MiCA is now in force across the European Union. Crypto asset service providers applying for authorisation must demonstrate a fully documented, operationally ready AML compliance programme before the NCA will grant a licence. For many CASPs, the AML component of the application is the part that takes longest to build and the most common reason for application delays.
This article sets out every AML requirement MiCA imposes on CASPs, what the NCA actually looks for in each area, and the documentation that needs to be in place before submission.
MiCA Title VI brings crypto asset service providers within the full scope of the EU AML framework. This means all obligations under AMLD6 apply to CASPs in addition to the MiCA-specific requirements. Generic AML programmes built for EMIs or payment institutions are not sufficient for CASP applications: the crypto-specific requirements around unhosted wallets, Travel Rule compliance, on-chain monitoring and AMLCO appointment all require specific procedural design.
MiCA Regulation (EU) 2023/1114, Title VI establishes specific AML and CFT obligations for CASPs. These operate alongside AMLD6 (Directive (EU) 2018/843) and the Transfer of Funds Regulation (EU) 2023/1113, which extends Travel Rule requirements to crypto asset transfers.
EBA guidelines on ML/TF risk management for CASPs (EBA/GL/2024/01) provide specific supervisory expectations for CASP AML programme quality, AMLCO credentials and on-chain monitoring requirements.
A named AML Compliance Officer with specific authority, resources and access to carry out the function independently. The AMLCO must have demonstrable AML expertise and experience relevant to crypto asset activities.
Full CDD for all customers, EDD for high-risk individuals, PEPs, and customers using privacy-enhancing technologies. Unhosted wallet attribution is a specific procedural requirement for most CASPs.
Collection, verification and transmission of originator and beneficiary information for crypto transfers above EUR 1,000. Requires protocol selection, VASP counterparty screening, and documented exception handling.
Monitoring of blockchain transactions for suspicious patterns: mixing, tumbling, high-risk jurisdiction exposure, darknet associations. Requires integration with a blockchain analytics tool.
A documented BWRA covering crypto-specific risk factors: asset types (privacy coins, stablecoins), customer segments (DeFi, institutional, retail), geographic exposure and transaction channels.
Documented escalation procedures for suspicious transaction reporting. On-chain analytics evidence must typically accompany crypto STRs to substantiate the suspicion adequately.
The following is the documentation set that CASPs need to have completed and available for NCA review at the point of application. Missing items are the most common reason for AML-related delays or application returns.
Having the documentation in place is necessary but not sufficient. NCAs also assess whether the programme is operationally credible. This means the AMLCO must be able to speak to the content of the policies, the rationale behind the risk scoring methodology, and the expected workflow for a suspicious transaction. A programme that reads well but that no one in the organisation can operate is a red flag.
MFSA (Malta) focuses heavily on the quality and specificity of the BWRA. They want to see that the risk assessment reflects the CASP's actual customer base and asset types, not a generic template. The AMLCO credentials and independence are also assessed in detail.
CySEC (Cyprus) applies a detailed review of the customer risk scoring methodology and the on-chain monitoring tool integration. They expect evidence of tool configuration against the CASP's specific risk profile, not default settings.
Central Bank of Ireland places particular emphasis on the independence of the AMLCO and the quality of board-level AML reporting. Their examination approach includes detailed questioning of the AMLCO directly.
Bank of Lithuania has one of the more structured pre-registration review processes for CASPs. The AML programme must be complete before submission. The Bank of Lithuania expects specific evidence of Travel Rule protocol selection, counterparty VASP screening procedures, and on-chain monitoring tool integration.
The most common reason for CASP application delays: an AML programme that is structurally complete but that lacks specificity to the CASP's actual operations. NCAs increasingly reject applications where the documentation appears generic or where the AMLCO cannot demonstrate familiarity with the programme's content and rationale.
For a CASP starting from scratch, a complete MiCA-compliant AML programme typically takes 8 to 16 weeks to build, depending on the complexity of the customer base, the asset types offered, and whether Travel Rule implementation requires significant technical work.
The BWRA is usually the first deliverable: it takes 2 to 3 weeks and drives the design of all subsequent policies. The policy suite then takes 4 to 6 weeks. Travel Rule implementation is often the longest-lead item because it has a technical integration component that depends on the CASP's own engineering resources.
Scanlex builds MiCA-compliant AML programmes for CASPs applying for authorisation with MFSA, CySEC, Central Bank of Ireland, Bank of Lithuania, and other EU NCAs. We also provide KYC/ODD teams for crypto customer onboarding and AMLCO support for post-registration operation.
View MiCA / CASP AML service →For CASPs that also need an independent review of an existing AML programme ahead of an NCA examination, see our AML Audit and Advisory service.
The Travel Rule, implemented in the EU by Regulation (EU) 2023/1113, requires CASPs to collect, hold and transmit information about the originator and beneficiary of crypto asset transfers above EUR 1,000. For transfers below this threshold, certain information must still be available on request.
In practice, Travel Rule compliance requires technical integration with a Travel Rule solution capable of exchanging data with counterparty VASPs and CASPs, VASP/CASP identification workflows, and a process for handling transfers where the counterparty cannot be identified or does not respond. NCAs treat Travel Rule readiness as a hard condition for registration.
Legal references
[1] Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA): Title VI sets out the AML obligations applicable to crypto asset service providers. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1114
[2] Directive (EU) 2018/843 (AMLD5) and Directive (EU) 2021/2101 (AMLD6): the EU AML framework within which CASPs operate as obliged entities.
[3] Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets: the EU Transfer of Funds Regulation as extended to crypto asset transfers. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1113
[4] EBA Guidelines on the application of the AML/CFT obligations to crypto asset service providers: risk-based approach expectations for CASP customer due diligence and on-chain monitoring.
This article is provided for informational purposes only and does not constitute legal advice.
A senior advisor will review your details and come back with an honest assessment of which service fits your situation. No obligation.