General & Getting Started
The fundamentals — what web3 legal consulting is, who needs it, and why timing matters.
Web3 legal consulting sits at the intersection of financial regulation, securities law, AML/CFT compliance, data privacy, and technology law — and demands genuine technical fluency in how blockchain systems actually function. A skilled general commercial solicitor may excel at contracts or M&A, but they are unlikely to understand why a token's smart contract architecture matters for its securities classification, or how the FATF Travel Rule applies to a cross-chain bridge.
In practical terms: web3 legal services covers four domains. Regulatory advisory — what rules apply to your business, now and as you scale. Legal structuring — how to build your entity and product architecture within those rules. Licensing — obtaining the authorisations you need to operate legally in each jurisdiction. Compliance — maintaining ongoing adherence and building systems that can withstand regulatory examination. Traditional law firms rarely offer all four with genuine web3 depth.
Delaying legal structuring until after launch is the single most costly mistake we see. Legal structuring is effective when it shapes the product; it becomes expensive, and sometimes impossible, when it has to react to a product that is already built and live.
The specific risks of delaying depend on your business type. For token issuers: a token designed without legal input may be classified as a security, requiring retroactive registration, investor refunds, and an SEC or FCA enforcement response — costs that dwarf any early-stage legal budget. For exchanges: operating without the correct VASP licence exposes founders personally to criminal prosecution in most jurisdictions. For DeFi protocols: deploying without considering regulatory reach can leave the founding team personally liable as an unincorporated association.
Our core practice spans the full legal lifecycle of a web3 business. On the regulatory side: regulatory risk assessments, token classification opinions, securities law analysis across multiple jurisdictions. On the licensing side: VARA licence applications in Dubai, MAS PSA licences in Singapore, SFC in Hong Kong, CASP authorisations under MiCA, and management of the full application process including regulator liaison.
On the compliance side: AML/CFT programme design, MLRO-as-a-Service, Travel Rule implementation, sanctions screening review, and ongoing compliance monitoring. On the structuring side: entity structure design across UAE free zones, Cayman, BVI, and Singapore, DAO legal wrappers, token governance frameworks, and cross-border holding structures. We also provide advisory and representation for enforcement matters and regulatory inquiries — including 48-hour emergency response.
We provide primary coverage across 40+ jurisdictions, with deepest expertise in the major web3 hubs: UAE (Dubai VARA, ADGM, DIFC), Singapore (MAS), Hong Kong (SFC), European Union (MiCA across all 27 member states), United Kingdom (FCA), Cayman Islands, BVI, Bahamas, and Switzerland (FINMA).
For jurisdictions outside our core coverage, we work through a network of specialist local counsel — meaning we coordinate multi-jurisdiction mandates and provide the client with a single point of contact rather than requiring them to manage relationships with firms in each country. Our team has coordinated concurrent cross-border legal mandates spanning Asia-Pacific, MENA, Europe, and the Americas.
We understand the pace of web3 businesses and our service model is designed for it. Initial regulatory opinions and basic token classification: typically 3–5 business days. Complex multi-jurisdiction risk assessments: 7–14 days. Licence application preparation (VARA, MAS, SFC): 4–8 weeks depending on complexity and regulatory authority requirements.
For emergency matters — enforcement notices, regulatory contacts, urgent compliance gaps before a launch — we offer 48-hour response to retained clients. The time to build a retained relationship is before you need it urgently.
We work across the full spectrum. Our client base includes centralised exchanges, custodians, OTC desks, DeFi protocol teams, DAO communities establishing legal wrappers, NFT marketplace operators, stablecoin issuers seeking MiCA compliance, RWA tokenisation platforms, and crypto-native investment funds.
DeFi and DAOs raise some of the most complex and unresolved questions in web3 legal — including the personal liability of governance token holders, the applicability of financial regulation to automated market makers, and the legal status of smart contract-based obligations. This is precisely the kind of evolving, high-stakes area where having specialist counsel makes the difference between getting it right and facing enforcement.
Licensing & Registration
VASP licences, VARA, MiCA, Singapore PSA, and navigating the global licensing landscape.
Whether your business requires a VASP licence depends on two things: what activities you conduct, and which jurisdictions you conduct them in or from. At a high level, licensing is typically required when you exchange virtual assets for fiat (or between virtual assets), hold or control virtual assets on behalf of others (custody), or facilitate the transfer of virtual assets between addresses on behalf of customers.
The analysis is more complex than it first appears. "Facilitating" transfers includes business models that may not consider themselves exchanges — including payment processors, OTC desks, certain wallet providers, and some DeFi front-ends. Most major regulators also assert jurisdiction over businesses serving their customers even if those businesses are incorporated elsewhere. The safest approach is a licensing analysis before you launch. Our team conducts licensing requirement assessments — typically 3–5 business days — that map your business model against the regulatory frameworks of every jurisdiction you intend to operate in.
The VARA licensing process in Dubai has four stages: Initial Approval, Minimum Viable Product (MVP) licence, Full Operational Licence, and (for certain activities) a VASP Licence. For most businesses, the meaningful operating permission begins at MVP stage, which permits limited operations while full licence review continues.
Total timeline from application submission to Full Operational Licence typically ranges from 6 to 18 months depending on the complexity of your business model, the quality of your application documentation, and VARA's current review backlog. Our experience indicates that well-prepared applications — with all documentation in order, robust AML/CFT frameworks in place, and fit-and-proper vetted senior management — consistently progress faster than the average. We manage the entire process, including VARA liaison and query responses, from initial filing through to licence grant.
MiCA (Markets in Crypto-Assets Regulation) became fully applicable in December 2024 and creates a single regulatory framework across all 27 EU member states. A business authorised as a CASP in one EU member state can passport that authorisation across the entire EU — a major commercial advantage over the previous patchwork of national frameworks.
Whether you need a CASP authorisation depends on: (a) whether you provide crypto-asset services to EU-based clients, and (b) what services you provide. MiCA covers exchange, transfer, custody, placing of crypto-assets, portfolio management, advice, and reception and transmission of orders. MiCA explicitly excludes certain activities — including NFTs (in most cases) and DeFi protocols with genuine decentralisation. Determining whether your product falls within or outside MiCA scope requires careful legal analysis rather than assumption.
In Singapore, crypto exchanges providing Digital Payment Token (DPT) services are regulated under the Payment Services Act 2019. Depending on your transaction volumes and business scope, you need either a Standard Payment Institution (SPI) licence (lower thresholds) or a Major Payment Institution (MPI) licence (higher volumes, full activity scope).
The MAS application process is known for its rigour — MAS has one of the highest bars of any crypto regulator globally, and a significant proportion of applications have been rejected or withdrawn since 2020. A strong application requires robust AML/CFT documentation, a credible compliance framework, experienced senior management with strong fit-and-proper track records, adequate technology infrastructure, and a credible business plan. We have guided multiple MPI licence applications through the full MAS process and can manage the complete submission.
Whether you can operate while a licence application is pending depends entirely on the jurisdiction and regulatory framework. Some jurisdictions provide a transitional operating window: VARA in Dubai offers an MVP phase permitting limited operations during licence review; certain EU member states provided transitional arrangements for existing VASPs under MiCA; Singapore's PS Act historically provided transitional provisions for businesses operating before the Act came into force.
What is universally true: operating without the required licence, where no transitional protection exists, is a criminal offence in most major jurisdictions. The analysis of whether a transitional arrangement applies to your specific situation requires careful legal review — it should not be assumed. We advise clients on this assessment as a standard part of licensing onboarding.
In Hong Kong, virtual asset trading platform (VATP) operators must be licensed by the Securities and Futures Commission (SFC) under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO). As of June 2023, all VATPs operating in Hong Kong or actively marketing to HK investors must be licensed. The SFC's VATP licensing requirements are comprehensive: robust AML/CFT programme, segregation of client assets, cybersecurity standards, responsible persons approved by the SFC, and compliance with the SFC's terms and conditions.
Note: Hong Kong's SFC framework has specific requirements around which tokens can be offered to retail investors. Security tokens may also require a Type 1 (dealing in securities) and/or Type 7 (providing automated trading services) licence. The interplay between the VATP licence, Type 1, and Type 7 requirements requires careful analysis for any exchange seeking to offer a broad range of tokens to retail customers.
Tokens & Token Launches
Token classification, securities risk, ICOs, TGEs, governance tokens, and stablecoin frameworks.
The Howey Test is the primary US legal framework for determining whether a token is a security (investment contract). Under Howey, an instrument is a security if there is: (1) an investment of money, (2) in a common enterprise, (3) with an expectation of profit, (4) derived from the efforts of others. Most token sales satisfy all four elements — which is why the SEC has taken the position that the vast majority of tokens are securities.
Outside the US, different frameworks apply. MiCA in the EU distinguishes between crypto-assets, asset-referenced tokens, and e-money tokens. Switzerland's FINMA has its own categorisation. Singapore applies a separate securities analysis under the Securities and Futures Act. Token classification must be assessed jurisdiction by jurisdiction — a token that passes Howey in the US may be classified differently under EU or Swiss law. We provide formal token classification opinions covering all relevant jurisdictions as a standalone service.
A legally structured TGE begins with a token classification analysis covering all jurisdictions where the token will be offered or traded. This determines the regulatory framework that applies, what disclosure and registration obligations exist, and whether any jurisdictions should be explicitly excluded from the sale.
Based on that analysis, the key structural decisions include: the issuing entity (Cayman Islands Foundation or BVI entity are common for international TGEs); the jurisdiction from which the sale is conducted; investor eligibility criteria (geographic restrictions, accredited investor requirements); legal documentation (token sale agreement, terms of use, whitepaper legal review); and token distribution mechanics to ensure no securities law violations arise from the structure of the sale itself. We manage the full TGE legal process — from classification through to launch — and provide a legal opinion that the team and investors can rely on.
Governance tokens occupy one of the most legally uncertain positions in the digital asset landscape. The "pure governance" argument — that a token conferring only voting rights, with no economic interest, is not a security — has significant weaknesses in practice. Most governance tokens are also traded on secondary markets, were sold at a price determined by the issuer, and exist in a context where holders expect the token's value to rise based on the efforts of the development team. This is precisely what Howey was designed to capture.
The Ooki DAO enforcement case demonstrated that regulators are willing to pierce the "decentralisation" veil. The CFTC successfully argued that Ooki DAO was an unincorporated association, and that token holders who voted on governance proposals were personally liable as members. This significantly increased the risk profile for all governance token holders, not just issuers. The safest approach is to design the governance structure, wrapper entity, and token distribution to minimise securities characteristics — and to document that design rationale carefully from the outset.
Stablecoins face some of the heaviest regulatory requirements of any digital asset category. Under MiCA, stablecoins fall into two regulated categories: Asset-Referenced Tokens (ARTs, which reference one or more assets, rights or currencies other than a single official currency) and E-Money Tokens (EMTs, which reference a single official currency). Both require authorisation before issuance in the EU (EMT issuers must be authorised as a credit institution or an electronic money institution), with stringent reserve, redemption, and reporting obligations. "Significant" ARTs and EMTs face additional requirements, including supervision by the European Banking Authority.
Outside the EU: UAE requires CBUAE approval for payment tokens. Singapore finalised its stablecoin regulatory framework in 2023 under MAS. The UK is developing specific stablecoin legislation. The US has multiple competing frameworks under development. The international picture for stablecoin issuers requires very careful multi-jurisdiction legal analysis — the regulatory burden is substantial and failure to comply prior to launch is not a viable option in any major market.
NFT projects face three primary legal risk areas. First: securities law — while most one-of-a-kind NFTs are unlikely to be securities, NFT collections that are sold with promises of future utility, revenue sharing, or are marketed as investments can attract securities law scrutiny. The SEC has pursued enforcement in cases where NFTs functioned economically like investment contracts. Second: intellectual property — NFT buyers often assume they are acquiring copyright in the underlying work. In most cases they are not: only the token is transferred, not the underlying IP. Clear, enforceable terms defining what rights are transferred are essential. Third: consumer protection and AML — NFT marketplaces may have AML/CFT obligations depending on their jurisdiction and transaction volumes, and consumer protection laws apply where buyers are retail customers.
AML/CFT & Compliance
Anti-money laundering obligations, KYC, the Travel Rule, MLRO, and sanctions compliance.
A compliant AML/CFT programme for a web3 business covers six core pillars: (1) a documented business-wide ML/TF risk assessment; (2) written AML/CFT policies and procedures manual; (3) a KYC/CDD programme covering identity verification, customer risk rating, and ongoing due diligence; (4) automated transaction monitoring with blockchain analytics integration; (5) sanctions screening covering all major lists including wallet address screening against OFAC-designated addresses; and (6) a Travel Rule solution for virtual asset transfers above local thresholds.
All of this must be underpinned by governance: an appointed and regulator-approved MLRO, board-level AML oversight, staff training with records, independent annual audit, and a 5+ year record retention infrastructure. The specific requirements vary by jurisdiction — VARA's AML-CFT Standards, MAS PSN02, FCA SYSC 6, and MiCA Article 89 each impose distinct obligations. We design and implement programmes that meet all applicable standards simultaneously.
The FATF Travel Rule (Recommendation 16) requires VASPs to collect and transmit originator and beneficiary information for virtual asset transfers above threshold limits, typically USD/EUR 1,000, though the EU's Transfer of Funds Regulation (TFR) applies from €0 with no de minimis. The information required includes the originator's name, account number (wallet address), and one further identifier (address, national ID number, customer ID number, or date and place of birth), plus the beneficiary's name and account number.
It applies to any business classified as a VASP — exchanges, custodians, OTC desks, and payment processors. The operational challenge is significant: blockchain transfers don't natively carry this data, so VASPs must implement separate messaging systems (Notabene, Sygna, VerifyVASP, TRP, TRUST, or similar). We advise on Travel Rule solution selection, implementation, and gap assessments — including managing the "sunrise problem" of trading with non-compliant VASP counterparties.
A Money Laundering Reporting Officer (MLRO) is the senior individual responsible for overseeing an organisation's AML/CFT compliance. In most licensed VASP jurisdictions — VARA, FCA, SFC, MAS — the MLRO must be approved by the regulator before the business can operate. The individual must demonstrate appropriate experience and competence to the regulator's satisfaction.
In practice, the MLRO owns the AML/CFT programme, reviews and approves policies, receives all internal suspicious activity reports from staff, decides whether to file Suspicious Transaction Reports (STRs) with the relevant Financial Intelligence Unit, provides AML reporting to the board, and liaises with regulators on AML matters. We offer MLRO-as-a-Service for businesses that cannot yet hire a full-time in-house MLRO — providing a pre-approved, experienced MLRO who performs all statutory functions while working closely with your team.
Sanctions compliance for crypto exchanges operates at two levels. Customer-level screening: all customers must be screened against OFAC SDN, EU Consolidated Sanctions List, UN Consolidated List, and applicable local lists at onboarding and whenever list updates occur. Wallet address screening: OFAC designates specific cryptocurrency wallet addresses (as it has done for Tornado Cash, among others), and exchanges must screen all incoming and outgoing wallet addresses against these designations — transacting with a sanctioned address triggers the same blocking obligations as transacting with a sanctioned person.
The stakes are high: under IEEPA, OFAC can impose a civil penalty per violation of the greater of a statutory maximum in the hundreds of thousands of dollars (inflation-adjusted annually) or twice the value of the transaction, and wilful violations carry criminal liability. The Bittrex ($24M), BitPay ($507K), and Kraken ($362K) OFAC settlements illustrate the types of violations OFAC pursues in crypto, in each case the failure to use available IP and location data to prevent users in sanctioned jurisdictions from transacting. Blockchain analytics tools (Chainalysis, TRM Labs, Elliptic) are considered essential infrastructure for sanctions compliance at any meaningful transaction volume.
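The wallet-address screening and Travel Rule threshold logic described in the two passages above, as an added example that is not the page's own code or any vendor's product. The sanctions entries are constructed placeholders, not real OFAC designations; the jurisdiction codes, the USD-equivalent amounts, and the inclusive reading of the USD/EUR 1,000 de minimis are assumptions you must replace with the rule that actually binds you. The one point the paragraphs do not spell out is normalisation: an Ethereum address may be written in EIP-55 mixed case or all lowercase, and a bech32 Bitcoin address in upper or lower case, so a naive case-sensitive compare against a sanctions list silently misses hits.

```python
"""Sanctioned-address screening plus Travel Rule threshold logic (added illustration)."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# CONSTRUCTED placeholder list, not real designations. A real programme loads the
# digital-currency address fields from OFAC's SDN list plus an analytics vendor feed,
# and stores them already normalised by the same function used at screening time.
SANCTIONED = {
    "ETH": {"0x00000000000000000000000000000000deadbeef"},
    "BTC": {"bc1qconstructedsanctionsplaceholder0000000000"},  # not a valid address
}

# Travel Rule thresholds in USD-equivalent. EU TFR: no de minimis. Elsewhere the
# FATF USD/EUR 1,000 figure is assumed and treated as inclusive (check local rule).
TRAVEL_RULE_THRESHOLD_USD = {"EU": Decimal("0")}
DEFAULT_THRESHOLD_USD = Decimal("1000")


def normalize_address(chain: str, address: str) -> str:
    """Canonical form for comparison; must match how the list itself was stored."""
    addr = address.strip()
    if chain == "ETH":
        # EIP-55 checksummed and all-lowercase spellings denote the same account.
        if not (addr[:2].lower() == "0x" and len(addr) == 42):
            raise ValueError(f"malformed ETH address: {address!r}")
        return addr.lower()
    if chain == "BTC":
        # bech32 (bc1...) is defined case-insensitively; legacy base58 (1.../3...) is not.
        return addr.lower() if addr[:3].lower() == "bc1" else addr
    raise ValueError(f"unsupported chain: {chain}")


def is_sanctioned(chain: str, address: str) -> bool:
    return normalize_address(chain, address) in SANCTIONED.get(chain, set())


def travel_rule_required(jurisdiction: str, amount_usd) -> bool:
    threshold = TRAVEL_RULE_THRESHOLD_USD.get(jurisdiction, DEFAULT_THRESHOLD_USD)
    return Decimal(amount_usd) >= threshold


@dataclass
class Transfer:
    chain: str
    direction: str               # "in" (deposit) or "out" (withdrawal)
    counterparty: str            # external address on the other side
    amount_usd: Decimal
    jurisdiction: str            # where this VASP is licensed, e.g. "EU", "AE", "SG"
    originator_name: Optional[str] = None
    beneficiary_name: Optional[str] = None


@dataclass
class Decision:
    action: str                  # "block", "hold" or "allow"
    reasons: list = field(default_factory=list)


def screen_transfer(t: Transfer) -> Decision:
    """Screen both directions: a sanctions hit blocks; missing Travel Rule data holds."""
    if t.direction not in ("in", "out"):
        raise ValueError(f"unknown direction: {t.direction!r}")
    reasons = []
    # Sanctions come first and apply to deposits as well as withdrawals: receiving
    # from a designated address is a blocking event, not a review item.
    if is_sanctioned(t.chain, t.counterparty):
        reasons.append(f"{t.direction}bound counterparty matches a sanctioned address")
        return Decision("block", reasons)
    if travel_rule_required(t.jurisdiction, t.amount_usd):
        missing = [f for f in ("originator_name", "beneficiary_name") if getattr(t, f) is None]
        if missing:
            reasons.append("Travel Rule data missing: " + ", ".join(missing))
            return Decision("hold", reasons)
        reasons.append("Travel Rule data present")
    else:
        reasons.append("below Travel Rule threshold")
    return Decision("allow", reasons)


if __name__ == "__main__":
    # Checksummed spelling of the placeholder: still a hit after normalisation.
    print(screen_transfer(Transfer("ETH", "in", "0x00000000000000000000000000000000DeAdBeEf",
                                   Decimal("5"), "EU")))
    # EU: €0 threshold, so a 50 USD withdrawal without counterparty data is held.
    print(screen_transfer(Transfer("ETH", "out", "0x" + "0" * 39 + "1", Decimal("50"), "EU")))
```

The "hold" outcome is where the sunrise problem surfaces in practice: a counterparty VASP that has not implemented the Travel Rule cannot supply the data, and the policy decision of what to do with that transfer (reject, return, or accept with enhanced due diligence) has to be written down before the first such transfer arrives.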
In practice, blockchain analytics tools have become a de facto mandatory requirement for any licensed VASP. No regulation names Chainalysis or Elliptic, but regulators including VARA, MAS, the FCA, and the SFC expect VASPs to have the technical capability to screen on-chain transactions, identify exposure to high-risk wallets (mixers, darknet markets, sanctioned addresses), and trace funds. Without blockchain analytics, a transaction monitoring system is fundamentally incomplete for the crypto context.
Beyond regulatory expectation, blockchain analytics provides critical protection: it allows you to identify funds from ransomware payments, darknet markets, or hacks before they enter your platform, so that you do not unknowingly receive proceeds of crime and create your own AML exposure. Regulators reviewing any serious licence application will ask which blockchain analytics tools are deployed and how they are used operationally.
Legal Structure & Jurisdiction
Entity structure, DAO legal wrappers, jurisdiction selection, and cross-border structuring for web3.
There is no universally "best" jurisdiction — only the right jurisdiction for your specific business model, product, markets, and risk profile. The five criteria that matter most: (1) Regulatory clarity — does the jurisdiction have a clear, published framework for your business type? (2) Market access — does a licence here give you access to the markets you want to serve? (3) Banking access — can you open accounts and access payment infrastructure? (4) Tax efficiency — what is the effective corporate tax treatment of digital asset income? (5) Talent and operations — can you build and operate your team here?
The most common jurisdictions in our client base: UAE (Dubai, ADGM) for MENA-focused and global operations seeking regulatory clarity and tax efficiency; Singapore for Asia-Pacific; Cayman Islands for investment vehicles and holding structures; BVI for IP holding and token issuance; and EU member states for EU market access under MiCA passporting. Many sophisticated web3 businesses use multi-entity structures — an operating entity in a licensing jurisdiction, a holding entity in a tax-efficient jurisdiction, and a foundation for token governance.
A DAO without a legal wrapper is an unincorporated association — meaning every token holder who participates in governance may be personally and jointly liable for the DAO's obligations. This is not theoretical: the CFTC's enforcement against the Ooki DAO explicitly established personal liability for governance token holders who voted on proposals. Every DAO with real-world activities — employing contributors, entering contracts, holding treasury assets, operating a protocol — needs some form of legal entity to insulate participants from liability.
Common DAO legal wrapper structures include: Cayman Islands Foundation Company (most flexible, widely used for international DAOs), Marshall Islands DAO LLC (specifically designed for DAOs), Wyoming DAO LLC (US-centric), BVI Foundation, and Swiss Association. The right wrapper depends on your DAO's specific activities, governance model, community composition, and tax considerations. We design DAO legal structures as a core part of our web3 legal services practice.
The UAE has three distinct regulatory environments for financial services businesses. The Emirate of Dubai (including its free zones, but excluding the DIFC) is regulated for virtual assets by VARA, the Virtual Assets Regulatory Authority, which operates one of the most comprehensive and well-developed VASP licensing regimes globally, covering exchanges, custodians, brokers, advisors, and lending/borrowing platforms through a clear activity-based framework.
ADGM (Abu Dhabi Global Market) is a financial free zone with its own independent regulator (FSRA) and English common law legal system. ADGM's Digital Assets Regulatory Framework is particularly well-suited for investment management, custody, and sophisticated financial services businesses. DIFC (Dubai International Financial Centre) is Dubai's premier financial free zone with an English law system and its own regulator (DFSA), historically more focused on traditional financial services but expanding its crypto remit. Our team advises on the optimal UAE structure based on each client's specific activity type and commercial objectives.
The Cayman Islands Foundation Company has become the dominant entity type for international token projects and DAO wrappers for several reasons. It has no shareholders and need not have members, making it structurally more analogous to a decentralised governance model: the foundation's purpose is defined in its constitutive documents, it is managed by directors (often styled a council), and it can appoint supervisors who hold oversight rights without management powers. This structure makes it easier to argue that no single party "controls" the protocol in the way that a shareholder-owned company does, which is relevant for securities analysis.
Practically: the Cayman Islands has a well-developed legal and corporate services ecosystem familiar with web3, no corporate income tax, strong legal certainty under English common law principles, and broad international recognition. The Foundation Company structure is well understood by institutional investors and exchanges as a legal issuing entity for tokens. It is not without its complexities — governance design, supervisory obligations, and substance requirements require careful legal drafting — but it remains the gold standard for international token project structuring in 2025.
A multi-entity structure separates different functions of a web3 business into different legal entities, typically incorporated in different jurisdictions chosen to optimise for each function. A common configuration: a Cayman Islands Foundation as the token issuer and protocol governance entity; a BVI or Cayman holding company that holds intellectual property and intercompany loans; an operating company in a licensed jurisdiction (UAE, Singapore) that holds the VASP licence and employs staff; and potentially additional entities for specific market access or regulatory purposes.
Whether you need a multi-entity structure depends on your scale and complexity. Early-stage projects often begin with a single entity and evolve. Businesses seeking to raise institutional capital, launch tokens publicly, obtain licences in multiple jurisdictions, or achieve significant tax efficiency typically benefit from multi-entity structuring — but the intercompany arrangements must be properly documented and economically substantiated to avoid transfer pricing and substance challenges. We design multi-entity structures as part of our pre-launch legal structuring work.
Working With Us
Fees, process, timelines, retainers, and what to expect when you engage our team.
We work predominantly on fixed fees, project fees, or structured retainers — not open-ended hourly billing. We believe clients make better decisions when they know their legal spend in advance, and that unexpected invoices destroy the trust that a good legal relationship depends on. Before any engagement begins, we agree a scope and a fee. If scope changes materially, we discuss and agree revised fees before proceeding — no surprises.
The process is deliberately straightforward. Step one: a 30-minute initial consultation (free of charge) with a senior member of our team. In this call we understand your business, identify the key legal questions, and discuss whether we are the right fit. We don't use initial consultations to run a sales pitch — we use them to genuinely assess how we can help and to give you enough free information to make an informed decision about engaging us.
Step two: if there's a fit, we issue a brief scope of work and fee proposal within 48 hours. Step three: on agreement, we complete client onboarding (standard KYC for our own regulatory obligations), issue a letter of engagement, and assign your dedicated partner and team. From first contact to commencement of work typically takes 3–7 business days for standard engagements, and can be expedited for urgent matters.
We offer both project engagements and retainers. Most relationships start as project engagements (a licence application, a regulatory opinion, an AML programme review) and evolve into ongoing retainer relationships as the client grows. Our retainer model provides a fixed monthly fee for a defined scope: regulatory monitoring, ad hoc query responses, quarterly compliance check-ins, and priority access for emergency matters.
We also offer specialised retainers: MLRO-as-a-Service (acting as the appointed MLRO for your business), Compliance-as-a-Service (ongoing compliance programme management), and Regulatory Intelligence (monthly briefings on developments in your key jurisdictions). Many clients use a combination — a project retainer for a major licensing application, transitioning to an ongoing compliance retainer post-licence. This mirrors how a well-capitalised web3 business would use an in-house legal team, without the overhead cost.
All information shared with us is subject to strict confidentiality obligations. We do not disclose client information to any third party without your express consent, except where required by law — for example, under our own AML obligations if a suspicion arises (which is exceedingly rare in a legal advisory context).
Legal professional privilege protects confidential communications between a lawyer and their client made for the purpose of legal advice. Where our advice is sought in the context of regulatory or enforcement proceedings, privilege provides an additional protection layer — meaning regulators cannot compel us to disclose privileged communications. Preserving privilege requires care in how communications are structured and stored. We advise clients on this from the outset of any engagement with regulatory exposure.
We encourage you to ask directly. In the initial consultation, ask specifically about our experience with businesses like yours in the jurisdictions relevant to you. We will give you a straight answer — if we haven't worked on a particular jurisdiction or business type at the required depth, we will tell you honestly, and we will be direct about whether we should take the engagement or refer you to someone better placed.
What we can demonstrate: 200+ regulatory assessments delivered, successful VARA, MAS, SFC, and MiCA licence applications, AML/CFT programmes implemented across four continents, and a team that includes former regulators who have reviewed applications and conducted examinations from the other side. We are happy to provide client references in similar situations on request, subject to confidentiality.