Crypto, EMI, PSP, Forex, Gaming, MSB Licences.

MiCA entered into force on 29 June 2023, with staggered application dates: rules on asset-referenced tokens (ARTs) and e-money tokens (EMTs) applied from 30 June 2024, and the full CASP regime became mandatory on 30 December 2024. By mid-2026, all crypto-asset service providers operating in the EEA must hold a MiCA CASP authorisation or an EMI/PI licence (if issuing e-money tokens and providing payment services).

Scope and Authorised Services

MiCA defines ten CASP services: custody and administration of crypto-assets on behalf of clients; operation of a trading platform; exchange of crypto-assets for funds or other crypto-assets; execution of orders; placing of crypto-assets; reception and transmission of orders; providing advice; portfolio management; transfer services; and providing transfer services for crypto-assets on behalf of third parties. Providers must be authorised for each service they intend to offer; reverse solicitation arguments—previously used to circumvent national rules—are no longer tenable under MiCA's activity-based test.

Prudential and Conduct Requirements

MiCA imposes initial capital ranging from €50,000 (custody only, Art. 67(1)(a)) to €150,000 (operating a trading platform, Art. 67(1)(b)) and €125,000 for other services. Larger CASPs or those handling client assets must meet ongoing own-funds requirements: the higher of initial capital, one-quarter of fixed overheads, or €750,000 if safeguarding client assets (Art. 67(3)). Authorised CASPs must maintain a €3 million professional-indemnity insurance or equivalent guarantee (Art. 67(4)), prepare audited financial statements (IFRS or national GAAP), and submit annual reports to the home-state competent authority.

Passport and Grandfathering

A MiCA licence issued by one EEA member state enables passporting across all 30 EEA jurisdictions without further local authorisation. Existing national crypto licences (e.g., Lithuania's VASP register, Estonia's former regime) enjoy transitional arrangements: firms lawfully operating under national law on 30 December 2024 may continue until 1 July 2026, provided they submit a MiCA application by that date (Art. 143). Failure to apply triggers immediate cessation of services.

Interaction with PSD2 and EMD2

E-money tokens that qualify as electronic money under EMD2 require dual compliance: issuers must be authorised as EMIs (or credit institutions) and meet MiCA's specific requirements for EMTs. Payment services ancillary to crypto-asset services (e.g., fiat on/off-ramps) fall under PSD2, requiring EMI or PI authorisation. Founders often pursue a combined EMI + MiCA CASP licence to cover the full value chain, a strategy particularly prevalent in Lithuania and Cyprus.

Understanding MiCA's layered regime is the first step; selecting the optimal jurisdiction and navigating capital, governance, and substance tests follow.

Jurisdiction selection turns on five variables: regulatory receptiveness, speed to authorisation, ongoing compliance burden, tax efficiency, and banking accessibility. No single jurisdiction dominates every dimension; trade-offs are inevitable.

Lithuania: Speed and Track Record

Lithuania has authorised over 100 EMIs/PIs and numerous VASPs (under the pre-MiCA regime). The Bank of Lithuania is regarded as pragmatic and comparatively fast: EMI/PI applications typically conclude in 6–9 months if documentation is complete, and early-stage CASP applications are receiving provisional timelines of 8–12 months. Lithuania imposes no corporate income tax on undistributed profits and offers a 15 per cent CIT on dividends. However, post-Brexit, the regulator has tightened substance requirements: at least two resident directors, local C-suite executives, and genuine operational activity (ledger hosting, risk-management, compliance performed in-country) are now scrutinised heavily. Banking remains a friction point—Lithuanian banks are selective, and founders often resort to EMI banking (Wallester, Pervesk) or EU correspondents.

Cyprus: Dual Licensing and Tax Treaty Network

Cyprus offers a "MiCA + CIF" dual-licensing pathway: a Cyprus Investment Firm licence (CIF) under MiFID II can be paired with a MiCA CASP authorisation, enabling both securities brokerage and crypto-asset services. The Cyprus Securities and Exchange Commission (CySEC) has published draft MiCA guidance and is accepting pre-application consultations. CIF timelines historically run 9–15 months; MiCA CASP applications are expected to align. Cyprus levies 12.5 per cent CIT, has 65+ double-tax treaties, and offers IP Box regimes (80 per cent deduction on qualifying IP income, effective rate ~2.5 per cent). The island's banking infrastructure is mature, and Cypriot banks (Hellenic, AstroBank) have fintech desks. Substance mandates are explicit: two Cyprus-resident directors (at least one must be Cypriot or EU national with permanent residency), office lease, payroll of 3–5 FTEs depending on scope, and risk/compliance functions based in-country. CySEC conducts on-site inspections during and post-authorisation.

Malta: Institutional Depth, Slower Process

Malta has long positioned itself as "Blockchain Island," and the Malta Financial Services Authority (MFSA) has deep experience with DLT frameworks and payment institutions. Malta's Virtual Financial Assets Act (VFA) will be replaced by MiCA; existing VFA licence-holders must migrate. MFSA timelines are 12–18 months for EMI/PI and anticipated to be similar for MiCA CASPs. Malta imposes 35 per cent headline CIT, but the full-imputation system with refunds reduces effective rates to 0–5 per cent for non-resident shareholders. Substance expectations are high: local directors, senior management, office, and staff; the MFSA publishes annual substance-monitoring reports and has revoked licences for shell arrangements. Banking is accessible via HSBC Malta, Bank of Valletta, and Sparkasse, though KYC is rigorous.

Estonia: Digital-First, Tightened Post-Scandals

Estonia previously offered a fast-track VASP registration; post-money-laundering scandals (Danske, Versobank), Finantsinspektsioon (FI) overhauled the regime. Under MiCA, Estonia will issue full CASP licences; FI has signalled 6–12 month timelines for well-prepared applicants. Corporate tax is 0 per cent on retained earnings, 20 per cent on distributions. Substance rules now require at least one Estonian-resident director, local compliance officer, office, and active operations. Banking remains the Achilles' heel: Estonian banks (SEB, Swedbank, LHV) are extremely cautious with crypto clients; many applicants open accounts in Lithuania or Germany pre-licence.

UAE Alternatives: VARA, ADGM, DIFC

For non-EEA market access, UAE free zones offer crypto licensing. VARA (Dubai) issues Virtual Asset Service Provider licences (minimum AED 50,000 capital, 6–9 months); ADGM and DIFC offer Financial Services Permission for crypto activities (regulatory capital ~USD 100,000–500,000, 9–12 months). UAE licences do not passport into the EEA under MiCA; they serve MENA, Asia, and global non-EU clients. US persons face FATCA/FBAR reporting; UK founders must manage CFC risks if the UAE entity is not genuinely trading.

Each jurisdiction demands bespoke structuring; Iverex Global maps founder domicile, target markets, and capital constraints to the optimal regulatory home.

Regulators assess three core pillars: minimum capital, governance and management suitability, and operational capability. Deficiencies in any pillar trigger refusal or protracted remediation.

Minimum Capital and Own Funds

MiCA CASP: €50,000–€150,000 initial capital (Art. 67(1)), escalating to €750,000 own funds if safeguarding client crypto-assets (Art. 67(3)). Own funds comprise share capital, audited reserves, and retained earnings, net of intangible assets and deferred tax. Crypto-assets held on the firm's balance sheet are excluded from own-funds calculations; only fiat capital qualifies. Capital must be paid-in and verified by the auditor before submission.

EMI: €350,000 initial capital (Art. 7 EMD2), maintained at all times. PIs range from €20,000 (payment-initiation services only, Art. 7(a) PSD2) to €125,000 (all payment services excluding money remittance, Art. 7(c)). Ongoing own-funds obligations depend on payment volume; the volume-based method (Art. 9 PSD2 Delegated Regulation) typically requires 10 per cent of fixed overheads or a percentage of payment turnover, whichever is higher.

CIF (Cyprus): €125,000 (reception/transmission, execution, portfolio management, investment advice); €150,000 (dealing on own account, underwriting); €730,000 (market-making or holding client funds). CIFs must also meet ongoing capital requirements per CRR (€730,000 or K-factor metrics under the Investment Firms Regulation).

Capital must be held in a segregated bank account in the applicant's name and evidenced by a bank letter. Letters of intent or SAFEs are insufficient; regulators require audited proof.

Fit-and-Proper Assessments

All directors, senior managers, and qualifying shareholders (>10 per cent) undergo fit-and-proper vetting. Regulators request:

• Criminal-records certificates (home country and country of residence, apostilled).
• CVs detailing financial-services experience; at least 3–5 years in relevant roles (payments, custody, trading, compliance) is expected.
• Professional references from regulated entities, auditors, or legal counsel.
• Financial soundness checks: personal credit reports, bankruptcy searches, tax-compliance certificates.
• Conflicts-of-interest declarations and sources-of-funds questionnaires for shareholders.

Red flags include prior regulatory sanctions, directorship of failed entities, tax disputes, or gaps in employment history. Non-EU nationals require residency permits or work authorisations in the licensing jurisdiction. The money-laundering officer (MLRO) must hold professional AML certifications (ICA Diploma, CAMS) and demonstrate hands-on experience; generic compliance officers are rejected.

Board Composition and Local Substance

Most EEA regulators mandate at least two local resident directors; Lithuania and Cyprus require one to be an EU/EEA national or hold permanent residency. The CEO and CFO must be physically present in-country, with employment contracts, payroll records, and tax registrations. Remote or "nominee" directors are grounds for immediate refusal. The board must meet quarterly in-country; minutes, attendance logs, and decision registers are audited.

Operational Capability: Policies, Systems, Premises

Applicants submit 20–40 policy documents: AML/CFT manual (mirroring 4AMLD/5AMLD/6AMLD and local AML law), risk-management framework, business-continuity plan, outsourcing policy, conflicts-of-interest policy, complaints-handling, data-protection (GDPR), cyber-security (aligned with DORA where applicable), safeguarding/segregation procedures (for client assets), and KYC/CDD procedures.

Technology stacks undergo review: wallet infrastructure (hot/cold storage ratios, multi-signature schemes, HSM usage), ledger and transaction-monitoring systems (Chainalysis, Elliptic, or in-house solutions), core banking platforms (for EMIs/PIs), and API security (PSD2 Strong Customer Authentication, Open Banking compliance). Regulators may request penetration-test reports and ISO 27001 or SOC 2 certifications.

Physical premises: lease agreement, floor plan, photographic evidence, and confirmation that servers (if on-premise) or co-location facilities are within the EEA. Cloud infrastructure (AWS, Azure, GCP) is acceptable provided data residency is EEA-bound and contracts comply with GDPR.

Professional-Indemnity Insurance

MiCA CASPs safeguarding client assets require €3 million annual aggregate cover (Art. 67(4)). Insurers (e.g., Lloyd's syndicates, AIG, Hiscox) demand underwriting questionnaires, systems audits, and often impose waiting periods or exclusions (e.g., hacking, rogue-employee theft). Premiums range from 1.5–4 per cent of the sum insured; founders should budget €50,000–120,000 annually.

Capital and governance are non-negotiable; undercapitalisation or weak management are the leading causes of refusal.

Fintech licensing is a 12–24 month journey from project inception to authorisation. Breaking the process into phases clarifies resource allocation and manages founder expectations.

Phase 1: Pre-Application (Months 1–3)

Gap analysis and feasibility: Iverex Global conducts a 2–4 week diagnostic: founder residency and tax exposure (US persons, UK CFC, OECD BEPS), target markets, service scope, technology readiness, and capital availability. We map these to MiCA/EMI/PI/CIF requirements and shortlist 2–3 jurisdictions.

Entity incorporation: Form a local company (SIA in Lithuania, Ltd in Cyprus, Plc in Malta). Share capital must be paid and evidenced. Appoint provisional directors (founders or Iverex nominees), register for VAT, open a corporate bank account (provisional; full banking post-licence), and establish local registered office.

Pre-application dialogue: Lithuania, Cyprus, and Malta permit informal consultations with the regulator. Submit a concept paper (2–5 pages): business model, target clients, technology stack, governance structure, capital plan. Regulators provide non-binding feedback (4–8 weeks) on viability and likely conditions. This phase is invaluable for surfacing deal-breakers early (e.g., unacceptable outsourcing, prohibited services).

Phase 2: Application Preparation (Months 4–7)

Documentation: Draft and iterate the business plan (3–5 year financials, market analysis, client-acquisition strategy, risk assessment), programme of operations, AML/CFT manual, all governance policies, and IT security documentation. Retain a Big Four or mid-tier auditor (PwC, Deloitte, BDO, Mazars) for capital verification and financial projections review; regulators weight audited submissions heavily.

Fit-and-proper dossiers: Collate criminal records, CVs, references, diplomas, passports, proof of address, and financial soundness evidence for every director, senior manager, MLRO, and >10 per cent shareholder. Apostille and translate (sworn translator) all non-English documents.

Systems build: Develop or integrate wallet custody (BitGo, Fireblocks, Copper, or proprietary), transaction-monitoring (TRM Labs, Chainalysis KYT), KYC onboarding (Onfido, Jumio, Sumsub), and ledger/accounting (Xero, NetSuite with crypto sub-ledgers). Conduct internal penetration testing and obtain a cyber-security attestation from an accredited firm.

Insurance: Secure binding professional-indemnity quotations; some regulators require a policy binder (pre-approved cover contingent on licence grant).

Phase 3: Submission and Regulatory Review (Months 8–15)

Submit the formal application via the regulator's portal (Lithuania: e-Gov; Cyprus: CySEC Portal; Malta: MFSA Online). Applications comprise 500–1,500 pages of documentation, structured per regulatory templates.

Regulators acknowledge receipt (1–2 weeks) and perform completeness review (4–6 weeks). Incomplete applications are returned; well-prepared submissions proceed to substantive assessment. Expect 1–3 rounds of questions (Requests for Information, RFIs): clarifications on financials, governance, AML controls, technology security, and substance. Each RFI cycle takes 3–6 weeks (regulator) + 2–4 weeks (applicant response). On-site inspections (Cyprus, Malta, sometimes Lithuania) occur mid-review: regulators visit the office, interview directors and key staff, inspect IT infrastructure, and verify operational readiness.

Concurrent bank-account opening: Many banks require a "licence-pending" status letter before onboarding. Apply to 3–5 banks in parallel (Lithuanian: Pervesk, Wallester; Cypriot: Hellenic, AstroBank; pan-European: Bankera, PayrNet). KYC is intensive: ultimate-beneficial-owner (UBO) declarations, source-of-funds, business-model explanations, transaction forecasts, and AML policy review. Budget 8–16 weeks from application to account activation.

Phase 4: Authorisation and Launch (Months 16–18)

Upon satisfactory review, the regulator issues a draft decision or approval-in-principle, often with conditions precedent: increase capital, appoint additional staff, upgrade IT systems, or amend policies. Address conditions (2–6 weeks), provide evidence, and receive the formal authorisation certificate. The licence is published in the regulator's public register and notified to ESMA (MiCA CASPs) or the EBA (EMIs/PIs) for passporting.

Post-authorisation setup: Finalise banking, onboard first clients (pilot cohort), activate insurance, register for FATCA/CRS reporting (if applicable), and commence ongoing reporting: quarterly financial returns (EMI/PI), annual audited accounts (all), transaction-monitoring reports (AML), and incident notifications (operational failures, security breaches).

Common Delays and Mitigations

• Incomplete fit-and-proper files: Missing criminal records or expired references. Mitigation: Start document collection in Month 1.
• Undercapitalisation: Capital held in non-EEA accounts or in crypto. Mitigation: Transfer fiat to EEA bank, obtain auditor verification before submission.
• Weak AML controls: Generic templates, no transaction-monitoring system. Mitigation: Engage specialist AML consultants (ComplyAdvantage, AML Advisory).
• Banking rejection: No account = no licence. Mitigation: Apply to EMI banks early; consider €50,000–100,000 deposit as relationship collateral.
• Substance deficits: Remote directors, no local staff. Mitigation: Hire EEA-resident CEO and MLRO on employment contracts (not consultancy) before submission.

A well-orchestrated application, with pre-submission regulator dialogue and robust documentation, concludes in 9–15 months; poor preparation extends timelines to 24+ months or results in refusal.

Founders routinely underestimate fintech licensing costs. A realistic all-in budget for a MiCA CASP or EMI/PI licence in Lithuania, Cyprus, or Malta is €300,000–€600,000 from inception to first client transaction. Breaking costs into categories aids financial planning.

Regulatory Capital (€50,000–€750,000)

MiCA CASP: €125,000–€150,000 initial capital for most services, €750,000 if safeguarding client assets. EMI: €350,000. PI: €125,000. CIF (Cyprus): €125,000–€730,000. This capital must remain on the balance sheet; it is not working capital—it sits idle, available only to cover losses or regulatory breaches. Opportunity cost is significant: €350,000 at 5 per cent annual return = €17,500 foregone income.

Professional Fees (€120,000–€250,000)

Legal counsel: €40,000–€80,000 for application drafting, regulator liaison, and policy preparation. Complex dual-licensing (EMI + CASP) or multi-jurisdictional setups increase fees to €100,000+. Iverex Global coordinates local counsel in Lithuania (Sorainen, Cobalt), Cyprus (Antonis Paschalides, Harneys), and Malta (Ganado, WH Partners).

Compliance consultancy: €30,000–€60,000 for AML/CFT manual, risk-management framework, business-continuity plan, and KYC/CDD procedures. Specialist crypto-compliance (Coinfirm, Scorechain) adds €10,000–€20,000 for blockchain-forensics integration.

Auditor: €15,000–€30,000 for capital verification, financial-projections review, and first-year statutory audit. Big Four charge upper range; mid-tier (BDO, Mazars, Grant Thornton) lower range.

IT security & penetration testing: €10,000–€25,000 for third-party pen-test, vulnerability assessment, and ISO 27001 gap analysis. SOC 2 Type II certification (often requested by institutional clients or banks) costs €25,000–€50,000.

Insurance broker & premiums: €5,000–€10,000 brokerage fee; annual premium €50,000–€120,000 for €3 million PI cover. First-year total: €55,000–€130,000.

Operational Setup (€50,000–€100,000)

Office lease: €1,500–€4,000/month × 12 = €18,000–€48,000. Regulators require 12-month leases minimum; co-working with private office (WeWork, Regus) is acceptable in Lithuania and Estonia, marginal in Cyprus/Malta.

Technology stack: Custody (BitGo: €2,000–€5,000/month; Fireblocks: €3,000–€8,000/month), transaction-monitoring SaaS (Chainalysis: €20,000–€50,000/year; TRM Labs: €15,000–€40,000/year), KYC (Onfido/Jumio: €0.50–€2 per verification, budget €10,000–€20,000 for pilot), core ledger (proprietary build: €30,000–€100,000; off-shelf: €10,000–€30,000 setup + €2,000–€5,000/month). First-year tech: €50,000–€150,000.

Payroll (first 12 months): CEO (€60,000–€100,000 gross), MLRO/Compliance Officer (€50,000–€80,000), CFO or part-time finance (€40,000–€60,000), developer/IT (€40,000–€70,000). Minimum team of 3–4 FTEs: €200,000–€300,000 annual gross payroll; first 12 months pro-rated if hired mid-process: €150,000–€250,000.

Entity Incorporation & Administration (€10,000–€20,000)

Company formation: €1,500–€3,000. Registered office (virtual or serviced): €1,200–€3,000/year. Corporate secretarial (annual filings, board minutes): €2,000–€5,000/year. Tax registration, VAT, FATCA/CRS setup: €3,000–€6,000. Total first-year administration: €10,000–€20,000.

Banking & Payment Rails (€5,000–€20,000 + Deposits)

Bank-account opening fees: €2,000–€5,000 per bank (many charge non-refundable application fees). Minimum deposits or compensating balances: €50,000–€100,000 (opportunity cost, not expense, but cash locked). SWIFT, SEPA, and card-acquiring setup: €3,000–€10,000. First-year transaction fees (if pilot clients): €5,000–€15,000.

Contingency & Working Capital (€50,000–€100,000)

RFI responses often require additional expert opinions (legal, technical, actuarial), specialist reports (penetration-test re-runs, updated financials), or emergency hires (interim MLRO if candidate withdraws). Budget 15–20 per cent contingency. Additionally, working capital to fund operations during the 6–12 month pre-revenue period (rent, salaries, SaaS subscriptions) is essential; this is separate from regulatory capital and often underestimated.

Sample All-In Budget: MiCA CASP (Lithuania, Safeguarding Client Assets)

• Regulatory capital (€750,000 own funds): €750,000
• Legal & compliance: €90,000
• Audit: €25,000
• IT security & pen-test: €20,000
• Insurance (broker + first premium): €80,000
• Technology stack (setup + 12 months SaaS): €100,000
• Payroll (4 FTEs, 12 months): €250,000
• Office & administration: €30,000
• Banking setup & deposits: €70,000 (€20,000 fees, €50,000 deposit)
• Contingency: €80,000
  Total: €1,495,000 (including €750,000 tied regulatory capital).

Excluding the €750,000 own-funds requirement, out-of-pocket spend is ~€745,000. For a lower-capital EMI (€350,000), out-of-pocket is ~€300,000–€400,000.

Cost-Reduction Strategies

• Phased hiring: Start with 2–3 FTEs (CEO, MLRO, developer); add CFO and support post-licence.
• Outsourced functions: Engage third-party compliance-as-a-service (CaaS) or IT-managed-security providers (lower upfront, higher per-transaction fees).
• Off-the-shelf technology: Avoid bespoke builds; use white-label platforms (Fintense, Crassula, Wallester for EMI; Alphapoint, Talos for crypto exchanges).
• Co-location with accelerators: Lithuania's FinBee, Cyprus's RISE, Malta's Blockchain Island offer subsidised office space and regulatory mentoring.

Transparency on costs prevents mid-application cash crunches and enables credible fundraising; investors scrutinise fintech licensing budgets closely.

Fatal Application Errors

1. Insufficient substance: The leading cause of refusal. Nominees or part-time directors with multiple concurrent directorships, no local employment contracts, or "virtual" offices trigger immediate rejection. Mitigation: Appoint at least two full-time, EEA-resident directors on payroll; lease physical office with photographic evidence and utility bills in the company's name; conduct board meetings in-country with signed minutes.

2. Undercapitalised or illiquid capital: Presenting crypto-assets, SAFEs, or letters-of-intent as proof of capital. Regulators require cash in a bank account, auditor-verified, before submission. Applicants who wire capital from non-EEA jurisdictions (BVI, Cayman) face source-of-funds interrogation; clean audit trails (sale of legitimate assets, documented loans from reputable lenders, venture-capital equity rounds) are essential. Mitigation: Transfer fiat from a regulated bank, obtain auditor confirmation, and include bank statement showing >6 months' liquidity.

3. Generic or copy-paste AML/CFT manuals: Regulators spot boilerplate policies instantly—references to irrelevant jurisdictions, missing local AML law citations, no firm-specific risk assessment. Mitigation: Bespoke manual referencing local AML legislation (Lithuania: Law on the Prevention of Money Laundering and Terrorist Financing; Cyprus: AML Law 188(I)/2007 as amended; Malta: PMLFTR), customer-risk matrices, transaction-monitoring thresholds, and SAR/STR filing procedures. Include evidence of MLRO training and ongoing monitoring systems.

4. Incomplete fit-and-proper documentation: Expired criminal records, unsigned CVs, missing professional references, or UBO declarations with gaps. Mitigation: Use a checklist; obtain fresh criminal records (<3 months old), apostilled and translated; secure notarised references from two independent referees (lawyers, accountants, former employers in regulated firms); complete UBO forms with full ownership chains (often to natural persons across multiple SPVs).

5. Technology without audit trail: Claiming proprietary custody or transaction-monitoring systems without penetration-test reports, code-review documentation, or third-party attestation. Mitigation: Engage accredited pen-testers (CREST, OSCP-certified); provide system-architecture diagrams, API documentation, and disaster-recovery test logs. If using third-party vendors (BitGo, Chainalysis), include signed service agreements and vendor due-diligence reports.

6. No banking relationship: Submitting applications without a provisional bank account or realistic banking pathway. Regulators know that "licence first, banking later" often means "no banking ever." Mitigation: Secure letters of intent or provisional account-opening approvals from 2–3 banks before submission; disclose these in the application and business plan.

Offshore Alternatives for Non-EEA Market Access

MiCA eliminates the viability of unlicensed crypto services targeting EEA clients. However, non-EEA domiciled entities serving non-EEA markets retain offshore options—with significant caveats.

BVI (British Virgin Islands): The Virtual Asset Service Providers Act 2022 (VASP Act) came into force 1 February 2023. BVI VASP licences require USD 100,000 minimum capital, fit-and-proper directors, AML/CFT compliance (aligned with FATF), and audited financials. Licensing timelines: 6–9 months; costs ~USD 80,000–150,000 (legal, application fees, first-year administration). BVI entities cannot passport into the EEA under MiCA and face banking challenges (most international banks decline BVI crypto firms). Suitable for Asia-Pacific and Caribbean clients, family offices seeking privacy, or holding-company structures. US persons: BVI companies are Controlled Foreign Corporations (CFCs) if >50 per cent US-owned; Subpart F income (passive, services income) is immediately taxable to US shareholders, and GILTI (Global Intangible Low-Taxed Income) applies, often resulting in 10.5–13.125 per cent US tax plus state tax. UK persons: BVI companies controlled by UK residents trigger CFC rules (TIOPA 2010, Part 9A); unless the entity-level exemption (local trading, <£500,000 profits, or acceptable distribution policy) applies, BVI profits are apportioned to UK and taxed at 25 per cent. Substance: BVI demands adequate presence (local directors, office, staff); Economic Substance Act penalties for non-compliance reach USD 400,000.

Cayman Islands: Cayman offers VASP registration under the Virtual Asset (Service Providers) Act 2020, effective 1 September 2020 (registration); licensing for higher-risk activities (custody, exchange) commenced 1 October 2020. Minimum capital varies (custodians: USD 100,000+); sandbox regime available for start-ups. Costs and timelines comparable to BVI. Cayman has no corporate income tax, but CFC and GILTI rules apply identically for US persons; UK CFC rules likewise. Cayman's banking environment is sophisticated (Cayman National, Butterfield) but highly selective. Suitable for institutional crypto funds, offshore family offices, and LATAM/Asia clients.

Singapore: Not offshore, but non-EEA. The Payment Services Act (PS Act) governs Digital Payment Token (DPT) services. A Major Payment Institution (MPI) licence for DPT covers exchange, custody, and transfer services; requires SGD 250,000 base capital + variable capital (3–6 months' operating expenses), fit-and-proper directors, local substance (Singapore-incorporated, local CEO/directors, office, compliance team), AML (Notice PSN02), technology-risk (Notice PSN01), and comprehensive policies. MAS (Monetary Authority of Singapore) timelines: 12–18 months; refusal rate historically ~80 per cent. Costs: SGD 200,000–400,000 (legal, compliance, first-year setup). Singapore has 17 per cent CIT, extensive tax-treaty network, and robust banking (DBS, OCBC, UOB have fintech desks). No EEA passport, but MAS licences confer credibility and access to ASEAN, ANZ, and global institutional clients. US-person and UK-CFC considerations apply.

Switzerland (non-EU, but EEA-aligned): Switzerland is not in the EEA but has equivalence agreements and mutual-recognition frameworks with the EU. FINMA (Swiss Financial Market Supervisory Authority) licences FinTech entities under the FinTech Licence (max CHF 100 million public deposits, no lending) or full Banking Licence (unrestricted). MiCA does not directly apply; however, FINMA aligns prudentially with EU standards. Swiss FinTech licences: CHF 300,000 minimum capital, 6–12 months, costs CHF 100,000–200,000. Banking: accessible (Hypothekarbank Lenzburg, Sygnum, SEBA for crypto). CIT: 11.9–21 per cent (federal + cantonal). No EEA passport; serves global clients. US/UK CFC and substance rules apply.

Reverse-Solicitation Fiction Post-MiCA

Pre-MiCA, providers argued that unsolicited approaches by EEA clients (reverse solicitation) exempted them from local authorisation under MiFID II precedent. MiCA extinguishes this defence: Art. 59 requires authorisation for providing CASP services to EEA persons, irrespective of who initiated contact. Offshore entities marketing (website, social media, ads, active outreach) to EEA clients or accepting EEA clients without geo-blocking commit criminal offences under member-state implementation laws and face regulatory enforcement (cease-and-desist, fines, director bans). Founders relying on offshore entities must geo-block EEA, document IP-address filtering, KYC-reject EEA applicants, and obtain legal opinions affirming no EEA nexus.

Iverex Global counsels: if your TAM is EEA, pursue MiCA licensing in-region; if targeting non-EEA, offshore domicile with genuine substance and clean tax structuring (navigating US/UK CFC, FATCA, OECD BEPS Pillar Two) is feasible but complex.

---

Next steps: For a jurisdiction-specific feasibility study, pre-application gap analysis, or end-to-end licensing project management, contact Iverex Global—we architect compliant fintech structures and navigate founders from concept to authorisation across Lithuania, Cyprus, Malta, Estonia, UAE, and Singapore.