CASP AML Compliance: What MiCA Requires of Your Controls
CASP AML compliance is not simply about having a policy document. Under MiCA, your national competent authority will assess whether your controls are working as intended. The question is not whether you have an AML programme. The question is whether you can demonstrate that it functions in practice.
The transitional window for CASP authorisation closed on 1 July 2026. Firms still trading now sit under direct supervision, not a lighter regime. The question has moved from whether you applied to whether your controls hold up.
Supervision Has Started, and the Scrutiny Is Closer Than the Headlines Suggest
MiCA's transitional window let firms under older national regimes keep trading while they converted to full authorisation. That window has now closed.
Supervision will become the day-to-day reality. National competent authorities will look at your governance, policies, transaction-monitoring controls, KYC processes, and risk management. They will judge whether each one works, not whether it exists on paper.
The firms that do well from now on will find their gaps before a supervisor does. They will build a position they can stand behind. The firms that wait for a supervisor to find the gap are building a problem.
What MiCA Expects from Your AML Programme
MiCA Title VI establishes specific AML and CTF obligations for CASPs. These obligations draw on the FATF Recommendations for virtual assets and VASPs, the EU's Transfer of Funds Regulation as applied to crypto-asset transfers, and the anti-money laundering directive framework.
In practice, the most scrutinised areas are those where CASPs have historically been weakest. The following six areas are where firms most commonly encounter difficulty during authorisation assessments.
The Six Areas Where CASPs Most Commonly Fall Short
1. CDD and KYC Lifecycle Management
Customer due diligence in a crypto context is not a one-time event. Regulators expect firms to maintain KYC throughout the customer lifecycle, update risk ratings when circumstances change, and apply enhanced due diligence to higher-risk customers.
Many CASPs have initial onboarding in place but lack robust ongoing monitoring. That gap is visible to regulators. It is also exploitable by bad actors.
2. Transaction Monitoring
Standard transaction monitoring rules were designed for traditional banking. They miss the risks specific to crypto: stablecoins, DeFi interactions, unhosted wallet activity, chain-hopping, and cross-border flows through high-risk jurisdictions.
MiCA requires transaction monitoring that reflects the actual risk profile of your business. Regulators will want to understand how your rules were designed, what they are designed to detect, and how you know they are working.
3. Sanctions Screening
Sanctions exposure in crypto is real and growing. State-sponsored actors, ransomware operators, and illicit finance networks use crypto precisely because it enables them to evade traditional screening controls.
Your sanctions screening must cover wallet addresses and transaction counterparties, not just named individuals. Regulators will expect you to demonstrate that your screening is effective across the full transaction flow.
4. Travel Rule Compliance
The travel rule requires CASPs to transmit originator and beneficiary information alongside crypto-asset transfers. Implementation has been inconsistent across the industry, and regulators know it.
Your travel rule compliance must cover data collection, transmission, counterparty verification, and handling of non-compliant counterparties. Incomplete implementation is a common finding.

5. SAR Quality
Suspicious activity reporting is one of the areas where regulators most clearly distinguish between firms that understand their obligations and firms that are going through the motions.
High-quality SARs are specific, well-evidenced, and demonstrate that the firm understands the risk it is reporting. Tick-the-box SARs raise further questions about the quality of your broader controls.
6. Governance and Oversight
Governance failings underpin most enforcement actions. Regulators want to see that your board and senior management understand their compliance obligations, that accountability is clear, and that compliance has sufficient resources and standing.
A firm where the MLRO sits in a weak position, where the compliance budget is constrained, or where controls have not been reviewed against MiCA requirements, is a firm that will struggle to secure authorisation.
How Argus Pro Supports CASP AML Compliance
Argus Pro's AFC framework covers the regulatory instruments that apply directly to CASPs under MiCA: FATF Recommendation 15 and the Virtual Assets guidance, MiCA Title VI, the EU Transfer of Funds Regulation, and applicable national implementation.
Delivered through Aegis Compass, the assessment measures both the maturity and the effectiveness of your CASP AML compliance controls across each domain. The output is a prioritised gap analysis, an executive dashboard, and a traceability pack that maps your position to specific regulatory requirements.
This is not an audit. Argus Pro is not an auditor and does not provide audit opinions.
Our frameworks support readiness, prioritisation, and improvement planning, before and after authorisation.
Download: Is Your CASP AML Programme MiCA-Ready?
This free checklist covers the six compliance areas that national competent authorities scrutinise most closely during CASP authorisation. It draws on the FATF 2021 Virtual Assets guidance and MiCA's AML provisions.
The checklist is designed for MLROs and CCOs. It gives you a practical way to see where your programme stands today. It also shows where a supervisor is most likely to look first.
- 30 assessment questions across six compliance domains
- A four-point maturity scale for each area
- Specific regulatory references for each question
- A clear guide to interpreting your results
The Difference Between Compliant on Paper and Defensible Under Scrutiny
A RegTech client came to us with a brief for 40 transaction monitoring rules. When we showed them the regulatory landscape ahead, they made a different decision.
We delivered 254 implementation-ready rules, anchored to FATF and mapped to 12 regulatory bodies. Those rules were built to hold up under scrutiny, not just to satisfy a contract.
That is the distinction that matters when a regulator comes knocking.
Talk to Argus Pro About Your Controls
We can help in three situations. You are operating under a licence and want to show your controls work. You are moving customers into a licensed entity. Or you are rebuilding for a later application.
