BSP Licensing for Crypto Exchanges and Virtual Asset Service Providers (VASP) in the Philippines

Introduction: Why BSP licensing matters for foreign crypto exchanges

Foreign blockchain companies that want to operate a cryptocurrency exchange or custodial wallet service in the Philippines must address two immediate realities: (1) Philippine regulators treat crypto-related services as financial activity with heightened consumer and financial-system risk, and (2) compliance is driven heavily by anti-money laundering (AML) controls and capitalization/financial capacity expectations. Even if a company is lawfully incorporated abroad, offering services to users in the Philippines can trigger local regulatory and AML obligations.

This article explains the typical legal steps and compliance building blocks foreign firms should prepare to meet BSP expectations—especially on AML and capital adequacy—so they can legally operate a crypto exchange or wallet service in the Philippines.

1) What a VASP is, and why the BSP is central to licensing

In the Philippines, VASPs are generally understood as entities that provide services involving virtual assets (e.g., exchange between virtual assets and fiat, transfer of virtual assets, custody/administration of virtual assets, and related financial services). While the detailed VASP definitions and licensing mechanics are found in BSP regulations (not reproduced in the materials provided here), the BSP’s gatekeeping role is strongly reinforced by statutes that expanded BSP oversight over non-bank financial services and payment-related activities.

A helpful illustration of the policy direction is that the Supreme Court has recognized how supervening legislation can confirm and broaden BSP authority over financial service providers that previously “fell into a crack” of regulation. In Bangko Sentral ng Pilipinas v. Werquick, Inc., G.R. No. 246028 (2025), the Court discussed legislative developments recognizing the need for BSP oversight over money service businesses and related actors, and treated the challenge to the issuance as mooted by a later law that addressed the same regulatory subject.

2) Threshold question for foreign companies: Are you “doing business” in the Philippines?

Before licensing, a foreign crypto company must assess whether its operating model amounts to doing business locally (e.g., maintaining an office, employing staff, appointing local agents with authority to bind the company, marketing and onboarding Philippine customers in a sustained way). If a foreign corporation is considered to be doing business in the Philippines, it generally needs authority to transact business locally.

Under the Revised Corporation Code, a foreign corporation that has complied with requirements may be issued a license to transact business in the Philippines. Upon issuance, it may commence business, subject to continuing conditions such as the post-licensing deposit requirement for the benefit of local creditors (with enumerated eligible securities and a minimum value stated by law). (R.A. No. 11232, Sec. 143, 2019)

3) Core compliance drivers: AMLA coverage and reporting expectations

Crypto exchanges and custodial wallet providers should assume that regulators will closely scrutinize them for AML/CTF risk because virtual assets can be used to move value quickly across borders. Philippine AML compliance is anchored on the Anti-Money Laundering Act (AMLA) and its amendments.

3.1 Who is regulated under AMLA

AMLA defines covered institutions and covered transactions, and creates a reporting ecosystem intended to detect suspicious activity. For example, AMLA defines “covered institution” broadly to include banks and many financial entities supervised by the BSP, Insurance Commission, and SEC. It also defines “covered transaction” by reference to amount thresholds and patterns of unusually large or complex transactions lacking credible purpose. (R.A. No. 9160, Sec. 3, 2001)

AMLA amendments also expanded “covered persons” to include certain non-financial service providers—while carving out an important limitation for lawyers and accountants acting as independent professionals in relation to client information, to protect client confidences and the attorney-client relationship. (R.A. No. 10365, 2013)

3.2 Confidentiality is limited where AML enforcement is involved

Firms should understand that AML investigations and prosecutions are designed to pierce confidentiality barriers when lawful processes are followed. In Republic of the Philippines v. Sandiganbayan, et al., G.R. Nos. 232724-27 (2021), the Supreme Court emphasized that AMLC functions include investigation and disclosure necessary for prosecution, and that AMLC cannot refuse compliance with a subpoena when the depositor has waived secrecy and the request is properly described and relevant.

3.3 Typical AML program elements regulators expect

While the exact BSP and AMLC rulebooks contain more detailed requirements, foreign crypto firms commonly need to build and document the following controls before applying:

• Customer Due Diligence (CDD/KYC): identity verification, beneficial ownership checks, risk profiling, and enhanced due diligence for higher-risk customers.
• Transaction monitoring: rules and systems to flag red flags (rapid in/out flows, layering patterns, use of mixers/tumblers, unusual geolocation activity, etc.).
• Sanctions/terrorist financing screening: screening customers and counterparties against relevant lists and implementing escalation procedures.
• Suspicious transaction reporting workflow: internal detection, investigation, documentation, and timely submission of required reports.
• Governance: appointment of a qualified compliance officer, board and senior management oversight, staff training, and independent audit/testing.

4) Capitalization and financial capacity: proving you can operate safely

Foreign VASPs should expect BSP to require evidence of adequate capitalization and financial capacity, both to protect customers and to ensure operational resilience. While the precise capitalization threshold depends on BSP’s current VASP regulations (not included in the provided materials), applicants should be prepared to show:

• Paid-up capital / net worth support appropriate to the risk level and scale of operations.
• Liquidity planning and treasury controls (especially if offering fiat on/off-ramps).
• Custody and safeguarding arrangements, including cold storage policies, key management, and segregation of client assets (where applicable).
• Technology and cyber risk controls (incident response, access controls, penetration testing, vendor risk management).

5) Payments angle: when your model triggers payment system regulation

If the crypto business model includes operating a payment system (for example, running rails that enable fund transfers among users or merchants), the National Payment Systems Act can become relevant. It requires payment system operators to register with the BSP and provides that operators of designated payment systems may need to incorporate as stock corporations and comply with BSP minimum requirements. It also restricts SEC registration of certain entities without a BSP certificate of authority. (R.A. No. 11127, Secs. 10–12, 2018)

6) Step-by-step: a foreign company’s typical route to legal operations

The details vary depending on the business model (exchange, broker, custodian wallet, cross-border remittance, on/off ramp, or a combination). A typical sequencing looks like this:

Step 1: Define the product and regulatory perimeter

Map your exact activities: exchange, custody, transfer, brokerage, issuance, staking, or derivatives. The licensing obligations differ depending on which regulated activity you are performing and whether you touch fiat rails or payment systems.

Step 2: Decide the Philippines operating structure

Choose between (a) a Philippine subsidiary or (b) a foreign entity seeking a license to do business (where applicable). If your intended model constitutes doing business locally, secure authority under the Revised Corporation Code’s foreign corporation licensing rules. (R.A. No. 11232, Sec. 143, 2019)

Step 3: Build the AML compliance program before filing

Prepare policies, workflows, and system capabilities aligned with AMLA expectations. AMLA’s structure (covered institutions/transactions) shows the importance of thresholds, pattern detection, and reporting. (R.A. No. 9160, Sec. 3, 2001)

Also address legal professional privilege boundaries correctly: if you engage Philippine counsel, note the statutory exclusion for lawyers acting as independent legal professionals in relation to client information, but do not treat this as a shield against the company’s own reporting obligations. (R.A. No. 10365, 2013)

Step 4: Prepare capitalization/financial proofs and governance documents

Assemble corporate approvals, audited financial statements (or equivalent), source-of-funds documentation, capital infusion plans (if needed), and governance materials (board charter, compliance officer appointment, risk management structure).

Step 5: Address data handling, cybersecurity, and disclosure readiness

Expect lawful requests for information in investigations. The Supreme Court’s discussion in AML-related litigation underscores that confidentiality is not absolute where lawful processes apply and relevance is shown. (Republic of the Philippines v. Sandiganbayan, et al., G.R. Nos. 232724-27, 2021)

Step 6: File BSP application and coordinate parallel registrations (if applicable)

File the BSP licensing application based on your VASP activity and, if relevant, register as a payment system operator under the National Payment Systems Act. (R.A. No. 11127, Sec. 10, 2018)

Step 7: Operationalize post-approval obligations

After approval, maintain continuing compliance: periodic reporting, independent compliance testing, renewal requirements (if any), and ongoing AML training and monitoring. If operating as a licensed foreign corporation, comply with continuing RCC conditions, including the statutory deposit requirement after license issuance (where applicable). (R.A. No. 11232, Sec. 143, 2019)

7) Common scenarios and compliance responses

Scenario A: Offshore exchange serving Philippine users via website/app only

If marketing is targeted and sustained toward Philippine users, and onboarding includes Philippine KYC and local payments, regulators may view the operation as functionally operating in the Philippines. Risk increases if there are local agents, customer support teams, or local collection/disbursement arrangements.

Scenario B: Custodial wallet with fiat cash-in/cash-out via local partners

This setup increases exposure to AML and payments regulation because the service bridges fiat rails and virtual assets. AML controls must cover partner onboarding, transaction monitoring, and suspicious activity escalation. (R.A. No. 9160, Sec. 3, 2001)

Scenario C: Corporate structuring using nominees or formation services

AMLA amendments explicitly brought “company service providers” into the AML coverage universe, reflecting regulatory concern over beneficial ownership opacity. Foreign firms should keep beneficial ownership documentation complete and audit-ready. (R.A. No. 10365, 2013)

8) Quick reference table: compliance areas regulators usually test

Area	What regulators look for	Main legal anchor (illustrative)
AML program	CDD/KYC, monitoring, reporting workflow, compliance officer, training, audit	R.A. No. 9160 (2001); R.A. No. 10365 (2013)
Confidentiality vs lawful process	Ability to comply with subpoenas/orders; documentation; lawful disclosure controls	Republic of the Philippines v. Sandiganbayan, G.R. Nos. 232724-27 (2021)
Payments regulation (if applicable)	Registration as payment system operator; BSP authority; corporate requirements for designated systems	R.A. No. 11127 (2018), Secs. 10–12
Authority to do business (foreign corp)	License to transact business; post-license deposit for creditors	R.A. No. 11232 (2019), Sec. 143

Conclusion: recommended preparation steps for foreign VASPs

To legally operate a crypto exchange or custodial wallet in the Philippines, foreign blockchain companies should prioritize (1) a clear determination of the regulated activities involved, (2) a licensing and corporate presence plan consistent with Philippine foreign corporation rules, and (3) a documented, operational AML program aligned with AMLA obligations. The BSP’s supervision of payment-related and financial service activities, supported by legislation and recognized in jurisprudence, reflects an enforcement environment where licensing and compliance are expected upfront rather than retrofitted later. (Bangko Sentral ng Pilipinas v. Werquick, Inc., G.R. No. 246028, 2025)

Before filing, it is advisable to complete a gap assessment against AMLA controls (CDD, monitoring, reporting, governance), assemble capitalization and source-of-funds documentation, and confirm whether the business model also triggers registration under payment system rules. (R.A. No. 9160, 2001; R.A. No. 11127, 2018; R.A. No. 11232, 2019)

About Nicolas and De Vega Law Offices

 Nicolas and de Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.