MiCA CASP AML guidelines

EBA’s amended guidelines to include MiCA CASP and their AML/CFT obligations

With the publication of the Markets in Crypto Assets (MiCA) Regulation in the official journal of the European Union (EU), regulatory authorities have embarked on a rigorous compliance journey. In addition to the extensive and comprehensive provisions of MiCA, Crypto-Asset Service Providers (CASP) are now required to adhere to the European anti-money laundering (AML) legislative framework.

In line with these developments, the European Banking Authority (EBA) has commenced a revision process for its ML/TF Risk Factor Guidelines, expanding their applicability to include CASP. This indicates the recognition of CASP obligations within the framework of anti-money laundering and counter-terrorism financing (AML/CFT) to be the same as credit and financial institutions. This categorises CASP, along with credit and financial institutions, and it is significant as it requires the upholding of the same AML/CFT requirements and standards. This is one of the building blocks that pave the way towards wider acceptance by credit institutions to establish relationships with CASP.

In this article, the SALVUS Crypto-Assets team delves into the AML/CFT obligations applicable to crypto-asset service providers operating under the MiCA regulation. The team also examines the newly introduced EBA guideline designed specifically for the CASP sector. The article focuses on key areas, including:

1. Identifying ML/TF risk factors
2. Assessing the ML/TF risk
3. Customer Due Diligence, Enhanced and Simplified
4. CASP ML/TF specific factors
5. How SALVUS can assist a CASP registration under CySEC

We regularly share bite-sized insights on LinkedIn such as those found in this article

1. Identifying ML/TF risk factors

As obliged entities, CASP are required to identify the risk factors associated with their:

  • customers – requires the collection of information about the professional activity, reputation, as well as the nature and behaviour of customers and their beneficial owners.
  • countries and geographical areas – mandates the examination of the jurisdictions in which the customer and its beneficial owners reside, conduct business, and maintain personal and business links.
  • products and services – expects the evaluation of the products’ or services’ transparency, complexity, value or size.
  • delivery channels – considers the way that products or services are obtained by customers, whether it’s on a non-face-to-face basis or through intermediaries.

In this context, customers identified by CASP or other obliged entities, as having close links with unregulated businesses that provide services related to crypto assets are considered of higher risk.

2. Assessing the ML/TF risk

After identifying the specific ML/TF risk factors, CASP are expected to utilise the collected information to assess the overall risk to which the organization is exposed. CASP entities should adopt a holistic approach, considering all ML/TF risk factors that collectively determine the level of risk associated with a business relationship.

The relative significance of each factor relies on the informed judgment of the CASP, as risk factors may be weighted differently in the context of a business relationship or occasional transaction.

3. Customer Due Diligence, Enhanced and Simplified

To gain a better understanding of the risks associated with individual business relationships and occasional transactions, CASP are required to conduct the Customer Due Diligence (CDD) process. As part of the process, CASP should identify the appropriate level of CDD to be applied to each business relationship or occasional transaction.

In addition, CASP must implement suitable procedures for customer identification and verification, as well as determine the nature and purpose of potential business relationships. Following the initial assessment of a customer, CASP are responsible for deciding the level of monitoring and the circumstances under which it should be applied.

In this regard, CASP regulated entities may apply Simplified Due Diligence (SDD) in cases where the ML/TF risk associated with a business relationship is assessed as low. Conversely, Enhanced Due Diligence (EDD) is to be applied when the ML/TF risk is assessed as high.

It is important to note that SDD does not exempt CASP from conducting Customer Due Diligence rather, it involves adjustments to the timing, quantity, and quality of the information collected. On the other hand, Enhanced Due Diligence requires additional measures beyond regular CDD, which cannot be substituted by the latter.

4. CASP ML/TF specific factors

Due to their unique business model and technology which enables instant transfer of crypto-assets and customer onboarding across multiple jurisdictions, CASP face new ML/TF risks. Various factors can contribute to an increase in risk, while other factors may help mitigate or reduce risk.

For instance, certain activities such as processing transactions or providing products and services that incorporate privacy-enhancing features or offer a higher level of anonymity, such as mixers or tumblers, contribute to an increased ML/TF risk. On the contrary, products with limited functionality, such as low transaction volumes or values, or products that facilitate transactions exclusively among identified and verified customers, help reduce the ML/TF risk.

For that purpose, CASP must ensure that they possess appropriate transaction monitoring and advanced analytics tools that align with the nature and volume of their activities. The said, tools shall take into account the types of crypt assets offered for trading or exchange, as well as the crypto-asset services provided.

In our view, EBA requiring crypto-asset service providers to operate as obliged entities under the AML/CFT framework with the same requirements as credit and financial institutions, in combination with MiCA’s entry into force, will have multiple benefits. CASP entities will gain the credibility and reliability necessary to ensure the integrity of the European crypto-asset markets. It will further enhance investor protection and at the same time enable CASP entities to maintain their global competitiveness while adhering to regulatory standards.

Furthermore, the implementation of effective AML/CFT measures by CASP, will encourage financial and credit institutions to be more receptive in establishing business relationships with them. In this regard, we shall emphasise that CASP entities registered with the Cyprus Securities and Exchange Commission (CySEC) are obliged to comply with AML/CFT requirements from the very beginning.

5. How SALVUS can assist a CASP registration under CySEC

The SALVUS Crypto-Assets team has extensive expertise in obtaining licenses and registering crypto-asset service providers of various business models. We utilise our project management approach to gain insight into the operational model and determine the specific crypto-asset services that align with our clients’ business strategies and goals.

Through our CASP registration service, we guide our clients throughout the entire application process until a successful registration is achieved. We collaborate closely with our clients’ teams to gather the necessary information and documentation, ensuring a complete and well-supported application that meets the registration requirements.

Once your CASP business is successfully registered with CySEC, our Regulatory Compliance team works closely with you to activate your license and ensure compliance with your regulatory obligations. Our post-registration services include establishing appropriate policies and procedures and fulfilling reporting requirements.

Contact us at info@salvusfunds.com or call us at +357 7000 7898 should you require support with your CASP registration or help to fulfil your AML/CFT CASP regulatory obligations.


Should you be interested to read more about MiCA, CySEC CASP or the AML/CFT framework, please visit the selected articles below:

The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.

Share this post