MiCA AML Requirements:

Six Controls Every CASP Must Get Right

10 April 2026

Vinay Vyas

The MiCA AML requirements are not a compliance wish list. They are specific obligations that national competent authorities assess during the CASP authorisation process. A firm that cannot demonstrate each one clearly is a firm that will face delays, requests for additional information, or refusal.

This article covers the six control areas that MiCA prioritises, what the regulations actually require, and where CASPs most commonly fall short.

How MiCA Frames Its AML Requirements

MiCA Title VI establishes the AML and CTF obligations for crypto-asset service providers. These obligations do not exist in isolation. They sit within the broader EU anti-money laundering framework and draw directly on FATF's Recommendations for virtual assets and VASPs.

The Transfer of Funds Regulation, as extended to crypto-asset transfers, introduces specific travel rule obligations. The FATF 2021 Virtual Assets guidance provides the global baseline that MiCA's national implementation reflects. Together, they set out what a well-functioning CASP AML programme looks like.

The six controls below map to the areas where national competent authorities most consistently focus their scrutiny.

Control 1: Customer Due Diligence That Reflects Actual Risk

MiCA requires CASPs to apply customer due diligence proportionate to the risks presented. That means risk ratings that are updated as customer circumstances change, enhanced due diligence for higher-risk customers, and simplified due diligence only where the lower-risk criteria are genuinely met.

Many CASPs apply CDD robustly at onboarding. The problem is lifecycle management. Customer risk ratings set at onboarding rarely reflect what the customer is actually doing twelve months later. A customer who opened an account as a low-risk retail user and is now trading high volumes through multiple wallets presents a different risk. If the monitoring thresholds have not changed, the monitoring is not working.

A well-functioning MiCA AML requirements response on CDD covers three things: initial onboarding, periodic refresh triggered by time or risk indicators, and event-driven refresh when specific risk indicators are detected.

Control 2: Transaction Monitoring Calibrated to Crypto Risks

Standard transaction monitoring rules were designed for conventional banking. They monitor amounts, frequencies, and counterparty patterns in a way that makes sense for bank transfers. They do not natively address the risks that are specific to crypto.

MiCA requires transaction monitoring that reflects the actual risk profile of a CASP's business. FATF's 2025 Targeted Update identifies four specific areas where many firms remain underprepared: stablecoin activity, DeFi interactions, unhosted wallet transactions, and chain-hopping or layering through multiple protocols.

Each of these risk areas requires purpose-built monitoring logic. A rule designed to detect structuring in a bank account does not detect structuring through a series of DeFi protocol interactions. A rule that screens for high-value transfers does not detect layering through multiple small stablecoin movements below reporting thresholds.

The monitoring logic must also be traceable. For each rule, you should be able to explain which regulatory requirement it addresses, what risk it is designed to detect, how the threshold was calibrated, and when it was last reviewed.

Case Study: Future-fit Crypto Compliance

Control 3: Sanctions Screening Across the Full Transaction Flow

Sanctions screening is a well-established control in traditional financial services. In crypto, it requires a different approach.

Named individual screening is necessary but not sufficient. Wallet address screening is essential. State-sponsored actors, ransomware operators, and sanctions-designated entities routinely transact through wallet addresses that are not linked to named individuals in conventional screening databases.

Your sanctions screening must cover the counterparty wallet address at both the sending and receiving ends of any transaction. It must also cover indirect exposure through chain-hopping, where funds move through multiple intermediary addresses to distance themselves from sanctioned sources.

Furthermore, MiCA's requirements sit within a broader EU sanctions framework. The obligations extend beyond OFAC to include UN and EU-designated lists. A firm that screens effectively against OFAC but not against EU designations does not meet the MiCA AML requirements on sanctions.

Control 4: Travel Rule Implementation That Works in Practice

The travel rule requires CASPs to transmit originator and beneficiary information alongside each crypto-asset transfer. FATF first applied the travel rule to virtual assets in 2019. MiCA's Transfer of Funds Regulation extension to crypto operationalised it for EU CASPs in 2024.

Passing the rule in legislation is not the same as implementing it effectively. FATF's 2025 Targeted Update notes that practical enforcement of the travel rule remains limited across many jurisdictions. National competent authorities know this.

Effective travel rule compliance requires more than a data transmission mechanism. It requires counterparty VASP verification: the ability to confirm that the counterparty is registered or licensed in its jurisdiction. It requires handling non-compliant counterparties: a clear procedure for what your firm does when a transfer arrives without the required originator information. And it requires data quality controls: a process for identifying and acting on incomplete or inconsistent data.

A CASP that can transmit travel rule data but cannot verify its counterparties, and has no procedure for handling non-compliance, does not have an effective travel rule programme.

Control 5: SAR Quality That Demonstrates Understanding

Suspicious activity reporting is where the quality of your broader AML programme becomes visible.

A high-quality SAR explains the suspicious activity clearly, references the specific risk indicators that led to the report, and demonstrates that the firm understands the nature of the risk. It does not simply repeat the alert information from the transaction monitoring system.

Regulators review SAR quality as a proxy for the quality of the entire AML programme. A firm that files formulaic SARs, where the description is essentially a copy of the alert trigger and the narrative adds nothing analytical, is a firm that is going through the motions. That conclusion extends to the controls that generated the alert and the oversight arrangements that reviewed it.

SAR quality is also a metric that the FIU uses to assess the value of your reporting. A firm known for high-quality, actionable SARs has a different relationship with its supervisors than a firm known for volume and little substance.

Control 6: Governance That Can Be Demonstrated

Every enforcement action has a governance dimension. The controls failed because they were not designed adequately. They were not maintained because no one was accountable for maintaining them. They were not reviewed because the board did not receive adequate information. The MLRO did not escalate because the escalation route was unclear.

MiCA's governance requirements for CASPs are explicit. The management body must understand and actively oversee the AML framework. The MLRO must have sufficient standing, independence, and resources. Compliance arrangements must be reviewed regularly and updated when the business changes.

For a national competent authority, governance is not a box-ticking exercise. It is a test of whether the firm takes its obligations seriously. A firm where the MLRO reports to the Chief Revenue Officer, where the compliance budget has been cut for three consecutive years, and where the board has received no AML management information in twelve months is a firm that has answered the governance question.

Assessing Your Position Against MiCA AML Requirements

The six controls above cover the areas where national competent authorities focus their scrutiny during CASP authorisation. A structured assessment that maps each control to your current practice will tell you where you stand.

Argus Pro has produced a free checklist for MLROs and CCOs preparing for MiCA authorisation. It draws on the FATF 2021 Virtual Assets guidance and MiCA's AML provisions, and covers all six of the control areas above.

Download: Free CASP AML Readiness Checklist

About the Author

Vinay Vyas is a Partner and Co-Founder of Argus Pro LLP. He led one of the world's largest forensic investigations into an Investment Bank suspected of complicity in tax evasion, resulting in a $2.6bn fine. He has led transaction monitoring reviews, FCA Section 166 remediation programmes, and global risk assessment systems while working for Big 4 Audit firms and major international financial institutions.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Argus Pro