VASP licence in Czech republic ARROWS attorneys advice

The era when it was possible to operate a cryptocurrency exchange or wallet in the Czech Republic with minimal regulation is definitely over. Previously, all you had to do was register a free trade license No. 81, "Provision of services related to virtual assets," and you could start. This approach, which some called "punk," enabled the rapid growth of many projects, but at the same time brought considerable legal uncertainty. Today, the situation is completely different. In line with European trends, the Czech Republic has introduced a strict regulatory framework aimed at protecting consumers, ensuring market stability, and preventing the misuse of crypto assets for illegal activities.

Author of the article: ARROWS (JUDr. Jakub Dohnal, Ph.D., LL.M., office@arws.cz, +420 245 007 740)

To find your way around the new environment, it is essential to understand a few basic terms and actors that will shape your business.

• VASP (Virtual Asset Service Provider): According to the Czech Anti-Money Laundering Act (Act No. 253/2008 Coll., hereinafter referred to as the "AML Act"), a VASP, or virtual asset service provider, is a person who, in the course of their business, purchases, sells, stores, manages, or mediates transactions with virtual assets for third parties. This term has been the cornerstone of regulation to date.
• MiCA (Markets in Crypto-Assets Regulation): This European regulation represents a real revolution in regulation. Its aim is to harmonize rules for crypto assets across the European Union, increase investor protection, and strengthen financial stability. MiCA introduces a new, more strictly regulated category of service providers – CASPs.
• CASP (Crypto-Asset Service Provider): This is a new, pan-European definition of a crypto-asset service provider under MiCA. In practice, this means that most existing VASPs whose services fall under MiCA must become licensed CASPs. Although the terms VASP and CASP are often confused, CASP refers to an entity subject to harmonized and much stricter European regulation.

With the new regulation come key regulators who will become your new business partners. It is essential to communicate with them professionally and in accordance with the law.

• Financial Analytical Office (FAÚ): This is the main supervisory authority in the fight against money laundering (AML) and terrorist financing (CFT) in the Czech Republic. The FAÚ conducts inspections, imposes significant fines, and now also grants a specific type of license for services that do not fall under MiCA. It is crucial to note that all communication with the FAÚ must be in Czech.
• Czech National Bank (ČNB): It is becoming the central player responsible for licensing and supervising crypto-asset service providers (CASP) under MiCA. The involvement of the ČNB clearly signals that cryptocurrency businesses are now viewed as fully-fledged financial institutions.

The most significant change brought about by the new legislation is not just a set of new rules, but a fundamental reclassification of your business. The amendment to the AML Act moves virtual asset service providers into the category of financial institutions [section 1 (1)(b)(15) of the AML act]. This is not just a legal formality, but a paradigm shift. It means that you must abandon the mindset of a simple sole trader and adopt robust internal processes, risk management, and a compliance culture comparable to that of traditional banks. The operational complexity and costs of running a crypto business in the Czech Republic have thus increased dramatically, even though the actual cost of setting up a company remains relatively low.

This also marks the end of the era of regulatory arbitrage, when entrepreneurs chose the Czech Republic for its more lenient rules. The MiCA regulation is directly applicable throughout the EU, which means that the basic requirements for a CASP license (capital, governance, consumer protection) are now essentially the same in Prague, Berlin, and Paris.

The Czech Republic's attractiveness is thus shifting: it is no longer about being an "easy" jurisdiction, but about being a respected, stable, and fully compatible European center with a developed technological ecosystem.

The path to authorization: Two paths, one goal – legal operation

Your business model now directly determines which path you need to take in order to become legally authorised. The first and most important step is therefore to carefully analyze your services and classify them according to the new legislation. There are basically two main routes.

Route A: Authorisation from the FAU (for non-MIACA services)

This route is for a specific, narrower group of businesses.

• Who needs a permit? Primarily providers of services related to unique and non-representable tokens (NFTs), as these are generally exempt from the scope of MiCA. It also applies to services related to other virtual assets that do not fall under the MiCA definition of cryptoassets or other financial regulation.
• Key requirements:
  1. Reliability: you, those in your governing body and your beneficial owners must have a clean record of property and economic crimes. You must also have no record of serious tax or AML violations in the last 3 years.
  2. Debt-free: As an applicant, you must not have any recorded arrears with the Inland Revenue, Customs, health insurance companies or the Social Security Administration.
  3. Depositing a security: You must deposit a security of CZK 250 000 in a special FAU account no later than the date of application. This is a critical condition - if the deposit is not credited to the FAÚ account on time, the authority will terminate the procedure without further delay.
• The application itself is a complex document, the format and structure of which is precisely defined by Decree No 33/2025 Coll. It must include a detailed business plan, a description of the technological and organisational measures and, above all, a complete and tailor-made System of Internal Policies (SIP).

Contact our experts:

JUDr. Jakub Dohnal, Ph.D., LL.M.

associate, managing partner

• dohnal@arws.cz

Mgr. Marek Hučík

associate, partner

• hucik@arws.cz

Route B: CASP licence from the CNB (according to MiCA)

This route is for the vast majority of crypto service providers and constitutes a full-fledged financial license.

• Who needs a license? Anyone who provides services as defined in the MiCA regulation. These include, for example, custody of cryptoassets (custody), operating a trading platform (exchange), exchanging cryptoassets for fiat currencies, executing client orders, and more.
• Key requirements: the requirements here are significantly higher and reflect the status of the financial institution:
  1. Capital requirements: contrary to the myth of "starting a business for a crown", you must have real capital. The amount depends on the type of services provided and ranges from €50,000 to €150,000.
  2. Governance: The management of the company must demonstrate a good reputation and relevant experience. Robust internal control mechanisms, a risk management system and business continuity plans are essential.
  3. Consumer protection: MiCA places great emphasis on client protection. This includes strict rules for separating client assets from the firm's assets (asset segregation), transparent marketing messages and effective complaint handling procedures.

The biggest reward for the demanding process of obtaining a CASP licence is the so-called European passport. Once the CNB grants you a license in the Czech Republic, you can provide your services across all 27 EU member states without having to apply for another license in each country. This opens up a huge market of almost 450 million potential customers.

There is a key transition period for existing providers who were operating under a trade licence before 30 December 2024. They must submit an application for a new licence (to the FAU or the CNB) by 31 July 2025 at the latest. If they meet this deadline, they can continue to operate until the final decision of the authorities. Missing this date means an obligation to cease operations immediately.

ARROWS in practice: Our lawyers at ARROWS can help you with a key initial analysis of your business model and determine which licensing route is not only mandatory but also the most strategically advantageous for you. We will then provide you with complete documentation preparation, whether for an application to the FAU or for a complex licensing procedure with the CNB, protecting you from formal errors that can lead to rejection of your application.

The choice between an FAU licence and a CASP licence from the CNB is not just a matter of compliance, but a major strategic decision. You ask yourself: Do I want to be a specialized player in the Czech NFT market or am I building a pan-European platform? The FAU license is cheaper and administratively simpler, but limits you to the Czech market and a narrow segment of services. The CASP license is many times more expensive and challenging, but unlocks the entire EU market for you. ARROWS' legal opinions provide you with a solid foundation for this key decision that will affect your financing, marketing and overall corporate strategy.

AML law - The backbone of your compliance that you must not underestimate

Whether you go down the route of an authorisation from the FAU or a licence from the CNB, both paths are based on a common foundation: flawless compliance with your obligations under Act No. 253/2008 Coll. on Certain Measures against the Laundering of the Proceeds of Crime and the Financing of Terrorism (AML Act). As a provider of services with virtual assets, you are automatically a so-called obliged person under Section 2 of this Act. This role is not optional and brings with it a number of key obligations that form the backbone of your corporate compliance.

Know Your Customer (KYC)

Knowing who you do business with is the cornerstone. You need to identify every client with whom you enter into a business relationship or if the value of a single transaction exceeds €1,000. Identification involves establishing and verifying basic details such as name, birth number or date of birth, address and ID number and type. The law allows for several ways to carry out identification: traditional face-to-face, remotely using a bank identity (BankID) or indirectly via a notary or CzechPOINT.

Customer Due Diligence (CDD)

Identification is just the beginning. Customer due diligence goes much deeper. It means you need to understand the purpose and nature of the business relationship, identify the source of your client's funds and, most importantly, identify the Ultimate Beneficial Owner (UBO) if the client is a legal entity. The check also includes verifying that the client or its beneficial owner is not a politically exposed person (PEP) or a person on international sanctions lists.

Suspicious transaction reports (STRs)

If in the course of your business you come across any transaction that appears suspicious to you, you have a legal obligation to report it to the Financial Analysis Authority without undue delay. Red flags may include, for example, a transaction that is not consistent with normal client behaviour, has an unusually complex structure with no apparent economic rationale, or has links to high-risk countries. There is an electronic reporting form on the FAU website.

Core document: Internal Policy System (IPS)

All of the above procedures must be detailed in your Internal Policy System (IPS). This document is your "AML bible" - an internal manual that defines exactly how your company identifies and screens clients, assesses risk, trains employees, and handles suspicious trade detection.

We strongly caution against using generic, downloaded templates. The FAA and the CNB will immediately know upon inspection whether the GTC is merely a formal document or whether it is truly tailored to the risks of your particular business. A quality GTC is not only a necessity for licensing, but also a reflection of your company culture and respectability. A poorly drafted GMS can jeopardize the entire licensing process. Additionally, as a VASP/CASP, you are now required to submit your GMS for review by the FAA (or the CNB).

ARROWS in practice: creating a robust SOP is one of the most critical and most often underestimated responsibilities. Our experts at ARROWS will create customized internal guidelines for you that will not only pass the rigorous scrutiny of the FAU and CNB, but will also be a practical and functional tool for your team. We also provide training for employees, including certification, so that everyone understands their responsibilities and can follow these policies in practice.

Risks and draconian penalties: Real stories and how to avoid them

The transition from rules to real consequences is often shocking. The FSA actively monitors AML compliance and does not hesitate to impose hefty fines that can be devastating for many firms. These are not theoretical threats, but documented cases from practice. Publicly available FAA decisions show that service providers with virtual assets are under scrutiny.

An analysis of the fines imposed shows that the FAA is focusing on breaches of basic obligations. These are not formalities, but failures in key areas of AML prevention. The most common violations include:

• Failure to comply with information obligations to the FAA: Companies have been fined hundreds of thousands of crowns (e.g. CZK 600,000) for failing to provide the required information when requested by the authority.
• Failure to identify and control the client: fines were also issued for failing to properly verify with whom the firm was doing business.
• Failure to report suspicious trading: This is considered one of the most serious offences as it directly feeds into criminal activity.

In addition to the direct fines, which can be overwhelming, there are other, often more serious "invisible" costs associated with non-compliance:

• Reputational damage: posting a fine on the FAA website is a permanent scar on your company's reputation. You lose trust not only with existing and potential clients, but also with business partners and investors.
• Loss of banking services: Banks are extremely cautious of the crypto sector and conduct their own due diligence on clients' VASPs.
  Any record of AML transgressions is a huge warning sign for them and often leads to immediate termination of accounts. Without a bank account, a business is virtually paralyzed - unable to pay employees, vendors or receive payments from clients.

This relationship between compliance and banking services creates a vicious cycle. Failure to comply leads to fines, fines lead to loss of the bank account, and loss of the account leads to business closure. That's why proactive legal advice and precise setup of internal processes is the best form of insurance for your business.

ARROWS in practice: Our role is not just to prepare documents, but to actively protect your business. We provide legal advice that protects against fines and inspections, and if a problem does arise, we have extensive experience representing clients before the courts and administrative bodies such as the FAU and the CNB.

Build your crypto business on a solid foundation

The road to a legal and successful crypto business in the Czech Republic and the EU is more challenging than ever. It requires careful preparation, strategic decision-making and, above all, an uncompromising focus on regulatory compliance. The key steps are clear: correctly identify your status and scope of services, choose the right licensing route (FAU permit or CNB CASP license) and build a bulletproof system of internal rules in accordance with the AML Act.

Although it may seem that the new regulation only brings obstacles, the opposite is true. Clearly defined rules and the obligation to obtain a license are actually a huge opportunity. An official license becomes a valuable corporate asset. It builds trust with customers, opens doors to banking services that were previously unavailable, and attracts serious investors and institutional partners. In the new, regulated world, robust compliance is becoming a key competitive advantage that separates professional players from those who do not have a long-term future in the market.

Don't be caught off guard by the complexity of regulations that are constantly evolving. At ARROWS, we specialize in cryptoasset and FinTech regulation and help clients like you every day. Our experience will ensure the process runs smoothly for you. We are prepared to draft internal guidelines, prepare or revise contract documentation, and ensure that your documentation protects you from fines and penalties. We provide legal consultation to guide you through the entire process, and organize professional training for your team to stay one step ahead.

Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue. Although we strive for maximum accuracy in the content, legal regulations and their interpretation evolve over time. To verify the current wording of the regulations and their application to your specific situation, it is therefore necessary to contact ARROWS Law Firm directly (office@arws.cz). We accept no responsibility for any damage or complications arising from the independent use of the information in this article without our prior individual legal consultation and expert assessment. Each case requires a tailor-made solution, so please do not hesitate to contact us.