Licentium

Licensing Hub

Isle of Man

The Isle of Man Financial Services Authority registers VASPs under the Designated Businesses Act 2015 and AML/CFT Code. The regime is AML-focused, not full prudential licensing.

Available licences

Designated-Business Registration as VASP

IOMFSA designated-business registration under the Designated Businesses (Registration and Oversight) Act 2015 for VASP activities carried on by way of business for or on behalf of another person, including fiat/virtual-asset exchange, virtual-asset/virtual-asset exchange, transfer, safekeeping/administration, instruments enabling control and issuer-offer-related financial services. Application requires identification, business description, addresses, specified persons and the prescribed non-refundable fee. IOMFSA must refuse registration if the applicant or a specified person is not fit and proper. Type A VASP 2026 application fee £3,747; annual fee £3,747 (1 employee) up to £8,565 (>25 employees).

AML/CFT Code 2019 Compliance

Substantive AML/CFT compliance obligations under the Proceeds of Crime Act 2008 and AML/CFT Code 2019. VASPs must establish AML/CFT procedures and controls (Code compliance, sanctions screening, internal controls, communications, employee awareness, ML/TF risk management), maintain business, customer and technology risk assessments (technology risk assessments before launching new products or technologies), perform customer due diligence with reliable independent source verification, identify and verify beneficial owners and controllers, appoint an MLRO with sufficient seniority and resources, maintain suspicious-activity reporting procedures and retain records at least five years.

Travel Rule (Transfer of Virtual Assets) Code 2024

Travel Rule Code in operation from 28 October 2024. All virtual asset transfers are treated as cross-border. Originator-side VASPs must obtain and securely submit beneficiary name, beneficiary account identifier, originator name, originator account identifier, a unique transaction identifier where applicable and one of originator's address, national identity number or date and place of birth. Beneficiary-side VASPs must verify received information and apply risk-based policies for missing or inconsistent information. The Code covers unhosted-wallet transfers and de minimis transfers, treats travel-rule information as CDD information for recordkeeping purposes, and requires availability of information to the Isle of Man FIU on request. March 2026 amendments should be checked for unhosted-wallet and civil-penalty wording.

Financial Services Act 2008 Licence (Securities / Investment / Money Transmission)

Where a token is a digital representation of fiat currency, a security or another financial asset, activity may fall outside the VASP definition but inside the Financial Services Act 2008 framework. The Regulated Activities Order 2011 treats dealing, arranging, managing, safeguarding and advising on investments as investment business; investments include shares, debentures, government securities, warrants, collective investment scheme units, options, futures and contracts for differences. Tokenised securities, fund interests, derivatives and money-transmission activity require separate licensing analysis.

Detailed overview

Isle of Man: Designated-Business VASP Registration and AML/CFT Oversight

Regulator

The Isle of Man Financial Services Authority is the relevant regulator for virtual asset service providers under the designated-business registration and AML/CFT oversight framework.

The Isle of Man regulates virtual asset service providers primarily through the Designated Businesses (Registration and Oversight) Act 2015, the Proceeds of Crime Act 2008, the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019, and the Travel Rule (Transfer of Virtual Assets) Code 2024.

A business engaged in VASP activity is a designated business. It must register with the Isle of Man Financial Services Authority unless an exemption applies. The regime is primarily an AML/CFT registration and oversight regime. It is not, by itself, a full prudential crypto exchange licensing regime.

Registration requirement

A person must not carry on, or hold itself out as carrying on, a designated business in or from the Isle of Man unless it is registered or exempt, acts in accordance with its registration or exemption conditions, and complies with AML/CFT legislation.

A business may be treated as operating in the Isle of Man if it has a permanent place of business in the Island or carries out designated-business activity in the Island. It may be treated as operating from the Isle of Man if it is an Isle of Man company, Isle of Man 2006 Act company, Isle of Man limited liability company, Isle of Man foundation, registered foreign company, Isle of Man limited partnership or Isle of Man resident individual carrying on designated business outside the Island.

Website, email and domain wording can also be relevant. A person can be treated as holding itself out as carrying on designated business in or from the Isle of Man if the wording of a website, web page, email name, email address, email subject or domain name indicates that the business is carried on in, from or in connection with the Island.

Virtual asset and VASP definitions

A virtual asset is a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. Digital representations of fiat currencies, securities and other financial assets are excluded.

A virtual asset service provider is a natural or legal person that, by way of business, conducts one or more covered activities for or on behalf of another person. Covered activities include exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, transfer of virtual assets, safekeeping or administration of virtual assets or instruments enabling control over virtual assets, and participation in or provision of financial services related to an issuer’s offer or sale of a virtual asset.

Licensable and registrable activities

A business is likely to fall within the VASP registration perimeter where it operates a virtual asset exchange, crypto-fiat conversion service, OTC desk, custodial wallet, hosted wallet, virtual asset transfer service, virtual asset safekeeping service, private-key control service, token-sale support service, or financial service connected with another person’s virtual asset offer or sale.

The registration analysis should focus on actual functions rather than labels. A business that calls itself a wallet, payment processor, liquidity provider, exchange desk, tokenisation platform or software provider may still be a VASP if it performs a covered activity by way of business for or on behalf of another person.

Activities outside the VASP perimeter

A token may fall outside the virtual asset definition if it is a digital representation of fiat currency, a security or another financial asset. That does not mean the activity is unregulated. It may instead be regulated under the ordinary Isle of Man financial-services framework.

The Financial Services Act 2008 separately regulates financial-services activities carried on by way of business. These include investment business, services to collective investment schemes and money-transmission activity. A person must not carry on, or hold itself out as carrying on, a regulated activity in or from the Isle of Man unless it has the required licence and complies with licence conditions.

The Regulated Activities Order 2011 treats dealing, arranging, managing, safeguarding and advising on investments as investment business. Investments include shares, debentures, government securities, warrants, certificates representing securities, units in collective investment schemes, options, futures, contracts for differences, long-term insurance and related rights or interests. Tokenised securities, fund interests, derivatives or other financial assets may therefore require separate licensing analysis.

Application process

An applicant for designated-business registration must apply to the Isle of Man Financial Services Authority unless exempt. The application must be in the form determined by the Authority, include information reasonably required by the Authority, identify the applicant, describe the designated business, state relevant business addresses, identify specified persons and include the prescribed non-refundable fee.

The Authority may require additional information. The applicant must notify the Authority immediately of any alteration, inaccuracy or material event affecting the application before determination.

The Authority may register the applicant with or without conditions or refuse registration. It must refuse registration if it is not satisfied that the applicant or a specified person is fit and proper. Fit-and-proper issues include AML/CFT offences, dishonesty offences, relevant regulatory breaches, false or misleading application information and other reasons linked to money-laundering or terrorism-financing risk.

Ongoing oversight

A registered VASP must submit an annual return and pay the annual fee. The annual return must include a declaration about the extent to which the business meets AML/CFT legislation requirements and any other information required by the Authority.

The Authority may conduct inspections and investigations, inspect books, accounts and documents, investigate transactions, take possession of documents where necessary and exercise powers where it reasonably suspects that a person is carrying on designated business while unregistered.

AML and CFT obligations

VASPs are subject to the Isle of Man AML/CFT framework. The Proceeds of Crime Act 2008 applies the AML/CFT Code to businesses and activities in the regulated sector, including VASP activities.

A VASP must establish, record, operate and maintain AML/CFT procedures and controls. These controls must cover Code compliance, sanctions screening, internal controls, communications, employee and worker awareness and the management and mitigation of money-laundering and terrorism-financing risks. Ultimate responsibility for compliance remains with the VASP even where it outsources functions or relies on third parties.

A VASP must maintain a business risk assessment, customer risk assessments and a technology risk assessment. The technology risk assessment must be undertaken before new products, business practices, delivery methods, delivery systems or new and developing technologies are launched or implemented.

Customer due diligence must include customer identification, verification using reliable independent source documents, data or information, verification of legal status, information on the nature and intended purpose of the relationship and reasonable measures to establish source of funds. The VASP must also identify and verify beneficial owners and persons exercising control where required.

A VASP must appoint an MLRO with sufficient seniority, experience, authority, access, time and resources. It must maintain suspicious-activity reporting procedures and retain required records for at least five years, with longer retention where required by an FIU disclosure, investigation or competent-authority request.

Travel rule

The Travel Rule Code applies to relevant persons undertaking VASP or intermediary VASP activity. It came into operation on 28 October 2024. All virtual asset transfers under the Code are treated as cross-border transfers, even where the originator and beneficiary are in the same country.

An originator-side VASP must obtain and hold required information and submit it to the receiving VASP immediately and securely. Required information includes the beneficiary name, beneficiary account identifier, originator name, originator account identifier, a unique transaction identifier where applicable and one of the originator’s address, national identity number or date and place of birth. Originator information must be accurate.

A beneficiary-side VASP must ensure that it has received the required information and that the information is accurate and consistent with its own records for the beneficiary name and account identifier where applicable. It must maintain risk-based policies and procedures for missing, incomplete or inconsistent information and for follow-up action, including whether to apply the transfer and whether to make an internal disclosure.

The Code contains rules for unhosted-wallet transfers and de minimis transfers. It treats travel-rule information as customer due diligence information and applies AML/CFT recordkeeping requirements to that information. Information obtained under the Code must be made available to the Isle of Man Financial Intelligence Unit on request.

Official March 2026 legislative materials list the Travel Rule (Transfer of Virtual Assets) (Amendment) Code 2026 and the Anti-Money Laundering and Countering the Financing of Terrorism Civil Penalties Travel Rule Amendment Regulations 2026. Businesses should verify the current consolidated wording before implementing unhosted-wallet controls or final civil-penalty analysis.

Fees

For 2026, the application fee for a Type A virtual asset service provider designated-business registration is £3,747.

Annual fees for Type A VASPs are based on employee numbers. The annual fee is £3,747 for one employee, £4,283 for two to five employees, £5,354 for six to ten employees, £6,424 for eleven to fifteen employees, £7,494 for sixteen to twenty-five employees and £8,565 for more than twenty-five employees.

Regulatory outlook

The Isle of Man has an established VASP AML/CFT registration regime and a statutory travel-rule framework. The main current point for verification is the March 2026 Travel Rule amendment package, especially the final wording for unhosted-wallet transfers and civil-penalty treatment.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started