Do You Need a Crypto License? A Practical Checklist for Crypto Businesses
Regulatory obligations for cryptocurrency businesses are expanding rapidly across every major jurisdiction. This guide breaks down which activities trigger licensing, where in the world those obligations apply, and how to conduct a structured compliance assessment before you launch — or before your regulator contacts you first.
Introduction — The Licence Question Every Crypto Business Faces
For most of crypto's first decade, the standard advice for new projects was straightforward: build quickly, launch globally, and treat regulation as a problem for later. That approach worked — for a while — because regulators were slow, frameworks were absent, and enforcement was rare. None of those conditions remain true in 2024. Crypto is now one of the most actively regulated sectors in financial services, with specific licensing regimes in force across the European Union, the United Kingdom, the United States, Singapore, the UAE, and dozens of other jurisdictions.
The question "do we need a licence?" is no longer a regulatory formality. It is one of the most consequential legal questions a crypto business can face — and the answer is rarely simple. Whether a licence is required depends on what activity your business performs, who your customers are, what assets you deal in, and in which jurisdiction or jurisdictions your operations have effect. Getting the answer wrong exposes founders, directors, and the company itself to criminal liability, civil penalties, and forced business closure.
"We're a DeFi protocol — we don't need a licence"
"We're incorporated offshore — foreign regulation doesn't apply"
"Our token isn't a security — we don't need SEC registration"
The practical starting point for any crypto business — whether at pre-launch, post-launch seeking to remediate, or scaling into new markets — is a structured assessment of its licensing obligations. That assessment requires understanding three things: which activities you perform, which jurisdictions you operate in or serve customers in, and how regulators in those jurisdictions characterise those activities. This guide provides the framework for conducting that assessment.
Common assumptions:
- Crypto is effectively unregulated in most jurisdictions
- Offshore incorporation eliminates licensing exposure
- DeFi is outside the scope of financial regulation
- NFTs are art — not financial instruments
- AML/KYC requirements don't apply to crypto exchanges
- Staking rewards are not regulated financial products

Regulatory reality:
- Licensing regimes in force across EU, UK, US, Singapore, UAE, and 50+ other jurisdictions
- Regimes apply by reference to customer location, not incorporation
- DeFi operators face CFTC, SEC, and MiCA obligations in multiple jurisdictions
- NFTs with investment characteristics may be classified as financial instruments
- VASP registration and FATF Travel Rule compliance required in most major markets
- Staking-as-a-service flagged as potential security offering (SEC v. Kraken)
The term VASP — Virtual Asset Service Provider — was introduced by the Financial Action Task Force (FATF) in its 2019 guidance and has since been adopted as the basis for licensing and registration frameworks in the EU (MiCA), the UK (FCA), the UAE (VARA), and numerous other jurisdictions. A VASP is broadly any natural or legal person that, as a business, provides services involving the exchange, transfer, safekeeping, or administration of virtual assets, or that participates in or provides financial services related to a virtual asset offering.
Why this matters: if your business falls within the VASP definition in a jurisdiction, you are very likely subject to that jurisdiction's registration, licensing, AML, and customer due diligence obligations — regardless of whether you have physically registered a legal entity there. The VASP definition is deliberately broad. Most businesses that handle crypto assets in some capacity will meet it.
Four factors determine whether your business needs a licence — and what type:
Activity performed
The specific service you provide — exchange, custody, payments, issuance, advice — determines which regulatory category you fall into. Different activities attract different licences, and some activities attract multiple licensing obligations simultaneously.
Customer jurisdiction
Most licensing regimes apply based on where customers are located. Serving EU customers after December 2024 brings MiCA into scope. Serving US customers may trigger FinCEN, SEC, or CFTC obligations. Customer location is frequently more important than business location.
Asset type
How a crypto asset is legally classified — as a commodity, a security, an e-money token, an asset-referenced token, or a utility token — determines which regulatory framework applies. Classification is jurisdiction-specific and is often disputed. Bitcoin and Ether are treated differently from tokens issued by a company to investors.
Business scale and structure
Some licensing regimes contain thresholds — de minimis exemptions, professional investor carve-outs, or public offer thresholds — that may exclude smaller operations. Others apply regardless of scale. Understanding which exemptions exist, and whether your business qualifies for them, is part of the licensing assessment.
The sections that follow address each of these factors systematically: which activities trigger licensing obligations; how those obligations apply across the major regulatory jurisdictions; a practical checklist for conducting your own assessment; and what happens to businesses that operate without the required licences.
Section 1 — Which Crypto Activities Trigger a Licensing Requirement?
The licensing obligation does not follow the asset — it follows the activity. A business that simply holds Bitcoin for its own account is not providing a regulated service. A business that holds Bitcoin on behalf of third-party customers is providing custody — a regulated activity in almost every jurisdiction with a crypto licensing framework. The same asset, different activities, entirely different regulatory exposure. Understanding the activity-level analysis is the first step in any licensing assessment.
Six categories of activity account for the vast majority of licensing triggers across major jurisdictions. Each carries distinct obligations, distinct regulator attention, and distinct penalty exposure when operated without required authorisation.
Exchange and trading services
Operating a platform that allows customers to buy, sell, or exchange crypto assets against fiat currency or against other crypto assets is the most heavily regulated crypto activity across every major jurisdiction. This includes centralised exchanges (CEXs), crypto-to-fiat on/off ramps, OTC desks, and peer-to-peer exchange platforms where the operator facilitates matching.
The regulatory logic is that exchange services control the gateway between traditional finance and crypto — and are therefore the highest-priority target for AML/KYC obligations and investor protection requirements.
Custody and safekeeping
Holding, storing, or controlling crypto assets — private keys, wallets, or custody accounts — on behalf of third parties is a regulated activity in the EU, UK, US, Singapore, and UAE. This includes exchange wallets, institutional custody services, multi-signature wallet operators where the operator controls a key, and wallet-as-a-service providers where assets are held on behalf of end users.
Self-custodied wallets — where the user retains full control of their private keys — are generally not regulated from the operator's perspective, though they may require Travel Rule compliance in certain contexts.
Crypto payments and money transmission
Facilitating the transfer of crypto assets between wallets — whether as a payment processor, crypto remittance service, or value transfer layer — falls within money transmission in most jurisdictions. In the US, this triggers federal FinCEN Money Services Business (MSB) registration and state-level Money Transmitter Licence (MTL) requirements in most states.
Notably, the payment of employees or contractors in crypto, and the processing of crypto payments as a merchant acquirer, may also attract money transmission obligations in some jurisdictions depending on whether the operator takes custody of assets in transit.
Token issuance and ICOs
Issuing and offering tokens to the public can trigger securities regulation, prospectus requirements, or token-specific disclosure obligations depending on how the token is classified. Tokens that are sold to investors with an expectation of profit from the issuer's efforts (Howey test in the US) are treated as securities. Asset-referenced tokens and e-money tokens under MiCA require specific authorisation before public offering.
The structure of the token sale — whether conducted via a public ICO, SAFT, or private placement — does not determine the classification. The economic substance of the arrangement determines whether securities or token-offering rules apply.
Staking-as-a-service and yield products
Offering customers the ability to stake crypto assets in return for yield — whether through a centralised staking product, a liquid staking protocol operated by a company, or a yield-bearing account — has attracted regulatory attention in multiple jurisdictions. The SEC's enforcement action against Kraken's staking programme in 2023, resulting in a $30 million settlement and cessation of US staking services, established a high-profile precedent that staking-as-a-service may constitute an unregistered securities offering.
Yield products backed by lending or DeFi strategies are similarly exposed to securities classification, and the UK FCA's financial promotions regime applies to communications about staking yields offered to UK consumers.
NFTs and digital collectibles
NFTs are explicitly carved out of MiCA's scope when they are unique and non-fungible — but the carve-out does not apply to fractionalised NFTs, NFTs that are fungible in practice (large collections of identical tokens), or NFTs that represent financial instruments. ESMA has indicated it will provide guidance on borderline NFT cases.
In the US, the SEC has signalled that NFTs structured as investment products — for example, royalty-bearing NFTs where buyers expect income from the issuer's efforts — may constitute securities. An NFT that is purely a digital art collectible with no financial mechanics faces very limited licensing exposure; an NFT that is a fractional interest in a revenue-generating asset almost certainly does not enjoy that limited exposure.
- DeFi protocols with a controlling operator: Where a company develops, controls, upgrades, or profits from a DeFi protocol, regulators in the US and EU have taken the position that the operator may be subject to licensing obligations — particularly if the protocol facilitates exchange, lending, or asset management functions.
- Crypto lending and borrowing platforms: Platforms that accept crypto assets from depositors and lend them to borrowers — effectively operating as banks — face securities classification risk in the US (BlockFi, Celsius enforcement actions) and potential e-money or credit institution licensing obligations in the EU.
- Crypto derivatives and leveraged products: Offering leveraged trading, perpetual contracts, or options on crypto assets triggers derivatives regulation — CFTC oversight in the US and MiFID II in the EU — regardless of whether the underlying asset is a commodity or security.
- Crypto investment advice and portfolio management: Providing personalised recommendations on which crypto assets to buy or sell — whether through a platform, a newsletter, or automated signals — may constitute investment advice under MiFID II / UK FCA regulations, requiring authorisation as a financial adviser or investment firm.
| Activity | EU MiCA licence | UK FCA regime | US regulatory body | AML / KYC obligation? | Licensing urgency |
|---|---|---|---|---|---|
| Crypto exchange (CEX) | CASP — exchange service | Cryptoasset business registration | FinCEN MSB + state MTLs + potential SEC/CFTC | Yes — mandatory | Immediate |
| Custody / wallet (third-party) | CASP — custody service | FCA registration; safeguarding | State trust charter; SEC custody rule (pending) | Yes — mandatory | Immediate |
| Crypto payments / transfer | CASP — transfer services | FCA registration; may need EMI | FinCEN MSB + state MTLs | Yes — mandatory | Immediate |
| Token issuance (security token) | ART/EMT authorisation or white paper | FCA prospectus / financial promotions | SEC securities registration or exemption | Yes — investor KYC | Pre-launch |
| Staking-as-a-service | Possibly CASP or investment firm | FCA financial promotions; possible authorisation | SEC — active enforcement risk | Likely yes | High |
| DeFi protocol (with operator) | CASP if operator controls protocol | Case-by-case; FCA guidance pending | CFTC / SEC — enforcement active | Possibly yes | Medium–high |
| NFT marketplace (collectibles) | Excluded (unique NFTs) | Generally excluded; financial promotion rules apply | Low risk for pure collectibles | AML registration may apply | Low–medium |
| Crypto investment advice | Investment firm (MiFID II) | FCA investment adviser authorisation | SEC RIA registration if US customers | Yes | High |
The matrix above reflects the general position as of 2024–2025. Regulatory positions on DeFi, staking, and NFTs are developing rapidly — some of these entries will be updated by enforcement action or rulemaking within the next 12 months. The safest approach is always to conduct a jurisdiction-specific legal analysis rather than relying on a general-purpose summary.
Section 2 — Jurisdiction-by-Jurisdiction: What Licences Exist and Who Needs Them
There is no single global crypto licence. Each major jurisdiction has developed its own licensing framework — with its own scope, its own regulator, its own application process, and its own penalty regime for unlicensed operations. What follows is a summary of the five most significant regulatory regimes for crypto businesses with international operations or customers: the EU under MiCA, the UK under the FCA, the United States under multiple federal and state bodies, the UAE under VARA, and Singapore under the MAS.
European Union — Markets in Crypto-Assets Regulation (MiCA)
Regulator: National competent authorities (NCAs) + ESMA oversight · In force: June 2023 (full application from December 2024)
MiCA is the world's most comprehensive horizontal crypto licensing regime, applying across all 27 EU member states. It creates a single licence — the Crypto-Asset Service Provider (CASP) authorisation — that grants a passporting right to operate across the entire EU once issued by any one member state's NCA. This is a material advantage for businesses seeking EU-wide operations: one application, one regulator, one authorisation.
MiCA distinguishes three regulated categories of crypto asset: asset-referenced tokens (ARTs) — stablecoins backed by multiple assets or currencies; e-money tokens (EMTs) — tokens referenced to a single fiat currency; and other crypto assets, which include utility tokens and investment tokens. ARTs and EMTs require specific issuer authorisation. Other crypto assets require a white paper in specified form before public offering.
- Exchange, custody, transfer, portfolio management, crypto advice, and placing/reception of orders are all regulated CASP activities requiring separate authorisation per activity category
- Non-EU businesses serving EU customers must obtain authorisation — there is no "reverse solicitation" exemption for proactive marketing to EU customers
- Transitional arrangements allow existing VASP-registered businesses to continue operating under national regimes for up to 18 months from full MiCA application (country-specific)
- Significant crypto asset service providers face enhanced reporting obligations under DORA (Digital Operational Resilience Act) from January 2025
United Kingdom — Financial Conduct Authority (FCA) Crypto Regime
Regulator: Financial Conduct Authority (FCA) · In force: Phased 2020–2024; full regime in development
The UK has operated a cryptoasset business registration regime since January 2020 under the Money Laundering Regulations (MLRs). This registration — which focuses on AML/KYC controls rather than prudential regulation — is mandatory for any business operating as a cryptoasset exchange provider or custodian wallet provider in the UK. The FCA has been notably strict in this process: as of 2024, approximately 85% of applications were withdrawn or rejected.
The UK is developing a broader cryptoasset regulatory framework that will bring crypto exchanges, custody, and staking within the FCA's full authorisation regime (rather than just AML registration). The financial promotions regime — which requires all crypto communications to UK consumers to be approved by an FCA-authorised firm — has been in force since October 2023, and has resulted in several major exchanges blocking UK users pending compliance.
- Operating as a cryptoasset business in the UK without FCA registration is a criminal offence under the MLRs — not merely a regulatory breach
- The financial promotions regime applies to any communication that invites or induces UK consumers to engage in regulated activity — including social media, websites, and app store descriptions accessible from the UK
- UK stablecoin issuers will be subject to a separate FCA/Bank of England regime once the Financial Services and Markets Act 2023 provisions are fully implemented
United States — Multi-Agency Framework (FinCEN, SEC, CFTC, State MTLs)
Regulators: FinCEN, SEC, CFTC, state regulators · Framework: Overlapping, no single federal crypto licence
The United States has the most complex crypto regulatory environment of any major jurisdiction — multiple federal agencies assert jurisdiction over different aspects of crypto activity, with no single federal licensing framework. The key question is which federal body has jurisdiction, which turns on how the relevant crypto asset is classified (commodity vs. security) and what activity is being performed.
FinCEN regulates money transmission: any business that exchanges or transfers value — including crypto — for customers must register as a Money Services Business (MSB) and comply with Bank Secrecy Act obligations. The SEC claims jurisdiction over crypto assets that are securities (under the Howey test) and over platforms that trade them. The CFTC regulates crypto commodities (principally Bitcoin and Ether) and any derivatives on crypto assets. Additionally, most states require a separate Money Transmitter Licence (MTL) — with New York's BitLicense being the most onerous.
- The SEC has pursued enforcement actions against Binance, Coinbase, Ripple (XRP), Terraform Labs (Luna/UST), and numerous DeFi protocols under its securities jurisdiction — the regulatory risk for US customer-facing services is currently very high
- The GENIUS Act (stablecoin legislation) and FIT21 Act (comprehensive crypto market structure legislation) are moving through Congress as of 2024–2025, potentially creating clearer federal pathways
- Operating as an unlicensed money transmitter in the US is a federal crime carrying up to five years' imprisonment under 18 U.S.C. § 1960
UAE — Virtual Asset Regulatory Authority (VARA) + CBUAE
Regulator: VARA (Dubai) · Central Bank UAE (for payment tokens) · In force: 2023 full regime
The UAE has positioned itself as a crypto-friendly jurisdiction and has built one of the most clearly structured licensing regimes for virtual asset businesses. VARA — the Virtual Asset Regulatory Authority, established in Dubai — operates the primary licensing regime covering the Emirate of Dubai (including DIFC-adjacent activities). Abu Dhabi has a separate regime through ADGM's FSRA. The Central Bank of the UAE oversees payment token (stablecoin) regulation.
VARA licences are structured around specific activity categories — VA Exchange, VA Broker-Dealer, VA Custody, VA Lending & Borrowing, VA Management & Investment, and Advisory Services — and require a separate licence authorisation for each activity. The VARA framework has attracted significant crypto business relocation from other jurisdictions due to its relative speed and clarity compared to EU and US regimes.
- VARA's Retail Authorisation allows customer-facing operations; Institutional Authorisation restricts to professional counterparties only — a useful distinction for B2B-focused businesses
- Free zone operations (DIFC, ADGM) have their own regulatory authorities and are popular for institutional crypto businesses due to their English common law legal framework
Singapore — Monetary Authority of Singapore (MAS) — PSA Regime
Regulator: Monetary Authority of Singapore (MAS) · Framework: Payment Services Act 2019 (amended 2022)
Singapore operates a tiered licensing regime for payment service providers under the Payment Services Act (PSA). For crypto businesses, the key distinction is between a Standard Payment Institution (SPI) licence — for lower-volume operators with transaction and e-money thresholds — and a Major Payment Institution (MPI) licence for operators exceeding those thresholds. Most substantive crypto exchange, custody, and transfer businesses require an MPI licence.
Singapore's MAS has maintained a selective approach to crypto licensing — approving relatively few businesses while maintaining strict AML controls. In-principle approvals are issued before full licences, and the process involves detailed assessment of AML/CFT policies, technology risk management, and governance. Singapore has also restricted retail crypto marketing, limiting crypto businesses from advertising in public-facing spaces.
- Businesses providing DPT (Digital Payment Token) services in Singapore without a PSA licence or exemption are committing an offence under the PSA
- Security token offerings require a separate Capital Markets Services licence and must comply with the Securities and Futures Act — a separate regulatory track from DPT services
The critical insight: none of these regimes operate in isolation for a business with international customers. A Singapore-licensed exchange that serves EU customers after December 2024 is within scope of MiCA. A VARA-licensed exchange that markets to UK consumers needs FCA financial promotion compliance. Global crypto operations almost always require a multi-jurisdiction licensing strategy — not a single licence and a hope that other regulators won't notice.
| Jurisdiction | Licence / regime | Regulator | AML mandatory? | Passportable? | Timeline | Friendliness |
|---|---|---|---|---|---|---|
| EU (all 27 states) | CASP authorisation (MiCA) | National NCA + ESMA | Yes | Yes — EU-wide | 18–24 months | Medium |
| United Kingdom | FCA cryptoasset registration (expanding) | FCA | Yes | No | 12–18 months | Medium — strict |
| United States | FinCEN MSB + state MTLs + SEC/CFTC | FinCEN, SEC, CFTC, state | Yes | No — state-by-state | 1–3 years (full MTL coverage) | Low — enforcement-heavy |
| UAE (Dubai) | VARA activity licences | VARA / CBUAE | Yes | No — UAE only | 6–12 months | High — crypto-friendly |
| Singapore | PSA — Major/Standard PI | MAS | Yes | No | 12–24 months | Medium — selective |
Selecting a primary licensing jurisdiction is a strategic decision for crypto businesses — the choice of where to obtain the first licence affects operational timeline, market access, capital requirements, and the regulatory scrutiny the business will face. Businesses primarily targeting EU markets should prioritise MiCA CASP authorisation. Businesses looking for faster time-to-market in a crypto-friendly environment frequently look first at the UAE or, for Asian markets, Singapore.
Section 3 — The Practical Licensing Checklist: Assess Your Obligations
The following checklist is structured as a four-phase process — moving from activity identification through jurisdiction mapping, exemption analysis, and application preparation. It is intended for use by founders, in-house legal teams, and compliance leads conducting a first-pass assessment of their licensing obligations. It is not a substitute for jurisdiction-specific legal advice, which should be obtained before making any licensing application or business launch decision.
Phase 1 — Map your activities against regulated categories
Determine what you do; whether it is regulated; and which regulatory category applies
Every licensing assessment starts with an honest, precise description of what your business does — not what you call it, not what you wish it were, but what services it provides to third parties and what role it plays in handling their assets. Regulators apply regulatory characterisation based on economic substance, not commercial labelling.
Phase 2 — Map your jurisdictional footprint
Determine which jurisdictions' regulations apply to your business based on customer location and operational presence
Once you have identified your regulated activities, the next step is determining in which jurisdictions those activities are regulated — and whether your business falls within scope. Most regimes apply based on customer location, not business incorporation. The question is not "where are we registered?" but "where do our customers live?"
Phase 3 — Assess available exemptions and de minimis thresholds
Determine whether any exemptions, carve-outs, or transitional arrangements reduce your licensing obligations
Most licensing regimes include exemptions, carve-outs, or transitional provisions that may reduce the immediate licensing burden for some businesses. Identifying applicable exemptions is a critical part of any licensing assessment — but exemptions must be read carefully, because they are often narrow, conditional, and frequently misapplied.
Institutional / professional investor carve-out
Several regimes permit business-to-business crypto services directed exclusively at institutional or professional counterparties without the full retail licensing requirements. MiCA's reverse solicitation exemption and the UK's financial promotions exemption for "eligible counterparties" are examples — but both require strict controls.
De minimis and volume thresholds
Some regimes set volume or revenue thresholds below which a Standard licence (rather than Major) applies, or below which registration rather than full authorisation is required. Singapore's SPI/MPI distinction and some EU member state transitional arrangements are examples. Thresholds change — build a monitoring mechanism.
Transitional arrangements
MiCA includes transitional provisions allowing VASP-registered businesses in EU member states to continue operating under national law for up to 18 months from the date of full MiCA application in their jurisdiction. The duration and conditions vary by member state. These provisions do not apply to new market entrants.
Closed-loop / limited network exemptions
Tokens that are usable only within a single closed system — a gaming platform, a loyalty scheme with no redemption right — may fall outside virtual asset licensing requirements in some jurisdictions. The exemption requires that tokens cannot be exchanged for external value. The moment tokens acquire exchange value, the exemption typically fails.
| Exemption type | Available in | Conditions | Reliability |
|---|---|---|---|
| Institutional-only (no retail customers) | EU, UK, Singapore, UAE | Must serve only verified institutional counterparties; no retail access whatsoever; strict controls required | Medium — frequently challenged |
| MiCA transitional (existing VASP-registered businesses) | EU member states (varies) | Must have been registered under national VASP regime before MiCA full application; maximum 18 months | High — if eligible |
| US SEC Reg D / Reg S (private placement) | US | Accredited investors only; no general solicitation (Reg D); no US persons (Reg S); filing required | Medium — SEC scrutiny increasing |
| Closed-loop / no redemption value | EU (MiCA), UK, Singapore | Token must have no exchange value outside the closed system; any external exchange renders this inapplicable | Low — narrow; easily lost |
| Purely utility token (MiCA small offering exemption) | EU (MiCA) | Offering must be below €1M over 12 months; white paper still required for offerings over certain thresholds | High — if within threshold |
Phase 4 — Prepare for the licensing application
What regulators require and how to prepare an application that will be taken seriously
Regulatory applications for crypto licences are substantive undertakings — not form-filling exercises. The FCA, MAS, and VARA have all rejected applications from businesses that submitted technically complete paperwork without the underlying organisational infrastructure the paperwork claimed to evidence. An application is only as strong as the compliance programme, governance structure, and financial controls behind it.
Critical timing point: In most jurisdictions, you must not begin providing regulated services until your licence or registration is in place — or until you are formally within a recognised transitional period. Starting operations and applying for a licence simultaneously is common in practice but constitutes unlicensed operation during the application period, which is itself an offence in many jurisdictions. Applying before launch — not concurrently — is the only fully compliant approach.
The checklist above covers the structural elements of a licensing assessment. It does not replace the jurisdiction-specific legal analysis required for each regulatory regime you are subject to. Each regime has its own nuances, interpretation guidance, and regulatory culture — and what works in an FCA application does not necessarily transfer to a MAS or VARA application without significant adaptation.
Section 4 — Operating Without a Licence: Enforcement, Penalties, and Risks
The assumption that crypto regulators are slow, under-resourced, and unlikely to pursue enforcement against businesses that are technically offshore has been comprehensively disproved by the enforcement record of the past four years. The SEC, CFTC, FinCEN, DOJ, FCA, and MAS have collectively imposed billions of dollars in penalties on unlicensed crypto businesses — and several founders and directors have faced personal criminal liability. Operating without required licences is not a calculated risk: it is an undisclosed liability.
How Enforcement Actually Works
Crypto regulators do not typically discover unlicensed operators through random inspections. They identify them through on-chain analytics (blockchain transaction tracing), consumer complaints, intelligence from licensed competitors, whistleblowers, suspicious activity reports from banks, and intelligence sharing between international regulators through the FATF and bilateral agreements. An unlicensed crypto business that is active in a regulated market is generating a data trail that regulators know how to read.
Civil monetary penalties
Civil penalties are the most common enforcement outcome for unlicensed crypto operation. Amounts are calculated based on the period of unlicensed operation, transaction volumes, revenue generated, and the degree of harm to consumers. Penalties can reach tens or hundreds of millions of dollars at the federal level and tens of millions at the state level in the US, and up to 15% of annual global turnover for MiCA breaches in the EU.
Criminal prosecution of individuals
The DOJ, CFTC, and SEC have pursued criminal charges against founders and executives of unlicensed crypto businesses. In the US, operating as an unlicensed money transmitter is a federal crime under 18 U.S.C. § 1960 carrying up to five years' imprisonment. Founders who personally directed or profited from unlicensed operations face personal liability regardless of corporate structure — offshore incorporation does not shield individual founders from US criminal jurisdiction.
Business cessation orders
Regulators have the power to order immediate cessation of unlicensed business operations — meaning a company must stop providing regulated services, freeze customer accounts, and begin an orderly wind-down under regulatory supervision. This outcome destroys business value immediately and leaves the founders and directors exposed to further liability for the losses experienced by customers during the wind-down period.
Asset freezes and consumer restitution
Where unlicensed crypto businesses have caused consumer losses — particularly in cases of fraud, collapse, or inadequate safeguarding — regulators can obtain court orders freezing assets and directing restitution to affected customers. Directors and founders may be required to disgorge personal assets where they have personally benefited from unlicensed operations. This outcome is particularly common where the unlicensed operation also involved consumer fund misappropriation.
The Enforcement Escalation Sequence
Crypto regulatory enforcement typically follows a recognisable escalation pattern:
Regulatory intelligence and initial identification
Regulator identifies potential unlicensed operator through on-chain analytics, complaint data, media reports, or international intelligence sharing. Preliminary internal investigation conducted. No contact with the business at this stage.
Formal information request / CID
Regulator issues a formal information request or Civil Investigative Demand (CID) requesting documentation, records, and information. Receipt of a formal request signals that regulatory investigation is already well advanced. This is not an early warning — it is a signal that enforcement is likely already in progress.
Wells Notice / formal warning
In the US, the SEC issues a Wells Notice informing the company that staff intend to recommend enforcement action. The company has an opportunity to respond. This is the last point at which a negotiated settlement is routinely available — though the settlement parameters are now set by the regulator's assessment of the violation.
Formal enforcement action / consent order
Regulator files enforcement action, or the business agrees to a consent order — a negotiated resolution that typically involves: admission or non-admission of the violations; a substantial monetary penalty; operational restrictions or cessation; ongoing compliance monitoring; and personal undertakings from directors. Consent orders are public.
Criminal referral (in serious cases)
In cases involving deliberate evasion, consumer fraud, market manipulation, or wilful AML violations, the civil regulator refers the matter to criminal prosecutors. Criminal prosecution of founders and directors follows separately and on a longer timeline — but the personal consequences are of a different order of magnitude.
| Jurisdiction | Maximum civil penalty | Criminal exposure? | Personal liability for directors? | Notable enforcement action |
|---|---|---|---|---|
| EU (MiCA) | Up to €15M or 3% global turnover (CASP); up to €5M or 3% for issuers | Possible — via member state law | Yes — NCA may sanction individuals | MiCA in early enforcement phase (2024–2025) |
| United Kingdom (FCA) | Unlimited — FCA can impose any financial penalty | Yes — MLR breaches are criminal | Yes — senior managers personally liable | FCA issued over 250 consumer alerts for unregistered crypto firms (2022–2024) |
| United States (FinCEN/DOJ) | Up to $250,000 per wilful BSA violation; total settlements in billions | Yes — 18 U.S.C. § 1960; up to 5 years | Yes — executives personally prosecuted | Binance — $4.3B (2023); BitMEX — $110M (2021) |
| United States (SEC) | Disgorgement + up to $1M per violation (higher for certain fraud) | Yes — securities fraud criminal referral | Yes — founders personally charged | Terraform/Do Kwon — $4.5B civil penalty (2024) |
| Singapore (MAS) | Up to SGD 1M per offence under PSA | Yes — PSA criminal sanctions apply | Yes — officers may be personally liable | Multiple unlicensed exchanges directed to cease operations (2022–2024) |
| UAE (VARA) | AED 50M maximum financial sanction | Limited — primarily civil regime | Yes — officers may be sanctioned | VARA issued market alerts and cease-and-desist to unlicensed operators (2023) |
Conclusion: Six Steps to a Licence-Ready Crypto Business
The question "do we need a crypto licence?" almost always has the same answer for businesses that serve real customers at meaningful scale: yes — in one or more jurisdictions. The productive question is not whether to license, but when, where, and in what sequence. The following six-step roadmap provides a practical framework for moving from unlicensed exposure to a compliant operating structure.
Conduct an activity and jurisdiction audit
Map every service you provide, every asset you handle, and every jurisdiction where you have customers. This matrix is the foundation of your licensing strategy and should be reviewed whenever you launch a new product or enter a new market.
Select a primary licensing jurisdiction
Choose the jurisdiction for your first licence based on your primary market, timeline requirements, capital capacity, and regulatory friendliness. For EU access, prioritise MiCA CASP. For faster entry in a crypto-forward environment, consider UAE VARA or Singapore MAS.
Build the compliance infrastructure before applying
Appoint an MLRO and compliance officer. Implement AML/KYC procedures operationally — not on paper. Deploy Travel Rule compliance technology. Conduct a penetration test and document your security posture. Regulators assess infrastructure maturity, not paperwork completeness.
Geo-block unlicensed markets with documented controls
Until you hold a licence in a jurisdiction, implement IP-based geo-blocking, KYC-based residency exclusions, and payment method restrictions for that market. Document the controls, test them regularly, and keep logs. Incomplete geo-blocking is worse than no geo-blocking because it creates a false compliance narrative.
Engage local counsel in each regulated jurisdiction
Do not rely on general-purpose licensing guides — including this one — as a substitute for jurisdiction-specific legal advice. Regulatory positions on DeFi, staking, NFTs, and specific asset classifications are evolving rapidly. Jurisdiction-specific counsel with active regulatory relationships is the only reliable way to track these changes in real time.
Build a regulatory monitoring and update function
Assign regulatory tracking to a specific role. Schedule quarterly reviews of applicable regimes, subscribe to regulatory update alerts, and maintain a living document of your licensing position and any open applications or pending obligations. The regulatory landscape in 2026 will be materially different from 2024 — your compliance programme must evolve with it.
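For the step "Geo-block unlicensed markets with documented controls", the sketch below is an added example, not part of the original guide. It combines the three signals that step names, fails closed when the IP lookup is missing, logs every decision, and ships its own regression cases. The market list, function names and log store are hypothetical, and country codes are assumed to arrive from an upstream GeoIP lookup, the KYC record and the payment processor.

```python
import json
from datetime import datetime, timezone

# Constructed policy: markets where no licence is held yet (placeholder ISO codes).
UNLICENSED_MARKETS = {"US", "GB"}
AUDIT_LOG = []  # stand-in for an append-only log store


def evaluate_access(ip_country, kyc_residency, payment_country, session_id):
    """Return (allowed, reasons); any single signal in an unlicensed market denies."""
    signals = {"ip": ip_country, "kyc_residency": kyc_residency, "payment": payment_country}
    reasons = []
    for name, country in signals.items():
        if country is None:
            # KYC/payment data may be absent before onboarding; a failed IP lookup blocks.
            if name == "ip":
                reasons.append("ip:unresolved")
        elif country.upper() in UNLICENSED_MARKETS:
            reasons.append(f"{name}:{country.upper()}")
    allowed = not reasons
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "session": session_id,
        "signals": signals,
        "decision": "allow" if allowed else "deny",
        "reasons": reasons,
    }, sort_keys=True))
    return allowed, reasons


def run_control_tests():
    """Regression cases to run on a schedule; returns the list of failures."""
    cases = [
        (("DE", "DE", "DE"), True),     # all signals in a permitted market
        (("DE", "US", "DE"), False),    # permitted IP, but KYC residency is blocked
        (("DE", None, "GB"), False),    # payment instrument from a blocked market
        ((None, "DE", "DE"), False),    # IP lookup failed: fail closed
        (("us", None, None), False),    # lower-case code still matches
    ]
    failures = []
    for i, (args, expected) in enumerate(cases):
        allowed, _ = evaluate_access(*args, session_id=f"selftest-{i}")
        if allowed != expected:
            failures.append((args, expected, allowed))
    return failures


if __name__ == "__main__":
    print(run_control_tests() or "all geo-block controls behave as documented")
```

Because each decision is logged with all three signals and the reasons for denial, the same records serve as the documented evidence that the controls were in place and tested.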


