The MiCA Fast Track for Cryptocurrency Licenses: Why OKX and BVNK Choose Malta

Author: CryptoLicense Lao Cheng

Previously, we discussed several popular cryptocurrency licenses, including MiCA CASP, Switzerland SRO, Abu Dhabi ADGM, and the unclear framework direction of Poland VASP, etc. (You can find this in past content; if you can't find it, feel free to message Lao Cheng privately).

Among these licenses, MiCA CASP is one of the most frequently asked about. Many friends feel that the threshold is high and the process is long. However, under the MiCA framework, some member countries are actually more suitable as the first license entry point for cryptocurrency businesses, and Malta, often referred to as the "Blockchain Island," is one of them.

Why is Malta's CASP license often considered the starting point for EU compliance? How can it be obtained? What types of businesses can CASP cover, and what can it not cover? Which companies are suitable for it? This article will discuss Malta, which is indeed the first license choice for many companies seeking EU compliance, but the market controversies that need to be clarified cannot be ignored.

1. Where to place the first MiCA license? Why is Malta often chosen?

MiCA has fully come into effect, and if you want to conduct cryptocurrency business in the EU, you must obtain CASP authorization. But the question arises: all 27 member countries plus 3 EEA countries can issue CASP licenses, so where should the first license be placed? This is the real choice that companies need to make. MiCA is a unified framework, but the execution varies greatly among member countries.

• France AMF: Known for its strict review process, OKX abandoned the French market due to high standards;

• Germany BaFin: Emphasizes that it issues "immediately effective formal licenses," not "principled approvals" from some jurisdictions, and KWG banking law and WpHG securities trading law overlay CASP; if it involves RWA tokenized securities, it means needing an additional investment company license;

• Netherlands AFM and DNB: Dual regulation, CASP approval requires coordination between two agencies; Crypto.com was once placed on the AFM warning list for operating without a license.

Lao Cheng will briefly supplement the background of MiCA: The European Commission first proposed it in September 2020, and the European Parliament officially passed it in April 2023, with full implementation in June 2024. It is a complete set of unified regulatory frameworks established by the EU for cryptocurrency asset service providers, stablecoin issuance, custody, trading, and related compliance governance, aiming to create a single rule system for the entire European market. The framework is unified, but differences emerge in how each country executes it.

It is against this backdrop that Malta has attracted attention. It is important to clarify a premise: the passporting mechanism under MiCA, simply put, is a "license passport." Once authorized in any member country, it can be used to expand services to other EU/EEA markets. This means that passporting is a mechanism shared by all EU member states.

So why do companies still prefer to choose Malta? Because where the first license is placed directly determines the launch path and efficiency of the entire EU business. Lao Cheng analyzes that there are three main reasons:

1. Market recognition inertia: To conduct cryptocurrency business in Europe, Malta is the most frequently mentioned starting point, and this label itself reduces communication costs for companies, investors, and partners.

2. Mature regulatory path: Malta had the VFA system early on and then smoothly transitioned to MiCA/CASP. Regulatory agencies, service providers, and legal advisors are more familiar with cryptocurrency businesses, and this "familiarity" itself is an advantage.

3. More suitable as a business combination entry point: Businesses such as exchanges, custody, exchange, and order execution that fall under CASP can be more easily integrated into a complete story in Malta, and then the business can be expanded throughout the EU through passporting.

2. Crypto giants like OKX cluster together, but market controversies cannot be ignored

The reason Malta is frequently mentioned in the market is that it has already accommodated various leading companies' compliance points, and the business models of these companies illustrate how combination landing works.

• OKX: Became the first global exchange to obtain MiCA pre-authorization in February 2025 and clearly stated that it would use Malta as its European center for EEA; by February 2026, OKX obtained a payment institution (PI) license in Malta, allowing its stablecoin-related payment services to continue under the frameworks of MiCA and PSD2. It is worth noting that OKX did not obtain a universal license but rather a CASP + PI combination, which precisely illustrates what CASP can do and what it cannot cover.

• Crypto.com: Earlier, in July 2021, it obtained a VFA third-class license and electronic money institution (EMI) license in Malta, indicating that Malta can accommodate not only exchange-type businesses but also cover payment, card issuance, and bank transfer-related compliance arrangements.

• BVNK: In February 2026, stablecoin payment infrastructure company BVNK obtained a CASP license under the MiCA framework issued by the Malta Financial Services Authority (MFSA), further indicating that this path is applicable not only to exchanges but also to stablecoin payments and other digital asset infrastructure companies.

However, the controversies are also evident.

The core of the doubts surrounding Malta is whether "the review is strict enough." There are voices at the EU level and in the market that believe if the review standards among different member countries vary too much, regulatory arbitrage will occur: companies tend to choose faster and more lenient jurisdictions to complete their first licenses and then expand throughout Europe through passporting.

In 2025, ESMA (European Securities and Markets Authority) conducted a peer review of Malta's MiCA authorization, questioning why some CASPs were approved while issues had not been fully resolved. Market comments are more direct, with some opinions comparing this rapid approval to "a la carte licensing," suggesting that while convenience is enhanced, it may also weaken the rigor of MiCA's unified regulation.

3. Current regulatory policies of "Blockchain Island" Malta

Against the backdrop of MiCA having fully come into effect, Malta's regulatory system has also completed its alignment with this unified framework.

Overview of the legal framework:

• Malta's cryptocurrency regulation has shifted from the early VFA era to the MiCA/CASP system.

• The EU Regulation (EU) 2023/1114 unified the basic rules for the issuance, public offering, trading, and related services of cryptocurrency assets.

• Malta has implemented this framework into its national law through the Markets in Crypto-Assets Act, 2024.

• MFSA as the competent authority is responsible for executing authorizations and ongoing supervision.

Malta's current regulatory focus revolves around CASP, ART, whitepaper notifications, and ongoing obligations. In terms of core requirements, the MFSA's MiCA Rulebook has clearly outlined content related to applications and authorizations, governance structure, capital and safeguards, customer asset protection, outsourcing management, information disclosure, ongoing reporting, and termination of authorization. In simple terms, Malta is no longer "local separate rules," but is connected to the EU's unified framework, emphasizing consistency and cross-border enforceability.

From a positioning perspective, Malta's role in the MiCA system is very clear: it is the member state most often regarded as the starting point for cryptocurrency business combinations. This "entry-type positioning" determines that its value mainly comes from the channel attributes of passporting, rather than the local market itself. Companies choose Malta because they aim to expand their business throughout the EU from here.

Specifically, Malta's entry-type positioning is reflected in three aspects:

1. CASP authorization supports multi-service integration: A single CASP authorization can specify multiple service types at the time of application, allowing trading platforms, custody, exchange, and order execution to be integrated into the same license without needing separate applications. In contrast, member countries like Hungary require parallel approvals for multiple types of businesses, which may extend the overall timeline to 9-18 months, while Malta typically follows a single CASP path, usually taking 6-12 months.

2. Additional authorizations can proceed in parallel within the same jurisdiction: Businesses not covered by CASP, such as stablecoin issuance requiring ART issuer authorization and payment services needing PI/EMI licenses, have corresponding application paths in Malta and can be advanced in sync with CASP. OKX's CASP + PI combination is a ready example.

3. Supporting ecosystem has taken shape: Malta has accumulated cryptocurrency regulatory experience since the VFA era, and local legal advisors, compliance consultants, and auditing firms are very familiar with cryptocurrency businesses. This "familiarity" can provide significant convenience in practice.

However, to be frank, MiCA is a unified framework, and Malta does not have a super license; its advantages lie in the efficiency of path integration and the maturity of the supporting ecosystem. Because of this, Malta's regulatory reputation will be scrutinized: once the approval standards are perceived as too fast or too lenient, the outside world will question whether it will weaken the rigor of MiCA's unified regulation. The more important the entry point, the stricter the scrutiny, which is inevitable.

4. Scope of CASP authorization and application process

According to Malta's Markets in Crypto-Assets Act and the MiCA Rulebook and application notice published by MFSA in 2025, new applicants should submit authorization applications to MFSA under the MiCA framework; for entities that already hold VFA licenses locally before December 30, 2024, there are transitional arrangements and simplified processes.

(1) What can CASP cover, and what can it not cover

This is a point that many friends get confused about, and Lao Cheng thinks it is necessary to clarify this before discussing the application process.

CASP authorization targets "cryptocurrency asset services," and a single CASP authorization can specify multiple service types at the time of application, covering them under one license after approval. MiCA specifies 9 items: operation of trading platforms, custody and management, exchange, order execution, receiving and transmitting orders, portfolio management, cryptocurrency asset consulting, token placing, and transfer services.

What types of businesses can these services support?

• Cryptocurrency exchanges: Trading platform operation + custody + exchange + order execution can all be covered by a single CASP license.

• Wallet and custody services: Custody + transfer services can handle both user asset safekeeping and on-chain transfers.

• Stablecoin transfers and exchanges: As long as stablecoins are not issued, providing custody, transfer, and exchange of stablecoins is sufficient with CASP.

• Trading and custody of RWA tokens: If RWA tokens are classified as cryptocurrency assets under the MiCA framework (rather than MiFID II securities), CASP can also cover their trading and custody.

However, the following businesses are not covered by CASP:

• Stablecoin issuance: Issuing asset-referenced tokens (ART) requires separate ART issuer authorization; issuing electronic money tokens (EMT) pegged to a single fiat currency can only be done by licensed EMI or credit institutions.

• Payment services: Businesses involving fiat and stablecoin payments require PI (payment institution) or EMI licenses under the PSD2 framework.

• RWA tokens: Depending on the token classification, if classified as financial instruments under MiFID II, they fall completely outside the scope of MiCA and require an investment company license; if classified as ART, ART issuer authorization is needed.

In other words, if you want to do a full-stack business of "exchange plus stablecoin issuance plus payment," a single CASP cannot handle it. This is why OKX obtained CASP plus PI. But if you are doing pure CASP services like "trading, custody, exchange," a single license can indeed cover it all at once during the application.

(2) Application process and core regulatory requirements

The entire application can be divided into three phases: preliminary preparation, formal submission, and review and approval.

Phase 1: Preliminary preparation

The core of this phase is to define the direction and implement the hard conditions before applying.

1. Define the business scope: First, determine what authorizations are needed, whether it is pure CASP services or a combination of CASP + ART issuer authorization, CASP + PI/EMI. Different combinations determine the subsequent application path and capital requirements.

2. Confirm capital requirements: According to CASP service types, the minimum capital is roughly divided into three tiers:

   • €50,000: Receiving and transmitting orders, cryptocurrency asset consulting

   • €125,000: Executing orders, token placing, portfolio management

   • €150,000: Trading platform operation, custody services

   • (If ART issuer authorization or EMI license is also needed, capital requirements will be higher; for example, the minimum capital benchmark for EMI is about €350,000. MFSA will review the source, structure, and sustainability of the funds.)

3. Establish a local entity and governance structure: Register a company in Malta, open a bank account, appoint directors and a company secretary. CASP requires a physical office address (Real Office) and must be able to accept on-site regulatory inspections.

   • Executive requirements: At least 2 executives with relevant experience, with at least 1 being a resident of Malta.

   • Key positions: Typically, a Compliance Officer, MLRO, Risk Manager, and Internal Auditor are also required.

   • Employee scale: Within six months after obtaining the license, the company should have at least 10 employees who actually work in Malta through employment or outsourcing.

4. Prepare application materials: Business plan, financial forecasts, key position arrangements, governance structure, AML/CFT and technical arrangements, outsourcing and control mechanisms.

Phase 2: Formal submission

1. Submit a Statement of Intent: Before formally applying, submit a Statement of Intent to MFSA, indicating the type of business and service scope intended for application.

2. Submit the formal application package: Fill out the CASP application form designated by MFSA and submit it along with all supporting documents and application fees.

3. Completeness check: MFSA will conduct a completeness check upon receiving the application, and any missing items will require resubmission.

Phase 3: Review and approval

1. Substantive review: Review each item according to MiCA rules.

2. Key position suitability assessment and interviews: Conduct background checks and interviews for directors, compliance officers, and other key personnel.

3. Inquiries and corrections: Response speed and quality will directly affect the approval timeline.

4. In-Principle Approval: Accompanied by pre-licensing conditions.

5. Formal license and pre-operational conditions: Issued after meeting pre-licensing conditions, which may include post-licensing conditions.

(3) From Malta authorization to EU Passporting

After obtaining MiCA authorization from MFSA in Malta, you can quickly enter other EEA markets through the passporting mechanism. In practice, simply submitting a notification to the regulatory authority of the target member country allows you to start operations, saving a lot of time.

However, the necessary steps cannot be skipped; before entering each EEA market, notifications and landing actions must be completed, and some countries may add localization requirements. Additionally, passporting eligibility is not permanent. If issues arise (such as major AML problems or revocation of authorization by MFSA), not only may the Malta license be revoked, but the operational rights in other EEA markets will also be affected.

5. Ongoing supervision after obtaining the license

In actual operations, obtaining a license is just the starting point; the real challenge lies in whether it can be maintained long-term:

• Governance and actual control: Major changes usually need to be reported to or approved by MFSA in advance.

• AML/KYC system: Regular reviews and optimizations cannot be neglected.

• Technical and security capabilities: Key management, asset custody, etc., need to operate stably over the long term.

• Compliance operations and external disclosures: Customer asset protection, complaint handling, internal control mechanisms, etc., are key points of regulatory inspection.

• Reporting and auditing obligations: Will continue to be under the supervision and assessment of MFSA.

6. From a practical perspective: Which companies are suitable?

At this point, Lao Cheng still wants to reiterate my long-held view: licenses are more about suitability. The cost-effectiveness will be higher for the following types of companies:

1. Those that already have a mature compliance team.

2. Those looking to enter the EU market, rather than just one country. (The core value lies in passporting)

3. Those with a clear business model who can accept a 4-9 month timeline and higher upfront costs.

4. Those needing multiple compliance pieces such as payment, custody, trading, and stablecoins. (For example, OKX)

7. Conclusion

In the MiCA era, Malta's positioning is very clear: suitable as the first license entry point for cryptocurrency business combinations and the foundation for EU expansion.

Malta's advantages exist, but the controversies are also unavoidable.

First, regarding certainty, CASP supports multi-service integration, additional authorizations can proceed in parallel within the same jurisdiction, and the supporting ecosystem is more mature than in most EU countries. Companies like OKX, Crypto.com, and BVNK have already navigated this successfully.

Then, regarding uncertainty, ESMA has reviewed Malta's approvals, and there are market claims of "a la carte licensing," which are not baseless.