Home › Licensing Framework

Licensing Framework

Licensing categories are organized around operational risk, custody exposure, and the nature of client-facing activity. Requirements scale with complexity, cross-border flow exposure, and the safeguarding responsibilities of the firm. This page provides a structured overview of categories and baseline expectations.

Start Application Pathway Ongoing Obligations Guidance Library

Categories Eligibility Core requirements Control modules Evidence standards

What this page covers

A high-level view of licensing categories and baseline requirements. Detailed expectations, templates, and supervisory notes are maintained in the guidance library. Where needed, applications should be prepared via registered agents under the application pathway.

License categories (core)

Categories reflect the primary activities of the firm and the degree of client asset exposure. Firms operating multiple activities may require combined scoping, and should be prepared to demonstrate how controls scale across products, regions, and client segments.

Virtual Asset Exchange

Platforms facilitating order matching, routing, or execution of virtual asset transactions. Expectations emphasize market integrity, listing governance, surveillance capability, and client communication discipline.

Listing and delisting governance, disclosures, and conflicts management
Market surveillance, abuse monitoring, and escalation pathways
Client onboarding standards, suitability measures where applicable
Segregation and safeguarding model when client assets are held

Custody Provider

Entities responsible for safeguarding private keys, wallets, or client digital assets. Controls emphasize segregation, key management, operational resilience, incident handling, and recovery readiness.

Key management model and access control governance
Segregation of client assets and reconciliation discipline
Incident response, breach handling, and client notification readiness
Business continuity and disaster recovery planning

Broker-Dealer (Digital Assets)

Intermediaries arranging or executing transactions on behalf of clients, including agency and principal dealing models. Controls emphasize suitability, conflicts management, and execution governance.

Client categorization, disclosure standards, and conduct controls
Execution governance and order handling discipline
Conflicts, inducements, and remuneration management
Risk disclosures tailored to product and client type

Token Issuer

Issuers conducting token issuance or distribution. Controls emphasize disclosure quality, governance discipline, and distribution safeguards, including marketing standards and conflicts management.

Disclosure framework and governance approvals for issuance materials
Distribution risk controls and communications discipline
Conflicts management and transparency standards
Custody/escrow controls where funds or assets are held

Stablecoin Operator

Operators managing stablecoin issuance, reserves, or redemption arrangements. Controls emphasize reserve governance, transparency practices, redemption readiness, and risk disclosures.

Reserve management principles and asset segregation model
Transparency and reporting expectations around reserves
Redemption policies, stress readiness, and operational resilience
Conflict management and disclosure discipline

Infrastructure Provider

Technology services with material impact on client flows, custody posture, or security controls. Expectations emphasize operational resilience, change management, access controls, and third-party risk governance.

Access control governance and privileged access management
Change management and deployment controls
Incident response readiness and security testing practices
Outsourcing governance and contractual controls

Eligibility (baseline)

Eligibility screening focuses on ownership transparency, governance accountability, and the ability to operate effective controls. Firms should expect enhanced scrutiny where custody exposure is high or where business models present elevated cross-border or technology risk.

Entity and governance readiness

Applicants should be able to demonstrate clear governance, accountability, and operational substance aligned to the activity scope.

Transparent ownership and control structure
Defined leadership responsibilities and control owners
Operational substance appropriate to activity and scale
Third-party dependency mapping and oversight model

Conduct and risk posture

Applicants should evidence a risk-aware operating model, with documented conduct controls and a realistic compliance capability.

Client communications discipline and risk disclosures
Conflicts management policy and escalation procedures
Complaint handling and customer support governance
Incident readiness, including cyber and operational events

Core requirements (overview)

Core requirements apply across categories, with additional modules based on custody exposure and product complexity. Requirements are intended to be proportionate, but applicants should be prepared to evidence control effectiveness through artefacts, logs, testing, and governance documentation.

Capital & substance

Baseline financial resilience, appropriate operational substance, and accountable control functions.

Fit-for-purpose capitalization approach (risk-aligned)
Local and cross-border operational mapping
Control owners and governance artefacts

Fit & proper standards

Integrity, competence, and suitability assessment for key persons and control owners.

Key person identification and role mapping
Competence evidence and responsibilities
Integrity checks and conflict disclosures

AML / CFT controls

Risk-based AML framework, sanctions screening, monitoring, and reporting triggers.

CDD, EDD, and ongoing monitoring
Sanctions and adverse media screening approach
Recordkeeping and reporting governance

Safeguarding & custody

Segregation model, reconciliation discipline, access controls, and recovery readiness.

Client asset segregation and wallet architecture
Key management and privileged access design
Incident handling and client notification pathways

Market conduct

Disclosures, conflicts management, complaint handling, and communications discipline.

Risk warnings and product communications
Conflicts policy and inducement controls
Complaint handling and retention expectations

Technology & cyber

Security controls, resilience planning, change management, and testing discipline.

Access control, logging, and monitoring practices
Change management and deployment governance
Security testing and incident response readiness

Control modules (risk-based)

Modules apply based on activity type and risk profile. For example, a custody-focused operator will require stronger safeguarding, key management, and recovery controls, while an exchange operator will require listing governance and surveillance capability. Modules are evidence-based and should be supported with operational artefacts.

AML / Travel Rule readiness

Applicants should define risk appetite, customer segmentation, monitoring scenarios, and travel rule implementation approach where applicable.

Risk assessment methodology and monitoring coverage
Sanctions screening, escalation, and reporting triggers
Travel rule policy mapping (where applicable)
Recordkeeping and audit trail integrity

Custody & safeguarding module

Where client assets are held, safeguarding controls should be explicit, tested, and demonstrably effective.

Wallet architecture and segregation approach
Key management and privileged access governance
Reconciliation, incident response, and recovery readiness
Client disclosures on custody risk and limitations

Market integrity module

Market integrity controls support fair dealing, surveillance, and proper disclosures, especially for exchange-like models.

Listing governance and delisting decision controls
Surveillance and abuse monitoring capabilities
Conflicts management and inducement controls
Complaint handling and communications discipline

Technology risk module

Technology controls should address security, resilience, change governance, and third-party dependencies.

Access control, logging, and security monitoring
Change management and deployment controls
Security testing and vulnerability remediation
Third-party risk and outsourcing governance

Evidence standards (document-led)

Licensing assessments are evidence-led. Policies alone are insufficient; applicants should provide artefacts demonstrating how controls operate in practice, including monitoring logs, testing records, governance minutes where relevant, and incident readiness documentation.

What “evidence” means in practice

Applicants should be able to demonstrate control design and control effectiveness.

Policies + procedures + role mapping + escalation paths
Logs and records: monitoring, approvals, and change history
Testing: internal checks, audit trails, and remediation actions
Training and accountability: assignment of responsibilities

Common gaps that delay review

Incomplete evidence typically slows completeness checks and increases follow-up cycles.

Unclear scope: category mismatch vs. actual activity
Generic AML policies without monitoring coverage mapping
Custody model unclear, or key management not documented
No change management evidence or incident response drill records

Go to Application Process Read Detailed Guidance See Ongoing Obligations

Next: application process and registered agent pathway

Follow the structured submission flow and prepare evidence modules aligned to your licensing category.

Registered Agents Application Process