Digital asset businesses represent one of the fastest-growing client segments approaching corporate service providers. Crypto exchanges, DeFi protocols, NFT platforms, Web3 startups, and virtual asset fund managers all require corporate structures, registered addresses, and compliance services — and many are turning to specialist CSPs who understand their sector. For CSPs prepared to serve this market, there is significant fee premium opportunity. For those who approach it without adequate preparation, there is significant regulatory risk.
This article examines the key considerations for CSPs engaging with digital asset clients: regulatory classification, enhanced due diligence requirements, jurisdiction selection, and the operational implications for your firm.
Understanding Virtual Asset Service Providers
The FATF's 2019 Recommendation 15, extended to virtual assets and Virtual Asset Service Providers (VASPs), brought digital asset businesses firmly within the scope of global AML/CFT frameworks. A VASP is any entity that conducts exchange, transfer, safekeeping, or administration of virtual assets — or participates in and provides financial services related to an issuer's offer and sale of virtual assets.
For CSPs, this matters because: (a) a client operating as a VASP may itself be subject to AML licensing requirements in its operating jurisdiction; and (b) the CSP's own AML obligations in relation to VASP clients are subject to additional scrutiny by regulators and inspection teams.
Jurisdiction Selection for Digital Asset Structures
Several jurisdictions have moved proactively to create regulatory frameworks for digital asset businesses, making them attractive for CSPs and clients seeking regulatory clarity:
- UAE (ADGM and DIFC): The Abu Dhabi Global Market introduced the Digital Asset Framework in 2018, one of the world's first comprehensive crypto regulatory regimes. DIFC has since introduced its own digital assets regime. UAE mainland is regulated by the Virtual Asset Regulatory Authority (VARA) for Dubai.
- Cayman Islands: The Virtual Asset (Service Providers) Act 2020 (VASPA) creates a registration and licensing regime for Cayman-based VASPs, administered by CIMA.
- BVI: The BVI does not have a specific VASP licensing regime but has issued guidance on how existing financial services legislation applies to digital asset businesses.
- Seychelles: Popular for crypto structures, but lacks a specific VASP framework — reliance on general FSA oversight.
- EU (MiCA): The Markets in Crypto-Assets Regulation (MiCA), applicable from 2024, creates a comprehensive licensing regime for crypto asset service providers across the EU. Malta, Luxembourg, and Ireland are among the favoured EU domiciles for MiCA-regulated structures.
Regulatory risk: CSPs must avoid inadvertently providing registered office or director services to unlicensed VASPs in jurisdictions that require VASP licensing. Failure to identify that a client requires a licence they do not hold exposes the CSP to regulatory scrutiny and potential enforcement action.
Enhanced Due Diligence for Digital Asset Clients
Digital asset clients warrant enhanced due diligence as a matter of course — not because the sector is inherently criminal, but because it presents specific money laundering risk factors that require more detailed assessment. Most AML regulatory guidance (including FATF, CBUAE, BVI FSC, and CIMA guidance) treats VASPs as inherently higher-risk customer categories.
EDD for digital asset clients should include:
- Verification of any VASP licence or registration held in the relevant jurisdiction
- Understanding the nature of the digital assets handled (utility tokens, security tokens, NFTs, stablecoins) and the specific activities conducted
- Source of funds for the entity's business (venture capital, token sale proceeds, trading revenue — each carries different risk profiles)
- Identification and verification of all beneficial owners — crypto businesses often have complex ownership structures involving founders, early investors, and token holders
- Blockchain analytics: for crypto businesses that process significant transaction volumes, blockchain analytics tools (Chainalysis, Elliptic, TRM Labs) can assess whether the business has exposure to high-risk wallet addresses, mixers, or sanctioned entities
- Assessment of the client's own AML programme — does the VASP conduct KYC on its own customers? Is it compliant with the Travel Rule (FATF Recommendation 16)?
The Travel Rule Implications for CSPs
The FATF Travel Rule (Recommendation 16) requires VASPs to share originator and beneficiary information when transferring virtual assets above a threshold (typically USD/EUR 1,000). While the Travel Rule applies directly to VASPs rather than CSPs, CSPs servicing VASP clients should understand whether their clients are compliant with Travel Rule obligations in their operating jurisdiction — Travel Rule non-compliance is a significant AML red flag.
Banking Access for Digital Asset Clients
One of the most practical challenges for crypto corporate clients is banking. Many mainstream banks remain reluctant to provide accounts to VASPs, even licensed ones, due to perceived AML risks and de-risking policies. CSPs servicing this sector should be realistic with clients about banking options and should consider whether their jurisdiction of incorporation choice affects banking access.
UAE, Singapore, and certain EU jurisdictions have the most developed banking infrastructure for regulated digital asset businesses. BVI and Cayman structures serving crypto clients often face banking challenges, particularly for operating accounts rather than holding structures.
Periodic Review and Ongoing Monitoring
Digital asset businesses are subject to rapid change — regulatory status, business model, and ownership can all shift significantly within a single year. CSPs should:
- Schedule annual EDD reviews for all digital asset clients (regardless of their assigned risk rating)
- Monitor for regulatory changes in the client's operating jurisdiction that may affect their licensing status
- Watch for adverse media — enforcement actions, exchange hacks, token fraud allegations — that should trigger an unscheduled review
- Monitor publicly available on-chain data where the client's wallet addresses are known, as a supplementary source of risk intelligence
Building a Crypto-Competent CSP Practice
For CSPs that want to serve digital asset clients well, some investment in sector knowledge is required. Staff who understand the difference between a CEX and a DEX, who know what the Travel Rule requires, and who can read a token allocation table will onboard clients more efficiently and assess risk more accurately than those approaching crypto as a generic corporate service matter.
Joining VASP-focused industry associations (such as the Global Digital Finance association), attending sector conferences, and maintaining relationships with specialist crypto lawyers in key jurisdictions all contribute to building the expertise needed to serve this market at the level clients expect.
The digital asset sector will continue to mature. The period of regulatory uncertainty that characterised the early crypto years is giving way to structured licensing frameworks across major jurisdictions. CSPs that build crypto competence now are positioning for a growing and fee-premium client segment — one where compliance knowledge is genuinely valued and rewarded.