May 27, 2026

MiCA Licensing in Practice: Where Crypto Companies Go Wrong on KYC

The window is closing. For businesses that treated MiCA as a distant problem, the grandfathering period is nearly gone. The options left are either a rushed exit from European markets or a last-minute scramble toward proper authorisation.

Looking at where companies get stuck, one pattern keeps repeating: customer due diligence and transaction monitoring. These two areas account for more delays and outright rejections than any other part of the application.

This piece breaks down how the requirements are structured, what a compliant KYC framework for crypto businesses actually looks like, and where most applicants fall short.

Note: This article is purely informational, and shouldn't be treated as legal advice. Anyone navigating a MiCA application should work with a qualified compliance professional or lawyer.

The Regulation in Brief

The Markets in Crypto-Assets Regulation, a.k.a. MiCA, came into force in June 2023. Unlike a directive, this EU regulation applies as law across all 27 member states automatically, with no separate national adoption required. The provisions governing crypto-asset service providers became fully effective on 30 December 2024.

Two things happen under MiCA simultaneously. A single authorisation framework replaces the fragmented national regimes that existed before, and a successful application gives passporting rights across the entire EU single market.

From VASP to CASP: A Different Kind of Obligation

The previous generation of EU crypto regulation used the FATF-derived term "Virtual Asset Service Provider." In practice, VASP registration was largely an AML exercise — customer due diligence, suspicious transaction reporting, basic controls. Some jurisdictions treated it more like a notification process than a genuine licensing regime.

That category no longer exists under MiCA. The same businesses are now Crypto-Asset Service Providers, and the obligations are substantially heavier.

A CASP authorisation requires demonstrated governance structures, fit-and-proper assessments for management, documented internal controls, client asset protection mechanisms, and ongoing supervisory reporting. AML compliance remains mandatory — it just isn't enough on its own anymore.

Prior VASP registration provides no transitional status. There is no carryover. Every business operating in European crypto markets needs to qualify under the new framework independently.

Where You Can Actually Get Licensed

MiCA is an EU regulation, but the practical ability to apply for a license depends on whether a given member state has enacted the implementing legislation needed to designate a national competent authority and open an authorisation process.

Jurisdiction selection isn't only about speed or corporate tax — it determines whether a license is available at all.

By late 2025, ESMA's central register showed 103 licensed CASPs. The Netherlands, Germany, France, and Malta processed the largest number of applications. Lithuania, Ireland, the Czech Republic, Estonia, and Luxembourg all have functioning pipelines with active NCA review.

The situation in some jurisdictions is more complicated. Poland remains the only EU member state without MiCA implementing legislation as of May 2026. The national Crypto-Assets Market Act was vetoed by President Nawrocki in December 2025, then rejected again in February 2026 after parliament resubmitted it. No replacement bill has been introduced. Without that legislation, the KNF has no legal authority to process CASP applications.

Bulgaria and Romania also face legal uncertainty due to incomplete national implementation.

Who Falls Within Scope

MiCA covers any entity delivering crypto-asset services professionally to EU clients. The scope is wider than most companies initially assume.

Regulated activities include:

  • custody and administration;
  • running a trading platform;
  • fiat-to-crypto and crypto-to-crypto exchange;
  • order execution;
  • reception and transmission of orders;
  • portfolio management;
  • transfer services;
  • placement of crypto-assets.

Companies that positioned themselves as infrastructure providers or technology layers often discover this boundary matters. If the service involves client assets, executes transactions, or routes order flow, the "we're just tech" framing doesn't hold up under regulatory scrutiny.

Size is not a factor in the obligation to be authorised. A small OTC desk serving EU retail clients faces the same authorisation requirement as a major exchange. Certain requirements scale with complexity and volume, but the licensing threshold does not.

NFT platforms and DeFi protocols sit in a genuinely ambiguous position. MiCA excludes certain asset types, but the practical boundaries are unresolved. Businesses in those areas need specific legal analysis rather than assumptions.

CDD Requirements: Two Layers, Both Mandatory

MiCA itself doesn't prescribe CDD in detail. Article 72 obliges authorised CASPs to maintain procedures for detecting and reporting financial crime. The specifics come from a different source.

Under Article 68, every licensed CASP automatically falls within the scope of the EU AML framework — currently AMLD5. That directive defines what customer due diligence must actually contain.

This two-layer structure trips up a significant number of applicants. The application needs to satisfy both: MiCA's requirement that controls exist, and AMLD's requirements for what those controls must include.

Standard CDD under AMLD5 requires four elements for each customer:

  • Verification of identity
  • Identification of beneficial owners for corporate clients
  • Understanding of the purpose and expected nature of the relationship
  • A transaction profile — anticipated volumes, asset types, and counterparty patterns

That fourth element is where crypto-specific applications most often fail. Without a documented transaction baseline for each customer or segment, there's nothing for the monitoring system to measure against. Regulators pay attention to this gap.

For individual customers, the practical minimum is document verification, a liveness check, and proof of address. The exact technical requirements vary by jurisdiction and NCA, but the expectation of a documented, auditable, risk-based process is consistent across the EU.

For corporate customers, full UBO chain verification is required — corporate structure documentation, confirmation of control, and coherence with the declared business activity.

Enhanced due diligence applies where standard controls are insufficient. The main triggers:

  • Politically Exposed Persons and close associates
  • Customers from high-risk third countries on the European Commission list
  • Correspondent relationships with non-EU CASPs
  • Ownership structures that are complex or difficult to verify
  • Transactions lacking a clear commercial rationale

Each EDD decision must be documented — what triggered the enhanced review, what additional steps were taken, and who approved the outcome. CDD records must be retained for at least five years.

Why Applications Get Rejected

In July 2025, ESMA reviewed how Malta's regulator handled CASP authorisations and identified gaps in client onboarding at the point of licensing. Those findings were directed at all NCAs across the EU as guidance.

The recurring failure points follow a consistent pattern.

The framework doesn't match the business model

CDD procedures written for a retail exchange look different from those designed for an OTC broker or a custody provider. Regulators read the application as a whole. If the onboarding section describes customer types, products, or transaction patterns inconsistent with the business plan, the inconsistency creates questions before formal Q&A even begins.

No transaction profiles

Identity verification gets documented. Expected transaction behaviour per customer rarely does. Monitoring systems need a baseline to function — without one, there's no basis for distinguishing normal from suspicious. Regulators will ask how the system makes that distinction.

Corporate onboarding isn't built out

A policy statement about UBO verification isn't the same as a working process. How does the firm handle holding companies? What happens with offshore entities or multi-layered structures? Who decides when an incomplete UBO chain is acceptable, and what's the escalation path? Applications that can't answer these operationally tend to generate follow-up queries.

EDD policy exists; EDD process doesn't

A policy describes what should happen. A process describes how it happens, who initiates it, who reviews the additional evidence, and who gives final approval. Regulators want to see the workflow, not the principle.

AMLD treated as background

Because MiCA is the licensing gate, some teams document exhaustively against MiCA and treat AMLD as an afterthought. The result is a framework that looks complete until regulators check the AML layer specifically — and the gaps show up quickly.

Tooling for Transaction Monitoring and KYC

At the transaction volumes a crypto platform handles daily, manual compliance review isn't viable. Automated tooling is what makes AMLD obligations practically achievable without an oversized compliance team.

For businesses building toward CASP authorisation, Allpass.ai combines KYC onboarding and blockchain transaction monitoring in a single platform. That means one place for audit trails, reports, and customer data — rather than separate tools that need to be reconciled.

Transaction and wallet monitoring runs in real time. Each inbound and outbound transaction triggers an automated check and updates the customer's risk score. An entity checker allows verification of crypto exchanges as counterparties. Alerts are configurable across multiple channels.

The platform also supports manual data entry — wallets and transactions can be added without API integration during the setup phase, which is practical when infrastructure is still being built.

If you want to keep operating in the European market, you need a KYC system where you can build out your processes and have something to show to the NCA. Try Allpass.ai for free and see for yourself how easy it is to build your KYC compliance.