Virtual Asset (Service Providers) Act (2024 Revision)
The regulatory framework for persons providing services relating to virtual assets, commonly known as the VASP Act.
Virtual_Asset_(Service_Providers)Act(2024_Revision).pdf, Virtual_Asset_(Service_Providers)_(Amendment)_Act_2024.pdf
2026-04-27
The VASP Act regulates entities providing "virtual asset services" to ensure market integrity and compliance with aml-compliance standards.
Regulated Virtual Asset Services
A person is a Virtual Asset Service Provider (VASP) if they provide any of the following:
- Exchange: Between virtual assets and fiat currencies or other virtual assets.
- Transfer: Moving virtual assets from one address or account to another.
- Custody: Safekeeping or administration of virtual assets.
- Issuance: Participation in and provision of financial services related to a virtual asset issuance (ICO/STO).
Licensing and Registration
The application processes and fees for these categories are heavily detailed in the accompanying regulations (source: virtual-asset-service-providers-regulations-2020 and virtual-asset-service-providers-amendment-regulations-2025):
- Registration: Required for most standard VASP activities and virtual asset issuance within prescribed thresholds.
- Licensing: Required specifically for Virtual Asset Custody Services and the operation of a Virtual Asset Trading Platform. The 2025 amendment introduced a dedicated application form demanding extensive disclosures on cybersecurity, market integrity (e.g., insider trading controls), and clearing/settlement processes.
- Sandbox Licence: A temporary, one-year licence for innovative fintech services that require specific supervision not provided by standard licensing.
Key Compliance Requirements
- Travel Rule: VASPs must collect and maintain information on the originator and beneficiary of every transfer of virtual assets.
- Governance: Senior officers and beneficial owners must meet cima's fit and proper standards. Furthermore, all VASPs must have a minimum of three directors, including at least one independent director (source: virtual-asset-service-providers-amendment-act-2024).
- Cybersecurity: Licensees must implement robust cybersecurity safeguards to protect client information and assets.
- Audit and Reporting: VASPs are required to have their accounts audited annually. Auditors have a statutory duty to immediately report to CIMA if they suspect the VASP is operating in a fraudulent or criminal manner (source: virtual-asset-service-providers-amendment-act-2024).
Enforcement
CIMA holds significant powers to investigate and enforce the Act, including the ability to obtain warrants to search physical premises, electronic devices, and platforms if breaches of the VASP Act, AML laws, or beneficial ownership regulations are suspected (source: virtual-asset-service-providers-amendment-act-2024).