When Do You Need a Crypto License? Practical Qualification for Founders

When you actually need a crypto license – and when you do not
Licensing

When Do You Need a Crypto License? Practical Qualification for Founders

Section 1 Introduction Scope and approach

When you actually need a crypto license — and why the first question is usually wrong

Many teams assume that “crypto” automatically means “licensed”. In practice, the licensing trigger is rarely the technology itself. It is the regulated activity: custody, exchange/trading venue operation, brokerage/execution, or investment and yield-like services. This article explains when do you need a crypto license and when you do not, using a practical qualification approach aligned with how regulators assess business models.

Why Why misclassification becomes expensive

If you start by “choosing a license” instead of qualifying the activity, you risk building the wrong structure: delayed launch, forced redesign of flows, banking friction, and cross-border exposure when marketing reaches restricted jurisdictions.

Rule The core rule regulators apply

Licensing is typically activity-based. Regulators look at who controls client assets, who intermediates transactions, and whether the product has an investment/yield economic function. Branding (“DeFi”, “non-custodial”) is not determinative if control points exist in implementation.

What you should take from Section 1 Read time: ~1 minute
  • Start with qualification, not jurisdiction shopping. Define what your company actually does in the transaction chain.
  • Control and intermediation drive licensing. Keys, settlement wallets, order execution, matching, routing, fees linked to trades.
  • “Non-custodial” is not a legal shield by itself. Admin permissions, upgradeability, recovery/freeze rights can change the result.
Section 2

Activity-based regulation: the qualification logic behind crypto licensing

Regulators typically classify businesses by function: who controls assets, who intermediates transactions, and whether the product has an investment or yield economic profile. This section explains the practical method used to determine scope.

How to qualify your model before choosing a jurisdiction

  • 1
    Map the transaction chain. Users, assets, wallets/accounts, counterparties, fees, and where decisions are made.
  • 2
    Find control points. Keys, recovery/freeze rights, admin permissions, upgradeability, settlement wallets, omnibus accounts.
  • 3
    Test for intermediation. Order execution, matching, routing, arranging deals, spread/commission linked to transactions.
  • 4
    Test for economic function. Yield framing, lending/borrowing, managed strategies, discretionary selection, pooling.
  • 5
    Only then select the route. MiCA, VARA, AIFC and other regimes differ in perimeter detail and supervisory style — but scope starts with your activity.
Practical rule Use plain-language test

If your role can be described as a custodian, intermediary, or investment operator in plain language, treat the model as licensing-driven until proven otherwise — regardless of how “non-custodial” or “DeFi” it is marketed.

Section 3 Decision tree Yes / No logic

Decision tree: when do you need a crypto license?

Answer each question honestly. A single “Yes” usually means your project falls inside a licensing perimeter and requires jurisdiction-specific analysis (MiCA, VARA, AIFC). Multiple “No” answers may indicate a non-licensed model — subject to AML, marketing, and consumer-protection rules.

Step 1 Control
Do you control or safeguard client crypto assets?
Keys, wallets, settlement accounts, recovery or freeze rights.
YES → licensing likely

Custody is one of the most consistently regulated crypto activities.

  • custodial wallets
  • omnibus settlement accounts
  • asset safeguarding
NO → next step

Proceed, but non-custodial design alone is not decisive.

Step 2 Intermediation
Do you execute, match, or arrange transactions?
Order books, routing, brokerage, transaction-based fees.
YES → licensing likely

Intermediation is often regulated even without custody.

NO → next step

Continue to assess economic substance.

Step 3 Economic function
Do you offer yield, lending, or managed strategies?
“Earn”, pooling, discretionary staking, investment-like exposure.
YES → licensing likely

These models are commonly treated as financial services.

NO → outside scope

You may fall outside crypto licensing perimeter.

Section 4 Core regulated activities

Custody, exchange and brokerage: activities that almost always require a crypto license

While regulatory frameworks differ in structure and terminology, certain crypto activities are consistently treated as regulated financial services. If your business model falls into one of the categories below, licensing should be assumed at the structuring stage.

Custody / Safekeeping
High certainty trigger
What regulators look at:
  • control or safeguarding of client private keys
  • operation of wallets or settlement accounts
  • ability to move, freeze or recover client assets
Custody is one of the most consistently regulated crypto activities across jurisdictions. Even partial or technical control (admin keys, recovery logic, omnibus wallets) is usually sufficient to trigger a licensing requirement.
Exchange / Trading venue
High certainty trigger
Typical indicators:
  • order books or matching engines
  • price formation or liquidity aggregation
  • execution of trades between third parties
Operating a trading venue is almost universally regulated. Outsourcing custody or liquidity does not remove licensing exposure if execution, matching, or market operation remains under your control.
Brokerage / Execution / Arranging
Common trigger
Often overlooked elements:
  • order routing to third-party venues
  • arranging or negotiating transactions
  • fees or spreads linked to executed trades
Even without custody or an order book, acting as an intermediary in execution or transaction flow can fall within regulated brokerage or arranging activities, depending on the jurisdiction and client segment.
Key takeaway: if your platform can be described — in plain language — as holding assets, executing trades, or acting between buyer and seller, regulators are likely to treat it as a licensed crypto service provider regardless of technical architecture.
Section 5 Yield and investment features Financial services perimeter

Yield, lending and “investment-like” features: when crypto becomes regulated financial services

Custody and exchange are obvious licensing triggers. Yield and investment features are often more subtle — but they frequently move a crypto product into the financial services perimeter. Regulators focus on whether the user’s exposure is driven by your operational decisions, pooling, or promised/targeted returns.

Key drivereconomic substance over UI labels
Common riskyield marketed as “simple earn”
Practical testare you the decision-maker?

1 Why yield features trigger licensing

Yield products often create a regulated profile because they resemble investment management, deposit-taking, lending, or collective investment functions — depending on the jurisdiction and user segment. The legal characterisation is driven by economic function: what the user reasonably expects and what the operator actually controls.

Typical “yield” constructions
  • staking-as-a-service with operational responsibility
  • pooled strategies or discretionary allocation
  • lending/borrowing with platform-set terms
  • “earn” accounts with advertised APY or ranges
Why regulators care
  • asymmetric information and consumer risk
  • maturity/liquidity mismatch
  • conflicts of interest and disclosure
  • financial stability and prudential concerns

2 Practical triggers you should assume are regulated

If any of the elements below are true, you should assume licensing analysis is required, even if you describe the product as “non-custodial”, “automated” or “DeFi-like”. The trigger is often the combination of control and return expectation.

Control / discretion
  • you choose validators, counterparties or venues
  • you rebalance, route, or manage risk parameters
  • you can pause, upgrade, or override the strategy
Return framing
  • promised/targeted returns or APY ranges
  • marketing focused on “income” or “passive yield”
  • fees are linked to yield performance
Boundary insight where teams misclassify risk

A common mistake is treating “staking” as purely technical. In many regimes, the moment you become an operator (not a software provider) — i.e., you take responsibility for delegation, execution, or economic outcomes — the model starts to resemble regulated intermediation.

Section 6 Often outside scope Software / infrastructure

When a crypto license is often not required: pure software and infrastructure models

Not every crypto-related business is a regulated crypto service provider. Projects that do not custody assets, do not execute transactions, and do not intermediate value flows are often outside licensing scope. The qualification still depends on how the model is implemented (control points, permissions, and who bears operational responsibility).

A Non-custodial software (no control)

Pure software that users run or control themselves is often outside licensing scope where the provider has no ability to control, move, freeze, or recover client assets.

  • open-source wallets where keys stay with the user
  • non-custodial interfaces that do not intermediate transactions
  • client-side signing and direct on-chain execution

B Data, analytics and tooling

Providing market data, dashboards, analytics, or risk tooling is typically not licensing-driven if it does not cross into execution, advice, or managed strategies.

  • blockchain explorers and indexing services
  • portfolio analytics and reporting tools
  • security monitoring and smart-contract audits

C Infrastructure providers (technical role)

Infrastructure services can be outside licensing scope when the provider performs a technical function without custody, brokerage, or discretionary decision-making over user assets.

  • node/RPC providers and hosting
  • custody-agnostic KYC tooling and compliance SaaS
  • developer APIs that do not execute trades

D Payment acceptance (limited use cases)

Merchant acceptance or invoicing tools may be outside licensing scope in some jurisdictions where the provider does not intermediate exchange or provide custody beyond a purely incidental technical step.

  • payment buttons and invoice generators
  • merchant plugins that route users to external PSPs
  • on-chain settlement with user-controlled wallets
Important qualification caveat “outside scope” can change quickly

Many models move into a licensing perimeter when a provider introduces embedded custody, transaction execution, routing with fees linked to trades, or yield framing. The same product can be non-licensed in one architecture and licensing-driven in another.

Section 7 Borderline cases High misclassification risk

Borderline crypto models: where projects most often misclassify licensing risk

Some crypto business models sit close to the regulatory boundary. They are frequently presented as “non-custodial” or “pure infrastructure”, but in practice introduce control, intermediation, or economic exposure that can trigger licensing. These cases account for a large share of enforcement and post-launch remediation.

1 Smart-contract control with admin rights

Projects often treat smart contracts as neutral infrastructure while retaining upgrade, pause, or recovery rights. Regulators assess who controls outcomes, not whether logic is “on-chain”.

  • upgradeable proxies and admin-controlled parameters
  • emergency pause or asset recovery functions
  • governance tokens concentrated with the operator

2 “Non-custodial” front-ends with transaction routing

Interfaces that route transactions, select venues, or batch orders can be treated as intermediaries even without holding assets directly.

  • default routing to preferred liquidity sources
  • fee extraction linked to executed trades
  • transaction sequencing or aggregation

3 DAO-labelled structures with central operators

“DAO” branding does not remove regulatory responsibility where a core team performs operational, promotional, or treasury-management functions.

  • foundation or company executing DAO decisions
  • centralised control over treasury or protocol revenue
  • active off-chain management by a small group

4 Hybrid earn + access products

Products that combine utility access with yield or rewards are often mischaracterised as “non-financial”, despite having a return-driven core.

  • token locking with yield or revenue share
  • access rights bundled with economic upside
  • reward structures resembling investment returns
Regulatory pattern

In borderline cases, regulators look past labels and focus on three core questions:

• Who controls assets
• Who decides how value is deployed
• What users are economically relying on

Small architectural choices can move a project from “outside scope” into a fully regulated activity.

Section 8 Jurisdictional comparison MiCA · VARA · AIFC

MiCA vs VARA vs AIFC: how different regulators qualify the same crypto activity

The same crypto business model can fall inside or outside licensing scope depending on the regulatory philosophy applied. This section compares how the EU (MiCA), Dubai (VARA), and the AIFC (Kazakhstan) approach qualification, supervision, and proportionality — using the activity-based lens discussed above.

EU — MiCA

Harmonised rulebook

MiCA is built around legal certainty and uniformity across the EU. Activities are exhaustively defined, and falling within scope generally means full CASP licensing with limited flexibility.

  • strict activity definitions and perimeter tests
  • high compliance and organisational thresholds
  • limited tolerance for hybrid or phased models

Dubai — VARA

Activity + supervisory discretion

VARA applies an activity-based framework with significant supervisory judgement. Licensing scope often depends on implementation details and the regulator’s risk assessment.

  • phased licensing and MVP approaches
  • greater flexibility in early-stage structuring
  • ongoing supervisory engagement post-launch

Kazakhstan — AIFC (CASP)

Principles-based proportionality

The AIFC regime focuses on proportionality and substance. Similar activities may be licensed differently depending on scale, client type, and operational risk.

  • principles-based qualification
  • risk- and scale-sensitive compliance
  • greater scope for tailored structuring
Comparative takeaway

Choosing a jurisdiction is not about “lighter” or “stricter” regulation. It is about how a regulator interprets activity, control, and risk. The same model may be non-viable under MiCA, workable under VARA with supervision, or proportionally licensed in the AIFC depending on implementation and growth strategy.

Section 9 Pre-launch checklist Self-assessment

Pre-launch checklist: how to self-assess licensing exposure before going live

Before you pick a jurisdiction or spend on licensing, you should be able to describe your model in a way a regulator, bank, or exchange partner would accept. This checklist is not legal advice — it is a practical way to stress-test your assumptions and identify where the licensing perimeter is likely to be triggered.

Five questions to answer in writing

  • 1) Who controls assets and keys? Map custody and control points (including admin permissions and recovery logic). If you can move, freeze, or recover user assets — assume licensing analysis is required.
  • 2) Who executes or intermediates transactions? Identify whether you route orders, batch transactions, operate a matching engine, or charge trade-linked fees. Execution and intermediation often trigger exchange/brokerage licensing even without custody.
  • 3) Is there yield, lending, or pooled strategy exposure? Document how returns are generated and whether you exercise discretion over allocation or risk parameters. “Earn” framing and operator discretion are common reasons regulators treat products as financial services.
  • 4) Who is the target user and where are you marketing? Retail vs professional clients, and the jurisdictions reached via website/app distribution. Cross-border marketing can create licensing exposure even without local entity or staff.
  • 5) What can you prove with documentation? Regulators and banks will ask for policies, diagrams, and evidence — not just statements. Prepare artifacts early; “we are non-custodial” is rarely accepted without technical proof.
What to prepare (minimum evidence package)
  • transaction flow diagram (who does what, when, and with which wallets/contracts)
  • control matrix: keys, admin roles, upgradeability, pause/freeze rights
  • user journey: onboarding, disclosures, risk warnings, marketing claims
  • terms and policies: ToS, risk disclosure, AML/KYC approach (if applicable)
  • outsourcing map: custody providers, liquidity venues, payment rails, cloud and infra
  • jurisdiction logic: where users are located and what geofencing (if any) exists
Section 10 Conclusion Structural decision

Conclusion: a crypto license is not a checkbox — it is a structural decision

Whether you need a crypto license is rarely answered by a single rule or jurisdictional shortcut. Regulators assess substance, control, and risk allocation across the entire business model. Getting the licensing question wrong usually does not fail fast — it fails later, when the cost of correction is highest.

What consistently matters across jurisdictions

Despite different legal frameworks, regulators converge on the same fundamentals: who controls assets and execution, who makes economic decisions, and what users are relying on. Labels, technical architecture, and marketing narratives are secondary to these core questions.

Why timing matters

Licensing analysis is most effective before launch, banking integration, and user acquisition. Retrofitting compliance after growth has begun often leads to forced restructuring, market exits, or prolonged supervisory engagement.

Practical closing thought The right question is not “where is licensing cheapest or fastest”, but whether your model can be clearly explained, evidenced, and defended to a regulator, bank, or counterparty. Jurisdiction choice should follow qualification — not replace it.
Oleg Prosin

Oleg Prosin is the Managing Partner at WCR Legal, focusing on international business structuring, regulatory frameworks for FinTech companies, digital assets, and licensing regimes across various jurisdictions. Works with founders and investment firms on compliance, operating models, and cross-border expansion strategies.

view all posts

Related Posts