Crypto License in Philippines

The Philippines as a Hub for Virtual Asset Service Providers

The Republic of the Philippines has emerged as one of the most proactive and complex regulatory environments for digital assets in Southeast Asia. Driven by a highly engaged, young, and mobile-savvy population, and a massive remittance market, the country presents a compelling, albeit multi-layered, opportunity for Virtual Asset Service Providers (VASPs). Unlike single-regulator jurisdictions, licensing a crypto operation in the Philippines requires navigating the mandates of up to three key agencies: the Bangko Sentral ng Pilipinas (BSP), the Securities and Exchange Commission (SEC), and the Cagayan Economic Zone Authority (CEZA).

Successfully obtaining a Philippine Crypto License in 2025 demands a precise understanding of which regulator governs which part of the value chain, focusing heavily on Anti-Money Laundering (AML) compliance and consumer protection. This exhaustive guide details the regulatory frameworks, the stringent capital and operational requirements, the critical FATF Travel Rule implementation, and the nuanced tax implications, providing a definitive roadmap for international firms seeking to establish a compliant, high-growth presence in the Philippine digital economy.

The Dual Regulatory Landscape: BSP vs. SEC Authority

The foundational complexity of the Philippine regulatory environment stems from the different treatment of Virtual Currencies (VCs) and Crypto-Assets/Digital Securities. This bifurcation dictates which primary license an applicant must pursue.

The Bangko Sentral ng Pilipinas (BSP) Framework for VASPs

The Bangko Sentral ng Pilipinas (BSP), the country’s central bank, is the primary regulator for entities dealing with the exchange of fiat currency and virtual assets. Under Circular No. 1108 of 2021, the BSP expanded its oversight from Virtual Currency Exchanges (VCEs) to comprehensive Virtual Asset Service Providers (VASPs).

Key Mandate: The BSP views VASP activities primarily as a Money Service Business (MSB), particularly a form of remittance and transfer company. This classification is rooted in the high volume of remittances sent by Overseas Filipino Workers (OFWs), for which crypto-assets are increasingly used.
Covered Activities: The BSP requires a Certificate of Authority (COA) for entities engaging in:
- Exchange between virtual assets and fiat currencies (PHP/USD/etc.)
- Exchange between one or more forms of virtual assets.
- Transfer of virtual assets (remittances).
- Custody or administration of virtual assets (wallet providers).
The BSP license, therefore, is essential for any VASP that facilitates fiat-to-crypto and crypto-to-fiat transactions involving the Philippine Peso (PHP). This covers nearly all operational cryptocurrency exchanges targeting the domestic market.

The Securities and Exchange Commission (SEC) Framework for CASPs

The Securities and Exchange Commission (SEC) oversees the issuance and trading of crypto-assets classified as securities. The SEC recently intensified its regulatory reach with the issuance of rules for Crypto-Asset Service Providers (CASPs).

Key Mandate: The SEC focuses on investor protection and market integrity, especially concerning Initial Coin Offerings (ICOs), Security Token Offerings (STOs), and the operation of crypto-asset trading venues that list digital securities.
CASP Rules: Entities that offer crypto-assets to the public or operate a trading venue for digital assets deemed to be securities must register and comply with the SEC’s CASP Rules. This typically requires registration as a corporation under Philippine laws.
Dual Jurisdiction: An entity offering both VASP services (fiat-crypto exchange) and trading digital securities (like tokenized stocks) will require concurrent authorization from both the BSP and the SEC, demanding an extremely high level of coordinated compliance.

The CEZA Offshore Licensing Option

The Cagayan Economic Zone Authority (CEZA) offers licenses for Offshore Virtual Currency Exchanges (OVCEs) operating within the Cagayan Special Economic Zone and Free Port (CSEZFP).

CEZA Mandate: CEZA provides a separate, tax-friendly zone intended for offshore operations, primarily focused on attracting FinTech Solutions (FTS) Providers and blockchain innovation from foreign entities.
Restrictions: CEZA licenses explicitly prohibit transactions involving the Philippine Peso (PHP) and are barred from serving Philippine citizens or residents.
The CEZA FTS License offers lower corporate tax benefits and reduced regulatory friction for global exchanges that do not intend to target the domestic Filipino market.

Financial and Operational Requirements for BSP VASP Licensing

The BSP’s VASP guidelines set clear and substantial financial and operational benchmarks, designed to ensure the stability and security of licensed operators.

Minimum Capital Requirements

The BSP differentiates capital requirements based on whether the VASP holds customer funds (custodial) or merely facilitates non-custodial transactions. These requirements are subject to continuous review and are typically the most significant entry barrier.

VASP Category	Minimum Paid-in Capital (PHP)	Approximate USD Equivalent
Custodian VASP (Holds client funds/keys)	50,000,000	850,000
Non-Custodian VASP (E.g., Software Provider, Intermediary)	10,000,000	170,000

Liquidity and Solvency: Beyond the minimum capital, the VASP must maintain adequate liquidity at all times and adhere to prudent risk management policies to ensure solvency, particularly concerning the volatile nature of the assets held. The BSP emphasizes that the minimum capital must be fully paid up and unimpaired by losses throughout the operation.

Mandatory Compliance and Governance Structure

The BSP mandates a robust governance framework aligned with international financial standards.

Anti-Money Laundering (AML) Registration: All VASPs must register with the Anti-Money Laundering Council (AMLC) of the Philippines and strictly adhere to the AMLC’s guidelines, particularly concerning Know Your Customer (KYC), Customer Due Diligence (CDD), and filing of Suspicious Transaction Reports (STRs).
Fit and Proper Rule: All directors, principal officers, and shareholders (with significant ownership) must pass the BSP’s ‘Fit and Proper’ test. This involves extensive background checks, police clearances, and an assessment of their financial integrity and competence. This is a non-negotiable step that often determines the timeline for license approval.
Local Presence and Staff: The VASP must be registered as a corporation in the Philippines and maintain a physical office that is appropriately staffed during regular business hours. Key compliance and operations personnel must be based locally.

Advanced Security and Compliance Mandates

Philippine crypto regulation is heavily influenced by the Financial Action Task Force (FATF) recommendations and an intense focus on technological resilience.

Strict Enforcement of the FATF Travel Rule

The BSP mandates strict compliance with the FATF Travel Rule, treating virtual asset transfers as cross-border wire transfers. This places an obligation on the originating VASP to gather and transmit specific information.

Transaction Threshold: For transfers amounting to PHP 50,000 or more (approx. USD 850), the VASP must obtain and transmit data on both the sender and the receiver.
Required Information: The transmitted data must include: the sender’s name, account number, physical address, and the beneficiary’s name and account number. Compliance requires the VASP to integrate a secure, encrypted Travel Rule technical solution into its platform.
Unhosted Wallets: VASPs are required to perform enhanced due diligence (EDD) on transactions involving unhosted (self-custodied) wallets to properly assess and mitigate the associated money laundering and financing risks.

Robust Cybersecurity and Operational Risk Frameworks

The BSP’s emphasis on IT risk is paramount, requiring sophisticated security measures that exceed basic industry standards.

IT Risk Management Framework (ITRMF): VASPs must implement a comprehensive ITRMF that covers system resilience, data integrity, and capacity planning. This framework must demonstrate that the VASP can maintain core services and transaction processing during periods of extreme market volatility or attempted denial-of-service (DDoS) attacks.
Penetration Testing (Pen Test) and Vulnerability Management: Before deployment and at least annually thereafter, the VASP must engage an independent, qualified third party to conduct rigorous penetration testing on the entire ecosystem (web application, APIs, and critical infrastructure). All high-risk vulnerabilities must be remediated promptly, and the reports must be submitted to the BSP.
Key Management System (KMS) Audit: For custodial VASPs, the policies regarding the management of private keys are heavily scrutinized. This includes the use of Hardware Security Modules (HSMs), multi-signature authorization protocols, and clear, auditable procedures for key generation, storage, backup, and destruction. The security of the KMS directly impacts the VASP’s ability to protect client funds.
Business Continuity Planning (BCP) and Disaster Recovery (DR): The BCP/DR plan must be detailed, tested, and demonstrate a minimal Recovery Time Objective (RTO). The plan should specifically address scenarios unique to the crypto sector, such as blockchain network congestion or major stablecoin de-pegging events, showing how the VASP ensures market orderly conduct and client notification during such crises.

3. Segregation of Client Assets and Due Diligence Triggers

Asset Segregation: The BSP strictly requires that all client virtual assets and fiat funds must be held in accounts legally and operationally segregated from the VASP’s proprietary operational funds.
Enhanced Due Diligence (EDD) Triggers: EDD is mandatory for transactions exceeding PHP 500,000 (approx. USD 8,500) or its foreign currency equivalent. For Politically Exposed Persons (PEPs), the VASP must obtain senior management approval before establishing the business relationship.

The CEZA FTS License: Offshore Opportunities and Tax Benefits

The Cagayan Economic Zone Authority (CEZA) offers a distinctive regulatory path for international FinTech companies aiming for an Asian base without engaging the domestic Philippine market.

The FinTech Solutions (FTS) License Framework

The FTS license is CEZA’s mechanism for regulating blockchain and virtual asset operations within its economic zone.

Offshore Focus: The license is strictly for Offshore Virtual Currency Exchanges (OVCEs). Licensees are explicitly prohibited from offering services to Filipino citizens or residents, and all crypto-fiat conversions must be conducted outside of the Philippines.
Investment and Substance: CEZA requires a substantial commitment to the economic zone. Historically, this has included:
- Investment Commitment: A minimum investment of USD 1 Million over a two-year period.
- Physical Presence: Establishing a back office and physical presence within the Cagayan Special Economic Zone and Free Port (CSEZFP).
- Sub-Licensing: The primary licensee is often granted the ability to have multiple sub-licenses for traders and brokers operating under its regulatory umbrella.
The CEZA license provides a streamlined gateway for international exchanges seeking tax incentives and a fast track into the Asian market, provided they accept the domestic prohibition.

Tax and Fiscal Advantages of the CEZA Zone

The primary attraction of CEZA is its favorable tax regime for offshore activities.

Preferential Tax Rate: CEZA-registered enterprises enjoy a preferential tax rate on income derived from their registered activities within the zone. This is significantly lower than the standard Philippine corporate tax rate.
Tax Holidays: CEZA often grants tax holidays for a specific period after initial registration, providing a critical cash flow advantage during the start-up phase.
Import/Export: Exemptions from duties and taxes on the importation of capital equipment, raw materials, and other items directly used in the licensed activity.

CEZA vs. BSP License Comparison

The choice between CEZA and BSP/SEC is fundamentally a decision between an offshore tax haven (CEZA) and onshore market access (BSP/SEC).

Feature	BSP VASP (Onshore Access)	CEZA FTS (Offshore Access)
Primary Regulator	Bangko Sentral ng Pilipinas (BSP)	Cagayan Economic Zone Authority (CEZA)
Market Access	Domestic Philippine Market (PHP)	Strictly Non-Philippine Residents
Minimum Capital	PHP 10M – PHP 50M	USD 1,000,000
Corporate Tax Rate	Standard Philippine Corporate Tax (30%)	Preferential Tax Rate
Primary Focus	Remittance, Financial Stability, Consumer Protection	Foreign Investment, Innovation, Economic Zone Development

Request more information

Send Request

Taxation and Accounting for Cryptocurrency in the Philippines

The tax treatment of virtual assets remains a nuanced area in the Philippines, primarily guided by the Bureau of Internal Revenue (BIR) interpretations of the National Internal Revenue Code (NIRC).

Tax Classification of Crypto-Assets

The BIR generally categorizes the income derived from crypto-asset transactions based on the taxpayer’s intent.

Capital Assets: Cryptocurrency held for long-term investment purposes is generally treated as an intangible Capital Asset. Gains derived from the sale or exchange of these assets are subject to the Capital Gains Tax (CGT) or Ordinary Income Tax depending on the taxpayer’s classification (individual or corporation).
Ordinary Assets (Inventory): For VASPs or professional traders who hold cryptocurrency for sale in the ordinary course of business, the assets are treated as Inventory. Income from the sale is subject to Ordinary Income Tax (up to 35% for corporations) and may be subject to Value-Added Tax (VAT) if the VASP is VAT-registered.
VASPs must establish a clear accounting policy, ideally in consultation with a Philippine tax attorney, to classify their own holdings versus client funds to manage corporate tax exposure.

Taxation of VASP Services

The revenue earned by the VASP itself—primarily in the form of transaction fees, brokerage commissions, and listing fees—is subject to standard Philippine corporate taxation.

Standard Corporate Income Tax (CIT): Currently, the standard corporate tax rate in the Philippines is 30%. VASP profits, minus deductible operating expenses, are taxed at this rate (unless the VASP is registered under a special zone like CEZA).
VAT and Business Taxes: Depending on the nature of the service, certain transaction fees may be subject to VAT. The complexities surrounding VAT on digital asset services require careful structuring of fee mechanisms.

Documentation and Reporting Requirements

VASPs must adhere to strict reporting requirements to both the BSP and the BIR.

Quarterly and Annual Reporting: VASPs must provide quarterly reports on their activities, transactions, user data, and financial standing to the BSP.
Tax Returns: Accurate recording of all income, capital gains, and transactions is mandatory for annual tax returns. The lack of specific, detailed BIR guidelines means a conservative and highly documented approach to income classification is essential to mitigate audit risk.

The Licensing Process and Key Challenges

Obtaining a BSP VASP license is a multi-stage, rigorous process that often spans 6 to 12 months.

1. The Phased Application Process

The application is typically submitted through the BSP’s Supervision and Examination Sector (SES).

Phase 1: Application to Establish MSB: The VASP must first apply for approval to operate as a Money Service Business (MSB). This phase requires the submission of the application letter, articles of incorporation, and a detailed Business Plan outlining the target market, operational procedures, and risk management strategy.
Phase 2: Submission of Comprehensive Compliance Documentation: Upon initial approval, the VASP submits the full suite of compliance documents, including the AML/CFT Manual, IT Risk Management Framework, and the results of the ‘Fit and Proper’ check for all principals.
Phase 3: Technical Demonstration and On-site Audit: The BSP may require a technical demonstration of the VASP’s platform and security protocols. An on-site audit of the physical office and corporate substance may follow.
Phase 4: Issuance of Certificate of Authority (COA): The COA is granted only after the BSP is satisfied with the VASP’s compliance, financial standing, and technical readiness.

2. Major Regulatory Headwinds: The Moratorium Strategy (New Content Added)

The Philippine licensing environment is characterized by certain bottlenecks and complexities. The primary hurdle is the BSP’s current policy stance.

The Moratorium on New Licenses: Since September 2022, the BSP has imposed a moratorium on the issuance of new VASP licenses to new applicants. This was initiated to allow the central bank to focus its supervisory capacity on existing licensees and develop more robust, risk-based regulations without being overwhelmed by a flood of new applications.
Implications for Entry: This moratorium means that the traditional application pathway for a new VASP license is currently inaccessible. International firms seeking immediate market access must rely on strategic alternatives, making the regulatory landscape highly competitive and reliant on mergers and acquisitions (M&A).
Targeting Existing Licensees (Acquisition Strategy): The most certain and fastest route to a BSP VASP license is often the strategic acquisition of an existing BSP-licensed VASP or a registered Money Service Business (MSB) with a VASP component. This requires intensive M&A due diligence focused on the target’s compliance history, as the BSP will scrutinize the change of control and the new management’s ‘Fit and Proper’ status.
Regulatory Overlap: Managing the overlapping jurisdiction of the BSP (remittance/VASP), SEC (securities/CASP), and the AMLC (AML) requires a highly specialized local legal and compliance team.
Local Banking Access: While licensed, securing banking relationships with major Philippine commercial banks can be challenging, as many institutions remain cautious about the volatile and high-risk nature of the crypto sector.

3. The Due Diligence Dossier: Key Documents

The success of the application heavily relies on the quality and completeness of the submitted documentation.

Document Category	Key Content Requirement
Governance & Corporate	Detailed Corporate Governance Manual; Articles of Incorporation; Curricula Vitae and Financial Disclosures of all directors/officers.
Financial & Business	3-5 Year Financial Projections; Proof of PHP Minimum Paid-in Capital Deposit; Comprehensive Risk Management Policy.
Compliance (AML/CFT)	Risk-Based Approach (RBA) Framework; Detailed KYC/CDD procedures; FATF Travel Rule Implementation Plan.
IT & Security	IT Security Audit Report (independent); Business Continuity Plan (BCP); Cold Storage and Key Management System policy.

Future Outlook and Strategic Entry Considerations

The Philippines remains a high-potential market, driven by powerful demographic and economic forces.

Digital Adoption and the Remittance Engine

The high mobile penetration rate and the massive role of remittances (approximately 35 billion USD annually) solidify the Philippines’ position as a key global crypto market. VASPs that can demonstrate low-cost, secure, and rapid cross-border payment solutions are best positioned for success.

Fintech Integration and Partnership

The BSP strongly encourages integration with the traditional financial sector. Future growth will be driven by FinTech collaborations—partnerships between licensed VASPs and traditional banks or payment processors—to bridge the crypto-fiat gap and ensure wider adoption by the unbanked population.

CBDC Exploration: The BSP is actively exploring a Central Bank Digital Currency (CBDC), which, while not a direct competitor, signifies the government’s commitment to digitalizing the financial infrastructure. Licensed VASPs will be crucial in the eventual deployment and distribution of any sovereign digital currency.

Strategic Entry Options Amid the Moratorium

Given the current BSP moratorium, international firms must adopt creative strategies for market entry:

Acquisition of Licensed Entities: The most certain and fastest route to a BSP VASP license is often the strategic acquisition of an existing BSP-licensed VASP or a Money Service Business with an established track record. This avoids the moratorium queue but requires extensive due diligence on the target’s compliance history.
CEZA as a Launchpad: Starting with a CEZA FTS license to establish an Asian operational base and build a track record before the BSP moratorium lifts remains a viable, low-friction option for purely offshore services.
Focusing on Non-VASP Services: Launching non-VASP services, such as blockchain software development or unregulated advisory services, while preparing the compliance framework for a future license application.

The Philippine crypto regulatory environment is a dynamic landscape that prioritizes robust AML and consumer protection over rapid market entry. Firms succeeding here will be those willing to make substantial, verifiable commitments to compliance and local substance.

FAQ

What is the difference between a VASP and a CASP license?

The Philippines uses two primary licenses: VASP and CASP. VASP (Virtual Asset Service Provider) is issued by the central bank (BSP) and primarily focuses on crypto-fiat exchange and remittances (AML/CTF compliance). CASP (Crypto-Asset Service Provider) is a newer registration/license from the Securities and Exchange Commission (SEC). It governs all entities dealing with crypto-asset securities, custody, and platforms that offer crypto services to Filipino investors.

Which regulator do I need to register with: BSP or SEC?

It depends on your core business model. You will likely need both for comprehensive operations: BSP (VASP): Required for any exchange involving Philippine Pesos (fiat) or cross-border money transfer activities. SEC (CASP): Required for any service involving custody of client assets, token offerings, or platforms dealing with tokens that qualify as securities.

Is there a moratorium on new VASP license applications?

Yes. The Bangko Sentral ng Pilipinas (BSP) has imposed an indefinite moratorium on accepting new VASP license applications (as of late 2025). This is a move to strengthen regulatory oversight and mitigate risks following the country’s removal from the FATF grey list.

How can a new company enter the market given the VASP moratorium?

Since the moratorium only applies to new applications, the most viable path for market entry is through the acquisition (M&A) of an existing, already licensed VASP. This process requires exhaustive due diligence and subsequent formal approval from the BSP for the change of control.

What are the minimum paid-up capital requirements for CASP (SEC)?

To register as a CASP, the applicant must be incorporated in the Philippines and meet a minimum paid-up capital of ₱100 million Philippine Pesos (excluding crypto-assets). This high threshold is designed to ensure financial resilience and enhanced investor protection.

What are the minimum capital requirements for VASP (BSP)?

The capital requirement for a BSP-licensed VASP is tiered based on its classification as a Money Service Business (MSB). This typically ranges from ₱10 million to ₱50 million, depending on the extent and complexity of the services offered (e.g., simple exchange vs. complex transfers).

Is a physical office required in the Philippines?

Yes. Both the BSP (VASP) and SEC (CASP) frameworks explicitly mandate that the applicant must establish a registered local corporation and maintain a physical office presence within the Philippines.

What are the key AML/CTF obligations for a licensed VASP?

The VASP must implement a robust compliance program that includes: Strict KYC/CDD (Know Your Customer/Customer Due Diligence) procedures. Continuous transaction monitoring and suspicious activity reporting (SARs). Full technical compliance with the FATF Travel Rule. Ongoing Enterprise-Wide Risk Assessment.

Does the FATF Travel Rule apply in the Philippines?

Absolutely. The BSP strictly enforces the Travel Rule compliance Philippines, which requires VASPs to securely transmit verifiable originator and beneficiary information for all crypto transactions exceeding the established threshold (generally $₱ 50, 000$ ).

Can a CEZA license serve Philippine residents?

No. The CEZA (Cagayan Economic Zone Authority) Crypto License is strictly an offshore license. It is designed for businesses serving international clients. Licensees must implement geofencing controls and are expressly forbidden from marketing to or transacting with Philippine residents or using the domestic financial system.

What is the typical timeline for obtaining the full license?

While the official timeline for BSP approval was previously around 2 months, the overall process—including corporate setup, IT Audit for Crypto Exchanges, development of AML manuals, and regulatory interviews—usually takes 6 to 12 months (excluding the current VASP moratorium period).

What kind of technology audit is required?

Both BSP and SEC require a mandatory, independent IT Audit to confirm the security architecture. This includes system resilience, key custody procedures, internal controls, and regular Penetration Testing (Pen-testing) to prove the VASP's ability to protect customer funds and data.

What are the SEC DATO regulations?

DATO (Digital Asset Token Offering) regulations are issued by CEZA and govern the issuance of digital tokens within the economic zone. If a token targets the domestic market or is classified as a security, it falls under the more stringent SEC CASP rules regarding registration and disclosure.