EU AML Package 2026: What Crypto Asset Service Providers Must Know
TL;DR
- The EU is tightening AML rules for crypto. A new authority (AMLA) and updated regulations will increase oversight of crypto companies.
- CASPs must strengthen their compliance systems, especially onboarding, customer checks, and reporting suspicious activity.
- The EU Travel Rule requires more transparency, meaning CASPs must collect and share information about the sender and receiver of crypto transfers.
- MiCA and the AML package work together: MiCA regulates crypto providers, while AML rules focus on preventing money laundering.
- Firms should prepare now, as those that improve compliance early will be better positioned with regulators and financial partners.
Introduction
AML (Anti-Money Laundering) has been viewed by many in crypto markets for a long time as a "post-launch/scaling" problem. This way of thinking about AML is becoming increasingly unsustainable. As crypto compliance becomes much more aligned with mainstream financial services regulation within the European Union, CASPs (crypto-asset service providers) which have historically viewed AML as a 'back office' concern will likely be among the first to feel the pressure of these changes.
This does not represent a single isolated regulatory change. Rather, it is the cumulative effect of MiCA's compliance mechanisms, the AML package's control mechanisms and the Travel Rule's impact on traceability that together demonstrate something very straightforward: the EU drives crypto out of the regulatory “grey area”, which is also the clearest answer to how MiCA affects AML compliance in practice.
Alt text: Satellite-style view of Earth with illuminated connection lines between major cities, illustrating global digital networks (link)
How the EU AML Package Changes Crypto Compliance Requirements
In May 2024, the Council adopted a new anti-money laundering package aimed at strengthening AML/CFT (anti-money laundering and countering the financing of terrorism) rules and closing regulatory gaps across the Union. The package consists of four main instruments: the regulation establishing the Anti-Money Laundering Authority (AMLA), the new Anti-Money Laundering Regulation (AMLR), the sixth Anti-Money Laundering Directive (6AMLD), and the revised Transfer of Funds Regulation (TFR), which extends traceability requirements to crypto-asset transfers. Together, these measures are intended to create a more harmonised EU AML framework and expand compliance obligations to crypto-asset service providers.
Alt text: AMLA Logo (link)
That matters for CASPs, since crypto asset service provision is now regulated as a licensed activity throughout the EU (as of Dec. 30th, 2024) via MiCA and the EU's new AML regulation, which has placed much of the crypto industry into a new regulatory scheme including a more consistent set of rules based on internal controls, risk assessment, CDD (customer due diligence, the process of verifying customer identity and assessing risk) requirements and STR (suspicious transaction reporting, when firms report potentially illegal financial activity to authorities) obligations.
The most obvious indicator that the EU wishes to regulate with a higher degree of oversight is AMLA, the EU’s new Anti-Money Laundering Authority, which answers the question of what AMLA is and how it affects crypto by centralising supervisory expectations and shaping how CASPs will be monitored across the Union. The AMLA FAQ and the European Commissions have both indicated that AMLA became operational in June 2025, the first selection process under the AMLA regime was scheduled to take place in 2027 and the first direct supervisory authority over selected high-risk financial entities will be assumed by AMLA in 2028. Not all CASPs may be subject to direct AMLA supervision; however, this misses the greater point. Once a centralized set of supervisory standards is established, it then moves through national regulators, banking relationships and ultimately through the markets themselves.
Big consulting firms broadly review the package in a similar way. Deloitte describes it as a broad reshaping of EU AML obligations rather than a narrow legislative update, while Jones Day frames MiCA and AMLR together as a new regulatory landscape for CASPs. That is the general outlook on the package: not as “just another law”, but as a change in the operating conditions of the business.
Key AML Compliance Pressure Points for CASPs Under MiCA & AMLR
The first pressure point is onboarding, which is also where the question of what CASPs need to do for AML/KYT (anti-money laundering / know your transaction, analysing blockchain transactions to detect suspicious activity) compliance becomes most concrete. A firm wishing to apply for authorization as a CASP is required to demonstrate that it has established and will maintain effective internal controls, policies and procedures for identifying, assessing and managing risks, including those related to money laundering and terrorist financing. As such, competent authorities may consult with anti-money laundering authorities prior to granting a license; and a license granted to a CASP may be withdrawn if the CASP does not have adequate anti-money laundering / anti-terrorism financing (AML/CTF) systems in place.
The second pressure point is traceability, and this is where the EU travel rule crypto requirements become especially important. Pursuant to Regulation (EU) 2023/1113, CASPs are required to collect and, when appropriate, report information regarding the identity of the originator(s) and beneficiary(ies) of each transfer of a crypto asset, regardless of the amount of the transfer; these EU travel rule crypto requirements extend traceability obligations across all categories of CASPs under MiCA. The EBA's (European Banking Authority) 2024 Travel Rule Guidelines provide further implementation guidance on CASPs' and Intermediary CASPs' obligations to identify missing or incomplete transfer information and take a risk-based approach to respond to those gaps. Thus, the process of crypto compliance becomes more relevant. Firms are expected to establish processes to determine how they will respond to transfers where required information is missing or appears to be inconsistent and this information gap also provides additional input into suspicious activity reporting.
The third pressure point is the increased complexity of cross border relationships. Based on the revised AML regulatory framework, CASPs are expected to implement additional risk mitigation protocols when establishing correspondent relationships with respondent entities providing crypto asset services outside of the EU, especially when the respondent entity is unlicensed or subject to less stringent supervisory oversight. To providers that have grown up in an environment that emphasizes continuous innovation, the need to adopt a more cautious and risk-focused compliance posture represents a significant shift in their business model.
The Compliance Challenges Crypto Companies Still Face
Clearer regulations, by themselves, do not provide a solution to the issues associated with managing risk in crypto. What they do provide is clarity on who bears the burden of compliance. After regulators have established clear expectations, financial institutions can no longer rely upon either the uncertainty associated with regulation or the lack of oversight to avoid the uncomfortable task of complying with regulations.
The most obvious area of pressure is at the intersection of regulated entities and unregulated wallet owners (i.e., self-hosted wallets). While EU law does not prohibit self-hosted wallets, it requires CASPs to identify, assess and evaluate the money laundering and terrorist financing risks associated with funds transferred to/from self-hosted wallets, and where necessary, implement additional due diligence and other mitigation measures to address such risks. Thus, this establishes an intermediate position: interaction with self-hosted wallets is still permitted; however, it is no longer considered to be free from risk.
The second challenge is that simply being able to see data does not mean a company has a sufficient level of awareness. The European Banking Authority's Sector-Specific Risk Guidance for CASPs identifies several indicators which may suggest a higher risk of ML/TF (money laundering and terrorist financing), such as transfers to & from self-hosted addresses, unauthorized service providers, anonymity enhancing functions, and customer behavior that is inconsistent with expected transactional behaviors. Therefore, having access to greater amounts of transaction data will not automatically create a viable means of managing risk. A financial institution must also have a method for interpreting the data and responding in time to prevent suspected illegal activity from creating a supervisory problem.
National Supervisors are already providing their own interpretations of these requirements through regulatory guidance. For example, in the Netherlands, the AFM's (Dutch Authority for the Financial Markets) 2025 Annex for CASPs identifies the increased risk of ML/TF related to crypto services, directs firms towards TFR compliance, and emphasizes the need for firms to develop tailored risk assessments and implement enhanced due diligence when risk increases.
CASP AML Compliance Checklist: What to Do Before AMLA Supervision Begins
The firms can't sit back and do nothing until 2027 since a major part of the system is already in place. MiCA has already been implemented. The travel rule has been around for some time for crypto transactions. EBA has also provided guidance and sectoral expectations for CASPs.
The best way forward for the firms to use this time frame is to start evaluating how they onboard and score customer risk today. Evaluate current transaction monitoring systems using real-world scenarios as opposed to simply testing policies. Determine the level of exposure one has to self-hosted wallets, non-EU counterparties and weaker service providers. Consider governance as an element of crypto compliance versus something independent of crypto compliance.
Additionally, it's worth noting that the firms who are proactive now will likely have a better relationship with regulators, banks and other entities than the firms who choose to wait until regulatory bodies force them into compliance.
Conclusion
The EU's AML package does not mean the end of crypto innovation; however, it means the end of crypto being able to grow without taking AML seriously. MiCA, AMLR, AMLA and the Travel Rule are all saying the same thing: more traceability, more consistent oversight and less tolerance for ambiguity. For CASPs, the debate is no longer "at what point will we have to adhere to stricter regulations of crypto?"; the debate is "who will take advantage of the AMLA transitional period to develop 'robust' internal control measures prior to when regulatory pressure builds." If the planning to develop such has not already started, now would be an appropriate time to begin. Please feel free to share this article and participate in our discussions regarding how the EU's regulations will affect the crypto markets.
.svg){kind=icon}
.png)
.jpeg)
.jpg)
