Can I get a new BSP VASP licence in 2026?

No. BSP imposed a 3-year moratorium on new VASP licences from 1 September 2022, then extended it indefinitely by Memorandum dated 20 August 2025, effective 1 September 2025. BSP cited consumer protection and cybercrime concerns. Market-entry alternatives are: acquire an existing BSP-licensed VASP, operate under SEC CASP if the activity falls in SEC remit, or wait for the periodic review.

What capital is required under BSP Circular 1108?

Two tiers per BSP Circular 1108. Type A. VASPs that include safekeeping or administration of virtual assets. PHP 50,000,000. Type B. VASPs without safekeeping or administration. PHP 10,000,000. New BSP applications are not being accepted under the current moratorium.

What is the SEC CASP regime?

SEC Memorandum Circular No. 04, Series of 2025 (Rules on Crypto-Asset Service Providers) and No. 05, Series of 2025 (Operational Guidelines), issued 30 May 2025 and effective 5 July 2025. CASPs offering crypto-assets that are securities, or conducting public offering or marketing, register with the SEC. Minimum paid-up capital is PHP 100,000,000 in cash or property excluding crypto-assets.

How long does a SEC CASP licence take?

Realistic end-to-end is 9 to 18-plus months, depending on completeness of the AML programme and corporate governance documentation. The BSP track is currently frozen. SEC review timelines are still settling, the rules took effect on 5 July 2025.

How is crypto taxed in the Philippines?

Corporate income tax of 25% (domestic corporations), or 20% for small domestic corporations under the CREATE Act with net taxable income up to PHP 5M and total assets up to PHP 100M. VAT of 12% may apply to crypto services depending on classification. There is no bespoke crypto tax regime, the BIR treats crypto gains under general income-tax principles.

How long does a BSP VASP application take when the moratorium is not in effect?

Historically, preparation of the corporate, capital and AML file takes 3 to 6 months, and BSP review under the Manual of Regulations for Non-Bank Financial Institutions takes 6 to 12 months or more, for a total of 9 to 18-plus months. As of April 2026 BSP is not accepting new VASP applications, the Monetary Board extended the moratorium indefinitely from 1 September 2025, with only periodic reviews committed.

Philippines Crypto Licence. BSP VASP & SEC CASP in 2026

Overview

The Philippines runs two parallel crypto licensing regimes. The Bangko Sentral ng Pilipinas (BSP) has licensed Virtual Asset Service Providers (VASPs) since BSP Circular No. 1108 took effect on 26 January 2021, but BSP has frozen new VASP licences since September 2022 and extended that moratorium indefinitely from 1 September 2025. The Securities and Exchange Commission (SEC) issued the new CASP Rules (MC 04-2025 and Operational Guidelines MC 05-2025) on 30 May 2025, effective 5 July 2025, capturing crypto-asset service providers offering tokens that are securities or conducting public offering or marketing.

The 2026 reality: a new BSP VASP file is not being accepted. The viable routes for new entrants are SEC CASP, or acquisition of one of the 13 BSP-licensed VASPs (PDAX, Coins.ph, Maya, UnionBank, GCrypto and others) on the BSP register.

Regulators

The BSP licences VASPs under BSP Circular No. 1108, amending the Manual of Regulations for Non-Bank Financial Institutions. Activities in scope include exchange between VAs and fiat, exchange between VAs, transfer of VAs, safekeeping or administration of VAs and provision of financial services related to issuer offers. The SEC Philippines licences CASPs under the SEC Rules on Crypto-Asset Service Providers (MC 04 / 05-2025). An exchange dealing in crypto-assets that are securities and converting to or from PHP needs both BSP VASP and SEC CASP registration.

AML/CFT obligations are supervised by the Anti-Money Laundering Council (AMLC). Tax administration sits with the Bureau of Internal Revenue (BIR), with corporate registration supported by the DTI. Offshore crypto operators targeting non-resident clients may alternatively look to the Cagayan Economic Zone Authority (CEZA) regime, separate from BSP/SEC.

Track 1. BSP VASP under Circular 1108

Capital tiers

Tier	Activities	Min paid-up capital
Type A	With safekeeping and/or administration of VAs (custody)	PHP 50,000,000
Type B	Without safekeeping/administration of VAs	PHP 10,000,000

BSP Circular 1108 also requires fit-and-proper directors and senior officers, an AML/CFT programme aligned with AMLC rules and BSP issuances, the Travel Rule, technology-risk management, and a robust customer-protection framework.

Application fees (BSP VASP)

Filing fee: PHP 1,000 (non-refundable), payable on submission.
Registration fee: PHP 100,000 on grant of the VASP authority.
Annual supervisory fee: PHP 300,000, payable each year a VASP holds the BSP authority.

These sit alongside the paid-up capital requirement (PHP 10M Type B / PHP 50M Type A) and the ongoing cost base for AMLC compliance, external audit and technology-risk management. SEC CASP registrants pay separate SEC filing fees scaled to paid-up capital under the SEC Memorandum Circular No. 03-2020 schedule.

Enforcement against unregistered operators

Operating a VASP or CASP in the Philippines without the relevant BSP or SEC authority is treated as an unauthorised financial activity. On 25 August 2025 the SEC publicly flagged five more unregistered crypto platforms; on the same cycle, BSP issued a reminder to banks and financial firms not to transact with unregistered VASPs. Penalties under the General Banking Law, the Securities Regulation Code and the Anti-Money Laundering Act include monetary fines, cease-and-desist orders, asset freezes by the AMLC, and criminal liability for responsible officers. Foreign platforms serving Filipino residents without SEC CASP registration fall within the same enforcement perimeter, the CASP Rules apply extraterritorially where marketing targets the Philippine public.

BSP moratorium, extended indefinitely

Status as of April 2026

BSP imposed a 3-year freeze on new VASP licences from 1 September 2022. The freeze was extended indefinitely by BSP Memorandum dated 20 August 2025, effective from 1 September 2025, citing consumer-protection and cybercrime concerns. The Monetary Board approved the extension and BSP indicated it will “periodically review” in line with industry and global trends. New BSP VASP applications are not being accepted.

Practical market-entry options:

Acquire an existing BSP-licensed VASP, the BSP register currently lists about 13 VASPs.
Operate under SEC CASP if the activities fall under SEC remit and do not require BSP licensure (e.g., security-token offerings without PHP fiat conversion).
Wait for the periodic review, and stage a file ready for the moment the freeze lifts.

Track 2. SEC CASP under MC 04-2025 and 05-2025

SEC Memorandum Circular No. 04, Series of 2025 (Rules on Crypto-Asset Service Providers) and No. 05, Series of 2025 (Operational Guidelines) were issued on 30 May 2025 and took effect on 5 July 2025.

Key requirements

Entity: SEC-registered domestic stock corporation.
Minimum paid-up capital: PHP 100,000,000 in cash or property, excluding crypto-assets.
Physical office in the Philippines.
Robust AML/CFT programme aligned with AMLC rules.
Public offering and marketing of crypto-assets subject to CASP Rules, disclosures, risk warnings, no misleading marketing.

High-level checklist

Domestic stock corporation registered with the SEC; physical office in the Philippines.
Capital satisfied: PHP 10M (BSP Type B), PHP 50M (BSP Type A), or PHP 100M (SEC CASP).
Fit-and-proper directors and key officers; controlling-shareholder review.
AML/CFT programme aligned with AMLC, BSP Manual or SEC CASP rules.
Travel Rule integration for VA transfers.
Customer-protection framework, disclosures, complaints, suitability assessment.
Technology-risk management framework, custody architecture, segregation.
Three-year business plan, financial projections, AML risk assessment.
File application. BSP via the Manual of Regulations process (currently frozen) or SEC via the new CASP rules.
Post-licensing: ongoing reporting, periodic on-site inspections, AMLC compliance.

Process and timeline

Step	BSP VASP	SEC CASP
Pre-application, entity, capital, AML programme	3–6 months	4–6 months
Regulator review	6–12+ months (frozen)	5–12+ months (settling)
Total realistic	Frozen	9–18+ months

Taxation

Corporate income tax: 25% (domestic corporations), or 20% under the CREATE Act for small domestic corporations with net taxable income ≤ PHP 5M and total assets ≤ PHP 100M.
VAT: 12%, may apply to crypto services depending on classification.
No bespoke crypto tax regime; the BIR treats crypto gains under general income-tax principles.

Type A vs Type B, which BSP VASP tier fits your model

The two-tier design of BSP Circular 1108 is often misreported by aggregators. The single distinguishing variable is custody, whether the VASP safekeeps or administers virtual assets on behalf of clients, or holds instruments enabling control over those VAs. Every other activity in the scope list (VA-to-fiat exchange, VA-to-VA exchange, transfer of VAs, issuer-related financial services) is available under either tier.

	Type A, custody-enabled	Type B, no custody
Minimum paid-up capital	PHP 50,000,000	PHP 10,000,000
Safekeeping / administration of client VAs	Yes	No
VA-to-fiat & VA-to-VA exchange	Yes	Yes
Transfer of VAs	Yes	Yes
Issuer-related financial services	Yes	Yes
Typical business model fit	Full-service exchange with hot/cold-wallet custody; custodial wallet; staking-as-a-service	Non-custodial DEX front-end, introducing broker, fiat on-ramp that sweeps to a third-party custodian, pure transfer/remittance
Technology-risk depth	Hardware-security-module architecture, multi-sig, insurance, proof-of-reserves	Lighter, client-asset segregation evidenced through third-party custodian SLAs

A common misstep is to assume Type B is available for a retail exchange that merely uses a third-party custodian for cold storage. BSP reads "safekeeping or administration" broadly, if the VASP controls the keys or directs movement of client assets, Type A applies. Many applicants default to Type A to avoid ambiguity. The PHP 50M versus PHP 10M gap is the single biggest cost variable in structuring the file; getting the tier right before capital is injected is the difference between a PHP 40M saving and a failed fit-and-proper review.

AMLC registration, CTR/STR thresholds and the Travel Rule

Both BSP-licensed VASPs and SEC-registered CASPs are covered persons under the Anti-Money Laundering Act. Covered-person registration with the AMLC sits alongside the BSP or SEC licence, it is not optional. The programme must be risk-based, board-approved, independently reviewed and aligned with AMLC issuances as well as the BSP Manual or the SEC CASP rules applicable to the licence held.

Reporting duties are two-pronged: Covered Transaction Reports (CTRs) and Suspicious Transaction Reports (STRs). Single transactions above the AMLA threshold trigger a CTR within the reporting window set by AMLC rules; STRs are triggered by red-flag indicators regardless of amount. Record-keeping runs five years minimum, and the AMLC has direct power to freeze assets of covered persons on ex-parte application. A missed or late CTR is treated as an administrative breach; a missed STR where indicators were present is read as a governance failure and scored against the AML compliance officer's fit-and-proper file.

On the FATF Travel Rule, BSP Circular 1108 already requires VASPs to obtain, transmit and preserve originator and beneficiary information on virtual-asset transfers above the regulatory threshold, in line with FATF Recommendation 16. SEC CASPs under MC 04-2025 and MC 05-2025 must run an AML/CFT programme aligned with AMLC rules within which Travel Rule integration is assumed. Practical implementation routes include IVMS-101 messaging, sunrise-issue mitigations for non-compliant counterparty VASPs, and sanctions screening calibrated to the AMLC and OFAC lists. The AML compliance officer, appointed in writing and cleared by the regulator, signs off on Travel Rule policy and on counterparty due diligence used to accept or reject transfers.

CEZA Cagayan, the offshore alternative path

A third regime sits outside the BSP and SEC perimeter. The Cagayan Economic Zone Authority (CEZA) licenses offshore Financial Technology Solutions and Offshore Virtual Currency Exchange (OVCE) operators inside the Cagayan Special Economic Zone. The CEZA regime is reserved for operators servicing non-resident clients only; onboarding Philippine residents under a CEZA licence is not permitted and places the operator back under BSP or SEC perimeter.

CEZA is not a workaround for the BSP moratorium for a domestic-facing business. It is relevant where the commercial target is non-resident retail or institutional flow, the group wants a Philippine presence, and the resident-exclusion condition is acceptable. Operators considering CEZA should map carefully against the SEC CASP Rules' extraterritorial reach, marketing that reaches the Philippine public pulls the operator back into the SEC register irrespective of the CEZA authority held. The BSP and SEC routes remain the default for groups serving the domestic market.

Bank-account access, the real bottleneck

A licence is necessary but not sufficient. Philippine banks apply enhanced due diligence to VASPs and CASPs under BSP AML guidance, and even licence-in-hand applicants routinely see 3–6-month onboarding cycles, monitored-account conditions, limited USD corridors and declined correspondent-bank relationships. Since BSP's August 2025 reminder to financial firms not to transact with unregistered VASPs, banks have tightened both sides of the screen, they verify licence status against the BSP register and the SEC CASP list before opening operating accounts.

Realistic sequencing: (i) incorporate the domestic stock corporation and fund paid-up capital into an escrow or initial deposit account; (ii) begin bank onboarding in parallel with the BSP or SEC file, not after approval; (iii) prepare detailed source-of-funds, UBO, AML-programme and sanctions-screening packs on day one; (iv) expect at least two banks to decline before one accepts; (v) plan operational continuity for a period where only one domestic bank and one overseas correspondent are live. Fit-and-proper clearances for directors and the AML compliance officer materially shorten this cycle, a clean AMLC file and a board with independent directors are read positively by bank AML committees.

FAQ

Can I file a new BSP VASP application?

No. BSP extended the moratorium indefinitely from 1 September 2025. The route is acquisition of an existing BSP VASP or SEC CASP if the activity fits.

What capital does SEC CASP require?

PHP 100,000,000 in cash or property excluding crypto-assets.

Are BSP and SEC overlapping?

Sometimes. Crypto-assets that are securities and converted to or from PHP can require both BSP VASP and SEC CASP. Many activities sit cleanly in one regulator's remit.

How does PH compare with neighbours?

For a fresh-start exchange in 2026, Thailand and Malaysia are easier paths than waiting on BSP. Labuan works for offshore profiles.

Will the BSP moratorium lift?

BSP committed to periodic review in line with global trends. There is no public timeline. Plan against it remaining in force, with a contingency to file quickly if it lifts.

What is the difference between BSP VASP Type A and Type B?

BSP Circular 1108 defines two tiers by reference to custody. Type A covers VASPs whose activities include safekeeping or administration of virtual assets (custody), minimum paid-up capital PHP 50,000,000. Type B covers VASPs without safekeeping or administration, for example, a non-custodial exchange, transfer or fiat on-ramp that does not hold client assets, at PHP 10,000,000 paid-up capital. All other scope activities (VA-to-fiat, VA-to-VA, transfer, issuer-related financial services) are available under both tiers.

How long does a BSP VASP application take (outside the moratorium)?

Historically, preparation of the corporate, capital and AML file runs 3–6 months, and BSP review under the Manual of Regulations for Non-Bank Financial Institutions runs 6–12+ months, a realistic 9–18+ months end-to-end. As of April 2026, BSP is not accepting new VASP applications; the Monetary Board extended the moratorium indefinitely from 1 September 2025, with only periodic reviews committed.

What are the AMLC obligations for a Philippines VASP or CASP?

Both BSP-licensed VASPs and SEC-registered CASPs are covered persons under the Anti-Money Laundering Act and must register with the AMLC, run a risk-based AML/CFT programme, conduct KYC and ongoing due diligence, keep records, and file Covered Transaction Reports and Suspicious Transaction Reports. The programme must align with AMLC rules and with the BSP or SEC issuance applicable to the licence held.

Does the Philippines apply the FATF Travel Rule?

Yes. BSP Circular 1108 requires VASPs to implement Travel Rule controls for virtual-asset transfers, alongside the AML/CFT programme and AMLC-aligned obligations. SEC CASPs under MC 04-2025 and MC 05-2025 must run a robust AML/CFT programme aligned with AMLC rules; Travel Rule integration is expected within that programme.

What staffing and governance does a licensee need?

BSP Circular 1108 and the SEC CASP Rules both require fit-and-proper directors and senior officers and a physical office in the Philippines. Licensees must appoint an AML compliance officer and staff the AML/CFT programme, operate technology-risk management, internal audit and customer-protection functions, and commission an annual external audit. SEC CASP additionally requires a domestic stock corporation with PHP 100M paid-up capital in cash or property excluding crypto-assets.

Which documents does an application require at a high level?

Domestic stock corporation registered with the SEC; paid-up capital proof (PHP 10M BSP Type B, PHP 50M BSP Type A, PHP 100M SEC CASP); fit-and-proper documentation for directors and key officers; AML/CFT programme aligned with AMLC, BSP Manual or SEC CASP rules; Travel Rule integration; customer-protection framework (disclosures, complaints, suitability); technology-risk framework, custody architecture and asset segregation; three-year business plan and financial projections; AML risk assessment.

What are the penalties for running an unregistered crypto exchange in the Philippines?

Operating without BSP VASP or SEC CASP authority is an unauthorised financial activity. Penalties under the General Banking Law, Securities Regulation Code and Anti-Money Laundering Act include monetary fines, cease-and-desist orders, AMLC asset freezes and criminal liability for responsible officers. SEC actively flags unregistered platforms, five were publicly listed on 25 August 2025, and BSP has instructed financial institutions not to transact with unregistered VASPs. The SEC CASP Rules apply extraterritorially where a foreign platform markets to the Philippine public.

What fees does a BSP VASP pay on top of capital?

BSP charges a PHP 1,000 non-refundable filing fee on submission, a PHP 100,000 registration fee on grant of the VASP authority, and a PHP 300,000 annual supervisory fee for each year the authority is held. These sit alongside the PHP 10M (Type B) or PHP 50M (Type A) paid-up capital and the ongoing cost base for AMLC compliance, external audit and technology-risk management.

Can CEZA replace BSP or SEC for domestic operations?

No. The CEZA Offshore Virtual Currency Exchange regime is reserved for operators servicing non-resident clients only. Onboarding Philippine residents under a CEZA licence is not permitted and pulls the operator back under BSP or SEC perimeter. CEZA is a complement for offshore-only business models, not a moratorium workaround for a domestic exchange.

Why is bank-account access considered the hardest step?

Philippine banks apply enhanced due diligence to VASPs and CASPs and routinely run 3–6-month onboarding cycles, monitored-account conditions and limited USD corridors. Since BSP's August 2025 reminder to financial firms not to transact with unregistered VASPs, banks verify BSP register and SEC CASP list status before opening operating accounts. Plan to begin bank onboarding in parallel with the BSP or SEC file, expect at least two declines before an acceptance, and keep fit-and-proper files and source-of-funds documentation ready from day one.

Who must be appointed as AML compliance officer and what is the fit-and-proper test?

Both BSP Circular 1108 and the SEC CASP Rules require a named AML compliance officer with sufficient seniority, authority and independence, cleared by the regulator under a fit-and-proper test covering integrity, competence, financial soundness and absence of disqualifying convictions or regulatory findings. Directors, senior officers and controlling shareholders are screened on the same basis. In our practice, AMLC-facing compliance-officer fit-and-proper reviews are the most common rejection trigger, the file benefits from a candidate with documented AMLA/CFT training, prior covered-person experience and a clean regulator record.