Hong Kong VASP regime — what the new RO regime actually requires
This brief covers what the RO requirement actually demands in practice — not what the circulars say, but what the SFC has scrutinised across our active Hong Kong dossiers.
The RO requirement — what it actually means
Every licensed VATP must appoint a minimum of two Responsible Officers. At least one must be an executive director who actively participates in managing the licensed activity. The second must be genuinely available to step in — a passive appointment is not compliant, and the SFC has become adept at identifying nominees who exist on paper only.
The RO must be fit-and-proper under SFC criteria, an executive director or senior management figure with effective control over the regulated activity, able to demonstrate substantive understanding of the VA products the platform handles, and demonstrably present in Hong Kong for regulatory accountability purposes. The residency point is less rigid than it sounds — “regularly present” has meant demonstrable travel patterns in practice, not domicile. But the SFC has rejected nominees clearly inserted for the application without operational substance.
The RO is not a compliance checkbox. The SFC treats it as the individual personally accountable if the platform fails. Nominating a figurehead is the fastest route to a deficiency notice.GSS Legal internal note — Hong Kong VASP practice
Fitness and properness in practice
The SFC’s assessment goes considerably beyond a criminal background check. Across our active dossiers we have seen the SFC request five-year employment histories verified against public records, written explanations of any gaps or departures from regulated firms, and confirmation from prior regulated employers where the RO held a licence elsewhere. Non-disclosure discovered during review has in at least two cases resulted in full application withdrawal. For platforms whose proposed ROs have DeFi backgrounds — where regulatory history is sparse but the track record may include projects that attracted enforcement attention — disclosure strategy is the most important early decision in the engagement.
The 10–15 month review window
The SFC’s published timeline is 6 months from complete submission. In practice, across our active Hong Kong book, the first RFI arrives between weeks 8 and 14, with subsequent rounds extending the review. Most approvals have taken 10–15 months from initial filing to grant. The principal drivers: RO fit-and-proper queries (typically 3–6 weeks per round, frequently multi-round); AML/CFT programme gaps; custody architecture documentation; and business plan plausibility — the SFC increasingly asks for volume projections tied to existing or pipeline institutional relationships.
Applications that arrive with incomplete RO packages, template-derived AML programmes, or custody architecture that is described but not evidenced run to the 15-month end of the range. Applications that arrive prepared clear faster.
Custody and insurance
The SFC requires VATPs to hold at least 98% of client assets in cold storage. The insurance requirement applies to assets in hot storage: operators must hold adequate cover against loss, theft, or hack for the full value of hot-wallet assets at any time. Qualifying insurance is expensive and market-limited — effectively concentrated among a small number of Lloyd’s syndicates and specialist crypto insurers. We recommend operators secure insurance term sheets at the engagement scoping stage, not post-grant. Third-party custodian arrangements with Hex Trust, BitGo, or Fireblocks-equivalent providers are an increasingly accepted structure.
What operators do now
If you are at the pre-application stage, the three things to address before filing: RO identification and fit-and-proper pack preparation; AML programme drafting against the SFC’s specific VA guidance (not a generic template); and custody architecture commitment — operational or contractually committed, not a plan. One hour with a partner on the Hong Kong VASP regime is available at no retainer — the fastest way to identify where a dossier will attract scrutiny before it is submitted.
Anjouan vs Curaçao — where the offshore iGaming licence market actually settled
The Curaçao LOK reform, effective September 2023, replaced the master-sublicence model with a direct-to-regulator framework under the Curaçao Gaming Authority (CGA). Every operator now requires its own direct CGA licence, issued as a Gaming Service Licence (GSL). The practical impact: cost and timeline for a Curaçao licence increased materially. A CGA licence costs EUR 24,000 in annual fees plus an application fee; the review runs 6–8 weeks for a Temporary Operating Licence, with full GSL conversion taking a further 4–6 weeks. The era of the EUR 5,000 sublicence is over.
What Anjouan actually is
Anjouan is one of the three islands of the Comoros archipelago. It has issued gaming licences since 2005 but remained obscure until Curaçao’s reform prompted operators to look for alternatives. The Anjouan Offshore Finance Authority issues interactive gaming licences with a timeline of 3–5 weeks and total first-year costs around USD 15,000–25,000 all-in. Compliance requirements are lighter than post-LOK Curaçao — an AML policy is required but the depth of review is shallower, and there is no platform certification requirement equivalent to the CGA’s technical standards.
Anjouan is a legitimate, functioning jurisdiction — not a flag-of-convenience scam. The question is not whether it is real. The question is whether its recognition profile matches your operator’s needs.GSS Legal internal note — iGaming practice
Practical differences for operators
Curaçao has been accepted by most Tier-2 and Tier-3 payment processors for a decade, with recognition among affiliate networks, B2B platform suppliers, and white-label clients. Anjouan is newer to market and its recognition profile varies significantly by processor, affiliate, and B2B partner. Operators whose business model depends on specific payment processors or affiliate relationships should verify Anjouan’s acceptance with those partners before committing. For B2C operators targeting markets where the licence is used primarily for regulatory signalling to end-users — rather than institutional banking or processor onboarding — Anjouan works well at lower cost.
Banking and payment processor acceptance
Post-LOK Curaçao licences are accepted by the major iGaming-specialist processors. Anjouan is accepted by a growing but narrower processor set — primarily second-tier processors already onboarding high-risk gaming operators. The gap is narrowing as Anjouan’s market share grows and processors update their approved jurisdiction lists, but it remains a real difference in 2026. EMI banking for both jurisdictions is available through iGaming-specialist EMI providers in Lithuania, Estonia, and the UK.
Which to choose in 2026
For cost-sensitive operators whose payment processor and affiliate requirements can be met with Anjouan’s current acceptance profile: Anjouan is the faster, cheaper path and delivers a genuine licence. For operators whose business plan depends on Tier-2 processor acceptance, established affiliate partnerships, or B2B platform supplier relationships requiring Curaçao specifically: post-LOK Curaçao is the right call. For operators who are genuinely uncertain: the engagement starts with a processor and affiliate verification exercise, not a jurisdiction recommendation. We do not recommend by default.
When tier-1 banks de-risk a regulated VASP — the first 72 hours
Understanding what actually happened
De-risking notices come in several forms: a 30–60 day notice of account closure (formally a business decision, rarely with a stated reason, almost always with a compliance trigger underneath); a payment freeze pending review, which may convert to closure or resolve; or, rarest but most damaging, immediate suspension of outgoing payments. The stated reason is rarely the full picture. “Changes to our risk appetite” typically means a transaction monitoring flag the bank’s compliance team cannot clear, a change in internal policy on virtual asset clients, or correspondent banking pressure from the bank’s upstream USD relationships. Getting the actual reason, in writing, requires asking directly and repeatedly at senior relationship level.
The first 72 hours
Hours 1–4: Get the notice in writing. Call the relationship manager at senior level. The goal: confirmation of the actual trigger and confirmation of the close date and any freeze on outgoing payments. Do not accept verbal assurances that payments will continue processing normally — get that in writing too. Hours 4–24: Map every operational payment flow that depends on this account. Prioritise client fund segregation accounts, operational expense accounts, and LP settlement accounts. Identify the 30-day minimum viable payment infrastructure. Hours 24–72: Open parallel banking conversations with at least three alternative providers simultaneously. Do not wait for the primary bank situation to resolve before starting alternatives — the 30–60 day notice window is shorter than it looks once you account for onboarding timelines.
The operators who handle bank de-risking well are the ones who started secondary banking relationships before they needed them. The ones who struggle are the ones who treated primary-bank continuity as a given.GSS Legal — banking and EMI practice
Running parallel banking effectively
The target is not one replacement bank. The target is two operational banking channels within 60 days — one primary, one warm backup. Single-bank dependency rebuilt at a different institution recreates the same vulnerability. The realistic EMI and banking tier in 2026 includes: Lithuanian and Estonian EMIs (faster onboarding, lower capital minimums, limited correspondent reach); Tier-2 European banks in Switzerland, Liechtenstein, and the Czech Republic (slower onboarding, stronger correspondent relationships); and the Singapore/HK neobank tier for SGD and HKD operational accounts.
Addressing the root cause
Parallel banking buys time. It does not address the reason the primary bank de-risked you. If the trigger was a transaction monitoring flag, that pattern will recur at the replacement bank unless the underlying activity changes or the monitoring framework improves. Post-de-risking is the correct moment to commission an independent AML review — a genuine assessment of the transaction patterns, customer risk classification, and monitoring rules that may have triggered the bank. Operators who do this proactively find the replacement banking conversation significantly easier.
Prevention is cheaper
The full cost of a bank de-risking event — lost float, business disruption, advisory fees, onboarding costs at the replacement provider, and diverted management time — typically runs EUR 150,000–400,000 for a mid-sized operator. The cost of a proactive banking diversification strategy and annual AML health-check is a fraction of that. We run a one-hour banking resilience review for active clients — mapping current exposure, identifying minimum viable payment infrastructure, and prioritising secondary relationship development before a crisis requires it.
MiCA Phase II — what the August 2026 RTS draft changes for CASPs
What Phase II covers
MiCA’s technical standards are issued in phases. Phase I covered classification of crypto-assets and disclosure requirements for ARTs and EMTs. Phase II covers operational requirements for CASP authorisation: capital adequacy, organisational requirements, complaints handling, and business continuity. The August 2026 draft represents the finalised operative text that NCAs across the EU are now applying. For operators holding CASPs granted under the transitional period (national registrations grandfathered into CASP status), Phase II standards apply from the next annual review cycle. Lithuania’s FI has been among the more active NCAs in requiring updates.
Capital adequacy — what changed
The base capital requirement under Phase I was EUR 50,000–150,000 depending on service type. Phase II introduces a variable overlay: the higher of the fixed minimum or a percentage of fixed overhead, calculated annually. For active CASPs with meaningful revenue, the effective capital floor rises as the business grows. The calculation methodology — using the prior year’s fixed overhead — creates a one-year lag that can produce capital requirement spikes for fast-growing operators. Phase II also clarifies that capital must be held in instruments qualifying as Tier 1 under the relevant national capital adequacy framework.
The variable overlay is the change most existing CASP holders have not modelled correctly. A EUR 2M overhead business has a capital floor well above the EUR 150,000 minimum — typically EUR 500K–750K depending on the service category multiplier.GSS Legal — MiCA practice
Complaints handling and operational resilience
Phase II introduces a formal complaints handling framework: a written complaints policy published on the CASP’s website; a dedicated complaints channel for EU-resident clients; a 15 business day acknowledgment requirement; a 35 business day resolution target; and quarterly complaints data reporting to the NCA. Operational resilience requirements have been strengthened materially — CASPs must maintain a tested business continuity plan, a technology and cybersecurity risk framework aligned to DORA, and incident reporting to the NCA within 4 hours of a major operational incident. Several operators who received CASP authorisations before DORA’s crypto coverage was clarified are now retrofitting their ICT risk frameworks.
Travel Rule alignment
Phase II confirms MiCA’s Travel Rule requirements align with the FATF standard: CASPs must collect and transmit originator and beneficiary information for all transfers above EUR 1,000. For CASP-to-CASP transfers, transmission must be machine-readable and automated — manual workarounds used during the transitional period are no longer compliant. For transfers to unhosted wallets above EUR 1,000, operators must apply risk-based measures and obtain originator self-certification.
Impact on existing CASP holders
For CASPs authorised under the transitional period, NCA review cycles are the trigger for Phase II compliance assessments. Lithuania’s FI has notified holders that Phase II compliance will be assessed at the first annual review after the August 2026 effective date. The compliance gap is typically concentrated in three areas: variable capital recalculation, DORA-aligned ICT risk framework, and complaints handling infrastructure. For operators currently in the application pipeline, NCAs have indicated they will not accept Phase I dossiers for applications filed after September 2026.
What operators do now
Three immediate actions for existing CASP holders: recalculate your capital floor using the Phase II variable overlay against your most recent annual accounts; commission a gap assessment of your ICT risk framework against DORA Article 6 requirements; and document your complaints handling procedure and publish it before your next NCA review. For operators in the pipeline, confirm that the dossier being prepared reflects Phase II standards — not the Phase I templates in wide circulation through mid-2026.
Mauritius FSC vs Labuan FSA — the principal-risk broker decision in 2026
The FATF delisting and what changed
Mauritius’s grey-listing in March 2020 materially damaged its standing with Tier-2 banks and prime brokers. Correspondent relationships were suspended; LP due-diligence for Mauritius-licensed brokers became significantly more difficult. Labuan absorbed a meaningful share of the principal-risk broker market during this period. Post-delisting, Mauritius has been active in rehabilitating its institutional standing — tightening licensing requirements, investing in supervisory capacity, and engaging proactively with prime brokers and correspondent banks. By mid-2025, most Tier-2 LP relationships had resumed accepting Mauritius FSC-licensed operators, and several Tier-1 universal banks have reactivated Mauritius on their approved jurisdiction lists.
Mauritius in 2026
The Mauritius FSC issues Investment Dealer licences (full service and broker categories). First-year total cost for an Investment Dealer (full service): approximately USD 40,000–60,000 all-in. Timeline: 4–6 months. Capital requirement: USD 200,000. Key advantages: strong double-tax treaty network including India (material for brokers with Indian client flows), recovering institutional recognition, and OECD-compliant substance requirements built in since the grey-listing reforms. Key limitation: the recovery in LP and bank acceptance, while real, is not yet uniform — some Tier-1 prime brokers and correspondent banks have not fully re-cleared Mauritius, and due-diligence burden per relationship remains higher than for Labuan.
Labuan in 2026
The Labuan FSA Money Broking licence covers spot FX and currency exchange; the Labuan Investment Bank licence covers CFDs and multi-asset products. First-year total cost: approximately USD 45,000–65,000. Timeline: 4–6 months. Capital requirement: MYR 300,000 (approximately USD 65,000). Corporate tax rate: 3% on net profit from Labuan business activity. Key advantages: never grey-listed, stable LP and processor acceptance, access to Malaysia’s 70+ DTT network, and IBFC status that provides institutional recognition beyond pure offshore jurisdictions. Key limitation: no formal passporting regime, and the Labuan brand is less recognised by institutional clients in Europe and the Gulf than EU or UAE-regulated equivalents.
The Mauritius grey-listing era created a cohort of Labuan-licensed brokers who might have chosen Mauritius otherwise. Some are now considering adding Mauritius as a second jurisdiction for specific market access rather than replacing Labuan. That is often the right answer.GSS Legal — FX and forex practice
The practical differences
Tax: Labuan’s 3% rate on Labuan-source business income is the key differentiator for profitable brokers. Mauritius’s standard rate is 15%, with a partial exemption regime for Global Business Companies — but the 3% certainty of Labuan is simpler to model. India access: if Indian client flows or LP relationships are material, Mauritius’s DTT with India provides advantages Labuan does not. Substance requirements: both jurisdictions now require genuine substance. Neither is a brass-plate jurisdiction any longer.
Banking and LP access
For Tier-2 LP relationships and major iGaming-adjacent payment processors, both jurisdictions are broadly accepted. For Tier-1 prime brokerage, Labuan has the more consistent acceptance profile. For Indian and South Asian correspondent banking, Mauritius has advantages. For operators whose primary LP relationships are European — accessing LMAX, CMC Connect, or similar — neither has a material advantage; the due-diligence process is comparable for both.
Making the decision
The decision is not “which is better” — it is “which fits your specific LP relationships, client geography, tax model, and institutional banking requirements.” Our engagement starts with a jurisdiction selection memo that maps those criteria against both options, identifies any specific processor or LP relationships that constrain the choice, and gives a clear recommendation. We do not default to one jurisdiction based on volume.
Lithuanian EMI year-one — what the Bank of Lithuania actually scrutinises in supervision
The first year of EMI supervision
The Bank of Lithuania’s supervisory approach for newly licensed EMIs involves an initial on-site inspection within 6–12 months of licence grant. The inspection is structured around three areas: AML/CFT programme implementation, capital adequacy and client funds safeguarding, and governance and outsourcing arrangements. The BoL’s inspectors are technically proficient and have reviewed enough EMI operations to immediately distinguish between programmes that have been genuinely implemented and those that exist as documents but have not translated into operational practice.
The majority of findings from first-year inspections fall into two categories: alert-triage backlog management (the EMI is generating more alerts than its compliance team can clear within policy timelines), and documentation gaps in customer risk re-rating (the EMI has not re-assessed customer risk profiles against the criteria it committed to in its risk methodology). Both are addressable. Neither is treated as a critical finding on first occurrence, provided the EMI can demonstrate a credible remediation plan within 30 days of the inspection report.
AML programme scrutiny
Inspectors review AML programme implementation in detail: the customer risk methodology as written vs. as applied; the alert-triage process (timeline from alert generation to case closure, and whether that is within the policy commitment); the STR/CTR filing record (are filings being made within the required 3 business day window with narratives that reflect genuine analysis?); and the transaction monitoring rule set (have rules been calibrated against actual transaction patterns, or are they generic templates generating excessive false positives?).
The BoL has been particularly focused on customer risk re-rating — the process by which customers move from low to medium to high risk as their transaction patterns evolve. EMIs that conduct initial KYC rigorously but then do not re-assess customer risk profiles at defined intervals are consistently flagged. The policy commitment is typically “annual review for low-risk customers, quarterly for high-risk” — inspectors check whether those reviews are happening and documented.
The BoL inspectors know exactly what a genuine AML programme looks like and what a template looks like. The programmes that pass inspection are the ones where the compliance team can answer specific questions about specific customers and transactions — not just point to a policy document.GSS Legal — EMI and compliance practice
Capital adequacy and client funds safeguarding
Lithuania’s EMI capital requirement is the higher of EUR 350,000 or a method-based calculation using payment volume. What inspectors examine is not just whether the capital exists, but whether it is held in qualifying instruments and whether quarterly capital adequacy reports filed with the BoL reflect the actual calculation correctly. Client funds safeguarding — holding customer funds in a safeguarded bank account or invested in secure liquid assets — is an area of frequent findings. The common failures: commingling of operational and safeguarded funds; safeguarding account held at a bank whose credit quality does not meet BoL expectations; and safeguarding coverage gaps during intraday settlement windows.
Outsourcing and governance
Almost every EMI outsources significant operational functions — technology, compliance, MLRO support, sometimes customer service. The BoL’s outsourcing requirements under PSD2 and the EBA Guidelines require material outsourcing arrangements to be documented in written agreements including the right to audit, and subject to a formal vendor risk assessment. The inspection looks at whether the outsourcing register is current, whether vendor risk assessments have been conducted in the prior 12 months, and whether right-to-audit provisions have been exercised or are credibly exercisable.
Regulatory reporting
Lithuanian EMIs must file: quarterly capital adequacy reports, quarterly payment statistics, annual accounts, and ad hoc notifications for significant events. Late or inaccurate filings are a consistent source of minor findings. The most common failure is the quarterly payment statistics report, which requires more granular data than most EMIs’ reporting systems produce natively — typically either late or inaccurate in year one as the reporting infrastructure catches up.
Patterns across 24 engagements
Across our 24 EMI engagements through first-year supervision, the average finding count at first inspection is 3.2, with zero critical findings. The consistently recurring medium-severity findings: alert-triage backlog (16 of 24 engagements), documentation gaps in customer risk re-rating (14 of 24), and outsourcing register gaps (9 of 24). The consistently clean areas: capital adequacy calculation (2 of 24 had findings), ownership and governance structure (1 of 24), and STR/CTR filing timeliness (3 of 24). The pattern suggests where to invest pre-inspection preparation: alert management infrastructure and customer risk re-rating discipline are the two highest-return areas.
Travel Rule implementation across SEA — six months in
State of play across the region
The FATF Travel Rule — requiring VASPs to collect and transmit originator and beneficiary information for virtual asset transfers above threshold — is now live in the two major Asian financial centres. For VASPs with multi-jurisdictional operations across Southeast Asia, the practical challenge is managing different implementation timelines, threshold amounts, and technical standards simultaneously. There is no single “SEA Travel Rule” — each jurisdiction has its own rule, threshold, and technical requirements for data transmission.
Singapore: live and enforced
MAS implemented the Travel Rule as part of its 2024 Payment Services Act amendments. The threshold is SGD 1,500. The requirement applies to all transfers — VASP-to-VASP and VASP-to-unhosted wallet above threshold. For VASP-to-VASP transfers, transmission must be automated and machine-readable; MAS expects use of a TRISA-compatible solution (Notabene, Sygna, TRP) rather than manual processes. MAS has been examining implementation in practice — the first supervision cycle has flagged several operators whose “risk-based measures” for unhosted wallet transfers were insufficiently documented and whose self-certification processes were not being consistently applied.
Hong Kong: live for licensed VATPs
The SFC’s Travel Rule requirements apply to licensed VATPs with an HKD 8,000 threshold. For VATPs on the AMLD system, major TRISA-compatible solutions are integrated; for smaller operators, manual compliance processes remain in use but are attracting increasing SFC scrutiny. The SFC has indicated in supervisory guidance that it considers manual Travel Rule processes insufficient for VATPs with material transaction volumes — without specifying what “material” means, causing uncertainty.
Malaysia: phased rollout
Bank Negara Malaysia and the Securities Commission have implemented the Travel Rule in phases. Phase 1 (effective January 2025): Travel Rule applies to transfers between licensed DAX operators above MYR 3,000. Phase 2 (expected June 2026): Travel Rule extends to cover transfers from licensed DAX to unhosted wallets above threshold. As of the date of this brief, Phase 2 implementation guidance has not been finalised — DAX operators should prepare for the unhosted wallet requirement without a confirmed technical standard.
A VASP with operations in Singapore, Hong Kong, and Malaysia is managing three different Travel Rule standards simultaneously — different thresholds, different technical requirements, and different enforcement postures.GSS Legal — AML and compliance practice
Thailand, Philippines, Vietnam
Thailand’s SEC has committed to Travel Rule implementation as part of its broader VASP regulatory framework, expected Q3 2026. The Philippines’ SEC and BSP have indicated Travel Rule requirements will follow the FATF standard, expected as part of the VASP regulatory framework update in 2026. Vietnam has not published a Travel Rule timeline — the Ministry of Finance’s VASP framework consultations, ongoing since 2024, do not yet include specific Travel Rule provisions.
What compliance actually requires
For VASPs with operations across multiple SEA jurisdictions, the minimum viable Travel Rule compliance stack in 2026 involves: a TRISA-compatible solution handling Singapore and Hong Kong’s automated transmission requirements; a documented risk-based framework for unhosted wallet transfers with self-certification processes meeting MAS’s documented-evidence standard; transaction monitoring rules flagging transfers at or near threshold amounts in each relevant jurisdiction; and a compliance matrix mapping each jurisdiction’s requirements, updated as Malaysia’s Phase 2 and Thailand’s implementation develop. The operational overhead of manual Travel Rule compliance at scale is now material enough that most operators above USD 50M in monthly transaction volume are better served by one of the automated solutions, even accounting for integration costs.
PAGCOR after the POGO sunset — what the IGL pathway looks like
The POGO sunset and what it means
POGOs were Chinese-facing online gaming operations based in the Philippines, leveraging PAGCOR offshore gaming licences to serve players outside Philippine jurisdiction. The ban applies specifically to offshore gaming operations whose primary market is outside the Philippines. Onshore and domestic gaming operations under PAGCOR are unaffected. The IGL framework is not a POGO rebrand. It is a substantially different licensing structure with different compliance requirements, different ownership restrictions, and materially more rigorous due diligence. Operators who held POGO licences and are evaluating the IGL should not approach it as a continuity exercise.
The IGL framework
The Integrated Gaming Licence replaces the POGO, the Special Economic Zone gaming licence, and several other PAGCOR licence categories with a single unified framework. The IGL permits both online and land-based gaming operations, with separate conditions for each channel. PAGCOR retains direct licensing authority — no master-sublicence structure. All IGL holders are subject to direct PAGCOR supervision, with AML and KYC requirements explicitly aligned to AMLC standards and mandatory beneficial ownership disclosure to ultimate beneficial owners. The IGL is an onshore Philippine licence, requiring a Philippine corporation or a licensed foreign branch. 100% foreign ownership is permitted for IGL holders in most gaming categories.
Practical requirements
The IGL application requires: incorporation of a Philippine entity or branch registration; minimum paid-up capital of PHP 1 billion (approximately USD 17.5 million) for online gaming category; a compliance officer resident in the Philippines; a fully documented AML programme meeting AMLC standards; technical platform certification; and evidence of financial capacity including audited accounts and a 3-year financial projection. The PHP 1 billion capital requirement is the most significant barrier for smaller operators — it represents a genuine financial commitment, not a nominal threshold.
The IGL is not a POGO with better branding. The capital requirements, the onshore structure, and the AML scrutiny represent a genuine step-change in the compliance commitment PAGCOR expects.GSS Legal — iGaming practice
Timeline and cost
From engagement to IGL grant: 6–12 months based on applications observed through the first cycle. The first-year total investment — licence fees, Philippine incorporation, capital deposit, compliance infrastructure setup, and professional fees — runs approximately USD 2.5–4 million for online gaming category operators. This is a licence for operators with established online gaming operations who need a legitimate Philippine presence for market access, institutional banking, or regulatory credibility with platform partners — not for cost-sensitive operators.
Who the IGL suits
The IGL is appropriate for: established online gaming operators with the capital and operational capacity to meet onshore requirements; operators with genuine Southeast Asian player markets who need a Philippine domestic licence for payment processing and banking access; and B2B platform suppliers requiring a Philippine regulatory vehicle to satisfy their B2C operator clients. It is not appropriate for operators seeking an offshore licence for low-cost regulatory signalling.
What operators do next
If you held a POGO licence and are evaluating the IGL: the first step is a clean-break assessment — reviewing whether the POGO entity’s compliance history and ownership structure is compatible with the IGL’s disclosure requirements. Several former POGO operators have concluded that incorporating a new Philippine entity with a clean compliance history is safer than applying through the legacy structure. We run IGL scoping calls at no retainer — 45 minutes to assess whether the IGL is the right vehicle for your specific situation and what the pathway looks like.
UAE VARA Category 4 — when the licence cost is the easy part
VARA categories and what Category 4 covers
VARA issues virtual asset service licences across seven service categories. Category 4 (VA Exchange) authorises spot exchange of virtual assets, OTC desk operations, order-book exchange operations, and brokerage — effectively the full-service exchange model. It is the category sought by established centralised exchanges wanting a Dubai institutional presence, OTC desks expanding from other MENA jurisdictions, and trading platform operators seeking VARA authorisation for Gulf institutional client onboarding. Categories 2 (Broker-Dealer) and 3 (Custody) are often required alongside Category 4 for operators whose model includes discretionary trading or custody services.
The cost picture — licence fees vs. total first-year investment
VARA’s published Category 4 licence fee is AED 200,000 (approximately USD 54,500) per year. This is the number that appears in most jurisdiction comparison tables. It is not the relevant cost figure for planning purposes. The total first-year investment runs USD 500,000–1.2 million depending on the exchange model and custody approach. The major components beyond the licence fee: DIFC or mainland Dubai entity incorporation and freezone registration (AED 50,000–150,000 depending on structure); physical office establishment and lease (AED 180,000–400,000 annually in DIFC or DMCC); compliance officer hire or secondment (AED 360,000–600,000 annually for a qualified Chief Compliance Officer); AML programme development and technology (USD 80,000–150,000); and custody infrastructure — where the real variance sits.
VARA Category 4 applicants consistently underestimate two things: the custody insurance premium, and the time required to find a compliant custodian. Budget for both from day one, not from grant date.GSS Legal — VARA practice
Substance requirements
VARA requires genuine operational substance in Dubai: a physical office (DIFC, DMCC, or mainland — VARA accepts all three, with DIFC being the most institutionally recognised), minimum two senior management personnel resident in Dubai, a UAE-resident Chief Compliance Officer, and a Board with at least one UAE-resident or UAE-experienced director. VARA’s inspectors conduct site visits during the review process and have found and acted upon situations where the “Dubai office” existed on paper only. The compliance officer hire is typically the critical path item — the market for qualified CCOs with both VARA and crypto exchange experience is limited, and hiring timelines often exceed 90 days.
Custody architecture and insurance
VARA’s custody requirements for Category 4 are stringent: client virtual assets must be held in cold storage, segregated from operator assets, with daily reconciliation. The insurance requirement for hot wallet assets is the cost item that most surprises applicants. VARA does not prescribe a minimum insurance amount, but its guidance indicates that hot-wallet insurance coverage should reflect the actual value of assets held intraday. For a mid-sized exchange with USD 50–100M in daily hot-wallet volume, qualifying insurance premiums run USD 200,000–600,000 annually. The market for qualifying VA custody insurance in the UAE is concentrated among a handful of Lloyd’s syndicates and two or three specialist crypto insurers active in MENA. Lead times for insurance placement are 8–12 weeks from initial broker engagement.
Banking and settlement infrastructure
VARA Category 4 licence holders need AED, USD, and ideally EUR settlement infrastructure. The practical banking options in 2026: Emirates NBD, Mashreq, and RAKBANK have active crypto-business onboarding programmes for VARA-licensed entities; Tier-1 international banks (Standard Chartered UAE, HSBC UAE) are accessible for operators with institutional-grade substance and operational history. The banking onboarding process for a new VARA licensee typically runs 8–16 weeks from initial application. Running the banking application in parallel with the VARA review — rather than sequentially after grant — is essential for achieving operational commencement within a reasonable period post-grant.
Timeline in practice
VARA’s published review timeline for Category 4 is 3–9 months. In practice, across our active VARA mandates, the range is 5–12 months from complete application submission to grant. The primary determinants of review duration: completeness of the initial dossier (applications with gaps in the AML programme or custody architecture attract RFIs that extend the review by 2–4 months); compliance officer appointment timing (VARA has asked about CCO candidates during review, and operators who have not yet hired create delays); and business plan credibility (VARA reviews financial projections for plausibility).
Who Category 4 suits
Category 4 is appropriate for: established exchange operators seeking a Tier-1 MENA presence to access Gulf institutional clients and UAE-based family office capital; OTC desks with existing MENA business who need regulatory authorisation to continue operating; and operators who have received institutional LP or banking inquiries requiring VARA authorisation as a condition. It is not appropriate for early-stage exchanges that have not yet achieved operating scale — the total first-year investment and ongoing compliance costs are calibrated for operations that can support them. The engagement starts with a 45-minute scoping call to assess whether Category 4 fits the operator’s actual model, capital position, and timeline — before any commitment to the application process.