What is a VASP, and how does Switzerland regulate crypto?

What does VASP mean?

VASP is the FATF definition of a crypto-asset business, added to the FATF Glossary in June 2019 alongside the matching definition of a "virtual asset". The Task Force is the inter-governmental body that sets the global anti-money-laundering standards, and its forty Recommendations are the benchmark national regulators are measured against. Recommendation 15 is the one that brought crypto inside the perimeter. A VASP is any natural or legal person that, as a business, conducts one or more of five activities for or on behalf of someone else.

• Exchange between virtual assets and fiat currencies.
• Exchange between one or more forms of virtual assets.
• Transfer of virtual assets.
• Safekeeping or administration of virtual assets, or of instruments that give control over them.
• Participation in, and provision of, financial services related to an issuer's offer or sale of a virtual asset.

Three points decide whether the label fits. It applies to a business, so an individual moving their own coins is not a VASP. It is activity-based, so the same company can be a VASP for one service and not another. And it is the service to a third party that counts, which is why custody for clients is in scope while self-custody is not. The European Union codified almost the same population under a different name, the Crypto-Asset Service Provider (CASP), in its Markets in Crypto-Assets Regulation (MiCA), applying across the EU and EEA from 2024 into 2025. Switzerland sits in neither framework and regulates the substance through its own statutes.

How does Switzerland regulate a VASP?

Switzerland regulates a VASP by what it actually does. The FATF acronym carries no weight here; the governing question is whether the business is a financial intermediary under the Anti-Money Laundering Act (AMLA, SR 955.0). Exchanging crypto for fiat or one token for another, transferring value, and holding client assets all qualify as financial intermediation when carried on commercially. Once a business is a financial intermediary it owes the full set of AMLA duties: identify the contracting party, establish the beneficial owner, monitor the relationship by risk, and report well-founded suspicion to the Money Laundering Reporting Office (MROS).

How those duties are supervised splits into two routes. A firm below the prudential threshold satisfies AMLA by affiliating with a FINMA-recognised self-regulatory organisation (SRO), which audits it every year. That is the lighter route, and the common one for an exchange or transfer business. A firm whose activity reaches deeper into financial-market law needs a FINMA prudential licence and direct supervision instead. The line between the two is the most expensive thing to misjudge in Swiss crypto, and it usually moves the moment the business starts holding other people's assets.

When holding assets changes the licence

Custody is where the regime shifts, because deposits are a banking matter. Taking crypto or fiat from the public and holding it on the firm's own balance sheet can amount to accepting deposits under the Banking Act (BankA, SR 952.0), which requires a banking or fintech authorisation. The DLT Act softened this for genuine custody: crypto assets held for clients and capable of being individually attributed are segregated from the custodian's estate in bankruptcy, so they are not treated as deposits and stay outside the banking threshold. Get the holding structure wrong (commingled wallets, no individual attribution, a redemption claim against the firm) and the same activity tips into deposit-taking. The detail is in our note on crypto custody in Switzerland.

What the FINMA framework covers

FINMA built the Swiss crypto framework in stages, and each layer answers a different question. The first sorted what a token is; the later ones regulate what a business does with it. The table sets out the four building blocks a VASP meets in Switzerland.

Token classification is the foundation everything else rests on. A payment token (a pure means of payment, such as bitcoin) brings AMLA duties when handled commercially. A utility token gives access to an application. An asset token represents a claim or an asset and is treated as a security, which adds prospectus and trading rules on top of AML. A token can be hybrid and carry more than one regime at once. Confirming the type before launch, rather than arguing it afterwards, is the purpose of a FINMA token classification ruling.

Stablecoins sit at the awkward edge of this. FINMA's guidance of 26 July 2024 turns on the redemption claim: where holders have a claim for repayment against the issuer, that typically counts as a deposit and pulls the project under the Banking Act, unless a bank guarantee is arranged on FINMA's terms. The same guidance flagged the money-laundering and sanctions exposure a stablecoin carries, treating every holder as a customer of the issuer.

What "VASP" does not settle in Switzerland

Calling a business a VASP describes the activity; it answers almost none of the Swiss licensing questions on its own. Four gaps catch foreign founders most often.

It is not a Swiss licence category. No Swiss authority grants a "VASP licence". A firm registers as a company, then either affiliates with an SRO or applies to FINMA, depending on what it does. A commercial-register entry and a Zug address confer no financial authorisation whatsoever.

It does not fix which regime applies. Two businesses both correctly described as VASPs can land in different places: one an SRO member running an exchange, the other a FINMA-licensed custodian holding deposits. The five FATF activities are a starting grid that the Swiss analysis then resolves.

It says nothing about token rules. The VASP concept is AML-only. Whether a token is a security, whether a prospectus is owed, and whether a stablecoin is a deposit are separate questions, each answered under Swiss securities, banking and financial-services law.

It is not MiCA, and MiCA is not Switzerland. A firm passported as a CASP across the EU still needs Swiss authorisation to operate from Switzerland, and vice versa. Treating the two as interchangeable is how cross-border crypto groups end up under-licensed in one jurisdiction. Which framework a firm should base under is a structuring decision, taken before incorporation rather than after.

In the crypto mandates we run, the part that bites is rarely the AML registration itself; it is the moment a business that started as a simple exchange begins to hold client assets, and the custody arrangements quietly carry it across the deposit line into a heavier licence than it planned for.

How a VASP gets authorised in Switzerland

Authorisation starts with a subordination enquiry rather than an application. Because the regime depends on substance, the first step is to describe the exact business model to FINMA (what is exchanged, transferred or held, for whom, and on whose balance sheet) and confirm which category applies before building anything. FINMA answers subordination (Unterstellung) enquiries precisely for this purpose, and a written answer is worth far more than an assumption.

From there the path forks by activity. A business confirmed as a financial intermediary below the prudential threshold proceeds to SRO affiliation, builds its AML organisation, and is audited annually. A business that takes deposits or holds assets in a way that engages the Banking Act prepares a FINMA authorisation file, with capital, organisation and fit-and-proper management to evidence. A venue admitting the public to multilateral trading of DLT securities needs the DLT trading-facility licence, the route FINMA first granted on 18 March 2025. Across all three, the AML duties of the Swiss AML framework apply from the first client, and the supervising body, whether an SRO or FINMA, expects them to be operational on day one rather than promised. Which gate fits a given model is the work set out in our guide to the Swiss crypto licence.

The picture is still moving. A dedicated Crypto-Institution licence is expected to enter into force in 2027, intended to give crypto businesses a category built for them rather than an adapted banking or fintech licence. Until it arrives, the rules above are the live ones, and the safest sequence is unchanged: classify the token, map the activity to a Swiss regime, settle custody before taking a single client asset. The full set of guides sits in our crypto and blockchain knowledgebase.