QuantChainAnalysis/ Intelligence/ Regulation · EU / MiCA
Regulation MiCA · CASP · AML/CFT June 2026 · 5 min read

MiCA Licences Are Live.
Here Is What CASPs Are
Actually Required to Do.

Major crypto firms across Europe have secured their MiCA CASP authorisation. The deadline is not a distant problem anymore. Here is what the licence demands, what ongoing obligations look like, and which part of the compliance stack most firms are not yet ready for.

Hard deadline
1 July 2026
Passporting reach
30 EEA states
No licence after deadline
Cease operations
← Back to Intelligence MiCA CASP licence framework: bank, shield and trading screen connected by compliance chain

For most of the past decade, running a crypto exchange, custody service, or trading platform in Europe meant navigating a patchwork of national rules. Germany had one framework. Estonia had another. Malta had a third. That era is over. MiCA has arrived, and with it a single authorisation regime covering all 30 European Economic Area states. The firms that have already secured their CASP licences are now operating under a set of obligations that look much more like a bank than a technology startup. Understanding what those obligations actually entail matters both for firms inside the regime and for the infrastructure they choose to rely on.

// The Terminology Shift

VASP (Virtual Asset Service Provider) was the old term, drawn from FATF guidance and implemented differently by each EU member state. CASP (Crypto-Asset Service Provider) is the MiCA term. All existing VASPs operating in the EU were required to transition to a CASP authorisation during the 18-month window that closes on 1 July 2026. After that date, operating without a CASP licence is a regulatory violation regardless of prior registration status.

Who Has Actually Secured a Licence

The pattern of where firms chose to register tells its own story. Luxembourg attracted Coinbase, Bitstamp, and Clearstream, drawn by fast passporting and a capital-markets-friendly regulator. Malta became the exchange hub, pulling in OKX, Crypto.com, Gemini, and Bitpanda. The Netherlands saw a strong crypto-native cohort including Bitvavo and MoonPay. Germany, predictably, became home to regulated banks adding CASP services: Commerzbank, N26, Trade Republic, and custodians like BitGo and Tangany secured authorisation there.

The common thread is that the heaviest-resourced firms moved early. What remains to be resolved is the question of the second and third tier of operators, many of whom are still mid-application or have not yet filed at all. For those firms, the options are narrowing quickly.

What the Licence Actually Requires

Getting a CASP licence is the beginning of the obligation, not the end of it. The authorisation itself covers ten regulated service categories ranging from custody and exchange to portfolio management and transfer services. But the ongoing operational requirements are where most firms will feel the weight of the new regime.

// Core Licence Conditions Under MiCA
  • Governance
    Fit and proper management, at least one EU-resident director, effective risk management framework, conflict of interest policies, and a documented business continuity plan. National competent authorities assess governance as part of the authorisation review and continue to monitor it post-licence.
  • Capital Requirements
    Three tiers: EUR 50,000 for advisory and order transmission services. EUR 125,000 for custody and exchange. EUR 150,000 for trading platforms. Capital must be maintained on an ongoing basis, not just at authorisation.
  • ICT and Operational Security
    MiCA incorporates DORA (Digital Operational Resilience Act) requirements. CASPs must maintain documented ICT risk management frameworks, incident reporting procedures, and third-party vendor risk controls. This is significantly more demanding than any previous national VASP registration.
  • Consumer Protection
    Enhanced client asset safeguarding, clear disclosure of risks, and explicit civil liability for incorrect or misleading information in white papers. Retail clients gain a right of withdrawal within defined periods.
  • AML/CFT and Travel Rule
    Fully implemented AML/CFT processes including Customer Due Diligence, transaction monitoring, and Travel Rule compliance. Under MiCA Article 68, CASPs must screen transactions and supply originator and beneficiary data on transfers at or above EUR 1,000. The EU Transfer of Funds Regulation 2023/1113 extends this obligation to all crypto-asset transfers regardless of amount.
  • Reporting and Transparency
    Machine-readable transaction reporting in standardised JSON schema per ESMA technical standards, order book records, and regular supervisory reporting to the national competent authority. ESMA maintains a public interim MiCA register updated weekly.

The Part Most Firms Are Not Ready For

Of all the obligations above, AML/CFT transaction screening is the one that tends to be underestimated. Governance documentation and capital requirements are demanding but familiar: lawyers, accountants, and compliance consultants have been helping firms navigate equivalent obligations in other regulated sectors for decades. What is genuinely new under MiCA is the expectation around transaction-level screening, specifically the requirement to assess and act on risk before a transfer is executed, not after it settles.

Compliance cannot begin the moment a transaction appears on-chain. By then, the only option is reactive reporting. The obligation is to screen before broadcast, when intervention is still possible.

MiCA Article 68 Implementation Context

This is a fundamental change from how most existing VASP compliance programmes operated. Legacy AML frameworks are built around monitoring confirmed transactions: flagging them, filing SARs, and reporting to financial intelligence units. That workflow assumes the transaction has already occurred. MiCA, combined with the Travel Rule, places obligations at the point of transfer initiation. A CASP that cannot demonstrate systematic pre-transfer screening of counterparty risk is not just operationally exposed; it is non-compliant with the licence it worked to obtain.

Where Pre-Mempool Screening Fits

Pre-mempool AML screening refers to analysing the risk profile of a wallet and transaction before the transfer is signed and broadcast to the network. At that stage, the transaction exists as an unsigned intent, and the sender can still choose not to proceed. Once it hits the mempool and miners or validators process it, the window for pre-broadcast intervention has closed permanently.

This is the specific gap that MiCA Article 68 creates. The obligation to screen and the obligation to attach originator data both apply at or before transfer. A CASP cannot attach Travel Rule data to a transaction retrospectively; it must be gathered and verified in advance. And a CASP cannot demonstrate that it assessed counterparty risk on a transfer that it cannot prove it screened before broadcasting.

Compliance Stage Legacy AML (Post-Broadcast) MiCA-Compliant (Pre-Broadcast)
Timing After transaction confirms on-chain Before transaction is signed and broadcast
Intervention possible No. Reporting only. Yes. Transaction can be held or blocked.
Travel Rule Data attached retrospectively, if at all Originator/beneficiary data gathered before broadcast
Sanctions screening Flagged after settlement Assessed at point of transaction initiation
MiCA Article 68 compliance Does not satisfy the obligation Satisfies the obligation

QCA operates at exactly this stage. Its QARS v1.0 engine analyses the wallet address, counterparty exposure, transaction value anomalies, bridge interactions, velocity patterns, and Travel Rule completeness across 12 risk dimensions before the transaction is broadcast. The result is a deterministic risk score with a gate decision: PASS, BIOMETRIC REQUIRED, or PRE-MEMPOOL BLOCK. Each decision is accompanied by a cryptographically sealed certificate suitable for inclusion in compliance records and, where required, SAR filings.

To be clear about what QCA is and is not: it is a transaction-level AML risk scoring engine, not a full MiCA compliance stack. It does not handle governance documentation, capital reporting, ICT risk management frameworks, or white paper filing. What it provides is the specific technical capability that existing compliance programmes typically lack, specifically the ability to screen and gate transactions at the point of broadcast, with court-admissible output on every analysis.

// The Honest Scope

A CASP licence requires many things. QCA addresses one of them, and it happens to be the one that is hardest to operationalise with legacy tools: pre-broadcast, transaction-level AML/CFT screening with Travel Rule completeness checking and audit-ready output. It is one component of a compliant operation, not a shortcut to the whole thing.

What Happens After 1 July 2026

The transitional window closes, and there is no further grace period. Firms without CASP authorisation must cease providing regulated crypto-asset services in the EU. ESMA has been explicit: last-minute applications will face heightened regulatory scrutiny. Firms continuing to operate without authorisation face sanctions, enforcement action, and reputational damage that cannot be undone by a late licence application.

For firms that have secured their authorisation, the work is only beginning. Supervisory relationships with national competent authorities will become ongoing rather than episodic. Reporting obligations will be quarterly or monthly. AML/CFT programmes will be audited. The question for newly licensed CASPs is not whether they have crossed the threshold but whether their operational infrastructure can sustain compliance month over month at the standard MiCA requires.

// QCA and MiCA Article 68

Pre-broadcast screening built for the obligation that matters most.

QARS v1.0 screens wallet and transaction risk across 12 dimensions before broadcast, including Travel Rule completeness, sanctions cluster proximity, and velocity structuring patterns. Gate decisions are deterministic, reproducible, and accompanied by a cryptographically sealed certificate on every analysis.

For CASPs evaluating how to satisfy their Article 68 transaction monitoring obligations with court-admissible, audit-ready output, contact the team at contact@quantchainanalysis.com.