Many Virtual Asset Service Providers, or VASPs, have emerged over the last few years. As a relatively “new” phenomenon, these service providers, and crypto in general, have been unregulated in many areas of law. Lately, however, proposals for regulation have come forward, such as the Markets in Crypto-assets (MiCA) legislative proposal in the European Union. We have also witnessed the creation of a legal framework to regulate Bitcoin in countries such as El Salvador and, just a few days ago, Ukraine. Despite the lack of a general legal framework, it can be said that noticeable progress has been made, especially in the field of Anti-Money Laundering (AML) regulation.

What are the money laundering risks related to VASPs?

Common money laundering risks related to crypto include anonymity or pseudonymity; the use of crypto for illicit transactions (for example on the dark web to buy hard drugs, firearms, or high-value goods); the higher risk that comes from all transactions being non-face-to-face; the fact that crypto can be stolen or hacked more easily; and the lack of regulation mentioned before.

Specific money laundering risks related to VASPs include:

  • Not all VASPs identify their clients.
  • Many VASPs apply limited due diligence on their clients (no registered economic activity of the client, source of funds, source of wealth, etc.).
  • No specific regulation is in place in many countries.

What is the current AML regulation for VASPs around the world?

In June 2019, the FATF stated in its document “Guidance for a Risk-Based Approach on Virtual Assets and VASPs” (which was updated at the end of 2021) that:

“To manage and mitigate the risks emerging from Virtual Assets, countries should ensure that VASPs are regulated for AML/CFT purposes and licensed or registered and subject to effective systems for monitoring and ensuring compliance with … the FATF Recommendations.”

In recent years countries like Spain, the U.S.A., and the U.K. have implemented AML regulations applicable to VASPs. Different approaches have been taken by national legislators as we will see by zooming in on the specifics of the aforementioned countries.


Spain

The April 2021 modification of Law 10/2010, of 28 April, on prevention of money laundering and terrorism financing introduced two new obligated subjects (see article 2 z) of Law 10/2010):

  • Crypto-fiat exchange services
  • Electronic wallet-custody providers 

As obligated subjects, these entities have to comply with the complete AML law and are in fact considered “financial entities” similar to banks, which involves additional reporting requirements to the Bank of Spain.

Last October the Bank of Spain opened the register where these providers have to register within a period of 3 months. 

The requirements to register are:

  1. Submit the entity's AML Risk Assessment.
  2. Submit the entity's AML Policy.
  3. Present certificates of the absence of a criminal record for the management and directors.

On Thursday, February 17th, 2022, it was announced that the first company approved in the new register is the Spanish company Bit2Me. A few weeks ago Binance also announced that it will create a Spanish domiciled company and apply for the register.

Companies that operate from Spain or target Spanish clients and do not register with the Bank of Spain can face severe penalties.

The United States

In March 2013, FinCEN guidance defined a Virtual Assets (crypto) exchanger as “a person or business involved in the exchange of a virtual currency for fiat currency, funds, or other virtual currency.” Exchanges are considered Money Services Businesses (MSBs), like Western Union, Ria Money Transfer, or MoneyGram. As such, they must register with FinCEN (and in each state) and are obliged to implement an AML program. AML programs must include the following:

1) Written policies, procedures, and controls based on a previous risk assessment.

2) Designation of an AML Compliance Officer.

3) Periodic independent AML reviews/audits.

4) Training of personnel, directors and senior management, the AML Compliance Officer, and all client-facing staff.

The remaining pillar of FinCEN guidance, which is Customer Due Diligence (CDD), does not fully apply to MSBs.

Not complying with FinCEN's requirement is considered a serious crime (felony) in the U.S.A.

The United Kingdom

Starting the 10th of January 2020, the Financial Conduct Authority (FCA) became the AML supervisor for crypto-asset firms, which includes firms that exchange money to and from crypto assets and those that safeguard their customers’ crypto assets. From this date, existing crypto-asset businesses have had to comply with the Money Laundering Regulations, and these firms were required to be registered with the FCA before 10 January 2021.

The FCA established a Temporary Registration Regime to allow existing crypto-asset firms that had applied to be registered with the FCA to continue trading. New businesses (which began operating after 10 January 2020) were required to obtain full registration with the FCA before conducting any business.

According to the FCA, it was not able to assess and register all companies that had applied for registration, due to the complexity and standard of the applications received and the pandemic restricting the FCA’s ability to visit companies as planned.

Nowadays firms that are trading without a license are at risk of being subject to the FCA’s criminal and civil enforcement powers.


Apart from tax legislation, which, remarkably, is always the fastest to be produced, AML legislation has been one of the first areas of crypto regulation around the world, or at least in many countries. Formal registration and the implementation of proper AML controls will reduce the risk of money laundering, fraud, scams, etc., and generate confidence among the general public, further promoting the adoption of virtual assets. As such, the AML legislation of VASPs should be seen as a welcome friend and not an enemy.

This document was created by
Team Core