Crypto License in Philippines

Supervisory Reality After Approval

How BSP, SEC, and AMLC Actually Supervise a Live Crypto Business

Approval in the Philippines is not an endpoint. It is the beginning of a permanent supervisory relationship where regulators evaluate behaviour, not documents. This section explains what happens after authorisation, how supervision is exercised in practice, and what distinguishes VASPs that remain stable under scrutiny from those that drift into regulatory risk.

Philippine supervisors do not treat crypto businesses as technology platforms. They treat them as financial institutions operating high-risk transfer infrastructure. Every supervisory interaction is framed around one question: does the organisation behave as declared when pressure appears?

Supervision as an Ongoing Operating Condition

Supervision in the Philippines is continuous, not episodic. Regulators assume that crypto businesses are exposed to volatility, fraud, cyber risk, and rapid scale. As a result, they test whether controls operate consistently over time.

Key characteristics of ongoing supervision include:

• repeated information requests tied to transaction behaviour

• thematic reviews focused on AML, Travel Rule execution, and custody controls

• ad-hoc inquiries triggered by market events or user complaints

• retrospective reconstruction of past decisions and incidents

Supervisors are less interested in whether a policy exists and more interested in whether the organisation can prove how it acted in a specific situation months later.

What Regulators Monitor Continuously

Governance Behaviour Under Stress

Governance is tested during moments of friction, not during routine operations.

Supervisors observe:

• who actually makes risk decisions when alerts escalate

• whether board and senior management involvement is real or symbolic

• how conflicts between commercial objectives and compliance controls are resolved

• whether delegations of authority are respected in practice

Weak governance patterns include delayed decisions, informal overrides, undocumented approvals, and reliance on offshore parent instructions without local accountability.

AML Execution and Decision Discipline

AML supervision focuses on execution quality, not policy language.

Regulators assess:

• alert volumes versus resolution capacity

• quality of investigation narratives

• consistency of STR filing thresholds

• escalation discipline for complex or borderline cases

• evidence that alerts are closed based on analysis, not pressure

A common failure pattern is “alert fatigue”, where monitoring rules exist but teams lack the authority or capacity to act decisively.

Travel Rule Operational Integrity

Travel Rule compliance is reviewed as a transactional process, not a compliance checkbox.

Supervisory attention includes:

• accuracy and completeness of transmitted data

• handling of counterparties with incompatible Travel Rule standards

• treatment of failed or partial data transfers

• controls around unhosted wallet interactions

• reconciliation between blockchain data and internal records

Breakdowns usually occur at scale, when transaction volumes rise and exception handling is underdeveloped.

Custody and Asset Protection Behaviour

Custody supervision focuses on control, not technology branding.

Regulators test:

• who can access private keys and under what conditions

• how emergency access is governed

• segregation between client and proprietary assets

• procedures for loss events, forks, or protocol failures

• reconciliation frequency and discrepancy handling

Any ambiguity around key control or asset ownership is treated as a material supervisory concern.

Supervisory Interaction Patterns

Routine Reporting

Licensed VASPs are required to submit regular reports covering:

• transaction volumes and values

• user metrics and activity segmentation

• AML indicators and STR statistics

• operational incidents and remediation actions

• financial condition and capital position

Reports are not passive filings. Supervisors use them to build behavioural profiles and identify anomalies over time.

Thematic Reviews

Regulators periodically launch focused reviews across the sector.

Typical themes include:

• AML effectiveness in high-risk corridors

• Travel Rule implementation consistency

• cybersecurity resilience and incident handling

• custody and asset segregation controls

• outsourcing and third-party risk management

Thematic reviews often result in follow-up actions, even for compliant firms.

Event-Driven Inquiries

Certain events automatically attract supervisory attention:

• security breaches or attempted intrusions

• abnormal transaction spikes

• significant customer complaints

• media exposure involving fraud or losses

• rapid growth without corresponding control expansion

In these situations, regulators expect immediate transparency and structured responses.

Recordkeeping and Regulatory Memory

Retrospective Accountability

Philippine supervisors operate with long institutional memory.

VASPs must be able to reconstruct:

• why a customer was onboarded

• why a transaction was allowed or blocked

• who approved an exception

• what information was available at the time

• how risks were assessed then, not later

Poor recordkeeping is treated as a governance failure, not an administrative lapse.

Evidence Expectations

Evidence must be:

• contemporaneous, not recreated

• internally consistent across systems

• attributable to specific decision-makers

• preserved for regulatory inspection

Email chains, chat messages, and informal approvals often become part of supervisory reviews.

Operational Substance and Local Authority

Why Local Presence Is Actively Tested

Local presence is not symbolic. Regulators test whether:

• key officers are physically accessible

• decisions can be made without offshore approval delays

• compliance teams can act independently

• escalation paths remain functional during crises

Remote-control models are systematically challenged.

Staffing and Capacity Monitoring

Supervisors observe:

• staffing ratios relative to transaction volumes

• turnover in compliance and risk roles

• training effectiveness and continuity

• reliance on contractors versus internal staff

Under-resourced teams are viewed as structural risk indicators.

Banking Relationships and Supervisory Alignment

How Banking Access Is Evaluated

Banks in the Philippines rely heavily on regulatory signals.

They assess:

• quality of BSP supervision

• history of regulatory findings

• AML execution credibility

• transparency of ownership and governance

A VASP’s ability to maintain banking relationships is directly linked to its supervisory reputation.

Managing Bank-Driven Reviews

Banks routinely conduct their own reviews, which often mirror regulatory concerns.

Successful VASPs:

• maintain regulator-aligned documentation

• can explain control logic clearly

• provide timely, structured responses

• avoid contradictions between bank and regulator narratives

Scaling Under Supervision

Growth as a Supervisory Test

Rapid growth is not viewed positively by default.

Regulators evaluate:

• whether controls scale with volumes

• whether monitoring thresholds are recalibrated

• whether staffing expands proportionally

• whether governance keeps pace with complexity

Uncontrolled growth is treated as a risk event.

Product Expansion Controls

Adding new features or services requires internal discipline.

Supervisors expect:

• documented change management

• risk assessments for new products

• AML and Travel Rule impact analysis

• governance approvals before launch

Silent feature creep is a common supervisory red flag.

Incident Management Expectations

Security and Operational Incidents

When incidents occur, regulators expect:

• immediate containment actions

• clear internal escalation

• accurate impact assessment

• timely regulator notification

• structured remediation plans

Minimisation or delayed disclosure significantly worsens outcomes.

Customer Impact and Communication

Supervisors evaluate:

• how clients are informed

• whether communications are accurate and timely

• whether compensation or remediation is handled fairly

• whether complaint handling remains functional

Poor client communication often triggers deeper reviews.

Enforcement Philosophy

Progressive Intervention

Philippine regulators typically escalate gradually:

• observations and guidance

• formal findings and remediation timelines

• activity restrictions

• penalties or licence suspension

Early transparency and cooperation materially influence outcomes.

What Triggers Severe Action

Severe intervention is usually linked to:

• misrepresentation of operations

• repeated AML failures

• asset protection breaches

• obstruction or non-cooperation

• governance collapse

Documentation alone cannot compensate for behavioural failures.

How We Build for Supervisory Longevity

Our approach is designed around survivability under supervision, not just approval.

We structure:

• decision frameworks that work during crises

• AML processes that scale and remain defensible

• Travel Rule execution that handles exceptions gracefully

• custody controls that withstand forensic review

• governance that can explain itself years later

The objective is a Philippine crypto operation that regulators, banks, and partners trust over time — even as the market evolves and pressure increases.

Institutional Operating Model

How a Philippine Crypto Business Must Actually Be Built to Survive Supervision

A Philippine crypto licence is only defensible if the business is constructed as a single, internally coherent operating system. Regulators do not evaluate compliance functions, technology, governance, and finance separately. They evaluate whether these components reinforce each other under pressure.

This section explains how a Philippine crypto operation must be architected, not described. It focuses on operating logic, internal discipline, and structural decisions that determine whether the licence remains stable over time.

One Operating System, Not a Collection of Policies

The dominant supervisory assumption in the Philippines is that fragmented systems fail. A VASP built as disconnected silos will eventually contradict itself under scrutiny.

A viable institutional model demonstrates:

• alignment between governance authority and operational execution

• consistency between AML risk appetite and product design

• coherence between custody controls and financial planning

• traceability between decisions, actions, and records

Supervisors actively test for contradictions between declared intent and operational reality.

Governance Architecture That Regulators Trust

Board and Senior Management Function

The board is not symbolic. It is a control organ.

Supervisors expect boards to:

• understand the crypto-specific risks of the business

• actively approve risk appetite and material changes

• receive and question compliance and incident reports

• document dissent and challenge, not just approval

A board that only ratifies management proposals is treated as weak governance.

Executive Authority and Local Decision-Making

Local authority is a core requirement.

Effective structures ensure:

• executives can suspend activity without offshore approval

• compliance heads have independent escalation rights

• local management controls budgets for risk mitigation

• crisis decisions are not delayed by parent company politics

Remote-control governance models are systematically rejected in practice.

Committees and Control Functions

Committees are expected to function, not exist.

Common supervisory focus areas include:

• risk committees that actively review exposure metrics

• AML committees that resolve high-risk cases formally

• IT or security committees that oversee resilience and incidents

Minutes are examined for substance, not formatting.

Financial Logic and Capital Discipline

Capital as a Risk Buffer, Not a Number

Paid-in capital is evaluated in relation to operational risk.

Supervisors assess:

• custody exposure versus capital adequacy

• liquidity under stress scenarios

• ability to absorb operational losses

• dependence on parent funding

Capital planning that ignores volatility or custody risk is considered superficial.

Treasury and Asset Segregation

Financial controls must be explicit and enforceable.

A defensible model includes:

• legally segregated client accounts

• operational separation between client and house wallets

• reconciliation routines with escalation thresholds

• clear loss-allocation logic

Any ambiguity around asset ownership invites regulatory intervention.

AML as an Operating Capability

Risk-Based Approach in Practice

Risk-based AML means the system adapts.

Supervisors expect:

• differentiated treatment of customer segments

• dynamic monitoring thresholds

• periodic reassessment of risk profiles

• documented rationale for risk decisions

Static risk matrices are quickly identified and criticised.

Alert Handling and Escalation

AML effectiveness is measured at the alert level.

Regulators review:

• alert quality versus volume

• investigation depth and reasoning

• escalation timelines

• senior management involvement in sensitive cases

Closing alerts without analytical narrative is a common failure point.

STR Discipline

STRs are judged on credibility.

Effective practices include:

• clear articulation of suspicion

• linkage to transaction patterns

• internal approval records

• consistency with prior risk assessments

Over-reporting and under-reporting are both treated as weaknesses.

Travel Rule as Transaction Infrastructure

Embedded, Not Layered

Travel Rule compliance must be embedded in transaction flows.

Supervisors assess:

• how data is captured at initiation

• how it is transmitted and verified

• how failures are handled

• how exceptions are escalated

Manual workarounds collapse under volume.

Unhosted Wallet Treatment

Unhosted wallets are not prohibited, but they are scrutinised.

Expected controls include:

• enhanced due diligence triggers

• transaction limits or monitoring intensification

• behavioural pattern analysis

• management sign-off for elevated risk

Treating unhosted wallets as “normal” is a regulatory red flag.

Technology as a Supervisory Topic

IT Risk Governance

Technology is supervised as infrastructure.

Regulators evaluate:

• ownership of IT risk

• incident response authority

• testing and remediation discipline

• dependency on third-party providers

Lack of internal technical understanding at management level is viewed negatively.

Cybersecurity and Incident Handling

Incident handling defines credibility.

Supervisors expect:

• predefined incident classification

• immediate containment actions

• forensic capability or access

• clear communication lines

Delayed disclosure erodes trust rapidly.

Change Management

Every platform change is a risk event.

Strong controls include:

• documented change approval

• risk assessment for new features

• testing before deployment

• rollback procedures

Silent releases are routinely uncovered during reviews.

Custody and Key Control Reality

Control Over Keys

Custody is evaluated through control, not custody labels.

Regulators test:

• who can initiate key access

• how approvals are granted

• how emergency access is handled

• how keys are backed up and recovered

Single-person control structures are unacceptable.

Loss Scenarios and Recovery

Supervisors expect realistic planning.

This includes:

• protocol failure scenarios

• internal fraud scenarios

• operational error scenarios

• client communication plans

Optimistic assumptions undermine credibility.

Operational Substance and Staffing

Staffing as a Risk Metric

Staffing levels are monitored continuously.

Regulators consider:

• workload per compliance officer

• turnover rates

• training frequency

• reliance on external consultants

Chronic understaffing is treated as structural non-compliance.

Training and Institutional Knowledge

Training is expected to be ongoing.

Effective programmes include:

• onboarding for new hires

• scenario-based AML training

• incident response drills

• governance awareness for executives

Generic online courses are insufficient.

Outsourcing and Third-Party Risk

Vendor Dependency

Outsourcing does not transfer responsibility.

Supervisors assess:

• due diligence on vendors

• contractual control rights

• contingency plans for vendor failure

• monitoring of vendor performance

Critical functions without fallback plans are flagged.

Group Structures and Intragroup Services

Intragroup arrangements are examined closely.

Regulators expect:

• arm’s-length documentation

• clear accountability lines

• independence of local control functions

Group dominance without safeguards is challenged.

Product Design and Consumer Protection

Product Risk Awareness

Product design is treated as a compliance matter.

Supervisors review:

• fee transparency

• risk disclosures

• suitability for target users

• marketing alignment with actual risk

Aggressive marketing unsupported by controls attracts scrutiny.

Complaint Handling

Complaints are regulatory signals.

Expected practices include:

• structured intake and classification

• root-cause analysis

• timely resolution

• escalation of systemic issues

Ignored complaints often trigger thematic reviews.

Scaling Without Regulatory Drift

Growth Controls

Growth must be governed.

Supervisors look for:

• growth triggers tied to control expansion

• staffing thresholds linked to volume

• recalibration of monitoring systems

Unmanaged growth is treated as a failure of governance.

Geographic Expansion

Cross-border activity adds complexity.

Expectations include:

• jurisdictional risk assessment

• consistency with Philippine licence scope

• alignment with foreign Travel Rule standards

Uncoordinated expansion creates compliance fragmentation.

Internal Audit and Self-Testing

Independent Assurance

Self-testing is expected.

A robust model includes:

• periodic internal audits

• thematic reviews

• follow-up on findings

• board oversight of remediation

No self-critique suggests institutional immaturity.

Learning from Findings

Regulators value learning behaviour.

They assess whether:

• findings lead to real changes

• repeat issues are eliminated

• root causes are addressed

Repeated minor findings can escalate into major concerns.

Culture as a Supervisory Factor

Compliance Culture

Culture is inferred from behaviour.

Signals regulators notice:

• willingness to escalate bad news

• absence of blame-shifting

• clarity in decision ownership

• respect for control functions

Toxic growth culture undermines even strong frameworks.