FINMA and the regulatory framework for crypto businesses
Switzerland has long been one of the most stable and forward-thinking jurisdictions for crypto businesses, thanks to its well-designed regulatory system and the country’s strong financial culture. FINMA has established a comprehensive framework that covers all categories of crypto service providers: from wallets and exchanges to investment platforms and custodians. This approach creates a safe and predictable market environment, reduces risks for users, and increases the confidence of banks, partners, and institutional investors. The Swiss model is built on precise token classification, transparent AML controls, and the principle of risk-based supervision tailored to the specifics of digital assets. This is why Switzerland has become a hub for blockchain innovation and one of the key destinations for crypto projects, with Zug widely known as the «Crypto Valley». In this article, we will take a detailed look at FINMA’s regulatory framework and explain the requirements crypto companies must meet when entering the Swiss market.
FINMA as a key regulator of the Swiss financial and crypto market
The Swiss regulator FINMA (Swiss Financial Market Supervisory Authority) ensures the stability of the financial system, oversees banks, fintech companies, and crypto providers, and is responsible for licensing and supervising all activities related to digital assets. Its approach is defined by high legal transparency, predictability, and strict AML/CTF requirements, making Switzerland one of the safest jurisdictions in Europe and worldwide. FINMA follows FATF international standards, cooperates closely with EU regulators, and applies risk-based supervision – a model in which the level of oversight corresponds directly to the risk profile of each business.
FINMA’s mandate and scope of supervision
FINMA has authority over all participants of the Swiss financial market: banks, investment firms, payment providers, crypto brokers, and custodians. The regulator is responsible for licensing, monitoring, inspections, enforcement actions, and preventing market abuse. Within the crypto sector, FINMA supervises custody of digital assets, exchange and brokerage activities, tokenization, trading platforms, custodial services, and investment products that include tokenized instruments.
Risk-based supervision
FINMA does not apply a «one-size-fits-all» model – its oversight is built on an assessment of individual business risks. If a company holds client funds, works with derivatives, or provides asset management services, the regulatory requirements are significantly higher. Companies with limited or infrastructure-focused services (e.g., those that do not hold client assets) may qualify for a simplified regime. This approach reduces unnecessary regulatory burden while strengthening control over high-risk business models.
FINMA’s token classification
One of the foundational elements of Swiss crypto regulation is FINMA’s token classification, introduced in the official Guidelines for inquiries regarding the regulatory framework for initial coin offerings (ICOs). It divides tokens into three categories:
- Payment tokens – cryptocurrencies used as a means of payment (e.g., Bitcoin, Litecoin);
- Utility tokens – tokens granting access to a platform or specific functions;
- Asset tokens – tokens treated as securities (equity-like), including tokenized shares or other financial instruments.
This classification determines whether a license is required, which regulatory regime applies, and whether the project falls under the Financial Services Act (FinSA) or the Financial Institutions Act (FinIA).
Licensing and authorization for crypto-businesses
Switzerland applies a technology-neutral regulatory model: a crypto company does not receive a crypto license, but rather the status of whichever type of financial intermediary its business model falls under. FINMA evaluates the scope of activity, the risk profile, and the client-protection mechanisms, not just the nature of the token or digital asset. This section explains the categories of financial intermediaries and the regulatory requirements that apply to projects operating with tokens and digital infrastructure.
FINMA-authorised financial intermediaries
This regime applies to companies that provide financial services professionally and directly handle client assets. FINMA conducts prudential supervision and requires full compliance with strict capital, risk-management, and governance standards.
Who qualifies as a FINMA-licensed intermediary:
- Custody providers holding client digital assets;
- Crypto brokers executing client orders;
- Platforms performing settlement or clearing functions;
- Trading services acting as dealers.
Core obligations for FINMA-licensed intermediaries:
- Minimum capital (depending on the model, from CHF 100,000 to several million CHF);
- Corporate governance requirements: board of directors, independent oversight, dedicated Risk and Compliance functions;
- Full AML/KYC framework;
- External and internal audits;
- Ongoing FINMA supervision and regular reporting.
Such companies receive the highest level of trust from banks and institutional partners, but the regime requires significant investment in infrastructure and governance.
SRO / VQF – regulation through self-regulatory organisations
Switzerland also offers an alternative pathway: instead of direct FINMA licensing, a company can join an SRO (Self-Regulatory Organization), such as VQF, which is officially recognised by FINMA. This is a popular route for startups and smaller crypto platforms. An SRO supervises AML compliance but does not perform prudential supervision, which significantly reduces regulatory and operational costs.
Who benefits from SRO membership:
- OTC brokers;
- Crypto exchanges without custody services;
- Crypto payment providers;
- Entry-level tokenisation platforms;
- Crypto projects that do not manage client assets.
Requirements:
- Implementation of an AML program in accordance with the AMLA;
- Appointment of an AML Officer;
- Source-of-funds verification and customer identification;
- Internal risk-management procedures;
- Annual SRO audits.
SRO membership is a flexible and cost-efficient model suitable for early-stage businesses, but it does not allow custody services or asset management.
Licensing of banks, brokers and custodians
Some crypto companies, due to the nature of their business model, fall under the traditional regulatory regimes for financial institutions. In such cases, FINMA assesses the project within the existing standards of banking or securities supervision.
Banking License (Bankengesetz)
A banking license is required if a company:
- Accepts deposits;
- Manages client funds exceeding regulatory thresholds;
- Holds cryptoassets under conditions similar to a bank deposit.
This is the highest level of regulation, involving stringent capital requirements, reserve obligations, advanced risk-management systems, and daily reporting obligations.
Securities Dealer / Broker-Dealer
This regime applies when a company:
- Trades tokens classified as securities;
- Provides services as a dealer or market maker;
- Operates trading infrastructure or manages client portfolios.
The obligations include internal control mechanisms, minimum capital requirements, investor-protection standards, and continuous audits.
Custody Providers
The concept of a custodian in Switzerland is based on the DLT Act and banking standards and applies to services that hold client keys or digital assets. Depending on the operational model, a custodian may fall under:
- FINMA-licensed intermediary requirements;
- Banking regulation;
- The DLT Trading Facility regime (if custody is integrated into exchange infrastructure).
Custodians must ensure a high level of cybersecurity, liability insurance, segregation of client assets, and comprehensive BCP/DRP and incident-reporting procedures.
Conditions of incorporation: capital, structure, directors, reporting
Registering a crypto company in Switzerland requires more than meeting formal criteria – it involves demonstrating the real managerial, operational, and financial robustness of the business. FINMA assesses corporate governance, the quality of risk controls, the origin of capital, and the existence of clear operational processes. An applicant must prove that the company can maintain compliance continuously, not only at the moment of submitting the application.
Capital and financial soundness
Financial requirements vary depending on the regulatory model: from SRO supervision to obtaining a payment intermediary or custody license. FINMA evaluates a company’s ability to absorb risks, maintain liquidity, and demonstrate verified capital sources.
The regulator focuses on:
- Adequacy of capital relative to the business model;
- Verified Source of Funds / Source of Wealth;
- A credible financial plan ensuring sustainability over a 12–24-month horizon.
Corporate structure and governance
The company’s structure must be transparent, and management must be substantive, not nominal. Switzerland does not permit shell companies and expects that leadership, key decisions, and control functions are carried out within the country.
FINMA analyses:
- Real presence: office, staff, and local management;
- Clear ownership structure without opaque holding chains;
- Proper segregation of management, control, and risk functions.
Management and key function holders
FINMA applies a strict fit-and-proper standard. Executives must have experience in the financial sector or risk management, and control functions must demonstrate independence and professional competence.
A company must appoint qualified officers, such as a Compliance Officer, MLRO, Risk Officer, or an equivalent function. The regulator examines biographies, reputation, absence of conflicts of interest, and the ability to maintain strong governance and risk frameworks.
Reporting and ongoing supervision
Even after obtaining approval, the company remains under continuous oversight. Reporting is one of the core components of the Swiss regulatory model. FINMA requires documented evidence that the business properly maintains risk monitoring, AML procedures, and transactional records.
Key expectations from FINMA and SROs include:
- Regular internal and external audits;
- Retention of client data and transaction logs;
- AML reporting (STR, SAR) and reporting of operational incidents;
- Maintaining up-to-date internal policies and procedures.
Special schemes: DLT-Trading Venue, Crypto-Fund, Custody Providers
Switzerland became one of the first countries to implement a full regulatory regime for DLT platforms and crypto-oriented financial institutions. These models are supervised differently from standard VASP or MSB operations: capital requirements are higher, oversight is deeper, and risk controls are significantly stricter. FINMA treats such structures as financial market infrastructure, meaning that the regulatory approach is almost comparable to that applied to banks, exchanges, and clearing facilities.
DLT-Trading Venue (DLT exchanges and trading systems)
A DLT-Trading Venue is an innovative Swiss regulatory model introduced through the DLT Act. It allows platforms not only to list tokenized assets, but also to perform clearing, settlement, and custody operations within a single infrastructure. Unlike traditional crypto exchanges, DLT platforms fall under the regulation of trading facilities and must demonstrate the ability to manage market, operational, and technological risks.
FINMA evaluates:
- The resilience of the trading infrastructure and execution mechanisms;
- Systems for preventing manipulation, front-running, and insider trading;
- Security of smart contracts and DLT modules;
- Preparedness for cyber incidents, failures, and operational disruptions.
Crypto-Fund (crypto investment funds supervised by FINMA)
Funds that invest predominantly in crypto assets are regulated as Collective Investment Schemes (CIS). This is one of the strictest regimes in Europe. FINMA examines the fund’s portfolio strategy, asset liquidity, custody arrangements, and overall risk-management framework.
Mandatory components include:
- A FINMA-licensed Asset Manager;
- A custodian meeting CISA/CISO requirements;
- A detailed valuation policy for crypto assets;
- Restrictions on the use of derivatives and leverage.
Custody Providers
Custody providers holding clients’ crypto assets fall under one of the most demanding supervisory regimes. FINMA treats digital-asset custody as high-risk financial activity and requires evidence of comprehensive operational and technological readiness. The key focus is on client-asset protection, account segregation, key-management security, and operational continuity.
FINMA examines:
- Storage models (cold, warm, MPC solutions) and their robustness;
- Segregation of proprietary and client assets;
- Key-recovery procedures and emergency plans;
- Operational-risk management and IT controls.
How to choose the right regulatory regime for your crypto business?
Choosing the appropriate regulatory regime in Switzerland depends not only on the set of services but also on the business model, risk profile, corporate structure and future plans for international expansion. FINMA expects companies to identify their category in advance (VASP, financial intermediary, trading venue, custodian or investment fund) and to demonstrate that this regime accurately reflects their activities. A mistake at this stage leads to delays, additional rounds of inquiries and potential refusals.
Switzerland’s system is built on the principle of activity-based regulation: what the company does matters more than what it calls itself. This is why selecting the correct licence requires a detailed analysis of services and operational structure.
Assess the nature of activities and services
The first step is to determine which functional group the business belongs to. FINMA classifies crypto services according to their risk level and the degree of involvement in managing client assets.
Key criteria include:
- Whether the company provides custody of cryptoassets;
- Whether it executes operations on behalf of clients (agency model);
- Whether it works with tokenised securities;
- Whether it provides trading infrastructure (matching, clearing, settlement);
- Whether it manages client assets or develops investment products.
Analyse capital requirements and internal controls
Each regulatory regime comes with different expectations regarding audit, operations and supervisory obligations. For some companies, choosing a lighter regulatory category is more cost-efficient if their activities do not require enhanced oversight.
The general principle is straightforward:
- Low risk → VASP / SRO-supervised financial intermediary,
- Medium risk → stricter AML controls and internal policies,
- High risk → FINMA authorisation (custody, trading, asset management).
Evaluating capital, substance, governance and IT infrastructure helps determine whether the company is ready for a full licence or whether a lighter regime is more appropriate.
Determine whether special authorisations are required
Certain business models automatically place the company into stricter regulatory sectors. You fall under direct FINMA supervision if you:
- Hold client assets (custody);
- Operate a trading platform or marketplace;
- Launch a crypto fund or tokenised investment product;
- Work with tokenised securities or derivatives.
If your activities are limited to exchange, transfers or brokerage services without holding client funds, a lighter regime (SRO / VASP) is appropriate.
Consider future strategy, not only current services
FINMA evaluates a company’s future plans: expanding services, launching custody, attracting investors or entering institutional markets. Therefore, the project should define its strategic direction in advance. Sometimes it is more efficient to obtain a higher level of authorisation from the start to avoid a new licensing procedure later.
Conduct legal token and model qualification
Switzerland uses a three-tier token classification (payment, utility, asset), and this determines the required regulatory regime. Incorrect token qualification is one of the main reasons for FINMA remarks and refusals.
Companies must conduct:
- A Financial Instruments Test,
- A legal analysis of token characteristics,
- An assessment of investment features (if applicable),
- A determination of whether the asset falls under CISA, FMIA or the DLT regime.
Legal qualification is the foundation of licence selection.
Obtain a preliminary consultation from experts
FINMA does not formally conduct preliminary interviews for all applicants, but a legal pre-assessment is an essential step to minimise risks. It allows you to identify:
- Whether the model fits the chosen category;
- Whether there are regulatory risks or AML/KYC gaps;
- Whether custody authorisation or financial intermediary status is required;
- Which documents need to be prepared in advance;
- What the optimal structure is (local entity, branch, holding).
How can Key2Law help to pass the licensing procedure in Switzerland?
FINMA expects crypto projects to demonstrate not only a transparent corporate structure but also real substance, a robust system of internal controls, proven managerial competence, and mature AML/IT processes. A mistake in choosing the regulatory regime, weak documentation or incomplete compliance with governance requirements leads to delays, additional queries or refusals. To complete the licensing procedure on the first attempt, a company needs a advisory team that understands FINMA’s logic and can structure the project in line with regulatory expectations. Key2Law team assists crypto companies at every stage: from preliminary analysis to post-authorisation supervision.
- Comprehensive assessment of the project.We determine the correct regulatory regime: VASP, financial intermediary, DLT platform, custody provider or investment structure.
- Preparation of the corporate and compliance framework. We build the required substance, appoint local directors and key function holders, establish governance procedures and responsibility matrices.
- Development of the full document set for FINMA. AML/KYC framework, Risk Assessment, Internal Controls, IT policies, BCP/DRP, and detailed descriptions of the business model and technological infrastructure.
- Communication with FINMA and management of regulatory requests. We support the company through due diligence, interviews, technical reviews and required adjustments, accompanying the process until full authorisation is granted.
- Ensuring continuous compliance after authorisation. We prepare regulatory reports, update policies, conduct internal reviews and help scale operations without regulatory risks.
If you plan to launch a crypto company in Switzerland or want to obtain authorisation without delays or uncertainty, the Key2Law team is ready to assist. We will ensure full compliance with FINMA requirements and build a transparent structure capable of withstanding any audit. Contact us to receive a personalised consultation and a tailored licensing roadmap.