VASP to CASP and CASP Authorisations – A Step by Step Guide
June 5, 2026 | Max Atallah
In our previous article we discussed the basics of what the Markets in Crypto Assets Regulation (MiCA) is, what the new regulation will change and who is affected by the new legislation. We also presented the most central terminology that stems from MiCA and that will be implemented once the regulation takes effect.
In this second article of our MiCA series we discuss crypto-asset service providers (CASPs) and the requirements that market actors need to pay close attention to before the entry into application of MiCA in the latter half of 2024. If market actors implement the regulation incorrectly, the monetary sanctions could become quite consequential for the service provider.
CASP license and MiCA in Finland
It is worth noting that CASP is a new definition introduced with the adoption and entry into application of MiCA, and it is therefore a completely new regulated legal body. As we’ve discussed in our article on How to be a VASP in Finland, the first step of becoming a Virtual Asset Service Provider (VASP) is to identify whether the company’s business activities require a VASP registration with the Finnish Financial Supervisory Authority (FIN-FSA). As mentioned therein, according to the definition given by the Financial Action Task Force (FATF), a VASP is a person or a company who transfers or exchanges virtual assets and fiat currencies, exchanges one or more forms of virtual assets, administrates virtual assets or instruments enabling control over virtual assets, or participates in and provides financial services related to the sale of a virtual asset. As a consequence of the EU’s fifth anti-money laundering directive (5AMLD), VASPs were incorporated into Finnish legislation through the Act on Virtual Currency Providers in 2019. As with VASPs, the first step of becoming a CASP is to identify whether or not a CASP authorisation is required for the company’s business activities.
In Finland, the reasoning of the Act on Virtual Currency Providers currently stands, and VASPs are legal entities that have gained authorization and are supervised by the Finnish Financial Supervisory Authority (FIN-FSA). Due to the new MiCA regulation, VASPs will eventually be consigned to history, and once the regulation enters into application, it refers to virtual asset operators as crypto-asset service providers (CASPs).
What is a CASP?
When assessing what is required from a company whose operations require a CASP authorization, and what information needs to be included in an application for a CASP authorization, the relevant articles of the MiCA regulation need to be addressed. MiCA defines a CASP in Art. 3 as “any legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59;”.
Crypto-asset services, on the other hand, are defined in Art. 3 as the following services and activities relating to any crypto-asset:
(a) providing custody and administration of crypto-assets on behalf of clients;
(b) the operation of a trading platform for crypto-assets;
(c) the exchange of crypto-assets for funds;
(d) the exchange of crypto-assets for other crypto-assets;
(e) the execution of orders for crypto-assets on behalf of clients;
(f) placing of crypto-assets;
(g) the reception and transmission of orders for crypto-assets on behalf of clients;
(h) providing advice on crypto-assets;
(i) providing portfolio management on crypto-assets;
(j) providing transfer services for crypto-assets on behalf of clients;
Therefore, any legal person or other undertaking whose occupation or business is to provide any of the services listed above is regarded as a CASP. The provision of such services does not, however, automatically make the service provider a CASP. The authorization of CASPs is regulated in Art. 59, 63 and 64, which lay out the requirements for the CASP authorization. This means that carrying out any of the crypto-asset services listed above requires that the entity has obtained an appropriate CASP authorization in its home Member State.
CASP Authorization Process
Here’s what we know about the CASP authorization process carried out in accordance with MiCA.
1. Crypto-asset services shall not be provided within the Union unless:
- they are provided by a legal person or other undertaking that has been authorized as a crypto-asset service provider in accordance with Article 63; or
- they are provided by a credit institution, central securities depository, investment firm, market operator, electronic money institution, UCITS management company, or an alternative investment fund manager that is allowed to provide crypto-asset services pursuant to Article 60.
2. Application for CASP authorization
The application for authorization shall include the information listed in MiCA Article 62. The list of requirements is extensive, covering information from points a) to s) including, to mention a few, the following information of the applicant crypto-asset service provider:
- the name, legal name and other conventional business and contact information, as well as the legal status;
- a description of the governance arrangements and internal control mechanisms, policies and procedures to identify assets and manage risks, including money laundering and terrorist financing risks, and a business continuity plan;
- proof that the applicant crypto-asset service provider meets the requirements for prudential safeguards in accordance with Article 67.
However, if the applicant crypto-asset service provider has, prior to the entry into force of MiCA, already delivered information to the competent authority pursuant to an authorization to act as an EMI (electronic money institution), VASP (virtual asset service provider), PSP (payment service provider) or other authorized body whose business activities relate to crypto-assets, the information does not have to be provided to the same authority again. This applies only when such information or documentation is still up to date and accessible to the competent authorities.
3. CASP authorization process
MiCA Article 63 describes the authorization process that is to be applied accordingly in all Member States. Here’s what we know:
4. Assessment of the application
When the company wishing to receive a CASP authorization has sent its application to the competent authority within its home Member State, the competent authority shall assess whether that application is complete by checking that the information listed in Article 63, meaning the list of requirements running from a) to s), has been provided. Where the application is not complete, the authorities shall set a deadline by which the applicant crypto-asset service provider is to provide the missing information.
5. Completion of application
If the applicant, however, fails to meet this new deadline, the competent authority may refuse to review the application completely. The competent authority will notify the applicant within 25 days of receiving the application whether the application is complete or not.
6. Cooperation with the competent authorities in other Member States
If the applicant crypto-asset service provider is any of the following, the competent authority in the home Member State of the applicant is obliged to consult with the competent authorities of the other Member State:
- the applicant is a subsidiary;
- the applicant is a subsidiary of the parent undertaking of an entity listed in Art. 63(5); or
- the applicant is controlled by the same natural or legal persons who control an entity listed in Art. 63(5).
7. Complete application and final assessment
The competent authority will assess the applicant’s compliance with the requirements listed above. The assessment takes into account the nature, scale and complexity of the crypto-asset services that the applicant crypto-asset service provider intends to provide. This means that the operations must truly meet the requirements set out in MiCA and not just look compliant on paper. The competent authority will notify the applicant of its decision within 5 working days.
8. Reasoned decision
The competent authority shall within 40 days from receiving the complete application adopt a fully reasoned decision either granting or refusing authorization and the competent authority shall notify the applicant of its decision within 5 working days.
9. Refusal to grant authorization
The authorization may be refused by the competent authority where there are objective and demonstrable grounds for believing that, i.e.:
- the management body of the applicant crypto-asset service provider poses a threat to its effective, sound, and prudent management and business continuity, and to the adequate consideration of the interest of its clients and the integrity of the market, or exposes the applicant crypto-asset service provider to a serious risk of money laundering and terrorist financing;
- the shareholders or members, whether direct or indirect, that have qualifying holdings in the applicant crypto-asset service provider do not meet the criteria of sufficiently good repute set out in Article 68(2);
- the applicant fails to meet or is likely to fail to meet any requirements for the assessment of the application.
10. ESMA Notification
The competent authority will thereafter inform ESMA (the European Securities and Markets Authority) of granted authorizations within two working days of granting authorization. Refusals shall also be notified to ESMA. ESMA will then add all the information submitted to the register of crypto-asset service providers referred to in Art. 109(5).
Since the list of requirements for the information that needs to be included in the CASP authorization application is quite extensive, since the competent authorities in all Member States are obliged to cooperate with each other and, mainly, since the CASP authorization process has not been carried out before, the process of applying for and receiving a CASP authorization could easily take up to 6 months. Therefore, all affected actors should initiate the necessary measures to ensure compliance with MiCA and, where necessary, consult with a legal professional.
VASP to CASP
As discussed earlier, the definition of VASPs will eventually be consigned to history and a new regulated body, the CASP, takes its place. Crypto-asset service providers authorized in accordance with MiCA shall at all times meet the conditions for their authorization, and again, a person who is not a crypto-asset service provider shall not use a name or a corporate name, issue marketing communications, or undertake any other process or measures suggesting that it is a crypto-asset service provider or that is likely to create confusion in that respect.
Our professionals have been assisting clients that operate in the crypto industry in regard to authorisations, operations and taxation to mention a few. We will continue to assist our clients in a wide range of questions that may arise due to the changing situation and the new regulatory landscape in Finland.
We are happy to discuss how MiCA may affect your operations and what measures should be taken to ensure compliance with the regulation. If you have any questions regarding MiCA, its implementation, or its implications, don’t hesitate to contact us at info@nordiclaw.fi! We’re happy to assist you!
Our Associate Trainee Charlotta Grandell took part in writing this article.
Updated 5.6.2026
