Panama's virtual asset framework is governed by Law 23 of 2015 (as amended), which established the regulatory structure for anti-money laundering and counter-terrorism financing obligations applicable to virtual asset activities. The supervisory authority for non-financial subjects, including virtual asset service providers, is the Superintendencia de Sujetos No Financieros (SSF). Suspicious transaction reports are filed with the Unidad de Análisis Financiero (UAF), Panama's financial intelligence unit. Corporate establishment flows through the Ministerio de Comercio e Industrias (MICI).
Panama has historically attracted crypto firms due to its competitive tax environment, US dollar economy, and established corporate infrastructure. However, the AML enforcement environment has strengthened materially following Panama's addition to the FATF grey list in 2019 and its subsequent remediation process, which resulted in removal from the grey list in 2023. Firms registering in Panama today operate in a substantially more scrutinised environment than those who established Panamanian structures before 2019. The consequence is clear: a Panama VASP registration that cannot demonstrate genuine AML controls offers limited protection and creates meaningful counterparty risk.
This guide covers the full registration process for a Panama crypto licence in 2026: the legal framework, who is caught, corporate and substance requirements, the AML/CFT programme the SSF/UAF expects, cybersecurity standards, the application process step by step, Panama's current standing with international counterparties, and the operational security layer that sustains a registration through supervisory examination.
Panama's Virtual Asset Regulatory Framework
Law 23 of 2015 is the cornerstone of Panama's AML/CFT framework. It was originally enacted to address deficiencies identified in Panama's 2012 FATF mutual evaluation and has been progressively amended to address further deficiencies and to incorporate updated FATF standards, including Recommendation 15 on virtual assets. The law establishes the category of "obligated entities" subject to AML supervision and the core obligations those entities must meet. VASPs are included as obligated entities under the amendments that incorporated FATF Recommendation 15.
The Superintendencia de Sujetos No Financieros (SSF) was established specifically to supervise non-financial businesses and professions subject to AML obligations under Law 23. The SSF maintains the register of supervised entities, conducts supervisory examinations, and has authority to impose sanctions for non-compliance. For VASPs, the SSF is the primary regulatory contact for AML programme registration and examination.
The Unidad de Análisis Financiero (UAF) functions as Panama's financial intelligence unit, receiving and analysing suspicious transaction reports from all obligated entities. The UAF is responsible for producing financial intelligence that supports law enforcement investigations and for international cooperation with foreign FIUs. VASP obligations to file STRs with the UAF are independent of the SSF registration requirement: a VASP must both be registered with the SSF and comply with ongoing UAF reporting obligations.
Unlike some jurisdictions, Panama does not operate a separate "crypto-specific" licensing regime distinct from its general AML framework. The Panama crypto licence is in substance the registration of the VASP as an obligated entity under Law 23, combined with corporate establishment through MICI. This simplicity is both an advantage, in terms of lower compliance cost and faster setup, and a constraint, in that the framework does not address crypto-specific risks such as DeFi, token issuance, or staking with the granularity of more developed regimes like MiCA or Brazil's BCB framework.
Who Must Register and What Activities Are Covered
Under Law 23 as amended to incorporate virtual assets, the following activities trigger the registration obligation for firms operating in or from Panama:
- Virtual currency exchange services, including fiat-to-crypto and crypto-to-crypto conversion
- Virtual asset custody services, including safekeeping of private keys on behalf of clients
- Virtual asset transfer services, including payment settlement routed through virtual assets
- Operation of virtual asset exchange platforms or trading venues accessible to Panamanian residents
- Participation in and provision of financial services related to token issuances
The registration obligation is tied to the location of incorporation or the provision of services to Panamanian-resident clients. Foreign firms that serve Panamanian residents through online platforms are technically within scope of the Law 23 obligations, though enforcement against purely foreign operators without a Panamanian legal presence is more limited in practice. Firms that incorporate in Panama, use a Panamanian registered agent, or operate a physical office in Panama are unambiguously within scope.
The distinction between activities requiring UAF registration and those requiring additional MICI authorisation is primarily a corporate law question rather than a financial regulation question. MICI authorisation is the commercial operating licence; UAF/SSF registration is the AML supervisory requirement. Both are necessary for a compliant operation. Firms that obtain MICI authorisation but fail to register with the SSF are operating in breach of their AML obligations, and firms registered with the SSF that fail to maintain their MICI corporate status create structural compliance gaps.
Corporate and Substance Requirements
The standard vehicle for a Panamanian crypto operation is a Sociedad Anónima (S.A.), Panama's joint-stock company form. The S.A. is deeply embedded in Panamanian corporate law, well understood by local counsel and banking institutions, and accommodates complex shareholder structures suitable for institutional investors. Alternative structures such as a Sociedad de Responsabilidad Limitada (S.R.L.) are available but less commonly used for regulated businesses.
A registered agent is mandatory for all Panamanian S.A. entities. The registered agent must be a licensed Panamanian law firm or individual, and the registered agent relationship is a legal requirement rather than merely an administrative convenience. The registered agent receives official correspondence and is responsible for maintaining the company's records with the Public Registry. For AML purposes, the registered agent is itself an obligated entity under Law 23 and must conduct due diligence on its clients, including VASPs.
A local office or local representative is expected by the SSF for entities seeking registration as supervised obligated entities. The SSF does not require a large physical establishment, but a brass-plate address with no operational connection to Panama will not satisfy the supervisory requirement. The SSF expects to be able to contact the firm's management through a Panamanian address and to conduct examinations at a location in Panama. Firms that outsource all operations offshore while maintaining a nominal Panamanian presence face increased scrutiny.
The AML compliance officer appointment is mandatory and must be documented in the SSF registration. The compliance officer must have appropriate qualifications and must be accessible to the SSF for supervisory purposes. Panama does not impose a residence requirement on the compliance officer in all cases, but the officer must be available to respond to SSF enquiries on a timely basis and must be capable of appearing in Panama for supervisory examinations when required.
Fit and proper assessments apply to directors and controlling shareholders. The SSF requires declarations from management regarding criminal records, regulatory history in other jurisdictions, and any prior adverse findings by financial regulators. Directors with regulatory sanctions or criminal convictions related to financial crime in any jurisdiction are disqualifying.
AML/CFT Operational Requirements
Panama's AML/CFT requirements for VASPs under Law 23 are operationally comprehensive. The written AML/CFT programme submitted to the SSF must reflect the firm's actual business model and risk profile, not a generic template. The SSF's post-grey-listing enforcement posture has made the quality of this documentation a material factor in registration approval and ongoing supervisory assessments.
The core components of a compliant Panamanian AML/CFT programme include:
- Customer Due Diligence (CDD): identity verification for all customers at onboarding, including documentary evidence of identity and address. For corporate clients, beneficial ownership identification down to the ultimate controlling individual is required. Reliance on intermediaries for CDD must be documented and the intermediary must itself be an AML-supervised entity.
- Enhanced Due Diligence (EDD): heightened procedures for high-risk customers, including politically exposed persons (PEPs), customers from high-risk jurisdictions, and customers with complex or opaque ownership structures. EDD requires source-of-funds and source-of-wealth documentation and senior management sign-off before onboarding.
- Beneficial ownership identification: Law 23 requires identification and verification of the ultimate beneficial owner of all corporate and legal arrangement customers. Panama's beneficial ownership registry, established as part of the FATF remediation programme, must be consulted and records maintained.
- Transaction monitoring: automated systems capable of identifying unusual patterns, structuring behaviour, transactions involving high-risk jurisdictions, and activity inconsistent with the customer's stated profile. The monitoring system must be calibrated to the firm's specific business and must generate documented alerts that are reviewed and resolved.
- Suspicious transaction reporting (STR): STRs must be filed with the UAF within the timeframes prescribed by Law 23. The obligation to file is not conditioned on certainty of wrongdoing; reasonable suspicion is the threshold. Failure to file when suspicion exists is itself a breach of Law 23.
- Employee training: all staff handling client transactions or onboarding must receive regular AML training. Training records must be maintained and available for inspection by the SSF.
- Record retention: KYC documentation, transaction records, and AML programme documentation must be retained for a minimum of five years from the end of the business relationship or the date of the transaction, whichever is later.
The UAF's supervisory examination approach post-2023 focuses heavily on operational effectiveness. Examiners do not accept documentation as evidence of compliance; they look for alert logs, STR filing histories, EDD case files, and evidence of training completion. A Panamanian VASP that presents a well-written AML programme but cannot produce operational records fails the examination regardless of the programme's quality on paper.
For detailed guidance on building an KYC and AML operational controls infrastructure that satisfies UAF scrutiny, the operational layer is the critical differentiator between registrations that sustain supervisory examination and those that do not.
Cybersecurity and Technology Security Requirements
Panama does not yet have a dedicated cybersecurity regulation for VASPs equivalent to BCB Resolution 85/2021 or the technical standards being developed under MiCA/DORA in the EU. However, the SSF expects registered VASPs to maintain documented technology security controls as part of their overall risk management framework. The operative standard in the absence of specific Panamanian regulation is FATF guidance on virtual asset risk management, which addresses the technology risks specific to VASP operations.
In practice, the SSF examination process assesses technology security through the lens of operational risk management. Examiners look for evidence of:
- A documented IT security policy that addresses access controls, key management, and data protection
- An incident response procedure covering cyber incidents, including those resulting in loss of client assets or compromise of the firm's signing infrastructure
- Secure custody arrangements for client virtual assets, including segregation of client assets from firm assets and documented key management procedures
- Evidence of third-party security assessments, including penetration tests or security audits, particularly for internet-facing systems
- Business continuity arrangements that address technology failures and cyber incidents
The absence of Panamanian-specific cybersecurity regulations is not a licence to ignore technology security. Firms that suffer a significant cyber incident, particularly one involving loss of client assets, and cannot demonstrate that they had adequate security controls in place face both regulatory and civil liability. The UAF and SSF take the view that a VASP that loses client assets due to inadequate key management or access controls has failed its operational risk management obligations under Law 23, even where no specific cybersecurity regulation is breached.
Institutional partners and correspondent banks that deal with Panama-registered VASPs increasingly conduct their own technology security due diligence as part of onboarding. A VASP that cannot produce evidence of security assessments, documented controls, and a credible incident response framework will face difficulties establishing the banking and institutional relationships that make a Panamanian operation commercially viable.
Application and Registration Process
The process for establishing a compliant VASP operation in Panama involves two parallel tracks: corporate establishment through MICI and AML registration through the SSF/UAF. Both tracks must be completed before regulated operations commence.
Step 1: Corporate incorporation via MICI. The S.A. is incorporated through a Panamanian notary and registered with MICI's Registro Público. Required documents include a public deed of incorporation, identification documents for all directors and beneficial owners, and the engagement of a registered agent. Corporate incorporation typically takes 2 to 4 weeks from instruction to completion. The incorporation creates the legal entity but does not authorise regulated virtual asset activity.
Step 2: UAF/SSF registration as an obligated entity. Following incorporation, the entity must register with the SSF as a supervised non-financial entity under Law 23. The registration submission includes: the entity's corporate documents, a complete AML/CFT programme, identification documents and fit-and-proper declarations for directors and the AML compliance officer, a description of the virtual asset services to be provided, and evidence of the firm's technology security arrangements. The SSF reviews the submission and may request clarifications or additional documentation before issuing registration confirmation.
Step 3: Banking establishment. Obtaining a Panamanian business bank account for a VASP is a distinct and material challenge, discussed in detail in the section on Panama as a crypto hub below. Banking setup should be pursued in parallel with registration, as delays in banking establishment are the most common cause of operational delay for new Panama VASPs.
Typical timelines are: corporate setup 4 to 8 weeks; SSF registration 2 to 3 months for a complete and well-prepared submission. Total time from instruction to commencement of operations is typically 4 to 6 months when banking establishment is included. The costs of Panamanian legal counsel, AML programme preparation, and ongoing compliance are materially lower than comparable costs in EU jurisdictions or Brazil, making Panama a cost-competitive entry point for LATAM VASP registration.
Panama's FATF History and Current Standing
Panama's inclusion on the FATF grey list (Jurisdictions Under Increased Monitoring) from 2019 to 2023 had significant practical consequences for firms registered in Panama. Correspondent banking institutions applied heightened due diligence, some withdrew services from Panama-connected entities entirely, and institutional counterparties scrutinised Panama-registered VASPs more carefully in their own onboarding processes.
The grey-listing reflected FATF's assessment of deficiencies in Panama's AML/CFT system: inadequate beneficial ownership transparency, weak law enforcement cooperation on financial crime, and insufficient supervision of non-financial obligated entities including VASPs. Panama's response involved legislative amendments to Law 23, strengthened SSF supervisory capacity, improved beneficial ownership registry requirements, and demonstrated increases in law enforcement cooperation and asset restraint.
FATF removed Panama from the grey list in October 2023, recognising that the required measures had been substantially implemented. This removal was an important signal for the jurisdiction's credibility, but it has not instantly restored the correspondent banking relationships and institutional trust that were disrupted during the grey-listing period. Banks and institutional counterparties that developed enhanced due diligence processes for Panama during the grey-listing period continue to apply additional scrutiny, and this heightened attention is likely to persist for several years.
For VASPs registering in Panama in 2026, the practical consequence is that registration alone does not resolve counterparty risk. Firms must be prepared to demonstrate their AML programme's operational effectiveness to banks, institutional partners, and potential investors as part of standard commercial due diligence. A Panama-registered VASP with a strong, demonstrable AML and security programme is in a substantially better position than one relying on the registration alone.
Ongoing Compliance Obligations
SSF registration is not a one-time event. Registered VASPs in Panama carry an ongoing compliance programme with both periodic and event-driven obligations.
Annual AML programme review: registered VASPs must review and update their AML/CFT programme at least annually, or following material changes to the business. The annual review must be documented and the updated programme submitted to or available for the SSF. The review must address whether the programme's controls remain effective given changes in the firm's products, customer base, transaction volumes, or risk environment.
STR filing obligations: suspicious transaction reporting to the UAF is continuous. There is no minimum threshold below which reporting is not required; the threshold is reasonable suspicion. Firms with high transaction volumes should expect their STR filing rate to be a data point in SSF supervisory assessments.
UAF notification of material changes: registered entities must notify the UAF/SSF of material changes to the business, including changes to ownership or control, appointment or departure of the compliance officer, material changes to services offered, and significant technology incidents. The definition of "material" should be construed broadly.
Supervisory examination cooperation: the SSF has authority to conduct on-site and desk-based examinations of registered entities. Firms must maintain all required documentation in a form accessible for examination and must cooperate fully with SSF examiners. Obstruction or failure to produce documentation in a supervisory examination is an aggravating factor in any subsequent enforcement action.
FATF monitoring period requirements: although Panama is no longer on the grey list, FATF's follow-up monitoring process involves ongoing review of the jurisdiction's continued compliance. Firms registered in Panama should anticipate that the SSF will maintain its heightened supervisory approach for the duration of the monitoring period, as demonstrating sustained improvement is part of Panama's post-grey-list obligations to FATF.
Panama as a Crypto Hub: The Operational Reality
Panama has attracted significant interest from crypto firms for a set of genuine structural advantages. These advantages are real, but they must be understood alongside equally real operational constraints.
The tax advantages are material: Panama applies a territorial tax system, meaning that income earned outside Panama is not subject to Panamanian income tax regardless of where the company is incorporated. For a crypto firm whose clients are primarily outside Panama, this can result in a very low effective corporate tax rate. There are no capital gains taxes on foreign-source income. This tax profile compares favourably with most EU jurisdictions and with Brazil.
The US dollar economy eliminates exchange rate risk for firms that operate primarily in USD or USD-pegged stablecoins. Panama has used the US dollar as its de facto currency for over a century, creating stable monetary conditions and alignment with the dominant global reserve currency.
The legal infrastructure is well developed by LATAM standards. Panama has an established tradition of corporate and financial law, an English-speaking legal profession capable of advising on international transactions, and courts with reasonable commercial law competence. The registered agent industry is professionally developed and experienced in dealing with regulated financial businesses.
The banking access challenge is the most significant operational constraint for Panama VASPs and should not be minimised. Panamanian banks remain cautious about serving crypto firms as direct customers. The major domestic banks impose stringent due diligence requirements on VASP clients, and several have policies that effectively preclude onboarding new crypto businesses regardless of their regulatory status. The grey-listing period intensified this conservatism, and it has not fully dissipated since removal from the list.
Firms seeking to establish banking in Panama for a VASP operation should: prepare a comprehensive due diligence package demonstrating their AML programme's operational effectiveness, engage a bank-experienced Panamanian law firm to facilitate introductions, expect a 3 to 6 month banking establishment timeline even with strong preparation, and consider maintaining banking facilities in additional jurisdictions to ensure operational continuity. Firms that arrive at the banking stage without adequate preparation or that have a weak AML programme will find the process significantly longer and potentially unsuccessful.
Panama vs. Brazil vs. El Salvador: LATAM Comparison
The three most commonly evaluated LATAM jurisdictions for crypto VASP registration are Panama, Brazil, and El Salvador. Each serves a different strategic purpose, and the right choice depends on the firm's target market, capital availability, institutional partner requirements, and risk appetite.
Panama offers the fastest setup, lowest capital requirements, and strongest tax advantages for foreign-source income. The regulatory framework is lighter-touch than Brazil's, and the cost of professional services is competitive. The constraints are banking access and the residual reputational drag from the FATF grey-listing period. Panama is most suitable for firms whose primary target market is outside Panama and the Americas, or for firms seeking a cost-effective LATAM regulatory footprint to complement a primary EU or Asian licence.
Brazil is the most demanding and most credible option for firms targeting the Brazilian market or seeking a LATAM registration that carries weight with institutional counterparties. The Brazil crypto licence process involves higher capital, longer timelines, and more operationally demanding AML and cybersecurity requirements. The upside is direct access to the largest crypto user base in Latin America and a BCB registration that institutional partners, correspondent banks, and international regulators recognise as substantive. Firms serious about the Brazilian market have no viable alternative to BCB registration.
El Salvador pioneered Bitcoin as legal tender and has positioned itself as a crypto-friendly jurisdiction through its DASP registration framework. The DASP licence in El Salvador is lighter in capital and compliance cost than Brazil's, and the political environment has historically been supportive of crypto innovation. El Salvador is most suitable for firms seeking a first-in-region regulatory footprint at manageable cost, particularly those with Bitcoin-centric business models or products. The market size is substantially smaller than Brazil or Panama, but the regulatory credibility has been growing as the framework matures.
For firms seeking a pan-LATAM presence, the combination of BCB registration in Brazil for the primary market, Panamanian registration for operational flexibility and tax efficiency, and the MiCA compliance pathway for EU access represents a comprehensive multi-jurisdiction strategy. However, each registration requires its own fully operational compliance programme, and the resource requirements scale accordingly. The Estonia crypto licence remains the most accessible EU entry point for firms building a European CASP registration to complement their LATAM presence.
Operational Security and UAF Scrutiny
The UAF's examination framework post-2023 has become materially more rigorous, driven by Panama's need to demonstrate to FATF's monitoring process that its supervisory system produces effective outcomes rather than merely registering entities. For VASPs, this means that a UAF examination tests whether the firm's AML programme is operationally effective, not whether the documentation meets a formal standard.
The most common findings in UAF examinations of VASPs involve failures in the operational layer: transaction monitoring systems that generate alerts but have no documented review process, KYC programmes that collect documents at onboarding but do not perform ongoing review, EDD procedures that exist on paper but show no case files, and STR filing rates that are inconsistent with the firm's transaction volumes. Each of these failures signals to the UAF examiner that the AML programme is a documentation exercise rather than a genuine control.
The operational security layer for a Panamanian VASP must address both AML controls and technology security. Key management for client custody operations, access controls for systems that process client transactions, monitoring for anomalous access patterns, and documented procedures for responding to technology incidents are all evaluated in the context of whether the firm has genuine operational controls or merely documented intentions.
Security4Web3 builds the operational security and AML controls infrastructure that sustains Panama VASP registrations through UAF examination. This includes implementing genuine transaction monitoring integrations with documented alert management, building key management systems that segregate client assets from firm assets with proper access controls, establishing incident response rehearsal processes that produce documentary evidence of testing, and constructing third-party risk management frameworks that satisfy both SSF and institutional partner due diligence requirements.
Firms that engage Security4Web3 before their SSF registration submission benefit from a compliance infrastructure that is built for examination from the outset, rather than retrofitted after a registration is obtained. The registration process itself is faster and less subject to supplemental information requests when the operational programme is genuine and well documented. And the ongoing supervisory examination process confirms operational controls rather than exposing the gaps that arise when compliance is treated as a documentation project.
Frequently Asked Questions
What law governs crypto licensing in Panama?
Law 23 of 2015 is the foundational AML legislation in Panama that applies to virtual asset service providers. It established the regulatory framework for anti-money laundering and counter-terrorism financing obligations, administered by the Superintendencia de Sujetos No Financieros (SSF) under the broader oversight of the Unidad de Análisis Financiero (UAF). Amendments and supplementary regulations have progressively tightened requirements, particularly following Panama's FATF grey-listing in 2019 and subsequent remediation process. VASPs are explicitly included as obligated entities under the Law 23 framework as amended to incorporate FATF Recommendation 15.
Does Panama require a specific crypto licence?
Panama does not issue a dedicated standalone crypto licence equivalent to a full financial services authorisation. Instead, virtual asset service providers must: incorporate a Panamanian legal entity through MICI, register with the SSF/UAF as a supervised obligated entity under Law 23, and submit an AML/CFT programme for approval. This combination constitutes the authorisation framework for operating as a VASP in Panama. The SSF maintains the register of supervised non-financial entities including VASPs, and registration on that register is the operative authorisation for conducting virtual asset business in Panama.
What AML requirements apply to crypto firms in Panama?
Crypto firms in Panama must maintain a written AML/CFT programme meeting the standards of Law 23. Core requirements include: customer due diligence and enhanced due diligence for high-risk clients, beneficial ownership identification, PEP screening, transaction monitoring, suspicious transaction reporting to the UAF, employee training, and five-year record retention. The UAF conducts supervisory examinations and assesses whether controls are operationally effective, not merely documented. Post-grey-listing enforcement has become materially stricter, and document-only AML programmes without operational records consistently fail UAF examinations.
Is Panama a good jurisdiction for a crypto company?
Panama offers genuine advantages for crypto companies: no capital gains tax on foreign-source income, a US dollar economy, a strong English-speaking legal profession, and competitive setup costs compared to EU jurisdictions. The regulatory framework is less capital-intensive and faster to navigate than Brazil's BCB registration. The principal practical constraint is banking: Panamanian banks remain cautious about serving crypto firms, and obtaining a business bank account for VASP operations in Panama requires careful preparation and proof of genuine AML controls. Firms that approach Panama as a low-effort regulatory footprint rather than a genuine operational base typically encounter difficulties in banking, institutional partnerships, and supervisory examinations.
What happened to Panama's FATF grey-listing?
Panama was added to the FATF grey list (Jurisdictions Under Increased Monitoring) in 2019 following a mutual evaluation that identified deficiencies in AML/CFT implementation. Panama undertook a comprehensive remediation programme, strengthening its AML framework, improving law enforcement cooperation, and demonstrating effective supervision of obligated entities. FATF removed Panama from the grey list in October 2023, recognising that the identified deficiencies had been substantially addressed. However, institutional counterparties and correspondent banks continue to apply heightened due diligence to Panama-based entities, and this scrutiny is likely to persist for several years following removal from the list.