
Updated: May 2026. Refreshed for the 2026-07 MiCA non-EU CASP transition cliff, the GENIUS Act July 2025 signing and 2028-07 full-effective date, and EU TFR (in force since 2024-12).
The global stablecoin market crossed $200B in float in 2025 and regulators caught up. The result: a stack where three roles carry distinct obligations — the issuer (Circle, Paxos, SG-Forge), the wallet provider (the rails apps embed), and the builder (the app integrating USDC, PYUSD, EURC into a product). Most "stablecoin regulation" content is written by and for issuers. This pillar maps what attaches to whom, per jurisdiction, with the 2026 cliff dates that move teams next.
- Part 1: Understanding the stablecoins
- Part 2: Infrastructure and tools to build with stablecoins
- Part 3: Navigating regulation for stablecoin (You're here)
TL;DR — three roles, six jurisdictions, one map
If you're a builder embedding USDC into a consumer app, you do not need an issuer license. You do need to map which obligations cross your perimeter — usually KYC, sanctions screening, and (depending on jurisdiction) registration as a wallet provider or payment institution.
| Role | What you ARE responsible for | What you are NOT responsible for |
|---|---|---|
| Issuer (Circle, Paxos, SG-Forge, Société Générale–Forge, Stripe Bridge for USDB) | Reserve backing, redemption at par, whitepaper, audited reserves, capital floor, prudential reporting | The integrator's KYC perimeter |
| Wallet provider (Openfort and peers) | CASP authorization where required (EU), Travel Rule originator data if you control sender data, sanctions screening at the SDK layer, transaction monitoring hooks | Issuer reserve backing; the builder's user-onboarding decisions |
| Builder / integrator (your app) | KYC perimeter at user onboarding, sanctions screening, registration where you market, customer-facing complaints handling | Issuer licensing; underlying chain compliance |
Read the rest of this guide as: pick your row, then read your column in each jurisdictional block.
Why role-based regulation now (the 2026 shift)
Three forces converged:
- MiCA fully operational. Live since 2025-01. The first wave was issuer-side (EMT / ART). The CASP-side cliff for non-EU wallet providers operating into the EU lands 2026-07 — weeks from this update.
- GENIUS Act signed 2025. Capital floor and reserve rules phase in through 2028-07. The 2025 → 2028 staircase is predictable, which means builders can plan migrations rather than firefight.
- The integrator population eclipsed the issuer population. Hundreds of consumer apps now embed USDC / PYUSD / EURC / USD1. The regulatory question for each is not "do I get licensed as an issuer" — it's "which of my activities cross which perimeter."

The obligations-attached-to-WHO model
Issuer obligations
If you are minting a fiat-referenced token, you carry:
- Reserve backing. 1:1 in high-quality liquid assets. Under MiCA EMT this is segregated bank deposits or short-dated sovereign debt; under GENIUS Act it is U.S. Treasuries, repo-backed cash, or insured deposits. Quarterly attestation (Circle's monthly Deloitte attestation sets the de-facto bar).
- Redemption at par. EMT holders must be able to redeem in fiat at par, on demand, free of charge. MiCA Art. 49.
- Whitepaper + ongoing disclosure. ESMA-format whitepaper; quarterly reserve composition reports; material-change notices.
- Capital floor. EU EMT: minimum €350K own funds or 2% of average outstanding e-money (whichever higher). EU ART: €350K → up to 3% with concentration risk. US GENIUS Act: capital and liquidity requirements are set by the primary federal regulator through rulemaking (tailored to the issuer) rather than as a fixed EU-style floor.
- Significant-issuer regime. Above thresholds (€5B EMT or €100M daily transaction volume), supervision elevates to the EBA directly. Practical takeaway: USDC and EURC are in this category in the EU.
Examples: Circle (USDC, USDT [via Tether's separate path]), Paxos (USDP, PYUSD, USD1), Société Générale–Forge (EURCV), Banking Circle (in progress), Stripe Bridge (USDB).
Builders: this row is not yours. Skip to "wallet-provider obligations" or "builder/integrator obligations."
Wallet-provider obligations
This is the rail Openfort sells. If a wallet provider takes custody of user assets (even programmatically, via smart accounts where the SDK controls signer access), it is a Crypto-Asset Service Provider under MiCA Art. 3(1)(15)(a) — "providing custody and administration of crypto-assets on behalf of clients."
The cleanly-attached obligations:
- CASP authorization (EU). National regulator. Capital floor (€50K–€150K depending on services). Wind-down plan. Outsourcing register. Non-EU CASPs serving EU users have until 2026-07 to be authorized or stop serving EU users — reverse-solicitation exemption is narrow.
- Travel Rule originator data. Under the EU Transfer of Funds Regulation (TFR, in force since 2024-12), the originating CASP must transmit sender + beneficiary data to the receiving CASP on every crypto-asset transfer regardless of amount, with enhanced verification for transfers above €1,000 involving self-hosted wallets.
- Sanctions screening. OFAC SDN, EU consolidated sanctions list, UK OFSI — screened at the SDK layer before signing.
- Transaction monitoring. Suspicious activity reporting (FinCEN SAR in US, MROS in CH, EU FIU equivalents).
Where this maps to product: a wallet SDK that exposes (a) policy hooks before signing, (b) KYC hand-off slots before account creation, (c) Travel Rule data fields on transfer construction, (d) sanctions-screening hooks at signer init — that is the rail compliant builders need. (Openfort's embedded wallet plus policy engine expose exactly these surfaces.)
Builder / integrator obligations
You are not minting tokens. You are not running a wallet SDK. You are integrating one into a product. Your obligations cluster around the user perimeter:
- KYC at onboarding. Tiered to risk: passive holding may permit light-touch KYC; cash-out to bank rail requires full identity verification. Vendor choice is yours (Sumsub, Persona, Dotfile, in-house).
- Sanctions screening at user onboarding. OFAC SDN + jurisdictional lists. Re-screened periodically (typical: daily for active users).
- Registration where you market. If you "actively solicit" users in a jurisdiction (FCA financial-promotions test, BaFin Tatbestand test, etc.) you may need local registration even if you're not a wallet provider.
- Customer complaints + dispute resolution. EU PSD2/PSR equivalents require defined SLAs and escalation paths.
The role × obligation matrix:
| Obligation | Issuer | Wallet provider | Builder/integrator |
|---|---|---|---|
| Reserve backing | Required | N/A | N/A |
| Whitepaper / prospectus | Required | N/A | N/A |
| Capital floor (regulator-set) | Required | Required (if CASP) | Conditional (only if also wallet provider) |
| CASP authorization (EU) | Separate path | Required (custody) | Conditional (only if custodial) |
| Travel Rule (originator data) | N/A | Required | Conditional (only if data-controller) |
| KYC at onboarding | N/A (issuer never sees end-user) | Hook layer (SDK provides plumbing) | Required (you hold the user relationship) |
| Sanctions screening | Required (mint side) | Required (signer side) | Required (user side) |
| Customer complaints | Issuer process | Wallet provider process | Required (your product = the contact surface) |

Per-jurisdiction blocks
European Union — MiCA + Transfer of Funds Regulation
Status: MiCA fully operational since 2025-01-01 (Title III/IV stablecoin provisions) and 2024-12-30 (Title V CASP regime).
Issuer side (EMT / ART):
- EMT (e-money token, 1:1 single fiat): authorization from national regulator + EBA notification. Capital floor €350K or 2% of float. Daily reserve reconciliation. Quarterly disclosure.
- ART (asset-referenced token, basket or non-fiat): higher capital floor; ESMA significant-ART regime above thresholds.
- Algorithmic stablecoins prohibited without fiat backing.
Wallet-provider side (CASP):
- Authorization from national regulator. Capital floor scales with service mix: €50K (advice only), €125K (custody + transfer), €150K (full operator).
- Non-EU CASP cliff: 2026-07. After this date, a non-EU wallet provider cannot custody assets for EU users without (a) full EU authorization, (b) reverse-solicitation defense (narrow), or (c) tolerated grandfathering at member-state discretion (variable).
- National regulator routes: AMF (FR), BaFin (DE), CNMV (ES), CBI (IE), MFSA (MT), CSSF (LU), CNB (CZ).
Builder side:
- TFR Travel Rule applies to your transfers via your CASP. Practical: choose a CASP that already handles originator-data exchange.
- Financial-promotion rules vary by member state. Cross-border marketing requires per-state notification under MiCA Art. 65.
Move that matters for builders: in 2026, choose a wallet-provider rail with EU CASP authorization on its roadmap. Otherwise, your EU users get cut off at the 2026-07 cliff.
United Kingdom — FCA
Current state (mid-2026):
- Cryptoasset registration with the FCA under MLR 2017 — required for any UK-based crypto firm conducting custody, exchange, or transfer.
- Financial-promotion regime in force since 2023-10. Promoting crypto to UK users requires FCA authorization OR exemption (s.21 FSMA).
- FSMA 2023 secondary legislation is now in place: the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 were made on 4 February 2026, bringing qualifying-stablecoin issuance into the FCA's remit. The FCA authorization gateway opens 30 September 2026 and the full regime comes into force 25 October 2027. Systemic sterling stablecoins are jointly overseen by the FCA and the Bank of England.
Practical for builders:
- If you market to UK users: financial-promotion compliance is non-optional, fines material.
- If you take custody for UK users: cryptoasset registration with FCA required.
- Stablecoin payments under the new regime will require a specific authorization once it lands; treat as a 2026–2027 watch item.
United States — federal layer
GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins Act). Signed July 2025 (Public Law 119-27); effective for issuers in early 2027, with a 3-year transition to 2028-07 for integrators (exchanges, custodians, wallet providers).
- Issuer side: 100% high-quality liquid reserves (Treasuries, insured deposits, repo-backed cash). Monthly reserve disclosures, plus annual audited financial statements for issuers above $50B in outstanding issuance. Federal regulation (OCC) for non-bank issuers above $10B in outstanding issuance; the state-qualified route is preserved for issuers at or below that threshold where the state regime is certified substantially similar.
- Builder side: not directly licensed under GENIUS, BUT the act creates downstream constraints — only GENIUS-compliant issuers' tokens are "qualified stablecoins" for federally-regulated rails (bank fintech, credit unions).
FinCEN — Money Services Business (MSB) registration.
- Required for any domestic builder transmitting value (sending stablecoins from one user to another, or to a bank rail) above the de-minimis threshold.
- Federal registration is one step; state MTL is the next.
OFAC sanctions screening. Applies to all US-touching transactions. Smart-contract address screening (Tornado Cash precedent), counterparty screening, jurisdictional screening.
SEC / CFTC perimeter. Out of pillar scope, BUT: stablecoins explicitly excluded from "security" under GENIUS Act for compliant issuers. Non-compliant or yield-bearing stablecoins remain at SEC risk.
United States — state layer (MTL matrix)
If you transmit value to/from US users, you face a fifty-state matrix. Top-15 by population for prioritization:
| State | Stablecoin / MSB rule | Practical step |
|---|---|---|
| New York | BitLicense OR NY Trust charter required for custody/transfer | File or use an MTL-as-a-service partner |
| California | DFPI registration under DFAL (Digital Financial Assets Law, effective 2025-07) | DFPI registration |
| Texas | MTL via TX Dept of Banking; crypto-specific guidance | Texas MTL |
| Florida | MTL via OFR | Florida MTL |
| Pennsylvania | MTL via DoBS | Pennsylvania MTL |
| Illinois | MTL via IDFPR | Illinois MTL |
| Ohio | MTL via Dept of Commerce | Ohio MTL |
| Georgia | MTL via Dept of Banking | Georgia MTL |
| North Carolina | MTL via NCCOB | North Carolina MTL |
| Michigan | MTL via DIFS | Michigan MTL |
| New Jersey | MTL via DOBI | New Jersey MTL |
| Virginia | MTL via Bureau of Financial Institutions | Virginia MTL |
| Washington | MTL via DFI | Washington MTL |
| Arizona | MTL via DoIFI | Arizona MTL |
| Massachusetts | MTL via DOB | Massachusetts MTL |
Special routes:
- Wyoming SPDI charter — Special Purpose Depository Institution. Functional crypto-bank charter; preempts other-state MTL for chartered-activity scope.
- NY BitLicense — Long timeline, high cost, but blue-chip credential.
Builders typically use an MTL-as-a-service partner (e.g., regulated payment institutions that hold the MTL stack on behalf of integrators) rather than filing 50 times.
Singapore — MAS Payment Services Act
- Major Payment Institution (MPI) license for digital payment token (DPT) service providers above transaction thresholds.
- Single-currency stablecoin (SCS) framework for SGD- or G10-pegged stablecoins. Issuer-side requirements: capital floor, reserve backing, redemption at par. MAS finalized the SCS framework in 2023; implementing amendments to the Payment Services Act are progressing.
- Travel Rule applies via MAS Notice PSN02.
UAE — VARA (Dubai) + ADGM FSRA (Abu Dhabi)
- VARA (Virtual Assets Regulatory Authority, Dubai mainland + DMCC): virtual asset license categories include Custody Services, Transfer & Settlement, Issuance. Required for activities targeting UAE users.
- ADGM Financial Services Regulatory Authority: Fiat-Referenced Token (FRT) regime within ADGM free zone. Separate from VARA. Distinct authorization and prudential requirements.
- Travel Rule via UAE Central Bank Stablecoin Payment Token Services Regulation (2024).
Other relevant — Hong Kong, Japan, India
- Hong Kong (HKMA): Stablecoins Ordinance effective 2025-08-01. Issuer license for fiat-referenced stablecoins; 100% reserve backing; HK$25M minimum paid-up capital.
- Japan (FSA): "Electronic payment instruments" registration. Strict AML.
- India (RBI): KYC obligations apply; no dedicated stablecoin framework as of 2026, and the RBI remains cautious on private/unbacked stablecoins.
Where the wallet provider sits — the rail builders embed
A wallet SDK is the enforcement layer. The obligations above don't get satisfied in a PDF — they get satisfied in code at signer init, before each signature, and on transfer construction.
What a compliance-aware wallet rail exposes:
- KYC hand-off hooks. You bring the vendor (Sumsub, Persona, Dotfile, your in-house tier). The wallet doesn't lock you in.
- Sanctions screening at signer init. Before a wallet is constructed for a user, screen against OFAC SDN + EU consolidated + UK OFSI. Re-screen periodically.
- Travel Rule originator data plumbing. Pre-built fields and exchange partners for the originator + beneficiary data the TFR / FinCEN / MAS require.
- backend-wallet-policies = compliance constraints in code. Per-user limits, allowed destinations, allowed tokens, allowed methods. The same policy engine that gates a token's max daily spend is the policy engine that enforces a per-user limit set by your compliance team.
When law firms recommend a "compliance-aware wallet rail," this is the architectural shape they describe. Openfort builds it.
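A pre-signing policy check of the kind described above, combined with the Travel Rule data requirement from the wallet-provider obligations. This is an added example, not Openfort's code or API: the policy schema, field names, `evaluateTransfer`, the `enhancedVerificationDone` flag and the sample addresses are all hypothetical, and amounts are assumed to be already converted to EUR.

```javascript
// Hypothetical policy document; field names are illustrative, not a real SDK schema.
const policy = {
  allowedTokens: ["USDC", "EURC"],
  allowedMethods: ["transfer"],
  dailyLimitEur: 5000,            // per-user limit set by the compliance team
  enhancedCheckAboveEur: 1000,    // threshold for self-hosted counterparties
  travelRuleFields: ["originatorName", "originatorAccount",
                     "beneficiaryName", "beneficiaryAccount"],
};

// Constructed entry standing in for OFAC SDN / EU consolidated / UK OFSI data.
const sanctionedAddresses = new Set(["0x" + "ab".repeat(20)]);

// Runs before every signature. Collects every failed rule (rather than
// stopping at the first) so a denial can be logged and reviewed in full.
function evaluateTransfer(policy, sanctioned, spentTodayEur, tx) {
  const reasons = [];
  if (!policy.allowedTokens.includes(tx.token)) reasons.push("token_not_allowed");
  if (!policy.allowedMethods.includes(tx.method)) reasons.push("method_not_allowed");
  // Normalise case so a mixed-case address cannot slip past the list.
  if (sanctioned.has(String(tx.to).toLowerCase())) reasons.push("sanctioned_destination");
  // Fail closed on a missing or malformed amount.
  if (!Number.isFinite(tx.amountEur) || tx.amountEur <= 0) {
    reasons.push("invalid_amount");
  } else if (spentTodayEur + tx.amountEur > policy.dailyLimitEur) {
    reasons.push("daily_limit_exceeded");
  }
  // Originator and beneficiary data are required regardless of amount.
  const tr = tx.travelRule || {};
  for (const field of policy.travelRuleFields) {
    if (typeof tr[field] !== "string" || tr[field].trim() === "") {
      reasons.push(`missing_${field}`);
    }
  }
  // Above the threshold, a self-hosted counterparty needs enhanced verification.
  if (tx.selfHostedCounterparty && tx.amountEur > policy.enhancedCheckAboveEur &&
      !tx.enhancedVerificationDone) {
    reasons.push("enhanced_verification_required");
  }
  return { allow: reasons.length === 0, reasons };
}

// Constructed sample transfer that satisfies every rule.
const okTx = {
  token: "USDC", method: "transfer", to: "0x" + "12".repeat(20), amountEur: 250,
  selfHostedCounterparty: false,
  travelRule: { originatorName: "A. Sender", originatorAccount: "acct-1",
                beneficiaryName: "B. Receiver", beneficiaryAccount: "acct-2" },
};
console.log(evaluateTransfer(policy, sanctionedAddresses, 0, okTx));
```

The signer should refuse to sign whenever `allow` is false and record `reasons` alongside the transfer for the transaction-monitoring trail.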
Implementation guide — seven steps for builders (not issuers)
1. Identify your role(s). Issuer? Probably not — skip to step 2. Wallet provider? Only if you self-build custody. Builder? You're here.
2. Identify every jurisdiction your users sit in. Geo-IP is a start, KYC residency is the answer. EU users → CASP cliff applies; UK users → financial-promotion + cryptoasset register; US users → state MTL.
3. Map (role × jurisdiction) cells. Use the matrix above. One row per user-population cluster.
4. Choose the KYC + Travel Rule vendor. Don't pick the wallet provider that locks you in; pick the one that exposes hooks.
5. Wire wallet-level policies. Per-user limits, allowed tokens, allowed destinations, allowed methods. This is where compliance teams stop sending emails and start writing JSON.
6. Document for due-diligence. SOC2 control mapping. Vendor questionnaires. Regulator letters.
7. Re-audit on cliff dates. 2026-07 (MiCA non-EU CASP), 2026-09 (UK FCA authorization gateway opens), 2027-01 (GENIUS Act effective for issuers), 2028-07 (GENIUS Act integrator cliff).
Regulatory cliff calendar
| Date | Jurisdiction | What changes | Who's affected |
|---|---|---|---|
| 2026-07 | EU | Non-EU CASP transition period ends | Wallet providers serving EU users; builders relying on them |
| 2026-09 | UK | FCA stablecoin authorization gateway opens (full regime live 2027-10) | Builders targeting UK users for stablecoin payments |
| 2027-01 | US | GENIUS Act effective date for issuers | Stablecoin issuers, downstream — qualified-stablecoin scope |
| 2028-07 | US | GENIUS Act integrator/DASP compliance cliff | Exchanges, custodians, wallet providers handling US-touching stablecoins |
