How to be a VASP in Finland

VASP, EMI, PI, AIF, AIFM… The mystical world of Financial Technology (Fintech) is filled with strange abbreviations and phrases, and their legal status can from the outside appear even more mind-boggling. Whilst these different kinds of Fintech structures might seem highly complex on the surface, with the right expertise, their practical implementation does not need to be that ambiguous.

In this new 4-part series, we will step-by-step go through the practical side of all relevant Fintech structures, from the birth of a business idea to the practical functioning of a registered Fintech company.

In this first part of our Fintech in Practice series, we will analyse how to obtain a Virtual Asset Service Provider (VASP) registration in Finland and, further, how to function as a VASP in the current ever-changing legal jungle of new emerging technologies.

What is a VASP in practice?

According to the definition given by the Financial Action Task Force (FATF), a VASP is a person or a company who transfers or exchanges virtual assets and fiat currencies, exchanges one or more forms of virtual assets, administrates virtual assets or instruments enabling control over virtual assets or participates in and provides financial services related to the sale of a virtual asset. VASPs have, as a consequence of the EU’s fifth anti-money laundering directive (5AMLD), been incorporated into Finnish legislation through the Act on Virtual Currency Providers in 2019.

In Finnish legislation, virtual currency providers refer to:

• virtual currency issuers,
• virtual currency exchange service providers, and
• virtual currency wallet providers

Colloquially speaking, the latter definition is the established definition of a VASP in Finland.

VASPs in Finland are under the supervision of the Financial Supervisory Authority (FIN-FSA), and whoever intends to offer services relating to virtual currencies must thus submit a registration notification to the FIN-FSA for entry into the register. A VASP registration is a several-step process that usually calls for external legal assistance. Next, we will briefly go through these steps and give you practical advice how to navigate through the VASP registration process.

Determining whether the company needs a VASP registration

The first step of becoming a VASP is to identify whether your company's business activities require a VASP registration with the FIN-FSA. This is done by mirroring the business activities (e.g. the actual services to be provided to users) to the VASP definition; in other words, can the company be regarded as a virtual currency issuer, a virtual currency exchange service provider or a virtual currency wallet provider?

First and foremost, a virtual currency issuer refers to a person or a company that issues a digital representation of value:

1. that is not a legal means of payment,
2. that can nonetheless be used as a means of payment, and
3. that can be transferred, stored and exchanged digitally

A virtual currency exchange service provider is, in turn, a business that, for instance, exchanges virtual currency for fiat currency or another virtual currency or maintains a marketplace where its customers can engage in these kinds of activities.

Finally, a wallet service provider refers to a person or company that holds virtual currency on behalf of another or offers its transfer or storage (e.g. custodial wallet services).

In some cases, determining whether the business activities fall within the scope of these definitions and whether a particular virtual currency-related service is subject to any of the exceptions listed in the law is not always a straightforward process and may thus require external assistance to safeguard the legal position and risks of the company.

The VASP registration process

Once it has been determined whether the business activities fall within the scope of the VASP definition, the company must register with the FIN-FSA by applying for a VASP registration from the FIN-FSA. The registration process requires on average between 4-6 months if the process goes smoothly and the application and all necessary attachments are prepared carefully.

The registration requirements can be divided into direct requirements and indirect requirements. According to the direct requirements:

• the company must have the right to engage in business activities in Finland,
• the person making the notification must not be bankrupt, and
• the person making the notification must be reliable which includes the shareholders and management

Additionally, the company must be able to demonstrate what virtual currency service(s) will be provided under the VASP registration.

In addition to these direct requirements, the company must also have adequate procedures and safeguards for the storage and protection of customer funds (both concerning fiat and virtual currency). Furthermore, the company must follow all applicable anti-money laundering and terrorist financing regulation (AML), which includes the preparation of extensive documentation of AML policies, risk assessments, KYC procedures, and AML trainings. Lastly, the company must also comply with relevant marketing regulation in regard to marketing of the virtual currency services.

Identifying all relevant EU and national regulations is not for the faint-hearted. An inadequate understanding of the relevant framework of rules might lead to unnecessarily long and costly registration processes, which could be avoided with the right expertise. It is recommendable that everyone considering a VASP registration become familiar with the relevant regulation on a practical level. Understanding the meaning of the regulation on the surface is not enough if the practical implementation remains a blur.

Functioning as a VASP

Once a company has been registered as a VASP, all that remains from a legal standpoint is to remain compliant with the ever-changing regulation. This means complying with all the procedures mentioned during the registration process as well as complying with other laws.

For instance, consumer protection regulation must be taken into consideration if the customer base consists of consumers, and data protection regulation must be adhered to if and when the company processes personal data.

It is also important that companies stay vigilant not to operate outside the scope of the VASP registration, for instance, by enabling execution of different kinds of payment transactions, which could trigger the need for a payment institution's license. A VASP with no other additional registration or authorisation may not operate outside the scope of VASP registration.

In addition to legal compliance, functioning as a supervised VASP means that there are certain reporting requirements to the FIN-FSA, which is important to remember in the daily business operations as a VASP.

What about the future?

The EU’s Markets in Crypto-Assets Regulation (MiCA) has been on every cryptocurrency enthusiast’s tongue for quite some time now. The regulation is expected to come into force in 2024 and it will be applicable as such in all member states. The goal of MiCA is to increase investor protection and improve financial stability without stifling innovation in the crypto-asset sector.

The regulation will introduce a new legislative framework for crypto asset service providers (CASPs) regarding, for instance, supervision, consumer protection and environmental impact. The concept of CASPs is broader than VASPs and implies that MiCA will most probably apply more broadly than the current national virtual asset legislation.

The biggest change for registered VASPs is that they will have to apply for a license to operate as a crypto-asset service provider from the FIN-FSA. However, member states may apply a simplified procedure for applications for authorisation submitted within 18 months of the adoption of the regulation by entities that, at the time of entry, were authorised under national law to provide crypto-asset services (meaning in Finland all then-current VASPs). Crypto-asset service providers, which provided their services in accordance with applicable law before, may continue to do so for 18 months or until they are granted a CASP authorisation based on the MiCA.

Thus, the biggest change for functioning VASPs is that they will have to apply for a CASP authorisation based on the MiCA instead of the current VASP registration, which, in turn, might lead to some administrative costs. However, after receiving a CASP authorisation based on the MiCA, the crypto-asset service providers may offer their services in the EU -> a so-called EU passport regime will be created with the MiCA, which will lower the barriers of entry into the markets of other member states.

In other words, regulation is perhaps not always the root of all evil (pun intended). Now it is just a matter of preparing your organisation for the upcoming regulatory changes.

If you have any questions regarding VASPs and the upcoming MiCA regulation, do not hesitate to contact us! We have successfully assisted several companies to achieve a VASP registration in Finland, and with our assistance, you will easily navigate through the evolving regulatory landscape.