Crypto License in Philippines

The Regulatory Nexus: Key Agencies and Their Roles

Securing a crypto license in the Philippines is a multi-step process involving stringent requirements from several regulators. The country was one of the first in Asia to establish formal crypto regulation, cementing its status as a regulated digital asset hub. This framework ensures that any entity dealing with virtual assets adheres to global financial governance standards.

 

The Bangko Sentral ng Pilipinas (BSP): Monetary Policy and VASP Oversight

 

As the central bank, the BSP is the principal regulator responsible for issuing the VASP License (Virtual Asset Service Provider). The BSP’s regulatory approach stems from its mandate to maintain financial stability and ensure the integrity of the payment system. The BSP views VASPs as operating akin to Money Service Businesses (MSBs) because they facilitate the transfer of value, regardless of the underlying asset class.

The core requirements are anchored in BSP Circular No. 1108, which dictates standards for anti-money laundering and counter-terrorist financing (AML/CTF), risk management, technology governance, and, most critically, strict capital requirements for VASPs in the Philippines. The financial viability of the applicant is paramount. The BSP requires adherence to global banking norms to manage risks associated with digital currency volatility, liquidity, and operational continuity. Obtaining the BSP VASP License demonstrates credibility and commitment to regulatory best practices.

 

The Anti-Money Laundering Council (AMLC): The Compliance Gatekeeper

 

The AMLC is the financial intelligence unit responsible for enforcing the Anti-Money Laundering Act (AMLA). All licensed crypto firms must register with the AMLC and strictly adhere to its reporting and diligence guidelines. A vital component of AML/CTF compliance in the Philippines is the proactive submission of both Suspicious Transaction Reports (SARs) and Covered Transaction Reports (CTRs) for transactions exceeding the mandated threshold (currently ).

Implementing a robust compliance program is essential, extending beyond routine checks. This includes mandatory Enhanced Due Diligence (EDD) for high-risk customers, politically exposed persons (PEPs), and for any large, unusual, or suspicious transactions. The AMLC also issues specific advisories regarding emerging money laundering typologies related to virtual assets, requiring VASPs to be highly adaptive and vigilant.

 

The Securities and Exchange Commission (SEC): Securities Tokens and the CASP Framework

 

While the BSP regulates currency-like activities, the SEC asserts jurisdiction over any digital asset that qualifies as a security, such as investment contracts or tokenized securities. Any VASP involved in the listing, trading, or facilitation of issuance of tokens under the SEC’s purview must seek separate authorization or clearance.

Recent significant regulatory developments include the introduction of rules for Crypto Asset Service Providers (CASP). The CASP framework, overseen by the SEC, mandates higher capital requirements (up to million for some types of services) and extensive disclosure rules for all entities that offer crypto-asset services to Filipino investors. This expanding oversight reflects the SEC’s commitment to investor protection and market integrity, especially concerning unregistered platforms operating in the country.

 

The Cagayan Economic Zone Authority (CEZA): The Offshore Path

 

For entities targeting an international market, the CEZA offers the CEZA Crypto License within the Cagayan Special Economic Zone and Freeport. Licensed under the CEZA FinTech Regulation, these entities operate as an Offshore Virtual Currency Exchange (OVCE). The critical condition is the absolute prohibition of any interaction with Philippine residents or the domestic financial system. CEZA’s framework, including its specialized CEZA regulatory sandbox, is designed to attract foreign investment and position the zone as a Philippines Offshore Crypto Hub, benefiting from specific tax incentives.

Deep Dive into the BSP VASP Licensing Process

The process of how to get a VASP license in the Philippines is notoriously rigorous. With the indefinite moratorium on new VASP licenses currently in place, the most viable path for new entrants is through the acquisition of an existing licensed entity, which still necessitates a deep understanding of the regulatory requirements for change of control and compliance.

 

Corporate Structure and Financial Requirements

 

An applicant must first incorporate as a domestic corporation with the SEC. The VASP’s Articles of Incorporation must explicitly detail the intention to operate as a VASP. The core financial stability test is meeting the specific, tiered capital requirements for VASPs in the Philippines, which range from million to million, depending on the complexity of services offered (e.g., simple exchange versus custodial services). This capital must be fully paid-in and verified via an audited balance sheet prior to the formal application.

 

The Detailed Three-Stage Approval Process

 

The BSP mandates a phased, three-stage approval process designed to stress-test the applicant’s readiness:

  1. Stage 1: Application to Establish as MSB: This submission includes the official application, a detailed, multi-year business plan, the proposed management structure, and the vital Corporate Governance Manual. The business plan must explicitly address adherence to all existing local crypto exchange requirements.

  2. Stage 2: Letter of No Objection: The BSP performs rigorous due diligence on the viability and leadership of the applicant. Key personnel (directors, principal officers) are vetted under the BSP’s fit and proper rule for VASPs. This phase assesses the company’s commitment to compliance and risk management before investing heavily in technology.

  3. Stage 3: Certificate of Authority (COA): The final approval. This is contingent upon satisfying all pre-opening conditions, including a successful IT Audit for Crypto Exchanges, and physical verification that all technical, operational, and financial safeguards are fully implemented and ready for launch.

 

Governance, Risk Management, and Personnel

 

The integrity of the leadership is non-negotiable. The BSP’s fit and proper rule for VASPs ensures that individuals with a history of financial misconduct or regulatory failure are excluded. The VASP’s Corporate Governance Manual must clearly define oversight, accountability, and the roles of key risk personnel, including the Chief Compliance Officer and the MLRO, ensuring robust internal checks and balances that reflect high corporate governance standards.

Mastering AML/CTF and The Travel Rule Mandate

Strict AML/CTF compliance in the Philippines is the single most intensive ongoing obligation for any VASP, directly tying the crypto sector to the global fight against illicit finance.

 

Technical Compliance with the Travel Rule

 

Implementing Travel Rule compliance in the Philippines goes beyond policy; it requires sophisticated technical solutions. VASPs must implement Travel Rule technical solutions that facilitate the secure, instantaneous, and compliant transfer of originator and beneficiary data for transactions above the threshold (for VASP-to-VASP transfers). This requires the VASP to perform a mandatory KYV (Know Your VASP) check on the counterparty to ensure they are a regulated entity in a non-sanctioned jurisdiction.

 

Enhanced Due Diligence (EDD) Procedures

 

The Enhanced Due Diligence (EDD) process is a critical layer of defense. It is not a check-box exercise. It requires specialized procedures for:

  • PEP Screening: Continuous monitoring of Politically Exposed Persons (PEPs) and their immediate family/associates.

  • Source of Funds (SOF) and Source of Wealth (SOW) Verification: For transactions exceeding the threshold or those deemed high-risk, the VASP must obtain and verify documentation to prove the legitimacy of the funds, ensuring they do not originate from illicit sources.

  • Ongoing Monitoring: EDD mandates enhanced, risk-based monitoring of all customer activity to detect changes in behavior that might indicate money laundering attempts.

 

Managing Unhosted Wallet Risk

 

The AMLC Regulatory Issuance on VAs specifically targets the risk posed by unhosted, or self-custody, wallets. VASPs must establish and continually refine protocols for unhosted wallet risk assessment. This involves developing risk typologies to distinguish between legitimate transfers (e.g., transfers to a user’s known hardware wallet) and potentially illicit ones (e.g., transfers to high-risk foreign wallets). The VASP must have the technology to screen these wallet addresses against sanction lists and known illicit activity databases before approving the transaction.

Technology Risk Management and Operational Excellence

The BSP emphasizes that technology risk must be managed at the board level. The IT system is considered a critical component of financial stability.

 

Rigorous IT Governance and Security Protocols

 

The VASP must establish an IT governance framework that aligns with the institution’s overall business objectives and risk tolerance. This framework governs all technological decisions, including vendor selection and system upgrades.

The BSP’s mandatory cybersecurity measures demand multi-layered security architectures. For highly sensitive systems, the use of a Hardware Security Module (HSM) for private key storage is often the required standard. For operational security, penetration testing must be conducted regularly by independent, qualified third parties, with results reported directly to the VASP’s Risk Committee and the BSP.

 

Custody and Wallet Security Standards

 

The Digital Assets Custody Standards require not only strict key management but also technological redundancy. Custodial VASPs must demonstrate expertise in modern cryptographic solutions such as Multi-Party Computation (MPC) wallet architecture, which distributes key shares to eliminate a single point of failure. The technical architecture must ensure the immediate and provable segregation of client assets from the VASP’s proprietary operational funds.

 

Business Continuity and Disaster Recovery

 

Operational resilience is measured by the effectiveness of the VASP’s Business Continuity Plan. This plan must cover not just technical failure but also external disruptions (e.g., power outages, natural disasters). Annual Disaster Recovery (DR) drills must be simulated and documented to prove the VASP’s ability to recover data and resume critical functions within acceptable timeframes. Furthermore, the VASP must submit continuous system resilience reporting to the central bank. If a VASP chooses to outsource IT functions, the outsourcing agreement must be reviewed by the BSP, as the VASP cannot outsource regulatory liability.


The Offshore Alternative: The CEZA Crypto License

The CEZA Crypto License offers a distinct proposition for globally focused fintech companies, provided they can strictly adhere to the terms of the CEZA FinTech Regulation.

 

Economic Commitment and License Structure

 

CEZA’s framework is based on economic development. Principal licensees are required to make a substantial investment commitment, typically towards local facilities and job creation within the zone. The licensing fees are considerable but are balanced by significant CEZA tax incentives, including tax holidays and preferential tax rates on offshore revenue. Formal registration as a CEZA FinTech operator requires demonstrating both financial capacity and a viable operational base within the Freeport.

 

Strict Non-Interference with the Domestic Market

 

The integrity of the “ring-fence” is paramount. Licensees must implement highly sophisticated geofencing controls to block access from users in the Philippines. Any evidence of unauthorized onshore solicitation can lead to immediate and permanent revocation of the license, as this compromises the central distinction between the CEZA and BSP jurisdictions.

 

Digital Asset Listing and Securities

 

CEZA has clear Digital Asset Token Offering (DATO) regulations for new token issuances within the zone. VASPs operating under CEZA must ensure that tokens listed on their Offshore Virtual Currency Exchange comply with strict disclosure rules. This includes confirming arrangements with CEZA-accredited wallet providers and custodians to maintain a compliant ecosystem.

Consumer Protection and Operational Integrity

Financial Consumer Protection Standards

 

The Philippine central bank’s crypto framework demands that all VASPs adhere to a rigorous consumer protection framework. This mandate goes beyond simple disclosures:

  • Risk Disclosure: Must be prominent, explicit, and clearly state that virtual assets are risky and not covered by the Philippine Deposit Insurance Corporation (PDIC).

  • Transparency: Strict fee transparency rules apply, requiring all charges, spreads, and settlement times to be clearly communicated to the consumer before the transaction is executed.

  • Dispute Resolution: VASPs must establish efficient complaint handling procedures, adhering to BSP standards for fairness and prompt resolution of customer disputes.

 

Market Integrity and Custody Oversight

 

The VASP’s internal market integrity rules govern trading practices, aiming to prevent market manipulation. This requires the establishment of a formal Listing Manual with objective criteria for token admission. For firms offering storage, continuous auditing against the Digital Assets Custody Standards is necessary to prove the security and segregation of client funds.

 

Regulatory Reporting and Fraud Management

 

The BSP’s ongoing reporting requirements include comprehensive financial, operational, and transactional reports submitted monthly and quarterly. Accurate reporting on AML/CTF compliance in the Philippines is constantly monitored by the AMLC. Furthermore, VASPs must implement a sophisticated Fraud Risk Management System that is capable of identifying and mitigating fraud vectors, which are constantly evolving in the digital asset space.

Strategic Challenges, Regulatory Outlook, and Future Trends

Philippine crypto regulation continues to evolve, heavily influenced by both global FATF mandates and the BSP’s domestic financial objectives.

 

Market Entry and Regulatory Environment

 

The moratorium on new VASP licenses has cemented M&A (Mergers and Acquisitions) as the primary strategy for new entrants. Any firm pursuing this must be prepared for a long and detailed review of the acquired entity’s compliance history and governance structure to ensure adherence to all Local Crypto Exchange Requirements.

 

Tax Framework and International Transactions

 

Tax planning is paramount. Beyond corporate income tax, the specific taxation of virtual assets in the Philippines (capital gains, income from staking/mining) requires detailed accounting. For multinational firms, the transfer-pricing framework for cross-border group flows must be clearly defined and documented to ensure local tax compliance while minimizing global tax friction. The significant volume of cross-border crypto payments for remittances in the Philippines makes this a high-focus area for the Bureau of Internal Revenue (BIR).

 

Future Regulatory Convergence and Digitalization

 

  1. Digital Banking: The issuance of Philippine digital banking license approvals signifies a move toward full financial digitalization. VASPs are expected to integrate or seek convergence with these platforms, providing broader financial services.

  2. Central Bank Digital Currency (CBDC): The exploration of a Philippine CBDC is a long-term trend that will redefine payment infrastructure and likely necessitate further updates to VASP rules, potentially positioning them as key distributors of the digital Peso.

  3. Global Compliance: Future regulatory tightening will focus intensely on implementing stricter Travel Rule compliance in the Philippines and developing more definitive rules around unhosted wallet risk assessment, forcing VASPs to invest continually in advanced RegTech solutions to maintain compliance.

The deep regulatory structure, established by the BSP and AMLC, positions the Crypto License in the Philippines as a highly credible and necessary credential for any firm aiming for sustainable, long-term success in the dynamic Asia-Pacific digital asset market.

FAQ

The Philippines uses two primary licenses: VASP and CASP. VASP (Virtual Asset Service Provider) is issued by the central bank (BSP) and primarily focuses on crypto-fiat exchange and remittances (AML/CTF compliance). CASP (Crypto-Asset Service Provider) is a newer registration/license from the Securities and Exchange Commission (SEC). It governs all entities dealing with crypto-asset securities, custody, and platforms that offer crypto services to Filipino investors. 

It depends on your core business model. You will likely need both for comprehensive operations:

  • BSP (VASP): Required for any exchange involving Philippine Pesos (fiat) or cross-border money transfer activities.

  • SEC (CASP): Required for any service involving custody of client assets, token offerings, or platforms dealing with tokens that qualify as securities.

Yes. The Bangko Sentral ng Pilipinas (BSP) has imposed an indefinite moratorium on accepting new VASP license applications (as of late 2025). This is a move to strengthen regulatory oversight and mitigate risks following the country’s removal from the FATF grey list. 

Since the moratorium only applies to new applications, the most viable path for market entry is through the acquisition (M&A) of an existing, already licensed VASP. This process requires exhaustive due diligence and subsequent formal approval from the BSP for the change of control.

To register as a CASP, the applicant must be incorporated in the Philippines and meet a minimum paid-up capital of ₱100 million Philippine Pesos (excluding crypto-assets). This high threshold is designed to ensure financial resilience and enhanced investor protection.

The capital requirement for a BSP-licensed VASP is tiered based on its classification as a Money Service Business (MSB). This typically ranges from ₱10 million to ₱50 million, depending on the extent and complexity of the services offered (e.g., simple exchange vs. complex transfers). 

Yes. Both the BSP (VASP) and SEC (CASP) frameworks explicitly mandate that the applicant must establish a registered local corporation and maintain a physical office presence within the Philippines.

The VASP must implement a robust compliance program that includes:

  • Strict KYC/CDD (Know Your Customer/Customer Due Diligence) procedures.

  • Continuous transaction monitoring and suspicious activity reporting (SARs).

  • Full technical compliance with the FATF Travel Rule.

  • Ongoing Enterprise-Wide Risk Assessment.

Absolutely. The BSP strictly enforces Travel Rule compliance in the Philippines, which requires VASPs to securely transmit verifiable originator and beneficiary information for all crypto transactions exceeding the established threshold (generally 50,000).

No. The CEZA (Cagayan Economic Zone Authority) Crypto License is strictly an offshore license. It is designed for businesses serving international clients. Licensees must implement geofencing controls and are expressly forbidden from marketing to or transacting with Philippine residents or using the domestic financial system.

While the official timeline for BSP approval was previously around 2 months, the overall process—including corporate setup, IT Audit for Crypto Exchanges, development of AML manuals, and regulatory interviews—usually takes 6 to 12 months (excluding the current VASP moratorium period). 

Both BSP and SEC require a mandatory, independent IT Audit to confirm the security architecture. This includes system resilience, key custody procedures, internal controls, and regular Penetration Testing (Pen-testing) to prove the VASP's ability to protect customer funds and data. 

DATO (Digital Asset Token Offering) regulations are issued by CEZA and govern the issuance of digital tokens within the economic zone. If a token targets the domestic market or is classified as a security, it falls under the more stringent SEC CASP rules regarding registration and disclosure.
