Case / AIFC
CASP license (AIFC): regulatory positioning and licensing roadmap
A practical outline of how we typically structure a CASP licensing track in the AIFC: from model mapping and
perimeter analysis to policies, governance, and regulator-ready documentation.
Public version is simplified and anonymised. In a private call we can show “closest matches” based on your
services (exchange / brokerage / custody / OTC), geographies and risk profile.
Snapshot
Jurisdiction
AIFC (Kazakhstan)
AFSA regulatory perimeter
Model
B2B / Pro investors
Controlled access, no public retail
Route
Phased licensing
From positioning to full submission
Core deliverables
Policies + governance
AML, onboarding, risk, BCP
Perimeter analysis
Licensing roadmap
AFSA Q&A readiness
Compliance stack
Context
What the client needed
Most CASP projects fail not because of “documents”, but because the model is not mapped correctly to the regulator’s
expectations and operational reality (users, assets, custody, controls, banking).
Initial situation
- Crypto services planned for professional / corporate customers (OTC / brokerage / conversion).
- Cross-border flows, multiple fiat rails, and external liquidity / custody providers.
- Need to avoid accidental “retail/public offering” positioning.
- Investor/banking readiness required alongside regulator readiness.
B2B focus
Third-party providers
High compliance visibility
Key questions we answered
- Which activities fall into CASP scope and which can stay outside the perimeter.
- Where custody happens (and how it is documented and controlled).
- How onboarding, suitability/appropriateness and KYB/KYC are built for the target user group.
- What “minimum viable” policies are not enough and what AFSA typically expects to see.
Output is always model-driven: we write documents from real flows (user journey, asset movement, control points),
not from generic templates.
Workstream
How the case was structured
A typical CASP track is a sequence: define the perimeter → design target operating model → build governance and policies →
prepare submission materials and Q&A package.
Step 01
Positioning
Regulatory perimeter & model mapping
Mapped services to regulated activities, defined exclusions, and fixed “retail/public” risk at the level of UX and marketing.
- Activities map and assumptions
- User eligibility and access rules
- Asset flow & custody diagram
Step 02
Operations
Target operating model & control points
Converted the business idea into operational reality: roles, segregation of duties, approvals, monitoring, and reporting.
- Governance and key functions
- Outsourcing / vendor controls
- Incident and escalation routes
Step 03
Compliance
Policies and procedures pack
Drafted core compliance stack aligned with the chosen model and providers, including onboarding and transaction monitoring logic.
- AML / KYC / KYB policy
- Onboarding procedures
- Risk management framework
Step 04
Resilience
BCP and IT / security narrative
Built a clear story on how systems, access control, audit trails, back-ups and continuity work together for a regulated firm.
- Business Continuity Plan
- IT controls and data handling
- Incident response workflow
Step 05
Submission
Submission readiness & Q&A pack
Prepared the project for regulator dialogue: anticipated questions, clarified “grey areas”, and packaged materials consistently.
- Regulator-ready explanations
- Document set consistency checks
- Q&A / clarifications prep
Step 06
Public layer
Website / disclosures alignment
Ensured the public-facing layer does not contradict the licensing narrative: wording, disclaimers, risk disclosures, and user terms.
- Risk disclosures
- Terms / platform rules
- Marketing compliance notes
Deliverables
What the client received
Exact scope varies, but the structure below is a typical “regulator-ready” pack for CASP-style projects.
Core pack
- Perimeter analysis and activity mapping (what is regulated and why).
- Target operating model: roles, controls, outsourcing and governance.
- AML / KYC / KYB policy + onboarding procedures (incl. monitoring logic).
- Risk management framework and internal reporting logic.
- Business Continuity Plan (BCP) and IT/security narrative.
Regulator dialogue readiness
- Regulator Q&A preparation and narrative consistency checks.
- Gap list: what must be implemented in product/ops before submission.
- Public-facing alignment: terms, disclosures, and user communications.
- Vendor / provider checks: what to request from custody/liquidity partners.
В реальности это сильно экономит время: AFSA чаще всего “копает” именно в противоречиях между моделью,
IT, документами и тем, что написано на сайте.
FAQ
Common questions for CASP (AIFC)
Short answers in public format. For your exact model we normally give a structured memo.
Can we start as “B2B only” and avoid retail obligations?
Often yes, but “B2B” must be reflected everywhere: eligibility rules, onboarding, website wording,
and how you handle marketing and access. If public onboarding exists, the regulator can treat it differently.
Do we need full policies before we have a finished product?
You need policies that match the reality you claim. If product is incomplete, we build a phased approach:
minimum viable controls now + a controlled implementation plan with deadlines and owners.
Is outsourcing (custody, screening, liquidity) acceptable?
Usually yes, but outsourcing requires strong oversight, documented due diligence, and clear responsibility allocation.
We structure vendor clauses and internal procedures around it.
What typically causes delays?
Contradictions: website/marketing says one thing, documents say another, and operations cannot support either.
The fastest route is consistent mapping: model → controls → documents → public layer.
Want a CASP route mapped to your exact model?
Send 5–7 bullet points about your services (exchange/OTC/brokerage/custody), target clients (B2B/retail),
geographies, fiat rails and providers. We will respond with a realistic licensing path and a document/implementation plan.
You do not need to disclose sensitive details in the first message. A high-level model description is enough.
Best fit if you:
- Need a regulator-ready perimeter analysis (what is in / out of scope).
- Want a phased approach: lighter launch → upgrades → full readiness.
- Have third-party custody/liquidity and need proper oversight framework.
- Need consistency between ops, IT, policies and public website claims.
AIFC licensing is less about “forms” and more about the logic of your operating model.
We build that logic and package it coherently.