Not every company operating in the crypto ecosystem is required to hold a digital asset license. What determines the obligation is the business model, not the asset being used, not the product name, and not the country where the founding team happens to sit. Regulators look at activity, not labels.
This article maps the business models that consistently trigger licensing obligations across jurisdictions, from the European Union to offshore markets.
Centralised Crypto Exchanges (CEX)
Platforms that match buyers and sellers of crypto assets, hold user funds, and execute orders within their own internal systems, this is the category most directly subject to licensing requirements across virtually every jurisdiction.
Regulators examine three elements: custody of user assets, order matching, and management of third-party funds. All three are present in the CEX model. In the European Union, the MiCA regime classifies these operations as Crypto Asset Service Providers (CASPs) that must obtain authorisation before operating. Jurisdictions including Lithuania, Estonia, and Poland have been actively processing CASP applications since 2024.
Crypto OTC Desks and Brokerage Platforms
OTC desks that handle direct transactions between two parties, typically in large volumes, operate in a grey zone in many countries, but regulators are increasingly classifying this activity as a Virtual Asset Service Provider (VASP) function.
The distinction between an OTC operation that requires a license and one that does not comes down to whether the platform holds or moves assets on behalf of clients. If it does, licensing obligations almost certainly apply. FATF has established international standards that more than 200 member countries use as the reference point for classifying these activities.
Custodial Wallet Providers
Non-custodial wallets, where users hold their own private keys, generally do not trigger licensing obligations. Custodial wallets are a different matter.
When a company holds private keys on behalf of users, it is technically managing third-party assets. That sits at the core of the VASP definition. Under MiCA, custody and administration of crypto assets on behalf of clients is one of the CASP categories that explicitly requires authorisation before the service can be offered.
Token Issuance Platforms
Issuing a token is not simply a technical act, it is a legal one. Whether the issued token is classified as an e-money token (EMT), an asset-referenced token (ART), or a utility token determines which regulatory regime applies.
Under MiCA, issuers of EMTs and ARTs are subject to strict authorisation requirements, including minimum capital obligations and mandatory white paper filings. Launching a token without first establishing its classification is a material regulatory risk in any MiCA-scope jurisdiction.
Crypto Payment Platforms and Remittance Services
Companies that facilitate payments using crypto assets, whether crypto-to-fiat, fiat-to-crypto, or crypto-to-crypto, almost always operate within the scope of VASP or CASP regulation, depending on the jurisdiction.
The practical distinction here is between passively accepting crypto as a payment method versus actively executing conversions and forwarding funds. The second model is what generally triggers the licensing obligation. In many European jurisdictions, platforms of this kind may also need authorisation as a Payment Institution (PI) under PSD2, in addition to any VASP or CASP requirement.
Crypto Asset Managers and Funds
Investment funds holding crypto assets, including crypto hedge funds, venture funds with token exposure, and family office structures, operate within a different regulatory layer from retail platforms. Many jurisdictions, including the Cayman Islands and BVI, have dedicated licensing regimes for digital asset fund managers.
One point worth noting: even if the fund does not accept public deposits, managing crypto assets on behalf of third-party investors frequently triggers registration or authorisation requirements regardless.
DeFi Protocols with Centralised Interfaces
This is the most actively contested area in digital asset regulation right now.
Protocols that are genuinely decentralised and autonomous, with no identifiable point of central control, fall outside the reach of most existing licensing regimes. But the moment there is a centralised frontend, a team controlling the smart contracts, or an identifiable governance mechanism, regulators start looking for an accountable entity. MiCA acknowledges this complexity but makes clear that DeFi services operated in a centralised manner remain subject to CASP requirements.
Staking and Yield Management Platforms
Platforms that pool user crypto assets for staking purposes or yield strategies, particularly those offering fixed returns, are drawing increasing regulatory attention. In some jurisdictions, this activity can be classified as collective investment management, which carries its own licensing obligations separate from the VASP or CASP regime.
One Principle That Applies Across All Categories
The relevant question is not “do we use crypto?” but “what do we do with client assets?” The moment a company holds, moves, executes, or manages digital assets on behalf of another party, the regulatory door opens.
The most common mistake is assuming that the absence of a license means the absence of an obligation. Regulators in Europe, Asia, and the Middle East have demonstrated a clear willingness to act against companies operating without authorisation, even when those companies are based in a different jurisdiction from their clients.
LegalBison works with founders and compliance teams who need to understand where their business model sits on this regulatory map, and which jurisdictions best match their operational structure.
LegalBison.com is a global boutique legal and business services firm specialising in regulatory architecture for FinTech and digital asset projects. With offices in Poland, Estonia, Bahrain, Malaysia, Costa Rica, and Panama, the firm advises clients across more than 50 jurisdictions worldwide.