MiCA is the world's first unified regulatory framework for digital assets, and the compliance clock is ticking. The final transitional deadline is July 1, 2026. After that date, every entity providing crypto-asset services to EU customers must hold MiCA authorization or stop operating.
For cross-border payment companies that use stablecoins in settlement flows, this determines which stablecoins you can use, which providers you can work with, and whether your EU payment flows are legal.
A CASP license under MiCA covers ten enumerated services including custody, trading, exchange, transfer, advisory, and order execution for crypto-assets [1].
The authorization process requires establishing a legal entity in an EU member state with genuine management presence (not a brass-plate subsidiary). Minimum capital is EUR 150,000 for most CASP categories. The applicant must submit a business plan, AML/KYC policies, a risk management framework, cybersecurity measures compliant with DORA, governance structure, and financial statements. Management must pass fit-and-proper assessments [2].
Regulator review typically takes 60 to 90 business days from complete application. Total cost from scratch runs EUR 50,000 to EUR 120,000 in legal and compliance preparation fees, plus the capital requirement [3].
The single most valuable feature of MiCA CASP authorization is passporting. One license from any EU member state covers all 27 member states. A CASP authorized in Lithuania can serve customers in Germany, France, Spain, and every other EU country without additional applications [1].
This replaces the pre-MiCA world where each country had its own VASP registration framework, and operating in five EU markets meant five separate registrations with five different compliance regimes.
Five jurisdictions have emerged as primary licensing hubs [4]. Germany attracts larger institutions seeking bank-grade regulatory optics. The Netherlands processed applications quickly and attracted on/off-ramp specialists. Luxembourg hosts global exchanges like Coinbase and Bitstamp. Malta has become home to OKX, Gemini, and Bitpanda. Lithuania is the cost-effective entry point for smaller fintechs transitioning from its existing VASP regime.
From March 2026, custody and transfer services involving E-Money Tokens may require both MiCA authorization and a separate payment services license under PSD2, because EMTs are functionally electronic money [5].
This dual licensing requirement could increase compliance costs substantially for providers handling euro-denominated stablecoins. The overlap has drawn criticism from the industry, with concerns that it undermines Euro stablecoin competitiveness. This is one of several parallel regulatory shifts across global payment markets that are reshaping compliance requirements in 2026.
Separately, Tether's USDT does not meet MiCA's EMT requirements. USDT has been delisted from major EU exchanges. For payment companies processing stablecoin settlements with EU counterparties, USDC (issued by MiCA-compliant Circle) is currently the primary compliant option [5].
If you process stablecoin payments involving EU customers, verify two things. First, that any stablecoin you use is issued by a MiCA-authorized entity. Second, that any intermediary handling settlement is authorized as a CASP or has a valid transitional arrangement that has not yet expired.
The July 1, 2026 deadline is the hard stop. After that, all remaining transitional provisions expire across the EU.
[1] Hacken. "MiCA Regulation: What Crypto Projects Must Know For 2026 Compliance." April 2026. https://hacken.io/discover/mica-regulation/
[2] LegalBison. "Secure Your MiCA License: Gateway to the EU Market." March 2026. https://legalbison.com/mica-license/
[3] Codono. "MiCA Compliance for Crypto Exchanges 2026." March 2026. https://codono.com/blog/mica-compliance-crypto-exchange-guide
[4] Sumsub. "MiCA Regulation and EU Crypto Rules: What Changes in 2026." https://sumsub.com/blog/crypto-regulations-in-the-european-union-markets-in-crypto-assets-mica/
[5] Cyfrin. "MiCA Regulation Explained." November 2025. https://www.cyfrin.io/blog/mica-regulation-explained-a-guide-to-eu-crypto-compliance
Disclaimer: Stablecoin-related services are provided exclusively by Tazapay Canada Corp, a FINTRAC-registered Money Services Business. Tazapay Pte. Ltd. (Singapore) does not provide Digital Payment Token services under the Payment Services Act 2019.
Hong Kong introduced its Virtual Asset Trading Platform (VATP) licensing regime in June 2023. Nine VATPs had been licensed by early 2025 [1]. That was phase one. Phase two is happening now, and the scope is dramatically wider.
In June 2025, the FSTB and SFC jointly published consultation papers proposing two new licensing categories: VA dealing (covering OTC spot trading, brokerage, and block trading beyond exchange matching) and VA custodian services (covering any entity safeguarding private keys or able to transfer client VAs) [2].
Following consultations, they published two additional categories in December 2025: VA advisory services and VA management (portfolio managers investing in virtual assets) [3].
All four regimes are being legislated under the AMLO. Draft legislation is expected in Hong Kong's Legislative Council in 2026 [4].
Unlike MiCA in the EU, Hong Kong's new categories will have a hard commencement date with no grandfathering [3]. Providers are being asked to contact the SFC proactively. An expedited process will be available for entities already licensed under VATP or regulated under the Securities and Futures Ordinance [2].
Penalties: up to seven years imprisonment and HK$5 million fine. The regime applies extraterritorially to overseas entities actively soliciting Hong Kong clients [3]. For companies navigating licensing requirements across multiple jurisdictions simultaneously, Hong Kong's hard commencement model stands in sharp contrast to the EU's extended transitional periods.
If your business touches virtual assets in Hong Kong, assess which of the six categories applies. This includes stablecoin payouts, on-ramp/off-ramp services, and custody. Early engagement with the SFC is not optional.
[1] Fireblocks. "Hong Kong's VATP Licensing: A Strategic Overview." February 2025. https://www.fireblocks.com/blog/hong-kong-virtual-asset-trading-platform-licensing-strategic-overview
[2] Sidley Austin. "Hong Kong Poised to Expand Licensing Regime." July 2025. https://www.sidley.com/en/insights/newsupdates/2025/07/hong-kong-poised-to-expand-licensing-regime-to-cover-virtual-asset-dealers-and-custodians
[3] Sidley Austin. "Hong Kong to Further Enhance Licensing Regime." January 2026. https://www.sidley.com/en/insights/newsupdates/2026/01/hong-kong-to-further-enhance-licensing-regime-for-virtual-assets-to-cover-advisors-and-managers
[4] CoinDesk. "Hong Kong Targets 2026 Legislation for VA Dealer and Custodian Rules." December 2025. https://www.coindesk.com/policy/2025/12/25/hong-kong-regulators-target-2026-legislation-for-virtual-asset-dealer-and-custodian-rules
Disclaimer: Stablecoin-related services are provided exclusively by Tazapay Canada Corp, a FINTRAC-registered Money Services Business. Tazapay Pte. Ltd. (Singapore) does not provide Digital Payment Token services under the Payment Services Act 2019.
For years, Canada's regulatory framework for cross-border payment companies was straightforward. Register as a Money Services Business with FINTRAC, build an AML compliance program, and you were covered. One federal registration, national scope, relatively light-touch compared to the US multi-state licensing grind.
That changed with the Retail Payment Activities Act.
The RPAA created a second layer of federal supervision. Payment service providers performing retail payment activities in Canada must now register with the Bank of Canada, in addition to their FINTRAC MSB registration [1].
The division of responsibility is specific. FINTRAC handles anti-money laundering and counter-terrorist financing: who is moving money, whether transactions are screened against sanctions lists, whether suspicious activity is reported. The Bank of Canada handles operational risk: how the PSP manages end-user funds, how it responds to cybersecurity incidents, whether it has adequate business continuity planning, and whether it reports breakdowns and incidents to the regulator [2].
These are genuinely different regimes. A company can be fully compliant with FINTRAC and still fail the Bank of Canada's RPAA requirements if it lacks a documented operational risk management framework or a fund safeguarding plan. Canada's dual registration is one of five major regulatory shifts happening simultaneously across global payment markets in 2026.
The RPAA applies to any individual or entity that meets all four criteria [3]: performs one or more payment functions not incidental to another service, performs those functions in connection with an electronic funds transfer in Canadian or foreign currencies, has a place of business in Canada regardless of where customers are, or is based outside Canada but directs payment services at Canadian end users.
In practice, this captures fintechs, payment processors, remittance companies, digital wallets, prepaid card programs, merchant acquirers, and most companies facilitating electronic fund transfers. Banks, credit unions, and securities firms are excluded.
For virtual asset businesses, the requirements layer further. You need FINTRAC MSB registration with the virtual currency permission, plus RPAA registration if you perform retail payment activities involving electronic funds transfers [4].
The Bank of Canada opened a 15-day registration window from November 1 to November 15, 2024. PSPs that submitted applications during that window could continue operating while the Bank reviewed applications. On September 8, 2025, the Bank published its PSP registry and began active supervision [5].
As of October 2025, Canada accounts for roughly 84% of all registered or in-review PSP entities, with international applicants from the US, UK, and other jurisdictions making up the rest [6].
PSPs that missed the window or that plan to start operating now must apply at least 60 days before commencing retail payment activities. Operating without registration after September 8, 2025 is a serious violation carrying fines up to $10 million CAD per violation and potential criminal liability for officers [7].
Beyond registration itself, every PSP must build and maintain three operational frameworks [2]:
Operational Risk Management. A written framework covering identification, assessment, mitigation, and monitoring of operational risks across all business lines, technology systems, and third-party relationships. This includes business continuity planning and periodic testing.
End-User Fund Safeguarding. If your PSP holds end-user funds at rest (not just in transit), you must implement a safeguarding framework. Methods include holding funds in trust, segregated accounts, or covered by a guarantee or insurance. The Bank of Canada expects legal opinions on safeguarding arrangements during periodic assessments [8].
Incident Response and Reporting. Documented procedures for detecting, responding to, and reporting operational incidents and breakdowns. Material changes to your business must be notified to the Bank before they take effect.
The first PSP annual report under the RPAA was due March 31, 2026, covering the previous calendar year [4].
If you operate in Canadian payments in any capacity, assess both regimes. The dual-registered MSB + RPAA entity is now the baseline for fintechs operating in Canada. Planning should account for the full compliance build: $100,000 to $200,000 CAD in Year 1 including legal, consulting, and internal staffing costs [7].
Companies already registered as FINTRAC MSBs should not assume they are covered. RPAA registration is a separate process with separate requirements, and FINTRAC compliance does not satisfy the Bank of Canada's operational risk expectations.
For a broader view of how Canada's dual registration fits into the global licensing landscape across five jurisdictions, including the US, EU, Hong Kong, and Singapore, see our complete licensing guide.
[1] Bank of Canada. "About Retail Payments Supervision Mandate." https://www.bankofcanada.ca/core-functions/retail-payments-supervision/about-retail-payments-supervision-mandate/
[2] Bank of Canada. "Supervisory Framework: Registration." https://www.bankofcanada.ca/core-functions/retail-payments-supervision/supervisory-framework-registration/
[3] ComplyFactor. "Retail Payment Activities Act (RPAA) Compliance Guide." January 2026. https://complyfactor.com/retail-payment-activities-act-rpaa-compliance-guide-complete-psp-registration-requirements-canada/
[4] 7Baas. "Canada 2025 MSB & PSP Rules: FINTRAC & RPAA Updates." November 2025. https://7baas.com/canada-2025-msb-psp-fintrac-rpaa-regulations/
[5] NCFA Canada. "Update on Retail Payments Supervision and PSP Registry." August 2025. https://ncfacanada.org/update-on-retail-payments-supervision-and-psp-registry/
[6] NCFA Canada. "Bank of Canada's PSP Registry Goes Live Under RPAA." October 2025. https://ncfacanada.org/bank-of-canadas-psp-registry-goes-live-under-rpaa/
[7] Canada-MSB. "RPAA Canada 2026: Bank of Canada Registration." May 2026. https://canada-msb.com/guide/rpaa/
[8] ComplyFactor. "RPAA Registration Guide." April 2026. https://complyfactor.com/rpaa-registration-guide/
Disclaimer: Stablecoin-related services are provided exclusively by Tazapay Canada Corp, a FINTRAC-registered Money Services Business. Tazapay Pte. Ltd. (Singapore) does not provide Digital Payment Token services under the Payment Services Act 2019.
