
Regulatory and banking glossary. Plain-English definitions of the terms our clients ask about.

168 terms covering EU, UK, US, Asia-Pacific, and Middle East regulatory frameworks; licence types; AML, KYC, and KYT systems; banking concepts from correspondent tiering to escrow; informal value transfer including hawala; and the major regulators with direct links to their authority pages. Search or browse by category.

For an opinionated read on how finconduit's advisors approach 30 of these terms in actual engagements, see the companion Practitioner Notes page.

Not legal opinion

These definitions are factual reference material provided for general orientation. They do not constitute legal, regulatory, or investment advice and should not be relied on as such. Where a regulatory threshold, jurisdictional scope, or licensing requirement matters to a decision your institution is taking, engage qualified legal counsel and the relevant National Competent Authority directly.

EU and UK regulatory frameworks

16 terms

5AMLD

Also: Fifth Anti-Money Laundering Directive

Predecessor to 6AMLD. First EU directive to bring crypto-asset service providers explicitly into AML scope (mandatory registration with national authorities, KYC obligations on virtual currency exchanges).

6AMLD

Also: Sixth Anti-Money Laundering Directive, Directive (EU) 2018/1673

The Sixth Anti-Money Laundering Directive expands and standardises the EU's criminal-law approach to money laundering, with member-state transposition required by 3 December 2020 and application to obliged entities by 3 June 2021. It harmonises the predicate offences for money laundering across the EU at 22 specified categories — including environmental crime, cybercrime, tax crimes, and trafficking — closing gaps that previously varied by member state. 6AMLD is most consequential for its introduction of criminal liability for legal persons (corporates can be prosecuted, not just individuals), 'aiding and abetting' liability for those who facilitate money laundering even without direct conduct, and minimum maximum sentences of four years' imprisonment. Sanctions also include corporate dissolution, exclusion from public benefits, judicial supervision, and temporary or permanent bans on commercial activities. For regulated entities, 6AMLD elevates the consequences of poor AML programmes — a breach is no longer just a regulatory matter resolved through fines but can become a criminal matter with personal consequences for senior managers. Most operators implement 6AMLD compliance as part of their broader AMLD framework rather than as standalone work; the directive is being progressively superseded by the AMLR for matters within its scope.

AMLR

Also: Anti-Money Laundering Regulation

Direct-effect EU regulation replacing significant parts of the AML directive framework. Centralises AML standards across member states and reduces national-transposition variation. Applies from 10 July 2027.

DORA

Also: Digital Operational Resilience Act, Regulation (EU) 2022/2554

DORA is an EU regulation that imposes a comprehensive operational-resilience framework on financial entities and their critical ICT third-party providers, fully applicable since 17 January 2025. The regulation has five main pillars: ICT risk management (the financial entity must operate a documented framework covering identification, protection, detection, response, recovery, learning, and communication for ICT-related events), ICT-related incident reporting (mandatory classification, escalation, and reporting of major ICT incidents to the relevant NCA), digital operational resilience testing (regular vulnerability assessments and, for significant entities, threat-led penetration testing every three years), third-party ICT risk management (a formal register of all ICT third-party arrangements, with enhanced contractual requirements for critical or important functions), and information sharing arrangements among financial entities to exchange threat intelligence. DORA applies to a wide population — banks, EMIs, PIs, investment firms, insurance undertakings, MiFID firms, CCPs, trade repositories, and (importantly for fintech) CASPs authorised under MiCA. Critical ICT third-party providers (cloud platforms, large SaaS vendors used by multiple regulated entities) can be designated as 'critical' by the European Supervisory Authorities and become subject to direct ESA oversight.

DPA 2018

Also: Data Protection Act 2018

UK statute that supplements the UK GDPR. Includes specific provisions for law-enforcement processing and intelligence services data handling.

EMD2

Also: Electronic Money Directive 2, Directive 2009/110/EC

EU directive establishing the EMI authorisation regime, capital requirements, and safeguarding rules for e-money issuance.

EMIR

Also: European Market Infrastructure Regulation

EU regulation governing derivatives trading, central counterparty (CCP) requirements, and trade reporting. Out of scope for most fintechs but relevant for structured-product crypto and tokenised derivatives.

FSMA 2023

Also: Financial Services and Markets Act 2023

UK statute consolidating and modernising financial services regulation post-Brexit. Empowers HM Treasury and the FCA to set the UK's bespoke approach to crypto-assets and stablecoins.

GDPR

Also: General Data Protection Regulation, Regulation (EU) 2016/679

The General Data Protection Regulation is the EU's comprehensive data protection law, applicable since 25 May 2018. It governs the processing of personal data of natural persons in the EEA regardless of where the processing entity is based, giving the framework explicit extra-territorial reach. GDPR sets out six lawful bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests) and a rich set of data-subject rights including access, rectification, erasure, restriction, portability, and objection. It mandates breach notification to the supervisory authority within 72 hours of awareness for breaches likely to result in risk to data subjects, and direct notification to affected individuals when the risk is high. Cross-border transfers outside the EEA are restricted to countries with adequacy decisions or supported by appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, certifications). Penalties for non-compliance are significant — up to €20 million or 4% of global annual turnover, whichever is higher — and have been enforced against major technology companies by national supervisors. Each member state has its own supervisory authority (the ICO in the UK, CNIL in France, the BfDI in Germany, the AEPD in Spain, the DPC in Ireland), with the European Data Protection Board coordinating consistent application across the bloc.

MiCA

Also: Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114

MiCA is the European Union's harmonised regulatory framework for crypto-asset issuers and service providers, fully applicable across the EEA since 30 December 2024. It creates a single, passportable CASP (Crypto-Asset Service Provider) authorisation that allows authorised firms to operate across all 30 EEA member states without needing separate registration in each. The framework covers eight regulated services on crypto-assets — custody, trading-platform operation, exchange of crypto-assets for fiat or other crypto-assets, execution of orders, placement, reception and transmission of orders, advice, and portfolio management — and imposes parallel but distinct regimes for issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs). MiCA also sets prudential capital floors by service class (€50,000, €125,000, or €150,000 under Annex IV), substance and governance requirements, AML and conduct-of-business obligations, and white-paper disclosure rules for new crypto-asset offerings. A transitional grandfathering provision in Article 143 allows entities authorised under pre-existing national frameworks to continue operating until 1 July 2026 (or earlier where member states have shortened the period to 18 months) while applying for full MiCA authorisation.

MiFID II

Also: Markets in Financial Instruments Directive II

EU framework for investment firms and trading venues. Out of scope for crypto-asset services post-MiCA, but still governs digital tokens that qualify as financial instruments under ESMA guidance.

PECR

Also: Privacy and Electronic Communications Regulations 2003

UK regulations governing cookies, marketing communications, and electronic direct marketing consent. Enforced by the ICO alongside UK GDPR.

PSD2

Also: Payment Services Directive 2, Directive (EU) 2015/2366

PSD2 is the EU directive that governs payment services across the European Economic Area, applicable since January 2018. It established the modern authorisation regimes for Payment Institutions (PIs) and Electronic Money Institutions (EMIs), set the rules for safeguarding client funds (Article 10), and introduced two structural innovations that shaped European fintech: Strong Customer Authentication (SCA), which mandates two-factor authentication for most electronic payments, and the open-banking access framework, which requires banks to expose account-information and payment-initiation services to authorised third-party providers via standardised APIs. PSD2 created the third-party-provider categories of Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP), enabling a wave of fintech innovation around aggregation, budgeting, and payment-orchestration tools. The directive is being succeeded by PSD3 and a complementary Payment Services Regulation (PSR), which together will tighten fraud-liability allocation, expand SCA exemptions, and modernise the open-banking framework — currently in the EU legislative pipeline with a target application date of 2026 onwards.

PSD3

Also: Payment Services Directive 3

Proposed successor to PSD2. Will tighten fraud-liability allocation, expand SCA exemptions, and modernise the open-banking access framework. Expected to apply from 2026 onwards.

PSR

Also: Payment Services Regulation

Companion regulation to PSD3. Covers areas requiring direct EU-wide application rather than member-state transposition.

UK GDPR

The retained UK version of the EU GDPR, applied alongside the Data Protection Act 2018. Materially aligned with the EU GDPR but enforced by the UK Information Commissioner's Office (ICO).

Global regulatory frameworks

5 terms

Basel III

International framework on bank capital adequacy, stress testing, and market liquidity. Applied through the EU Capital Requirements Regulation/Directive and the UK PRA Rulebook.

BEPS

Also: Base Erosion and Profit Shifting

OECD/G20 framework to counter tax-avoidance strategies. Drives substance requirements and country-by-country reporting obligations for multinational corporate structures.

FATF Recommendations

Also: FATF 40

The Financial Action Task Force's 40 Recommendations form the global standard for combating money laundering, terrorist financing, and proliferation financing. The Recommendations cover seven broad areas: AML/CFT policies and coordination, money laundering and confiscation, terrorist financing and financing of proliferation, preventive measures (customer due diligence, record-keeping, suspicious-transaction reporting), transparency and beneficial ownership, the powers and responsibilities of competent authorities, and international cooperation. The 200+ member jurisdictions are subject to periodic mutual evaluations against these standards, with results published as country reports — failure to meet the standards can result in greylisting or blacklisting, which materially affects access to international financial markets. Recommendation 16, known as the Travel Rule, requires originator and beneficiary information to travel with wire transfers above defined local thresholds; it was extended to virtual asset service providers in the FATF's 2019 Updated Guidance, fundamentally changing the compliance posture for crypto-asset operators globally. The FATF also issues sector-specific guidance (most recently on virtual assets, NFTs, and decentralised finance) that progressively shapes how member jurisdictions apply the core Recommendations to new technology categories.

Pillar Two

Also: OECD global minimum tax, GloBE rules

OECD-led 15% minimum effective corporate tax rate on multinational enterprises with revenue above €750M. Affects holding-company structures and licence-jurisdiction selection for larger fintechs.

Travel Rule

Also: FATF Recommendation 16

The Travel Rule is the obligation derived from FATF Recommendation 16 that requires originator and beneficiary identifying information to travel with a funds transfer above a defined threshold. The thresholds vary by jurisdiction: the EU sets €1,000, the UK £1,000, the US $3,000 under the FinCEN Travel Rule, Switzerland CHF 1,000, Singapore SGD 1,500, Hong Kong HKD 8,000. Above the threshold, the sending institution must include the originator's full name, account number or unique identifier, and physical address (or alternatives such as date and place of birth, customer identification number, or national identity number), along with the beneficiary's name and account number — and the receiving institution must verify and act on that information. The rule was originally written for traditional wire transfers between banks and is implemented through SWIFT MT103 fields and ISO 20022 messaging. In 2019, FATF extended the rule explicitly to Virtual Asset Service Providers (VASPs), creating a substantial new compliance obligation for crypto-asset exchanges and custodians. VASP-side implementation requires specialist Travel Rule providers (Notabene, Sumsub, Sygna, Veriscope, OpenVASP) that handle counterparty identification and secure data exchange, because the SWIFT messaging layer used by banks does not exist between VASPs. Self-hosted wallet transactions — where one side is not a VASP — present an ongoing complexity that different jurisdictions resolve differently.

See also: VASP, CASP, KYT

Licence types and authorisations

14 terms

API

Also: Authorised Payment Institution

UK-specific term for a fully authorised PI under the Payment Services Regulations 2017. Distinguished from a Small PI (SPI), which has lighter requirements but transaction-volume caps.

BitLicense

BitLicense is the authorisation issued by the New York Department of Financial Services (NYDFS) under Title 23 of the New York Codes, Rules and Regulations (23 NYCRR Part 200) for virtual currency businesses serving New York residents. Introduced in 2015 as the first comprehensive crypto-asset regulatory regime by a major US state, BitLicense requires extensive disclosure across capitalisation, ownership, business model, AML programme, cybersecurity programme, consumer-protection arrangements, and disaster-recovery plans. The application process is notoriously demanding — multi-month review timelines, extensive document requirements, and (historically) seven-figure compliance build-out costs are typical. The BitLicense covers virtual currency exchange, transmission, storage, control, administration, issuance, buying or selling for sale to customers, and performance of exchange services. Operators serving New York residents without a BitLicense face enforcement risk including cease-and-desist orders and substantial fines; this includes online operators based outside the US that take New York customers without geo-blocking. BitLicense holders are also subject to ongoing supervisory examination and reporting, including specific transaction monitoring, sanctions screening, and consumer-complaint handling requirements that go beyond standard FinCEN MSB obligations.

CASP

Also: Crypto-Asset Service Provider

A Crypto-Asset Service Provider is an entity authorised under MiCA Article 59 to provide one or more of the eight regulated crypto-asset services to clients in the European Economic Area: custody and administration of crypto-assets on behalf of clients, operation of a trading platform for crypto-assets, exchange of crypto-assets for funds or other crypto-assets, execution of orders on behalf of clients, placement of crypto-assets, reception and transmission of orders, advice on crypto-assets, and portfolio management of crypto-assets. CASP authorisation requires meeting minimum prudential capital floors set out in MiCA Annex IV — €50,000 for advice, reception/transmission, and order execution; €125,000 for portfolio management and exchange; €150,000 for custody and trading-platform operation — alongside fitness-and-propriety requirements for senior management, comprehensive AML/CFT obligations, governance structures, ICT risk frameworks aligned with DORA, and (for many services) safeguarding obligations for client crypto-assets. Once authorised by any EEA national competent authority (NCA), a CASP can passport its authorisation across all 30 EEA member states by giving notice to ESMA and the host-state NCA. The CASP regime replaces the patchwork of pre-MiCA national VASP registrations and creates the first single-market authorisation for crypto-asset services in the EU.

See also: MiCA, MiCA passporting

CASP Class 1 / 2 / 3

MiCA Annex IV groups CASP services into three classes for prudential capital purposes. Class 1: €50,000 minimum (advice, reception/transmission, execution). Class 2: €125,000 (portfolio management, exchange). Class 3: €150,000 (custody, trading platform).

CIF

Also: Cyprus Investment Firm

Cyprus Securities and Exchange Commission (CySEC) authorisation for investment firms providing services covered by MiFID II.

DLT Provider

Gibraltar Financial Services Commission authorisation regime under the DLT Provider Regulations 2017. Pre-dates MiCA; Gibraltar-licensed firms operate alongside MiCA via passporting where relevant.

EMI

Also: Electronic Money Institution

An Electronic Money Institution is an authorised entity permitted to issue electronic money under the EU's Electronic Money Directive (EMD2, Directive 2009/110/EC) or the UK's Electronic Money Regulations 2011, depending on jurisdiction. Electronic money is defined as electronically stored monetary value representing a claim against the issuer, issued on receipt of funds for the purpose of making payment transactions, and accepted by a third party. EMI authorisation requires minimum initial capital of €350,000 (in most EEA member states) or higher depending on the volume of electronic money issued, alongside ongoing prudential capital based on a method specified in EMD2 Article 5. EMIs must safeguard customer funds — typically by depositing them in segregated accounts at a credit institution that are bankruptcy-remote, by investing in low-risk liquid assets, or by holding equivalent insurance — under PSD2 Article 10 obligations that apply via cross-reference. EMI authorisations passport across the EEA, allowing a Lithuanian, Maltese, Cypriot, or Irish-licensed EMI to provide its services in any other member state. EMIs are distinct from full credit institutions (banks): they cannot accept deposits in the banking sense, cannot lend in the way banks do, and do not benefit from deposit-insurance schemes — but they have substantially lighter authorisation and capital requirements.

MPI

Also: Major Payment Institution

Singapore Payment Services Act tier for payment institutions exceeding the SPI thresholds. Covers digital payment token services (DPTs), e-money issuance, account issuance, and merchant acquisition.

MTL

Also: Money Transmitter Licence

US state-level authorisation for money-transmission businesses. The 50-state patchwork is the dominant US compliance burden for fintechs, with per-state surety bonds, capital, and reporting.

PI

Also: Payment Institution

Authorised institution permitted to provide payment services under PSD2. Lighter regime than an EMI: no e-money issuance, lower capital requirements.

SPI

Also: Small Payment Institution

UK lighter-regime payment-institution authorisation. Limited to a monthly transaction threshold (currently €3M) and restricted in passporting rights.

SVF

Also: Stored Value Facility

Hong Kong Monetary Authority authorisation for issuers of multi-purpose stored value facilities (closest equivalent to an EU EMI in HK).

VASP

Also: Virtual Asset Service Provider

Virtual Asset Service Provider is the FATF-defined regulatory category for any natural or legal person that conducts as a business one or more of the following activities for or on behalf of another natural or legal person: exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, transfer of virtual assets, safekeeping or administration of virtual assets or instruments enabling control over them, and participation in and provision of financial services related to an issuer's offer or sale of a virtual asset. The VASP category was introduced into the FATF Recommendations in 2018 and operationalised through the Updated Guidance of 2019, requiring jurisdictions to register or license VASPs and apply standard AML/CFT obligations to them — including the Travel Rule. Pre-MiCA, EEA member states implemented VASP registration under 5AMLD with significant variation between jurisdictions; under MiCA, VASPs operating in the EEA are progressively transitioning to the more comprehensive CASP authorisation regime, which covers a broader set of services with passportable authorisation. The VASP category remains active in non-EEA jurisdictions globally — Singapore (under MAS), the UAE (under VARA, FSRA, or DFSA depending on the geography), Hong Kong (where the SFC's VATP regime is the closest analogue), and many others — making it the dominant global term outside Europe.

VFA

Also: Virtual Financial Asset

Maltese MFSA authorisation regime introduced in 2018 for crypto-asset service providers. Largely superseded by MiCA but retained for legacy compliance and for certain specialist activities.

Crypto-asset terminology

10 terms

ART

Also: Asset-Referenced Token

MiCA category for tokens referencing the value of multiple fiat currencies, commodities, or other crypto-assets. Subject to a separate authorisation regime distinct from EMTs and standard CASP services.

Cold storage

Storage of cryptographic private keys in a manner not connected to the internet (e.g. air-gapped hardware modules). One element of qualified custody; not by itself sufficient for regulatory compliance.

Crypto-asset white paper

MiCA Article 19 disclosure document required before public offers of crypto-assets in the EEA. Includes information about the issuer, the project, the token, rights and obligations attached, and risks. Notified to the home-state NCA at least 20 working days before publication.

DPT

Also: Digital Payment Token

Singapore Payment Services Act category covering crypto-assets used or intended to be used as a means of payment. DPT services require MAS authorisation under the PSA framework.

EMT

Also: E-Money Token

MiCA category for tokens referencing the value of a single fiat currency. Issuance restricted to authorised credit institutions or EMIs.

Hot wallet

Internet-connected crypto-asset wallet used for operational liquidity. Typically holds only the minimum balance required for client withdrawals and exchange operations.

Mixer / tumbler

Service that obscures the on-chain origin of crypto-assets by pooling and redistributing funds across multiple addresses. KYT systems flag mixer-derived funds; sanctions designations have been applied to specific mixers (e.g. Tornado Cash by OFAC in 2022).

Qualified custody

Standard for crypto-asset safekeeping that meets regulator expectations (MiCA Article 70, HK SFC framework, UAE VARA): cryptographic key segregation, insurance coverage, internal controls, complete audit trail, and segregation from proprietary assets.

See also: Custody

Reserve assets

Assets held by an EMT or ART issuer to back the value of issued tokens. Subject to specific composition, custody, segregation, and audit requirements under MiCA Articles 36–47.

Significant ART / EMT

MiCA threshold designation triggering enhanced supervisory obligations: more than 10 million holders, reserve assets exceeding €5 billion, or more than 2.5 million transactions per day. Significant issuers fall under direct EBA supervision.

Banking concepts (general and technical)

24 terms

Acquirer

Bank or licensed institution that processes card payments on behalf of merchants. Settles funds to the merchant after deducting MDR; bears chargeback exposure.

BIC

Also: SWIFT code

8- or 11-character Business Identifier Code identifying a bank or bank branch on the SWIFT network. Used alongside IBAN to route international payments.

Chargeback

Card-network mechanism allowing the issuing bank to reverse a transaction back to the merchant on behalf of the cardholder. Triggered by fraud, dispute, non-delivery, or cardholder error. Excessive chargeback ratios trigger scheme penalties and potential MATCH listing.

Clearing bank

Bank that has direct membership of a payment system (e.g. CHAPS, Bacs, FPS in the UK; TARGET2 in the EU) and can settle payments without an intermediary. Acts as a clearing partner for non-clearing banks and PSPs.

Correspondent banking

Correspondent banking is the arrangement under which one bank (the correspondent) provides services to another bank (the respondent), enabling the respondent bank to access markets, currencies, and payment infrastructure where it does not have its own direct presence. The correspondent holds deposits on the respondent's behalf, processes wire transfers in the correspondent's local currency, executes foreign-exchange transactions, settles trade-finance instruments, and provides cash-management services. Correspondent banking is the dominant infrastructure for cross-border payments globally — the SWIFT messaging network alone handles roughly 50 million payment instructions per day, the majority routed through chains of correspondent relationships. The architecture also creates regulatory exposure that flows back upstream: a respondent bank that onboards a problematic client exposes its correspondent to indirect AML/CFT risk, which is why correspondent banks impose extensive due-diligence requirements on their respondent relationships and have driven much of the de-risking pressure observed in the regulated-fintech sector. The Wolfsberg Group's Correspondent Banking Due Diligence Questionnaire (CBDDQ) is the de-facto standard for assessing respondent-bank AML controls. Where correspondent relationships are restricted — through de-risking, capital constraints, or sanctions — entire jurisdictions can lose access to the international payment system, a recurring concern in remittance-dependent economies and small-island financial centres.

See also: Nostro and Vostro, Correspondent banking tier

Correspondent banking tier

Hierarchy in correspondent relationships. Tier-1 correspondents are global money-centre banks providing clearing in major currencies (USD, EUR, GBP, JPY). Tier-2 correspondents access Tier-1 services and onwards-clear for Tier-3 respondent banks. De-risking pressure flows downwards through the chain.

Escrow account

An escrow account is an account held by a neutral third party — usually a bank, law firm, or specialist escrow agent — that holds funds or assets on behalf of two contracting parties until predefined conditions are met. The mechanism mitigates counterparty risk in transactions where neither party is willing to perform first: the buyer places funds in escrow, the seller delivers goods or services, the escrow agent verifies fulfilment of the release conditions, and only then are the funds released to the seller. If the conditions fail, the funds are returned to the buyer (or distributed according to the escrow agreement's dispute-resolution provisions). Escrow accounts are common in mergers and acquisitions (where part of the consideration is held back to cover indemnification claims), real-estate transactions (deposits held until completion), construction projects (progress payments released against milestone delivery), large commercial contracts (performance bonds), online marketplaces (payment held until delivery confirmation), and crypto-asset transactions (smart-contract escrow programmatically replicates the same logic on-chain). Bank-administered escrow accounts are typically structured as trust accounts, with the bank acting as trustee — the legal effect is bankruptcy-remoteness: if the bank fails, the escrow funds are not part of the bank's general estate available to creditors. Escrow agreements specify the release conditions, the verification mechanism, the fee structure (typically 0.1–1% of escrowed value annually), and the dispute-resolution procedure if the parties disagree on whether release conditions have been met.

IBAN

Also: International Bank Account Number

Standardised account-number format used in SEPA and many other jurisdictions. Up to 34 alphanumeric characters; encodes country code, check digits, bank identifier, and account number.

ISO 20022

Modern XML-based payment messaging standard replacing legacy SWIFT MT messages. Supports richer remittance data, improved KYC/AML data fields, and structured beneficiary identification. Cross-border SWIFT MT-to-ISO migration completes November 2025.

Letter of Credit

Also: LC, Documentary Credit, Documentary Letter of Credit

A Letter of Credit is a bank-issued undertaking to pay a defined beneficiary a defined sum, on presentation of documents that exactly comply with terms specified in the credit. The mechanism mitigates counterparty risk in international trade: the buyer's bank (the issuing bank) substitutes its credit standing for the buyer's, giving the seller (the beneficiary) confidence to ship goods knowing payment will be made on document presentation, while the buyer is assured that payment will be released only on evidence that shipment has occurred. Standard documents include the commercial invoice, bill of lading, packing list, certificate of origin, and inspection certificate, with the precise list specified in the LC itself. Letters of credit are typically irrevocable (cannot be amended without the beneficiary's consent), and may be confirmed (the beneficiary's bank adds its own undertaking, useful when the issuing bank's credit is unfamiliar to the beneficiary), transferable (the beneficiary can transfer rights to a sub-supplier), or back-to-back (a second LC is issued against the security of the first). The mechanism is governed internationally by the International Chamber of Commerce Uniform Customs and Practice for Documentary Credits (currently UCP 600, in force since 2007), which provides the binding interpretive framework when the credit references its terms. Letters of credit remain dominant in trade finance for cross-border shipments, particularly in higher-risk corridors and for higher-value transactions where open-account terms would be commercially unacceptable to the seller.

MDR

Also: Merchant Discount Rate

Total fee charged to a merchant for accepting a card payment. Composed of interchange (paid to the card-issuing bank), scheme fees (paid to Visa/Mastercard), and the acquirer's mark-up.

MT103

SWIFT message type for a single customer credit transfer. Carries originator, beneficiary, payment details, and routing information. Migrating to ISO 20022 as part of CBPR+ reform.

Non-self-clearing bank

Also: Indirect participant

Bank or PSP that accesses a payment scheme through a self-clearing sponsor. Cheaper to operate than direct participation; more dependent on the sponsor's operational and risk-management decisions.

Nostro and Vostro

Bookkeeping perspectives on a correspondent relationship. From Bank A's view: a Nostro account is Bank A's account at Bank B ("our account with you"). A Vostro account is Bank B's account at Bank A ("your account with us"). The same account, viewed from each side, has different names.

Processor

Technical service provider handling the technical authorisation and clearing of card-payment transactions. Distinct from the acquirer (who holds the merchant relationship and licence).

Rolling reserve

Acquirer-imposed liquidity cushion held back from a merchant's settlement to cover potential future chargebacks. Common in high-risk merchant categories. Released after a holding period (commonly 90-180 days).

Safeguarding account

Segregated account at a credit institution holding client funds on behalf of an EMI or PI, ring-fenced from the institution's own funds in the event of insolvency. Required under PSD2 Article 10 and the FCA's safeguarding rules.

See also: EMI, PI

Self-clearing bank

Direct participant in a payment scheme that holds and operates its own settlement account at the central bank. No intermediary required for clearing within that scheme.

SEPA Instant

Also: SCT Inst, SEPA Instant Credit Transfer

SEPA Instant Credit Transfer (SCT Inst) is the European Payments Council's real-time euro credit transfer scheme that delivers funds to the beneficiary's account within ten seconds of payment initiation, available 24 hours a day, every day of the year, including weekends and bank holidays. The scheme is mandatory for all payment service providers operating in the eurozone under the Instant Payments Regulation (Regulation (EU) 2024/886): receiving capability has been required since 9 January 2025, sending capability since 9 October 2025. The instant-payments mandate is the most consequential change to euro retail payments since the original SEPA Credit Transfer scheme launched in 2008, replacing the practical norm of next-business-day settlement with same-second settlement and enabling new commercial models around immediate confirmation, request-to-pay, and real-time treasury management. PSPs offering SCT Inst must price it no higher than equivalent standard SCT transfers, removing the historical premium that limited adoption. Verification of Payee (VoP) is bundled with the mandate: the sending PSP must verify that the IBAN matches the beneficiary name before initiating the transfer, reducing impersonation fraud. SCT Inst transactions are subject to the same per-transaction limit of €100,000 as standard SCT (raised from previous lower limits), making the scheme suitable for a wide range of B2B and B2C payments.

SEPA SCT

Also: SEPA Credit Transfer

Standard euro credit transfer scheme covering 36 European countries. Standardised IBAN-based addressing; settlement typically next business day.

Settlement

Final irrevocable transfer of value from payer to payee. Distinct from clearing (the netting and instruction-passing process before settlement).

Sponsor bank

Chartered bank that fronts payment-scheme access (or in the US, banking services) for a non-bank fintech. The sponsor bank carries the regulatory exposure and the fintech operates as a programme manager.

Standby Letter of Credit

Also: SBLC

Letter of credit issued as a payment-of-last-resort guarantee rather than primary payment mechanism. Used in performance guarantees, project finance, and counterparty exposure mitigation.

SWIFT

Also: Society for Worldwide Interbank Financial Telecommunication

SWIFT is the Belgium-headquartered member-owned cooperative that operates the standardised messaging network used by financial institutions worldwide for cross-border payment instructions, securities-settlement messages, treasury operations, and trade-finance communications. Founded in 1973 to replace the earlier telex-based system, SWIFT now connects more than 11,000 financial institutions in 200+ countries and territories. Crucially, SWIFT does not move funds itself: it transmits standardised messages (originally MT format, now migrating to ISO 20022) between member institutions, and the underlying funds settlement happens via correspondent banking relationships, central-bank payment systems (Fedwire, TARGET2, CHAPS), or netting through clearing houses. SWIFT messages are highly structured — each message type has a defined set of fields, with field formats specified to allow automated processing — and the message format is what enables the payment-system interoperability that defines the modern cross-border payment system. SWIFT is also a sanctions-enforcement choke point: when sanctioned institutions are excluded from SWIFT, they lose practical access to international correspondent banking even where local regulation would otherwise permit transactions. The sanctions-driven exclusions imposed on Russian banks following the 2022 invasion of Ukraine demonstrated SWIFT's geopolitical centrality. CBPR+ (Cross-Border Payments and Reporting Plus) is the ongoing migration to ISO 20022, replacing legacy MT messages with richer XML-based MX messages and completing in November 2025.

Banking access and friction

6 terms

De-risking

Also: De-banking

De-risking is the process by which a bank exits relationships with categories of clients — sometimes individual clients, sometimes entire client sectors, sometimes whole jurisdictional corridors — to reduce its regulatory, compliance, or correspondent-banking exposure. The decision is rarely driven by misconduct of the specific client; it is more commonly a portfolio-level decision shaped by internal risk-appetite policies that are stricter than the formal regulatory baseline, by supervisory examination feedback that flagged the bank as carrying disproportionate exposure, by correspondent-banking pressure from upstream USD-clearing partners, or by changes in board-level risk appetite following a CRO change. De-risking has been a sustained problem in the regulated-fintech sector — particularly for VASPs, CASPs, EMIs serving correspondent-payment use cases, and businesses operating in remittance corridors to FATF-listed high-risk jurisdictions. The practical experience for the affected client is opaque: a closure notice arrives in standard language, often without specific reason, with thirty to ninety days' notice. Resolution of de-risking issues typically requires either improving the documentation pack to address the underlying compliance concerns, substantively changing the activity profile, or accessing different banking partners whose risk appetite covers the affected category. The phenomenon has attracted regulatory attention internationally — FATF, the FSB, and the World Bank have all published research and guidance on responsible de-risking practices.

In-principle approval

Also: IPA

Non-binding indication from a regulator that an authorisation will be granted subject to specified conditions (capital deposit, hires, systems). Common in MAS (Singapore), HKMA (Hong Kong), and increasingly in MiCA-adjacent EU NCA processes.

MATCH listing

Also: Member Alert to Control High-Risk Merchants

Mastercard-operated database of merchants that have been terminated for serious reasons (chargebacks, fraud, AML breaches). Acquirers query MATCH before onboarding; listing makes new merchant-acquiring extremely difficult.

Pre-approval

Informal indication from a banking partner that they would accept an applicant before a formal application is submitted. Distinct from a credit pre-approval in retail banking.

RFI

Also: Request For Information

Formal compliance question from a bank to a client or applicant, typically during onboarding or periodic review. RFI volume is a leading indicator of how a banking application is likely to resolve.

Tiered banking

Categorisation of banking partners by their willingness and process for fintech onboarding rather than balance-sheet size. Tier-1 covers major commercial banks with formal de-risking policies; Tier-2 covers specialist fintech-friendly banks; Tier-3 covers crypto-native and challenger banks.

AML, KYC and financial crime

18 terms

CDD

Also: Customer Due Diligence

The full set of obligations to identify, verify, and risk-rate customers. Includes KYC and KYB at onboarding plus ongoing monitoring of transactions and risk indicators.

EDD

Also: Enhanced Due Diligence

Strengthened CDD applied to higher-risk relationships (PEPs, high-risk jurisdictions, complex ownership structures). Typically requires senior-management approval, additional source-of-funds documentation, and intensified ongoing monitoring.

KYB

Also: Know Your Business

Know Your Business is the identity-verification process applied to legal entities (corporates, partnerships, trusts, foundations) at onboarding. It is meaningfully more complex than KYC for natural persons because legal entities can layer through holding structures, hold beneficial ownership through trusts or nominees, and operate through cross-border arrangements that obscure control. A complete KYB process verifies the entity's existence and good standing through registry checks at the relevant company-registration authority (Companies House in the UK, equivalent registries in each EU member state, state-level registries in the US, and so on), maps the ownership and control structure up to the ultimate beneficial owners (UBOs) — defined as natural persons holding 25% or more under the EU thresholds, with lower thresholds applying in specifically high-risk circumstances — and verifies each UBO using the same standards applied in customer KYC. KYB also covers source-of-funds and source-of-wealth documentation for the entity, entity-level sanctions screening (against legal-entity sanctions lists in addition to natural-person lists), screening of senior management, review of the entity's licensing and regulatory status where relevant, and verification of the operational reality of the business. Specialist KYB vendors (Sumsub, Onfido, Veriff, Trulioo, ComplyAdvantage among others) automate the registry checks and structure-mapping; the source-of-funds and substance components remain heavily manual.

KYC

Also: Know Your Customer

Know Your Customer is the identity-verification process applied to natural persons at onboarding into a regulated financial relationship. KYC sits inside the broader Customer Due Diligence (CDD) framework required under the EU Anti-Money Laundering Directives, the UK Money Laundering Regulations 2017, the US Bank Secrecy Act, and equivalent statutes globally. A standard KYC process includes verification of a government-issued identity document (passport, national identity card, or driving licence) using a combination of document-authenticity checks and biometric liveness verification; confirmation of residential address through a recent utility bill, bank statement, or government correspondence; sanctions screening against UN, EU, OFAC, UK OFSI, and other relevant lists; politically-exposed-person (PEP) screening; and adverse-media screening for negative news coverage. The depth of KYC required varies with the risk profile of the customer relationship: simplified due diligence (SDD) is permitted in specifically defined low-risk circumstances; enhanced due diligence (EDD) is required for higher-risk relationships including PEPs, customers from high-risk jurisdictions, and complex ownership structures. KYC is technology-supported by specialist vendors — Sumsub, Onfido, Veriff, Jumio are among the most widely used — though the regulatory accountability for the outcome remains with the regulated institution, not the vendor.

KYT

Also: Know Your Transaction

Know Your Transaction is the blockchain-analytics-driven monitoring layer that sits on top of conventional rule-based transaction monitoring, specific to digital-asset flows. KYT addresses risk dimensions that conventional transaction monitoring cannot see because it operates outside the regulated institution's own books: source-of-funds attribution via on-chain analysis traces the history of crypto-asset flows back through the chain to identify whether incoming funds derive from sanctioned addresses, mixers, darknet markets, theft, ransomware, or other categories of high-risk origin. Mixer and tumbler detection identifies funds that have passed through obfuscation services, which itself is a flag even where the ultimate origin is not directly attributable. Sanctions screening applies the same OFAC, EU, UN, and UK OFSI lists to wallet addresses as conventional sanctions screening applies to natural persons and legal entities — OFAC has designated specific mixer protocols (Tornado Cash, Blender.io) creating a clear set of wallet-address-level sanctions that VASPs must screen against. KYT is a distinct compliance layer from KYC (which is identity-driven, applied at onboarding) and from generic transaction monitoring (which is rule-driven, applied to internal transactions). A regulated VASP needs all three: KYC at onboarding to know who the customer is, internal transaction monitoring to detect suspicious patterns of customer behaviour, and KYT continuously to know what each customer is moving through the system on the broader blockchain. Vendors include Chainalysis, Elliptic, and TRM Labs as the market leaders.

See also: Transaction monitoring system

Layering

Money-laundering stage at which illicit funds are moved through complex transaction chains to obscure their origin. Between placement and integration.

PEP

Also: Politically Exposed Person

A Politically Exposed Person is an individual entrusted with prominent public functions, plus that person's immediate family members and close associates. The category covers heads of state and government, senior politicians and members of legislatures, senior judicial and military officials, senior executives of state-owned corporations, leaders of international organisations, and senior officials of political parties. Under EU and UK AML frameworks, PEPs trigger mandatory Enhanced Due Diligence: senior-management approval for the relationship, additional source-of-wealth and source-of-funds documentation, and intensified ongoing monitoring throughout the relationship. PEP status persists for at least 12 months after the public function ends, and many institutions apply longer cooling-off periods or treat former PEPs as 'risk-relevant' indefinitely. The enhanced controls reflect the elevated risk that public officials may use financial systems to launder proceeds of corruption — a risk identified in repeated FATF mutual evaluations and supported by major published cases (Petrobras, 1MDB, the Magnitsky cases) where PEP-linked accounts were used in massive money-laundering schemes. PEP screening is automated by specialist vendors (ComplyAdvantage, Refinitiv World-Check, Dow Jones Risk and Compliance) maintaining global PEP databases that are updated continuously. Domestic PEPs (officials of the institution's own country) are subject to the same EDD obligations as foreign PEPs under EU 5AMLD, though some jurisdictions (notably the UK) operate a tiered approach with reduced controls for low-risk domestic PEPs.

Predicate offence

Underlying criminal activity from which proceeds may be laundered. 6AMLD harmonised the predicate offence list across the EU at 22 categories.

Sanctions screening

Process of checking customers, counterparties, and transactions against international sanctions lists (UN, EU, OFAC, UK OFSI) at onboarding and on an ongoing basis.

SAR

Also: Suspicious Activity Report

UK term for the report filed with the National Crime Agency under the Proceeds of Crime Act 2002 when suspicion of money laundering or terrorist financing arises. Comparable to STR in other jurisdictions.

SDD

Also: Simplified Due Diligence

Lighter CDD applied to specifically defined low-risk relationships (regulated EU financial institutions, listed companies on regulated markets). Available only when documented risk assessment supports it.

Smurfing

Also: Structuring

Breaking a large transaction into multiple smaller ones to evade reporting thresholds. Specifically prohibited under most AML frameworks.

Source of funds

The origin of the specific funds being transacted. Documented through bank statements, sale contracts, payslips, or other transactional evidence. Distinct from source of wealth.

Source of wealth

The origin of a customer's overall financial standing. Documented through tax returns, business sale documentation, inheritance records, or career history. Required at higher CDD tiers.

STR

Also: Suspicious Transaction Report

Mandatory report to a national Financial Intelligence Unit when a regulated entity identifies a suspicious transaction. Filing protected from civil liability. Tipping off the customer is a separate criminal offence.

Tipping off

Disclosing to a customer that a SAR/STR has been filed about them, or that an investigation is underway. Criminal offence under POCA 2002 (UK) and equivalent statutes across the EU.

Transaction monitoring

Ongoing automated and human review of customer transactions against patterns and rules to detect suspicious activity. Outputs alerts, which are dispositioned as either no action or escalated to a SAR/STR.

UBO

Also: Ultimate Beneficial Owner

Ultimate Beneficial Owner is the natural person who ultimately owns or controls a legal entity, identified through ownership thresholds, control mechanisms, or a combination of the two. Under EU AML Directives (5AMLD as transposed into member-state law), the default UBO threshold is 25% direct or indirect ownership of shares or voting rights, with additional categories for persons who exercise control by other means (board control, contractual rights, dominant influence). Where no natural person meets the ownership thresholds, the senior managing official is treated as the UBO by default. UBO registers — public or partially-accessible databases of beneficial ownership — are now operating across the EEA following the 5AMLD transposition deadline of 10 January 2020, though the public-access component was substantially restricted by the November 2022 Court of Justice ruling that struck down the unrestricted-public-access provisions. The UK operates a similar People with Significant Control (PSC) register at Companies House, and the US implemented its Corporate Transparency Act beneficial-ownership reporting regime in 2024. UBO identification is a core component of every Know Your Business (KYB) process, and verifying UBOs at the natural-person level (using the same identity-verification standards applied in customer KYC) is required by the AML Directives. Complex multi-layer holding structures — frequent in international tax-optimised arrangements — make UBO identification operationally challenging and are a focus of FATF mutual evaluations.

Compliance roles and governance

6 terms

CISO

Also: Chief Information Security Officer

Individual accountable for the institution's information-security programme. Specifically referenced in DORA's ICT-risk-management governance requirements.

DPO

Also: Data Protection Officer

Individual responsible for advising on and monitoring GDPR / UK GDPR compliance. Mandatory for public bodies, certain large-scale data processors, and processors of special-category data.

Fitness and propriety

Regulatory test applied to senior individuals at authorisation and on an ongoing basis. Assesses honesty, integrity, reputation, competence, capability, and financial soundness. Reputational issues are routinely the rejection point in late-stage MiCA and EMI applications.

MLCO

Also: Money Laundering Compliance Officer

Individual responsible for the institution's overall AML/CTF compliance programme. In some firms identical to the MLRO; in larger firms, a separate role.

MLRO

Also: Money Laundering Reporting Officer, Nominated Officer

Senior individual responsible for receiving internal suspicious activity reports and deciding whether to escalate to the FIU. UK MLROs perform an SMCR-controlled function.

SMCR

Also: Senior Managers and Certification Regime

FCA / PRA framework for individual accountability in UK regulated firms. Senior Manager Functions require regulatory approval; certified persons are firm-attested annually.

Process and engagement terms

7 terms

Authorisation file

Complete regulatory submission for a licence application. Includes Programme of Operations, AML policy suite, ICT risk framework (DORA), fitness-and-propriety attestations, capital adequacy report, governance documentation, and third-party-risk register.

Grandfathering

Also: Article 143 MiCA

Transitional arrangement allowing entities authorised under pre-MiCA national frameworks to continue operating until 1 July 2026 (or sooner, where member states have shortened the period to 18 months) while applying for full MiCA authorisation.

Passporting

Mechanism allowing a firm authorised in one EEA member state to provide services across the rest of the EEA on a freedom-of-services or freedom-of-establishment basis. Available for EMIs, PIs, MiFID firms, and (post-MiCA) CASPs.

Pre-application engagement

Informal pre-submission meeting offered by some NCAs (notably Bank of Lithuania, Cyprus, Malta) where prospective applicants can preview the proposed business model and receive feedback before formal authorisation file lodgement.

Programme of Operations

Required document in EU and UK financial-services authorisation applications. Walks through services offered, target customer base, AML framework, governance structure, ICT setup, and capital adequacy. The most common reason for late-stage application rejections.

Reverse solicitation

Narrow MiCA exemption applying when a third-country firm is approached by an EEA customer entirely on the customer's own initiative, with no marketing into the EEA. Easily lost through any EEA-targeted advertising, EEA-language support, app-store storefronts, or affiliate referrals.

Substance

Regulatory expectation that an authorised entity has real local presence: directors physically resident in the jurisdiction, real employees, decision-making conducted locally. Increasingly tested by NCAs (notably Bank of Lithuania since 2023).

Compliance technology and systems

7 terms

Adverse-media screening

Automated check for negative news mentions of customers and counterparties. Used during EDD and periodic review cycles. Often packaged with sanctions and PEP screening.

KYC system

Software platform automating identity verification at customer onboarding. Typically covers identity-document capture and verification, biometric liveness checks, sanctions-list screening, and PEP screening. Common vendors include Sumsub, Onfido, Veriff, and Jumio.

KYT system

Blockchain-analytics platform monitoring crypto-asset transactions for source-of-funds attribution, mixer-derived funds, and sanctions exposure. Common vendors include Chainalysis, Elliptic, and TRM Labs.

Sanctions-screening system

Software platform checking customer and counterparty data against international sanctions lists (UN, EU, OFAC, UK OFSI). Both at onboarding and on a daily-batch ongoing basis.

Seed phrase management

Also: Mnemonic management

Procedural and technical framework for the secure storage, rotation, and recovery of cryptographic seed phrases (the 12- or 24-word strings from which crypto-asset wallet keys are derived). Subject to specific operational requirements under BaFin's German crypto-custody licence regime, the Danish FSA's custody supervision, and equivalent frameworks elsewhere.

Transaction monitoring system

Also: TM system

Rule-based software platform processing customer transactions to flag suspicious patterns. Outputs alerts for human disposition. Commonly built around scenario libraries covering smurfing, structuring, rapid movement, and known typology indicators.

Travel Rule provider

Specialist vendor handling the originator-and-beneficiary information exchange required by FATF Recommendation 16. Common providers include Notabene, Sumsub Travel Rule, Sygna, and Veriscope.

Informal value transfer systems

5 terms

Hawala

Also: Hundi, Hewala

Hawala is a centuries-old informal value-transfer system originating in South Asia and the Middle East and still in widespread global use today. The system operates through networks of trusted brokers known as hawaladars, who accept funds from a sender in one location and instruct a corresponding hawaladar in the destination location to release equivalent funds to the recipient. No physical movement of money occurs; settlement between hawaladars is reciprocal, accumulated over many transactions, and resolved through periodic netting, trade-based settlement, or in-kind transfers of goods. The system is fast (often delivering funds within hours), low-cost (typical commission is 0.25–1% versus the 3–8% charged by formal remittance corridors), and accessible in remittance corridors where formal banking is unreliable, expensive, or unavailable to the relevant population. Legal in regulated form in many jurisdictions: the UK requires hawaladars to register as Money Service Businesses (MSBs) with HMRC, the US imposes FinCEN registration as Money Service Businesses, the UAE supervises licensed hawala operators, and several EU member states apply equivalent registration regimes. Compliance obligations on regulated hawaladars include AML/CFT programmes, customer due diligence, transaction monitoring, suspicious-activity reporting, and (above the relevant threshold) Travel Rule information transmission. Unregulated hawala operations remain a significant AML/CFT risk globally and are a frequent focus of FATF mutual evaluations.

MSB

Also: Money Services Business

A Money Services Business is the regulatory category covering currency dealers and exchangers, money transmitters, cheque cashers, issuers and sellers of traveller's cheques and money orders, providers of prepaid access products, and (in the US under FinCEN rules since 2013) businesses dealing in convertible virtual currency. MSB is the umbrella designation under which most non-bank value-transfer activity sits in the United States, Canada, and the United Kingdom; equivalent categories exist in most other jurisdictions under different names. In the US, MSBs must register with FinCEN as a federal matter, then separately license at state level under the various state Money Transmitter Licence (MTL) regimes — a fifty-state patchwork that imposes substantial cost on operators with national reach. In the UK, MSBs must register with HMRC under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. In Canada, MSBs must register with FINTRAC. Across all jurisdictions, MSB registration triggers the standard AML/CFT obligations: written compliance programme, designated compliance officer, customer due diligence, transaction monitoring, suspicious-activity reporting, record-keeping, and ongoing training. Unlike a bank, an MSB does not accept deposits in the legal sense and does not benefit from deposit-insurance schemes — but it is also not subject to the prudential capital and supervisory regime that applies to credit institutions. The MSB category is broad enough to cover business models from a small currency-exchange kiosk to a global remittance operator.

MSO

Also: Money Service Operator

Hong Kong-specific MSB analogue. Licensed by the Hong Kong Customs and Excise Department under the AMLO. Covers money changers and remittance operators. Crypto-asset firms in Hong Kong are not typically licensed as MSOs (the SFC VATP regime applies instead).

Remittance

Cross-border transfer of funds, typically by an individual to family in their country of origin. The largest single use case for both formal MSBs and informal hawala networks.

Underground banking

Generic term for unregulated value transfer systems operating outside the formal banking system. Where specifically organised and trust-based, often referred to as hawala (South Asia / Middle East), fei ch'ien (China), or hundi (South Asia).

Regulators — EEA and UK

18 terms

ACPR

Also: Autorité de contrôle prudentiel et de résolution

France's prudential supervisor (within the Banque de France). Supervises EMIs, PIs, credit institutions, and CASPs jointly with the AMF.

AFM

Also: Autoriteit Financiële Markten

Netherlands conduct regulator for financial markets. Joint supervisor of CASPs alongside DNB.

AMF

Also: Autorité des marchés financiers

France's market regulator. Co-supervises CASPs alongside the ACPR.

BaFin

Also: Bundesanstalt für Finanzdienstleistungsaufsicht

German Federal Financial Supervisory Authority. Authorises crypto-custody licences, EMIs, PIs, and credit institutions. Crypto-custody licence introduced in 2020; an early adopter of regulated digital-asset frameworks in the EEA.

Bank of Lithuania

Also: Lietuvos bankas

Lithuania's central bank and EMI/PI supervisor. Has been a popular EMI-licensing jurisdiction since 2017 due to its fast authorisation timelines and English-speaking supervision.

CBI

Also: Central Bank of Ireland

Irish central bank and financial-services supervisor. Authorises EMIs, PIs, MiFID firms, and CASPs in Ireland.

CSSF

Also: Commission de Surveillance du Secteur Financier

Luxembourg financial-services supervisor. Authorises investment firms, PIs, EMIs, and CASPs.

CySEC

Also: Cyprus Securities and Exchange Commission

Cyprus financial supervisor for investment firms (CIFs), AIFMs, and CASPs. Cyprus has historically been a popular MiFID II-passportable jurisdiction.

DNB

Also: De Nederlandsche Bank

Netherlands central bank and prudential supervisor. Authorises credit institutions, EMIs, PIs, and (jointly with the AFM) CASPs.

EBA

Also: European Banking Authority

EU-level supervisor for the banking sector. Issues MiCA technical standards covering EMTs, supervises significant EMT issuers, and produces AML/CFT guidance.

ECB

Also: European Central Bank

Central bank of the eurozone and direct supervisor of significant credit institutions through the Single Supervisory Mechanism.

ESMA

Also: European Securities and Markets Authority

EU-level supervisor for securities markets. Issues MiCA technical standards, maintains the CASP register, and directly supervises significant ART issuers.

FCA

Also: Financial Conduct Authority

The Financial Conduct Authority is the United Kingdom's conduct regulator for financial services, with operational independence from government and accountability to HM Treasury and Parliament. It supervises some 50,000 firms across retail and wholesale financial markets, including authorised banks (alongside the PRA), investment firms, EMIs and Payment Institutions under the Payment Services Regulations 2017 and Electronic Money Regulations 2011, mortgage lenders, insurance intermediaries, asset managers, consumer-credit firms, and (under the FSMA 2023 framework) crypto-asset firms within scope. The FCA's three statutory objectives are consumer protection, market integrity, and effective competition in the interest of consumers. Its enforcement powers include the ability to fine firms (penalties have included multi-hundred-million-pound fines against major banks), require remediation, restrict activities, withdraw authorisation, and pursue criminal prosecution for market abuse and other offences. The FCA operates the Senior Managers and Certification Regime (SMCR), which holds named senior individuals accountable for specific business areas; SMCR has produced a number of personal-accountability cases against senior bankers. The FCA's crypto-asset-related work has expanded significantly: it operates a register of crypto-asset firms required to comply with the Money Laundering Regulations 2017, supervises stablecoin issuance under emerging UK frameworks, and enforces the financial-promotion rules that brought retail crypto-asset advertising under FCA scope from October 2023.

FINMA

Also: Swiss Financial Market Supervisory Authority

Swiss federal financial-services supervisor. Authorises banks, asset managers, and DLT-trading-system operators under Switzerland's standalone (non-EU) DLT framework.

GFSC

Also: Gibraltar Financial Services Commission

Gibraltar financial-services supervisor. Issues DLT Provider authorisations under the 2017 regulations, a pre-MiCA framework still operating in the British Overseas Territory.

ICO

Also: Information Commissioner's Office

United Kingdom data protection regulator. Enforces UK GDPR, DPA 2018, and PECR.

MFSA

Also: Malta Financial Services Authority

Malta financial-services supervisor. Authorised the original Virtual Financial Asset (VFA) regime in 2018; now also issues MiCA CASP authorisations.

PRA

Also: Prudential Regulation Authority

United Kingdom prudential regulator (part of the Bank of England) for credit institutions, insurance firms, and major investment firms.

Regulators — Americas

12 terms

CFPB

Also: Consumer Financial Protection Bureau

United States consumer-protection regulator for financial products. Regulates payment apps, prepaid cards, and (increasingly) digital-asset retail products.

CFTC

Also: Commodity Futures Trading Commission

United States federal regulator for derivatives markets. Asserts jurisdiction over crypto-asset commodities (notably Bitcoin and Ether spot markets where derivatives exist).

CSA

Also: Canadian Securities Administrators

Council of Canadian provincial and territorial securities regulators. Coordinates the Canada-wide approach to crypto-asset trading platforms via Notices 21-329 and successor guidance.

FDIC

Also: Federal Deposit Insurance Corporation

United States deposit-insurance corporation and supervisor of state non-member banks. Issued joint guidance with the OCC and Federal Reserve on banks' crypto-asset activities.

Federal Reserve

Also: The Fed

United States central bank and bank holding company supervisor. Operates Fedwire and FedNow real-time settlement systems and supervises state-member banks.

FinCEN

Also: Financial Crimes Enforcement Network

FinCEN is a bureau of the United States Treasury Department responsible for safeguarding the financial system from illicit use, combating money laundering and terrorist financing, and promoting national security through the strategic use of financial authorities and intelligence. It administers the Bank Secrecy Act (BSA), the foundational US AML statute, and supervises a wide universe of regulated entities: banks (jointly with primary federal banking regulators), credit unions, money services businesses (MSBs) including virtual currency exchanges, casinos, securities and futures dealers, mutual funds, insurance companies, and dealers in precious metals, jewels, and stones. FinCEN registration is mandatory for MSBs operating in the US, and FinCEN-registered entities must implement comprehensive AML programmes, file Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs), and comply with the FinCEN Travel Rule for transactions above $3,000. FinCEN's enforcement authority has produced major settlements with banks and crypto-asset operators, including multi-hundred-million-dollar penalties for systematic AML failings. The Corporate Transparency Act, which FinCEN implemented from 2024, requires beneficial ownership reporting from millions of US legal entities, a significant expansion of US AML scope. FinCEN also operates as a financial intelligence unit, receiving and analysing SARs and CTRs to support law enforcement and national-security investigations.

FINTRAC

Also: Financial Transactions and Reports Analysis Centre of Canada

Canada's financial intelligence unit and AML supervisor. Registers and supervises money services businesses, including virtual currency dealers.

NYDFS

Also: New York Department of Financial Services

New York State financial-services regulator. Issues the BitLicense for virtual currency businesses serving New York residents and operates a separate trust-charter framework used by several major crypto-asset custodians.

OCC

Also: Office of the Comptroller of the Currency

United States federal banking regulator within Treasury. Charters and supervises national banks and federal savings associations. Issues guidance on banks' permissible crypto-asset activities.

OFAC

Also: Office of Foreign Assets Control

The Office of Foreign Assets Control is the sanctions-enforcement arm of the United States Treasury Department, responsible for administering and enforcing US economic and trade sanctions against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. OFAC maintains the Specially Designated Nationals and Blocked Persons (SDN) List, which identifies individuals and entities owned, controlled, or acting on behalf of sanctioned countries, plus terrorists, narcotics traffickers, and others designated under various sanctions programmes. US persons (US citizens and permanent residents wherever located, US-incorporated entities and their foreign branches, anyone in the US, and certain foreign entities owned or controlled by US persons) are prohibited from engaging in transactions with SDN-listed parties; the prohibition has extra-territorial effect on non-US persons through the threat of secondary sanctions and the centrality of the US dollar in international finance. OFAC enforcement has produced multi-billion-dollar settlements with major global banks for sanctions violations, and has expanded into the crypto-asset sector with designations of specific wallet addresses (Russian-linked malware operators, North Korean state actors), specific mixers (Tornado Cash, Blender.io), and specific exchanges (Garantex, Bitzlato). OFAC compliance is therefore a critical component of any sanctions-screening programme for VASPs and crypto-native financial institutions, alongside the parallel obligations under EU sanctions, UK OFSI sanctions, UN sanctions, and other jurisdictional regimes.

OSFI

Also: Office of the Superintendent of Financial Institutions

Canada's prudential regulator for federally regulated financial institutions.

SEC

Also: Securities and Exchange Commission

United States federal securities regulator. Asserts jurisdiction over crypto-assets that meet the Howey test as investment contracts.

Regulators — Asia-Pacific

7 terms

BoJ

Also: Bank of Japan

Japan's central bank. Operates the BOJ-NET settlement system and supervises payment-service market infrastructure jointly with the JFSA.

HKMA

Also: Hong Kong Monetary Authority

Hong Kong's central bank and prudential regulator. Authorises credit institutions and Stored Value Facility (SVF) issuers; jointly supervises stablecoin issuers under the Stablecoins Ordinance.

IA

Also: Insurance Authority Hong Kong

Hong Kong insurance regulator. Relevant to digital-asset firms providing insurance-linked products.

JFSA

Also: Financial Services Agency Japan

Japan's integrated financial regulator. Supervises Crypto Asset Exchange Service Providers under the Payment Services Act since 2017.

JVCEA

Also: Japan Virtual and Crypto assets Exchange Association

Self-regulatory organisation for licensed Japanese crypto-asset exchanges. Issues binding self-regulatory rules approved by the JFSA.

MAS

Also: Monetary Authority of Singapore

The Monetary Authority of Singapore is Singapore's central bank and integrated financial regulator, with statutory responsibility for monetary policy, banking supervision, capital-markets regulation, insurance supervision, and AML/CFT enforcement across the financial sector. MAS operates one of the most respected financial-services regulatory frameworks globally, with supervisory standards routinely cited as benchmarks by other Asian regulators. The Payment Services Act (PSA), in force since 28 January 2020 and substantially revised since, establishes the framework for payment-services authorisation in Singapore — covering account-issuance services, domestic and cross-border money-transfer services, merchant-acquisition services, e-money issuance, and digital payment token services (DPT services, the Singapore-specific term for crypto-asset services). The PSA defines three licence tiers — Money-Changing Licence (lowest, currency exchange only), Standard Payment Institution licence (SPI, capped at lower transaction volumes), and Major Payment Institution licence (MPI, full activity at scale) — with capital, audit, and ongoing-compliance requirements scaling accordingly. MAS has been particularly selective in granting DPT-service licences: as of 2024, fewer than 30 firms have obtained authorisation despite hundreds of applications, reflecting MAS's emphasis on AML/CFT, technology risk, and consumer protection. MAS also operates regulatory sandboxes and the FinTech Innovation Lab to support new financial-services innovation under controlled conditions.

SFC

Also: Securities and Futures Commission

Hong Kong securities regulator. Operates the Virtual Asset Trading Platform (VATP) authorisation regime introduced in 2023 for crypto-asset exchanges serving Hong Kong residents.

Regulators — Middle East

7 terms

ADGM

Also: Abu Dhabi Global Market

Abu Dhabi's English-common-law financial free zone, distinct from CBUAE-regulated onshore UAE. Supervised by the FSRA.

CBUAE

Also: UAE Central Bank

United Arab Emirates central bank. Supervises licensed banks, exchange houses, and onshore payment-service providers across the seven Emirates outside the DIFC and ADGM free zones.

DFSA

Also: Dubai Financial Services Authority

Independent regulator of the Dubai International Financial Centre (DIFC) financial free zone. Authorises investment firms, banks, and crypto-asset service providers operating exclusively from the DIFC.

DIFC

Also: Dubai International Financial Centre

Dubai's English-common-law financial free zone. Operates its own court system and regulator (DFSA). Distinct from VARA-regulated mainland Dubai.

FSRA

Also: Financial Services Regulatory Authority

Regulator of the Abu Dhabi Global Market (ADGM) financial free zone. Operates one of the earliest specialist crypto-asset frameworks globally, established in 2018.

SCA

Also: Securities and Commodities Authority

United Arab Emirates federal securities regulator. Supervises onshore crypto-asset offerings outside the DIFC, the ADGM, and Dubai (which falls under VARA's authority).

VARA

Also: Virtual Assets Regulatory Authority

VARA is Dubai's standalone virtual-assets regulator, established by Law No. 4 of 2022 as the world's first dedicated regulatory body for virtual asset activities. VARA authorises Virtual Asset Service Providers operating in or from the Emirate of Dubai (excluding the DIFC financial free zone, which is regulated by the DFSA, and excluding offshore activities by ADGM-registered entities, which are regulated by the FSRA). The VARA framework covers seven licensable activities: advisory services, broker-dealer services, custody services, exchange services, lending and borrowing services, virtual-asset management and investment services, and virtual-asset transfer and settlement services. The regulatory rulebook is comprehensive, covering market conduct, custody requirements, technology and information governance, AML/CFT obligations, prudential capital, complaints and dispute resolution, and a specific compulsory regime for virtual asset advertising (the marketing-restriction component is unusually strict among global regulators). VARA has positioned Dubai as a leading global hub for crypto-asset activity, with several major exchanges and custodians having obtained VARA authorisation. Compliance under VARA includes mandatory reporting to the regulator on transaction volumes, custody balances, and operational events, and supervisory examinations are routine. The regime is distinct from but generally compatible with FATF VASP standards and increasingly aligned with MiCA-era expectations.

International standard-setting bodies

6 terms

Basel Committee

Also: BCBS

Basel Committee on Banking Supervision. Sets the global capital, liquidity, and risk-management standards (Basel I, II, III, IV) implemented by national regulators.

BIS

Also: Bank for International Settlements

International institution serving central banks. Hosts the Basel Committee on Banking Supervision and other standard-setting bodies.

FATF

Also: Financial Action Task Force

Inter-governmental body setting international standards on AML, CFT, and counter-proliferation financing. Conducts mutual evaluations and maintains the high-risk-jurisdictions list.

FSB

Also: Financial Stability Board

International body coordinating national financial-stability work. Issues high-level recommendations for crypto-asset and stablecoin activities to G20 jurisdictions.

IMF

Also: International Monetary Fund

International financial institution. Issues policy guidance on crypto-asset frameworks for member countries; co-leads with the FSB on the G20 crypto-asset roadmap.

IOSCO

Also: International Organization of Securities Commissions

International standard-setting body for securities regulators. Issues recommendations on crypto-asset markets, decentralised finance, and tokenisation.