CASP AML Compliance: What MiCA Requires of Your Controls
CASP AML compliance is not simply about having a policy document. Under MiCA, your national competent authority will assess whether your controls are working as intended. The question is not whether you have an AML programme. The question is whether you can demonstrate it functions in practice.
The deadline for CASP authorisation across the EU is 1 July 2026. Firms that have not secured authorisation by that date will be operating outside the law. Several member states are behind on implementation. That does not reduce your obligation.
The July 2026 Deadline For CASP AML Compliance Is Closer Than It Looks
MiCA's transitional provisions give firms operating under pre-existing national regimes limited time to convert to full CASP authorisation. That window is closing.
The authorisation process requires firms to demonstrate, in detail, that their AML and compliance arrangements meet MiCA's requirements. National competent authorities will review your governance, policies, transaction-monitoring controls, KYC processes, and risk management framework.
The firms that will secure authorisation are preparing now. They are identifying gaps before regulators do. They are building a position they can defend.
The firms that are waiting are building a problem.
What MiCA Expects from Your AML Programme
MiCA Title VI establishes specific AML and CTF obligations for CASPs. These obligations draw on the FATF Recommendations for virtual assets and VASPs, the EU's Transfer of Funds Regulation as applied to crypto-asset transfers, and the anti-money laundering directive framework.
In practice, the most scrutinised areas are those where CASPs have historically been weakest. The following six areas are where firms most commonly encounter difficulty during authorisation assessments.
The Six Areas Where CASPs Most Commonly Fall Short
1. CDD and KYC Lifecycle Management
Customer due diligence in a crypto context is not a one-time event. Regulators expect firms to maintain KYC throughout the customer lifecycle, update risk ratings when circumstances change, and apply enhanced due diligence to higher-risk customers.
Many CASPs have initial onboarding in place but lack robust ongoing monitoring. That gap is visible to regulators. It is also exploitable by bad actors.
2. Transaction Monitoring
Standard transaction monitoring rules were designed for traditional banking. They miss the risks specific to crypto: stablecoins, DeFi interactions, unhosted wallet activity, chain-hopping, and cross-border flows through high-risk jurisdictions.
MiCA requires transaction monitoring that reflects the actual risk profile of your business. Regulators will want to understand how your rules were designed, what they are designed to detect, and how you know they are working.
3. Sanctions Screening
Sanctions exposure in crypto is real and growing. State-sponsored actors, ransomware operators, and illicit finance networks use crypto precisely because it enables them to evade traditional screening controls.
Your sanctions screening must cover wallet addresses and transaction counterparties, not just named individuals. Regulators will expect you to demonstrate that your screening is effective across the full transaction flow.
4. Travel Rule Compliance
The travel rule requires CASPs to transmit originator and beneficiary information alongside crypto-asset transfers. Implementation has been inconsistent across the industry, and regulators know it.
Your travel rule compliance must cover data collection, transmission, counterparty verification, and handling of non-compliant counterparties. Incomplete implementation is a common finding.
5. SAR Quality
Suspicious activity reporting is one of the areas where regulators most clearly distinguish between firms that understand their obligations and firms that are going through the motions.
High-quality SARs are specific, well-evidenced, and demonstrate that the firm understands the risk it is reporting. Tick-the-box SARs raise further questions about the quality of your broader controls.
6. Governance and Oversight
Governance failings underpin most enforcement actions. Regulators want to see that your board and senior management understand their compliance obligations, that accountability is clear, and that compliance has sufficient resources and standing.
A firm where the MLRO sits in a weak position, where the compliance budget is constrained, or where controls have not been reviewed against MiCA requirements, is a firm that will struggle to secure authorisation.
How Argus Pro Supports CASP Authorisation Readiness
Argus Pro's AFC framework covers the regulatory instruments that apply directly to CASPs under MiCA: FATF Recommendation 15 and the Virtual Assets guidance, MiCA Title VI, the EU Transfer of Funds Regulation, and applicable national implementation.
Delivered through Aegis Compass, the assessment measures both the maturity and the effectiveness of your CASP AML compliance controls across each domain. The output is a prioritised gap analysis, an executive dashboard, and a traceability pack that maps your position to specific regulatory requirements.
This is not an audit. Argus Pro is not an auditor and does not provide audit opinions. Our frameworks support readiness, prioritisation, and improvement planning.
Download: Is Your CASP AML Programme MiCA-Ready?
This free checklist covers the six compliance areas that national competent authorities scrutinise most closely during CASP authorisation. It draws on the FATF 2021 Virtual Assets guidance and MiCA's AML provisions.
The checklist is designed for MLROs and CCOs. It gives you a practical framework for assessing where your programme stands today and where to focus your preparation.
- 30 assessment questions across six compliance domains
- A four-point maturity scale for each area
- Specific regulatory references for each question
- A clear guide to interpreting your results
The Difference Between Compliant on Paper and Defensible Under Scrutiny
A RegTech client came to us with a brief for 40 transaction monitoring rules. When we showed them the regulatory landscape ahead, they made a different decision.
We delivered 254 implementation-ready rules, anchored to FATF and mapped to 12 regulatory bodies. Those rules were built to hold up under scrutiny, not just to satisfy a contract.
That is the distinction that matters when a regulator comes knocking.
Talk to Argus Pro About Your MiCA Authorisation
If your firm is preparing for CASP authorisation, or if you want to understand your current position before beginning the process, we can help.