tokens attract investment firm and trading venue requirements.

US regulatorSEC — securities registration or exemption
EU regulatorNational NCA — MiFID II investment firm rules
UK regulatorFCA — specified investment; full authorisation
ExamplesSTOs, tokenised equity, revenue-share tokens, profit-right tokens
📊

Commodity tokens — lighter, but still regulated

Commodity / VASP law applies

Bitcoin and Ether are generally treated as commodities rather than securities in the US, placing them under CFTC jurisdiction rather than SEC jurisdiction (at least for spot markets). In the EU and UK, they are treated as crypto-assets subject to MiCA and FCA registration respectively — not as traditional commodities, but not as securities either. This gives commodity tokens a materially lighter regulatory footprint than security tokens, but a heavier one than utility tokens.

The CFTC has asserted jurisdiction over Bitcoin and Ether derivatives markets. The SEC's position on Ether has evolved — following the transition to proof-of-stake, the SEC has indicated Ether may no longer be a security, though this is not codified in law.

US regulatorCFTC (derivatives); FinCEN (spot exchange/transfer)
EU regulatorNCA — MiCA CASP rules
UK regulatorFCA — cryptoasset registration
ExamplesBitcoin (BTC), Ether (ETH), Litecoin (LTC)
💵

E-money tokens & asset-referenced tokens — stablecoin-specific rules

MiCA ART/EMT rules (EU); e-money law (UK)

MiCA creates two distinct categories for stablecoins. E-money tokens (EMTs) are tokens that reference a single fiat currency and are used as a means of exchange — equivalent to electronic money. Asset-referenced tokens (ARTs) reference a basket of assets or currencies. Both require specific issuer authorisation from an EU regulator before they can be publicly offered — and significant ARTs (by transaction volume or user base) face enhanced requirements including recovery plans and liquidity reserves.

In the UK, stablecoins used for retail payment will be subject to Bank of England and FCA oversight under the Financial Services and Markets Act 2023. The US has debated federal stablecoin legislation — pending passage, stablecoin issuers face patchwork state-level e-money and money transmission regulation.

EU (EMT)MiCA — e-money institution or credit institution authorisation required
EU (ART)MiCA — specific ART issuer authorisation; NCA approved
UKFCA + Bank of England — systemic stablecoins; FCA for retail
ExamplesUSDT, USDC, DAI, EURT, algorithmic stablecoins
🔧

Utility tokens — lighter regulation, narrower scope

MiCA white paper; limited securities risk

Utility tokens provide access to a product or service on a specific platform and are not designed as investments. Under MiCA, utility tokens are the residual category — they are subject to white paper disclosure requirements for public offerings but do not require CASP authorisation simply to issue them. The key risk for utility tokens is misclassification: a token sold to investors before the product exists, with an expectation of secondary market appreciation, often fails the utility token characterisation and should be assessed as a potential security.

The SEC has consistently challenged utility token characterisations for pre-launch token sales. The functional utility of a token at the time of sale — not the label — determines whether it satisfies the securities exemption.

EU (MiCA)White paper for public offerings; no CASP authorisation for issuance
US (SEC)Securities risk if pre-launch sale; Howey analysis required
Key riskMisclassification — marketing as utility; SEC treating as security
ExamplesPlatform access tokens (post-launch, operational platforms only)

For any token issued to investors or sold via a public or private offering in the US market, the Howey test is the critical classification framework:

⚖️
The Howey Test — four elements required for securities classification
Element 1
Investment of money
The purchaser invests money or money's worth. In a crypto context, purchasing a token with fiat currency or other crypto assets satisfies this element. Receiving tokens for free (airdrops) may not satisfy this element, though other Howey elements may still apply.
Element 2
In a common enterprise
The investment is pooled with others in a common enterprise. For most token sales, this is straightforwardly satisfied — all purchasers' funds go to the same issuer for the same stated purpose. The common enterprise need not be formally structured as a company or partnership.
Element 3
With an expectation of profits
The purchaser expects to profit from their investment. The SEC focuses on how the token was marketed and what the objective economic incentive of the purchaser was. If secondary market appreciation was the primary pitch — not platform access — this element is satisfied even for tokens labelled "utility".
Element 4
From the efforts of others
The expected profit derives from the managerial or entrepreneurial efforts of a third party (typically the issuer or a founding team), not from the investor's own work. This element is key for decentralisation arguments — the SEC has accepted that sufficiently decentralised networks may fail this element for native tokens.

Under MiCA, the classification sequence follows a structured set of questions about the token's characteristics:

Does the token reference a single fiat currency and function as a means of exchange?
ART/EMTIf yes → classify as e-money token. Requires e-money institution or credit institution status before issuance.
Does the token reference a basket of assets, currencies, or commodities to maintain a stable value?
ART/EMTIf yes → classify as asset-referenced token. Requires specific ART issuer authorisation from an EU NCA.
Is the token a financial instrument under MiFID II (equity, debt, derivative, fund unit)?
MiFID IIIf yes → MiCA does not apply; MiFID II / national securities law applies. Investment firm authorisation required for related services.
Is it unique, non-fungible, and not used as a means of payment or investment?
Excluded NFTIf yes → excluded from MiCA (true NFTs). However, fractionalised NFTs or fungible "NFT" collections may not qualify for the exclusion.
Does the token fall into none of the above categories?
Other Crypto-AssetResidual category (including utility tokens). White paper required for public offerings. CASP authorisation required for related services. Lighter issuer obligations.
Asset classification EU framework UK framework US framework Exchange needs licence? Issuance regulated?
Security / investment token MiFID II — investment firm rules FCA — specified investment; full authorisation SEC — broker-dealer registration Yes — most demanding Yes — securities filing or exemption
E-money token (EMT) MiCA — e-money institution or credit institution FCA — e-money licence / bank State e-money / money transmission Yes — CASP Yes — EMT issuer authorisation
Asset-referenced token (ART) MiCA — ART issuer authorisation required FCA + BoE regime Patchwork — varies by state; federal bill pending Yes — CASP Yes — NCA authorisation pre-issuance
Commodity token (BTC, ETH) MiCA — CASP for exchange/custody FCA registration CFTC (derivatives); FinCEN (spot) Yes — CASP / FinCEN MSB No issuer regulation (mining/PoS)
Utility token (post-launch) MiCA — white paper; CASP for services FCA registration; promotions rules Limited if no Howey characteristics Yes — CASP if services provided White paper required — no auth needed
True NFT (unique collectible) Excluded from MiCA Generally excluded — promotions rules may apply Low risk for pure collectibles Generally no — exclusion applies No — exclusion applies if truly unique
⚠️

Classification is not self-determined. A business cannot simply decide what category its token falls into. Regulators — particularly the SEC — have consistently characterised tokens based on economic substance rather than the issuer's stated classification. A token labelled a "utility token" in a whitepaper but marketed with price appreciation projections and sold to investors seeking returns will be assessed as a security regardless of the label. Independent legal analysis of your token's characteristics — conducted before any sale or marketing activity — is the only reliable basis for classification.

Asset classification interacts with the activity triggers from Section 1: the same activity performed on different asset types may attract obligations from entirely different regulatory frameworks and different regulators. A business that trades both commodity tokens and security tokens may simultaneously need a CASP authorisation (for the commodity side) and broker-dealer registration (for the security token side). Cross-asset platforms face the most complex classification and licensing challenges in the current regulatory environment.

Section 3 — The Commercial Activity Test: Where Personal Holdings End and Business Begins

Even where a crypto activity would theoretically be regulated — because it involves exchange, custody, or asset transfer — most regulatory frameworks require that it be conducted "by way of business" (UK), "on a professional basis" (EU MiCA), or "as a business" (US FinCEN) before licensing obligations attach. This requirement exists to prevent regulation from capturing purely personal activity — someone selling crypto assets from their own savings is not a financial service provider. Understanding how this test works, and how it is applied in practice, is critical for founders and developers who are not sure whether their activity has crossed the commercial threshold.

Five factors determine whether crypto activity meets the commercial activity threshold. No single factor is determinative — regulators look at the totality of the circumstances:

🔁
Frequency and regularity

A one-off sale of crypto assets is unlikely to constitute regulated activity. Repeated, regular transactions — particularly if conducted on a schedule, in response to customer demand, or as a core business function — push toward the commercial threshold. Regulators look for patterns of conduct, not isolated events.

An individual who trades crypto daily for their own account for three years, and then begins executing trades on behalf of friends "informally", has crossed the frequency threshold in combination with the third-party element — even if no formal fee is charged.

High weight
💰
Profit-seeking intent

Activity conducted with the intention of generating recurring revenue — through fees, spreads, subscription charges, or any other commercial model — signals "by way of business" conduct. This includes taking a percentage spread on exchanges, charging a platform fee, or earning management fees on a pooled investment structure.

The absence of explicit fees does not defeat this factor. A business that earns revenue from transaction volume, from marketing partnerships, or from proprietary trading alongside its customer-facing service is profit-seeking regardless of its fee structure.

High weight
👥
Third-party customer relationships

The most significant single factor across most jurisdictions. Once a business begins performing regulated activities — exchange, custody, payment transfer — on behalf of third parties, the commercial threshold is almost automatically met. The concept of a "customer" is broad: it includes platform users, API customers, managed account holders, DAO treasury participants, and friends for whom informal services are performed.

The "by way of business" requirement was designed to exclude purely personal activity. The moment a third party relies on your service, or you assume obligations to a third party in connection with a regulated activity, personal activity ends and business activity begins.

Highest weight
📢
Public-facing conduct and marketing

Operating a public-facing website, social media account, or application through which services are offered to the public is strong evidence of commercial activity. This includes publishing trading signals or investment commentary to a subscribed audience, operating a Discord server where trade execution occurs, or listing a product on an app store.

The promotion trigger works independently of the commercial activity test in many jurisdictions — the UK's financial promotions regime applies to any communication that invites persons to engage with a regulated activity, regardless of whether the promoter is itself licensed or commercially operating. A public-facing crypto service that is not licensed is generating regulatory exposure at the marketing layer, not just the operational layer.

Medium–high weight
📊
Scale relative to total income

Where crypto-related services represent a significant proportion of a person's or entity's total income or activity, this supports a commercial characterisation. Conversely, where crypto activity is genuinely incidental to a primary non-financial business — for example, a software company that holds Bitcoin in treasury — the commercial activity test may not be met for the treasury management itself (though other activities might still be regulated).

There is no specific percentage threshold — this is a holistic assessment. A developer earning 80% of their income from platform fees on a crypto exchange is clearly in "business"; a company holding 5% of reserves in Bitcoin as a treasury asset is much less clearly so.

Medium weight

The following scenarios illustrate how the commercial activity test applies in practice:

Generally unregulated

Individual buying and holding Bitcoin

A person buys Bitcoin through an exchange, holds it in a self-custodied wallet, and sells a portion periodically for personal expenses. No third-party involvement, no fees charged, no marketing, no customer relationships.

No trigger met — personal investment activity. Tax obligations may apply but no financial services licensing required.
Grey zone — assess carefully

Developer running a public DeFi front-end

A developer builds and operates a publicly accessible website that routes swaps through a third-party AMM protocol, earns a 0.05% interface fee on each transaction, and has no custody of user funds.

T2 (exchange — facilitation) and T5 (commercial conduct) may both apply. MiCA scope for front-end operators is actively debated. Legal analysis recommended before launch.
Grey zone — assess carefully

Informal "group buy" organiser

A crypto enthusiast pools funds from 12 friends to collectively buy a token, holds the pooled wallet themselves, and distributes gains. No fees charged, personal relationship with all participants.

T1 (custody of third-party assets) is clearly met. The "business" test may fail on scale and commercial intent — but collective investment scheme rules may apply even without a formal business structure.
Regulated — licence required

Crypto signals Telegram group with paid subscription

A person operates a Telegram group charging €50/month for "buy/sell signals" on crypto assets, with 800 paying subscribers. Personalised recommendations made on specific assets.

T5 (commercial conduct) clearly met. Investment advice on specific assets to paying subscribers — requires investment adviser authorisation in EU and UK. FCA financial promotion rules apply immediately.
Regulated — licence required

P2P exchange platform with escrow service

A business operates a platform connecting buyers and sellers of crypto assets directly, holds funds in escrow during transaction, charges a 1% completion fee, and has 5,000 users.

T1 (custody — escrow), T2 (exchange — matching/facilitation), and T5 (commercial scale) all clearly met. CASP/FCA/FinCEN MSB registration required across relevant jurisdictions.
Regulated — licence required

DAO with discretionary treasury management

A DAO accepts ETH contributions from token-holders, a core team makes discretionary investment decisions on how to deploy the treasury, and returns are distributed to token-holders quarterly.

Likely constitutes a collective investment scheme. T1 (custody of third-party assets), T5 (commercial/systematic conduct). Investment fund or CASP authorisation likely required in EU; fund registration required in US for US-person investors.
Commercial activity assessment: quick-check matrix
Factor Personal activity Grey zone Commercial activity
Third-party customer assets involved
?
Fees or spread charged to customers
?
Public-facing website or platform
?
Regular, repeated transactions
Occasional
Frequent
Systematic
Marketing or customer acquisition activity
Limited
Active
Primary source of income
No — incidental
Partial
Yes — primary

Practical guidance: if your activity checks two or more boxes in the "commercial activity" column of the matrix above — and particularly if it involves third-party customer assets — you should treat the activity as regulated and conduct a formal licensing analysis before continuing to operate. The default position should not be "we are probably not regulated" — it should be "we need to confirm whether we are regulated, and here is the documented legal basis for our conclusion."

The commercial activity test is fact-sensitive and jurisdiction-specific. What tips a grey zone activity into regulated territory in the UK (where the "by way of business" test is interpreted broadly) may not do so under US FinCEN guidance (which focuses more narrowly on money transmission). Section 4 addresses the specific threshold rules and exemption frameworks that apply in each major jurisdiction.

Section 4 — Jurisdiction-Specific Threshold Rules and Safe Harbours

Once you have identified which triggers apply to your activity and confirmed that the commercial activity threshold is met, the final question is: what does the specific jurisdiction require, and are any exemptions or safe harbours available? Each of the major regulatory regimes sets its own threshold rules — some based on customer numbers, some on transaction volumes, some on the nature of the counterparty, and some on the geographic scope of the business. This section covers the specific threshold and exemption rules for the EU, UK, US, UAE, and Singapore.

🇪🇺

European Union — MiCA thresholds and exemptions

Full application from December 2024 · National competent authority (NCA) regulates in each member state

MiCA applies to crypto-asset service providers that offer services to EU clients on a professional basis — "professional basis" is not defined by a volume or revenue threshold, but is assessed qualitatively as commercial, systematic, and recurring activity for remuneration. The primary exemptions that reduce licensing burden under MiCA are as follows:

Trigger: professional basisCommercial, systematic, recurring activity for economic advantage — no fixed threshold
Small offering exemption<€1M public offering in 12 months — white paper optional (simplified notice possible)
Transitional periodExisting national VASP-registered businesses: up to 18 months from full MiCA application in their member state
Available exemptions and carve-outs
  • Purely intra-group services (parent to subsidiary) — not CASP activity
  • Truly unique NFTs — excluded from MiCA scope entirely
  • Closed-loop tokens with no exchange value outside the issuer's network
  • Crypto-asset mining and validation conducted for own account — not regulated
  • Small public offerings (below €1M in 12 months) — reduced disclosure; no white paper required for genuinely small offers
  • Reverse solicitation — services provided exclusively at client's own initiative (very narrow and strictly interpreted by ESMA)
🇬🇧

United Kingdom — FCA "by way of business" threshold

FCA registration under MLRs · Financial promotions regime in force since October 2023 · Full authorisation regime in development

In the UK, FCA registration for cryptoasset businesses applies to any firm carrying on cryptoasset exchange or custodian wallet activities "by way of business" in the UK. "By way of business" is assessed through the FCA's PERG guidance — which focuses on commercial intent, regularity, and whether the activity is conducted as a commercial enterprise. There is no fixed volume or customer threshold.

The financial promotions regime applies independently of whether the firm is registered: any communication that is a financial promotion for a qualifying cryptoasset must be approved by an FCA-authorised firm or issued by a registered cryptoasset business. This means even unlicensed businesses must comply with promotions rules or face criminal liability under FSMA 2000.

Registration trigger"By way of business" — commercial, regular, profit-seeking activity in the UK
Promotions triggerAny communication inviting UK persons to engage with qualifying cryptoassets — no commercial threshold
Criminal exposureOperating without FCA registration = criminal offence under MLRs; unapproved promotions = criminal offence under FSMA
Available exemptions
  • Overseas firms with no UK customer activity (reverse solicitation is narrow — active UK marketing defeats this)
  • Activities not within the definition of "cryptoasset exchange provider" or "custodian wallet provider" under UK MLRs
  • Financial promotions communicated exclusively to professional investors under the financial promotions exemption order
🇺🇸

United States — FinCEN "as a business" + SEC / CFTC thresholds

Multi-agency framework · FinCEN BSA applies to MSBs · SEC applies Howey to security tokens · CFTC covers derivatives

FinCEN defines a Money Services Business (MSB) as a person who engages in money transmission "as a business" — meaning the exchange or transfer of value is not merely incidental to another primary business. FinCEN has explicitly stated there is no de minimis threshold for MSB status based on transaction volume or dollar amount — even a single transaction as an unlicensed money transmitter can constitute a violation of 18 U.S.C. § 1960.

At the state level, most states require separate money transmitter licences (MTLs) for businesses engaging in crypto exchange or transfer. New York's BitLicence requires any virtual currency business activity involving New York residents — not just New York businesses. Serving a single New York customer without a BitLicence may constitute a violation.

FinCEN MSB triggerAny exchange or transfer of value "as a business" — no de minimis volume threshold
SEC triggerAny public offering of a security token — regardless of amount. Reg D exemption for private placements to accredited investors.
NY BitLicenceApplies to any virtual currency business activity involving NY residents — customer location based, not business location
Available exemptions
  • Non-custodial software providers — FinCEN has confirmed that developers of non-custodial software are generally not MSBs
  • SEC Reg D / Rule 506(b) — private placements to accredited investors with no general solicitation; Form D filing required
  • SEC Reg S — offers made exclusively to non-US persons outside the US with no directed selling efforts into the US
  • Intragroup transactions — value transfers between entities in the same corporate group are generally not money transmission
🇦🇪

UAE (Dubai) — VARA activity-based threshold

VARA applies to all virtual asset activity in Dubai · Activity-based licensing; separate retail and institutional authorisations

VARA's regulatory scope applies to any natural or legal person conducting virtual asset activities in or from Dubai as a business — regardless of incorporation location. VARA does not publish a transaction volume threshold for licensing; the threshold is qualitative (commercial, systematic, for profit). VARA distinguishes between Institutional Authorisation (B2B only, professional counterparties) and Retail Authorisation (retail customer-facing operations), providing a structural pathway for institutional-only businesses to access a lighter-touch authorisation.

Licensing triggerAny virtual asset activity "as a business" in Dubai — qualitative threshold, no fixed volume floor
Institutional vs. retailInstitutional authorisation available for B2B/professional counterparty services — lighter than retail
Free zone noteDIFC and ADGM have their own regulatory frameworks separate from VARA — businesses in those free zones follow DFSA/FSRA rules
Available exemptions
  • DIFC-licensed businesses may operate under DFSA rules rather than VARA (separate framework)
  • ADGM-licensed businesses operate under FSRA rules (Abu Dhabi separate jurisdiction)
  • Pure technology providers (infrastructure, software, no customer-facing VA activity) — not within VARA scope
🇸🇬

Singapore — MAS PSA thresholds and SPI/MPI distinction

Payment Services Act · Standard PI vs. Major PI distinction · DPT services licensing

Singapore's PSA applies to any person who provides payment services in Singapore as a business. For Digital Payment Token (DPT) services — which cover crypto exchange, transfer, and custody — a licence is required unless an exemption applies. The SPI/MPI distinction provides a volume-based threshold: businesses operating below specified monthly transaction volumes and e-money floats may qualify for a Standard Payment Institution licence, with lighter capital requirements than the Major PI licence.

SPI thresholdMonthly transactions <SGD 3M (DPT services); e-money float <SGD 5M
MPI thresholdAbove SPI thresholds → Major PI licence required; SGD 1M base capital
In-principle approvalMAS grants IPA before full licence; business can operate during IPA period under certain conditions
Available exemptions
  • Businesses that received MAS exemption under the transitional provisions of the PSA may continue operating under those terms pending full licence determination
  • Services provided only to institutional counterparties (accredited investors) under certain conditions
  • Pure software / non-custodial technology providers who do not take custody or control of customer funds

Safe Harbour Summary: Key Exemptions Across Jurisdictions

Exemption type EU (MiCA) UK (FCA) US (FinCEN/SEC) UAE (VARA) Singapore (MAS)
Institutional / professional only Narrow — strict controls Available — eligible counterparty Yes — Reg D for accredited investors Yes — Institutional Authorisation Possible — conditions apply
Small volume / offering threshold Yes — <€1M in 12 months No fixed volume threshold No — FinCEN has no de minimis No published threshold Yes — SPI thresholds apply
Non-custodial / technology provider Debated under MiCA Depends on activity Yes — FinCEN confirmed for non-custodial software Yes — pure tech providers excluded Yes — non-custodial tools excluded
Intra-group transactions Yes — not CASP activity Generally not "by way of business" Yes — FinCEN exempts intra-group Case-specific Case-specific
Overseas / reverse solicitation Very narrow — ESMA strict interpretation Narrow — UK marketing defeats it Yes — Reg S for non-US persons Not published — no reliable safe harbour Limited — MAS scrutiny of overseas firms
Regulatory Assessment Framework

Conclusion: A Six-Step Framework for Assessing Your Regulatory Status

Determining whether crypto activity is regulated is not a single question — it is a structured analytical process that moves through trigger identification, asset classification, commercial activity assessment, jurisdiction mapping, and exemption analysis. The following six-step framework distils this guide into a practical decision process for founders, compliance leads, and in-house legal teams.

1

List every activity your business performs

Be precise and comprehensive. Include exchange, custody, payment, issuance, advice, staking, lending, and protocol operation. Do not describe activities by their commercial label — describe what actually happens technically and economically. Each activity is assessed independently.

2

Apply the five trigger test to each activity

For each activity: does it involve custody of third-party assets (T1)? Exchange facilitation (T2)? A public offering (T3)? Holding-out conduct (T4)? Is it conducted systematically and commercially (T5)? Any trigger present warrants regulatory analysis before the activity continues or launches.

3

Classify each asset involved

For each crypto asset your business handles: is it a security (Howey test in the US; MiFID II in EU), an e-money token, an asset-referenced token, a commodity, or a utility token? Classification determines which regulatory body has jurisdiction and which licence is required.

4

Assess whether the commercial activity threshold is met

Apply the five-factor commercial activity test: customer relationships, profit-seeking intent, frequency, public-facing conduct, and income proportion. Where the threshold is met, proceed on the basis that licensing obligations exist. Where genuinely uncertain, treat the activity as regulated until proven otherwise.

5

Map your jurisdictional exposure

Identify every jurisdiction where you have customers, marketing activity, or operational presence. For each: identify the applicable licensing regime, the regulator, and whether any exemptions apply to your specific activity and customer profile. Build a jurisdiction-activity matrix as a living compliance document.

6

Obtain jurisdiction-specific legal advice and implement

This framework produces a picture of your likely regulatory obligations — it does not replace jurisdiction-specific legal advice for each regime where obligations may exist. Commission formal legal opinions in your primary jurisdictions before launch, and review annually or whenever the business model changes.

The most important insight from this guide is that the question "are we regulated?" has a default answer for most businesses that operate platforms, hold customer assets, or generate revenue from crypto-related services: yes, in at least one jurisdiction, almost certainly. The productive question is not whether regulation applies — it is which regimes, which licences, and in what sequence to obtain them. For businesses that have identified a licensing obligation and are ready to take the next step, WCR Legal's crypto licensing services provide regulatory assessment, jurisdiction selection, and full application support across the major crypto licensing regimes.
Tag
Oleg Prosin

Oleg Prosin is the Managing Partner at WCR Legal, focusing on international business structuring, regulatory frameworks for FinTech companies, digital assets, and licensing regimes across various jurisdictions. Works with founders and investment firms on compliance, operating models, and cross-border expansion strategies.

view all posts

Related Posts