Panama Crypto Authorization: Q&A for Builders (Bank-Ready Without the Drama)

Thinking about Panama for your next crypto build and wondering what it actually takes to get green-lit? Start here. This Q&A is written for operators who want a clean read on scope, documents, custody, and banking signals—so v1 ships without rework. For the official route and requirements, see Panama VASP license.

Is Panama the right venue for our model?

It can be—provided your narrative is crisp and your controls match reality. Panama appeals to teams seeking predictable supervision and partner recognition across the Americas. If your app touches client assets (exchange, brokerage/OTC, hosted wallets, payments/on-ramps), expect full AML/CTF responsibilities and a custody story that stands up in front of banks and reviewers. If you’re truly non-custodial (no key control, no routing/matching, no settlement), the burden is lighter, but validate scope early to avoid architectural rework.

What exactly pulls a crypto product into “VASP” scope?

Labels don’t decide—flows do. If users onboard, fund, transact, and withdraw through your stack and you can move or safeguard their assets, you’re in scope. Exchange/brokerage, hosted wallets, transfers, and on/off-ramps are the usual triggers. Yield or staking features invite extra scrutiny because of custody and counterparty risk. The closer your platform looks to a market or balance-holding service, the deeper the expectations across custody, monitoring, and disclosures.

What should our governance look like from day one?

Name a Compliance Officer with a direct line to the board (or top management) and document fit-and-proper for directors and UBOs. Keep an ownership chart that a banker can understand in one glance. Approve your policy suite via board minutes—short, dated, searchable. This isn’t paperwork for paperwork’s sake; it’s what counterparties expect to see before they trust you with rails and accounts.

Our architecture options—what passes scrutiny?

Non-custodial tool: safest on custody, but watch hidden brokerage (order routing or auto-swap). If you nudge users into trades, you may be in scope anyway.

Custodial wallet: plan key governance (HSM or audited multisig), role-based access, withdrawal approvals, and daily/weekly reconciliations you can evidence.

Exchange/OTC: keep v1 to spot; separate market-making from client flows; document conflict controls.

Payments/on-ramp: Travel Rule interoperability, sanctions, source-of-funds, and a clean counterparty policy (exchanges, custodians) are make-or-break.

Which documents actually move the needle?

Think “evidence pack,” not just a checklist. You’ll still assemble the corporate basics—articles, registers, org chart, IDs and addresses for controllers/UBOs, short CVs, a realistic business plan—but reviewers speed up when they see controls working. Include anonymized screenshots of onboarding, sanctions hits being handled, example monitoring alerts with analyst notes, withdrawal approval logs, and a reconciliation excerpt. A one-page narrative (what you do, who you serve, flows, corridors, currencies) ties it all together.

How should we prove Travel Rule coverage without overbuilding?

Pick an interoperable provider early, configure it for your main corridors, and capture a handful of message traces as proof. Don’t promise “later”—show messages actually moving, including negative paths (e.g., counterparty not participating) and how you handle them. Reviewers and banks both read this as maturity.

What do banking and PSP partners really check?

Four things, over and over: ownership (clean UBO picture), activity (plain-English description that matches your site and contracts), fund flows (corridors, monthly volumes, counterparties, currencies), and safeguards (segregation of client assets, reconciliation cadence, AML in action). If those four are neat, onboarding feels routine. If they’re fuzzy, you’re in the slow lane.

How do we avoid the policy–product mismatch?

Write policies from screenshots, not imagination. Start by diagramming onboarding → funding → action → withdrawal; then describe exactly what the screens do and where decisions happen. If your app can’t yet do something (e.g., address allow-lists or dual approvals), don’t claim it. Either ship it first or state the staged rollout date. Contradictions are what trigger long clarification loops.

What does a minimal “bank-ready” custody setup look like?

HSM or well-audited multisig for keys; strict role-based access; hot/cold thresholds; dual approvals for withdrawals; allow-lists for higher-risk cohorts; daily or weekly reconciliations aligned to ledger entries; incident playbooks for compromise, vendor outage, or chain forks. Keep the evidence—approval logs, rec screenshots, and a brief key-ceremony note—in your data room.

Where do teams usually lose time?

With vague activity narratives (“crypto platform” means nothing), missing UBO proof, and contracts that contradict the website. The other sinkhole is Travel Rule hand-waving. Fix it with a one-page activity story, consistent documents, and a working Travel Rule demo. Most “complex” delays are really consistency problems.

What’s a sensible sequencing so we don’t stall shipping?

Week 1–2: model mapping, gap analysis, choose vendors (KYC/KYB, Travel Rule, custody).

Week 3–6: draft AML/CTF, sanctions, monitoring, custody, security, and disclosures tied to real flows; appoint the Compliance Officer; assemble the evidence pack.

Week 6+: file a complete submission and answer clarifications with short, evidenced replies.

In parallel, open a fintech-friendly EMI/PSP to keep invoices moving; add a bank or second EMI later for redundancy and currencies. Scope creep (leverage, derivatives, complex listings) waits until v1 is stable.

How should we budget without getting blindsided?

Think in buckets: one-off setup (advisory/policies, application build), technology and security (KYC/KYB, Travel Rule, custody tooling, monitoring stack, pen-testing), and ongoing compliance (officer time, audits, monitoring/reporting, training, renewals). Chasing a single “license fee” number is how under-resourcing happens; gaps are what delay approvals or block banking.

Can we say we’re “out of scope” if we never hold keys?

Maybe—but be honest about embedded brokerage, routing, or settlement. If your UI nudges a user into an execution path you control, you’re likely in scope. Have counsel sanity-check the design before you ship. If you’re truly tooling only, keep the sales copy and contracts aligned with that reality.

What short FAQ should we keep on hand for reviewers?

Do you segregate client assets? Yes—separate ledgers, distinct wallets/accounts, and reconciliation with approvals.

Do you screen sanctions continuously? Onboarding and ongoing; we also screen material vendors.

How do you handle suspicious activity? Monitoring rules + case notes and a documented escalation path; STR/SAR workflow defined.

How do you meet the Travel Rule? Provider X, tested across our main corridors; message traces available.

Keep these answers short and evidenced.

Final operator notes

Keep v1 narrow and real; avoid promising features your stack can’t yet support. Approvals accelerate when reviewers see the same story across your website, contracts, policies, and logs. And remember: evidence beats adjectives—screenshots, extracts, and timestamps calm almost any concern faster than more prose.

If you prefer to skip the guesswork around scoping, filings, and the bank-ready evidence pack, an experienced team can run point end-to-end so you can focus on product. LegalBison typically leads the heavy lifting and aligns controls with what you’re actually building—details at legalbison.com.