Regulatory Updates on AML, MiCAR, and CIF as a CASP 2025

1. Regulatory Framework: AML, MiCA, DORA, and MAR

The Cyprus Securities and Exchange Commission (CySEC) remains the competent authority for the supervision of Investment Firms and Funds managers, UCITS Management Companies, Administrative Service Providers (ASPs), CASPs, and persons providing services to CySEC-supervised entities, including their Cyprus branches. 

CySEC exercises its supervisory powers through the issuance of directives, the monitoring and evaluation of compliance, and the application of a Risk-Based Approach (RBA). This approach considers the ML/TF risks present in Cyprus, the frequency of on-site and off-site reviews, and both domestic and international risk exposures of obliged entities.  

The AML regime draws on several key EU Directives and national laws which collectively enhance the Risk-Based Approach (RBA), introducing country-level risk assessments, clarifying the definition of beneficial ownership (requiring disclosure of natural persons holding more than 25% ownership or control), and impose enhanced due diligence (EDD) for Politically Exposed Persons (PEPs). 

What is more, the Transfer of Funds Regulation (EU) 2023/1113 now extends to crypto-asset transfers, requiring CASPs to include the originator’s and beneficiary’s identifying information, such as name, crypto-asset account number, and Legal Entity Identifier (LEI) to ensure full traceability. 

Moreover, the Digital Operational Resilience Act (DORA) establishes mandatory requirements for managing ICT and cyber risks, incident reporting, testing, and oversight of third-party service providers.  

Meanwhile, the Market Abuse Regulation (MAR) continues to apply to both traditional and digital markets, establishing prohibitions on insider trading, unlawful disclosure of inside information and market manipulation, obligations that now extend to crypto-asset activities under MiCA.  

2. Money Laundering (ML) and Terrorist Financing (TF)

Money Laundering (ML) refers to the process of concealing the origins of illicitly obtained funds through placement, layering, and integration stages. Common methods include structuring, smurfing, and the use of cryptocurrencies to obscure transaction trails. 

Terrorist Financing (TF), by contrast, involves the collection or provision of funds to support terrorist acts or organisations. While ML aims to disguise the source of funds, TF often seeks to conceal their intended purpose. 

Despite these differences, both ML and TF exploit similar vulnerabilities within the financial system. The rise of crypto-assets has introduced additional risks, such as the use of mixers, privacy coins, and cross-border peer-to-peer transactions, prompting regulators to strengthen AML/CFT obligations for CASPs through enhanced monitoring and technological controls. 

3. Fiat Currency, Digital and Crypto Assets, and a CASP

What is more, it is important also to distinguish the difference between a Fiat Currency and Digital Assets. Fiat Currency refers to any government-issued legal currency established by the Central Bank of Cyprus, the European Central Bank, or equivalent foreign authorities. On the other hand, Digital assets, are assets issued or transferred using distributed ledger or blockchain technology. These include crypto assets, stablecoins, Non-Fungible Tokens (NFTs), Central Bank digital currencies (CBDCs) and security tokens. 

Under the MiCA adopted regulation, a Crypto-Asset Service Provider (CASP) is defined as a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and which is duly authorised to provide such services.

4. A CIF as Dual License: MiFID and MiCAR Services

Cyprus Investment Firms (CIFs) authorised under MiFID II may now extend their operations to include crypto-asset services under MiCA. To do so, according to Article 60 of MiCAR, a CIF must submit a notification to CySEC at least 40 working days prior to commencing such activities, providing:

• A detailed business plan;
• Group and organisational structure;
• An updated AML manual;
• Internal operations and ICT frameworks in line with DORA; and
• A business continuity plan.

CySEC has 20 working days to review the application and may request additional information once. Upon successful assessment, the CIF may begin providing crypto-asset services across the EU under MiCA passporting rights.

5. MiCA Regulation and Provisions for Crypto-Asset Service Providers (CASPs)

The Markets in Crypto-Assets Regulation (MiCA), formally Regulation (EU) 2023/1114, is part of the EU’s Digital Finance Package, providing a harmonised framework for the issuance, offering, and trading of crypto-assets and for the authorisation and supervision of CASPs. It sets uniform standards on transparency, disclosure, governance, and authorisation, aiming to foster innovation while safeguarding against systemic risks and market abuse.

Under MiCA, only authorised entities, including CASPs, credit institutions, or investment firms may provide crypto-asset services within the EU. CASPs must have a registered office and effective management within an EU Member State, comply with ongoing authorisation conditions and maintain a minimum capital ranging from €50,000 to €150,000 depending on the services offered. CASPs must also implement robust safekeeping arrangements to protect client ownership rights and prevent the misuse of assets, even in the event of insolvency. Outsourcing is permitted only if it does not impair the CASP’s responsibilities or supervisory oversight.

6. AML/CFT Obligations of MiCAR CASPs

CASPs are fully integrated into the EU AML/CFT framework and are expected to apply the EBA’s revised ML/TF Risk Factors Guidelines, which align their obligations with those of credit and financial institutions.

They must identify and assess risks linked to customers, jurisdictions, and products, and maintain automated transaction monitoring systems capable of analysing on-chain and off-chain activities. CASPs are required to document and store IP addresses, geolocation data, wallet addresses, and transaction hashes to identify anomalies or suspicious patterns.

Enhanced due diligence (EDD) must be applied to high-risk relationships and transactions involving privacy-enhancing or cross-border features. CASPs must also implement the TRUST (Travel Rule Universal Solution Technology) standard to ensure secure and privacy-conscious exchange of sender and recipient information.

Final Thoughts

The alignment of AML, MiCA, DORA, and MAR frameworks represents a new era of integrated financial supervision within the EU. Cyprus-regulated entities, particularly CIFs and CASPs now operate under a unified rulebook that balances regulatory consistency with innovation in digital finance.

The SALVUS Regulatory Compliance team can support CIF, CASP and other CySEC and CBC regulated entities, to fulfill their regulatory and reporting obligations, in meeting their evolving regulatory obligations.

For further guidance or information on our “Regulatory Updates on AML, MiCAR & CIF as a CASP 2025” course, offered in collaboration with the Institute for Professional Excellence (IforpE), contact us at education@salvusfunds.com.

#StayAhead

The information provided in this article is for general information purposes only. You should always seek professional advice suitable for your needs.