
Security Readiness Accelerates Regulatory Approval for VASPs

Tech Blog · Educational

Applying for a virtual asset license means building out AML frameworks, governance structures, capital adequacy documentation, operational assessments, custody arrangements, and consumer protection protocols simultaneously.

The security workstream is where timelines break. Regulators assess technical security as a foundational layer of the application, and they assess it early. Incomplete or inadequate security infrastructure is the most common reason applications stall between submission and approval.

What Regulators Evaluate

Requirements vary by jurisdiction, but the evaluation pattern is consistent. CertiK works across multiple licensing frameworks, and the regulators behind them assess security along the same key dimensions.

1. Smart Contract and Code Security

Regulators want evidence that deployed code has been reviewed by a qualified independent party. Some jurisdictions mandate a formal smart contract audit before tokens can be admitted for trading or before provisional authorization converts to full authorization. Others embed the requirement within broader operational resilience obligations.

The audit must be recent, must cover the codebase as currently deployed, and must include evidence that identified vulnerabilities were remediated. An 18-month-old audit on a materially modified codebase has limited compliance value. Regulators increasingly expect remediation evidence and ongoing monitoring alongside the audit report.

Where Applicants Stumble

The audit was conducted on a testnet or staging version of the code. The production deployment differs. The regulator asks for confirmation that audited code matches what is live. The applicant cannot provide it.
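One way to produce the confirmation the regulator asks for is to fingerprint the audited build and the live runtime bytecode after removing the compiler metadata that changes on every recompilation. This is an added example, not CertiK's tooling; the bytecode and metadata blobs are constructed, and it assumes the contract has no immutable values patched into its runtime code.

```python
import hashlib

def strip_metadata(runtime: bytes) -> bytes:
    """Return runtime bytecode with the trailing Solidity CBOR metadata removed.

    solc appends a CBOR-encoded metadata blob (IPFS hash, compiler version) to the
    runtime code; the last two bytes hold the blob's big-endian length. The blob
    changes on every recompilation even when the executable code does not, so a
    raw byte comparison would report a false mismatch. Heuristic: if the bytes
    do not look like a CBOR map header (0xa0..0xb7), assume no metadata is present.
    """
    if len(runtime) < 2:
        return runtime
    n = int.from_bytes(runtime[-2:], "big")
    if n == 0 or n + 2 > len(runtime):
        return runtime
    blob = runtime[-(n + 2):-2]
    if not (0xA0 <= blob[0] <= 0xB7):
        return runtime
    return runtime[:-(n + 2)]

def fingerprint(runtime: bytes) -> str:
    # SHA-256 is used as the evidence hash here; any fixed digest works.
    return hashlib.sha256(strip_metadata(runtime)).hexdigest()

def audited_matches_deployed(audited: bytes, deployed: bytes) -> dict:
    """Evidence record to attach to the audit: both fingerprints plus the verdict."""
    a, d = fingerprint(audited), fingerprint(deployed)
    return {"audited_sha256": a, "deployed_sha256": d, "match": a == d}

def fake_metadata(tag: bytes) -> bytes:
    # Constructed metadata blob with the same layout solc emits; not a real contract.
    digest = b"\x12\x20" + hashlib.sha256(tag).digest()          # 34-byte multihash
    body = b"\xa2\x64ipfs\x58\x22" + digest + b"\x64solc\x43\x00\x08\x14"
    return body + len(body).to_bytes(2, "big")

# Constructed sample bytecode (a few real EVM opcodes, not an audited contract).
CODE = bytes.fromhex("6080604052348015600f57600080fd5b50")
AUDITED = CODE + fake_metadata(b"audit-build")
DEPLOYED_SAME = CODE + fake_metadata(b"release-build")          # recompiled only
DEPLOYED_CHANGED = CODE[:-1] + b"\x00" + fake_metadata(b"release-build")  # code edited

if __name__ == "__main__":
    print(audited_matches_deployed(AUDITED, DEPLOYED_SAME)["match"])      # True
    print(audited_matches_deployed(AUDITED, DEPLOYED_CHANGED)["match"])   # False
```

Run the comparison against the bytecode fetched from the chain at submission time and keep the returned record with the audit report; a mismatch means the audit does not cover what is live.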

2. Custody Architecture and Key Management

Regulators evaluate cold-to-hot storage ratios, key management processes (generation, storage, rotation, recovery), multi-signature or MPC configurations, and insurance coverage relative to assets under custody.

Several regimes set explicit cold storage minimums, ranging from 80% to 98%. Beyond the ratio, regulators want to see documented key ceremony procedures, segregation of duties between key holders, and a disaster recovery process that has been tested.

Where Applicants Stumble

The cold storage ratio meets requirements, but the applicant has no documented key management procedure covering generation ceremonies, role separation, or recovery protocols. The regulator requests a third-party assessment of the custody architecture. The applicant has not arranged one.

3. Transaction Monitoring and Surveillance

AML compliance in digital assets is a technology problem. Regulators expect applicants to demonstrate real-time suspicious pattern identification, cross-chain fund provenance tracing, and sanctions screening that covers wallet addresses linked to sanctioned entities.

Many applicants write their AML policy documentation before selecting and integrating monitoring tools. The regulator then asks for a live demonstration. In markets with active Travel Rule enforcement, applicants must also show real-time originator and beneficiary data transmission across counterparty VASPs.

Where Applicants Stumble

Strong AML policy on paper. No blockchain analytics tool or transaction monitoring system integrated. The regulator asks for sample alert workflows and escalation procedures. The applicant cannot demonstrate a functioning system.
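The live demonstration the regulator asks for comes down to screening logic that runs over real transfer data and produces an alert with a defined escalation step. The following is an added example, not CertiK's or SkyInsights' code: it screens a depositor against a constructed designation list, traces fund provenance backwards through a constructed transfer graph for a bounded number of hops, and returns the alert that would enter the escalation workflow.

```python
from collections import deque
from dataclasses import dataclass
# Constructed designation list and transfer history (placeholder labels, not real
# addresses); production feeds come from a sanctions list and an on-chain indexer.
SANCTIONED = {"0xSANC1", "0xSANC2"}
TRANSFERS = [  # (sender, recipient, amount)
    ("0xSANC1", "0xMIXER", 50.0),
    ("0xMIXER", "0xUSER_B", 20.0),
    ("0xUSER_B", "0xVENUE_HOT", 20.0),
    ("0xUSER_C", "0xVENUE_HOT", 5.0),
    ("0xSANC2", "0xVENUE_HOT", 1.0),
]

@dataclass
class Alert:
    depositor: str
    severity: str   # "critical" = direct hit, "high" = indirect exposure
    path: list      # provenance path: sanctioned source ... depositor
    action: str     # escalation step from the documented workflow

def incoming_edges(transfers):
    graph = {}
    for src, dst, _ in transfers:
        graph.setdefault(dst, set()).add(src)
    return graph

def trace_sources(graph, address, max_hops):
    """Walk backwards through senders; return {source: shortest path to address}."""
    paths = {address: [address]}
    queue = deque([(address, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_hops:
            continue
        for src in sorted(graph.get(node, ())):
            if src not in paths:
                paths[src] = [src] + paths[node]
                queue.append((src, depth + 1))
    return paths

def screen_deposit(transfers, depositor, max_hops=3):
    """Alert if the depositor is sanctioned or funded by one within max_hops, else None."""
    if depositor in SANCTIONED:
        return Alert(depositor, "critical", [depositor], "freeze, file report, escalate to MLRO")
    paths = trace_sources(incoming_edges(transfers), depositor, max_hops)
    hits = [paths[a] for a in sorted(SANCTIONED) if a in paths]
    if hits:
        return Alert(depositor, "high", min(hits, key=len), "hold for enhanced due diligence")
    return None
```

The hop limit is the tuning knob a reviewer will ask about: too small and exposure through an intermediary is missed, too large and the alert queue fills with remote, low-value hits.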

4. Penetration Testing and Vulnerability Management

Multiple frameworks require independent penetration test results as part of the authorization package. Some regulators specify that the testing must come from a qualified third party and reserve the right to reject the assessor. Some mandate threat-led penetration testing on live production systems under regulatory supervision.

Beyond the initial test, regulators evaluate the continuous vulnerability management process: identification, triage, remediation cadence, third-party dependency tracking, vulnerability disclosure policy, and incident handling procedures.

Where Applicants Stumble

The penetration test scopes only the web application layer. Smart contract infrastructure, API endpoints, and the custody system are excluded. The regulator asks about scope coverage. The applicant must re-engage and re-test.

5. Incident Response and Business Continuity

Regulators expect preparation. The requirements: a documented incident response plan that has been tested, a communication protocol for notifying the regulator and affected users, and a business continuity plan ensuring client asset accessibility during a security event.

The bar is higher than a plan document. Regulators may request evidence of tabletop exercises, defined escalation paths, forensic investigation firm relationships, and mandatory insurance coverage calibrated to the platform's risk profile. Some jurisdictions use the insurer's assessment of the applicant's security posture as an input to the licensing evaluation.

The Licensing Security Checklist

Build these components in parallel with legal and compliance workstreams. Sequential execution, where security starts after legal wraps, is the most reliable way to blow a licensing timeline.

[Chart: The Licensing Security Checklist]

What Changed in the Last 12 Months

Regulators Are Rejecting Weak Assessments

Some regulators now explicitly reserve the right to reject a security assessor and require a new assessment from a different firm. They have seen applicants submit boilerplate reports that identify no critical issues in codebases that clearly have them. The choice of auditor matters. A report from a firm without recognized expertise in the relevant stack can damage the application.

Enforcement Shifted Toward Operational Failures

In 2024, global enforcement focused on securities classification disputes. In 2025, the center of gravity moved to operational failures. AML penalties surged 417% in H1 2025, reaching $1.23 billion globally.

This tells applicants what regulators currently care about most. An application demonstrating strong operational controls and functioning monitoring systems is aligned with current enforcement priorities.

Audit Scope Is Expanding

Early security mandates focused narrowly on smart contract code. That scope is widening. Regulators now expect assessments covering the full operational stack: smart contracts, custody systems, API layers, key management, monitoring infrastructure, and incident response. The terminology varies (risk assessment, technology audit, independent assessment), but the direction is uniform.

Structuring the Security Workstream

The most common mistake: treating security as a late-stage compliance exercise. The team builds the platform, hires lawyers, drafts policies, then realizes six weeks before submission that they need an audit and a pen test. A meaningful-scope audit takes weeks. Remediation takes additional weeks. Re-testing takes more.

Applicants that move through licensing fastest treat security as a parallel workstream from the start. Security architecture is designed alongside platform architecture. The audit is scoped and engaged early enough that findings inform development decisions. Monitoring tools are integrated and tuned before the regulator asks to see them.

One frequently missed dependency: insurance underwriting requires completed security documentation. The insurer wants the audit report, pen test results, custody architecture, and incident response plan before quoting coverage. A late security workstream cascades into a late insurance workstream, and both hold up the application.

Recommended Sequencing

Month 1: Security architecture review and gap assessment. Scope definition for audit and pen test. Assessor selection.

Month 2-3: Smart contract audit and penetration test execution. Transaction monitoring integration. Custody architecture documentation.

Month 4: Remediation and re-testing. Incident response plan development and tabletop exercise.

Month 5: Insurance engagement. Final security evidence package compilation for submission.

After the License

Most regimes impose ongoing obligations: periodic re-assessment, continuous monitoring, incident reporting within specified timeframes, and supervisory technology reviews at the regulator's discretion. Some mandate annual penetration testing at minimum.

Firms that build security solely to pass the initial assessment and then let it degrade accumulate regulatory risk. The regulator will conduct ongoing supervision. The security infrastructure supporting the application needs to be maintained as the platform grows, the codebase changes, and the threat landscape evolves.

Continuous monitoring (real-time on-chain surveillance, automated vulnerability scanning, compliance dashboards) creates a durable posture that satisfies ongoing requirements without periodic scrambles before each supervisory review.

Security as a Competitive Advantage

In competitive licensing environments where regulators process applications in batches, a complete security evidence package reduces follow-up questions and compresses the review timeline. Applicants arriving with current audit reports, pen test results, functioning monitoring, documented custody controls, and a tested incident response plan send a clear signal of operational readiness.

Incomplete security documentation signals the opposite. In markets where regulators license a small number of firms or enforce time-bounded application windows, that signal can be the difference between approval and an extended review that effectively becomes a denial.

CertiK works with VASPs, exchanges, and institutional platforms pursuing regulatory authorization across multiple jurisdictions. Our team supports licensing readiness through smart contract audits, penetration testing, custody architecture review, and ongoing monitoring via Skynet Enterprise. We provide transaction monitoring and AML compliance infrastructure through SkyInsights.

For a confidential discussion about your licensing timeline, contact us at certik.com.

Frequently Asked Questions

What security documentation do I need before submitting a VASP license application?

A complete security evidence package includes a current smart contract audit of production code with remediation evidence, a full-scope penetration test covering application/infrastructure/APIs/smart contracts, documented custody architecture with key management procedures, a functioning transaction monitoring system with alert workflows, a continuous vulnerability management program, a tested incident response plan, and insurance coverage calibrated to custody risk.

How far in advance should I start the security workstream for licensing?

Six months minimum. Smart contract audits alone take weeks, remediation takes additional time, and re-testing follows. Insurance underwriting depends on completed security documentation, so a late security workstream cascades into a late insurance workstream. The recommended sequence runs month 1 for gap assessment and assessor selection, months 2-3 for audit and pen test execution, month 4 for remediation and incident response testing, and month 5 for insurance engagement and final evidence compilation.

Can a regulator reject my security auditor?

Yes. Some regulators explicitly reserve the right to reject an assessor and require re-performance by a different firm. They have seen boilerplate reports that flag no critical issues in codebases that clearly have them. The choice of auditor matters. A report from a firm without recognized expertise in the relevant technology stack can damage the application.

What is the most common reason license applications stall?

Incomplete or inadequate security infrastructure. Applicants typically staff legal and compliance early but treat security as a late-stage exercise. The most frequent failure modes: audit reports that don't match production code, no documented key management procedures, AML policies without a functioning monitoring system behind them, and penetration tests scoped too narrowly to satisfy the regulator.

Do security obligations end once the license is granted?

No. Most regimes impose ongoing requirements including periodic re-assessment, continuous monitoring, incident reporting within specified timeframes, and supervisory technology reviews at the regulator's discretion. Firms that build security solely to pass the initial assessment and let it degrade accumulate regulatory risk.

Related Blogs

How VARA is Enabling Global Crypto in Dubai

Learn more about the Virtual Assets Regulatory Authority (VARA), which provides licenses for virtual asset services located in Dubai. CertiK works with VASPs at every stage of the VARA licensing process.

Navigating the 2026 Winter of U.S. Crypto Legislation

An overview of regulatory developments in the United States in January 2026, including the Senate Banking draft, GENIUS Act implementation, and the SEC “Task Force” transition.

CertiK and NEXUS Sign Memorandum of Understanding to Strengthen Security, Auditing, and Stablecoin Infrastructure

CertiK recently signed a memorandum of understanding (MOU) with NEXUS, the blockchain infrastructure behind South Korea-listed company CROSS Protocol, to enhance security, auditing, and stablecoin infrastructure of the CROSS ecosystem. This MOU agreement is the beginning of a long-term collaboration between CertiK and NEXUS, in light of accelerated adoption in on-chain gaming and the need for security to keep pace with blockchain-based transactions.