CEZA Rules for Virtual Asset Service Providers (VASPs) in the Philippines: Licensing and Compliance Overview

Jurisdiction: Philippines • Focus: Cagayan Economic Zone Authority (CEZA) regime for virtual asset activities, and how it interacts with national regulators (BSP, SEC, AMLC). This is a general legal overview, not legal advice.


Executive Summary

The Cagayan Economic Zone Authority (CEZA) operates a special regulatory framework for fintech and virtual asset activities conducted from within the Cagayan Special Economic Zone and Freeport (CSEZFP). CEZA’s rules are primarily designed for offshore-facing operations (i.e., servicing non-Philippine residents), and they run in parallel with national Philippine regimes administered by the Bangko Sentral ng Pilipinas (BSP) for VASPs and the Securities and Exchange Commission (SEC) for securities/token offerings.

In practice:

  • CEZA can license offshore virtual asset exchanges and related services set up in the Freeport, with bespoke requirements on capitalization, governance, cybersecurity, custody, market integrity, and consumer protection.
  • BSP regulates VASPs that deal with Philippine residents and the peso (fiat on/off-ramps, custodial wallet providers, etc.).
  • SEC regulates the “securities” side (token offerings and trading of tokens that meet the securities test), and AMLC implements anti-money laundering/counter-terrorist financing (AML/CFT) rules that bind covered institutions nationwide.

A compliant structure often requires multiple alignments: CEZA license for the offshore exchange operation, BSP authorization for any peso/fiat services touching Philippine residents or banks, SEC clearance for securities-type token activity, and AMLC registration/controls.


Legal Bases and Institutional Roles

  1. CEZA

    • Created under Republic Act No. 7922 and implementing rules to operate and regulate enterprises in the CSEZFP.
    • Issued a Financial Technology Solutions and Offshore Virtual Currency Exchange (FTSOVCE) framework and Digital Asset Token Offering (DATO) rules designed for offshore-facing virtual asset activity.
    • Acts as the economic zone regulator: issues permits, prescribes prudential/operational rules, supervises compliance, and conducts inspections within the Freeport.
  2. Bangko Sentral ng Pilipinas (BSP)

    • Regulates virtual asset service providers nationally (including exchanges and custodial wallet providers) to the extent they serve persons in the Philippines or interface with the domestic financial system (e.g., peso deposits/withdrawals, remittances).
    • Core expectations include fit-and-proper, capital, risk management, IT/cyber, outsourcing, and consumer protection standards (plus FATF “Travel Rule”).
  3. Securities and Exchange Commission (SEC)

    • Oversees securities (including tokenized instruments that are “investment contracts” or other securities).
    • Reviews token offerings, exchange trading of security tokens, broker-dealer functions, and advertising/solicitation rules.
  4. Anti-Money Laundering Council (AMLC)

    • Implements the Anti-Money Laundering Act (AMLA) and related rules.
    • VASPs and exchanges (CEZA-licensed or otherwise) that are covered persons must register with the AMLC’s systems and implement KYC/CDD, sanctions screening, suspicious transaction reporting (STR) and covered transaction reporting (CTR).

Takeaway: CEZA regulates where and how you operate inside the Freeport (with an offshore orientation). BSP/SEC/AMLC regulate what you do when your services touch Philippine residents, fiat, banks, or securities/public solicitation—even if you hold a CEZA license.


Scope: What Can a CEZA-Licensed VASP/Exchange Do?

  • Operate an offshore-facing virtual asset exchange from within the CSEZFP.
  • Offer order-book matching, OTC, market-making, staking (subject to prudential and custody controls), wallet/custody, token listings, and ancillary fintech solutions consistent with CEZA rules.
  • Serve non-Philippine residents as a general rule. Engagements with Philippine residents are restricted and, where permitted, typically trigger BSP/SEC requirements.

Key limitations (typical policy features):

  • No solicitation to Philippine residents for trading services unless separately authorized by national regulators.
  • Use of CEZA-accredited custodians, auditors, certifiers (as required by current CEZA circulars).
  • Separation of client and house assets, with cold-hot wallet policies and reconciliation routines.
  • Risk disclosures and robust complaints handling.

License Architecture Under CEZA (Typical Features)

CEZA’s regime has historically provided for tiers of authorization often described as:

  • Principal/Exchange License – to operate an offshore virtual asset exchange platform (core matching, market access).
  • Regular/Ancillary Licenses – for specific services such as brokerage, market-making/OTC, wallet/custody, analytics, clearing/settlement-type functions, or technology provisioning to licensed exchanges.

Capitalization & financial soundness: CEZA prescribes minimum paid-up capital, working capital, and liquidity buffers appropriate to the licensed activity. Firms must maintain prudential ratios, insurance or surety/guarantee arrangements (where applicable), and external audit.

Fit-and-proper: Controllers, directors, and key officers must meet integrity, competence, and financial soundness standards, with disqualification grounds (e.g., fraud convictions, regulatory bans).

Physical and “mind and management” presence:

  • Registered seat in the CSEZFP, with core management, compliance, and technology functions demonstrably in-zone (even with some distributed operations).

Systems & venues:

  • If offering a multilateral trading facility, the matching engine and surveillance stack must satisfy availability, integrity, latency, capacity, and best-execution expectations, with fair access and conflict-of-interest safeguards.

Application: Step-by-Step

  1. Pre-filing engagement

    • Confirm business model mapping (exchange, custody, brokerage, OTC, staking, token listing); assess offshore vs. onshore touchpoints.
    • Discuss sandbox or phased roll-out if complex/novel.
  2. Documentary submission (illustrative)

    • Corporate documents; beneficial ownership disclosures.
    • Business plan (products, markets, client profiles, liquidity strategy).
    • Compliance program: AML/CFT manual, sanctions policy, risk assessment, Travel Rule tooling.
    • IT/cybersecurity program: architecture diagrams, key controls (e.g., HSMs, MPC), logs/monitoring, incident response, BCP/DR.
    • Custody framework: wallet segregation, key management, withdrawal controls, insurance/attestations, reconciliation routines.
    • Market integrity: surveillance rules, anti-manipulation program, listing/delisting criteria, conflicts and market-maker rules.
    • Consumer protection: disclosures, T&Cs, complaints, outage/incident notification plans.
    • Financials: capitalization proof, projections, external audit scope.
    • Third-party oversight: outsourcing register, vendor due diligence, exit strategies.
  3. Technical validation

    • Independent security assessment (e.g., code reviews, pen-tests), wallet/custody attestations, and stress/latency tests for the matching engine.
    • Travel Rule interoperability tests and sanctions screening efficacy.
  4. Fit-and-proper vetting

    • Background checks of controllers/key persons; board charters; committees (audit, risk).
  5. Conditional approval & go-live

    • Satisfy pre-opening conditions (capital paid-in, local presence, final system sign-offs), post surety/insurance (if required), register with AMLC systems, designate Compliance Officer and MLRO.
    • Execute a user-acceptance testing (UAT) plan; produce a go-live attestation.
  6. Post-licensing

    • Periodic regulatory reporting (prudential, volume/liquidity, incident, complaints).
    • On-site/remote examinations and thematic reviews.

Ongoing Obligations

1) AML/CFT, Sanctions, and the Travel Rule

  • Risk-based KYC/CDD (including enhanced due diligence for higher-risk clients, PEPs).
  • Ongoing monitoring with typology-driven alerts (mixers, chain-hopping, privacy coins, sanctioned wallets, mule patterns).
  • FATF “Travel Rule” implementation for VA transfers: collect/transmit originator and beneficiary information above mandated thresholds, both inbound and outbound.
  • STR/CTR filings to AMLC; name-screening against UN and domestic lists; geofencing/IP screening for sanctioned jurisdictions.

2) Custody & Client Assets

  • Segregation of client assets (on-chain and off-chain), distinct from house funds.
  • Key management (MPC/HSM), withdrawal policies (multi-person approvals, velocity limits), and cold-hot ratios appropriate to risk.
  • Daily reconciliations, proof-of-reserves/segregation attestations (where required), and insurance or guarantee mechanisms as available.

3) Market Integrity & Conduct

  • Listing standards (token due diligence, circulating supply verification, protocol risks, governance risks).
  • Surveillance for spoofing, wash trades, layering, pump-and-dump, front-running.
  • Fair access and best execution policies; clear conflict-of-interest rules for proprietary trading and affiliated market-makers.
  • Transparent fees, outage communications, and incident disclosures.

4) IT, Cybersecurity, and Resilience

  • Information security program aligned with globally recognized baselines (e.g., ISO/IEC 27001 controls).
  • Secure SDLC, change management, and access controls (least privilege, strong MFA).
  • BCP/DR with RPO/RTO targets; DDoS protection; key compromise playbooks.
  • Independent audits and penetration tests at defined intervals.

5) Governance & Risk

  • Board accountability, with Risk and Audit functions independent from revenue lines.
  • Compliance Officer and MLRO with direct access to the board.
  • Policies for outsourcing, cloud, data protection/privacy (aligning with the Data Privacy Act), and records retention.

6) Reporting & Supervision

  • Regular prudential and statistical returns; technology incident and breach reports; material change notifications (ownership, key staff, new products).
  • On-site inspections and remediation tracking; possible administrative fines for breaches.

Token Offerings Under CEZA (DATO Framework)

Where token issuance is contemplated:

  • Classification analysis: utility vs. asset/securities characteristics (rights to profits, managerial efforts of others, etc.).
  • Whitepaper review focused on use of proceeds, tokenomics (emissions, vesting), protocol governance, risks, conflicts, and related-party transactions.
  • Issuer obligations: escrow of proceeds or staged release, periodic disclosures, material event reporting, and ongoing AML/CFT controls for primary sales.
  • Interplay with SEC: if a token is a security, national securities laws apply to offers to Philippine residents and to exchange trading accessible in the Philippines, regardless of CEZA licensure.

Interfacing With Philippine Residents and the Domestic Financial System

A CEZA-licensed exchange is typically offshore-facing. If the business model involves any of the below, BSP and/or SEC authorization is generally required even if the firm is CEZA-licensed:

  • Peso (PHP) on/off-ramp, remittance, e-money, or other regulated payment services.
  • Custodial wallet services marketed to or used by Philippine residents.
  • Solicitation, advertising, or distribution of tokens or exchange services to persons in the Philippines.
  • Trading or distribution of security tokens to the Philippine public.

Practical control set: IP geoblocking, onboarding controls (residency checks), T&Cs restricting Philippine users, and compliance testing to verify no unauthorized onshore activity.


Tax and Incentives Considerations

  • Enterprises registered with CEZA may be eligible for incentives available to Freeport enterprises (subject to prevailing fiscal rules and national incentive harmonization).
  • Standard Philippine tax rules apply to onshore income and to Philippine-sourced transactions; carefully allocate revenues between offshore exchange activity (CEZA) and any onshore-regulated services (BSP/SEC lines).
  • Withholding tax, VAT, and documentary stamp issues can arise depending on the instrument and service line. Obtain tax rulings where appropriate.

Enforcement, Penalties, and Remediation

  • CEZA may impose administrative fines, suspensions, or revocations for breach of license conditions, misrepresentation, inadequate capitalization, AML/compliance failures, IT lapses, or consumer-protection violations.
  • AMLC can pursue administrative and criminal remedies for AMLA breaches, including failure to register, defective CDD, or failure to file STR/CTR.
  • BSP/SEC may act for onshore violations, including unlicensed VASP/payment activity, unauthorized securities offerings, misleading ads, or improper cross-border access.
  • Remediation plans, independent monitors, and heightened supervisory engagement are common outcomes short of revocation.

Common Structuring Models

  1. Pure CEZA Offshore Exchange

    • CEZA principal/exchange license; offshore client base only; fiat legs handled through non-PHP channels; strong geofencing and onboarding controls.
  2. Dual-Track: CEZA + BSP

    • CEZA exchange for offshore clients; BSP-licensed affiliate provides PHP on/off-ramp or custodial wallets to Philippine residents; strict Chinese wall and service demarcation.
  3. Technology Provider in CEZA

    • CEZA-licensed technology or back-office provider supporting a separately licensed BSP/foreign exchange; limited customer-facing risk; rigorous outsourcing and data controls.

Practical Compliance Checklist

  • Regulatory mapping memo (who is the customer? where are they? what instruments?)
  • License scoping call with CEZA; confirm principal vs. ancillary authorizations.
  • BSP/SEC triggers analysis; pre-consult when any onshore exposure exists.
  • AMLC registration and enterprise-wide risk assessment.
  • Travel Rule solution selection and bilateral testing.
  • Wallet/custody architecture (MPC/HSM, segregation, insurance) with documented SOPs.
  • Market integrity: listing manual, surveillance playbooks, market-maker rules, conflicts controls.
  • IT/Cyber: ISO-aligned policies, logging/SIEM, DR drills, third-party risk, bug bounty.
  • Consumer protection: disclosures, downtime/incident notices, complaint handling, fee transparency.
  • Board governance: charters, KRIs, regulatory reporting calendar, compliance testing plan.
  • Advertising and geofencing controls to avoid unauthorized onshore solicitation.
  • Tax & transfer-pricing framework for cross-border group flows.

Frequently Asked Questions

1) Does a CEZA license permit me to serve Philippine residents? Generally no. CEZA licensing focuses on offshore-facing operations. BSP/SEC requirements apply for Philippine residents/fiat or securities activity.

2) Can I do token offerings under CEZA? Yes, subject to DATO requirements and securities analysis. If an offering targets Philippine residents and the token is a security, SEC rules apply.

3) If I never touch fiat, do I still face BSP oversight? If you serve Philippine residents or integrate with onshore payments/banking, BSP oversight is typically triggered even for crypto-to-crypto models.

4) What about stablecoins? Issuance or distribution raises additional prudential, reserve, disclosure, and securities/payment considerations. Expect heightened scrutiny and coordinate with national regulators if any onshore nexus exists.

5) Are DeFi services covered? Where an entity organizes, markets, or controls access (front-ends, custody, key governance roles), regulators may treat it as a VAS or securities intermediary. Analyze substance over form.


Final Notes

  • CEZA’s framework is special-zone and offshore-oriented. It is not a substitute for national licenses where activities touch Philippine residents, the peso, or securities/public solicitation.
  • The landscape evolves (capital thresholds, reporting templates, technical standards). Before committing capital or going live, obtain formal written guidance and keep a regulatory change log mapped to your controls.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.