“Getting a license” is rarely the hard part; matching your product to a story that a bank and a reviewer can both defend is. This piece strips the process down to first principles—flows, custody, Travel Rule, and governance that exists outside a slide deck—so your v1 ships without rework. For teams that want the formal path and requirements in one place, see the overview for Crypto license.
The two-minute narrative (write this before any policy)
Start with a page a risk officer can read on the way into a meeting: who your users are, which assets and corridors you support on day one, and how funds or tokens travel from onboarding to withdrawal. Declare—plainly—whether you touch client assets. If you do (exchange, OTC, hosted wallet, on/off-ramp), you’re in full-scope territory. If you truly don’t (pure analytics, screening, UI orchestration), validate that no part of your stack controls routing, matching, or settlement. This single page becomes the reference text for your filing, website copy, contracts, and sales deck; when the wording matches everywhere, clarifications evaporate.
Q&A: Operator questions that decide your workload
Q1: What makes a crypto product “in scope” in most venues?
Flows, not labels. If users fund through your rails, hold balances you can move, or rely on you to execute transfers or trades, assume licensing plus AML/CTF, sanctions, monitoring, Travel Rule, and custody controls. “Non-custodial” stays lighter only if you truly never control keys or settlement—and your UI doesn’t funnel users into an execution path you govern.
Q2: How tight should v1 be?
Tighter than you think. Spot only if you list, a very short asset set with real liquidity, disclosures that explain fees/spreads, and no leverage/derivatives until the base is stable. State that scope in your narrative and mirror it in policies; add features later via board minutes, policy diffs, and new artifacts.
Q3: What does a “bank-ready” custody story look like?
It’s five sentences and two screenshots. Where keys live (HSM or audited multisig). Who approves movements (roles, not personal names). What gates withdrawals (dual approvals, limits, allow-lists for higher-risk cohorts). How segregation works (client vs company) and how often you reconcile with sign-off. Attach an approval-log snippet and a reconciliation extract that ties wallets/accounts to your ledger. That’s it—and it’s what banking teams repeat upstream.
Q4: How do we prove Travel Rule without overbuilding?
Wire your main corridors on a single provider that interoperates broadly. Save a handful of message traces: a clean success, a non-participant path, and your fallback behavior. Drop them into the evidence folder with timestamps. “We’ll implement later” buys weeks of clarifications you don’t need.
Q5: What do reviewers and banks actually read first?
The same four answers in every geography: ownership (clean UBO picture with evidence), activity (plain-English description that matches your website and contracts), fund flows (corridors, volumes, counterparties, currencies), and safeguards (segregation, reconciliations, sanctions/KYC, monitoring that actually fires). Put these on one page plus a simple flow diagram; keep documents, site copy, and policies aligned to the same wording.
Q6: How do we avoid the policy–product mismatch?
Write policies from screenshots, not imagination. Diagram onboarding → funding → action → withdrawal. If your app can’t yet do allow-lists or dual approvals, either ship them now or state a dated rollout; don’t pretend. Contradictions are what trigger long email threads.
Operator notes (from teams that moved fast)
Trim the menu. The exchange that cut leverage, trimmed listings to high-liquidity pairs, and shipped dual-approval withdrawals with an exportable log went from “come back later” to “send the pack” in one call. The trick wasn’t lawyering; it was scope sequencing and proof.
Evidence beats adjectives. A sanctions-hit screen with resolution notes is worth more than a page of prose. One monitoring alert with analyst timestamps beats three paragraphs about “robust controls.” A reconciliation PDF with sign-off dates beats a pledge to reconcile “regularly.”
Keep names and numbers consistent. Legal name, address, fee tables, and corridor volumes should match across contracts, invoices, your site, and the filing. Inconsistencies read as risk—even when the product is solid.
Your artifact bundle (tiny, sharp, and dated)
Capture an onboarding run ending in a real KYC decision, a sanctions hit and its disposition, one monitoring alert with analyst notes, a withdrawal approval record, and a reconciliation extract. Add three Travel Rule traces. Date filenames. Store everything in a tidy “Corporate / Banking / Contracts / Accounting / Compliance” tree. When the same bundle answers both regulatory and banking questions, momentum compounds.
Sequencing that avoids rework
First twenty days: map the flows, freeze v1 scope, pick vendors (KYC/KYB, sanctions, Travel Rule, custody tooling) that already serve your corridors. Next thirty: draft AML/CTF, sanctions, monitoring, custody, security, and disclosures straight from the diagram; appoint the Compliance Officer; minute policy approvals; collect screenshots and logs as you configure—don’t leave evidence to the end. Then file a complete pack and answer clarifications with short, artifact-backed replies. In parallel, open a fintech-friendly EMI/PSP so invoicing and payroll aren’t hostage to the last email; add a bank or second EMI once volumes justify redundancy.
Cost reality (avoid the single-number trap)
Budget across three buckets: setup (advisory, policy build, application prep), technology & security (KYC/KYB, sanctions/Travel Rule providers, custody tooling, monitoring stack, pen-testing where sensible), and ongoing compliance (officer time, audits, reporting, training, renewals). Under-resourcing any one of these shows up as delays or refusals—both pricier than a small buffer now.
Common blockers and boring fixes
Vague activity descriptions (“crypto platform”) that contradict the UI; expired or blurry KYC and missing UBO evidence; custody promises that your app can’t demonstrate; Travel Rule “later”; documents that don’t match legal names or fee tables. Fixes are unglamorous: write the two-minute narrative first and mirror it everywhere; triple-check identity evidence; only claim controls you can screenshot today; wire two corridors and save traces before submission; sweep contracts and invoices so names, addresses, and fees align.
Closing thought
A credible v1 is narrow, boring on purpose, and proven with small artifacts. Ship that, and adding features becomes a matter of governance updates and new evidence—not a restart. If you’d rather have someone run the filings and assemble the bank-ready bundle while you focus on product, a seasoned partner can lead the heavy lifting and keep policies tied to what your app actually does—more at legalbison.com.