Ongoing Compliance for Crypto Companies: Retainer vs One-Off

⚖️ Compliance · VASP Guide

When a one-off compliance project is enough — and when you need ongoing support. What a compliance retainer covers, what it costs, and how to structure it at different stages of your VASP.
📅 2 May 2026 · ⏱ ~7 min read · ⚖️ Compliance · 🏦 VASP Operations
In this article (5 sections · ~7 min)
1. One-off vs retainer: making the right choice (when each approach is appropriate)
2. What a compliance retainer covers (the scope of ongoing compliance support)
3. The real cost: compliance vs non-compliance (why the comparison matters)
4. Compliance subscription by stage (early-stage, growth, and licensed VASP)
5. Setting up your compliance retainer (what to include and how to structure it)
⚖️ Section 1

One-off vs retainer: making the right choice

The right compliance model depends on where you are, what your regulatory obligations are, and how quickly your business is changing. Not every company needs a compliance retainer — but once you cross certain thresholds, a one-off approach becomes a liability, not a saving.
✅ One-off project is sufficient when
Appropriate for specific, bounded compliance work

📋 Pre-launch compliance setup
Initial AML/KYC policy, compliance manual, and privacy notice for a platform that is not yet live and does not yet have regulatory obligations. One-off work with defined deliverables and a clear endpoint.

📋 Licence application preparation
Preparing the regulatory application package for FSC, VARA, or MAS — a project with defined deliverables. Retainer not needed until post-approval.

📋 Policy refresh or audit
Updating AML/KYC policy following a regulatory change, or conducting a compliance audit following a change of business model. A discrete, bounded project.

📋 Responding to a regulator query
Preparing a response to a specific supervisory authority query or information request. A one-off project with a defined deadline and deliverable.
🔄 Retainer is necessary when
Ongoing obligations that do not have an endpoint

🔄 You hold a regulatory licence
Licensed VASPs have ongoing obligations: regulatory reporting, supervisory correspondence, annual returns, policy maintenance, and staff training. These are continuous — not project-based.

🔄 You have a compliance officer vacancy or gap
If your compliance officer leaves, is not yet qualified, or is part-time, a retainer provides the continuous function — MLRO, regulatory reporting, and policy maintenance.

🔄 Your regulatory environment is changing
Launching in a jurisdiction undergoing regulatory transition (MiCA, new VARA rules, FSC updates) requires continuous monitoring and policy updates.

🔄 You are growing and onboarding new client segments
New client types or new jurisdictions require AML/CFT risk reassessment, policy updates, and potentially enhanced due diligence procedures. Growth creates compliance obligations continuously.
💡 The inflection point
The right moment to move from one-off to retainer is typically when you receive your licence or when you reach 500+ KYC’d customers — whichever comes first. At that point, compliance is no longer a project: it is an operational function that needs to run continuously.
📋 Section 2

What a compliance retainer actually covers

A compliance retainer is not a hotline. It is a structured ongoing service that covers the recurring compliance obligations of a licensed or regulated VASP — so that those obligations are met continuously, not in reactive bursts.
Retainer scope: eight core service areas of an ongoing compliance engagement
Ongoing AML/CFT monitoring and reporting
Monthly review of transaction monitoring alerts. SAR drafting and submission where required. Periodic AML/CFT compliance reports for the board and regulators. MLRO function where no internal MLRO is in place.
Regulatory update tracking and policy maintenance
Monitoring regulatory publications, FATF guidance, NCA updates, and jurisdiction-specific rule changes. Updating AML/KYC policy, compliance manual, and risk appetite statement as required.
Regulator correspondence and supervisory liaison
Drafting responses to supervisory authority queries, information requests, and annual compliance certifications. Managing relationships with NCAs, FSC, VARA, or other relevant regulators.
Ad-hoc compliance advisory and escalations
On-demand advice on specific compliance questions as they arise: new product launches, new client types, cross-border expansion, specific transaction queries. A retainer client gets a same-day or next-day response.
Staff training and compliance culture
Quarterly or bi-annual AML/CFT training for customer-facing staff, operations, and management. Training on red flags, transaction monitoring, escalation procedures, and data protection. Documented training records.
Risk reassessment and business risk review
Annual reassessment of your business risk profile: customer risk, product risk, geographic risk, channel risk. Updating the risk framework to reflect business changes.
Customer due diligence (CDD) review and EDD cases
Periodic review of customer CDD completeness and quality. Second opinion or case management for enhanced due diligence (EDD) cases — high-risk customers, PEPs, customers with complex structures.
Incident response and breach management
If a compliance incident occurs — a data breach, a missed SAR, a regulator query outside the normal cycle — the retainer covers the response. This is the insurance function of a retainer.
📌 What a retainer is not
A compliance retainer is not a licence to outsource your entire compliance function without oversight. The licensed entity remains responsible for compliance — the retainer provides the expertise, the function, and the documentation. You need an internal point of contact who manages the relationship and signs off on compliance decisions.
💰 Section 3

The real cost: compliance vs non-compliance

The cost of a compliance retainer looks large until you compare it to the cost of what it prevents. Here are the numbers that frame the decision.
EUR 12K: typical annual compliance retainer cost for an early-stage VASP (EUR 1,000–2,000/month depending on scope)
EUR 50K+: minimum fine for AML/CFT failings from European regulators (most enforcement actions are EUR 100K–5M+)
6–18 months: typical remediation timeline after a regulatory enforcement action, during which the business is partially or fully restricted
3–5×: cost multiplier of reactive compliance vs proactive (fixing compliance problems under regulatory pressure costs more)
The calculus is straightforward: a compliance retainer at EUR 12,000–30,000 per year provides ongoing AML/CFT function, regulatory monitoring, and incident response. A single enforcement action costs multiples of that in fines, remediation, legal fees, and business disruption. The retainer is not a cost: it is insurance against a much larger, unpredictable cost.
📈 Section 4

Compliance subscription structure by stage

The right compliance subscription looks different at each stage of your VASP’s development. Here is how to structure ongoing compliance support as you scale from pre-licence through to a fully licensed, growing operation.
🌱 Stage 1: Early-stage VASP (pre-licence or in application process)
What you need: Light monthly retainer focused on policy maintenance, regulatory monitoring, and pre-licence compliance readiness. Not yet full MLRO function — you are building toward a licence, not operating under one.
Typical scope: Monthly regulatory update brief. Quarterly policy review. Application support (query responses, regulator correspondence). Pre-examination readiness assessment when approaching in-principle approval.
Typical cost: EUR 800–1,500/month. This is the minimum viable compliance support for a company building toward a licence.
📈 Stage 2: Growth-stage VASP (licensed, scaling, 200–2,000 customers)
What you need: Full ongoing compliance function — MLRO support or nominee, monthly AML/CFT review, policy maintenance, and regulatory correspondence. This is the core compliance retainer for a licensed VASP that does not yet have a full internal compliance team.
Typical scope: MLRO function (nominee or support). Monthly transaction monitoring review. SAR drafting. Quarterly staff training. Annual risk reassessment. Regulatory update tracking and policy updates. Regulator correspondence management.
Typical cost: EUR 2,000–4,000/month. This is the sweet spot for most licensed VASPs between Series A and Series B.
🏢 Stage 3: Licensed VASP at scale (MiCA/VARA licensed, building internal team)
What you need: External compliance advisory alongside an internal compliance team — second opinions on EDD cases, senior advisory on complex regulatory questions, and external perspective on internal policies.
Typical scope: Senior compliance advisory (10–20 hours/month). Complex EDD case review. Regulatory strategy (licence expansions, new jurisdictions). Supervisory examination preparation. External quality review of internal compliance function annually.
Typical cost: EUR 3,000–6,000/month for senior advisory retainer. The value is not volume — it is access to experienced judgment on complex, high-stakes compliance decisions.
⚠️ The gap between stages
The most dangerous compliance position is a company that has grown from Stage 1 to Stage 2 without upgrading the compliance support. A Stage 1 compliance retainer applied to a Stage 2 VASP is a regulatory gap. Review your compliance support every time you reach a new milestone.
🚀 Section 5

Setting up your compliance retainer

What to include in a compliance retainer engagement, how to structure the relationship, and what to look for when choosing a compliance provider.
📋 Five things to define before you sign a compliance retainer
Get these right and the engagement runs smoothly
1. Define scope precisely — what is in and what is out
Avoid scope creep and unmet expectations
Compliance retainers fail most often because of unclear scope. Define exactly what is covered: how many hours of advisory per month, which specific obligations (MLRO function, SAR filing, training), which jurisdictions, and which products. Anything outside the defined scope should be quoted separately.
2. Identify your internal compliance point of contact
You must have someone accountable internally
A compliance retainer is not a substitute for internal accountability. You need a named internal contact who owns the compliance function — reviews outputs, signs off on policies, and manages the escalation path. This can be the CEO or COO at early stage, but must be someone senior enough to make compliance decisions.
3. Agree on response times and escalation paths
Critical for incident response
Define how quickly the retainer provider responds to: routine queries (24 hours), urgent compliance questions (4 hours), regulatory emergency (immediate). Define what constitutes a “regulatory emergency” — a supervisory authority on the phone is one; a new FATF guidance paper is not.
4. Build in a quarterly review cycle
Compliance needs evolve with the business
The compliance retainer should include a quarterly review: what has changed in the regulatory environment, what has changed in the business, and whether the current retainer scope still matches the current compliance obligation. Many companies stay on the same retainer for 2 years while their regulatory obligations have doubled.
5. Require a compliance calendar and documented deliverables
Accountability and audit trail
A compliance retainer should produce a documented compliance calendar at the start of each year — listing every recurring obligation, its deadline, who is responsible, and the output format. When a regulator asks “what does your compliance function do?”, the answer should be a folder of deliverables, not a verbal description of a retainer arrangement.
Structure your compliance as an ongoing function — not an afterthought
Our compliance subscription covers AML/CFT monitoring, MLRO function, regulatory update tracking, policy maintenance, staff training, and regulator correspondence — for VASPs at every stage from pre-licence through to MiCA and VARA licensed operations.

Oleg Prosin is the Managing Partner at WCR Legal, focusing on international business structuring, regulatory frameworks for FinTech companies, digital assets, and licensing regimes across various jurisdictions. He works with founders and investment firms on compliance, operating models, and cross-border expansion strategies.
