Crypto Compliance Frameworks Compared: FATF, MiCA, US, and Asia

Crypto Compliance Frameworks at a Glance

Crypto regulation has moved beyond white papers and consultation periods into enforceable law across every major financial center. The EU's MiCA regulation reached full application in December 2024. The US signed the GENIUS Act into law in July 2025. Japan, Singapore, and Hong Kong each run distinct licensing regimes with different scope, thresholds, and enforcement teeth. At the international level, the FATF sets baseline recommendations that member jurisdictions adapt into local law.

For anyone building or operating a crypto business, understanding which framework applies, and where they diverge, is the difference between staying operational and facing enforcement action. The following comparison covers the six most consequential regulatory regimes for crypto assets, with particular attention to KYC/AML requirements, licensing structures, and transaction monitoring obligations.

FATF: The Global Baseline

The Financial Action Task Force sets the international standard that most national frameworks reference. FATF Recommendation 15 requires countries to regulate Virtual Asset Service Providers (VASPs), and Recommendation 16 imposes the Travel Rule: VASPs must collect and transmit originator and beneficiary information for transfers above a USD/EUR 1,000 threshold.

As of the June 2025 Targeted Update, 85 of 117 surveyed jurisdictions (73%) have passed Travel Rule legislation, up from 65 in 2024. However, approximately 59% of jurisdictions with laws on the books have taken zero enforcement or supervisory actions, creating the so-called "sunrise problem" where compliant VASPs cannot find compliant counterparties to exchange data with.

The June 2025 revision of Recommendation 16 expanded its scope beyond AML/CFT to explicitly include fraud prevention and proliferation financing. It also introduced Confirmation of Payee (CoP) verification for cross-border transfers and aligned requirements with ISO 20022 messaging standards.

Note: FATF recommendations are not directly binding. Each member jurisdiction implements them through local legislation, which is why thresholds, data fields, and enforcement vary widely. Use our Travel Rule lookup tool to check country-specific requirements.

EU MiCA and the Transfer of Funds Regulation

The EU's Markets in Crypto-Assets Regulation (MiCA) is the most comprehensive single-jurisdiction crypto framework in force. Stablecoin rules (covering E-Money Tokens and Asset-Referenced Tokens) became applicable on June 30, 2024. Full CASP (Crypto-Asset Service Provider) authorization requirements took effect on December 30, 2024, with a grandfathering period for existing operators ending July 1, 2026.

MiCA establishes minimum capital requirements that scale with service type: EUR 50,000 for advisory services, EUR 125,000 for custody and exchange, and EUR 150,000 for trading platform operators. CASPs must meet governance, conduct, cybersecurity, and KYC/AML requirements, with authorization granted by national competent authorities and passportable across all 27 member states.

Running alongside MiCA, the EU Transfer of Funds Regulation (TFR) imposes a zero-threshold Travel Rule: every crypto transfer, regardless of amount, must include full sender and recipient identifying information. This is the strictest implementation globally and significantly exceeds the FATF's USD 1,000 recommended threshold.

For stablecoin-specific MiCA requirements, see our MiCA compliance checker. For a broader look at stablecoin regulation across jurisdictions, see our research on MiCA vs. US stablecoin frameworks.

United States: The Patchwork Approach

US crypto regulation is split across multiple agencies with overlapping and sometimes conflicting mandates. Three federal bodies share primary jurisdiction:

• FinCEN regulates crypto businesses as Money Services Businesses (MSBs) under the Bank Secrecy Act, requiring registration, AML programs, Suspicious Activity Reports (SARs) for transactions over $2,000, and Currency Transaction Reports (CTRs) for daily aggregates exceeding $10,000
• The SEC asserts jurisdiction over tokens that qualify as securities under the Howey Test, requiring registration or exemption for issuance and exchange listing
• The CFTC oversees digital asset derivatives and is seeking expanded spot market authority through the CLARITY Act, which cleared the Senate Banking Committee in May 2026

The GENIUS Act, signed into law in July 2025, created the first federal stablecoin framework. It requires 1:1 reserves in qualifying assets (US dollars, short-term Treasuries up to 93 days, overnight repos, money market funds), prohibits rehypothecation of reserves, and mandates monthly reserve composition reports. Issuers with under $10 billion outstanding can operate under state regulation; above that threshold, they must transition to federal oversight within 360 days.

The US Travel Rule threshold remains at $3,000, the highest among major jurisdictions. FinCEN has proposed reducing this to $250 for international transfers, but the rule change has not been finalized. Beyond federal requirements, operators must also obtain state money transmitter licenses in each state where they operate, creating significant compliance overhead.

Singapore: Payment Services Act and DPT Licensing

The Monetary Authority of Singapore (MAS) regulates crypto through the Payment Services Act (PSA), which classifies crypto exchange and transfer services as Digital Payment Token (DPT) services. Operators must obtain either a Standard Payment Institution (SPI) or Major Payment Institution (MPI) license, with the MPI threshold triggered when total transaction value exceeds SGD 5 million.

October 2024 amendments strengthened consumer protections: DPT service providers must now safeguard customer assets under statutory trust and face restrictions on facilitating lending and staking for retail customers. In June 2025, MAS clarified that all Singapore-incorporated digital token providers serving overseas clients must obtain a Part 9 license, closing a regulatory gap that had allowed some firms to operate without licensing.

Singapore's Travel Rule requires full originator and beneficiary information (name, account number, address or national ID) for transfers above SGD 1,500, with basic originator data required on all transactions regardless of amount.

MAS also finalized a stablecoin regulatory framework in August 2023, applying to single-currency stablecoins pegged to SGD or any G10 currency. Issuers must maintain 100% reserves in cash, cash equivalents, or government debt with maturity under 3 months, published through monthly independent attestations.

Japan: FSA Registration and Dual-Token Classification

Japan was one of the first major economies to regulate crypto exchanges following the 2014 Mt. Gox collapse. The Japan Financial Services Agency (JFSA) requires all crypto exchanges to register as Crypto-Asset Exchange Service Providers (CAESPs) under the Payment Services Act.

In April 2025, the FSA proposed a dual-token classification system: Type 1 tokens (used for fundraising and business purposes) face stricter disclosure and transparency requirements, while Type 2 tokens (high-circulation assets like Bitcoin and Ether) emphasize user-asset protection and custody standards. The May 2025 amendment to the PSA enacted stablecoin regulations and NFT classification rules.

Japan enforces one of the strictest Travel Rule implementations globally: zero threshold (all transactions covered), with full originator and beneficiary data required. As of April 2025, the FSA expanded the Travel Rule network to 58 jurisdictions, adding 30 new countries. For stablecoins, only banks, fund transfer service providers, trust banks, or trust companies licensed in Japan may issue Electronic Payment Instruments (EPIs) to residents.

Hong Kong: SFC VASP Licensing Regime

Hong Kong introduced its Virtual Asset Trading Platform (VATP) licensing regime in June 2023, requiring all platforms serving Hong Kong customers to obtain a license from the Securities and Futures Commission (SFC). As of early 2026, 12 platforms have been licensed, including OSL, HashKey Exchange, HKVAX, Bullish, and subsidiaries of major brokerages Futu Holdings and Tiger Brokers.

In November 2025, the SFC relaxed the 12-month track record requirement for professional investors and permitted licensed VATPs to integrate order books with global affiliate platforms for shared liquidity. The Financial Services and the Treasury Bureau (FSTB) plans to introduce legislation in 2026 that extends regulation beyond trading platforms to cover virtual asset dealers, custodians, advisers, and asset managers.

Licensing and Capital Requirements Compared

The following table compares licensing structures and capital requirements across the six frameworks. Capital figures represent minimum thresholds; actual requirements may be higher based on business volume and risk profile.

Enforcement Approaches

Frameworks differ sharply in how violations are penalized. The GENIUS Act carries civil penalties of up to $100,000 per day and criminal penalties of up to $1 million per violation with up to 5 years imprisonment. The SEC has pursued enforcement actions against crypto companies through existing securities law, resulting in settlements ranging from millions to billions of dollars.

MiCA enforcement is handled by each EU member state's national competent authority, with ESMA providing supervisory coordination for significant tokens. Japan's FSA has a track record of suspending exchange operations for compliance failures. Singapore's MAS has issued prohibition orders against individuals and revoked exemptions for non-compliant firms.

Hong Kong's SFC actively monitors for unlicensed operations: in 2024-2025, several platforms were added to the SFC's alert list for operating without authorization. The SFC has also referred cases for criminal investigation.

Travel Rule Compliance Protocols

Transmitting Travel Rule data between VASPs requires a messaging protocol. Four major solutions have emerged:

• TRISA (Travel Rule Information Sharing Architecture): open-source, uses PKI framework for privacy-preserving peer-to-peer data exchange
• TRP/OpenVASP: decentralized protocol with no membership or central registry required, using smart contracts for VASP identification
• Sygna Bridge: commercial API-based messaging service supporting 3,000+ virtual assets
• TRUST (Travel Rule Universal Solution Technology): backed by major exchanges including Coinbase for VASP-to-VASP data sharing

TRISA, TRP/OpenVASP, and Sygna Bridge have achieved interoperability, allowing cross-protocol Travel Rule message exchange. This is a significant development: the lack of interoperability was the primary obstacle to practical Travel Rule compliance in 2023-2024. For country-specific Travel Rule requirements, use our Travel Rule lookup tool.

Implications for Bitcoin and Stablecoin Payments

These compliance frameworks directly shape how stablecoin payment rails are built. Under MiCA's zero-threshold Travel Rule, every stablecoin transfer in the EU must carry full sender and recipient data, regardless of size. Under the US regime, the $3,000 threshold means smaller transfers require less overhead, but state-by-state money transmitter licensing adds complexity.

For Bitcoin-native stablecoins like USDB operating on Spark, the regulatory landscape determines which jurisdictions are accessible and what compliance infrastructure must be built into payment flows. Layer 2 protocols that support programmable compliance, such as embedding Travel Rule data into transfer metadata, can reduce friction for regulated operators building on top of them.

The stablecoin-specific rules under the GENIUS Act and MiCA also affect reserve management. Both require segregated, fully backed reserves with regular attestations. For a comparison of stablecoin rules by country, see our stablecoin regulation by country reference.

Frequently Asked Questions

What is the FATF Travel Rule for crypto?

The FATF Travel Rule (Recommendation 16) requires VASPs to collect and transmit originator and beneficiary information for virtual asset transfers above a USD/EUR 1,000 threshold. Required data includes the sender's full name, account number or wallet address, and physical address or national ID, plus the beneficiary's full name and account number. As of June 2025, 85 of 117 surveyed jurisdictions have enacted Travel Rule legislation, though enforcement remains inconsistent.

How does MiCA differ from US crypto regulation?

MiCA provides a single, unified framework across all 27 EU member states with a passportable CASP license. The US has no equivalent: regulation is split across the SEC (securities), CFTC (commodities), and FinCEN (money transmission), with additional state-by-state licensing requirements. MiCA also imposes a zero-threshold Travel Rule, whereas the US threshold is $3,000. The GENIUS Act addresses stablecoins specifically, but comprehensive legislation for non-stablecoin crypto assets is still pending in the US.

Which countries have the strictest crypto compliance requirements?

The EU (under MiCA and TFR) and Japan have the strictest requirements by several measures. Both impose zero-threshold Travel Rules covering all transactions. Japan requires FSA registration for all exchange operators and restricts stablecoin issuance to licensed banks and trust companies. The EU requires CASP authorization with minimum capital, governance standards, and cybersecurity requirements, with stablecoin issuers subject to 100% reserve mandates and monthly attestations.

Do I need a license to operate a crypto exchange?

Yes, in virtually every major jurisdiction. The EU requires CASP authorization under MiCA. The US requires FinCEN MSB registration plus state money transmitter licenses. Singapore requires an MPI or SPI license under the Payment Services Act. Japan requires FSA CAESP registration. Hong Kong requires an SFC license for virtual asset trading platforms. Operating without the appropriate license exposes firms to enforcement action, including fines, cease-and-desist orders, and criminal prosecution.

What is the sunrise problem in Travel Rule compliance?

The sunrise problem refers to the gap created when VASPs in jurisdictions that have implemented the Travel Rule attempt to share data with VASPs in jurisdictions that have not. Without a compliant counterparty, the originating VASP cannot complete the data exchange. With 27% of surveyed jurisdictions lacking Travel Rule legislation entirely, and 59% of those with laws having taken no enforcement action, compliant VASPs frequently encounter counterparties that cannot or will not participate in Travel Rule messaging.

What protocols are used for Travel Rule compliance?

Four major protocols handle Travel Rule data exchange: TRISA (open-source PKI-based), TRP/OpenVASP (decentralized, no central registry), Sygna Bridge (commercial API service), and TRUST (backed by Coinbase and other major exchanges). TRISA, TRP, and Sygna have achieved cross-protocol interoperability, meaning a VASP using one protocol can exchange Travel Rule data with a VASP on another. This interoperability was a major milestone for practical compliance adoption.

How does Hong Kong's VASP regime compare to Singapore's?

Both require licensing but differ in scope and approach. Hong Kong's SFC regime currently covers virtual asset trading platforms, with legislation planned in 2026 to extend to dealers, custodians, and advisers. Singapore's PSA covers a broader range of payment services from the outset, including DPT exchange and transfer. Hong Kong requires HKD 5 million minimum capital for platform operators; Singapore requires SGD 250,000 for Major Payment Institutions. Hong Kong has licensed 12 platforms as of early 2026; Singapore has granted licenses to a larger number of firms across its payment services categories.

This tool is for informational purposes only and does not constitute legal or financial advice. Regulatory frameworks change frequently. Data reflects publicly available information as of mid-2026. Always consult qualified legal counsel and verify current requirements with the relevant regulatory authority before making compliance decisions.