**CySEC Issues Warning to Financial Firms on Money Laundering Risks Post-MiCA Transition**
The Cyprus Securities and Exchange Commission (CySEC) has issued a critical warning to regulated financial firms regarding the need to enhance their anti-money laundering (AML) controls in light of the impending end of the European Union’s transition period under the Markets in Crypto-Assets Regulation (MiCA), set for July 1, 2026. This advisory follows the publication of new guidance by the EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), which highlights the potential risks of money laundering and terrorist financing as the crypto-asset market adapts to the new regulatory landscape.
In a circular released this week, CySEC emphasized that firms wishing to continue providing crypto-asset services within the EU must obtain authorization as MiCA-compliant Crypto-Asset Service Providers (CASPs) following the transition period. The regulator anticipates that this change will lead to substantial structural transformations within the EU crypto-asset sector, particularly as unauthorized virtual asset service providers exit the market. This transition may result in customers either closing their accounts or migrating to authorized providers.
AMLA has cautioned that the significant changes expected in the market could elevate money laundering and terrorist financing risks if firms do not implement adequate safeguards during this transition. CySEC has advised that authorized firms should adopt a risk-based approach when onboarding customers from unauthorized providers, rather than automatically rejecting them. Instead of applying blanket de-risking measures, firms are encouraged to conduct individual risk assessments and implement customer due diligence measures that are proportionate to the risk level presented by each client.
The circular also addresses the risks faced by firms that are exiting the market. CySEC noted that unauthorized providers may exhibit weakened AML and counter-terrorist financing controls during their wind-down processes, particularly if previous compliance deficiencies have been identified. To mitigate these risks, the regulator has recommended that firms develop robust and well-documented wind-down plans, as required by national legislation. Additionally, firms should maintain adequate governance structures, sufficient resources, and enhanced monitoring until all regulated activities have officially ceased.
CySEC highlighted that rapid market exits could diminish transparency regarding customer relationships and the movement of crypto assets, potentially creating opportunities for illicit funds to be concealed or transferred quickly, including for sanctions evasion. Firms are reminded to comply with all AML obligations throughout the wind-down process, which includes keeping customer due diligence information current and reporting any suspicious transactions or activities as necessary.
For authorized crypto-asset service providers, CySEC indicated that the transition could significantly alter their risk exposure as new customers migrate from firms that are no longer authorized to operate. The regulator warned that these shifts could change business models and customer portfolios, potentially concentrating higher-risk customers among authorized providers. To address these challenges, CySEC urged firms to ensure that their transaction monitoring systems are equipped to manage increased volumes of crypto-asset transfers.
Moreover, firms must ensure they have adequate staffing and system capacity to handle the increased workloads resulting from customer migration. The regulator stressed that a sudden influx of customers could place undue pressure on transaction monitoring systems and compliance functions, necessitating strengthened customer onboarding procedures and better integration of customer risk information.
CySEC reiterated that customer due diligence should remain a central component of the onboarding process, with enhanced due diligence applied when higher risks are identified. It is crucial that customers transferring from unauthorized virtual asset service providers are not automatically classified as high risk solely due to their previous provider; instead, they should be assessed on an individual basis using a risk-based approach.
Furthermore, CySEC reminded supervised entities of their ongoing responsibility to comply with AML and counter-terrorist financing obligations both during the transition period and after any customer migration or business wind-down has been completed. The regulator also referenced a report from the Financial Action Task Force (FATF) regarding the risks associated with offshore and unauthorized virtual asset service providers. Firms are expected to identify and assess the money laundering and terrorist financing risks linked to relationships, transactions, or business activities involving unauthorized providers and to implement appropriate mitigation measures.
In conclusion, CySEC has urged regulated entities to fully recognize the risks associated with the conclusion of the MiCA transition period and to bolster their risk-based controls in accordance with Cyprus’ Prevention and Suppression of Money Laundering Activities Law. The proactive measures outlined in the circular aim to safeguard the integrity of the financial system as the crypto-asset market undergoes significant regulatory changes.