Major crypto firms across Europe have secured their MiCA CASP authorisation. The deadline is not a distant problem anymore. Here is what the licence demands, what ongoing obligations look like, and which part of the compliance stack most firms are not yet ready for.
For most of the past decade, running a crypto exchange, custody service, or trading platform in Europe meant navigating a patchwork of national rules. Germany had one framework. Estonia had another. Malta had a third. That era is over. MiCA has arrived, and with it a single authorisation regime covering all 30 European Economic Area states. The firms that have already secured their CASP licences are now operating under a set of obligations that look much more like a bank than a technology startup. Understanding what those obligations actually entail matters both for firms inside the regime and for the infrastructure they choose to rely on.
VASP (Virtual Asset Service Provider) was the old term, drawn from FATF guidance and implemented differently by each EU member state. CASP (Crypto-Asset Service Provider) is the MiCA term. All existing VASPs operating in the EU were required to transition to a CASP authorisation during the 18-month window that closes on 1 July 2026. After that date, operating without a CASP licence is a regulatory violation regardless of prior registration status.
The pattern of where firms chose to register tells its own story. Luxembourg attracted Coinbase, Bitstamp, and Clearstream, drawn by fast passporting and a capital-markets-friendly regulator. Malta became the exchange hub, pulling in OKX, Crypto.com, Gemini, and Bitpanda. The Netherlands saw a strong crypto-native cohort including Bitvavo and MoonPay. Germany, predictably, became home to regulated banks adding CASP services: Commerzbank, N26, Trade Republic, and custodians like BitGo and Tangany secured authorisation there.
The common thread is that the heaviest-resourced firms moved early. What remains to be resolved is the question of the second and third tier of operators, many of whom are still mid-application or have not yet filed at all. For those firms, the options are narrowing quickly.
Getting a CASP licence is the beginning of the obligation, not the end of it. The authorisation itself covers ten regulated service categories ranging from custody and exchange to portfolio management and transfer services. But the ongoing operational requirements are where most firms will feel the weight of the new regime.
Of all the obligations above, AML/CFT transaction screening is the one that tends to be underestimated. Governance documentation and capital requirements are demanding but familiar: lawyers, accountants, and compliance consultants have been helping firms navigate equivalent obligations in other regulated sectors for decades. What is genuinely new under MiCA is the expectation around transaction-level screening, specifically the requirement to assess and act on risk before a transfer is executed, not after it settles.
Compliance cannot begin the moment a transaction appears on-chain. By then, the only option is reactive reporting. The obligation is to screen before broadcast, when intervention is still possible.
MiCA Article 68 Implementation ContextThis is a fundamental change from how most existing VASP compliance programmes operated. Legacy AML frameworks are built around monitoring confirmed transactions: flagging them, filing SARs, and reporting to financial intelligence units. That workflow assumes the transaction has already occurred. MiCA, combined with the Travel Rule, places obligations at the point of transfer initiation. A CASP that cannot demonstrate systematic pre-transfer screening of counterparty risk is not just operationally exposed; it is non-compliant with the licence it worked to obtain.
Pre-mempool AML screening refers to analysing the risk profile of a wallet and transaction before the transfer is signed and broadcast to the network. At that stage, the transaction exists as an unsigned intent, and the sender can still choose not to proceed. Once it hits the mempool and miners or validators process it, the window for pre-broadcast intervention has closed permanently.
This is the specific gap that MiCA Article 68 creates. The obligation to screen and the obligation to attach originator data both apply at or before transfer. A CASP cannot attach Travel Rule data to a transaction retrospectively; it must be gathered and verified in advance. And a CASP cannot demonstrate that it assessed counterparty risk on a transfer that it cannot prove it screened before broadcasting.
| Compliance Stage | Legacy AML (Post-Broadcast) | MiCA-Compliant (Pre-Broadcast) |
|---|---|---|
| Timing | After transaction confirms on-chain | Before transaction is signed and broadcast |
| Intervention possible | No. Reporting only. | Yes. Transaction can be held or blocked. |
| Travel Rule | Data attached retrospectively, if at all | Originator/beneficiary data gathered before broadcast |
| Sanctions screening | Flagged after settlement | Assessed at point of transaction initiation |
| MiCA Article 68 compliance | Does not satisfy the obligation | Satisfies the obligation |
QCA operates at exactly this stage. Its QARS v1.0 engine analyses the wallet address, counterparty exposure, transaction value anomalies, bridge interactions, velocity patterns, and Travel Rule completeness across 12 risk dimensions before the transaction is broadcast. The result is a deterministic risk score with a gate decision: PASS, BIOMETRIC REQUIRED, or PRE-MEMPOOL BLOCK. Each decision is accompanied by a cryptographically sealed certificate suitable for inclusion in compliance records and, where required, SAR filings.
To be clear about what QCA is and is not: it is a transaction-level AML risk scoring engine, not a full MiCA compliance stack. It does not handle governance documentation, capital reporting, ICT risk management frameworks, or white paper filing. What it provides is the specific technical capability that existing compliance programmes typically lack, specifically the ability to screen and gate transactions at the point of broadcast, with court-admissible output on every analysis.
A CASP licence requires many things. QCA addresses one of them, and it happens to be the one that is hardest to operationalise with legacy tools: pre-broadcast, transaction-level AML/CFT screening with Travel Rule completeness checking and audit-ready output. It is one component of a compliant operation, not a shortcut to the whole thing.
The transitional window closes, and there is no further grace period. Firms without CASP authorisation must cease providing regulated crypto-asset services in the EU. ESMA has been explicit: last-minute applications will face heightened regulatory scrutiny. Firms continuing to operate without authorisation face sanctions, enforcement action, and reputational damage that cannot be undone by a late licence application.
For firms that have secured their authorisation, the work is only beginning. Supervisory relationships with national competent authorities will become ongoing rather than episodic. Reporting obligations will be quarterly or monthly. AML/CFT programmes will be audited. The question for newly licensed CASPs is not whether they have crossed the threshold but whether their operational infrastructure can sustain compliance month over month at the standard MiCA requires.
QARS v1.0 screens wallet and transaction risk across 12 dimensions before broadcast, including Travel Rule completeness, sanctions cluster proximity, and velocity structuring patterns. Gate decisions are deterministic, reproducible, and accompanied by a cryptographically sealed certificate on every analysis.
For CASPs evaluating how to satisfy their Article 68 transaction monitoring obligations with court-admissible, audit-ready output, contact the team at contact@quantchainanalysis.com.