Tackling the misuse of crypto-assets for ML-TF purposes

MiCAR has been amended to extend the scope of the AML-CTF framework to include crypto-asset service providers.

As a constantly evolving sector, the crypto-assets ecosystem presents continuous challenges, particularly in terms of money laundering and terrorist financing (ML-TF) risks.

To tackle the misuse of crypto-assets for ML-TF purposes, it is necessary to subject players active in this sector to anti-money laundering and counter-terrorist financing (AML-CTF) supervision. Consequently, such players have been progressively included within the AML-CTF framework.

The framework initially covered professionals operating “virtual assets”. This scope has been amended to refer to professionals dealing with “crypto-assets”, following the adoption of Regulation (EU) 2023/1114 of the European Parliament and of the Council of May 31, 2023 on markets in crypto-assets (MiCAR).

Thus, it is worth reminding players of the amendments made to the current AML-CTF regime (Section 1 below) before focusing on the applicable AML-CTF requirements under MiCAR (Section 2).

1. Amendments to the current AML-CTF regime

Overview of the current AML-CTF regime

Following the adoption of the amended Financial Action Task Force (FATF) Recommendation 15 and of Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, virtual asset service providers (VASPs) have been brought within the scope of AML-CTF obligations.

As set out under the FATF recommendations, a VASP is a natural or legal person providing certain services in relation to virtual assets, such as the exchange between virtual assets and fiat currencies (or between one or more forms of virtual assets) or the transfer of virtual assets.

Consequently, VASPs are currently subject to the obligation to:

  1. be supervised for AML-CTF purposes and hence subject to a licensing or registration procedure depending on applicable national laws; and
  2. comply with AML-CTF requirements.

Changes brought by MiCAR

The regime currently applicable to VASPs is set to change following MiCAR’s upcoming entry into force, which marks a significant milestone for the crypto-assets sector.

MiCAR introduces a new category of professionals: crypto-asset service providers (CASPs), which are defined as legal persons that are duly authorised to engage in the provision of crypto-asset services on a professional basis. Among other obligations, CASPs are subject to specific AML-CTF obligations that they will need to implement (see Section 2 below).

Upon the date of applicability of MiCAR, CASPs will also be brought within the scope of AML-CTF obligations resulting from Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD). This derives from an amendment introduced by Regulation (EU) 2023/1113 of the European Parliament and of the Council of May 31, 2023 on information accompanying transfers of funds and certain crypto-assets. CASPs are indeed included within the category of financial institutions falling within the scope of application of AMLD and hence subject to AML-CTF requirements. These changes will apply beginning December 30, 2024.

Changes brought on by the AML-CTF Package

Pursuing the ongoing objective of managing and mitigating ML-TF risks inherent to crypto-assets, the proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing (AML Regulation), which has been published as part of the European Commission’s AML-CTF Package, will include CASPs as obliged entities under the AML Regulation.

2. AML requirements for CASPs under MiCAR

In the following section, we will analyze the specific AML-CTF related obligations that have been included for CASPs in MiCAR for:

  1. programme of operations;
  2. honorability requirements; and
  3. policies and procedures.

Programme of operations

Entities wishing to apply for an authorisation as a CASP must provide the national competent authority (NCA) with a description of their internal control mechanisms, policies and procedures to identify, assess and manage risks, specifically ML-TF risks. These internal control arrangements must be adapted to the activities to be carried out, particularly to the crypto-asset services in their programme of operations.

Regulatory technical standards further developing the MiCAR rules will specify the information to be included in the application for CASP authorization, specifically in connection with AML-CTF topics.

In fact, before granting or refusing an authorisation as a CASP, NCAs may consult the local competent authorities and financial intelligence units for AML-CTF information, to verify that the applicant CASP has not been the subject of any investigation relating to ML-TF.

In addition, NCAs must withdraw the relevant authorization if the CASP does not have effective systems, procedures and arrangements in place to detect and prevent ML-TF.


Honorability requirements

CASPs are required under MiCAR to employ personnel with the knowledge, skills and expertise to discharge the responsibilities allocated to them, taking into account the scale, nature and range of crypto-asset services provided.

In particular, the members of the management body and direct and indirect CASP shareholders and members that have qualifying holdings are subject to specific requirements in connection with AML-CTF to ensure their honorability. In addition to the general honorability conditions applicable to them, MiCAR also requires that they must not have been convicted of any offence in the field of ML-TF.

Consequently, NCAs will refuse authorization as a CASP where there is objective and demonstrable evidence exposing the applicant CASP to serious risk of ML-TF.

Policies and procedures

CASPs must adopt the necessary policies and procedures effective in ensuring compliance with MiCAR. In particular, CASPs are required to define and implement an AML-CTF manual approved by the management body, which must be provided in the application for authorisation as a CASP.

This manual typically encompasses comprehensive client due diligence, transaction monitoring, and reporting mechanisms, also in accordance with applicable European and local AML-CTF regulations.

Finally, MiCAR establishes the obligation for CASPs to carry out increased checks on financial transactions involving customers and financial institutions from third countries listed as high-risk third countries.

In conclusion, with MiCAR, CASPs are required to comply with a series of AML-CTF obligations.

Therefore, it is essential for entities contemplating a CASP authorization to be aware of these AML-CTF obligations imposed on them by the regulations and to prepare for their implementation.

Aurélia Viémont is a partner in the Banking & Finance team, based in Luxembourg; Ricardo Plasencia is a partner in Banking and Finance at CMS Albiñana & Suárez de Lezo, in charge of Financial Regulation; Raquel Garcia Lobato is a Financial Regulation lawyer at CMS Albiñana & Suárez de Lezo; and Mélanie Poirrier is a managing associate in CMS Luxembourg Banking & Finance, Regulatory and Insurance practices. CMS.