The LATAM Crypto Compliance Map (2026): Licensing, Custody, and Regulatory Risk for Stablecoin Operators
Phoebe Duong
Author
[TL;DR]
- Latin America is not one market. A custody flow that operates under a light-touch registration requirement in Argentina can trigger authorization obligations in Mexico if routed through a regulated financial entity, while the same product may run under sandbox conditions in Colombia where no formal VASP licensing regime currently exists. Same product, three different regulatory realities.
- Ten countries across the region now have some form of crypto-related regulatory treatment, of some kind, but having a framework does not mean licensing is required, enforcement is active, or banking access is straightforward. These three factors rarely move in the same direction at the same time.
- Brazil is the most advanced and time-sensitive market. If you are entering or already serving Brazilian users, the October 30, 2026 VASP authorization deadline is the only deadline that matters right now.
- Mexico and Argentina are the next two priority markets. Mexico has one of the region’s most restrictive and actively monitored frameworks outside Brazil. Argentina has among the highest retail crypto penetration in the region with a relatively light registration regime.
- The common infrastructure thread across all markets: asset segregation, AML/KYC, and auditable transaction logs. Operators who build these into their custody architecture from the start spend less time and money adapting per market.
A fintech operator expanding into Latin America cannot use a single compliance template for the region. A custody product that requires only AML registration in one country may trigger formal authorization obligations in another, while the same setup could operate under sandbox conditions somewhere else with no mandatory VASP licensing at all.
This article maps the regulatory landscape across Latin America's key markets, grouped by regulatory maturity. It is written for operators outside the region who are evaluating where to enter, how to structure their custody infrastructure, and what the actual compliance floor looks like in each market.
Brazil is covered separately in a dedicated article.
Full breakdown here: Brazil's VASP 2026: What Stablecoin Payment and Remittance Operators Need to Prepare for Custody.
LATAM Crypto Market 2026: $730B Volume and the State of VASP Regulation
Latin America recorded more than $730 billion in crypto transaction volume in 2025, a 60% increase year-on-year. Stablecoins drove the majority of that activity, with inflation, currency depreciation, and the high cost of cross-border remittances as the structural demand drivers.
The regulatory response to this growth has been uneven. Some countries have passed dedicated VASP frameworks with active licensing and enforcement.
Others have created registration requirements with limited oversight.
Several have no crypto-specific rules at all, but retain general AML, securities, and consumer protection laws that still apply to crypto activities regardless.
The table below maps ten markets across three groups: Advanced, Emerging, and Early-Stage or Special Case. The Enforcement Maturity and Banking Access columns matter most for operators assessing real entry conditions, because in several LATAM markets, regulatory status and operational readiness do not match.
| Country | Regulator | Framework | Licensing or Registration | Enforcement Maturity | Banking Access | Urgency |
|---|---|---|---|---|---|---|
| Brazil | BCB | BCB Resolutions 519-521 (2026) | Full licensing required | High | Stable, gated by authorization | Critical: Oct 30 2026 deadline |
| Mexico | CNBV + Banxico | Fintech Law 2018, Banxico Circular 4/2019 | Authorization required for regulated entities | High | Restricted without authorization | High |
| Argentina | CNV | CNV Resolution 1058/2025 | VASP registration required | Moderate | Limited, improving | Medium |
| Chile | CMF | Fintech Law 21.521 (2023) | Registration with CMF required | Moderate | Limited | Medium |
| Colombia | SFC | Sandbox framework only, no mandatory licensing yet | No national VASP licensing | Low | Difficult | Watch |
| El Salvador | CNAD | Digital Assets Law (2023, reformed 2025) | DASP or BSP license required | Moderate | Limited | Opportunity |
| Bolivia | UIF | AML decree (2025) | AML reporting only | Low | Difficult | Monitor |
| Peru | SBS | DS 006-2023-JUS (AML only) | AML reporting for VASPs | Low | Limited | Monitor |
| Venezuela | SUNACRIP | VASP framework exists | Registration exists | Unpredictable | Severely restricted (sanctions) | High risk |
| Panama / Uruguay | Drafting | Partial or in progress | None yet | Minimal | Varies | Monitor |
What this table does not tell you: Regulatory status does not equal operational readiness. In several markets, banking relationships are harder to establish than licensing requirements suggest. In others, enforcement is light enough that operators run with informal structures that will not survive regulatory maturity. Both situations carry risk that is easy to underestimate from the outside.
Advanced Markets - Crypto Custody Regulation in Brazil and Mexico
Brazil
Brazil is the most developed and most urgent crypto market in Latin America. The BCB published three resolutions on November 10, 2025 that came into effect on February 2, 2026, creating the first formal authorization regime for VASPs under Law 14,478/2022. After October 30, 2026, no BCB-licensed bank or payment institution may transact with unauthorized VASPs.
Resolution 520 sets out the core operational requirements. Asset segregation is explicit: client BRL must be held in individualized payment or deposit accounts, and virtual assets must be segregated into distinct wallets with monthly proof of reserves, subject to biennial audits by an independent firm. The framework requires robust cybersecurity standards and internal controls. MPC or HSM-based key management satisfies these requirements in practice, as a software-only key management setup with no threshold controls is unlikely to pass BCB scrutiny, though the BCB regulates outcomes rather than prescribing a specific cryptographic architecture by name.
Brazil's Travel Rule applies with no minimum transaction threshold, implemented via Article 44 of Resolution 520, with a phased schedule running through February 2, 2028: domestic transfers come first, international transfers follow. During both phases, SPSAVs may rely on client self-declarations while building full counterparty identification infrastructure.
Mexico
Framework: Ley para Regular las Instituciones de Tecnología Financiera (Fintech Law, 2018), Banxico Circular 4/2019
Mexico passed one of the earliest formal crypto frameworks in Latin America. The Fintech Law of 2018 was the first legislation in the region to formally recognize virtual assets and bring them into the financial regulatory perimeter. Banxico Circular 4/2019 then defined how regulated financial entities can interact with virtual assets: licensed financial institutions and fintech companies operating within Mexico's regulated system may only conduct virtual asset operations for internal use, not as services marketed directly to the public, unless they obtain explicit Banxico authorization.
The practical implication for operators is this distinction between operating inside and outside the regulated financial system. Operators offering custody or crypto-linked financial services through a regulated Mexican entity, or integrating with local banking rails or fiat on-ramps, may trigger authorization requirements under the Fintech Law framework, depending on the specific structure of the service.
The cross-border servicing situation is more nuanced: operators serving Mexican users from an offshore entity without local incorporation face a separate set of obligations, particularly around AML reporting to the Unidad de Inteligencia Financiera (UIF).
AML obligations under Mexico's Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita (LFPIORPI) apply to entities conducting virtual asset activity above thresholds defined under Mexico's AML framework for virtual asset activities, with reporting to the UIF. The CNBV requires entities offering crypto-related services to register and maintain AML/KYC programs consistent with those thresholds.
Enforcement: Regulatory scrutiny under the CNBV and Banxico has increased materially since 2025, with Mexico's FATF leadership role signaling intensifying attention on AML compliance for crypto operators.
Custody implications: Mexico does not specify cold storage ratios or MPC controls explicitly. Requirements are principles-based: adequate security controls, AML compliance, and segregation of client assets. Regulators increasingly focus on outcomes (segregation, governance, recoverability, auditability) rather than prescribing a single technical architecture.
Banking access: Restricted without authorization. Financial institutions under CNBV supervision face legal risk if they maintain relationships with unauthorized crypto operators.
Emerging Markets - Crypto Frameworks in Argentina, Chile, and Colombia
Argentina
Framework: Ley 27.739 (2024), CNV Resolution 1058/2025
Argentina is a market that combines factors that do not usually appear together: among the highest retail crypto penetration in the region, a strong structural demand for stablecoins driven by peso depreciation, and a relatively light registration-based regulatory regime rather than a full prudential licensing framework.
Argentina ranked first in LATAM for monthly active user penetration, with approximately 12% of the population actively using crypto, accounting for over a quarter of regional crypto activity in 2025. Stablecoins account for over 60% of Argentine crypto activity, functioning as a practical hedge against inflation and capital controls rather than a speculative instrument.
The current framework requires VASPs to register with the Comisión Nacional de Valores (CNV) under Resolution 1058/2025, which sets compliance obligations including KYC/AML programs, internal controls, governance systems, transaction monitoring, and suspicious activity reporting to the UIF. This is a registration regime, not a licensing regime in the prudential sense. The requirements focus on transparency and AML compliance rather than capital adequacy, independent audits, or custody-specific technical standards. Foreign companies serving Argentine clients through local or digital presence must also register with the CNV under the resolution.
Custody implications: Resolution 1058/2025 does not prescribe specific technical custody standards such as cold storage ratios or multi-party signing controls. Operators must demonstrate adequate security and segregation of client assets as part of their AML and governance obligations. Other markets in the region with similar macroeconomic conditions are producing comparable stablecoin adoption patterns, which suggests Argentina's regulatory approach will serve as a regional reference point.
Banking access: Limited and improving. Argentina's banking sector has historically been cautious about crypto relationships, but regulatory clarity under the CNV framework is gradually opening access for registered operators.
Chile
Framework: Ley 21.521 Fintec (published January 5, 2023, in force February 3, 2023), CMF regulatory circulars
Chile's Fintech Law establishes a registration and oversight framework for financial technology service providers, administered by the Comisión para el Mercado Financiero (CMF). It covers seven categories of regulated services, including custody of financial instruments, alternative transaction systems (which encompass crypto exchanges), and payment services.
The law's treatment of digital assets requires precise description. Ley 21.521 defines crypto-assets as "representaciones digitales de valor, bienes o servicios" (digital representations of value, goods, or services), and regulates general crypto-assets as investment instruments in the context of the seven covered service categories. Separately, stablecoins are recognized as potential payment instruments ("medios de pago"), but only to the extent they meet standards and requirements to be established by the Banco Central de Chile. Those Banco Central standards had not been fully finalized as of early 2026. The law does not classify all digital assets as "digital money" or grant them any form of legal tender status.
Operators offering digital asset custody, exchange, or payment services in Chile must register with the CMF as a financial technology service provider (Proveedor de Servicios Financieros Basados en Tecnología, PSFT). Registration requirements may include: local incorporation, CMF registration, KYC/AML protocols, periodic cybersecurity audits, disclosure of fees and risks, and submission of audited financial statements, depending on the service category.
Chile has also committed to implementing the OECD's Crypto-Asset Reporting Framework (CARF) from 2027, which will require crypto service providers to automatically report tax-relevant transaction data to the Chilean authorities, aligning Chile with international transparency standards.
Custody implications: Ley 21.521 explicitly lists custody of financial instruments as a regulated service, meaning custody providers must register with the CMF. Specific technical custody standards are left to operator-level controls and continuing CMF guidance.
Banking access: Limited. Chile's banking sector has been cautious about crypto relationships, and CMF registration does not automatically unlock banking access.
Colombia
Framework: No mandatory national VASP licensing. Superintendencia Financiera de Colombia (SFC) regulatory sandbox. General AML law applies.
Colombia does not yet have a dedicated national licensing regime for crypto VASPs. The SFC has operated a regulatory sandbox since 2020, allowing supervised pilot projects between banks and crypto platforms under controlled conditions. This approach gives Colombian regulators transaction-level visibility into specific business models before committing to a formal framework, a pattern increasingly used by emerging crypto regulators globally.
The practical result is that no mandatory VASP registration or licensing currently exists for operators serving Colombian users. This does not mean the market is unregulated. General AML law, consumer protection regulation, and securities law apply to crypto activities to the extent they fall within their scope. Operating in Colombia without a licensing requirement does not remove the obligation to comply with applicable general financial law.
Colombia, Peru, Panama, and Uruguay are all expected to move toward formal VASP frameworks between 2025 and 2026. Colombia's trajectory is worth monitoring closely: currency volatility and deepening fiscal pressure are driving stablecoin inflows in a pattern that echoes Argentina's trajectory in earlier years. If macro conditions continue to deteriorate, demand-driven adoption will accelerate ahead of formal regulation, creating a compressed compliance window for operators already in the market.
Banking access: Difficult. Without formal licensing, banking relationships for crypto operators remain challenging and depend heavily on individual bank risk appetite.
Special Cases & Early-Stage Markets – Crypto Regulation in El Salvador, Venezuela, Bolivia, Peru, Panama, and Uruguay
El Salvador
Framework: Digital Assets Law (2023), reformed January 2025 under IMF agreement. Licensing by the Comisión Nacional de Activos Digitales (CNAD).
El Salvador's Bitcoin experiment is frequently mischaracterized in crypto coverage, so the timeline matters. The 2021 law made Bitcoin mandatory for commercial acceptance and required all merchants to accept it. Surveys showed Bitcoin usage declining steadily, from 25.7% of the population in 2021 to 8.1% by 2024. In December 2024, El Salvador agreed to a $1.4 billion IMF loan that required rolling back Bitcoin's mandatory status. The Legislative Assembly voted 55-2 in January 2025 to substantially revise the law. Businesses are no longer legally required to accept Bitcoin. Bitcoin can no longer be used to pay taxes. The state-backed Chivo wallet was phased out.
What El Salvador is now is distinct from what it was attempting in 2021. The government shifted from a retail adoption strategy to a reserve strategy, building government Bitcoin reserves while positioning the country as a crypto-friendly licensing destination. Bitcoin use in the private sector remains voluntarily permitted.
For operators, the relevant part of El Salvador's current framework is the CNAD licensing structure. Two license categories exist: Bitcoin Service Provider (BSP) for Bitcoin-related services, and Digital Asset Service Provider (DASP) for services involving other cryptocurrencies. El Salvador continues offering significant tax incentives for certain crypto-related activities and foreign-source income structures, though AML/KYC compliance and reporting to CNAD remain mandatory for all licensed entities.
El Salvador's regulatory environment is lighter-touch than Brazil or Mexico, with active government positioning around crypto-friendly licensing. For operators evaluating regional entry points, it is a legitimate licensing option with lower overhead than the larger markets, though with a smaller domestic addressable market.
Venezuela
Framework: SUNACRIP operates a VASP registration and oversight framework. Formal registration is possible.
Venezuela requires direct treatment because the compliance picture is more complex than the "high-risk emerging market" label typically conveys.
Venezuela ranks among the top 20 globally for crypto adoption, driven by currency collapse and a population that turned to stablecoins as a practical store of value. The on-chain volumes are real and substantial.
The compliance risk for operators is not primarily Venezuela's domestic VASP framework. It is sanctions exposure. Stablecoins now account for a growing share of flows to sanctioned entities and jurisdictions globally, and Venezuelan-origin stablecoin activity is high-volume and structurally embedded in regional P2P and remittance channels. This makes distinguishing legitimate from sanctions-linked flows difficult without blockchain-level entity and wallet screening.
The practical question for any operator processing LATAM stablecoin volume is not only whether they directly serve Venezuelan users. It is whether their transaction flows touch wallets with a Venezuela or OFAC-designated nexus, and whether their AML systems can detect this at the entity and wallet level rather than the jurisdiction level alone. An operator whose banking partner identifies Venezuela-linked flows without adequate screening risks account closure regardless of intent.
Venezuela is not a recommended primary entry market. It is a compliance risk factor that affects any operator handling significant LATAM stablecoin volume.
Bolivia
Framework: AML decree (2025). Unidad de Inteligencia Financiera (UIF) designated VASPs as reporting entities.
Bolivia reversed a decade-long crypto ban in June 2024, authorizing regulated digital asset transactions. In 2025, the UIF designated VASPs as reporting entities subject to AML obligations, including registration and suspicious transaction reporting. A specific regulatory instruction detailing the full scope of AML and CFT obligations for VASPs had not been formally approved as of early 2026.
No dedicated VASP licensing regime currently exists in Bolivia. The trajectory is positive, but the framework is early-stage. Operators considering Bolivia should monitor regulatory development rather than building custody infrastructure investment now.
Peru
Framework: Decreto Supremo 006-2023-JUS and associated SBS resolution (AML obligations for VASPs)
Peru classifies crypto operators as virtual asset service providers for AML purposes under DS 006-2023-JUS, requiring them to report suspicious transactions to the Unidad de Inteligencia Financiera del Peru. No dedicated VASP licensing regime exists. The SBS continues to evaluate broader crypto regulation, with Peru among the countries expected to formalize frameworks between 2025 and 2026.
Peru's crypto app downloads grew 50% in 2025, with 2.9 million downloads, reflecting strong retail adoption ahead of formal licensing. AML obligations apply and the timeline for formal frameworks is compressing. Operators entering Peru now should structure their compliance program to accommodate incoming registration requirements.
Panama and Uruguay
Both are in active regulatory development. Panama has advanced VASP-related legislation through the legislature through multiple bill iterations since 2022. Uruguay's approach centers on payments regulation, with some crypto activity falling under existing payment provider frameworks. Neither has mandatory VASP licensing as of early 2026. These are markets to track rather than targets for near-term full custody infrastructure investment.
The Cross-Border Problem Most Operators Underestimate
Most LATAM market entry starts offshore. An operator incorporates outside the region, builds a product, and serves LATAM users through an app or web interface without a local presence. This structure is common and has worked in the past. It is increasingly unreliable as a long-term approach.
Licensing triggers across LATAM are converging on a shared set of factors, even where formal rules differ:
- Local marketing or solicitation directed at residents of a jurisdiction
- Fiat on-ramps or off-ramps that touch local banking rails
- Custody of assets belonging to local users
- Partnerships with locally licensed financial institutions
- Local employees, offices, or operational infrastructure
Brazil is the clearest example of where this is going: Brazil’s framework increasingly evaluates activity based on servicing Brazilian users and integration with the domestic financial system, not only incorporation location. Other markets in the region, including Mexico and Argentina, are also moving toward frameworks where serving local users can trigger registration or compliance obligations depending on the operational structure, even without full extraterritorial reach codified in law today.
The practical implication is that an offshore structure which avoids formal licensing obligations today may not continue to do so as enforcement matures and regulatory perimeters expand. Operators who build custody architecture, AML systems, and asset segregation to meet the most demanding standard in their target markets will have less to rebuild when that standard becomes mandatory elsewhere in the region.
What Your Infrastructure Needs to Handle Across These Markets
Regulatory requirements across LATAM do not converge on a single technical standard. But the direction all active frameworks are moving toward is consistent.
Every market with an active or emerging framework is requiring: asset segregation demonstrable at the technical level rather than just at the accounting level, AML/KYC with transaction monitoring and suspicious activity reporting, auditable transaction logs sufficient for regulatory review, and key management controls that prevent single points of failure.
Regulators across the region increasingly regulate outcomes, including segregation, governance, recoverability, and auditability, rather than prescribing a single cryptographic architecture. No LATAM market currently mandates MPC by name, but MPC-based custody architecture aligns with the broader regulatory direction toward stronger operational controls and demonstrable asset separation. Operators relying solely on software-based key management without strong segregation or threshold controls may face increasing difficulty demonstrating operational resilience expectations as frameworks mature.
The stablecoin chains that matter most for LATAM: USDT on TRON and USDC on Solana and Ethereum account for the majority of regional stablecoin flows. Any custody infrastructure entering LATAM at scale needs multichain coverage that does not require fragmented key management per chain.
If you are mapping your LATAM custody infrastructure, the Fystack team can work through your specific setup: chain coverage, key placement, and what self-hosted MPC looks like in your target regulatory context.
Frequently Asked Questions
Do I need a license to offer crypto services in Latin America?
It depends on the country, the structure of your service, and whether you interact with local banking rails or regulated financial entities. Brazil requires full VASP authorization by October 30, 2026. Mexico requires authorization for custody or crypto-linked financial services offered through regulated entities. Argentina and Chile require VASP registration. Colombia, Peru, Bolivia, Panama, and Uruguay do not yet have mandatory VASP licensing, though general AML, securities, and consumer protection obligations apply in most jurisdictions regardless.
Which LATAM countries have the strictest crypto regulations?
Brazil and Mexico have the most developed and actively monitored frameworks. Brazil has explicit technical custody requirements, a Travel Rule mandate with phased implementation through 2028, and a hard authorization deadline. Mexico has the earliest formal framework in the region and increased regulatory scrutiny under the CNBV and Banxico. Argentina and Chile have formal registration regimes with lighter enforcement. Colombia operates a sandbox model with no mandatory national licensing.
Is crypto legal in Argentina?
Crypto ownership and trading are not prohibited in Argentina. Operators offering VASP services must register with the CNV under Resolution 1058/2025 and comply with AML/KYC and governance requirements. No dedicated prudential licensing with capital adequacy requirements or specific custody technical standards currently exists.
What is the difference between Brazil's VASP rules and Mexico's Fintech Law?
Brazil's framework under BCB Resolutions 519-521 is a full prudential authorization regime with explicit technical custody requirements: asset segregation at the on-chain level, monthly proof of reserves, and biennial independent audits by a qualified firm. Mexico's Fintech Law and Banxico Circular 4/2019 are principles-based: regulated financial entities must obtain authorization and comply with AML standards, but no specific cold storage ratio, cryptographic standard, or proof-of-reserves cadence is mandated. Brazil has a hard deadline; Mexico has active regulatory oversight of an existing framework.
Does operating in LATAM require separate custody infrastructure per country?
Not necessarily, but legal entity structure, AML program design, and node or key placement need to reflect each market's specific requirements. The same signing infrastructure can serve multiple markets if designed around the most demanding standards in the target set. Building to Brazil's BCB requirements creates an architecture that aligns with the direction most other LATAM markets are moving toward, even where formal standards are not yet explicit.
Regulatory requirements evolve. Verify current standards directly against SFC and HKMA publications before making licensing decisions. This article does not constitute legal advice.
Share what you are building: contact Fystack here
Follow on LinkedIn: Fystack
