How to Add Crypto-Asset Services to a Regulated Financial Institution: Licensing, Banking & Infrastructure

What You Need to Add Crypto-Asset Services

A regulated financial institution adding crypto-asset services in 2026 needs five infrastructure components on top of its existing licensed perimeter: a regulatory routing decision (simplified notification or full authorisation), a custody and settlement layer, a banking-and-fiat-rail extension, a compliance overlay covering MiCA, DORA, and the Transfer of Funds Regulation, and a governance and conflicts framework that ring-fences the crypto business from the existing book.

Unlike a crypto-native start-up that builds from zero, an incumbent bank, MiFID investment firm, electronic-money institution, UCITS management company, or AIFM already holds most of the regulatory chassis. A crypto-asset service provider (CASP) is, under MiCA Article 3(1)(15), a legal person whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis.^[1] The question for an authorised firm is not “how do I become a CASP from scratch” but “which of the ten MiCA crypto-asset services do I want to add, and which existing authorisation does each one fit under.” That decision drives every other component on the stack.

Infrastructure Checklist

Choosing the Right Jurisdiction

Jurisdiction selection for an incumbent adding crypto-asset services is rarely a clean-slate choice. The firm already has its primary regulated entity somewhere, and the practical question is whether to add the crypto perimeter inside the existing licensed entity, set up a sister entity in the same jurisdiction, or establish a new subsidiary in a different regime that better fits the target client base. Four jurisdictions cover the realistic option set for 2026: Estonia and Cyprus inside the EU MiCA passport, the United Arab Emirates for non-EU institutional reach, and Hong Kong for Asia-Pacific banking and asset-management distribution.

The decision framework runs across four variables: which authorisation framework already governs the firm, where the target clients are located, whether passporting matters, and whether the institution prefers a single-regulator or a federated-regulator structure. An EU credit institution already authorised under the Capital Requirements Directive can in most cases use MiCA Article 60 to notify the home regulator and add crypto services without a separate CASP authorisation; a non-EU bank cannot. A MiFID investment firm has the same Article 60 advantage but must map each crypto-asset service in MiCA Article 3 against an existing MiFID activity to identify the gap. A US bank-holding company has neither MiCA Article 60 nor a single federal crypto-asset regime, and selects its non-US base on different grounds.

Jurisdiction Comparison

Choose Estonia if the institution is an EU-authorised credit institution, MiFID investment firm, EMI, UCITS management company, or AIFM that wants the lowest-cost route to a MiCA-passportable crypto service line, using either Article 60 notification through Finantsinspektsioon or a full CASP authorisation. The fact pattern that drives Estonia is a Northern or Western European bank or broker with EU clients, where the cost of a new authorisation is the binding constraint and the Article 60 route is unavailable because the existing authorisation does not sit in an EU Member State. See the full Estonia crypto licensing guide for the file-progress data.

Choose Cyprus if the institution is a Cyprus Investment Firm (CIF), an existing Cyprus EMI, or a non-EU asset manager that wants a credible EU base with both AIFM and MiCA exposure under a single regulator (CySEC) and an established institutional services ecosystem. Cyprus is the natural EU upgrade for a Middle East or CIS-origin asset manager that wants UCITS, AIFMD, and MiCA together with non-domicile tax treatment for senior management. See the full Cyprus crypto licensing guide.

Choose UAE if the target client base is institutional, sovereign, or high-net-worth, and either ADGM (FSRA-regulated, English common law) or DIFC (DFSA-regulated, English common law) better fits the firm’s existing licensing architecture than an EU base. The UAE is the standard non-EU institutional jurisdiction for a global asset manager extending into crypto, for a Middle East private bank adding tokenised investment products, or for a brokerage that needs a Gulf and South Asia distribution base. See the full UAE crypto licensing guide.

Choose Hong Kong if the institution is an Asia-Pacific bank, securities firm, or asset manager already authorised by the HKMA or SFC, and the priority is Asia-Pacific banking and distribution rather than EU passporting. Hong Kong’s strength is the integration between the HKMA Authorised Institution regime, the SFC’s Type 1/4/7/9 licences, and the VATP and stablecoin-issuer frameworks; the weakness is cost and timeline. The Stablecoins Ordinance (Cap. 656) imposes HK$25m paid-up share capital plus HK$3m liquid capital, 100% reserve backing, and penalties of up to HK$5m or seven years’ imprisonment for unlicensed issuance. See the full Hong Kong crypto licensing guide.

Setting Up Your Company

For most institutions adding crypto-asset services, no new entity is needed. The crypto perimeter sits inside the existing authorised entity under Article 60 notification (EU) or under a variation of the existing licence (UAE, Hong Kong). The entity question only becomes material where one of four situations applies: the firm wants to ring-fence the crypto business from the rest of the group for capital, conflicts, or reputational reasons; the existing authorisation does not extend to the target market and a new jurisdictional base is needed; the existing entity sits in a non-EU jurisdiction and EU access requires a new MiCA-authorised subsidiary; or the firm wants a parallel issuance entity for stablecoin or asset-referenced token issuance, which under MiCA Article 48 must be an EMI or a credit institution.

Where a new entity is needed, the choice between Estonia, Cyprus, UAE, and Hong Kong is the same set canvassed in the previous section, and the formation mechanics are jurisdiction-specific. Estonia uses the osaühing (OÜ); Cyprus uses the private limited company; the UAE uses ADGM SPC or DIFC Co Ltd for the financial-services free-zone routes; Hong Kong uses the private limited company under the Companies Ordinance (Cap. 622). For an EMT or ART issuance entity, the company must be either a credit institution (already CRR-authorised) or an EMI under Directive 2009/110/EC; this is MiCA Article 48(1) and is not negotiable.

Substance and management residency are the most underestimated formation factors for an incumbent adding crypto. EU competent authorities apply substance tests to the management function under MiCA Article 62 read together with MiFID II Article 9, the Capital Requirements Directive, and the relevant national-law overlays; “substance” in this context means a real registered office, real management resident in the jurisdiction, a real MLRO, and real operational personnel. A holding-company-only entity will not survive the first information request from Finantsinspektsioon or CySEC. The UAE FSRA and DFSA apply equivalent substance and residency standards; Hong Kong applies a similar approach through the SFC’s Manager-in-Charge regime.

Formation by Jurisdiction

The most common formation mistake for an incumbent is to incorporate a holding company in a jurisdiction with no operational substance and then to discover, mid-application, that the home regulator treats the operating entity’s parent as part of the regulated perimeter for fit-and-proper purposes. An EU credit institution adding an Estonia OÜ to host its CASP services, with no Estonia-resident management, will face a Finantsinspektsioon information request that effectively requires Estonia substance regardless of where the corporate-group head is registered. The cleaner structure is operating entity in the licensing jurisdiction, one layer of holding above, substance in both places.

Licensing Requirements

A regulated financial institution adding crypto-asset services has two distinct paths in the European Union and a third path outside it: the MiCA Article 60 simplified notification, the full CASP authorisation under MiCA Title V, and the non-EU equivalent (variation of existing UAE FSRA / DFSA permission, HKMA / SFC uplift in Hong Kong, FCA cryptoasset gateway in the UK from 30 September 2026, or state-by-state money-transmitter routing in the US). The Article 60 route is the single most important regulatory mechanism for an incumbent because it eliminates the duplicate-authorisation problem that crypto-native firms cannot avoid.

MiCA Article 60 simplified notification

Under MiCA Article 60(1), the following entities may provide crypto-asset services without a separate CASP authorisation, provided they notify the competent authority that authorised them:^[1]

• Credit institutions authorised under the Capital Requirements Directive.
• Central securities depositories authorised under the CSD Regulation.
• Investment firms authorised under MiFID II that hold the relevant authorisation for each equivalent crypto-asset service.
• Market operators authorised under MiFID II.
• Electronic-money institutions authorised under EMD2.
• UCITS management companies authorised under the UCITS Directive.
• Alternative investment fund managers authorised under the AIFMD.

The notification must be made at least 40 working days before the entity starts providing crypto-asset services and must contain the information set out in MiCA Article 60(7): a programme of operations, a description of internal control mechanisms and risk-management procedures, evidence of compliance with the relevant Title V operational requirements, and the identity of natural and legal persons providing the services in the entity’s name. The competent authority assesses completeness within the 40-working-day window and may extend the assessment by up to 20 working days where the file is incomplete (Article 60(8)).

This is a structural distinction in Article 60 itself: a credit institution under Article 60(1) may provide any of the ten MiCA crypto-asset services under a single notification, whereas an investment firm under Article 60(3) may provide only the crypto-asset services that are equivalent to the MiFID II investment services for which it is already specifically authorised under Directive 2014/65/EU. ESMA Q&A 2088 (29 January 2024) confirms two practical points on top of the statutory text: the credit-institution notification operates without prejudice to the national procedures transposing Directive 2013/36/EU (CRD) for the authorisation of the underlying banking activities (per MiCA Recital 78), and a credit institution that does not hold the underlying CRD authorisation for a service such as custody may in practice have difficulty evidencing the Article 60(7) information requirements for the corresponding crypto-asset service.^[19]

Article 60 Level 2 instruments. The European Commission adopted Delegated Regulation (EU) 2025/303 and Implementing Regulation (EU) 2025/304 on 18 December 2024, both in force from 12 March 2025. The Delegated Regulation prescribes the regulatory technical standards on the content, formats and templates of the Article 60 notification; the Implementing Regulation prescribes the corresponding implementing technical standards. Filings submitted from 12 March 2025 onwards must use the prescribed templates; pre-12-March filings made under the early transitional approach remain valid but must be supplemented on the regulator’s request.^[18]

The Article 60 route does not displace the operational requirements of MiCA Title V. The notifying entity must comply with the conduct, organisational, custody, segregation, and capital provisions of Title V to the extent they apply to the specific crypto-asset services provided. It is not a back door. It is a procedural shortcut that recognises the firm’s existing authorisation as the foundation on which the crypto-asset service obligations sit. The common mistake is reading the 40-working-day notification window as the binding timeline; in practice, the load-bearing work is extending the existing MiFID or CRR control stack to absorb on-chain settlement, blockchain-address sanctions screening, custody-key governance, and the DORA third-party register entries for the crypto-execution and custody-technology providers, and that operational uplift typically runs three to six months in parallel with the Article 60 file rather than after it.

Equivalence mapping between MiFID II investment services and MiCA crypto-asset services

MiCA Article 60(2) sets out an equivalence table between the eight MiFID II investment services in Section A of Annex I and the ten MiCA crypto-asset services in Article 3(1)(16).^[1] The mapping is direct:

• Reception and transmission of orders: maps to the same crypto-asset service.
• Portfolio management: maps to portfolio management of crypto-assets.
• Investment advice: maps to advice on crypto-assets.
• Execution of orders: maps to execution of orders for crypto-assets on behalf of clients.
• Placing of financial instruments: maps to placing of crypto-assets.
• Operation of an MTF or OTF: maps to the operation of a trading platform for crypto-assets.

The investment firm may provide each crypto-asset service for which it holds the equivalent MiFID II authorisation. Where the firm wants to provide a crypto-asset service for which there is no MiFID II equivalent (custody and administration of crypto-assets on behalf of clients, exchange of crypto-assets for funds or other crypto-assets, transfer services for crypto-assets), it must add the relevant authorisation either through a MiFID II variation if the regulator treats it as ancillary, or through a separate CASP authorisation if the activity falls outside the MiFID perimeter.

Capital and own funds

For an entity using Article 60 notification, the capital requirement is the higher of the existing sectoral floor (CRR own funds for a credit institution, MiFID II initial capital for an investment firm, EMD2 initial capital for an EMI) and the MiCA Article 67 / Annex IV minimum capital floor for the crypto-asset services provided. Under MiCA Article 67(1)(b), the firm must also hold prudential safeguards equal to one quarter of the preceding year’s fixed overheads where higher than the Annex IV floor; for established credit institutions and Cyprus Investment Firms this fixed-overheads safeguard is typically the binding constraint, not the nominal class floor.

MiCA Annex IV sets three classes:

• Class 1: EUR 50,000 (reception and transmission, advice, execution, placing, portfolio management, transfer).
• Class 2: EUR 125,000 (custody and administration, exchange).
• Class 3: EUR 150,000 (full Class 2 plus operation of a trading platform).

For a credit institution, the CRR own-funds requirement will in almost every case exceed the MiCA floor and the MiCA capital floor effectively drops out. For a MiFID investment firm or an EMI, the binding floor depends on the service mix. The EBA Opinion of 10 June 2025 (EBA/Op/2025/08) clarified the stacking rule for entities that custody or transfer e-money tokens: these activities are PSD2 payment services as well as MiCA crypto-asset services, and the firm must comply cumulatively with both regimes. The transitional regime ended on 2 March 2026.^[8]

MiFID II / MiCA boundary

Crypto-assets that qualify as financial instruments under MiFID II Section C of Annex I (transferable securities, money-market instruments, units in collective investment undertakings, derivatives) remain inside MiFID II and outside MiCA. MiCA Recital 14 and Article 2(4) draw this boundary explicitly: a tokenised bond, a tokenised equity, a tokenised fund unit, or a security token is regulated under MiFID II, the Prospectus Regulation, and the relevant national-law overlays, not under MiCA.^[2] The EU DLT Pilot Regime (Regulation (EU) 2022/858) provides a parallel sandbox for DLT-based market infrastructures and has been operational since 23 March 2023.^[6] The boundary matters because firms adding tokenised securities, tokenised funds, or asset-referenced derivative products are doing MiFID II business with a DLT settlement layer, and the authorisation route is a MiFID II variation rather than a CASP authorisation.

Reverse solicitation under MiCA Article 61

A third-country firm may provide crypto-asset services to clients established in the EU at the exclusive initiative of the client, without authorisation under MiCA, under MiCA Article 61(1). The carve-out is narrow. ESMA Guidelines on reverse solicitation under MiCA (ESMA35-1872330276-2030), published 26 February 2025 and applicable from 27 April 2025, identify targeted advertising, EU-language websites, country-code TLDs, sponsorship of EU events, EU-based influencers, and affiliate or referral programmes directing EU traffic as triggers that defeat the carve-out.

The Guidelines also confine further same-type marketing to the context of the original transaction, and Article 61(2) restricts ongoing relationships entered into at the client’s initiative to the same type of service as initially solicited.^[7] A US or APAC institution that wants to serve EU clients on a continuing basis cannot rely on reverse solicitation; it needs an EU subsidiary or an Article 60 notification through an EU-authorised entity.

Non-EU licensing pathways

United Kingdom. The UK is transitioning from the FCA cryptoasset registration regime under the Money Laundering Regulations 2017 to a full regulated-activities regime under SI 2026/102 (the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, made 4 February 2026). The new authorisation gateway opens on 30 September 2026 and closes on 28 February 2027 for firms operating under transitional arrangements; the regime commences fully on 25 October 2027. UK banks adding cryptoasset activities will need an additional Part 4A FSMA permission for the new regulated cryptoasset activities.^[11]

United States. A federal-state matrix operates. The GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025) was signed into law on 18 July 2025; the Act becomes effective on the earlier of 18 January 2027 or 120 days after the primary federal payment-stablecoin regulators issue final implementing regulations (Section 20). The OCC issued Notice of Proposed Rulemaking Bulletin 2026-3 on 25 February 2026 (60-day comment period closed 1 May 2026); FDIC, NCUA, and Treasury proposed rules followed between February and May 2026. State money-transmitter licences remain required for non-bank crypto-asset transfer services in most states; OCC Interpretive Letters IL 1183 of 7 March 2025 and IL 1184 of 7 May 2025 confirmed that national banks may provide crypto-asset custody and execution services subject to OCC notification and risk-management standards.^[17]

Alongside GENIUS, the Digital Asset Market Clarity (CLARITY) Act, which addresses crypto-asset market structure and the SEC/CFTC perimeter for digital commodities, passed the U.S. House on 17 July 2025 (294 to 134) and was advanced by the Senate Banking Committee on 14 May 2026 (15 to 9); a Senate floor vote is pending as of 19 May 2026.

United Arab Emirates. Three regulators operate in parallel: VARA for Dubai retail virtual asset activity, ADGM FSRA for Abu Dhabi free-zone financial services, and DIFC DFSA for Dubai financial-centre activity, each with its own permission structure and capital floors. An institutional firm typically routes through ADGM or DIFC rather than VARA; a retail-facing crypto exchange routes through VARA.

Hong Kong. The SFC supervises VATP and tokenised-securities activity; the HKMA supervises stablecoin issuance and Authorised-Institution banking activity. The Stablecoin Issuer Ordinance has been in force since 1 August 2025 and applies to fiat-referenced stablecoin issuers irrespective of the underlying currency.^[14]

Banking

Banking is rarely the binding constraint for an incumbent adding crypto-asset services in the way it is for a crypto-native start-up. The institution already has correspondent banking, treasury operations, and SEPA / SWIFT access for its existing book. The crypto-specific banking question is narrower: where does the crypto-fiat conversion sit, which segregated client-money account holds the fiat leg of crypto-asset trades, and which institution clears the on-ramp and off-ramp flows.

The conversion question is operational, not regulatory. MiCA Title V requires the CASP (or the Article 60 firm acting as a CASP) to segregate client crypto-assets and client funds, but it does not prescribe the banking architecture. The standard model uses three settlement components: a fiat segregated client-money account for client deposits and withdrawals, a treasury account for the firm’s own balances, and a flow account for the conversion leg between client crypto and client fiat. For an existing bank or EMI, all three accounts sit inside the existing institution. For a MiFID investment firm, UCITS management company, or AIFM without internal banking capability, the three accounts sit at one or more credit institutions or EMIs that have explicit crypto-business onboarding capability.

The cross-border banking complication for an incumbent extending into crypto is that not every existing correspondent will tolerate crypto-flows on the wire. A European bank’s US correspondent may impose new flow-monitoring conditions, restrict the volume of stablecoin-related settlement, or in some cases withdraw from the relationship. Jagelski & Partners’ banking network covers ninety-plus banking and payment institutions across the EU, UK, Middle East, Asia-Pacific, Caribbean, and Americas, with explicit institutional-grade crypto onboarding capability. The network supported fourteen billion euros in client turnover in 2025. We match the firm to one or more institutions based on the specific crypto-asset services, the client geography, and the existing correspondent footprint, and we pre-qualify each institution before any formal application goes in. There is no markup and no onboarding fee on the banking line.

Ongoing Compliance

Compliance is where the gap between a crypto-native firm and an incumbent adding crypto-asset services narrows fastest. The incumbent is already running MiFID II conduct and conflicts frameworks, MAR market-abuse surveillance, AML transaction monitoring, suspicious activity reporting, and ICT-risk governance. Adding crypto-asset services extends each of these into a new asset class rather than building from zero, but the extension is non-trivial: most existing systems were calibrated for cash equities, fixed income, FX, and derivatives, and the parametrisation for crypto-asset volatility, on-chain flow-tracing, sanctions screening against blockchain addresses, and DLT-specific operational risk has to be added.

Dual-regime obligations

A MiFID investment firm providing crypto-asset services under Article 60 notification operates under MiFID II conduct rules and MiCA Title V conduct rules in parallel; where the two diverge, the firm applies the more stringent requirement. The MiCA Title V conduct overlay covers fair-and-honest treatment of clients (Article 66), conflicts of interest (Article 72), outsourcing (Article 73), white-paper compliance for crypto-asset offerings (Title II), and market-abuse-equivalent provisions for trading platforms (Article 76 onwards). For an existing trading venue operator extending into crypto-asset trading platforms, the MiFID II MAR regime sits on top of MiCA Title VI market-abuse provisions, and the firm must run a single market-abuse surveillance function that catches both.

DORA

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025 to credit institutions, investment firms, payment institutions, electronic-money institutions, central securities depositories, central counterparties, alternative investment fund managers, UCITS management companies, and CASPs.^[3] An incumbent already in DORA scope as a credit institution or MiFID firm is already DORA-compliant for its existing book; adding crypto-asset services requires the firm to extend the ICT third-party risk register, the digital operational resilience testing programme, and the major ICT-related incident reporting framework to include crypto-asset service providers, custody-technology providers, and any DLT-infrastructure dependencies.

Anti-money-laundering and the Transfer of Funds Regulation

The recast Transfer of Funds Regulation (Regulation (EU) 2023/1113) has applied to crypto-asset service providers since 30 December 2024, in parallel with MiCA’s full application date.^[4] The TFR requires originator and beneficiary information on every crypto-asset transfer, with no de-minimis threshold for CASP transfers; for an existing bank or EMI, this extends the existing FATF Recommendation 16 wire-transfer infrastructure to the crypto rail. The new AML Regulation (Regulation (EU) 2024/1624) applies in full from 10 July 2027 and tightens the customer-due-diligence, beneficial-ownership, and risk-based-supervision framework for all obliged entities, including CASPs.^[5]

Conflicts of interest and internal segregation

MiCA Article 72, read together with MiFID II Article 23 and the relevant national overlays, requires CASPs to identify, prevent, manage, and disclose conflicts of interest. For an incumbent providing crypto-asset services alongside an existing investment-services book, the conflicts framework must address: cross-trading between crypto and non-crypto assets, internalisation of client crypto orders, proprietary trading in crypto-assets that the firm also recommends to clients, and the conflicts that arise where the firm acts as both custodian and exchange counterparty. Internal segregation typically requires functional separation, Chinese walls, and where necessary structural separation through a sister entity or sub-licensed subsidiary.

Upcoming regulatory milestones

Two milestones bear watching in the next twelve months. The European Commission’s MiCA review under Article 140 is scheduled for 30 June 2027 but consultation activity will accelerate during 2026. The UK FCA cryptoasset authorisation gateway opens on 30 September 2026; UK-domiciled banks and brokers should have their permission-variation files prepared by Q3 2026.^[11]

Realistic Timeline and Costs

The realistic end-to-end timeline for an incumbent adding crypto-asset services in 2026 runs from four months (MiCA Article 60 notification through an existing EU-authorised entity) to eighteen months (full CASP authorisation in a new EU subsidiary, or a non-EU regime with no existing footprint). The notification path is procedurally compressed; the authorisation path is not. Where the firm holds an existing CRR-authorised credit-institution licence or an EU MiFID II investment firm authorisation, the timeline anchor is the 40 working-day notification window plus three to six months of parallel preparation for the operational and compliance overlay. Where the firm needs a new authorisation, the anchor is the regulator’s authorisation timeline, which sits in the six to fifteen-month range depending on jurisdiction and file quality.

The cost envelope is similarly bimodal. Professional fees for an Article 60 notification through an existing EU entity sit in the EUR 50,000 to EUR 150,000 range, depending on the breadth of crypto-asset services notified and the depth of the operational-policy build. Professional fees for a full CASP authorisation in a new EU subsidiary sit in the EUR 80,000 to EUR 250,000 range. The UAE FSRA or DFSA route sits at USD 200,000 to USD 500,000. Hong Kong sits at HKD 3m to HKD 8m. These figures exclude regulatory capital, banking float, and technology procurement; they cover legal, regulatory, compliance, and project-management fees only.

Cost Breakdown by Phase

The single biggest cost driver inside these ranges is the custody-and-technology line. Firms that elect self-custody with on-chain settlement carry a much heavier integration burden than firms that sub-custody to a qualified custodian and treat the crypto-asset book as a settlement layer on top of an external infrastructure. The choice is not regulatory: MiCA Article 75 permits both. The choice is operational and strategic, and it is the most important architectural decision the project will make.

Frequently Asked Questions

References