Introduction
On 9 October 2025, the European Banking Authority (EBA) published a report on tackling money laundering and terrorist financing risks in crypto asset services through supervision, presented as lessons learned from recent cases which are intended to support effective implementation of Regulation (EU) 2023/1114 (MiCAR) and the updated EU AML framework. The report synthesises supervisory experience before and after the new framework and sets out where competent authorities should focus to prevent past weaknesses from re-emerging under MiCAR and the AML package.
Background
The crypto asset sector is technologically dynamic and expanding quickly, yet it remains exposed to misuse for money laundering and terrorist financing purposes, which led the European Union (EU) in 2018 to bring certain crypto asset activities within the scope of its AML and CFT regime. On 30 December 2024 MiCAR introduced a unified rulebook for issuance, trading and service provision, while the Union’s AML and CFT framework was extended to cover a broader set of crypto asset activities, creating a more comprehensive regulatory and supervisory toolkit for this sector.
Responsibilities under MiCAR are shared between the European Securities and Markets Authority (ESMA) and EBA, with ESMA as the primary authority for the regulation and supervision of crypto asset service providers and the EBA as the main authority for issuers of asset referenced tokens and e-money tokens. AML and CFT powers are expected to transfer to the Anti-Money Laundering Authority (AMLA) from the end of 2025, as it becomes operational. ESMA and the EBA will continue to address financial crime within their MiCAR mandates after 2025.
Key takeaways
What went wrong under the old patchwork?
Supervisors detected recurring strategies used by some firms to avoid or weaken oversight. The report highlights unauthorised activity, forum shopping between Member States, misuse of reverse solicitation, weak AML/CFT controls, opaque ownership and governance, and multi entity set-ups linked to higher risk actors.
A single EU authorisation with passporting and tighter limits on reverse solicitation
MiCAR introduces an EU-wide authorisation that replaces national registrations and licences and brings harmonised prudential, organisational, governance and AML/CFT standards. Passporting applies once authorised. During the transition until 1 July 2026, grandfathered firms can operate only in their home Member State and cannot passport. MiCAR also restricts reverse solicitation and allows competent authorities to act where that exemption is abused.
Supervisors are expected to manage exits and monitor the perimeter
As grandfathering winds down, authorities are told to plan controlled exits for firms that do not obtain MiCAR authorisation, to coordinate between home and host supervisors (including the EBA, ESMA and AMLA, where relevant), and to monitor the market with data, analytics and consumer warnings in order to detect unauthorised activities early.
AML/CFT obligations must keep pace with innovation
Under the new framework entities must assess their exposure and maintain policies, controls and procedures that are commensurate with risk. The report stresses evolving exposures including DeFi links, crypto ATMs and crypto payment cards and encourages ongoing risk identification and the use of supervisory technology (SupTech) and data aggregation tools, as well as structured public-private dialogue to keep controls up to date.
Transparency, governance and beneficial ownership will be tested more rigorously
The framework raises the bar on suitability, ownership clarity and governance. It calls for the reassessment of fitness and propriety where adverse information emerges, including where criminal proceedings are ongoing, and it expects supervisors to look through complex or indirect control structures and to monitor linked entities closely.
Cooperation and transparency are central to convergence
The report calls for timely information sharing across competent authorities and the use of practical tools such as ESMA’s public register of authorised Crypto Asset Service Providers (CASP(s)) and, where required by host states, central contact points, where required by host Member States, for cross border activity. It also notes that uneven application and limited resources still create frictions that authorities need to address.
What is next?
Until 1 July 2026 supervisors will prioritise MiCAR authorisations, act on misuse of reverse solicitation, monitor the perimeter and plan exits where authorisation is not obtained. The EBA will transfer its standalone AML and CFT tasks to AMLA by the end of 2025 yet it remains involved through its MiCAR mandate, with cooperation supported by ESMA’s public register and, where required by host states, central contact points and by features introduced under AMLD6 such as group wide supervision and AML and CFT colleges. The message is clear. Effective gatekeeping at authorisation and consistent supervision are needed from the outset of MiCAR implementation.
Feel free to get in touch with our Investment Management team should you wish to receive more information or if you are interested in establishing a crypto fund.
Key competencies
arrow_forward Private equity – Fund structuring
arrow_forward Venture capital funds
arrow_forward Real estate – Fund structuring
arrow_forward Hedge funds
arrow_forward Crypto funds
arrow_forward Private debt funds
arrow_forward Infrastructure funds
arrow_forward Sustainable finance and ESG funds
arrow_forward Regulatory and compliance
arrow_forward Restructuring and insolvency
arrow_forward Investment fund litigation
Related news
Related posts:
- CSSF updates its FAQ for investments in virtual assets: Impact on AIFs
- Security tokens now admitted on Luxembourg exchange’s Securities Official List
- CSSF publishes white paper on risks and opportunities of blockchain and DLT
- Crypto funds – CSSF clarifies that Luxembourg AIFs can invest in virtual assets
