1. MiCA (Markets in Crypto-Assets Regulation) - EU

Overview

MiCA is the EU's comprehensive regulatory framework for crypto-assets, effective 2024. It establishes licensing requirements for crypto-asset service providers (CASPs) and issuers.

Key Provisions for CASPs

Authorization: CASPs must be authorized in one EU member state (single passport valid across EU). Must be a legal entity established in EU.
Capital Requirements: €150,000 initial capital OR 2% of average fixed overheads. Additional capital for large operations.
KYC Obligations: Full customer identification before service provision. Beneficial ownership for legal entities. PEP screening mandatory.
Transaction Monitoring: Ongoing monitoring for suspicious activities. Risk-based approach to customer due diligence.
Record Keeping: Maintain records for 5 years after end of customer relationship or transaction.

MiCA Transaction Thresholds

€1,000+: Enhanced customer due diligence for occasional customers (not regular account holders)
€10,000+: Mandatory suspicious transaction reporting consideration
€15,000+: Enhanced due diligence for high-risk jurisdictions or customer types

MiCA on Stablecoins (E-Money Tokens & Asset-Referenced Tokens)

E-Money Tokens (EMTs): Stablecoins pegged 1:1 to a single fiat currency (e.g., USDC, EURC). Require an e-money institution license. Full reserves required.

Asset-Referenced Tokens (ARTs): Stablecoins backed by a basket of assets (e.g., algorithmic stablecoins). Stricter requirements, including own funds and liquidity management.

Critical MiCA Compliance Point: CASPs cannot offer services to customers in sanctioned jurisdictions or involving sanctioned individuals. Must maintain updated sanctions screening against EU, UN, and OFAC lists.

2. FATF Travel Rule (Recommendation 16)

Core Requirement

The "Travel Rule" requires Virtual Asset Service Providers (VASPs) to obtain, hold, and transmit originator and beneficiary information for virtual asset transfers above €/USD 1,000.

Required Information

Originator Information

  • Full name
  • Account number (or unique reference)
  • Physical address OR national identity number OR date and place of birth

Beneficiary Information

  • Full name
  • Account number (or wallet address)

Travel Rule Thresholds

Below €1,000: No Travel Rule obligation (but still maintain transaction records)
€1,000 - €15,000: Full Travel Rule compliance: collect and transmit all originator/beneficiary data
Above €15,000: Travel Rule + Enhanced Due Diligence (verify source of funds, beneficial ownership)

Unhosted Wallet Challenge: When customers transfer to self-hosted wallets (non-custodial), you cannot obtain beneficiary information. FATF recommends enhanced monitoring and possible transaction limits for unhosted wallet transfers.
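The threshold tiers and the required originator/beneficiary fields above, written out as a pre-send check. This is an added example, not code from the original page or from any Travel Rule protocol; the transfer dictionary layout, the field names, the action labels and the sample transfers are all constructed for illustration. The unhosted-wallet case is routed to enhanced monitoring rather than treated as a missing-data failure, following the note above.

```python
# Added example (not from the original page): classify an outbound transfer
# against the Travel Rule thresholds and check that the originator and
# beneficiary records carry the required fields. Field names, the transfer
# dict layout, action labels and the sample transfers are assumptions.

TRAVEL_RULE_THRESHOLD_EUR = 1_000   # at or above: full Travel Rule
EDD_THRESHOLD_EUR = 15_000          # above: Travel Rule plus enhanced due diligence

# Originator: name, account reference, and at least one of the three
# identity attributes. Beneficiary: name and account number / wallet address.
ORIGINATOR_REQUIRED = ("full_name", "account_number")
ORIGINATOR_ONE_OF = ("physical_address", "national_id", "birth_date_place")
BENEFICIARY_REQUIRED = ("full_name", "account_number")


def obligation_tier(amount_eur):
    """Map a EUR-equivalent amount to 'none', 'travel_rule' or 'travel_rule_edd'."""
    if amount_eur < TRAVEL_RULE_THRESHOLD_EUR:
        return "none"
    if amount_eur <= EDD_THRESHOLD_EUR:
        return "travel_rule"
    return "travel_rule_edd"


def missing_fields(record, required, one_of=()):
    """Names of required fields that are absent or empty in a party record."""
    missing = [f for f in required if not record.get(f)]
    if one_of and not any(record.get(f) for f in one_of):
        missing.append("one_of(" + "|".join(one_of) + ")")
    return missing


def evaluate_transfer(transfer):
    """Return the obligation tier, the data gaps and the resulting action."""
    tier = obligation_tier(transfer["amount_eur"])
    if tier == "none":
        # Below the threshold: no payload to transmit, but records are still kept.
        return {"tier": tier, "gaps": [], "action": "send_and_record"}

    gaps = ["originator." + f for f in
            missing_fields(transfer.get("originator", {}), ORIGINATOR_REQUIRED, ORIGINATOR_ONE_OF)]
    if transfer.get("unhosted_wallet"):
        # Self-hosted destination: beneficiary data cannot be obtained from a
        # counterparty VASP, so apply enhanced monitoring instead of a hard gap.
        action = "send_with_enhanced_monitoring"
    else:
        gaps += ["beneficiary." + f for f in
                 missing_fields(transfer.get("beneficiary", {}), BENEFICIARY_REQUIRED)]
        action = "transmit_payload_to_counterparty_vasp"
    if tier == "travel_rule_edd":
        action += "+edd_source_of_funds"
    if gaps:
        action = "hold_pending_data"   # do not send until the record is complete
    return {"tier": tier, "gaps": gaps, "action": action}


# Constructed sample transfers (no real customers, accounts or addresses).
ORIGINATOR_OK = {"full_name": "Example Originator", "account_number": "ACC-0001",
                 "physical_address": "1 Example Street, Example City"}
SAMPLE_TRANSFERS = [
    {"id": "t1", "amount_eur": 450, "originator": ORIGINATOR_OK,
     "beneficiary": {"full_name": "Example Beneficiary", "account_number": "ACC-9001"}},
    {"id": "t2", "amount_eur": 5_000, "originator": ORIGINATOR_OK,
     "beneficiary": {"full_name": "Example Beneficiary", "account_number": "ACC-9001"}},
    {"id": "t3", "amount_eur": 5_000,
     "originator": {"full_name": "Example Originator", "account_number": "ACC-0002"},  # no identity attribute
     "beneficiary": {"full_name": "Example Beneficiary"}},                             # no account / wallet
    {"id": "t4", "amount_eur": 20_000, "originator": ORIGINATOR_OK, "unhosted_wallet": True},
]


def run_samples():
    """Evaluate every sample transfer, keyed by id."""
    return {t["id"]: evaluate_transfer(t) for t in SAMPLE_TRANSFERS}


if __name__ == "__main__":
    for tid, res in run_samples().items():
        print(tid, res)
```

The boundary behaviour follows the table literally: €1,000 is already in the full Travel Rule tier, €15,000 is still in it, and only amounts strictly above €15,000 add the source-of-funds check.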

Implementation Protocols

  • TRISA: Travel Rule Information Sharing Architecture (open-source)
  • TRP: Travel Rule Protocol (CipherTrace/Mastercard)
  • OpenVASP: Open Virtual Assets Service Provider standard
  • Manual compliance: Email exchange with counterparty VASPs (least efficient)

3. US Regulatory Landscape

Multi-Agency Jurisdiction

Unlike the EU's unified MiCA framework, US crypto regulation involves multiple agencies with overlapping and sometimes conflicting mandates.

Key US Regulatory Bodies

FinCEN
Jurisdiction: Money Services Businesses (MSBs); AML/CTF compliance
Key Requirements:
  • MSB registration required for exchanges
  • State-by-state money transmitter licenses
  • Suspicious Activity Reports (SARs) for transactions ≥$2,000
  • Currency Transaction Reports (CTRs) for cash ≥$10,000

SEC
Jurisdiction: Securities (most crypto tokens)
Key Requirements:
  • Howey Test applied to determine if token is a security
  • Broker-dealer registration for security-based tokens
  • Accredited investor requirements for security token offerings

CFTC
Jurisdiction: Commodities (BTC, ETH)
Key Requirements:
  • Derivatives registration for crypto futures/options
  • Fraud and manipulation enforcement
  • BTC and ETH classified as commodities

OFAC
Jurisdiction: Sanctions compliance (all entities)
Key Requirements:
  • Block transactions to/from sanctioned addresses
  • Screen against SDN (Specially Designated Nationals) list
  • Immediate blocking and reporting of sanctioned entity interactions

Regulatory Uncertainty: The SEC vs. CFTC jurisdictional debate is ongoing. Most tokens are treated as securities by SEC, but CFTC claims authority over "digital commodities." Exchanges must navigate both frameworks until Congress provides clarity.

US vs. EU Comparison

Regulatory Approach: EU (MiCA): Unified, comprehensive framework. US: Fragmented, multi-agency enforcement.
Licensing: EU (MiCA): Single EU authorization. US: Federal + 50 state licenses.
Stablecoin Treatment: EU (MiCA): Explicit rules (EMT/ART categories). US: Unclear (securities vs. money transmitter).
DeFi: EU (MiCA): Partially addressed in MiCA. US: Largely unregulated (evolving).

4. KYC/AML Requirements

Customer Due Diligence (CDD) Levels

Standard CDD
When Required: All new customers
Information Collected:
  • Full name, date of birth
  • Residential address
  • Government-issued ID (passport, driver's license)
  • Source of funds declaration

Enhanced Due Diligence (EDD)
When Required: High-risk customers: PEPs; high-value transactions (€15k+); high-risk jurisdictions
Information Collected:
  • All Standard CDD information
  • Source of wealth documentation
  • Beneficial ownership (for legal entities)
  • Purpose of business relationship
  • Expected transaction patterns
  • Senior management approval

Ongoing Monitoring
When Required: All customers (continuous)
Information Collected:
  • Transaction pattern analysis
  • Deviation from expected behavior
  • Periodic KYC refresh (annually for high-risk)
  • Sanctions screening (daily)

Beneficial Ownership Rules (Legal Entities)

MiCA/EU 5AMLD: Identify and verify all individuals owning ≥25% of entity OR exercising control through other means (voting rights, board appointment, etc.).

FinCEN (US): Identify individuals with ≥25% ownership OR significant control (CEO, CFO, etc.). Beneficial Ownership Information (BOI) report required.

5. Red Flags for Suspicious Activity

Customer Behavior Red Flags

  • KYC avoidance: Reluctance to provide ID, falsified documents, frequent account changes to avoid verification
  • Structuring: Multiple transactions just below reporting thresholds (e.g., multiple €900 transactions to avoid €1,000 Travel Rule)
  • Inconsistent information: Employment doesn't match transaction volumes, vague source of funds explanations
  • Unusual patterns: Dormant account suddenly active, 10x+ volume increases, immediate in-and-out transactions
  • PEP without disclosure: Customer is politically exposed but didn't declare it

Transaction Pattern Red Flags

  • Rapid movement: Funds deposited → immediately converted → immediately withdrawn (classic layering)
  • Round-tripping: Funds sent to external wallet, then return to same account through different path
  • Mixer/tumbler usage: Interaction with known mixing services (CoinJoin, Tornado Cash, etc.)
  • High-risk destinations: Transfers to darknet market addresses, sanctioned entities, unregistered exchanges
  • Uneconomical behavior: Paying high fees for rapid transactions without business justification
  • Funnel accounts: Many small deposits from different sources, consolidated, then withdrawn

Jurisdictional Red Flags

  • FATF blacklist countries: North Korea, Iran, Myanmar (full counter-measures)
  • FATF graylist countries: Enhanced monitoring required (check current list - changes quarterly)
  • Offshore havens: BVI, Cayman Islands, Panama - require enhanced due diligence for entities
  • Non-compliant VASPs: Counterparty exchanges not registered, no Travel Rule compliance, privacy-focused platforms
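Three of the transaction-pattern red flags above (structuring, rapid in-and-out movement, funnel accounts) expressed as detection rules that a monitoring pipeline could run over a transaction ledger. This is an added example, not code from the original page or from any vendor product; the ledger schema, the window sizes, the "just below threshold" band, the minimum counts and the sample rows are all constructed assumptions and would be tuned per exchange.

```python
# Added example (not from the original page): three transaction-pattern red
# flags as detection rules over a constructed ledger. Thresholds, window
# sizes, the event schema and the sample rows are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD_EUR = 1_000            # reporting / Travel Rule threshold being avoided
NEAR_BAND = 0.8                  # "just below": 80%..100% of the threshold
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3
RAPID_WINDOW = timedelta(minutes=30)
FUNNEL_MIN_SOURCES = 5


def parse_ledger(rows):
    """rows: 'timestamp,account,kind,amount_eur,counterparty' lines -> sorted events."""
    events = []
    for line in rows:
        ts, account, kind, amount, counterparty = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "kind": kind, "amount": float(amount), "counterparty": counterparty})
    return sorted(events, key=lambda e: e["ts"])


def by_account(events):
    groups = defaultdict(list)
    for e in events:
        groups[e["account"]].append(e)
    return groups


def detect_structuring(events):
    """Several outbound transfers just below the threshold inside one window."""
    alerts = []
    for account, evs in by_account(events).items():
        near = [e for e in evs if e["kind"] == "withdraw"
                and NEAR_BAND * THRESHOLD_EUR <= e["amount"] < THRESHOLD_EUR]
        for i, first in enumerate(near):
            window = [e for e in near[i:] if e["ts"] - first["ts"] <= STRUCTURING_WINDOW]
            total = sum(e["amount"] for e in window)
            if len(window) >= STRUCTURING_MIN_COUNT and total >= THRESHOLD_EUR:
                alerts.append({"rule": "structuring", "account": account,
                               "count": len(window), "total": total})
                break   # one alert per account is enough for triage
    return alerts


def detect_rapid_movement(events):
    """deposit -> convert -> withdraw completed within RAPID_WINDOW (layering)."""
    alerts = []
    for account, evs in by_account(events).items():
        for i, dep in enumerate(evs):
            if dep["kind"] != "deposit":
                continue
            later = [e["kind"] for e in evs[i + 1:] if e["ts"] - dep["ts"] <= RAPID_WINDOW]
            if "convert" in later and "withdraw" in later[later.index("convert"):]:
                alerts.append({"rule": "rapid_movement", "account": account,
                               "start": dep["ts"].isoformat()})
                break
    return alerts


def detect_funnel(events):
    """Many small deposits from distinct sources, then withdrawals that drain them."""
    alerts = []
    for account, evs in by_account(events).items():
        deposits = [e for e in evs if e["kind"] == "deposit" and e["amount"] < THRESHOLD_EUR]
        sources = {e["counterparty"] for e in deposits}
        pooled = sum(e["amount"] for e in deposits)
        withdrawn = sum(e["amount"] for e in evs if e["kind"] == "withdraw")
        if len(sources) >= FUNNEL_MIN_SOURCES and withdrawn >= 0.9 * pooled > 0:
            alerts.append({"rule": "funnel_account", "account": account, "sources": len(sources)})
    return alerts


def run_all(rows):
    events = parse_ledger(rows)
    return detect_structuring(events) + detect_rapid_movement(events) + detect_funnel(events)


# Constructed sample ledger (no real accounts): acct-A structures, acct-B
# layers, acct-C funnels, acct-D is ordinary activity and must not alert.
SAMPLE_LEDGER = [
    "2025-03-01T09:00:00,acct-A,withdraw,950,ext-w1",
    "2025-03-01T13:00:00,acct-A,withdraw,900,ext-w2",
    "2025-03-01T20:00:00,acct-A,withdraw,980,ext-w3",
    "2025-03-02T10:00:00,acct-B,deposit,4000,bank-1",
    "2025-03-02T10:05:00,acct-B,convert,4000,internal",
    "2025-03-02T10:12:00,acct-B,withdraw,3990,ext-w4",
    "2025-03-03T08:00:00,acct-C,deposit,300,src-1",
    "2025-03-03T08:10:00,acct-C,deposit,250,src-2",
    "2025-03-03T08:20:00,acct-C,deposit,400,src-3",
    "2025-03-03T08:30:00,acct-C,deposit,350,src-4",
    "2025-03-03T08:40:00,acct-C,deposit,200,src-5",
    "2025-03-04T09:00:00,acct-C,withdraw,1450,ext-w5",
    "2025-03-05T09:00:00,acct-D,deposit,700,bank-2",
    "2025-03-06T09:00:00,acct-D,withdraw,300,ext-w6",
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_LEDGER):
        print(alert)
```

Each rule returns at most one alert per account so that a reviewer sees the account once; the alert carries the evidence (count and total for structuring, the starting deposit for rapid movement, the number of distinct sources for a funnel) that the analyst needs when deciding whether the pattern has a legitimate explanation.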

When to File Suspicious Activity Report (SAR)

EU (MiCA): File with national Financial Intelligence Unit (FIU) when you know, suspect, or have reasonable grounds to suspect money laundering or terrorist financing. No minimum threshold.

US (FinCEN): File SAR within 30 days when transaction ≥$2,000 involves known/suspected criminal activity, appears designed to evade regulations, or lacks business purpose.

Critical: Do NOT notify the customer that a SAR has been filed (tipping off is a criminal offense).

6. Risk-Based Decision Framework

LOW
Indicators:
  • Fully verified KYC
  • Consistent with historical pattern
  • Clear source of funds
  • Low-risk jurisdiction
  • Transparent blockchain trail
Recommended Action: Approve with standard monitoring

MEDIUM
Indicators:
  • Slight deviation from pattern
  • New transaction type for customer
  • Moderate value (€10k-50k)
  • Some missing information
  • Medium-risk counterparty
Recommended Action: Flag for review - Request additional documentation, enhanced monitoring, possible senior approval

HIGH
Indicators:
  • Multiple red flags present
  • Sanctions screening hit
  • Unexplainable fund source
  • KYC avoidance behavior
  • Privacy coin / mixer involvement
  • FATF blacklist jurisdiction
Recommended Action: Reject or block - Consider SAR filing, possible account termination, report to authorities if sanctions violation
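The decision table above encoded as a function, so that the precedence between indicators is explicit: any HIGH indicator or two or more fired red flags dominates, a single MEDIUM indicator or a single red flag sends the case to review, and everything else is approved with standard monitoring. This is an added example, not part of the original page; the indicator names, the rule that two red flags count as "multiple", the use of the €10k lower bound of the moderate-value band to trigger senior approval, and the sample cases are assumptions.

```python
# Added example (not from the original page): the risk-based decision table
# as a function. Indicator names, the precedence between indicators, the
# senior-approval rule and the sample cases are assumptions.

# Indicators that on their own put a case in the HIGH tier.
HIGH_INDICATORS = {
    "sanctions_hit", "unexplained_fund_source", "kyc_avoidance",
    "mixer_or_privacy_coin", "fatf_blacklist_jurisdiction",
}
# Indicators that individually warrant the MEDIUM tier.
MEDIUM_INDICATORS = {
    "pattern_deviation", "new_transaction_type", "missing_information",
    "medium_risk_counterparty", "moderate_value",
}
MODERATE_VALUE_EUR = (10_000, 50_000)
MULTIPLE_RED_FLAGS = 2           # assumption: two fired red flags count as "multiple"

ACTIONS = {"LOW": "approve_standard_monitoring",
           "MEDIUM": "flag_for_review",
           "HIGH": "reject_or_block"}


def case_indicators(case):
    """Indicator set for a case, adding 'moderate_value' from the amount band."""
    ind = set(case.get("indicators", ()))
    lo, hi = MODERATE_VALUE_EUR
    if lo <= case.get("amount_eur", 0) <= hi:
        ind.add("moderate_value")
    return ind


def risk_tier(case):
    """case: {'amount_eur': float, 'indicators': iterable, 'red_flags': iterable}.
    'red_flags' are rule names fired by transaction monitoring (section 5)."""
    ind = case_indicators(case)
    red_flags = set(case.get("red_flags", ()))
    if ind & HIGH_INDICATORS or len(red_flags) >= MULTIPLE_RED_FLAGS:
        return "HIGH"
    if ind & MEDIUM_INDICATORS or red_flags:
        return "MEDIUM"
    return "LOW"


def decide(case):
    """Tier, recommended action and the follow-up steps from the table."""
    tier = risk_tier(case)
    follow_up = []
    if tier == "MEDIUM":
        follow_up = ["request_additional_documentation", "enhanced_monitoring"]
        if case.get("amount_eur", 0) >= MODERATE_VALUE_EUR[0]:
            follow_up.append("senior_approval")      # assumption: tie approval to value
    elif tier == "HIGH":
        follow_up = ["consider_sar_filing", "consider_account_termination"]
        if "sanctions_hit" in case_indicators(case):
            follow_up.append("report_to_authorities")
    return {"tier": tier, "action": ACTIONS[tier], "follow_up": follow_up}


# Constructed sample cases (no real customers).
SAMPLE_CASES = {
    "c1": {"amount_eur": 2_000},
    "c2": {"amount_eur": 25_000, "indicators": ["new_transaction_type"]},
    "c3": {"amount_eur": 500, "red_flags": ["structuring", "rapid_movement"]},
    "c4": {"amount_eur": 800, "indicators": ["sanctions_hit"]},
    "c5": {"amount_eur": 3_000, "red_flags": ["structuring"]},
}


def run_cases():
    return {cid: decide(c) for cid, c in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for cid, d in run_cases().items():
        print(cid, d)
```

Keeping the tiers in one function makes the escalation rules reviewable and testable, which matters when the reasoning behind a decision has to be documented later.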

Compliance Officer's Dilemma

Often there is no perfect answer. Your role is to balance:

  • Regulatory compliance: Following the letter and spirit of AML/KYC laws
  • Business reality: Not rejecting legitimate customers unnecessarily
  • Risk management: Protecting your exchange from regulatory sanctions and reputational damage
  • Innovation: Supporting legitimate crypto use cases while preventing abuse

When in doubt, escalate to senior management and legal counsel. Document your reasoning thoroughly.

© Joerg Osterrieder 2025-2026. All rights reserved.