Crypto License in Panama
Operating a VASP in Panama Under the AML/CTF Framework
The Republic of Panama, globally recognized as a pivotal center for international finance, logistics, and maritime trade, offers a highly strategic and commercially advantageous jurisdiction for Virtual Asset Service Providers (VASPs). Unlike highly regulated European markets, Panama currently operates within a flexible regulatory framework for cryptocurrency activities, providing an exceptional, low-cost model centered on strict compliance with Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) standards.
This strategic positioning is reinforced by Panama’s robust legal stability and its globally renowned territorial tax system. Panama allows Virtual Asset Exchanges, custody providers, and remittance services to incorporate and operate under a standard corporation structure, provided they meticulously adhere to the requirements of the Financial Analysis Unit (UAF). This process, mandated by Law 23 of 2015, focuses on registering the VASP as a Non-Financial Obligated Subject (Sujeto Obligado No Financiero). Navigating this UAF registration process is the mandatory legal first step for establishing any compliant Crypto Exchange Panama or money services business (MSB).
This comprehensive, extended guide provides an exhaustive analysis of the Panamanian legal landscape, the intricacies of the UAF VASP registration, the unparalleled commercial advantage of the territorial tax system, and the advanced technical compliance required. We will delve into the critical role of the Compliance Officer, the nuances of local banking, and the operational best practices needed for sustained, legally sound operation within this evolving financial hub.
Defining the Legal Framework: The AML Mandate and the "No Crypto License" Reality
Panama’s attractiveness stems from its approach to virtual assets, which prioritizes AML oversight rather than dedicated, high-friction licensing.
The Current Regulatory Position: The UAF Imperative
As of 2025, the Panamanian government does not issue a specific “Crypto License” or a dedicated digital asset operating license (e.g., a “VASP License” equivalent to those in the UAE or Singapore). Critically, no specific law directly regulates the issuance, trading, or custody of virtual assets beyond their treatment under the country’s stringent AML/CTF laws.
The key legislative and regulatory instruments are:
Law 23 of 2015: This foundational AML/CTF statute established the legal framework for the prevention of money laundering, classifying certain financial and commercial activities as “obliged subjects”.
The Financial Analysis Unit (UAF): The UAF is the Financial Intelligence Unit (FIU) of Panama and the main supervisory body responsible for enforcing Law 23 of 2015 on all non-financial entities, including Virtual Asset Service Providers (VASPs).
FATF and GAFILAT Compliance: Panama is actively engaged in aligning its regulatory structure with the recommendations of the Financial Action Task Force (FATF) and its regional affiliate, GAFILAT.
This legal framework positions the VASP registration not as a licensing hurdle, but as a mandatory AML/CTF compliance obligation enforced by the UAF, providing maximum operational flexibility under a mature legal umbrella. This approach significantly lowers the Panama VASP license cost and time-to-market compared to major G20 jurisdictions.
Scope of Mandatory UAF Registration for VASPs
The registration is compulsory for any legal entity, whether locally incorporated or operating remotely but targeting Panamanian clients, that conducts one or more of the following activities on behalf of a client, as per FATF Recommendation 15:
Exchange Services: Providing services for the exchange between virtual assets and fiat currencies, or between one or more forms of virtual assets. This targets exchanges, brokers, and OTC desks.
Transfer & Remittance: Facilitating the transfer of virtual assets (remittances, payments, cross-border settlements). This covers crypto-payment processors and remittance services.
Custody and Wallet Services: The secure custody and administration of virtual assets or instruments enabling control over virtual assets (e.g., hosted wallet services, cold storage providers).
Participation and Financial Services: Participation in financial services related to an issuer’s offer or sale of a virtual asset.
The UAF Registration Process: Procedural and Documentary Depth
The entire process aims to inscribe the VASP in the Registro Público de Sujetos Obligados No Financieros (Public Registry of Non-Financial Obligated Subjects) maintained by the UAF. This is a comprehensive compliance exercise that typically spans 2 to 5 months, contingent upon the quality and specificity of the compliance documentation.
Phase I: Corporate Foundation and Local Substance Requirements
Establishing the corporate structure is the crucial first step, requiring a demonstrably credible local presence compliant with the Commercial Code.
Corporate Incorporation: The VASP must incorporate a local legal entity, commonly a Sociedad Anónima (S.A.) or Sociedad de Responsabilidad Limitada (S.R.L.). The Articles of Association must explicitly include VASP activities, such as “virtual asset management and exchange,” as part of its legal objective.
Local Registered Agent: It is mandatory to appoint a Panamanian attorney to act as the Registered Agent. This agent is the permanent legal point of contact for all governmental authorities.
Local Office and Substance: While the law does not mandate extensive commercial headquarters, establishing a demonstrable physical office address (or a reputable legal address) is critical. This physical presence is essential for demonstrating genuine local substance, which is a major factor in securing a corporate bank account.
Minimal Share Capital: Panama does not impose a high minimum statutory share capital requirement for VASP registration. The emphasis is purely on demonstrating operational viability (sufficient funds to cover 6-12 months of projected operating expenses, OpEx).
Phase II: The Core Compliance Dossier (The Risk-Based Approach)
This phase requires the development of an exhaustive internal governance and compliance framework that must be submitted to the UAF. The submission must clearly demonstrate a Risk-Based Approach (RBA) tailored specifically to the unique threats of virtual assets.
| Required Compliance Document | Key Focus and Requirement (UAF Scrutiny) |
| AML/CTF Manual and RBA Policy | Must outline a highly specific Risk-Based Approach (RBA) tailored to virtual asset activity. Must detail rigorous procedures for KYC/CDD, ongoing monitoring, and Suspicious Activity Report (SAR) filing with the UAF. Must specifically address ML/CTF risks associated with crypto-to-fiat conversions, non-custodial wallets, and cross-border remittances. |
| Compliance Officer (CO) Appointment | UAF Compliance Officer requirements demand a dedicated CO with proven legal/financial/AML qualifications and operational independence. The CO must be authorized to stop transactions and report suspicious activities directly to the UAF without fear of corporate reprisal. |
| Internal Controls and IT Security Manual | Detailed description of the VASP’s IT infrastructure, data protection protocols, and cybersecurity measures (e.g., ISO 27001 alignment). This includes access controls, data encryption standards, and the separation of network environments (testing/production). |
| Employee Training Program | A formalized, documented annual training program for all employees (including directors) on their responsibilities under Law 23 of 2015, focusing on “red flags” specific to virtual asset transactions. |
| Know Your Transaction (KYT) Strategy | Specific documented methodology for performing Know Your Transaction (KYT) analysis on the blockchain, including the use of blockchain analytics tools to risk-score addresses and identify sources/destinations of funds. |
The submission must demonstrate active, technological risk mitigation and a comprehensive internal control architecture, going far beyond a generic template.
Phase III: Final Review and Registration Grant
The UAF’s review is meticulous. They frequently issue multiple Requests for Information (RFIs) seeking detailed clarifications on the operational flow, the risk assessment matrix, and the CO’s independence.
Public Registry: A positive decision grants the VASP its official registration number, which is then published in the Registro Público de Sujetos Obligados No Financieros. This confirms the VASP’s legal status as an obliged subject under Panamanian law.
Local Auditor Engagement: The VASP must demonstrate engagement with a Certified Public Accountant (CPA) registered in Panama. This auditor is crucial for preparing the mandatory annual financial statements and performing the Annual Independent AML Audit necessary for ongoing compliance.
Continuous Obligation: The registration is not a permanent license; it is an obligation requiring continuous, demonstrable adherence to the AML/CTF framework and submitting the required annual reports.
The Unparalleled Commercial Advantage: Panama's Territorial Tax System
The most significant strategic and financial draw of the Panama VASP registration is its globally competitive tax jurisdiction, which operates on a territorial tax principle.
Understanding the Territorial Tax System
Panama employs a Territorial Tax System for Corporate Income Tax (CIT).
Principle: Only income generated from sources within Panama is subject to local corporate income tax (CIT). Income generated from sources outside the country is legally considered non-taxable (foreign-sourced income).
Application to VASPs: For a Crypto Exchange Panama, this means:
Local Income (Taxable): Any fees, commissions, or profits derived from services provided to clients residing in Panama or operations physically executed within the country. This income is subject to the standard corporate income tax rate (currently 25%).
Foreign Income (Non-Taxable): The vast majority of income generated by a VASP (e.g., transaction fees, trading profits, custody fees) derived from international clients (Europe, Asia, North America) whose funds, servers, and operations are managed and sourced outside the country is legally exempt from Panamanian CIT.
The territorial tax system is the single most significant financial benefit, as it legally exempts the primary revenue stream of international VASPs—foreign-sourced crypto transaction fees and trading income—from local corporate tax. This dramatically lowers the effective Panama VASP license cost compared to jurisdictions with worldwide taxation.
Tax Compliance: Demonstrating Foreign Source
To maintain the integrity of this tax exemption, the VASP must maintain strict documentation proving that revenue streams are genuinely foreign-sourced.
Documentation: Maintain meticulous records of client KYC (proving residency outside Panama), server locations, and the physical location where the trade/service was executed.
Transfer Pricing: Panamanian tax authorities (DGI) will scrutinize transfer pricing and operational flows to ensure that foreign-sourced income is not deliberately routed through the local entity to avoid taxation.
Indirect Tax Exemptions
| Tax Type | Panamanian Position for Foreign-Sourced Income | Impact for VASPs |
| Corporate Income Tax (CIT) | 0% (for foreign-sourced income) | Maximum tax efficiency for international operations. |
| Capital Gains Tax (CGT) | Generally not applicable to the exchange of crypto-to-crypto (as crypto is not recognized as a security or legal tender). | Flexibility for treasury management and investment activities. |
| Value Added Tax (VAT) / ITBMS | Generally outside the scope for digital/financial services provided to foreign clients. | Avoidance of significant indirect tax burdens on international revenue. |
Request more information
Operational Challenges: Banking and Financial Access
While the compliance and tax frameworks are highly favorable, securing a local corporate bank account remains the single most challenging operational hurdle for any VASP. The difficulty is purely risk-driven, stemming from the banks’ reluctance to jeopardize their correspondent relationships.
To provide context for international operators, the table below highlights the key differences between the Panamanian UAF registration path and the evolving situation in neighboring Costa Rica.
Comparative Overview: Panama vs. Costa Rica VASP Focus
| Parameter | Panama (UAF Registration Focus) | Costa Rica (Evolving Regulation) |
| Primary Regulatory Body | UAF (Financial Analysis Unit, focused on AML/CTF enforcement). | SUGEF (Superintendencia General de Entidades Financieras – Proposed for VASP oversight). |
| Legal Status of VASP | Mandatory Registration as a Non-Financial Obligated Subject (Law 23/2015). | Unregulated but tolerated. Formal VASP legislation pending/under discussion. |
| Corporate Tax Advantage | 0% CIT on Foreign-Sourced Income (Highly established legal precedent). | 0% CIT on Foreign-Sourced Income (Established, but banking access is unpredictable). |
| Mandatory Compliance Tool | Rigorous FATF Travel Rule implementation is required. | Implementation expected post-legislation; currently less enforced. |
The Bank Risk Appetite Problem
Panamanian banks are highly conservative due to their critical reliance on international Correspondent Banking Relations (CBRs), particularly for processing US Dollar (USD) transactions. This reliance subjects them to the stringent AML/CTF standards of the jurisdictions hosting the correspondent banks (primarily the U.S. and Europe).
The Global “De-risking” Trend: Local banks view UAF-registered VASP holders with extreme caution. The global trend of “de-risking” dictates that financial institutions minimize exposure to perceived high-risk sectors, including cryptocurrency. This often results in a blanket refusal of service to crypto-related businesses to protect their own CBRs from regulatory penalties.
Heightened Scrutiny by Superintendency of Banks (SBP): Even though the UAF regulates non-financial subjects, the SBP heavily influences the local banks’ risk policies. Banks must demonstrate to the SBP that their client acceptance policies fully mitigate the specific ML/CTF risks associated with virtual assets. Opening an account requires exceptional transparency and due diligence, often demanding significantly more documentation from the VASP than the UAF itself.
Strategy for Banking and Fiat Access: The Dual Approach
A VASP must adopt a robust, dual-pronged approach to manage fiat flow and overcome the banking bottleneck:
Local Bank Strategy (Substance & OpEx Focus): The primary goal of a local Panamanian bank account is to handle local operational expenses (OpEx), salaries, tax payments, and demonstrate local substance. To secure this:
Demonstrable Substance: The VASP must prove its local commitment. This includes providing the physical office lease, local utility bills, and proof of a local Legal Representative and/or Compliance Officer.
Exhaustive Flow of Funds Analysis: A crucial requirement is a detailed, bank-approved Flow of Funds document. This transparently shows the origin and destination of all fiat and crypto assets, the frequency of conversion, and the rigorous on-chain and off-chain reconciliation processes. The bank needs assurance that the VASP is not serving high-risk jurisdictions or illicit counterparties.
UBO Vetting and Source of Wealth (SOW): Banks require highly detailed and verifiable Source of Wealth (SOW) documentation for all Ultimate Beneficial Owners (UBOs) and directors, including proof of the source of initial operating capital.
Alternative Fiat Strategy (International Trading Focus): The majority of international crypto-to-fiat trading and settlement should be handled externally. The most successful VASPs establish initial fiat access using Fintech-friendly Electronic Money Institutions (EMIs) or licensed Payment Service Providers (PSPs) in jurisdictions known for their crypto-friendly banking policies (e.g., Switzerland, the UK, or specific offshore financial centers). This strategy minimizes the direct risk exposure of the Panamanian local bank account, allowing the VASP to leverage the Panamanian entity primarily for the UAF registration and the territorial tax benefits on international revenue.
The VASP must treat the local banking relationship as a separate, rigorous compliance project, providing full transparency on the ultimate beneficiaries and the robust technical safeguards in place.
Advanced AML/CTF and Technology Compliance
The UAF’s focus on operational integrity demands a robust, auditable technical framework that goes beyond basic legal documentation, emphasizing the implementation of global FATF standards.
FATF Travel Rule Implementation: Technical Deep Dive
Panama’s commitment to FATF standards (specifically Recommendation 16) means all registered VASPs must comply with the Travel Rule for virtual asset transfers exceeding the equivalent of USD 1,000.
Information Collection Mandate: The VASP (as the Originator VASP) must obtain and hold the required information about the originator (sender) and the beneficiary (receiver). This data includes the name, account number/wallet address, and the physical address or national identification number.
Secure Information Transmission: The VASP must implement a technical solution (such as a TRISA-aligned protocol or other secure, decentralized messaging standard) capable of transferring this mandatory information securely and instantaneously with the beneficiary VASP. This technical integration must be proven.
The Compliance Officer’s Role in Travel Rule: The Compliance Officer must monitor the effectiveness of the Travel Rule solution, ensuring data integrity, security, and the correct handling of transactions involving non-custodial (unhosted) wallets, which are exempt from VASP-to-VASP data sharing but still require risk assessment.
Key Management, Custody, and ISO 27001 Alignment
For any VASP offering custodial services, security protocols must be internationally recognized and auditable.
Layered Custody Policy: A documented, tiered custody policy is required. The mandatory use of geographically redundant, air-gapped Cold Storage for a substantial percentage of client assets (typically 90% or more) must be detailed, along with protocols for the hot wallet (operational) management.
Cryptographic Hardware and Ceremony: The use of Hardware Security Modules (HSMs) or Multi-Party Computation (MPC) technology for the secure generation, storage, and access of private keys must be explicitly documented. A formal, auditable Key Generation and Destruction Ceremony (logged with timestamps and participant signatures) is essential to prove non-repudiation and access control.
ISO 27001 Alignment and CSO: While formal ISO 27001 certification may not be mandatory at the UAF stage, the VASP’s Information Security Management System (ISMS) must be designed in alignment with these principles. This requires appointing a dedicated Computer Security Officer (CSO), distinct from operational staff, to oversee the security governance, Penetration Tests, and continuous vulnerability monitoring.
Advanced Transaction Monitoring and Risk Scoring
The VASP must use technology to prove its AML commitment.
Automated Monitoring Parameters: The Automated Transaction Monitoring system must be configured with rules specific to virtual assets, including detecting “structuring” (breaking large crypto transfers into smaller ones), rapid changes in transaction size/frequency, and fund movements to high-risk jurisdictions.
Blockchain Analytics Integration: Mandatory, ongoing use of Blockchain Analytics Tools to perform real-time risk scoring of all addresses against known sanctions lists (OFAC, UN), darknet markets, mixing services, and illicit activity databases. The system must generate alerts based on configurable risk thresholds.
Risk-Based Handling of Privacy Enhancing Technologies (PETs): The AML/CTF Manual must contain an explicit and detailed policy on the treatment of Privacy Coins and Mixing Services. This policy must dictate that if a PET is involved, the VASP must apply Extreme Enhanced Due Diligence (EDD), or, preferably, block the transaction entirely, recording the reason for the block.
Maintenance and Compliance Governance: Sustaining Legal Status
Compliance with the UAF is a permanent, ongoing obligation under Law 23 of 2015, requiring continuous corporate attention.
Annual Reporting, Auditing, and Ongoing Due Diligence
Annual Independent AML Audit: A crucial annual requirement is the submission of a comprehensive Annual Independent AML Audit of the VASP’s entire AML/CTF program to the UAF. This audit must be conducted by a qualified Panamanian CPA or AML consultant and must verify that the internal policies are effective in practice (e.g., checking sampled KYC files, testing the transaction monitoring system’s efficacy).
Continuous Employee Training: The formalized annual training program (referenced in Section 2.2) must be documented with attendance logs, course materials, and proof of post-training testing. The UAF may request these records to verify commitment to Law 23 of 2015.
Technology & Security Review: An annual External Penetration Test (Pen Test) and a full review of the Business Continuity and Disaster Recovery (BCP/DR) plans are necessary. The results, showing that all critical vulnerabilities have been remediated, must be held on file and potentially submitted to the UAF upon request.
Corporate Governance and Fiduciary Duty
Beyond AML, the VASP’s directors are bound by strict corporate governance standards.
Director Liability: Panamanian law imposes significant fiduciary duties on directors. Failure to ensure compliance with the UAF’s requirements can lead to personal liability, including fines and potential criminal proceedings for severe AML/CTF violations.
Record Keeping: The VASP must maintain all client and transaction records (including KYC, CDD, and all transaction data) for a minimum of five (5) years, in a manner that is immediately accessible and reconstructible for the UAF upon request. This requirement underpins the entire AML framework.
The ultimate success of the VASP lies not in securing the initial UAF registration, but in establishing a culture of continuous compliance and robust technical oversight, thereby sustaining the tax-efficient operational advantage Panama provides.
Compliance Roadmap: UAF VASP Registration in Panama 2025
Panama VASP Compliance Checklist
| Stage | Critical Requirement |
| I. Corporate Setup | Local Incorporation (S.A. or S.R.L. established with VASP objectives) |
| Local Registered Agent (Panamanian attorney appointed) | |
| Physical/Registered Office (Secured address for substance proof) | |
| II. Compliance Dossier | AML/CTF Manual (Full RBA Policy detailing VA risks and EDD procedures) |
| Compliance Officer (Appointed, fully independent, and UAF-vetted) | |
| IT/Cybersecurity Protocols (Documented ISMS, BCP/DR plan) | |
| III. Global Compliance | FATF Travel Rule Readiness (Technical solution integrated or planned for cross-border transfers) |
| Blockchain Analytics Integration (KYT risk-scoring tools in active use) | |
| Key Management System (Custody protocols detailed, Cold Storage policy in place) |
Technical Resilience and Auditing Checklist
This section covers the specialized technical governance necessary to satisfy the UAF’s operational integrity concerns.
| Technical Governance Area | Compliance Requirement |
| Custody & Keys | Cold Storage Policy (Minimum 90% client assets in air-gapped storage) |
| Key Generation/Destruction (Multi-sig, auditable, documented ceremony) | |
| HSM/MPC Usage (Hardware-level security for keys) | |
| Monitoring & Screening | Automated Transaction Monitoring (Rule-based software operational) |
| Sanctions/PEP Screening (Mandatory, ongoing screening of all parties) | |
| Resilience | Annual Penetration Testing (Pen Test) (External firm, application and infrastructure scope) |
| Business Continuity and Disaster Recovery (BCP/DR) (Tested and documented for RTO/RPO) |
The Gateway to Tax-Efficient Global Crypto Operations
Obtaining UAF VASP registration in Panama is a powerful strategic choice. It allows global VASPs to combine the financial advantage of a territorial tax system with minimal upfront capital requirements, all while operating under a robust, internationally recognized AML/CTF framework (Law 23 of 2015).
Panama offers the optimal equilibrium between tax efficiency and regulatory credibility, making it the premier strategic gateway for global crypto exchanges, remittance providers, and custodians targeting both the Latin American market and global retail traffic. By proactively prioritizing advanced compliance, establishing robust local substance, and meticulously addressing the banking challenges, VASPs can secure a durable, legally compliant, and highly profitable presence in this stable financial hub.
FAQ
No. The highly publicized Ley de Cripto Panama was partially vetoed by the President, meaning a formal, dedicated licensing regime is not yet established. The requirement is mandatory VASP registration.
The Superintendencia de Sujetos No Financieros (SSNF) is the authority responsible for the mandatory registration and AML/CTF supervision of Virtual Asset Service Providers (VASPs) under Ley 23 of 2015.
The law remains partially vetoed, pending further legislative action to address concerns related to AML/CTF and compliance with international standards set by FATF.
Mandatory Panama VASP registration SSNF. This process verifies the integrity of the firm’s personnel and the robustness of its AML compliance Panama crypto program.
Panama operates a territorial tax system. Income generated from services executed outside Panama is generally exempt from local corporate income tax, offering a favorable tax structure for international operations.
Unwavering adherence to the AML/CTF mandates of Ley 23 of 2015, which includes establishing a Risk-Based Approach (RBA), implementing strict CDD/EDD, and filing Suspicious Transaction Reports (STRs).
Yes. To satisfy the SSNF requirements, the VASP must be locally incorporated, maintain a registered physical office, and appoint a qualified, locally based Compliance Officer.
No. The SSNF's supervision focuses exclusively on financial crime prevention (AML/CTF), not the prudential regulation of market operations, which is reserved for the banking and securities sectors.
Securing traditional banking services. Banks require the SSNF registration and proof of a transparent, robust AML compliance Panama crypto framework to mitigate their own risk exposure.
The process is variable, but typically takes several months, depending heavily on the quality and completeness of the initial submission, the complexity of the VASP's model, and its efficiency in responding to SSNF information requests.