COMPLIANCE ALERT — Is Your VASP Exposed?
ComplyFactor specialises in VASP and CASP regulatory compliance across the UK, EU, UAE, Canada, Switzerland, and beyond. Whether you need a qualified MLRO, a full AML compliance programme, or an independent AML audit, our team can assess your cross-border licensing exposure before a regulator does. Book a free consultation today.
1. The Problem Most VASP Founders Don’t See Coming
You built your crypto business the way most founders do: incorporated in a jurisdiction that was welcoming to virtual asset companies, launched a product that worked globally by design, and started acquiring users wherever they found you — through an app, a website, social media, or word of mouth.
You have users in the UK. You have users in Germany, France, the Netherlands. You have users in Dubai. You probably have users in a dozen other countries too. Your platform is available in English, maybe in multiple languages. You accept card payments, bank transfers, or stablecoin deposits from customers around the world.
Here is the question most founders wait too long to ask: in how many of those markets are you a regulated entity right now — without having applied for a single licence?
The answer, in 2026, is almost certainly more than you think.
The regulatory architecture for Virtual Asset Service Providers has undergone a fundamental transformation over the past three years. The UK, the EU under MiCA, and the UAE under VARA and its free zone frameworks have each implemented — or are actively enforcing — activity-based licensing regimes. These regimes do not care where your company is incorporated. They care where your customers are.
If you are actively providing virtual asset services to residents of the UK, any EU member state, or the UAE, you may already be operating as an unlicensed financial services firm in those jurisdictions — and subject to criminal sanctions, civil penalties, forced cessation of services, and enforcement action against your directors and senior management.
FATF’s landmark March 2026 report on offshore VASPs identified this exact scenario as one of the primary drivers of global financial crime risk. It also documented that regulators in the UK, EU, UAE, and beyond are actively building the detection and enforcement infrastructure to act on it. The era of operating globally from a single offshore registration is ending — not gradually, but rapidly.
This article is designed to help VASP founders, compliance officers, and fintech operators understand precisely where the lines are drawn in the three most commercially significant markets: the UK, the EU, and the UAE.
2. What “Operating Illegally” Actually Means for a VASP
Before examining each jurisdiction, it is worth being precise about what we mean when we say a VASP may be operating illegally.
In traditional financial services, a firm “operates” in a jurisdiction if it has a physical presence — an office, employees, registered address. Licensing requirements flow from physical presence. This is the model most offshore crypto businesses were built around: incorporate in a favourable jurisdiction, operate digitally, serve customers globally without physical presence in any regulated market.
That model is no longer legally secure in the UK, EU, or UAE.
All three jurisdictions have moved — through different legislative mechanisms — toward what FATF calls an activity-based approach to VASP licensing. Under this approach, the licensing obligation is triggered not by where you are incorporated, but by the nature and direction of the services you provide. If you are:
- Actively marketing virtual asset services to residents of a jurisdiction
- Onboarding residents of that jurisdiction as customers
- Processing transactions for residents using domestic payment infrastructure
- Providing custody, exchange, transfer, or advisory services to residents
…then you are providing regulated services in that jurisdiction. Full stop. The fact that your servers are in the Seychelles, your company is registered in the BVI, or your founders are based in Singapore is legally irrelevant to whether you have triggered a licensing obligation in London, Frankfurt, or Dubai.
The consequences of providing regulated services without authorisation include:
- Criminal prosecution of the entity and its directors (UK: breach of the general prohibition under s.19 FSMA constitutes a criminal offence under s.23 FSMA; penalties include up to two years’ imprisonment)
- Civil enforcement — injunctions, asset freezes, restitution orders
- Administrative fines — potentially running into hundreds of millions (the OKX and Binance cases set the precedent)
- Forced cessation of services to residents, with mandatory account migration
- Reputational damage that destroys banking relationships, investor confidence, and partnership agreements
- Personal liability for MLROs, compliance officers, and directors who knew or should have known about the regulatory exposure
The FATF report is unambiguous that regulators are no longer waiting for the largest platforms to cross the threshold before acting. Smaller VASPs are increasingly in scope. The FCA has issued more than 2,300 alerts on illegal crypto promotions. Japan’s JFSA has requested app-store removals. India has blocked platform access and issued criminal referrals. The enforcement toolkit is deployed and operational.
COMMON MISTAKE
Many VASP founders believe that because they have not “set up” in a jurisdiction — no office, no employees, no bank account — they cannot be regulated there. This is legally incorrect in the UK, EU and UAE. Under activity-based licensing frameworks, the regulatory obligation is triggered by what you do for customers in that jurisdiction, not by where your corporate entity sits.
3. The UK: FCA Registration, Financial Promotions, and the Offshore Trap
The UK is arguably the most aggressive jurisdiction in the world when it comes to enforcing its VASP regime against offshore operators. Understanding exactly how and when UK obligations are triggered is critical for any VASP with meaningful UK customer exposure.
The AML Registration Obligation
Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), as amended, any firm that carries on cryptoasset exchange or custodian wallet activities by way of business in the UK must register with the FCA as a cryptoasset business. Failure to do so is a criminal offence.
“By way of business in the UK” does not require physical presence. The FCA’s position — confirmed in its supervisory guidance — is that a firm carries on business in the UK if it is providing services to UK customers through any channel, including digital platforms. An offshore VASP that:
- Accepts UK customers onto its platform
- Processes transactions denominated in GBP or using UK payment rails
- Maintains accounts for UK-resident users
- Provides custody of digital assets on behalf of UK residents
…is carrying on a cryptoasset business in the UK and must be FCA-registered. The fact that the firm has no UK office, UK employees, or UK bank account does not alter this analysis.
The FCA’s Register currently lists approved cryptoasset businesses. If your firm is not on that list and you have UK customers, your current legal position should be treated as a compliance emergency.
For a detailed breakdown of what UK registration and FCA oversight entails for payment institutions and electronic money firms — which increasingly overlap with VASP activity — our guides to SPI and API licensing and FCA AML audit preparation are essential reading.
The Financial Promotions Regime — The October 2023 Watershed
In October 2023, the UK extended its financial promotions regime to qualifying cryptoassets. This change is arguably more significant for offshore VASPs than the AML registration requirement — because its scope is explicitly extraterritorial and its criminal sanctions are immediate.
Under section 21 of the Financial Services and Markets Act 2000 (FSMA), no person may communicate a financial promotion in the course of business unless they are either authorised by the FCA or the promotion has been approved by an FCA-authorised person. Since October 2023, this prohibition applies to qualifying cryptoasset promotions — which includes virtually all consumer-facing advertising, social media content, and marketing for VASP services.
The FCA has been explicit: financial promotions do not need to be expressly targeted at UK consumers to trigger the regime. If UK consumers can view the promotion and potentially engage with the product or service being promoted, the communication is likely capable of having an effect in the UK and is therefore subject to the financial promotion regime.
This means:
- A Twitter/X post promoting your exchange — visible to UK users — may constitute an illegal financial promotion
- A YouTube video explaining how to use your platform — accessible in the UK — may be an illegal financial promotion
- A Google ad campaign that has not explicitly geo-blocked the UK is an illegal financial promotion
- An affiliate or influencer campaign where you have not verified that UK users cannot access the content is an illegal financial promotion
Failure to comply is a criminal offence under section 25 FSMA, punishable by up to two years’ imprisonment and/or an unlimited fine. The FCA has also warned regulated banks and payment institutions that accepting payments from or partnering with firms engaged in illegal promotions may itself constitute a money laundering offence — because the benefits of illegal promotions may constitute criminal property.
The FCA’s enforcement record since October 2023 makes this real: over 2,300 illegal promotion alerts issued, more than 1,000 scam website takedowns, and 60+ app-store removal requests to Apple and Google. Civil litigation against one offshore VASP for unlawful promotion has been commenced.
For VASPs already navigating the UK’s evolving regulatory landscape for 2026, understanding the interaction between financial promotions compliance and AML registration is non-negotiable.
PRO TIP
Even if you decide to geo-block UK users from your platform entirely, you must ensure your marketing, social media, and promotional content is equally blocked — and that you maintain documented evidence that geo-blocking controls are effective and consistently applied. Regulators and courts will look at actual user behaviour, not just stated policies. If UK residents are accessing your platform despite a formal prohibition, your stated policy provides limited legal protection.
The Travel Rule Obligation
UK VASPs — including offshore VASPs that trigger registration obligations — must comply with the UK’s Travel Rule requirements under the MLR 2017. This means collecting and transmitting originator and beneficiary information for qualifying VA transfers. For offshore VASPs with UK customer exposure, failure to implement Travel Rule controls is a standalone regulatory breach, separate from and in addition to any registration failure. See our crypto Travel Rule guide for operational detail.
4. The EU: How MiCA Creates Instant Cross-Border Liability
The EU’s Markets in Crypto-Assets Regulation (MiCA) came into full effect for Crypto-Asset Service Providers (CASPs) on 30 December 2024. It is the most comprehensive VASP regulatory framework in the world, and its scope is explicitly designed to capture offshore operators providing services into the EU market.
MiCA’s Territorial Scope
Article 2(1) of MiCA applies to any natural or legal person that is engaged in the issuance, offer to the public, or admission to trading of crypto-assets, or that provides crypto-asset services in the Union. There is no carve-out for firms incorporated outside the EU. If you are providing crypto-asset services to EU residents, MiCA applies to you.
Article 59 states that CASPs may not provide crypto-asset services within the Union unless they are established and authorised in a Member State. “Established” means having a legal entity incorporated in the EU through which authorised services are provided.
The practical implication is stark: if you are a VASP incorporated outside the EU and you are providing exchange, custody, transfer, or advisory services to EU residents, you are in breach of MiCA unless you have obtained CASP authorisation in an EU member state.
The Reverse Solicitation Exception — Narrower Than You Think
MiCA does provide one exception: reverse solicitation, under Article 61. A third-country firm may provide services to an EU client without authorisation if the client initiated the relationship at their own exclusive initiative, without any prior solicitation, offer, or advertisement directed at that client or at EU clients generally.
This exception is narrower than it appears in practice. The European Securities and Markets Authority (ESMA) has published guidelines making clear that:
- If you have ever engaged in any form of advertising, promotion, or marketing directed at EU residents — including social media posts, search engine advertising, or participation in EU-based events — the reverse solicitation exception is unavailable to you
- The exception cannot be used on an ongoing basis to extend the services provided under the initial reverse solicitation — it applies to the specific transaction or service the client initiated, not to a broader commercial relationship
- Firms may not circumvent MiCA by inducing clients to submit requests that appear to be unsolicited
In short: if you have ever done anything to attract EU customers — including having a website in European languages — you almost certainly cannot rely on reverse solicitation.
The Cross-Border Passporting Advantage — for Those Who Get Authorised
MiCA’s single market framework does provide a significant benefit for VASPs that do obtain authorisation: a CASP authorised in one EU member state can passport its services across all 27 member states without requiring separate authorisation in each. This makes EU CASP authorisation strategically valuable for any VASP seeking to build a sustainable European business.
Several EU jurisdictions offer relatively streamlined CASP authorisation processes. Our detailed guides cover the regulatory landscape in the Netherlands, Poland, Czech Republic, Lithuania, Bulgaria, and Romania — each with different processing timelines, supervisory cultures, and ongoing compliance requirements.
The 6AMLD Dimension
MiCA sits alongside the EU’s broader AML framework, including the Sixth Anti-Money Laundering Directive (6AMLD). EU member states have implemented 6AMLD, which expands the list of predicate offences for money laundering, introduces stricter liability for legal persons, and in several member states extends criminal liability to compliance officers and directors of firms that fail to implement adequate AML frameworks. An offshore VASP that serves EU customers without authorisation is not only in breach of MiCA — it may be exposing its senior management to 6AMLD criminal liability in the jurisdictions where those customers reside.
5. The UAE: VARA, ADGM, DIFC — and Why “Not Incorporated There” Is No Defence
The UAE has built one of the world’s most sophisticated — and fragmented — virtual asset regulatory frameworks. Understanding it requires navigating three distinct regulatory jurisdictions within a single country.
The Three Regulatory Zones
Mainland UAE — Virtual asset activities on the UAE mainland are regulated by the Virtual Assets Regulatory Authority (VARA), which operates under the Dubai Virtual Assets Law. VARA has authority over VASPs providing services in or from the Emirate of Dubai and, in conjunction with relevant federal authorities, across the mainland UAE. VARA requires licensing for any entity conducting virtual asset activities — including exchange services, broker-dealer services, VA management and investment, and VA lending and borrowing.
ADGM (Abu Dhabi Global Market) — The Abu Dhabi Global Market’s Financial Services Regulatory Authority (FSRA) regulates virtual asset activities within the ADGM free zone. The ADGM framework is one of the most developed VASP regulatory environments globally, with a well-established Spot Crypto Asset Framework. Entities operating in ADGM require authorisation from the FSRA.
DIFC (Dubai International Financial Centre) — The Dubai Financial Services Authority (DFSA) regulates virtual asset activities within the DIFC. The DFSA has introduced a comprehensive framework for Investment Token activities, DFSA Category 3C licensing, and related requirements. A detailed breakdown of the DIFC AMI compliance framework is available in our specialist guide.
How the UAE Triggers Offshore VASP Liability
All three UAE regulatory frameworks share a common characteristic: they apply to entities providing services in or from the relevant jurisdiction, and in the case of VARA specifically, to entities providing services to UAE residents — regardless of where the VASP is incorporated or located.
VARA’s framework explicitly captures VASPs that:
- Market virtual asset services to UAE residents through any channel
- Onboard UAE residents as customers
- Process transactions for UAE residents using UAE payment infrastructure (including UAE dirham transfers or UAE bank accounts)
- Maintain an office, employees, or any commercial presence in the UAE — even informally
The VARA marketing regulations impose specific requirements on virtual asset advertising in the UAE, and apply to any marketing directed at UAE residents regardless of the VASP’s domicile.
The Cayman-ADGM enforcement case documented in the FATF’s March 2026 report illustrates precisely how UAE regulators approach cross-border VASP structures. The FSRA imposed $8.85 million in penalties and a UBO ban on a group that was routing fiat-to-virtual-asset conversion transactions through an unlicensed ADGM entity — even though the primary corporate entity was registered elsewhere.
For a comprehensive map of the UAE’s full crypto regulatory landscape including VARA, ADGM, SCA and CBUAE, our 2025 guide provides the detailed analysis VASPs need to assess their exposure.
INDUSTRY INSIGHT
Many VASP founders choose the UAE specifically because of its favourable tax environment, business-friendly culture, and crypto-positive regulatory posture. These are legitimate attractions. But the UAE’s regulatory sophistication cuts both ways — VARA, the FSRA, and the DFSA are well-resourced, internationally connected, and actively monitoring for unlicensed VASP activity. The UAE is not a jurisdiction where regulatory non-compliance goes undetected for long.
6. The 10 Triggers That Make You a Regulated Entity Whether You Like It Or Not
Drawing on FATF’s documented red flags, the FCA’s published guidance, ESMA’s MiCA guidelines, and VARA’s marketing framework, the following are the ten most significant triggers that create regulatory obligations in the UK, EU, and UAE for offshore VASPs — regardless of where the VASP is incorporated.
1. Accepting customers who self-identify as residents of the jurisdiction during onboarding. If your KYC or onboarding process collects nationality or residence information and you proceed to onboard UK, EU, or UAE residents, you have knowingly provided regulated services to persons in those jurisdictions.
2. Processing deposits or withdrawals via domestic payment rails. Accepting GBP via Faster Payments or CHAPS, EUR via SEPA, or AED via UAE domestic bank transfers constitutes active engagement with the domestic financial system and is a strong indicator of regulated activity in those jurisdictions.
3. Running advertising campaigns that are accessible to residents. This includes Google Ads without robust geo-exclusion, social media posts on platforms with UK/EU/UAE user bases, influencer partnerships with influencers whose audiences include significant UK/EU/UAE followings, and app store listings without geographic restrictions.
4. Offering the platform in the local language or currency. Providing a platform in English specifically for the UK market, in any of the 24 EU official languages for EU residents, or in Arabic for UAE users — particularly with AED pricing — is a documented indicator of intentional market targeting.
5. Having a local phone number, WhatsApp group, or customer service presence. Any customer-facing touchpoint that suggests local presence — even a forwarding number or a Telegram group with local administrators — signals active provision of services in the jurisdiction.
6. Sponsoring or participating in local events. Sponsoring a crypto conference in London, Dubai, or Amsterdam, or having team members present at those events as representatives of the firm, constitutes active market engagement.
7. Using local influencers or affiliate marketers. Paying or incentivising UK, EU, or UAE-based individuals to promote your platform to their local audiences triggers financial promotions obligations in those jurisdictions — and potentially direct liability for the influencers themselves.
8. Having an app available in local app stores without restrictions. If your app is available in the UK App Store or Google Play, the EU App Store or Google Play, or the UAE App Store or Google Play without geo-restrictions, it is by definition accessible to and marketed to residents of those jurisdictions.
9. Processing IP addresses from those jurisdictions without geo-blocking. If your platform is technically accessible from UK, EU, or UAE IP addresses and you have not implemented geo-blocking — or your geo-blocking is trivially circumvented — regulators will treat this as evidence of active market participation.
10. Having customers who have previously completed KYC using UK, EU, or UAE identity documents. If your KYC database contains customers who verified their identity using UK passports, EU national identity cards, or UAE Emirates IDs, you have documentary evidence of active service provision to residents of those jurisdictions.
7. The “Unintentional oVASP” Problem
FATF’s March 2026 report explicitly distinguishes between intentional oVASPs — those that deliberately design their business model to evade licensing requirements — and unintentional oVASPs — those that are genuinely unaware of, misunderstand, or misinterpret the regulatory framework applicable to their activities.
This distinction matters enormously for enforcement outcomes. Regulators have consistently treated intentional evasion — the OKX model of knowing you need to register and choosing not to — as warranting the most severe sanctions. Unintentional non-compliance, where a firm genuinely did not understand its obligations, is generally treated more leniently — particularly where the firm co-operates with regulators, self-reports, and moves promptly to remedy the situation.
However, FATF is equally explicit that ignorance is not a defence and is increasingly not being treated as a significant mitigating factor. As more jurisdictions publish clear, accessible guidance on their activity-based licensing frameworks, regulators’ tolerance for “we didn’t know” is diminishing. The FCA has run extensive industry engagement programmes ahead of its crypto promotions regime. ESMA has published detailed MiCA implementation guidelines. VARA has published comprehensive guidance on its licensing requirements. The information is available.
The practical implication for VASP founders is this: the window in which ignorance provides meaningful mitigation is closing. If you are operating in the UK, EU, or UAE without a full understanding of your regulatory obligations, the most risk-reducing thing you can do right now is commission a thorough compliance review — not wait for a regulator to contact you.
This is precisely the situation where an independent AML review and a cross-border regulatory exposure assessment can be transformative. Finding a problem yourself, before a regulator finds it for you, is categorically different from being the subject of a regulatory investigation.
8. Real Penalties, Real Companies: What Happened When VASPs Got It Wrong
The enforcement record in the UK, EU, and UAE makes clear that these are not theoretical risks. The following cases represent the direction of regulatory travel — and the scale of consequences for VASPs that do not address their cross-border exposure.
OKX — $504 Million (United States, with direct lessons for UK/EU)
In February 2025, OKX pleaded guilty to operating an unlicensed money-transmitting business in the US and agreed to pay over $504 million in penalties. The core of the case was simple: OKX knew it needed to register to serve US customers; it chose not to; and it actively helped customers circumvent its own geographic restrictions.
While this is a US case, it is directly instructive for UK, EU, and UAE exposure. The factual pattern — offshore incorporation, active targeting of a regulated market, knowing non-registration, internal circumvention advice — is replicable in any jurisdiction with an activity-based licensing framework. UK, EU, and UAE regulators are watching these cases and building parallel enforcement capacity.
Binance — $4.3 Billion Resolution (Multi-Jurisdictional)
The Binance case is the largest VASP enforcement resolution in history, spanning the US DOJ, FinCEN, OFAC, and CFTC. The compliance lessons for VASPs from this case are extensively documented. For offshore VASPs operating in multiple markets, the key lesson is that regulators coordinate internationally and that penalties from multiple jurisdictions compound rapidly.
Monzo — £21.1 Million FCA Fine
While Monzo is not an offshore VASP, the FCA’s £21.1 million fine of Monzo for AML failures — including deficiencies in its financial crime risk management framework during a period of rapid customer growth — is directly instructive for VASPs scaling internationally. The fine demonstrates that the FCA’s enforcement appetite extends to growth-stage firms, not just established institutions, and that the combination of rapid customer acquisition and inadequate compliance infrastructure is a high-risk pattern that the FCA targets.
CIMA-ADGM Co-ordinated Enforcement
The 2023 Cayman-ADGM enforcement action — $8.85 million in penalties plus a UBO ban — demonstrates UAE regulators’ willingness to pursue complex, multi-jurisdictional enforcement actions against VASPs with offshore corporate structures. The specific trigger was a UBO overriding AML/CFT controls and routing transactions through an unlicensed SPV. The lesson: the more complex your corporate structure, the higher the regulatory scrutiny — not the lower.
9. The Self-Assessment: Is Your VASP Actually Compliant?
Work through the following questions honestly. If you answer “yes” or “I’m not sure” to any of them, your firm has potential regulatory exposure that requires immediate professional assessment.
UK Exposure:
- Do you have customers who completed KYC using UK identity documents or who provided a UK residential address?
- Do you accept GBP deposits or withdrawals via UK banking infrastructure?
- Is your platform or app accessible from UK IP addresses without geo-blocking?
- Have you run advertising campaigns — including social media, Google, or influencer campaigns — that have not explicitly excluded UK audiences?
- Are you registered on the FCA’s cryptoasset register? If not, do you believe you should be?
EU Exposure:
- Do you have customers from any of the 27 EU member states?
- Do you have a CASP authorisation in any EU member state, or have you applied for one?
- Have you conducted any marketing or promotional activity — including social media posts — that was not explicitly geo-blocked from all EU member states?
- Do you offer your platform in any EU official language other than English?
- Are you relying on the reverse solicitation exception? Have you obtained legal advice confirming that reliance is justified?
UAE Exposure:
- Do you have customers who identified as UAE residents during onboarding, or who used UAE bank accounts or payment methods?
- Have you marketed your services at UAE-based crypto events, through UAE-based influencers, or via UAE-targeted advertising?
- Do any of your team members operate from the UAE, even informally?
- Are you aware of the VARA, DFSA, and FSRA licensing frameworks, and have you obtained legal advice on whether they apply to your business?
If the honest answer to any of these questions raises doubt about your current compliance status, the next step is a structured regulatory exposure assessment — not a hope that regulators won’t notice.
10. What to Do If You Think You Have a Problem
If your self-assessment has surfaced potential regulatory exposure, the path forward requires speed, precision, and professional guidance. The following is a practical framework for what to do next.
Step 1: Do not ignore it. The instinct to hope the problem resolves itself, or that regulators are focused on larger firms, is understandable but dangerous. Regulatory exposure compounds over time. Every month you continue serving UK, EU, or UAE customers without authorisation adds to the scope of potential liability.
Step 2: Commission a cross-border regulatory mapping exercise. Before you can address a problem, you need to understand its full dimensions. This means a systematic analysis of every jurisdiction where you have meaningful customer presence, mapping your activities against the applicable licensing framework in each. This is not a one-size-fits-all exercise — the UK, EU, and UAE each have distinct tests for what triggers a licensing obligation, and the analysis must be jurisdiction-specific.
Step 3: Assess your options. Depending on the scale and nature of your exposure, the available options typically include:
- Proactive engagement with the relevant regulator — In many jurisdictions, a firm that voluntarily approaches the regulator to disclose a compliance gap and present a remediation plan will be treated materially more leniently than one that is identified through supervisory action. This is a well-established feature of FCA, VARA, and FSRA practice.
- Expedited licensing application — If you have UK, EU, or UAE customer exposure and are not yet licensed, pursuing authorisation on an expedited basis demonstrates regulatory good faith.
- Ceasing services to non-compliant markets — In some cases, the most appropriate response is to geo-block specific markets until licensing is obtained. This must be done carefully and with documented evidence of effective implementation.
- Account migration — Where you have existing customers in markets where you lack authorisation, a managed migration plan that transitions those customers to a locally authorised entity (where one exists in your group) may be required.
Step 4: Build your AML programme before, not after, your licence application. Regulators assess the quality of your AML/CFT framework as part of every licensing process. A firm that arrives at a licensing application without a documented, functional AML programme will not be authorised. Our complete AML programme blueprint provides the design framework, and our AML advisory services team can build the programme with you.
Step 5: Appoint a qualified MLRO. Every licensing application in the UK, EU, and UAE requires designation of a Money Laundering Reporting Officer who meets the regulator’s fit-and-proper requirements. The MLRO must have genuine authority, real access to customer data, and adequate seniority. A nominal or “dummy” MLRO — something FATF has specifically flagged as a supervisory red flag — will cause your application to fail and may trigger additional scrutiny. See our guide to why VASPs should outsource their MLRO function for a detailed analysis of the options.
11. How ComplyFactor Helps VASPs Resolve Offshore Compliance Exposure
ComplyFactor is a specialist compliance advisory firm with deep expertise in virtual asset regulation across the UK, EU, UAE, Canada, Switzerland, Pakistan, and Australia. We work with VASP founders, compliance officers, and fintech operators at every stage of the regulatory compliance lifecycle.
Cross-Border Regulatory Mapping — We conduct systematic jurisdiction-by-jurisdiction analyses of your licensing exposure, identifying where your activities trigger regulatory obligations and mapping a practical path to compliance. This is typically the starting point for any VASP that has identified potential offshore compliance risk.
MLRO Outsourcing — Our global MLRO services place qualified, experienced Money Laundering Reporting Officers in your business — individuals with genuine authority, real access to systems and customer data, and the regulatory knowledge to satisfy FCA, VARA, DFSA, and national competent authority fit-and-proper requirements. An outsourced MLRO from ComplyFactor is not a checkbox — it is a functional compliance resource.
AML Compliance Programme Development — We build AML/CFT compliance programmes from the ground up, calibrated to your specific risk profile as a virtual asset business. This includes risk assessments, policies and procedures, transaction monitoring frameworks, KYC/CDD processes, Travel Rule implementation, and STR frameworks — everything regulators expect to see when they examine your business.
Independent AML Audits — Our AML audit services provide the independent assurance that UK, EU, and UAE regulators require. Whether you are preparing for an FCA supervisory visit, a VARA compliance assessment, a DFSA examination, or simply want to understand where your programme has gaps before a regulator identifies them, our audit team brings both jurisdiction-specific regulatory expertise and genuine independence.
Licensing and Registration Support — We have supported VASP licensing across multiple jurisdictions, including FCA registration in the UK, CASP authorisation across EU member states, VARA licensing in Dubai, and DFSA licensing in the DIFC. We manage the full licensing process — from regulatory business plan development to fit-and-proper assessments to ongoing regulatory liaison.
Contact ComplyFactor today for a confidential assessment of your VASP’s cross-border regulatory exposure.
12. Frequently Asked Questions
I’m incorporated in the Seychelles / BVI / Cayman Islands. Does UK, EU or UAE law really apply to me?
Yes — if you are actively providing virtual asset services to residents of those jurisdictions. Incorporation offshore does not exempt you from activity-based licensing obligations in the UK (MLR 2017 and FSMA), the EU (MiCA), or the UAE (VARA, FSRA, DFSA). Regulators in all three jurisdictions have confirmed this in published guidance, and enforcement cases have demonstrated that offshore incorporation is not a shield against regulatory action.
We have a “no UK/EU/UAE users” policy in our Terms of Service. Is that sufficient?
No. A terms of service prohibition is not a substitute for effective technical geo-blocking, and courts and regulators have consistently held that stated policies are not determinative where actual user behaviour contradicts them. The FCA, ESMA, and VARA all apply a substance-over-form analysis — they look at what is actually happening, not what your T&Cs say. You need documented evidence that your geo-blocking is technically effective and consistently applied.
We rely on the MiCA reverse solicitation exception. Are we safe?
Almost certainly not, if you have engaged in any marketing or promotional activity directed at EU residents. ESMA’s guidelines on reverse solicitation make clear that the exception is extremely narrow. Any preceding solicitation — including social media posts, advertising, influencer campaigns, or participation in EU-based events — eliminates the reverse solicitation defence for services offered to EU clients who were exposed to that solicitation.
What is the process for getting FCA-registered as a cryptoasset business?
FCA registration under the MLR 2017 requires the firm to demonstrate adequate AML/CFT systems and controls, a fit-and-proper senior management team and beneficial owners, and a compliant business model. The FCA’s rejection rate for cryptoasset registration applications has historically been high. Firms should expect to invest in building a genuine compliance infrastructure — including a qualified MLRO, documented policies and procedures, and a functional transaction monitoring framework — before applying. ComplyFactor has extensive experience supporting FCA registration applications. Contact us to discuss your specific situation.
How long does MiCA CASP authorisation take?
Under MiCA, the authorisation process involves an initial completeness assessment of up to 25 working days, followed by a substantive assessment period — with the total process typically running up to 40 working days from receipt of a complete application, extendable where further information is required. In practice, the timeline varies significantly by jurisdiction — from a few months in more streamlined jurisdictions to considerably longer in others. The quality of your application documents — particularly your AML programme, business model description, and senior management suitability evidence — is the primary determinant of processing speed. Our analysis of EU member state MiCA implementation compares processing timelines and regulatory cultures across key jurisdictions.
What’s the difference between VARA licensing and DFSA/FSRA authorisation in the UAE?
VARA regulates virtual asset activities in mainland Dubai and, more broadly, across the UAE mainland (in conjunction with federal authorities). The DFSA regulates within the DIFC free zone. The FSRA regulates within the ADGM free zone. These are legally distinct jurisdictions within the UAE — a VARA licence does not permit operations within the DIFC, and vice versa. Choosing the right regulatory framework depends on your target customer base, business model, and operational footprint. Our comprehensive guide to UAE crypto regulation maps the distinctions in detail.
What happens if we voluntarily disclose our compliance gap to the regulator?
In most jurisdictions, voluntary disclosure — particularly where accompanied by a credible remediation plan — is treated as a significant mitigating factor in enforcement decisions. Regulators distinguish between firms that come forward proactively and those that are identified through supervisory action or third-party intelligence. The size of any penalty, and whether enforcement action is taken at all, can be meaningfully influenced by whether the firm disclosed the problem itself. This is one of the strongest arguments for moving quickly once you have identified a potential compliance issue.
Key Takeaways
Operating a VASP in 2026 without understanding your cross-border regulatory obligations is not a business strategy — it is a liability. The UK, EU, and UAE have each built comprehensive, extraterritorially applicable regulatory frameworks that capture offshore VASPs serving their residents, and all three jurisdictions are actively deploying enforcement infrastructure to identify and act on unlicensed activity.
The question is not whether regulators can reach your business. In the UK, EU, and UAE, they demonstrably can. The question is whether they will find a compliant business or a non-compliant one when they look.
If you have any uncertainty about where your firm stands, talk to ComplyFactor. A compliance problem discovered and remediated early is a manageable challenge. A compliance problem discovered by a regulator is an existential one.
This article is for informational purposes only and does not constitute legal advice. Regulatory frameworks change frequently — always seek qualified legal and compliance advice specific to your business and jurisdictions of operation. ComplyFactor is an independent compliance advisory firm and is not affiliated with any regulatory body.