GRCpay logoGRCpay
On this page

Legal overview for self-hosters

An orientation pass, not advice, for anyone running GRCpay against their own Gridcoin wallet to accept payments commercially. Read it before you flip your checkout from sandbox to live, and talk to a lawyer in your jurisdiction before you do anything important.

Overview

GRCpay is a small piece of open-source software. The authors publish it; you the merchant run it. The moment you start running it commercially, you become the operator of crypto-payment infrastructure under the laws applicable to you. That is a meaningful step.

This page is a heads-up about the regimes that typically engage when small operators in the EU, US, UK, Switzerland, Singapore, and the UAE start accepting crypto payments. None of it is exhaustive, some of it will be wrong by the time you read it, and all of it depends on your specific facts. Treat it as a checklist of things to ask your lawyer about, not as a substitute for asking.

Where the line sits

The single most important legal distinction in this whole space is the line between publishing software and operating a service. Almost every regulator's test, in practice, collapses to one question: are you holding customer funds, forwarding them to someone, or otherwise standing between two parties to a payment?

The GRCpay maintainers publish source code. They do not provide a service to your customers and have no relationship with them. The operator of a self-hosted GRCpay instance (you) is on the other side of that line, because your wallet daemon receives customer funds and your software forwards them. Most of what follows is about your side of the line, not theirs.

Two things shrink your exposure regardless of jurisdiction:

  • Receive only for your own business. If the wallet receives payments only for goods or services you sell, and forwards nothing onward to other merchants, you are accepting payment in crypto for your own business. That is widely treated as ordinary merchant activity, not as a payment service. The moment you start receiving on behalf of someone else and routing funds to them, the legal class changes sharply.
  • Hold briefly, sweep often. The longer you hold customer funds, and the more of them, the more your activity looks like custody. Sweeping into cold storage on a fixed cadence and disclosing the wallet structure to your accountant is the boring, defensible pattern.

EU regulatory map

If you serve EU customers, or are established in the EU, four regulations are worth being aware of.

MiCA (Regulation 2023/1114)

Provides the EU’s authorisation regime for Crypto-Asset Service Providers (CASPs). Two of its service categories are relevant: custody and administration of crypto-assets on behalf of clients (Article 3(1)(17)) and providing transfer services for crypto-assets on behalf of clients (Article 3(1)(26)). A merchant accepting payment for their own goods is generally not providing those services to anyone — they are simply a payee. A merchant routing payments to other merchants is.

The transitional period for legacy national registrations expires 1 July 2026. After that, EU CASP authorisation is the only credible route to professional payment-service activity in the bloc. Capital requirement for custody + transfer services is €125,000.

Transfer of Funds Regulation (Regulation 2023/1113)

In force since 30 December 2024. The EU’s “Travel Rule”: CASPs must collect and transmit originator and beneficiary information for every crypto-asset transfer, with no de-minimis threshold between CASPs. Self-hosted-wallet transfers above €1,000 require proof of customer control. Whether this engages a self-hosting merchant depends on whether they fall within the CASP definition above.

AMLR (Anti-Money-Laundering Regulation)

Phasing in through July 2027. Imposes KYC for occasional transactions ≥€1,000, suspicious-activity reporting, sanctions screening, beneficial-ownership registration, and (from 2027) restrictions on handling anonymity-enhanced cryptoassets. Engages any “obliged entity,” which CASPs are.

DAC8 (Directive 2023/2226)

In force from 1 January 2026. Crypto-asset service providers report annual user transaction data to tax authorities, exchanged across Member States.

VAT

CJEU Hedqvist (C-264/14, 2015) treats the exchange of crypto for fiat as a VAT-exempt currency exchange. Receipt of GRC for goods or services is, however, a normal taxable supply at VAT rates applicable to those goods or services; the tax base is the GRC amount converted to fiat at the time of supply. Talk to your accountant about invoicing, the time of supply, and the FX rate methodology.

United States

The federal regime is FinCEN under the Bank Secrecy Act. Per the 2013 and 2019 FinCEN guidance, an “exchanger” or “administrator” of convertible virtual currency is a money transmitter and must register as a Money Services Business. A merchant accepting cryptocurrency for their own goods is generally not a money transmitter; a service that holds and forwards customer funds to other merchants generally is.

States are the harder layer. ~50 separate Money Transmitter Licenses, with varying scope, capital, and surety-bond requirements. New York’s BitLicense is the most restrictive. Operating unlicensed where licensure is required is a federal crime under 18 USC § 1960 (5 years + $250,000 per principal), with strict liability on the licensing element — not knowing the rule is not a defence.

OFAC sanctions apply with strict liability to any transaction touching a sanctioned address, regardless of intent. Merchants accepting GRC should screen counterparty addresses they know about and avoid comprehensively-sanctioned jurisdictions.

UK & other major jurisdictions

UK: the Financial Conduct Authority operates a registered cryptoasset business regime under the MLRs since January 2020. Service-shaped activity (custody, exchange) needs registration; merchant acceptance generally does not, but the line is fact-specific. The Online Safety Act and consumer duty layer on top.

Switzerland: FINMA + a self-regulatory body (typically VQF) governs crypto-payment activity. Distinguishes custodial from non-custodial models cleanly and is one of the friendliest regimes for small operators.

Liechtenstein: TVTG (Blockchain Act 2020) is among the cleanest in Europe and passports into the EEA. Worth knowing about if you ever scale beyond hobbyist size.

Singapore: Monetary Authority of Singapore Payment Services Act, Digital Payment Token regime. Strict, well-run.

UAE / Dubai: Virtual Assets Regulatory Authority (VARA). Licensed but expensive.

Other jurisdictions vary widely. Check before you serve customers across a border.

AML, KYC, and sanctions

GRCpay does not perform any anti-money-laundering function. It accepts an order shape, mints an address, watches for inbound funds, and forwards them. Whether KYC, sanctions screening, or suspicious-activity monitoring applies to your usage depends entirely on what you're doing and where you're doing it.

Practical baseline for a small merchant:

  • Don't knowingly transact with sanctioned counterparties or comprehensively-sanctioned jurisdictions. If a customer's wallet appears on a public sanctions list, refund and decline.
  • For larger or recurring transactions, consider name-based KYC at the order layer rather than the payment layer: your storefront collects enough customer information to satisfy the AML rules that apply to you, independent of what GRCpay does.
  • Keep records: order id, customer info you collected, GRCpay wallet address, recipient address, transaction id, fiat-equivalent at time of payment. Useful for tax, dispute resolution, and any later regulatory question.

The Travel Rule

FATF Recommendation 16 (the “Travel Rule”) requires regulated crypto service providers to collect and transmit originator and beneficiary information for transfers above local thresholds. The EU has implemented this through the TFR (no de-minimis between CASPs); the US through FinCEN’s Travel Rule ($3,000 threshold, with proposed lowering to $250 for cross-border CVC transfers); the UK through the MLRs.

The Travel Rule engages regulated CASPs / VASPs / MSBs, not ordinary merchants. If you're a merchant receiving payment for your own goods, the rule generally does not apply to you on the receiving side. If your activity drifts into providing payment services to others, it does. Sustained ambiguity is the case to ask a lawyer about.

Tax orientation

Three tax events typically arise from accepting GRC for goods or services:

  1. The supply itself. Receipt of GRC for goods or services is a normal taxable supply at the VAT/GST rate applicable to what you sold. The tax base is the GRC amount converted to your reporting currency at the time of supply.
  2. Income / corporate tax. The fiat-equivalent of the GRC received at the time of supply is income for income-tax / corporate-tax purposes. Your books should record the GRC amount and the conversion rate used.
  3. Capital gain / loss on disposal. If you later convert that GRC to fiat or use it to pay an expense, you realise a gain or loss against the cost basis from step 2. In some jurisdictions this is treated as ordinary business income; in others as a capital gain.

None of this is automatic in GRCpay. Pull transaction data into your accounting system, settle on a consistent FX-rate methodology with your accountant, and keep the receipts.

When to talk to a lawyer

Worth a one-hour scoping call (typically €300–€600, often free at startup clinics or via NGO programmes) if any of the following are true:

  • you intend to receive payments on behalf of other merchants, not just yourself;
  • your monthly inbound volume reaches the level where a tax authority might notice (varies, but once you're doing four or five figures a month routinely, the answer is yes);
  • you serve customers across borders, especially EU↔non-EU or any direction crossing the US;
  • you accept GRC for anything in a regulated sector (financial services, gambling, adult, age- or licence-gated goods, healthcare);
  • you receive a notice from any tax authority, central bank, financial regulator, or law enforcement that mentions cryptoassets.

Choose a lawyer or law firm with crypto-payment practice in your country, not a generalist. Bring the Terms of Service and a description of your actual flow; an hour with the right lawyer answers more than a week of reading.

This is not legal advice

This page is an orientation pass authored by software developers, not lawyers. It is offered as a starting point for your own research and as a list of things to ask your own counsel about. It is not, and is not intended to be, legal advice. The GRCpay maintainers, the gridcoin.club family contributors, and the operators of the public instance accept no responsibility for any decision you make based on this page or for any liability arising from your use of GRCpay.


Self-hosted Gridcoin payment facilitator. Privacy-first by design.Terms · Legal overview

Made with by @gridcat · Part of Gridcoin Club ↗ · Testnet