EU Authorities Warn MiCAR Deadline Could Create New Money Laundering Risks During Crypto Market Reshuffle

Key Takeaways
  • MiCAR Transition Enters Final Phase: The EU's MiCAR transitional period ends on July 1, 2026, requiring crypto-asset firms to operate as authorized Crypto-Asset Service Providers (CASPs) or cease providing crypto-asset services in the bloc.
  • Market Restructuring Creates AML/CFT Risks: Authorities warn that the wind-down of unauthorized Virtual Asset Service Providers (VASPs), customer migrations and market consolidation could create opportunities for money laundering, terrorist financing, sanctions evasion and reduced visibility over crypto-asset flows.
  • Risk-Based Customer Onboarding Is Critical: Authorized CASPs are urged to strengthen transaction monitoring, ensure compliance systems can scale with increased customer volumes and assess incoming customers individually rather than applying blanket de-risking.
  • Supervisory Coordination Will Be Essential: AML/CFT supervisors and Financial Intelligence Units (FIUs) are encouraged to strengthen cross-border cooperation, oversee wind-down processes closely and monitor how customer transfers and money flows affect emerging financial crime risks.
  • Compliance Obligations Continue Through Wind-Down: Unauthorized VASPs should maintain customer due diligence, suspicious activity reporting and AML/CFT governance until all regulated activities have formally ceased.
Deep Dive

The European Union's crypto market changes shape on July 1. After that date, firms that have continued operating under MiCAR's transitional arrangements must either hold authorization as Crypto-Asset Service Providers (CASPs) or stop providing crypto-asset services in the bloc. That regulatory milestone has been discussed for months as a licensing event. European anti-money laundering authorities are treating it as something else entirely: a financial crime event.

A note issued ahead of the deadline argues that the greatest risks may emerge not from the firms that remain in the market, but from the movement between those that leave and those that stay. Unauthorized Virtual Asset Service Providers (VASPs) will wind down operations. Customers will move elsewhere or close their accounts altogether. Business that was once spread across a broader field of firms will become concentrated among a smaller number of authorized CASPs. Each of those changes creates new blind spots for anti-money laundering and counter-terrorist financing controls.

The guidance is less concerned with the legal fact of authorization than with the mechanics of transition. Markets rarely become safer simply because a deadline arrives. Assets move. Customers move. Compliance teams absorb unfamiliar business at speed. It is during those moments, the note suggests, that illicit money has the greatest opportunity to disappear into legitimate activity.

The Risks Are Different for Firms Leaving and Firms Staying

For unauthorized VASPs, regulators see the immediate danger in the pressure of an orderly exit. Firms racing to cease operations may struggle to maintain the AML/CFT controls expected of them until the very last customer relationship has been closed. Those already known to have weaknesses in their compliance frameworks present a particular concern.

Authorities also warn that abrupt market exits can reduce transparency over customer relationships and crypto-asset flows. As firms wind down, illicit actors could exploit the disruption to conceal transactions, move criminal proceeds quickly or evade sanctions while attention is focused elsewhere.

The recommendation is straightforward. Where national legal frameworks require wind-down plans, firms should execute them in a structured, well-documented manner while maintaining adequate AML/CFT governance, staffing and monitoring until all regulated activity has ceased. Customer due diligence information should remain current throughout the process, and suspicious activity reporting obligations do not diminish simply because a business is closing.

The challenge changes once customers arrive at authorized CASPs. An influx of new accounts may alter a firm's risk profile almost overnight. Higher-risk customers could become concentrated among a smaller number of providers. Transaction monitoring systems built for one level of activity may suddenly be expected to process another.

Authorities urge CASPs to ensure their compliance functions can absorb that growth without sacrificing effectiveness. Transaction monitoring systems should be capable of handling increased volumes of crypto-asset transfers, while onboarding processes should incorporate customer risk information effectively from the outset.

One recommendation stands out because it pushes against a response that regulators evidently expect some firms may consider. Customers arriving from unauthorized VASPs should not be rejected simply because of where they came from. Instead, CASPs should assess each customer individually under a risk-based approach, applying enhanced due diligence only where higher risks are identified.

A Test for Supervisors as Well

The document devotes equal attention to the public authorities responsible for overseeing the transition. AML/CFT supervisors could lose visibility just as customer relationships are moving between firms. The simultaneous wind-down of unauthorized providers and rapid onboarding by authorized CASPs creates the possibility of supervisory blind spots around customer transfers, shifting money flows and changing institutional risk profiles.

Those risks become harder to manage if supervisory practices differ across Member States. Inconsistent approaches to authorization, wind-down oversight or AML/CFT expectations could create opportunities for regulatory arbitrage, allowing illicit actors to exploit differences between jurisdictions.

The guidance encourages supervisors, where national legal frameworks permit, to prioritize oversight of exit planning and customer transfers while coordinating closely with counterparts across borders. Information sharing, the note argues, will be critical to understanding how risks evolve as business consolidates within the authorized market.

Financial Intelligence Units face a similar problem from a different angle. Large-scale customer migrations could produce new money laundering typologies, particularly if illicit funds are routed rapidly through multiple CASPs or jurisdictions to obscure their origin. That activity may also generate a sharp increase in suspicious transaction reports, placing additional demands on FIUs at precisely the point when market activity is being reconfigured.

The note calls for stronger domestic and cross-border cooperation so intelligence linked to exiting VASPs and receiving CASPs can be shared quickly when emerging risks are identified.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
