
ESMA’s Supervisory Briefing on CASP Authorization under MiCA

Overview

The European Securities and Markets Authority (ESMA) has released a Supervisory Briefing on the authorization of Crypto-Asset Service Providers (CASPs) under the Markets in Crypto-Assets Regulation (MiCA). The document provides regulatory guidance for National Competent Authorities (NCAs) to ensure harmonized supervision across the European Union.

ESMA emphasizes that CASPs present high financial crime risks due to their cross-border nature, transaction speed, and exposure to anonymity-enhancing technologies. As a result, robust compliance and AML controls are mandatory.
 

Key Compliance Measures for CASPs

  • Independent Compliance Function: CASPs must establish a dedicated compliance team with clear reporting lines and authority.
  • Regulatory Oversight: Compliance teams must be involved in strategic decisions, particularly in crypto-asset selection and third-party partnerships.
  • Annual Compliance Audits: Firms must review and adjust compliance policies annually to align with MiCA.
  • Integration with EU AML/CFT Regulations: CASPs must adhere to the EBA Guidelines on AML/CFT Compliance Officers, ensuring a risk-based approach.

Enhanced AML & CFT Controls: Mitigating Financial Crime Risks in Crypto Markets
What Are the Key Risks?

ESMA categorizes CASPs as high-risk entities for money laundering (ML) and terrorist financing (TF) due to:

  • Cross-border transactions that enable seamless fund movement.
  • Pseudonymous crypto wallets, which make ownership verification more difficult.
  • Use of high-anonymity assets, such as privacy coins and crypto mixers.

AML/CFT Requirements Under MiCA

  • Risk-Based AML Approach: CASPs must assess and mitigate ML/TF risks in line with EBA’s ML/TF Risk Factors Guidelines.
  • AML Controls & Monitoring: Firms must implement internal control frameworks to detect suspicious activities and high-risk transactions.
  • Suspicious Transaction Reporting: Compliance teams must report suspicious activities to Financial Intelligence Units (FIUs) and cooperate with EU AML authorities.
  • AML Responsibilities Cannot Be Outsourced: While third-party providers may assist in risk screening, the ultimate responsibility remains with the CASP’s executive board.

Outsourcing and Compliance Risks

  • CASPs cannot become “letter-box” entities by outsourcing key functions: ESMA states that firms must not rely excessively on outsourcing, as this could leave the CASP without real operational control.
  • AML and compliance roles must remain with the CASP, ensuring full regulatory oversight.
  • Firms must maintain control over outsourced services, conducting regular audits of external providers.

Regulatory Implications for CASPs

  • Higher Scrutiny for Large CASPs:
    • Firms with 1,000,000+ yearly active users in the EU or a €3 billion balance sheet will be subject to elevated regulatory scrutiny.
  • Stricter Governance Requirements:
    • CASPs must demonstrate autonomous decision-making within the EU.
    • Based on Article 59(2), Recital 74, and Recital 76, at least one executive board member must be based in the EU for regulatory oversight.
  • EU-Wide Coordination:
    • CASPs operating across multiple jurisdictions must ensure full transparency with NCAs.
    • CASPs with more than 200,000 yearly active users outside the home Member State will be subject to an elevated level of scrutiny.

Ensuring Compliance Readiness

The evolving MiCA framework imposes stringent compliance, AML, and governance requirements on CASPs, emphasizing the need for structured regulatory oversight. Aligning with ESMA’s expectations demands a proactive approach to risk-based AML and KYC procedures, as well as robust governance measures. We support firms in navigating these requirements by providing advanced regulatory intelligence, risk screening solutions, and data-driven compliance tools. Through AI-powered risk assessment and enhanced due diligence capabilities, we help financial institutions and CASPs seamlessly integrate MiCA-compliant processes, ensuring effective risk mitigation and regulatory adherence.

Takeaways


ESMA’s Supervisory Briefing on MiCA underscores the high-risk nature of CASPs and the urgent need for robust AML and compliance controls. Firms that fail to align with these directives risk regulatory penalties, reputational damage, and potential business disruptions.

With MiCA reshaping the European crypto regulatory framework, proactive compliance is no longer optional; it's a necessity.

The full text of ESMA’s Supervisory Briefing on the Authorisation of CASPs under MiCA is available here.