As digital assets have become more widely adopted throughout the global economy, financial institutions — historically focused on servicing customers utilizing fiat currency — have had to adapt. They’ve built new crypto-enabled business lines. They’ve created new digital asset custody and brokerage options. And they’ve implemented processes to maintain compliance with regulations around cryptocurrencies and other digital assets. 

The process by which financial institutions decide which Virtual Asset Service Providers (VASPs) they want to work with — and in what capacity — has also become more complex and nuanced. Conducting comprehensive entity due diligence checks on crypto exchanges, custody providers, and other VASPs — prior to onboarding them as customers or partners — is one of the most critical steps any financial institution will take as part of its crypto compliance program. 

This guide provides a roadmap for financial institutions looking to apply a repeatable framework for evaluating VASPs before bringing them into the fold. Asking these questions will help give you a complete picture of a VASP’s risk exposure — in turn helping you make more informed decisions for your business and your customers.

{{premium-content_chapter-divider}}

<span class="premium-content_chapter">CONSIDERATION 1</span>

What is the jurisdictional footprint of the crypto entity you are facing?

{{10-key-considerations-for-entity-due-diligence-jurisdictional-footprint}}

Why this is important to know

Understanding the jurisdictional footprint of a VASP helps you uncover answers to questions like:

• Does the crypto entity have a global customer base?
• Do they have exposure in high-risk jurisdictions?
• Are they operating in jurisdictions with limited regulations or enforcement?
• What fiat currencies does this entity support?

These kinds of questions are critical for evaluating whether the VASP is subject to adequate regulation or avoiding regulatory scrutiny by arbitraging jurisdictions. The jurisdiction the VASP operates within will also determine which laws apply to the VASP in case of dispute or investigation. So it’s important to address whether the VASP can comply with your institution’s own cross-border obligations, and proactively identify any potential conflicts between regulatory regimes that could affect collaboration with law enforcement agencies or regulators.

Having a grasp on a VASP’s jurisdictional footprint is also critical for protecting your institution from unwanted sanctions or geopolitical risk. For example, a VASP with servers in a sanctioned jurisdiction — even if incorporated elsewhere — could expose your institution to significant penalties.

Jurisdictional footprint discovery checklist

Here’s a checklist of important follow-up questions to ask once you’ve identified the jurisdictional footprint of the VASP you are investigating.

Licensing and regulatory status

• Is the VASP registered or licensed in its home jurisdiction?
• Which regulatory bodies oversee the VASP's activities?
• What specific licenses or authorizations does the VASP hold?
• Are those licenses still valid and up to date?
• Does the VASP operate in jurisdictions where it is not registered or licensed?

Anti-money laundering (AML) / combatting the financing of terrorism (CFT) compliance standards

• What AML/CFT regulations is the VASP subject to in each jurisdiction?
• Are these jurisdictions compliant with Financial Action Task Force (FATF) Recommendations?
• Does the VASP apply a global AML standard, or does it vary by jurisdiction?
• Has the VASP implemented the Travel Rule? If so, how?

Operational presence and transparency

• Where are the VASP’s main operational teams, servers, and decision-makers located?
• Does the VASP rely on third-party partners in other jurisdictions?
• Do they provide full transparency into their entity structure and beneficial ownership?

Sanctions and risk exposure

• Does the VASP operate in, or have exposure to, any sanctioned jurisdictions?
• Are they screening their customer base and counterparties against global sanctions lists (e.g. Office of Foreign Assets Control (OFAC) or EU)?
• Have they ever been subject to enforcement actions or regulatory investigations related to sanctions breaches?

Audit and oversight

• Is the VASP regularly audited by third parties?
• Are financials and compliance reports publicly available or accessible on request?
• Have they ever failed a regulatory examination or been fined?

Cross-border risk management

• How does the VASP ensure compliance with multiple regulatory regimes?

{{10-key-considerations-for-entity-due-diligence-trm-kye-1}}

{{premium-content_chapter-divider}}

<span class="premium-content_chapter">CONSIDERATION 2</span>

Does the VASP have licenses to operate in its respective jurisdictions?

This question directly addresses a VASP's legal legitimacy, regulatory alignment, and risk profile — all of which are crucial for a financial institution's decision to engage.

Some jurisdictions have a strong regulatory framework with strict licensing mandates for crypto activity. For instance, if a firm has US customers or legal entities in the US and facilitates the transmission of crypto assets, they must be registered with FinCEN. Working with a VASP that is operating as an unregistered entity in any particular jurisdiction where it is required exposes your institution to significant regulatory and reputational risk.

Licensure signals that the VASP is willing to operate transparently and within the rule of law. For financial institutions held to high standards, only working with licensed entities protects their reputation and customer trust. Licenses also specify what services the VASP is authorized to perform (e.g. spot trading, custody, or token issuance). If a VASP claims to offer services beyond its licensing scope, that should raise a regulatory red flag for your institution.

VASP licensure discovery checklist

Here’s a checklist of important questions for VASPs you are considering working with, to ensure they are correctly licensed.

Licensing and registration status

• Are you currently licensed or registered as a VASP?
• Which regulatory authority issued your license(s)?
• Can you provide the license or registration numbers and expiration dates?
• Are your licenses publicly verifiable (e.g. via a regulator’s website)?
• What is the legal name and entity under which you are licensed?

Jurisdictional coverage

• In which countries or jurisdictions are you licensed to operate?
• Are you licensed in every jurisdiction where you actively serve customers or conduct business?
• Are there any jurisdictions where you operate without formal regulatory authorization?
• Have you applied for licensure in any new jurisdictions? If so, what is the status?

Scope and limitations of licenses

• What specific services are you authorized to perform under your licenses (e.g. exchange services, custody, brokerage, token issuance, staking)?
• Do your licenses allow for cross-border operations?
• Are there any restrictions on the type of customers you can serve (e.g. retail vs. institutional)?

License maintenance and renewal

• When were your licenses issued, and when are they due for renewal?
• Have any of your licenses ever lapsed or been suspended due to non-renewal or non-compliance?
• What processes do you have in place to ensure licenses remain in good standing?

Regulatory history and oversight

• Have you ever been the subject of a regulatory investigation or enforcement action?
• Have any of your license applications been rejected, delayed, or withdrawn?
• Have you ever received fines or sanctions from regulators? If so, please provide details.
• Are you regularly audited by regulators or third-party firms as part of maintaining your licensure?

Operational transparency and documentation

• Can you provide documentation to support your current licensing status?
• Do you have a centralized compliance team managing regulatory relationships across jurisdictions?
• How do you keep up with changing regulatory requirements in the jurisdictions where you operate?

Red flags and compliance assurance

• Have any of your partner VASPs or affiliates lost their licenses or been penalized?
• Are any of your licenses provisional, temporary, or conditional?
• Have any licenses been obtained through third-party service providers or intermediaries?

{{10-key-considerations-for-entity-due-diligence-supporting-evidence}}

{{premium-content_chapter-divider}}

<span class="premium-content_chapter">CONSIDERATION 3</span>

What is the type of crypto exposure?

Understanding the crypto exposure of a VASP directly informs your institution’s understanding of risk exposure, financial health, operational dependencies, and compliance obligations.

For example, it’s important to consider the volatility of the assets the VASP holds. A VASP with large holdings in speculative or illiquid tokens may face solvency risks during market downturns, potentially jeopardizing its counterparties and customers. The type of crypto exposure also often reflects how dependent the VASP is on specific blockchain assets or networks — so it’s important to consider concentration risk or exposure to protocol-level vulnerabilities, which could impact service continuity, security, or regulatory treatment.

Crypto exposure also sheds light on how the VASP handles assets. It’s important to consider whether the VASP holds customer funds on its balance sheet (custodial risk); whether it offers access to DeFi via smart contract proxies; and whether it acts as an intermediary, facilitator, or market participant.

Crypto exposure discovery checklist

Here’s a checklist of important questions to ask VASPs with regards to their crypto exposure.

General exposure

• Does the activity expose the firm to direct on-chain transactions? For example:
  
  • The firm’s customers are buying, selling, or transferring bitcoin (BTC) on the bank’s records
  • The firm’s proprietary trading desk is directly engaging in liquidity pool trading
• What types of crypto assets does your platform support or interact with?

Custodial arrangements

• Do you custody crypto assets on behalf of clients? If yes, do you use a third-party custodian or self-custody?
• Are client and company crypto assets segregated?
• What controls are in place to manage private key security and asset recovery?

Token-specific risks

• Do you support or allow trading of privacy-focused coins (e.g. Monero, Zcash)?
• Do you interact with tokens or protocols under regulatory scrutiny (e.g. those considered potential securities)?
• Do you offer tokens that are thinly traded or have low liquidity?

DeFi and protocol exposure

• Do you interact with decentralized finance (DeFi) protocols? If so, which ones and how?
• Do you offer staking, lending, or yield-generating services tied to DeFi protocols or Decentralized Autonomous Organizations (DAOs)?
• Are users exposed to smart contract risks, or do you intermediate these services directly?

Stablecoins and fiat-linked assets

• Do you support or hold stablecoins? If so, which ones (e.g. USDC, USDT, DAI)?
• What due diligence do you conduct on the issuers of those stablecoins?
• Have any of the stablecoins you use experienced depegging or regulatory pressure?

Operational and business model dependency

• What percentage of your revenue is generated from services directly tied to crypto assets?

Documentation and disclosures

• Can you provide documentation of your crypto holdings, risk policies, and portfolio composition?
• Do you disclose your crypto exposure to regulators, clients, or partners?
• Are crypto exposures included in your financial audits or risk reports?

{{premium-content_chapter-divider}}

<span class="premium-content_chapter">CONSIDERATION 4</span>

What are the crypto assets and products the entity supports?

This question serves as a foundational insight into the scope, risk profile, regulatory exposure, and operational complexity of the VASP's business. 

Because different crypto assets and products carry varying levels of financial, operational, and regulatory risk, it’s important to have a granular understanding of exactly which kinds of digital assets the VASP does business with to best evaluate whether the VASP’s offerings fit within the institution’s risk appetite and internal controls.

Certain tokens are more commonly associated with illicit finance, while others may trigger heightened due diligence. Knowing what assets are supported helps you tailor your transaction monitoring systems and flag high-risk tokens or protocols to mitigate unwanted exposure to money laundering, sanctions evasion, or terror financing. Understanding the VASP’s product range also helps you assess regulatory obligations and exposure, including whether or not the VASP is operating within a compliant framework.

Crypto assets and products discovery checklist

Here’s a checklist of questions to use to ensure the VASP’s supported crypto assets and products are inline with your institution’s needs.

Crypto asset support

• Which crypto assets do you currently support (e.g. BTC, ETH, USDT, MATIC, etc.)?
• How many total assets are available for customers to trade, transfer, or hold?
• What are your top ten supported assets by trading volume and user activity?
• Do you support privacy coins (e.g. Monero, Zcash)? If so, why and under what controls?
• Do you support algorithmic stablecoins or tokens that have experienced recent depegging events?
• How do you assess the legitimacy, security, and compliance risk of each asset before listing it?
• Is there a large token/coin offering?
  
  • A large asset offering could, as an example, look like hundreds of tokens listed with no standards on onboarding new assets
• Do you have an internal or external token listing committee?

Regulatory classification and oversight

• How do you monitor changes in regulatory status of the tokens you support?
• Do you delist tokens that become subject to enforcement actions or regulatory scrutiny? If so, what’s your process?

Product types and functional offerings

• What types of crypto products or services do you offer?
  
  • Spot trading
  • Custody
  • Lending or borrowing
  • Staking or yield generation
  • Tokenized securities
  • Derivatives or leveraged products
  • NFT support
  • Access to DeFi protocols
• Do you offer or facilitate access to decentralized applications or platforms (e.g. DEXs, DAOs)?
• Are any of your products available to retail users? If so, how do you assess product suitability and risk disclosures?

Risk management and monitoring

• Do you conduct risk assessments on all supported tokens and products?
• How often are asset and product risk assessments reviewed or updated?
• Do you monitor trading behavior for manipulation or wash trading involving specific assets?
• Are there enhanced controls for high-risk tokens (e.g. higher transaction thresholds, enhanced KYC)?

Governance and listing controls

• What is your formal asset onboarding and delisting process?
• Do you conduct smart contract audits for tokens and DeFi products offered through your platform?
• Do you rely on third-party data providers for token risk intelligence or ratings?
• Can you share your asset listing policy or framework?

Transparency and disclosures

• Do you publicly disclose the list of supported assets and products?
• Do you provide educational or risk disclosure materials to users for complex products?
• Do you track and report user exposure to specific assets (e.g. for institutional clients)?

{{10-key-considerations-for-entity-due-diligence-trm-kye-2}}

{{premium-content_chapter-divider}}

<span class="premium-content_chapter">CONSIDERATION 5</span>

What is the strength of the VASP’s AML/KYC controls?

This question helps you get to the core of understanding a VASP’s financial crime risk posture, regulatory compliance readiness, and suitability as a partner or counterparty.

Indicators of strong controls could include:

• Robust and tailored fiat and crypto transaction monitoring
• Risk-tiered customer due diligence (CDD) and enhanced due diligence (EDD) onboarding procedures
• Frequent sanctions screening
• Significant compliance staffing

Conversely, indicators of weak controls could include:

• Sanctions screening only at onboarding
• Crypto transaction monitoring tools that don't cover all of the VASP’s listed assets
• No government documentation required for KYC

A VASP with weak or poorly enforced AML and KYC controls may become a conduit for illicit finance like money laundering, terrorist financing, sanctions evasion, or other such fraudulent transactions. If your institution partners with a VASP that fails to identify and mitigate these risks, it could unknowingly facilitate illegal activity, creating legal liability and lasting reputational damage.

Knowing the strength of a VASP’s AML/KYC controls helps you set appropriate onboarding risk tiers, determine ongoing monitoring intensity, and decide whether EDD is required by your institution. Further, strong controls indicate the VASP is aligned with global standards — including FATF Recommendation 15; the Travel Rule; and national AML regulations laid out by regulators like FinCEN, FCA, and MAS — helping to protect your institution from reputational or legal fallout. 

AML/KYC discovery checklist

Here’s a checklist of questions to better understand a VASP’s AML/KYC controls and determine whether they’re compatible with your institution’s standards.

KYC policies and procedures

• Do you have a documented KYC policy? Can you share it?
• At what point in the customer journey do you collect KYC information (e.g. onboarding, before transactions)?
• What customer data do you collect as part of KYC (e.g. full name, address, government ID, selfie, etc.)?
• How do you verify customer identity (e.g. automated KYC provider, manual review)?
• Do you apply KYC to both retail and institutional clients?
• Do you have processes for KYC refresh or periodic re-verification?

Geographic and customer risk assessment

• Do you conduct risk assessments for customers based on geography, transaction patterns, and customer type?
• Do you restrict or prohibit users from high-risk or sanctioned jurisdictions?
• Do you screen for politically exposed persons (PEPs)? If so, how?
• Do you apply EDD for high-risk customers or jurisdictions?

AML transaction monitoring and controls

• Do you have an automated transaction monitoring system in place?
• What types of suspicious activity do you screen for (e.g. structuring, rapid layering, darknet usage)?
• Do you have rules or models that flag high-risk behavior on-chain and off-chain?
• How are alerts triaged and reviewed by your compliance team?
• What blockchain analytics tools or third-party services do you use to monitor crypto transactions?

Compliance with FATF Travel Rule

• Do you comply with the FATF Travel Rule?
• Which Travel Rule solution or protocol do you use (e.g. TRISA, IVMS 101, Notabene)?
• How do you exchange required originator/beneficiary information with other VASPs and institutions?
• Do you reject or quarantine transactions that fail to meet Travel Rule requirements?

Sanctions and watchlist screening

• Do you screen customers and wallet addresses against global sanctions lists (e.g. OFAC, UN, EU)?
• How frequently are your screening databases updated?
• Do you screen all inbound and outbound wallet transactions for potential sanctions exposure?

Compliance governance and staffing

• Do you have a designated Money Laundering Reporting Officer (MLRO) or equivalent?
• How large is your compliance team? What qualifications do they hold?
• Do you conduct ongoing compliance training for staff?
• Do you perform internal audits or third-party reviews of your AML/KYC program?

Recordkeeping and reporting

• How long do you retain KYC documentation and transaction records?
• Do you file Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs)?
• To which regulatory bodies do you report (e.g. FinCEN, FCA, AUSTRAC)?
• Do you maintain audit logs of AML investigations and decisions?

Program effectiveness and metrics

• How many SARs/STRs did you file in the past year?
• What percentage of accounts or transactions trigger alerts?
• Do you measure the false positive rate of your monitoring system?
• Have you ever undergone a regulatory inspection or audit? What were the outcomes?

{{10-key-considerations-for-entity-due-diligence-trm-kye-3}}

{{premium-content_chapter-divider}}

Conclusion: A repeatable due diligence framework

In today’s dynamic regulatory and risk environment, financial institutions must approach relationships with VASPs with diligence and a structured, repeatable evaluation framework. The considerations outlined in this guide — jurisdictional footprint, licensing status, crypto exposure, supported assets and products, and the strength of AML/KYC controls — provide a foundational roadmap for assessing whether a VASP aligns with your institution’s risk tolerance, regulatory obligations, and operational standards.

Each of these areas represents a critical layer of insight into a VASP’s business model and risk profile. Taken together, they enable a holistic understanding of the VASP’s regulatory compliance, governance maturity, and ability to safely engage with your institution and its customers. By consistently applying this framework and adapting it to evolving standards and market conditions, financial institutions can make more confident, informed decisions and build partnerships that are both compliant and resilient.

{{premium-content_chapter-divider}}

About TRM Labs

TRM Labs provides blockchain analytics solutions to help law enforcement and national security agencies, financial institutions, and cryptocurrency businesses detect, investigate, and disrupt crypto-related fraud and financial crime. TRM’s blockchain intelligence platform includes solutions to trace the source and destination of funds, identify illicit activity, build cases, and construct an operating picture of threats. TRM is trusted by leading agencies and businesses worldwide who rely on TRM to enable a safer, more secure crypto ecosystem. TRM is based in San Francisco, CA, and is hiring across engineering, product, sales, and data science. To learn more, visit www.trmlabs.com.