
CASP licensing

CASP licensing is the formal authorisation required for a crypto-asset service provider to operate within a regulated market. It turns market participation into a supervised activity with defined accountability, evidentiary, and compliance obligations that must be demonstrated continuously, not just at launch.

Expanded Definition

CASP licensing is the regulatory permission framework that allows a crypto-asset service provider to operate under supervision, subject to ongoing controls rather than one-time registration. In practice, it defines who may custody assets, execute transfers, arrange trades, or provide related services, and what evidence must exist to prove those activities are governed.

For NHI Management Group, the important distinction is that licensing is not just a legal badge. It is an operating model that demands identity traceability, access control, record retention, incident readiness, and demonstrable accountability across systems and operators. That aligns closely with control expectations expressed in the NIST Cybersecurity Framework 2.0, especially where governance and risk management depend on provable process, not informal assurance. Definitions vary across jurisdictions, and the precise obligations depend on whether the provider is acting as an exchange, custodian, broker, or transfer service. The industry is still evolving on how far licensing should extend into technical architecture, but regulators increasingly expect evidence of control ownership, not just policy statements.

The most common misapplication is treating CASP licensing as a launch-time checklist, which occurs when firms assume approval alone is enough to sustain compliant operations.

Examples and Use Cases

Implementing CASP licensing rigorously often introduces evidence-collection and governance overhead, requiring organisations to weigh market access against the cost of continuous compliance operations.

  • A crypto exchange documents wallet controls, segregation of duties, and transaction monitoring to satisfy licensing conditions before onboarding retail users.
  • A custodian maps operator privileges to approved roles and keeps audit trails for key ceremonies, withdrawals, and emergency access events.
  • A broker-dealer integrates case management, retention, and escalation workflows so that suspicious activity can be demonstrated to regulators after review.
  • A newly licensed provider uses the Ultimate Guide to NHIs to align service-account governance with the same accountability standards expected for customer-facing operations.
  • An operations team references NIST Cybersecurity Framework 2.0 to structure identity, resilience, and incident response controls around licensing evidence.

Some jurisdictions are still clarifying how licensing applies to multi-entity platforms, white-label providers, and outsourced technical operators, so firms should confirm scope before assuming a common model applies everywhere.

Why It Matters in NHI Security

CASP licensing matters to NHI security because regulated crypto operations depend on machine identities, API keys, signing services, and automation that can move value at machine speed. If those NHIs are unmanaged, a licensed provider may still fail the evidentiary standard expected by supervisors even when its policy set appears complete.

NHIMG research reported in the Ultimate Guide to NHIs from NHI Mgmt Group shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and that 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface. That makes licensing directly relevant to key management, least privilege, rotation, offboarding, and auditability. The licensing question is no longer just whether a provider is allowed to operate, but whether its machine identities can withstand scrutiny during investigations, supervisory reviews, and incident response. For broader governance context, the NIST Cybersecurity Framework 2.0 reinforces the need for documented, repeatable controls that survive operational pressure.
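As an added example (not code from NHI Management Group or from this page), the following Python script shows the kind of continuous NHI evidence check the paragraph describes: it runs an inventory of constructed service-account records against an assumed policy (an accountable owner, privileges within an approved role, a 90-day rotation interval, and deactivation once the owner is offboarded) and returns per-identity findings that can be retained as audit evidence. The role map, the rotation interval, the field names and the sample records are assumptions for illustration, not regulatory requirements or any provider's real data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Approved-role map, constructed for this example: each role lists the only
# privileges a non-human identity in that role is permitted to hold (an
# assumption standing in for a licensed CASP's own role definitions).
APPROVED_ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "withdrawal-signer": {"sign:withdrawal"},
    "trade-matcher": {"read:orderbook", "write:orderbook"},
    "monitoring": {"read:ledger"},
}

# Assumed rotation interval for illustration; not a figure from any regulation.
MAX_KEY_AGE = timedelta(days=90)


@dataclass
class NHIRecord:
    """One service account or API key as it would appear in an NHI inventory."""
    nhi_id: str
    role: str
    owner: Optional[str]          # accountable human owner, None if unassigned
    privileges: Set[str]
    last_rotated: date
    active: bool
    owner_offboarded: bool = False


def assess_nhi(rec: NHIRecord, as_of: date) -> List[str]:
    """Return the list of control failures for one NHI (empty means compliant)."""
    findings: List[str] = []
    if rec.owner is None:
        findings.append("no-accountable-owner")
    approved = APPROVED_ROLE_PRIVILEGES.get(rec.role)
    if approved is None:
        findings.append("unknown-role")
    else:
        # Least privilege: anything beyond the approved set for the role is excess.
        excess = rec.privileges - approved
        if excess:
            findings.append("excess-privilege:" + ",".join(sorted(excess)))
    if as_of - rec.last_rotated > MAX_KEY_AGE:
        findings.append("rotation-overdue")
    # Offboarding: an NHI whose owner has left must not remain active.
    if rec.owner_offboarded and rec.active:
        findings.append("active-after-owner-offboarding")
    return findings


def assess_inventory(records: List[NHIRecord], as_of: date) -> Dict[str, List[str]]:
    """Assess every record; the result keyed by NHI id is the retained evidence."""
    return {rec.nhi_id: assess_nhi(rec, as_of) for rec in records}


def evidence_summary(results: Dict[str, List[str]], as_of: date) -> dict:
    """Summary an auditor can read: how many NHIs were checked and which failed."""
    failing = {nhi_id: f for nhi_id, f in results.items() if f}
    return {
        "as_of": as_of.isoformat(),
        "checked": len(results),
        "noncompliant": len(failing),
        "findings": failing,
    }


# Constructed sample inventory (not real identifiers or real keys).
AS_OF = date(2024, 6, 30)
SAMPLE_INVENTORY = [
    NHIRecord("svc-withdraw-01", "withdrawal-signer", "alice",
              {"sign:withdrawal"}, date(2024, 5, 1), True),
    NHIRecord("svc-match-02", "trade-matcher", None,
              {"read:orderbook", "write:orderbook", "sign:withdrawal"},
              date(2024, 1, 15), True),
    NHIRecord("svc-mon-03", "monitoring", "bob",
              {"read:ledger"}, date(2024, 6, 1), True, owner_offboarded=True),
    NHIRecord("svc-legacy-04", "legacy", "carol",
              {"read:ledger"}, date(2024, 6, 15), False),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the check over the constructed inventory as of the sample date."""
    return assess_inventory(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_summary(run_sample(), AS_OF), indent=2))
```

Run on a schedule and retained with a timestamp, the summary is the kind of repeatable, dated evidence a supervisory review asks for: it records not only that a policy exists but which identities met it on which day. Real inventories would be loaded from the secrets manager or identity store rather than constructed inline.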

Organisations typically encounter CASP licensing as an urgent operational constraint only after an audit, enforcement action, or major compromise, at which point identity evidence and control ownership can no longer be deferred.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | CASP licensing depends on clearly defined regulated-operating objectives and accountability. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Licensed CASPs rely on governed non-human identities, keys, and service accounts. |
| NIST SP 800-63 | | Identity assurance principles inform strong authentication and lifecycle control expectations. |

Define the licensed operating scope, owners, and evidence requirements for all crypto-asset services.