TL;DR - A VASP is any business that exchanges, transfers, or custodies crypto for you, and under FATF rules it must verify your identity and screen your wallet for sanctions, mixer, and stolen-funds exposure before it lets funds move.
If a crypto exchange has ever asked you to verify your identity, held a deposit for review, or wanted to know where your coins came from, you have already dealt with a VASP. The term shows up in regulator filings, exchange terms of service, and compliance blogs, but rarely with a plain explanation of what it is or why it changes how your wallet gets treated. Most guides describe VASPs from the regulator's side; this one looks at what the label means for you, the person sending funds in.
What is a VASP (virtual asset service provider)?
A VASP, or virtual asset service provider, is any person or company that carries out crypto services on someone else's behalf as a business. The Financial Action Task Force (FATF), the global body that sets anti-money-laundering standards, coined the term in 2019 when it updated Recommendation 15 to bring crypto firms under the same rulebook as banks.
FATF defines a VASP by what it does, not what it calls itself. A business is a VASP if, for its customers, it does any of the following: exchanges crypto for regular currency, swaps one crypto for another, transfers crypto between addresses, holds or controls crypto on your behalf, or helps issue and sell a new token. In practice that covers centralized exchanges, custodial wallet apps, OTC trading desks, and many crypto ATM operators.
VASPs provide crypto services on your behalf and carry AML duties; a self-custody wallet you control alone does not.
What does a VASP have to do under AML rules?
Being classed as a VASP triggers the same core obligations a bank carries. The firm has to run a written anti-money-laundering programme, identify its customers (know your customer, or KYC), monitor transactions, keep records, and report suspicious activity to its regulator.
Two rules matter most to you as a user. The first is customer due diligence: the VASP has to know who you are, which is why you upload an ID and a selfie. The second is the Travel Rule, FATF Recommendation 16, which makes a VASP share sender and receiver details with the next VASP for transfers above a set threshold - FATF recommends USD/EUR 1,000, though some countries such as the United States use a higher figure. It is the same information-sharing logic banks use for wire transfers, applied to crypto. If you want the mechanics of how that affects peer-to-peer sends, see our explainer on the Travel Rule and self-custody transfers.
Why does a VASP screen your wallet?
An AML programme is not just about knowing your name. Before a VASP credits a deposit, it runs the incoming address through blockchain analytics - a process called know your transaction, or KYT. The check asks whether your funds trace back to anything on a sanctions list, a mixer such as Tornado Cash, a known hack or theft, a darknet market, or a scam cluster, and it does this across every chain the exchange supports.
If the screen comes back clean, you never notice it. If it flags exposure, the VASP can hold the deposit, ask for a source-of-funds letter, restrict withdrawals, or - in serious cases - freeze the account and file a report. This is the same wallet screening that decides whether a routine deposit clears in seconds or turns into a week of back-and-forth.
You can look up your own address on a block explorer such as Etherscan, but that only shows raw transactions, not whether any of those funds trace back to a sanctioned entity or a mixer. Plastron runs that risk screening instantly and for free: screen the address with Plastron to see sanctions, mixer, and stolen-funds exposure across Ethereum and six more EVM chains before a VASP ever sees it.
Every deposit to a VASP is screened for sanctions, mixer, and stolen-funds exposure before it clears.
Is your own self-custody wallet a VASP?
No. A wallet where you alone hold the private keys - a hardware wallet, or a self-custody app where the provider never controls your funds - is not a VASP, because no third party is providing the service of moving or holding crypto for you. The software maker is not acting on your behalf; you are.
The line gets blurry with some decentralized-finance front ends, and regulators are still arguing over which DeFi services should be treated as VASPs. But the everyday rule holds: if someone else can freeze, move, or control your coins, they are almost certainly a VASP and carry AML duties. If only you can, you are not one.
What does the VASP framework mean before you deposit?
The practical takeaway is that the moment your crypto touches a VASP, it gets judged - not on your intentions, but on the on-chain history of the coins themselves. Funds that passed through a mixer or brushed against a sanctioned address two or three hops back can trip a flag even if you did nothing wrong.
That is why screening your own wallet before you send it to an exchange is worth the two minutes. If the address is clean, you deposit with confidence. If it is not, you learn why before a compliance team does, and you can prepare a source-of-funds explanation instead of scrambling after a freeze.
FAQ
Is a VASP the same as a crypto exchange?
An exchange is the most common type of VASP, but the category is broader. Custodial wallet providers, OTC desks, and crypto ATM operators are also VASPs because they transfer or hold crypto on customers' behalf.
Does being a VASP customer mean my wallet is flagged?
No. It means the VASP will screen your deposits and verify your identity. A clean address passes without you noticing; only exposure to sanctioned, stolen, or mixed funds triggers a review.
Are decentralized exchanges VASPs?
It depends on how much control they exercise. A fully non-custodial protocol where users trade peer-to-peer may fall outside the definition, but many front ends add screening or custody features that pull them back in. Regulators are still clarifying this.
Why do VASPs ask for a source of funds?
When screening or transaction monitoring flags a deposit, the VASP must satisfy its AML obligations by understanding where the money came from. A source-of-funds request is how it documents that the funds are legitimate before releasing them.
Disclaimer: This article is for educational and informational purposes only and is not legal, financial, tax, or compliance advice. Crypto carries risk; you act on this information at your own risk. Always do your own research and consult a qualified professional before making decisions. Views are the author's own and do not constitute financial, legal, or investment advice.
About Plastron
Plastron is a free, non-custodial wallet screening tool. It checks Ethereum and six EVM chains for AML and KYT risk — sanctions exposure, mixer contact, and stolen-funds proximity — and returns a risk report in seconds. It reads public on-chain data only: it never takes custody of funds and never asks for private keys.