Tackling ML/TF risks in crypto-asset services through supervision

A comprehensive summary of the EBA report as published in October 2025

General overview

The report published by the European Banking Authority (EBA) analyses how crypto-asset service providers (CASPs) have attempted to evade anti-money laundering and counter-terrorist financing (AML/CFT) supervision, and how such practices can be addressed under the Markets in Crypto-Assets Regulation (MiCA) and the EU AML legislative package (AMLR, AMLD6 and AMLAR). The report draws on concrete supervisory cases to identify vulnerabilities and formulate lessons for effective implementation.

The report is structured around two core observations. First, the crypto-asset sector has experienced rapid technological and economic growth, which increases its vulnerability to misuse for money laundering and terrorist financing. Second, prior to the application of MiCA, national supervisory approaches across Member States diverged significantly. This fragmentation enabled firms to exploit regulatory gaps, thereby undermining the integrity of the EU financial system.

MiCA seeks to address these issues by replacing fragmented national entry regimes with a single EU authorisation framework, supported by passporting and coordinated supervision. Together with the AML legislative package, MiCA promotes more consistent AML/CFT requirements across the Union. However, the report stresses that consistent enforcement remains essential.

Regulatory context

The regulatory framework examined in the report consists of MiCA, the Anti-Money Laundering Regulation (AMLR), the Sixth Anti-Money Laundering Directive (AMLD6), and the Anti-Money Laundering Authority Regulation (AMLAR). Under this framework, supervisory responsibilities are divided between ESMA (authorisation and supervision of CASPs), the EBA (issuers of asset-referenced tokens and e-money tokens, and AML/CFT coordination until end-2025), and AMLA, which will assume central AML/CFT supervisory powers from the end of 2025.

MiCA governs who may enter the crypto-asset market and under which conditions. CASPs must meet requirements relating to governance, operational resilience, transparency and consumer protection, and demonstrate adequate systems, qualified management and clear organisational structures.

AMLR introduces directly applicable AML/CFT rules, including customer due diligence, transaction monitoring, sanctions screening and risk management. AMLD6 strengthens supervisory cooperation, clarifies powers of national authorities and improves access to beneficial ownership information. AMLAR establishes AMLA and enables direct supervision of selected high-risk entities and coordination of national supervisors.

Evasion of supervision

The EBA identifies six evasion strategies observed before and immediately after the entry into application of the new regulatory framework in December 2024.

1. Operating without authorization

Entities provided crypto-asset services in Member States without the required registration, licence or authorisation, including from other EU jurisdictions without host permission or from third countries with weaker supervisory frameworks.

Risk: The absence of supervision facilitates illicit financial flows and leaves customers unprotected. It also distorts competition, as authorized firms experience significant compliance costs that unauthorised firms avoid.

Response: Article 143 MiCA provides transitional arrangements until July 2026. After this period, unauthorised entities must exit the EU market. Competent authorities are expected to monitor residual unauthorised activity and enforce cessation.

2. Forum shopping

Prior to MiCA, firms strategically selected jurisdictions perceived as having lighter supervision. When challenged, they withdrew applications and reapplied elsewhere. Some obtained national licences shortly before MiCA entered into application to benefit from longer transitional periods.

Risk: Forum shopping enables regulatory arbitrage, allowing ML/TF risks to spread across the Single Market through cross-border activity. It also increases the likelihood that high-risk entities with weak AML/CFT controls obtain market access and distorts competition by enabling artificially inflated profit margins.

Response: MiCA introduces a single authorisation regime with passporting. Enhanced supervisory cooperation and information-sharing reduce the ability of firms to reapply elsewhere after refusal. The report also highlights a risk that, depending on national law, some firms may continue operating while appealing rejected authorisation decisions.

3. Exploitation of the reverse solicitation exemption

Third-country providers falsely claimed that EU clients initiated contact, while actively marketing services through targeted online strategies.

Risk: This enables unsupervised market entry by high-risk offshore entities and creates blind spots in AML/CFT enforcement.

Response: Supervisors are expected to strictly enforce the narrow interpretation of reverse solicitation in line with ESMA guidelines. Any form of active or indirect marketing voids the exemption and subjects the provider to full authorisation requirements.

4. Weak AML/CFT compliance and risk management

Licensed entities displayed serious deficiencies, including inadequate customer due diligence, outsourcing of AML functions abroad without effective oversight, and unstable or underqualified compliance officers.

Risk: These weaknesses directly facilitate money laundering and undermine supervisory effectiveness.

Response: Robust AML/CFT systems are a precondition for authorisation. Supervisors may withdraw licences for AML/CFT breaches. Clear requirements on outsourcing, governance and staff competence are mandated by EBA and ESMA regulatory technical standards.

5. Opaque beneficial ownership and governance

Complex offshore structures were used to obscure ultimate beneficial owners, with inconsistencies between public records and supervisory filings.

Risk: Opaque structures conceal control, enable shell companies and obscure illicit sources of capital.

Response: AMLD6 mandates centralised beneficial ownership registers. MiCA and AMLR require disclosure of ownership and governance structures at authorisation stage, supported by suitability (fitness and propriety) requirements.

6. Multi-entity arrangements with high-risk partners

Firms used affiliated entities, including payment institutions, e-money institutions or banks, to maintain market access while avoiding scrutiny.

Risk: These arrangements enable banned or unfit entities to re-enter the market, spread poor compliance cultures across groups, and complicate attribution of AML/CFT responsibility.

Response: Supervisors are expected to assess linked entities and group structures during authorisation, apply fit-and-proper checks to cross-border ownership and outsourcing arrangements, and engage in joint supervision where appropriate.

Safeguards and implementation

MiCA introduces key safeguards: a single authorisation and passporting regime; strict limits on reverse solicitation; enhanced enforcement powers; strengthened governance and transparency requirements; and improved cross-border cooperation, including public registers of authorised CASPs.

The report highlights several supervisory priorities to ensure effective implementation, including managing the grandfathering period, planning orderly exits for unauthorised entities to protect client assets, monitoring the regulatory perimeter, resolving AML/CFT issues before authorisation, maintaining dynamic risk awareness, ensuring governance transparency, reassessing fitness and propriety, supervising linked entities, strengthening cross-border cooperation, and requiring central contact points for cross-border firms.

Conclusion

The EBA concludes that while the new regulatory framework significantly strengthens EU defences against ML/TF risks in the crypto-asset sector, effective implementation and supervisory cooperation remain critical. Although the EBA will transfer its standalone AML/CFT powers to AMLA by the end of 2025, it will continue to contribute under its MiCA mandate to promote supervisory convergence and early risk detection.

 

Read more articles here.