EBA ¦ Supervisors should learn from recent Cases to prevent Financial Crime in Crypto Firms

EBA report sharpens focus on crypto AML/CFT risks — what supervisors and market players must do next

The European Banking Authority’s October 2025 report on tackling money‑laundering and terrorist‑financing risks in crypto‑asset services consolidates hard lessons from recent supervisory cases across the EU. MiCA and the strengthened AML/CFT framework already provide a far more consistent EU rulebook than existed before 2024, but the report shows that many practical vulnerabilities persist. Unauthorised operations, forum shopping, misuse of the reverse‑solicitation carve‑out, weak compliance by group structures, opaque ownership and multi‑entity workarounds continue to expose the market and consumers to ML/TF risks — and they can propagate rapidly once a CASP is authorised and passporting begins.

Why this matters

The combination of crypto‑native features (pseudonymous ledgers, rapid cross‑border movement, decentralised finance integrations) and complex corporate structures means that supervisory and intelligence gaps are particularly consequential. Authorised providers who have invested to meet EU standards face an unfair competitive environment when unauthorised or lightly supervised operators circle the market. More importantly, weak controls can create corridors that criminals and sanctioned actors exploit to move, layer and obscure illicit proceeds.

Core findings relevant to practitioners and supervisors

1. Operators continuing to evade authorisation

   Supervisors documented repeated cases of entities offering services in multiple Member States without registration or authorisation, operating from third countries with weak frameworks, or continuing to operate while appealing national sanctions or licence refusals. The MiCA grandfathering mechanism reduces abrupt market disruption but creates a transitional window during which legacy weak actors can continue harmful activity. Supervisors must plan clear exit and client‑safeguarding strategies for firms that fail authorisation, including contingency measures for client migration and asset protection.

2. Forum shopping is still a tool for regulatory arbitrage

   Where national approaches diverged, firms sought registrations in more permissive jurisdictions, withdrew when challenged and relaunched elsewhere. Passporting under MiCA reduces some arbitrage incentives, but divergent supervisory intensity and fragmented national practices during transition allow firms to persist. Strong, consistent decision‑making and timely information exchange are essential to prevent operators from hopping jurisdictions to avoid remediation.

3. Reverse solicitation remains a potential loophole

   Third‑country firms and group affiliates have attempted to rely on reverse solicitation to conduct business in the EU while avoiding authorisation. MiCA narrows this exemption — marketing or solicitations in the EU negate it — but supervisors must be proactive in detecting indirect promotion and structured offerings that mimic client‑initiated relationships.

4. Widespread weaknesses in AML/CFT implementation

   Supervisory reviews repeatedly uncovered: ineffective customer due diligence, inadequate enhanced due diligence for high‑risk clients, poor sanctions screening, weak suspicious activity reporting, incomplete Travel Rule implementation, insufficient staff training, and heavy outsourcing of critical AML functions to non‑EU group entities without robust EU oversight. Examples show that part‑time or transitory AML compliance officers, generic group policies not tailored to EU obligations, and absence of blockchain forensic capability materially increase vulnerability.

5. Opaque ownership, control and multi‑entity workarounds

   Complex shareholder structures, nominee arrangements, undisclosed ultimate beneficial owners and cross‑entity relationships have been used to hide control and continuity of business operations where national licences were refused. Supervisors found cases where entities transferred customers to related entities, acquired stakes below qualifying thresholds, or used local intermediaries to maintain market presence after enforcement actions against parent firms. These arrangements can defeat selective supervisory actions unless examined holistically.

6. Entanglement with higher‑risk partners and off‑shore issuance

   Stablecoins or e‑money tokens issued in compliance with MiCA can still suffer ML/TF contagion when traded or serviced by CASPs with deficient controls, or when identical tokens are issued by non‑EU affiliates (‘one‑leg‑out’ issuance). Where issuers partner with CASPs identified as high risk, the issuer’s own ML/TF exposure rises sharply.

Bastian Schwind-Wagner_Follow "The EBA’s report confirms that MiCA and the strengthened AML/CFT rules close important regulatory gaps but that effective supervision and consistent enforcement are essential to prevent persistent evasion strategies and ML/TF risks in the crypto sector. Immediate priorities are rigorous authorisation gatekeeping, active perimeter monitoring, and reinforced cross‑border cooperation."

Key supervisory priorities the EBA highlights

Treat authorisation as a true gatekeeper

Authorisations must include a thorough review of legacy compliance history, group structures, fitness and propriety checks, sanctions risks and effective remediation. Supervisors should decline or suspend authorisation where material AML/CFT deficiencies persist and insist on verified remediation before market access is granted.

Monitor the perimeter actively

Supervisors need better market surveillance tools — blockchain analytics, regulatory return analysis, customer complaint data, national account registers and targeted audits — to identify unauthorised or misrepresented providers. Public warnings and consumer outreach are useful complementary measures.

Close reverse‑solicitation and forum‑shopping gaps

National authorities must enforce the strict interpretation of reverse solicitation in MiCA, scrutinise marketing and pre‑contractual conduct, and share timely intelligence across Member States to prevent re‑establishment under different brands or entities.

Strengthen group‑level oversight and contractual clarity on outsourcing

Where critical AML/CFT functions are carried out outside the EU or by group entities, supervisors must require clear contractual responsibilities, demonstrable local oversight, onshore capacity for key compliance tasks, and proof that outsourced processes meet EU standards.

Improve beneficial‑ownership transparency and fitness assessments

Accurate, centralised beneficial‑ownership registers (AMLD6) and robust fitness and propriety frameworks are indispensable. Supervisors should reassess suitability when adverse information emerges, including ongoing criminal proceedings or enforcement actions in other jurisdictions, and should look beyond formal ownership thresholds to detect informal influence.

Focus on linked entities and multi‑entity structures

Supervisors should analyse associations across legal entities (shared directors, common shareholders, shared service arrangements, transactional links) and consider coordinated action where risk concentrations or control corridors exist. For complex groups, cross‑border supervisory cooperation is essential.

Build supervisory capacity and tools

Supervisors should invest in training, blockchain forensic capabilities, SupTech for transaction monitoring, and structured public–private dialogue with analytics providers and industry. Co‑developed red flags and typologies improve early detection of emerging ML/TF schemes.

Improve cross‑border cooperation and make the Central Contact Point effective

MiCA and AMLD6 strengthen cooperation mechanisms, but the value depends on responsiveness and resource allocation. Member States must ensure Central Contact Points have adequate authority, expertise and funding. Timely intelligence sharing between home and host supervisors, FIUs and prudential authorities is crucial to contain cross‑border spillovers.

Implications for CASPs, issuers and compliance leaders

Compliance leaders must treat EU authorisation standards as the baseline, not an aspiration. That means implementing EU‑tailored AML/CFT programmes, ensuring the AML compliance officer role is resourced and stable, embedding blockchain analytics and sanctions screening into transaction monitoring, and enforcing strict controls around onboarding of business partners and cross‑group service arrangements. Firms should assume supervisors will examine linked entities and past governance failures; proactive remediation, full transparency on ownership and control, and early engagement with authorities will materially improve authorisation prospects.

Conclusion: stronger rules require stronger implementation

The EBA report underscores that legislative progress — MiCA and the AML/CFT enhancements — is necessary but not sufficient. The highest risk is weaknesses in real‑world implementation: incomplete remediation of legacy failings, fragmented supervisory approaches, and deliberate organisational workarounds. Convergence in supervisory practice, better information sharing, sustained investment in supervisory skills and technology, and rigorous gatekeeping at authorisation will determine whether the new EU framework delivers on its promise to reduce ML/TF risks in the crypto sector. The message for market participants is clear: robust and demonstrable AML/CFT controls are now a prerequisite for operating across Europe, and superficial fixes will not withstand scrutiny.

Dive deeper

• EBA ¦ Supervisors should learn from recent cases to prevent financial crime in crypto firms, the EBA says ¦ Link