This is Part 2 of our "MiCA in Practice" series. In Part 1, we covered the CASP licensing process. Here, we focus on the practical construction of an AML/KYC programme that satisfies both MiCA and the EU's anti-money laundering framework.
MiCA Article 68 requires CASPs to comply with the EU's anti-money laundering rules. Those rules are changing: the Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) replaces the directive-based approach from 10 July 2027; until then CASPs remain obliged entities under the AMLD as transposed by each Member State. Once the AMLR applies, CASPs face a directly applicable, largely harmonised set of AML/CFT obligations across all 27 Member States, with far less room for variation between national transpositions than today.
Building an effective AML/KYC programme for a crypto business is materially different from doing so for a traditional financial institution. The risks are different, the data sources are different, and the speed of transactions demands different technological solutions.
The Three Pillars of a Crypto AML Programme
Every CASP AML programme must rest on three foundational elements, each tailored to the specific risks of crypto-asset services:
1. Business-Wide Risk Assessment (BWRA)
Before designing any controls, you must understand your risk landscape. The BWRA is a documented assessment of the ML/TF risks inherent in your business model, customer base, geographic exposure, products, delivery channels, and transaction patterns.
For crypto businesses, this means going beyond traditional risk factors to include:
- Privacy-enhancing technologies — exposure to privacy coins (Monero, Zcash), mixers/tumblers (Tornado Cash), and CoinJoin implementations
- Cross-chain exposure — customers using bridges, wrapped assets, or multi-chain wallets that obscure the origin of funds
- DeFi interaction risk — deposits sourced from decentralised protocols with limited or no AML controls
- Geographic risk — customers in FATF grey/black-listed jurisdictions, or jurisdictions without CASP licensing regimes
- Peer-to-peer activity — high volumes of transfers to/from unhosted (self-custody) wallets
BWRA Tip
Your BWRA should be a living document, reviewed at least annually or whenever there is a material change in your business model, customer base, or regulatory environment. NCAs will ask for your BWRA during inspections — a stale or generic document is a red flag.
2. Policies, Controls, and Procedures
Your BWRA informs the design of your policies. At minimum, a CASP AML programme must include written policies covering:
- Customer due diligence (CDD) and enhanced due diligence (EDD)
- Customer risk classification and scoring
- Transaction monitoring rules and escalation procedures
- Sanctions screening (OFAC, EU, UN consolidated lists)
- Suspicious activity reporting (SAR/STR) to the relevant FIU
- Record keeping and data retention
- Staff training and awareness
- Independent audit and testing of AML controls
3. AML Governance Structure
The AMLR requires obliged entities, CASPs included, to designate a compliance manager at management-body level and a compliance officer who runs the AML programme day to day. The latter role is what most firms (and this series) call the Money Laundering Reporting Officer (MLRO): a senior individual with direct access to the management body, responsible for the day-to-day operation of the AML programme. This person must have:
- Sufficient seniority and authority to escalate issues to the board
- Adequate resources (staff, budget, technology) to perform the role effectively
- Demonstrated knowledge of ML/TF risks specific to crypto-assets
- Independence from commercial functions (no conflicts of interest)
Customer Due Diligence: What CASPs Must Collect
Under the AMLR, CASPs must apply CDD measures before establishing a business relationship or before carrying out an occasional transaction of at least €1,000. This is well below the general €10,000 occasional-transaction threshold in the AMLR (€15,000 under the previous directive), reflecting the higher risk attributed to the sector. Note that the travel-rule obligations of Regulation (EU) 2023/1113 apply to crypto-asset transfers regardless of amount, so the €1,000 figure governs CDD, not whether originator and beneficiary data must travel with a transfer.
Standard CDD Requirements
- Identify the customer — full name, date of birth, residential address, nationality, government-issued ID
- Verify identity — using reliable, independent sources (government ID documents, electronic verification, video identification where permitted)
- Identify the beneficial owner — for legal entities, identify any natural person who ultimately owns or controls the entity (25%+ ownership threshold, or effective control through other means)
- Understand the purpose and intended nature of the business relationship — what crypto services will the customer use, what is the expected volume and pattern of transactions?
- Ongoing monitoring — ensure that transactions are consistent with the customer's risk profile, and that CDD information remains current
Enhanced Due Diligence (EDD) Triggers
CASPs must apply EDD when the customer risk assessment indicates higher risk. Mandatory EDD triggers include:
- Politically Exposed Persons (PEPs) and their family members/close associates
- Customers in high-risk third countries (FATF grey/black list, and the Commission's list of high-risk third countries in Delegated Regulation (EU) 2016/1675, as amended)
- Complex or unusually large transactions without apparent economic purpose
- Non-face-to-face business relationships (standard for crypto, so the risk mitigation must be proportionate)
- Customers with significant exposure to privacy-enhancing services or high-risk protocols
Wallet-Level Due Diligence: The Crypto-Specific Layer
Traditional AML programmes focus on who the customer is. Crypto AML programmes must also assess what the customer's wallet has been doing. This is where on-chain analytics becomes essential.
When a customer deposits crypto-assets or provides a withdrawal address, the CASP should:
- Screen the wallet address against sanctions lists and known illicit addresses
- Assess source-of-funds risk — what is the on-chain history of the deposited assets? Have they passed through mixers, darknet markets, sanctioned entities, or known scam contracts?
- Evaluate counterparty risk — are withdrawal addresses associated with high-risk services or unlicensed exchanges?
- Monitor for pattern changes — a customer whose transaction patterns shift from low-risk exchange activity to high-volume mixer usage warrants additional scrutiny
Wallet-level analysis is not spelled out as such in the text of MiCA or the AMLR, but it has legal anchors and is rapidly becoming the supervisory expectation. Regulation (EU) 2023/1113 (the recast Transfer of Funds Regulation) requires CASPs to obtain and transmit originator and beneficiary information with each transfer and to apply risk-based measures to transfers involving self-hosted addresses. The EBA's ML/TF risk factor guidelines (EBA/GL/2021/02, amended by EBA/GL/2024/01 to add a sector-specific guideline for CASPs) reference blockchain-specific risk factors, such as the use of privacy-enhancing features and transfers with self-hosted addresses, that transaction monitoring must account for.
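The four steps above (screen the address, trace source of funds, evaluate counterparties, watch for pattern changes) are usually bought from an analytics vendor, but the core of the source-of-funds step is a small graph algorithm worth understanding before you buy it. The following is an added example, not code from the original article or from any vendor, and not BlockchainAnalysis' own logic. It assumes a constructed, synthetic address-label set and a constructed set of value transfers; the hop limit and the escalation thresholds (`SANCTIONED_ESCALATE`, `MIXER_EDD`) are illustrative policy choices an MLRO would set, not regulatory figures.

```python
from collections import defaultdict
from dataclasses import dataclass


def addr(n: int) -> str:
    """Build a synthetic, lowercase 20-byte hex address for the example (not a real address)."""
    return "0x" + f"{n:040x}"


# Constructed actors. In production the labels come from sanctions lists and an
# address-attribution database; these are synthetic stand-ins.
SANCTIONED = addr(0xBAD1)
MIXER = addr(0xC0DE)
EXCHANGE = addr(0xE7)        # a licensed VASP, treated as low risk
INTERMEDIARY_A = addr(0xA1)
INTERMEDIARY_B = addr(0xB2)
DEPOSIT = addr(0xD3)         # the address the customer deposits from
FRESH = addr(0xF4)           # a never-used self-hosted withdrawal address

LABELS = {SANCTIONED: "sanctioned", MIXER: "mixer", EXCHANGE: "licensed_exchange"}

# Assumed policy thresholds (share of deposited value), set by the MLRO in practice.
SANCTIONED_ESCALATE = 0.10   # any material sanctions exposure: hold and escalate
MIXER_EDD = 0.25             # a quarter of value from mixers: enhanced due diligence


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    amount: float  # in the asset's native unit


# Constructed value flows: two intermediaries sit between the labelled sources
# and the customer's deposit address.
TRANSFERS = [
    Transfer(MIXER, INTERMEDIARY_A, 3.0),
    Transfer(EXCHANGE, INTERMEDIARY_A, 1.0),
    Transfer(SANCTIONED, INTERMEDIARY_B, 1.0),
    Transfer(EXCHANGE, INTERMEDIARY_B, 3.0),
    Transfer(INTERMEDIARY_A, DEPOSIT, 2.0),
    Transfer(INTERMEDIARY_B, DEPOSIT, 2.0),
]


def normalise(address: str) -> str:
    # Hex addresses are case-insensitive; canonicalise so a mixed-case (EIP-55)
    # spelling cannot slip past an exact-match list lookup.
    return address.strip().lower()


def build_inbound(transfers):
    """Index transfers by destination so we can walk upstream (who funded whom)."""
    inbound = defaultdict(list)
    for t in transfers:
        inbound[normalise(t.dst)].append(Transfer(normalise(t.src), normalise(t.dst), t.amount))
    return inbound


def exposure(address, inbound, labels, max_hops, _hop=0):
    """Value-weighted share of funds reaching `address` from each labelled
    category within `max_hops` upstream hops. A labelled address contributes
    100% of its own category; unlabelled addresses pass through their funders'
    exposure in proportion to the value each funder sent."""
    address = normalise(address)
    if address in labels:
        return {labels[address]: 1.0}
    if _hop >= max_hops or not inbound.get(address):
        return {}  # unknown origin beyond the hop limit: reported as no exposure, not as clean
    total = sum(t.amount for t in inbound[address])
    out = defaultdict(float)
    for t in inbound[address]:
        share = t.amount / total
        for category, fraction in exposure(t.src, inbound, labels, max_hops, _hop + 1).items():
            out[category] += share * fraction
    return dict(out)


def screen(address, inbound, labels, max_hops=3):
    """Map an address to an onboarding decision: BLOCK, NO_HISTORY, ESCALATE, EDD or CLEAR."""
    address = normalise(address)
    if labels.get(address) == "sanctioned":
        return "BLOCK"                       # direct list hit: reject before any exposure maths
    if address not in labels and not inbound.get(address):
        return "NO_HISTORY"                  # fresh self-hosted address: nothing to analyse yet
    exp = exposure(address, inbound, labels, max_hops)
    if exp.get("sanctioned", 0.0) >= SANCTIONED_ESCALATE:
        return "ESCALATE"
    if exp.get("mixer", 0.0) >= MIXER_EDD:
        return "EDD"
    return "CLEAR"


INBOUND = build_inbound(TRANSFERS)

if __name__ == "__main__":
    for a in (DEPOSIT, INTERMEDIARY_A, SANCTIONED, FRESH, EXCHANGE):
        print(a, screen(a, INBOUND, LABELS), exposure(a, INBOUND, LABELS, max_hops=2))
```

Two design points matter more than the numbers. First, a hop limit that is too low silently reports "no exposure" for funds whose origin is simply further away (with `max_hops=1` the deposit address above looks clean), so treat an empty result as "unknown", never as "verified clean". Second, a brand-new self-hosted withdrawal address has no history to screen; the `NO_HISTORY` outcome is what triggers the ownership-verification measures the travel rule expects for self-hosted addresses, rather than a pass.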
Customer Risk Scoring: Building a Practical Model
Your CDD data and wallet analysis feed into a customer risk score — a composite rating that determines the level of ongoing monitoring applied to each relationship. A practical scoring model for a CASP should weight the following factors:
- Customer risk (30–40%) — PEP status, adverse media, sanctions proximity, jurisdiction of residence
- Product/service risk (15–20%) — custody-only vs. trading vs. DeFi access, anonymity-enhancing features
- Geographic risk (15–20%) — customer jurisdiction, counterparty jurisdictions, FATF status
- Transaction risk (20–30%) — on-chain source-of-funds analysis, mixer exposure, volume relative to declared activity
Customers scoring above your defined threshold move into EDD, which may include requests for source-of-wealth documentation, enhanced ongoing monitoring frequency, or — in cases where the risk cannot be adequately mitigated — exiting the relationship.
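The scoring model described above is simple to implement, and the one detail that matters most is that mandatory EDD triggers (PEP status, high-risk third countries, sanctions exposure) must override the composite score rather than merely contribute to it, or a PEP with otherwise benign activity ends up in standard monitoring. The following is an added example, not code from the original article or from BlockchainAnalysis. It assumes weights picked from the ranges given above (customer 35%, product 15%, geographic 20%, transaction 30%), an illustrative high-risk jurisdiction set, and assumed tier thresholds (`EDD_SCORE`, `MEDIUM_SCORE`) and factor points that an MLRO would calibrate; the three customers are constructed.

```python
from dataclasses import dataclass, field

# Weights chosen inside the ranges given above; they must sum to 1.0.
WEIGHTS = {"customer": 0.35, "product": 0.15, "geographic": 0.20, "transaction": 0.30}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9

# Illustrative set only. In production this is loaded from the current FATF
# lists and the Commission's high-risk third country list, which change several times a year.
HIGH_RISK_COUNTRIES = {"KP", "IR", "MM"}

PRODUCT_RISK = {"custody": 20, "trading": 40, "defi": 70}   # assumed points per product

# Assumed policy thresholds on the 0-100 composite score.
EDD_SCORE = 50
MEDIUM_SCORE = 25
VOLUME_RATIO_LIMIT = 2.0   # observed/declared monthly volume above this adds transaction risk


@dataclass(frozen=True)
class Customer:
    customer_id: str
    is_pep: bool
    adverse_media: bool
    residence: str               # ISO 3166-1 alpha-2
    products: frozenset          # subset of PRODUCT_RISK keys
    mixer_exposure: float        # share of deposited value traced to mixers (0..1)
    sanctioned_exposure: float   # share traced to sanctioned addresses (0..1)
    declared_monthly_eur: float  # from the "purpose and nature" CDD questions
    observed_monthly_eur: float  # from ongoing monitoring


def customer_factor(c: Customer) -> float:
    score = 0
    if c.is_pep:
        score += 60
    if c.adverse_media:
        score += 30
    if c.sanctioned_exposure > 0:
        score += 40   # sanctions proximity
    return min(score, 100)


def product_factor(c: Customer) -> float:
    # The riskiest product the customer has access to drives the factor.
    return max((PRODUCT_RISK[p] for p in c.products), default=0)


def geographic_factor(c: Customer) -> float:
    return 100 if c.residence in HIGH_RISK_COUNTRIES else 10


def transaction_factor(c: Customer) -> float:
    score = 100 * c.mixer_exposure
    if c.sanctioned_exposure > 0:
        score += 60
    if c.declared_monthly_eur > 0 and c.observed_monthly_eur / c.declared_monthly_eur > VOLUME_RATIO_LIMIT:
        score += 30   # activity inconsistent with the declared profile
    return min(score, 100)


def composite_score(c: Customer) -> float:
    factors = {
        "customer": customer_factor(c),
        "product": product_factor(c),
        "geographic": geographic_factor(c),
        "transaction": transaction_factor(c),
    }
    return sum(WEIGHTS[k] * v for k, v in factors.items())


def mandatory_edd_reasons(c: Customer) -> list:
    """Triggers that require EDD regardless of the composite score."""
    reasons = []
    if c.is_pep:
        reasons.append("PEP")
    if c.residence in HIGH_RISK_COUNTRIES:
        reasons.append("high-risk third country")
    if c.sanctioned_exposure > 0:
        reasons.append("sanctions exposure")
    return reasons


@dataclass
class Decision:
    score: float
    tier: str            # LOW, MEDIUM or HIGH monitoring tier
    edd_required: bool
    reasons: list = field(default_factory=list)


def classify(c: Customer) -> Decision:
    score = composite_score(c)
    reasons = mandatory_edd_reasons(c)
    if reasons:                       # overrides precede the score, never the reverse
        return Decision(score, "HIGH", True, reasons)
    if score >= EDD_SCORE:
        return Decision(score, "HIGH", True, [f"composite score {score:.1f} >= {EDD_SCORE}"])
    if score >= MEDIUM_SCORE:
        return Decision(score, "MEDIUM", False)
    return Decision(score, "LOW", False)


# Constructed customers.
RETAIL = Customer("c-1", False, False, "DE", frozenset({"custody", "trading"}), 0.0, 0.0, 2000, 1500)
DEFI_HEAVY = Customer("c-2", False, True, "PT", frozenset({"defi", "trading"}), 0.8, 0.0, 1000, 5000)
PEP_CUSTOMER = Customer("c-3", True, False, "FR", frozenset({"custody"}), 0.0, 0.0, 500, 400)

if __name__ == "__main__":
    for c in (RETAIL, DEFI_HEAVY, PEP_CUSTOMER):
        print(c.customer_id, classify(c))
```

The third customer is the case the override exists for: the PEP's composite score lands in the medium band, yet `classify` still returns EDD with "PEP" as the reason, which is also the audit trail an inspector will ask for. Keep the weights, factor points and thresholds in configuration reviewed alongside the BWRA, since changing them is a change to your risk appetite.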
How BlockchainAnalysis Powers Your AML/KYC Programme
Building a compliant AML/KYC programme requires more than policies — it requires operational tools that can execute those policies at the speed of crypto. BlockchainAnalysis provides the data and analytics layer that CASPs need:
- Wallet Screening — real-time screening of deposit and withdrawal addresses against 297+ risk data sources, including OFAC SDN, EU sanctions, and our proprietary database of 1B+ labelled addresses
- Entity Risk Scoring — automated risk classification based on on-chain behaviour, counterparty exposure, and sanctions proximity
- KYB Verification — corporate customer verification against 63M+ company records, including UBO identification and PEP/sanctions cross-referencing
- Source-of-Funds Analysis — trace the origin of deposited crypto-assets through multiple hops to assess exposure to illicit activity
The platform integrates directly into your onboarding workflow, providing risk assessments in seconds rather than hours — enabling compliant onboarding at scale without creating bottlenecks.
AML/KYC Programme Checklist
- Complete a crypto-specific Business-Wide Risk Assessment
- Appoint an MLRO with adequate authority, resources, and crypto expertise
- Implement CDD procedures with the €1,000 occasional transaction threshold
- Define EDD triggers specific to crypto risks (mixer exposure, PEPs, high-risk jurisdictions)
- Deploy wallet-level screening for all deposits and withdrawal addresses
- Build a risk scoring model that integrates both off-chain CDD and on-chain analytics
- Establish SAR/STR reporting procedures with your national FIU
- Schedule independent AML audits at least annually
Next in the series: MiCA in Practice #3 — Transaction Monitoring and Suspicious Activity Reporting, where we cover the operational design of a monitoring programme that catches real threats without drowning in false positives.
BlockchainAnalysis combines wallet screening, entity risk scoring, and KYB verification into a single compliance platform — purpose-built for CASPs meeting MiCA and AMLD obligations.
Screen wallets, monitor entities, and generate compliance reports with 1B+ labeled addresses and 305+ data sources.