AML & KYC for crypto CASPs under MiCA

Crypto-asset service providers are "obliged entities" under EU anti-money-laundering law. On top of MiCA's conduct rules, a CASP must run a full AML/CFT programme — customer due diligence, screening, monitoring, the Travel Rule and suspicious-activity reporting — and be able to evidence it. This guide is the practical checklist, with the 2026 deadlines that make it urgent.

The rulebook

A CASP's AML obligations come from the EU AML framework — the Anti-Money-Laundering Directives and the new single rulebook, the AML Regulation (EU) 2024/1624 (with the AML Authority, AMLA, coming online) — plus the crypto Travel Rule in Regulation (EU) 2023/1113. MiCA authorisation and AML registration go hand in hand: a regulator will not authorise a CASP whose AML programme isn't credible.

The programme — your checklist

Business-wide risk assessment — documented, current, and proportionate to your products and customers;
Customer due diligence (CDD) at onboarding — identify and verify the customer and beneficial owner;
Enhanced due diligence (EDD) for high-risk customers, PEPs and high-risk jurisdictions;
Sanctions & PEP screening at onboarding and on an ongoing basis;
The Travel Rule — transmit and receive originator and beneficiary information on crypto transfers;
Ongoing transaction monitoring with alert handling;
Suspicious activity/transaction reporting (SAR/STR) to your national Financial Intelligence Unit, without tipping off;
A nominated MLRO / compliance officer;
Record-keeping for at least five years;
Staff AML training, and independent audit of the programme.

Where small CASPs trip up

The common failures aren't exotic: a risk assessment that's a stale template, screening done once at onboarding but never repeated, no real transaction monitoring, and no evidence trail to show the programme actually operates. Supervisors increasingly want to see the working system and its outputs, not a binder of policies.

Deadline1 July 2026MiCA's transitional period ends — full CASP authorisation, which requires a credible, operating AML/CFT programme, or cease operating.

Check your AML programme readiness — free

Run the free AML check →

No signup · customer data never leaves your browser

This guide is general information, not legal advice. AML obligations vary by member state and are changing under the new EU AML package — confirm the current requirement with your national authority and qualified counsel before you rely on it.