About This Quick Version
This abbreviated version focuses on three critical compliance scenarios that highlight the most important regulatory challenges in crypto. Regulatory citations are pre-filled to save time - your focus is on making sound compliance decisions and explaining your reasoning.
Your Role: Chief Compliance Officer at CryptoSecure Exchange, a MiCA-licensed CASP operating in the EU with US customers.
Timeline (30 Minutes)
- FATF Travel Rule: Applies to transactions ≥ €1,000 (originator/beneficiary information required)
- Enhanced Due Diligence: Required for transactions ≥ €15,000 or high-risk customers/jurisdictions
- MiCA KYC: Full customer identification required before any service provision (no threshold)
- OFAC Sanctions: Iran is subject to comprehensive US sanctions (no threshold - all transactions prohibited)
- SAR Filing: Required when you know, suspect, or have reasonable grounds to suspect money laundering
Scenario 1: Withdrawal to Sanctioned Country
Situation: Your blockchain analytics tool flags that the destination wallet has received funds from mixers and has recent interactions with wallets located in Iran. The most recent deposit to this wallet came from an Iranian exchange 48 hours ago.
The customer states: "This is a business partner's wallet. We're working on a DeFi project together. He's Iranian but lives in Dubai now. The wallet might have Iranian connections but that's just where he used to trade."
- Destination wallet linked to sanctioned jurisdiction (Iran - OFAC sanctions)
- Recent interaction with Iranian exchange (48 hours ago)
- Mixer usage in destination wallet history
- Claim of Dubai relocation (common sanctions evasion tactic)
- OFAC Iran Sanctions: Comprehensive sanctions prohibit US persons from transactions with Iranian entities or involving Iranian jurisdiction. Violations: $250,000+ fines, criminal liability.
- EU Sanctions on Iran: The EU also maintains Iran sanctions (Council Regulation 267/2012), though their scope differs slightly from the US regime.
- FATF High-Risk Jurisdiction: Iran is on FATF's list of high-risk jurisdictions with strategic AML/CFT deficiencies.
- MiCA Sanctions Compliance: CASPs must screen against EU, UN, and OFAC sanctions lists.
Scenario 2: Suspicious Transaction Pattern
Situation: For 8 months, this customer has deposited €400-700 weekly (freelance payments), made small trades, and withdrawn about €2,000/month. Consistent pattern.
In the past 4 days:
- Day 1: €15,000 from UK company "TechConsult Ltd" → immediate conversion to USDT → transfer out
- Day 2: €12,000 from different UK company "Digital Solutions LLP" → immediate conversion to USDT → transfer out
- Day 3: €11,000 from Italian individual → conversion to BTC → withdrawal request pending
Customer states: "I landed three big design projects at once. Companies prefer to pay in crypto now. This is legitimate freelance income."
- 12x volume increase with no advance notice
- Rapid in-and-out pattern (deposits → immediate conversion → immediate withdrawal)
- Multiple different source accounts across jurisdictions (UK, UK, Italy)
- Inconsistent with 8-month historical pattern
- Classic "layering" behavior in money laundering
- MiCA Ongoing Monitoring: CASPs must monitor for deviations from expected transaction patterns (Article 70).
- FATF Travel Rule: The €38,000 total volume is made up of three transactions, each above the €1,000 threshold, so each one requires Travel Rule compliance.
- Layering Detection: Rapid in-and-out transactions are characteristic of money laundering "layering" stage.
- Enhanced Due Diligence Trigger: Significant deviation from normal pattern triggers EDD requirements.
- SAR Consideration: Pattern matches known money laundering typology (possible mule account).
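As an added example (not part of the worksheet), a Python monitoring rule that runs over a constructed ledger mirroring this customer's history: it computes the weekly deposit baseline, checks each recent deposit against the worksheet's Travel Rule and EDD thresholds, detects the rapid in-and-out pattern, and decides whether the result warrants SAR review. The 5x baseline multiplier and the 24-hour pass-through window are assumed tuning parameters, not values from the worksheet.

```python
from datetime import datetime, timedelta

EDD_THRESHOLD_EUR = 15_000   # from the worksheet's reference list
TRAVEL_RULE_EUR = 1_000      # from the worksheet's reference list
BASELINE_MULTIPLIER = 5      # assumed tuning: flag deposits above 5x the weekly baseline
PASS_THROUGH_HOURS = 24      # assumed tuning: most of a deposit leaves within a day

def build_ledger():
    """Constructed sample: 34 weeks of EUR 400-700 deposits and monthly ~EUR 2,000 withdrawals, then the burst."""
    start, ledger = datetime(2025, 1, 6), []
    for week in range(34):
        t = start + timedelta(weeks=week)
        ledger.append({"ts": t, "type": "deposit", "eur": 400 + (week * 37) % 301, "src": "freelance client"})
        if week % 4 == 3:
            ledger.append({"ts": t + timedelta(days=3), "type": "withdrawal", "eur": 2_000, "src": "own wallet"})
    burst = [(15_000, "TechConsult Ltd (UK)"), (12_000, "Digital Solutions LLP (UK)"), (11_000, "Italian individual")]
    for day, (amt, src) in enumerate(burst):  # pending day-3 BTC request modelled as an outgoing transfer
        t = start + timedelta(weeks=34, days=day)
        ledger.append({"ts": t, "type": "deposit", "eur": amt, "src": src})
        ledger.append({"ts": t + timedelta(hours=1), "type": "withdrawal", "eur": amt, "src": "external wallet"})
    return ledger

def weekly_baseline(deposits, cutoff):
    """Average weekly inflow over the deposits dated before the review window."""
    hist = sorted((d for d in deposits if d["ts"] < cutoff), key=lambda d: d["ts"])
    if not hist:
        return 0.0
    weeks = (hist[-1]["ts"] - hist[0]["ts"]).days // 7 + 1
    return sum(d["eur"] for d in hist) / weeks

def monitor(ledger, lookback_days=4):
    """Flag each deposit in the review window and decide whether the pattern warrants SAR review."""
    deposits = [e for e in ledger if e["type"] == "deposit"]
    withdrawals = [e for e in ledger if e["type"] == "withdrawal"]
    window_start = max(e["ts"] for e in ledger) - timedelta(days=lookback_days)
    baseline = weekly_baseline(deposits, window_start)
    alerts = []
    for d in (d for d in deposits if d["ts"] >= window_start):
        flags = {name for name, limit in (("TRAVEL_RULE", TRAVEL_RULE_EUR), ("EDD", EDD_THRESHOLD_EUR))
                 if d["eur"] >= limit}
        if d["eur"] > BASELINE_MULTIPLIER * baseline:
            flags.add("BASELINE_DEVIATION")   # Article 70 deviation from expected pattern
        if any(timedelta(0) <= w["ts"] - d["ts"] <= timedelta(hours=PASS_THROUGH_HOURS)
               and w["eur"] >= 0.9 * d["eur"] for w in withdrawals):
            flags.add("RAPID_PASS_THROUGH")   # deposit -> conversion -> withdrawal inside a day
        alerts.append({"src": d["src"], "eur": d["eur"], "flags": flags})
    # Two or more pass-through deposits from different sources is the layering typology named above.
    sar_review = sum("RAPID_PASS_THROUGH" in a["flags"] for a in alerts) >= 2
    return {"weekly_baseline_eur": round(baseline), "window_total_eur": sum(a["eur"] for a in alerts),
            "sar_review": sar_review, "alerts": alerts}
```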
Scenario 3: DAO Treasury Onboarding
Situation: "GreenFuture DAO" wants to open an account and convert €5M of their native governance token into USDC for quarterly operational expenses. The DAO has no legal registration anywhere.
DAO Structure:
- 3,847 token holders worldwide participate in governance votes
- Treasury controlled by 9-person multi-sig wallet (5 signatures required)
- This transaction was approved by governance vote (73% approval, 1,247 voters)
- Representative can provide documentation of the 9 multi-sig signers across 7 countries
- DAO's stated purpose: fund climate change projects via grants
The representative states: "We need proper treasury management. DAOs are the future of organizations. We have full transparency - all transactions are on-chain. We shouldn't need traditional KYC because we're decentralized."
- No legal entity = who is "the customer" under MiCA?
- Multiple beneficial owners across jurisdictions (9 signers, 3,847 members)
- Cannot perform traditional KYC on a non-entity
- €5M threshold triggers highest level of due diligence
- Regulatory framework unclear on DAO treatment
- Governance token may be unregistered security
- MiCA Legal Entity Requirement: Article 3 definitions refer to "natural or legal persons." A DAO with no legal registration is neither.
- EU 5AMLD Beneficial Ownership: Must identify individuals with ≥25% ownership or control. In a DAO with 3,847 token holders, this is impossible.
- MiCA KYC Obligations: Full customer identification required before service provision - but who is the customer?
- €5M Enhanced DD Threshold: This amount requires highest level of due diligence, which is impossible without legal entity.
- Securities Concerns: DAO governance token may be unregistered security under EU and US law.
Submission
Turn in: This completed worksheet with all three scenarios analyzed.
Grading (20 points total):
- Decision quality & reasoning: 12 points (4 per scenario)
- Risk assessment: 6 points (2 per scenario)
- Clarity of explanation: 2 points
© Joerg Osterrieder 2025-2026. All rights reserved.