Crypto Assets, CASPS, and AML/CFT Compliance: The New European Regulatory Landscape Under MiCA and AMLR

On May 30, 2024, the European Parliament and the Council adopted a package of new anti-money laundering rules aimed at reinforcing the efficacy of the fight against money laundering and terrorist financing in the EU by enabling a greater harmonization of AML rules and establishing a new European AML authority, the European Anti-Money Laundering Authority (the "AMLA"). This Commentary is the third in our "New EU AML Package: Impacts and Challenges" series, which addresses the key elements of these new rules. (The other articles in this series can be found here, as they are released.)

Crypto Assets Preexisting AML Legal Framework in the EU

5^th Anti-Money Laundering Directive ("AMLD5"). AMLD5 (Directive (EU) 2018/843 of 30 May 2018), which was implemented in January 2020, represented a significant step in the regulation of crypto assets by bringing cryptocurrency exchanges and custodian wallet providers under the scope of EU AML laws. As a result, crypto exchanges and wallet providers were included on the list of "obliged" entities, meaning that they were already required to perform customer due diligence checks, ongoing monitoring, and suspicious activity reporting.

Transfer of Funds Regulation ("TFR"). TFR (Regulation (EU) 2023/1113 of 31 May 2023), which was implemented in December 2024, extended the scope of CASPs subject to AML rules and requires crypto-asset service providers to collect and store information on the source and beneficiary of the funds for each transaction. This rule, known as the "travel rule," already exists in traditional finance and requires that information on the source of the asset and its beneficiary travels with the transaction and is stored on both sides of the transfer. CASPs are required to provide this information to competent authorities if an investigation is conducted into money laundering and terrorism financing. For more information about TFR and travel rule application to CASP, please see our July 2022 Alert, "EU Extends Travel Rule to Crypto-Assets."

MiCA Regulation as a New Framework for Crypto Assets in the EU

MiCA was adopted on May 31, 2023, and entered into force on June 29, 2023, with phased application starting in December 2024 for most provisions and June 2024 for stablecoins. MiCA establishes a single licensing regime for CASPs; aims to ensure legal certainty, investor protection, and market integrity; and applies to:

• Utility tokens;
• Asset-referenced tokens, or ARTs;
• E-money tokens, or EMTs; and
• Service providers on crypto assets, including exchanges, custodians, and brokers.

Under Title V of MiCA, any CASPs must obtain prior authorization from its national competent authority (Article 59 of MiCA). In order to do so, MiCA provides for several provisions and measures related to AML regulation:

• The application submitted by a CASP must demonstrate robust internal controls, policies, and procedures to identify, assess and manage risks, including money laundering and terrorism financing risks (Article 62 of MiCA);
• Before granting or refusing an authorization as a CASP, competent authorities "may consult the competent authorities for anti-money laundering and counter-terrorist financing, and financial intelligence units, in order to verify that the applicant crypto-asset service provider has not been the subject of an investigation into conduct relating to money laundering or terrorist financing" (Article 63 of MiCA); and
• Competent authorities shall withdraw the authorization of a CASP if it fails to have in place effective systems, procedures and arrangements to detect and prevent money laundering and terrorist financing. (This is worth also highlighting that competent authorities shall withdraw the authorization of an issuer of an asset-referenced token when "the issuer's activity poses a serious threat to market integrity, financial stability, the smooth operation of payment systems or exposes the issuer or the sector to serious risks of money laundering and terrorist financing" (Articles 24 and 64 of MiCA).

In this regard, MiCA interacts closely with the AML framework: CASPs must comply with AML regulations through their prudential and conduct obligations.

AMLR: Strengthening the EU's AML/CFT Framework for CASPs

AMLR explicitly includes CASPs in its scope. This aligns with the Financial Action Task Force recommendations, which define Virtual Asset Service Providers, or VASPs, as obliged entities.

Under AMLR and TFR, CASPs are in particular subject to:

• Customer, simplified and enhanced due diligence depending on the client's risk profile;
• Suspicious transaction reporting, or STRs, to Financial Intelligence Units, or FIUs;
• Retention of records for at least five years; and
• Compliance with the "travel rule" under the TFR, applicable to all crypto-asset transfers (Article 14 TFR).

CASPs must also disclose beneficial ownership and assist authorities in tracing illicit flows via blockchain analysis and automated monitoring systems.

Some CASPs might also be directly supervised by the AMLA (i.e., in particular CASPs that will be identified as high-risk—article 12 of Regulation (EU) 2024/1620). The AMLA will also maintain a central EU register of CASPs, linked with other databases such as the European Banking Authority and European Securities and Markets Authority supervisory portals.