Upgrading a VASP license to CASP: a step-by-step guide for business owners

Following the launch of MiCA, the old VASP model in the EU is gradually losing its former practical value. It is no longer simply a matter of registering a crypto company in a national register. To work with European clients, a business needs CASP status, and with it – a managed structure, clear AML controls, a financial model, safeguarding of client assets and readiness for regulatory scrutiny.

For companies that operated via Poland, the issue has become particularly sensitive. In the past, a VASP license was often seen as a quick way to legalise crypto services and start operations. Now, a crypto license in Poland requires a different approach: the regulator looks at the actual business model, the team, outsourcing, sources of funds, customer verification procedures, and the company’s ability to comply with MiCA requirements.

The transition from a VASP license to a CASP license rarely involves a mere formal update of documents. It is usually a separate project for the owner: involving an audit of the current structure, choosing the jurisdiction for the application, preparing internal policies, calculating the budget and communicating with the supervisory authority. The sooner a company identifies its weaknesses, the lower the risk of wasting time on revisions after the application has already been submitted.

Why VASP registration no longer meets the needs of the crypto industry

Previously, licenses in Poland for the crypto sector were primarily based on AML/CFT registration. A company would confirm its basic structure, undergo a review, and be permitted to provide the declared services under the national regime. For some projects, this model worked for years.

MiCA changes the very nature of the scrutiny. CASP authorisation covers more than just AML. The regulator assesses governance, the fit and proper status of senior management, internal controls, safeguarding, IT risks, outsourcing and financial stability. If a company holds client assets, conducts exchanges, transmits orders or manages wallets, each service must be described separately and supported by operational procedures.

For businesses with Polish VASP registration, the old status no longer appears to be the end of the road if the company plans to continue working with EU clients after the transition period. The old status may be part of the company’s history, but the new model must comply with the CASP conditions under MiCA.

Gap analysis prior to migrating to CASP

The first phase of the process is a gap analysis. This assesses the extent to which the current structure is ready for CASP and identifies areas where the regulator may raise questions. The review goes beyond simply checking the documentation; it compares the declared model, actual processes and MiCA criteria.

The gap analysis covers several areas:

• a list of crypto services and the actual operating model;
• AML/KYC, sanctions screening and transaction monitoring;
• safeguarding of client funds and crypto assets;
• governance, the roles of directors, the MLRO and the compliance officer;
• outsourcing of critical functions;
• IT security, data storage and incident management;
• the financial model, capital and expenditure plan.

This is precisely where discrepancies often arise. For example, an AML policy is in place, but transaction monitoring is carried out manually. Or custody is entirely reliant on an external provider, whilst oversight by the management team is described only superficially. It is better to rectify such issues before submission, rather than during correspondence with the regulator.

CASP in Poland or another EU jurisdiction: how to choose the right route

For companies with a Polish structure, the transition to CASP requires a separate assessment: it is necessary to review the company’s substance, compliance team, banking relationships and readiness for MiCA supervision. Furthermore, applying for CASP requires an assessment not only of the country but also of the future operating model. The owner needs to understand where the company will be able to demonstrate substance, maintain a compliance team, work with banks and undergo further supervision.

Sometimes a Polish company remains the operational hub, whilst CASP authorisation is obtained in another EU country, with subsequent access to the Polish market via passporting. A mistake at this stage can affect timelines, support costs and access to the payment infrastructure.

Please leave your contact details. One of our specialists will contact you within 30 minutes to discuss your enquiry.

Alla Sales Department Manager

Book a consultation! 

Book a consultation on CASP

Internal policies, governance and AML compliance at CASP

Once the route has been selected, work begins on preparing the compliance framework. The regulator requires documentation relating to the company’s day-to-day operations: clients, wallets, service providers, teams, cash flows and internal decision-making processes.

The basic package includes an AML/KYC policy, sanctions policy, risk management framework, outsourcing policy, safeguarding policy, complaints procedure, ICT security policy, business continuity plan and internal control rules. For custody, exchange, transfer or execution of orders, separate procedures specific to the service are added.

CASP’s AML compliance requires the involvement of more than just a lawyer. Data is needed from the operations team, the CTO, the MLRO and KYC/transaction monitoring providers. The application must demonstrate how the client undergoes onboarding, how a risk score is assigned, who processes alerts, how decisions on suspicious activity are recorded and where records are stored.

The governance section is assessed separately. Directors, owners, the MLRO, the compliance officer and other key individuals must undergo a fit-and-proper assessment. Nominal management does not work here: the regulator looks at who actually makes decisions and controls risks.

Business plan, safeguarding and financial model

A CASP crypto business plan is not prepared as a presentation for investors. It is a document for the regulator, setting out the services, markets, customer segments, revenue model, expenses, team, IT architecture and development plan. The financial model must demonstrate that the company will meet the CASP MiCA requirements and will be able to maintain its licence once it has been granted.

It is best not to leave safeguarding until the final stage. The company must describe how client and corporate assets are segregated, who has access to wallets, what limits apply within the system, how transactions are recorded, and what happens in the event of a failure, incident or change of provider.

A common mistake is to consider only the cost of the application. In reality, the budget includes the compliance team, the audit, technical providers, legal support, local substance, reporting and subsequent policy updates.

Submitting an application and liaising with the regulator

Once the documents have been gathered, an application file is compiled: a description of services, programme of activities, governance, AML section, safeguarding, policies, business plan, financial model, and details of management and key service providers. The package must read as a coherent whole. If there are discrepancies in roles, services or operational processes across different documents, the regulator will quickly spot this.

Communication after submission is also important. Responses to queries must be precise: a reference to the document, a brief explanation, supporting material, and a deadline for rectification. Long, general formulations here only prolong the review process.

Get a turnkey CASP Poland implementation

Intelligent Solution Group provides online support to crypto companies throughout every stage of the transition from VASP to CASP: from the initial gap analysis to document preparation and communication with the regulator. The team helps you choose the jurisdiction for your application, compile internal policies, and prepare the AML framework, business plan, financial model and roadmap tailored to your specific business structure.

If you are already operating as a VASP or plan to apply for a crypto license under MiCA, please contact us. We will analyse your model, identify any weaknesses and propose a clear path to transitioning to a CASP license within the EU.