Crypto License in Austria
The Austrian Regulatory Landscape – FMA and FM-GwG: A Foundation of Integrity
The foundation of Austria’s approach to virtual asset regulation is laid in its robust legal framework, which is rooted in established EU financial law but implemented with distinct national rigor. Austria’s regulatory focus is historically on stability, consumer protection, and strict adherence to anti-financial crime measures, a culture that is directly reflected in the VASP registration process.
The Role of the Financial Market Authority (FMA)
The FMA is the sole, ultimate authority responsible for the supervision and regulation of all financial services in Austria, including the virtual asset sector. Its mandate spans banks, insurance companies, securities firms, and now, Virtual Asset Service Providers (VASPs).
The regulator’s (FMA) mandate is not focused on issuing a “license” in the traditional sense for general crypto services, but requires a mandatory FMA registration for specific types of activity that are considered “services related to virtual currencies” under Austrian law.
The FMA registration, therefore, is an AML/CFT compliance certification, confirming the firm’s capacity to act as an “obliged entity” under the FM-GwG. This certification is fundamentally an organizational and procedural approval, not a prudential one (which will change under MiCA).
Defining the Austrian Crypto Asset Service Provider (CASP)
The key activities subject to FMA oversight under the current framework include:
Exchange Services (Fiat-to-Crypto/Crypto-to-Crypto): Operating as a platform that facilitates the exchange of virtual currencies against fiat currency or between different virtual currencies.
Custodian Services (Wallet Providers): Providing services to safeguard or administer virtual assets or instruments enabling control over virtual assets (i.e., holding private keys on behalf of clients).
Transfer/Issuance Services: Acting as an issuer or distributor of certain virtual assets, particularly those involved in fundraising or transfer activities, though the final classification often hinges on other financial laws.
Any company performing one or more of these functions must submit an application for VASP registration before commencing operations in Austria or targeting Austrian clients. Crucially, the FMA’s jurisdiction extends to foreign VASPs that actively target the Austrian market, meaning local registration is necessary even without a physical Austrian office, although a local legal entity is highly recommended for the process. Active targeting is defined by marketing activities, offering Austrian contact details, or utilizing API interfaces connected to Austrian websites.
Legal Foundation: The FM-GwG and its Rigor
The Financial Market Money Laundering Act (FM-GwG) outlines the detailed AML/KYC obligations for all supervised entities. The Act requires the implementation of a comprehensive risk management system, including:
Risk Assessment (RBA): A thorough, documented, and regularly updated assessment of the money laundering and terrorism financing risks inherent to the firm’s business model.
Internal Controls and Procedures: Establishing robust internal controls, focusing on the day-to-day implementation of Customer Due Diligence (CDD) measures, particularly concerning remote onboarding procedures.
Data Protection: Ensuring the secure and compliant handling of personal and sensitive data collected during the KYC onboarding process, in full alignment with the EU’s General Data Protection Regulation (GDPR). The FMA treats GDPR compliance as an integral part of its due diligence on the organizational structure, demanding proof of adequate technical and organizational measures (TOMs).
How to Obtain FMA VASP Registration: The Step-by-Step Technical Process
The application for registration is highly technical and requires a deep understanding of Austrian administrative law and financial compliance standards, demanding meticulous attention to local substance and organizational structure.
Pre-Application Phase: Corporate Structure and Local Substance
Before the formal application submission, the prospective service provider must establish the necessary legal and operational foundation.
Austrian Legal Entity: The applicant must be registered as a legal entity in Austria, typically a Gesellschaft mit beschränkter Haftung (GmbH) or, for larger enterprises, an Aktiengesellschaft (AG).
Demonstrable Local Presence: Establishing a demonstrable local presence is crucial for the FMA’s regulatory scrutiny. This includes having a registered office, local operational staff, and evidence that the entity is managed and controlled from Austria (local substance requirements).
Management and Key Personnel: Appointing a competent and reliable management board. The FMA requires a rigorous Fit and Proper Test (F&P) for all directors and key personnel. The F&P review extends to criminal records, personal financial solvency, and professional qualifications relevant to the financial sector.
Compliance Officer Appointment and the MLRO’s Role
The mandatory appointment of a qualified AML Reporting Officer (MLRO) is one of the most critical steps, demonstrating the firm’s commitment to compliance leadership.
MLRO Competence and Independence: The MLRO must be demonstrably qualified, have sufficient seniority, independence, and resources. The MLRO is responsible for overseeing the entire AML compliance program and acting as the primary point of contact for the FMA and the Financial Intelligence Unit (FIU).
Internal Communication and Reporting: The organizational structure must ensure that the MLRO has direct, unimpeded access to the management board, ensuring the integrity of the internal control environment.
Application Documentation: The Comprehensive Compliance Manual
The critical documents include:
Detailed Business Plan (3-Year Projection): Covering the service provider’s operational model and financial projections.
AML/KYC Compliance Manual (FM-GwG Alignment):
Customer risk categorization methodology (Low, Medium, High) with specific criteria.
Enhanced Due Diligence (EDD) procedures for high-risk customers, PEPs (Politically Exposed Persons), and complex structures.
Ongoing transaction monitoring rules and suspicious activity reporting protocols (SAR/Suspicious Transaction Report filing to the FIU).
IT Security & Operational Resilience: Documentation proving the robustness of the cybersecurity protocols (often benchmarked against standards like ISO 27001) and systems for ensuring operational resilience against technical failures or breaches (BCP/DRP).
Organisational Chart and Governance: A detailed structure showing the internal lines of responsibility and isolating the independence of the MLRO function.
Shareholder and UBO Documentation: Certified documentation proving the impeccable background of all qualifying shareholders and Ultimate Beneficial Owners (UBOs), including certified criminal record checks from all relevant jurisdictions.
Deep Dive into AML/KYC Scrutiny: SOF/SOW and WiEReG
The FMA’s due diligence on the compliance manual goes beyond simple box-ticking, focusing intensely on the source of funds and wealth, and corporate transparency.
Source of Funds (SOF) and Source of Wealth (SOW): VASPs must implement clear policies for documenting and verifying the SOW (legal origin of total accumulated assets) and SOF (origin of specific funds used in a transaction), especially for high-value transactions.
Beneficial Owners Register (WiEReG): Compliance with the Austrian Register of Beneficial Owners Act (Wirtschaftliche Eigentümer Registergesetz – WiEReG) is mandatory. The VASP must implement internal controls to identify, verify, and document the UBOs of all corporate clients.
Operational Compliance and Technical Mandates
Achieving and maintaining FMA registration requires continuous investment in technology and human capital, ensuring that the firm’s operations meet the highest standards of financial security and consumer protection.
Advanced AML/KYC Technology and KYT
Austrian compliance demands state-of-the-art RegTech solutions to manage risk effectively and adhere to the strict requirements of the FM-GwG.
Real-Time Sanctions and PEP Screening: Continuous and automated screening of all customers, UBOs, and transactional parties against mandatory sanctions lists (EU, UN, OFAC) and Politically Exposed Persons (PEPs) databases. This is a critical step to ensure compliance with international sanctions regimes and prevent asset freezing.
On-Chain Analytics and KYT (Know Your Transaction): Integration of advanced blockchain monitoring tools is essential. This includes:
Real-time risk scoring of external and internal wallets.
Tracing the origin and destination of funds to identify exposure to high-risk entities (e.g., mixing services, ransomware, sanctioned addresses).
Implementing Know Your Transaction (KYT) rules that automatically flag transactions, especially those potentially violating sanctions or other financial restrictions; these flags form the basis for potential SAR filing.
FATF Travel Rule Implementation: Secure Data Exchange
As an EU member state, Austria is fully committed to the Financial Action Task Force (FATF) standards, including the Travel Rule (Recommendation 16).
Data Sharing Mandate: The rule requires the collection and secure transmission of originator and beneficiary information for crypto transactions exceeding a low threshold (typically €1,000).
Secure Infrastructure and Protocol: Firms must utilize approved, secure message protocols (e.g., Travel Rule Protocol) to transmit this sensitive data. The FMA requires a detailed plan on how interoperability, data integrity, and recipient verification (Know Your Corresponding VASP – KYV) are ensured.
Handling Sunrise Issues: VASPs must detail their procedures for sending virtual assets to jurisdictions without full Travel Rule implementation, including collecting and retaining all required information, ready for submission to the FMA and law enforcement.
IT Security and Operational Resilience (BCP/DRP)
The FMA requires demonstrable capacity for business continuity and disaster recovery to protect client assets and market stability.
Business Continuity Planning (BCP): A detailed plan outlining the procedures and resources necessary to maintain critical business functions in the event of major disruptions.
Disaster Recovery Plan (DRP): A specific plan for restoring IT infrastructure and data, including defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Custody and Key Management: For custodians, the IT security documentation must detail the use of Hardware Security Modules (HSMs), multi-signature access controls, cold storage percentages, and strict internal controls to manage private keys.
The MiCA Tsunami – Transitioning to the EU-Wide License
The impending implementation of the Markets in Crypto-Assets (MiCA) Regulation represents the most significant shift for every registered VASP in Austria. MiCA will replace the current national patchwork of AML registrations with a unified, comprehensive EU MiCA license that grants MiCA Passporting rights across all 27 EU member states. The full application date for most CASP rules is December 30, 2024. Austria offers a transitional period, allowing existing registered CASPs to continue operations until December 31, 2025, while seeking authorization.
MiCA CASP Authorization Requirements: Capital, Governance, and Client Protection
MiCA Capital Requirements (The Financial Bar)
MiCA mandates specific minimum capital thresholds:
| MiCA CASP Class | Primary Services | Min. Capital | Note |
| Class 1 | Advice, Execution of Orders | €50,000 | Must also meet 1/4 of fixed overheads. |
| Class 2 | Exchange, Trading Platform Op. | €125,000 | Must also meet 1/4 of fixed overheads. |
| Class 3 | Custody and Administration | €150,000 | Highest fixed req. due to client asset risk. |
Client Protection and Governance
Prudential Safeguards: CASPs must maintain prudential safeguards corresponding to the higher of the fixed minimum capital or a variable minimum threshold equal to one quarter (25%) of the firm’s previous year’s fixed overheads.
Professional Indemnity Insurance (PII): MiCA requires CASPs to hold professional indemnity insurance (PII) to cover potential risks.
Safeguarding of Client Assets: CASPs must implement measures to safeguard the assets of their clients, including:
Mandatory segregation of client crypto-assets from the firm’s own capital.
Requirement to deposit client funds (fiat) with an EU credit institution or central bank.
Organisational Requirements: Strict rules on corporate governance, including the establishment of an effective internal control function and risk management function.
Investor Protection: CASPs providing advice or execution must collect client information to assess their knowledge, experience, and financial situation before providing services.
The DORA Mandate: Technical Resilience and FMA’s ICT Scrutiny
MiCA is inextricably linked to the Digital Operational Resilience Act (DORA), which became applicable in January 2025. DORA imposes significant new technical compliance obligations that the FMA will scrutinize. CASPs fall squarely under DORA’s scope.
ICT Risk Management: CASPs must establish and maintain a detailed Information and Communication Technology (ICT) risk management framework.
Mandatory Testing: DORA requires regular, rigorous testing of the BCP and DRP, including basic tests (vulnerability assessments) annually and advanced penetration testing (Threat Led Penetration Testing – TLPT) for critical entities.
ICT-related Incident Management and Reporting: Entities must establish processes for monitoring, logging, classifying, and reporting major ICT-related incidents and significant cyber threats to the FMA.
Third-Party Oversight: CASPs must manage and monitor risks arising from critical ICT third-party service providers (e.g., cloud services, custody software), ensuring that outsourcing arrangements are fully compliant with DORA’s mandates.
Strategic Considerations and the Austrian Advantage
For foreign and domestic crypto exchange operators, the decision to prioritize FMA registration now is a strategic move that facilitates future MiCA compliance and establishes immediate credibility in the financial community.
Intersection with Other Austrian Financial Laws
The FMA’s holistic approach to supervision means VASP activities often intersect with other established regulatory acts:
- Banking Act (BWG): Certain complex services, such as crypto lending, borrowing, or activities that constitute the management of pooled investments, can be classified as regulated banking services under the Austrian Banking Act (Bankwesengesetz – BWG), potentially requiring a full banking license. Trading on a commercial basis on one’s own account or on behalf of others requires a license under BWG.
- Payment Services Act (ZaDiG/PSD2): VASP activities involving fiat transfers (on/off-ramps) often touch upon payment services. The fiat handling mechanism itself is subject to the Zahlungsdienstegesetz (ZaDiG 2018), which implements PSD2. The FMA ensures compliance with strong customer authentication (SCA).
- Tax Compliance: Austria has a distinct tax regime for crypto assets (since March 2022), treating them as capital assets subject to a fixed rate of 27.5%.
The True Cost of Compliance vs. The Risk of Penalties
| Cost Component | FMA VASP Reg. (Est. Range) | MiCA CASP Auth. (Est. Range) |
| Min. Capital | €1,000 | €50k – €150k |
| Legal/Consulting | €20k – €40k | €80k – €160k+ |
| RegTech Infra. | Moderate, ongoing | High, ongoing |
| PII (MiCA Only) | N/A | Variable, significant |
| Total Time | 3–6 Months | 9–18 Months |
Austria as the Gateway to the EU MiCA Regime
Securing a current Crypto License in Austria (i.e., FMA registration) is the most powerful preparatory step for the MiCA transition.
- Compliance Culture and Regulatory Alignment: The rigor of the FMA’s requirements already instills the deep regulatory compliance culture required by MiCA.
- Pre-Vetting Advantage: An existing registered VASP will have already successfully undergone the intense FMA due diligence and Fit and Proper Test for key personnel.
- Reputational Advantage: Operating with official FMA registration immediately confers a high level of trust, invaluable for securing partnerships, and a smoother path to MiCA Passporting.
Mastering the Austrian Compliance Mandate
The path to obtaining a Crypto License in Austria is one of dedication, detail, and demonstrable operational excellence. The current requirement for FMA registration under the stringent FM-GwG serves as an indispensable proving ground for any VASP aspiring to operate legally and reliably in the European Union.
By investing in state-of-the-art RegTech solutions, adhering meticulously to the FATF Travel Rule, establishing a robust AML compliance program under the watchful eye of the FMA, and demonstrating the requisite financial stability, firms secure not only immediate operational legality but also a critical strategic advantage. This position ensures they are optimally situated to transition into the forthcoming era of the unified EU MiCA license, confidently utilizing MiCA Passporting to achieve pan-European reach while upholding Austria’s renowned reputation for financial integrity. The Crypto License in Austria is truly the mark of a globally compliant and future-ready digital asset service provider.
FAQ
The authority responsible for regulation and supervision is the Financial Market Authority (FMA). Austria does not issue a "license" in the traditional sense; instead, a mandatory FMA registration is required under the national Financial Market Money Laundering Act (FM-GwG). This authorization qualifies the company as a Virtual Asset Service Provider (VASP).
The primary requirement is demonstrating full compliance with the FM-GwG, which involves developing and implementing a robust AML compliance program (Anti-Money Laundering program) and a risk management system. Additionally, the company must establish a local legal entity, appoint competent management, and name a qualified AML Reporting Officer (MLRO).
Mandatory registration is required for the following activities:
Exchange Services (fiat-to-crypto and crypto-to-crypto).
Custodian Services (providing services for the safekeeping and administration of virtual assets, including private keys).
Transfer and Issuance services for certain virtual assets.
The implementation of the Markets in Crypto-Assets (MiCA) Regulation (expected in late 2024 / early 2025) will replace the current national registration with a unified EU MiCA license. Existing FMA-registered VASPs will need to apply for formal CASP (Crypto-Asset Service Provider) authorization and meet MiCA's stricter requirements regarding capital, governance, and consumer protection.
The FATF Travel Rule mandates that registered service providers (VASPs) collect and securely transmit originator and beneficiary information for crypto transactions exceeding a specified threshold. This requirement is compulsory for all companies with FMA registration and necessitates the use of specialized Travel Rule software.
The application process is technically complex and often takes between 3 to 6 months. This duration is highly dependent on the completeness and quality of the initial documentation submitted, as well as the results of the FMA due diligence review.
Obtaining current FMA registration is considered a powerful preparatory step for the MiCA transition. The rigorous FMA due diligence and the Fit and Proper Test for personnel proactively establish a high-level compliance culture, which should make the process of obtaining the full EU MiCA license smoother and faster.
Key requirements include substantial investment in RegTech solutions (AML software, blockchain monitoring tools) and, most importantly, the appointment of a highly qualified, independent AML Reporting Officer (MLRO), which represents one of the largest operational costs. MiCA will also introduce higher minimum capital requirements.
