MiCA 2026: Crypto KYC and Identity Rules
MiCA regulation and the Travel Rule: crypto service provider KYC obligations, identity verification thresholds, and the July 2026 compliance deadline.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokOn July 1, 2026, the transition period for existing crypto-asset service providers under the Markets in Crypto-Assets Regulation ends. CASPs that have been operating under national registrations -- including France's PSAN regime -- must hold a full MiCA authorization by that date or cease operations. Combined with the Transfer of Funds Regulation (the "Travel Rule"), this creates the most demanding identity verification framework the crypto industry has ever faced. If your platform onboards users, processes transfers, or custodies assets in the EU, the compliance clock is running -- alongside other major 2026 deadlines such as France's mandatory electronic invoicing reform.
MiCA: The EU's Harmonized Crypto Framework
What MiCA Covers
Regulation (EU) 2023/1114, the Markets in Crypto-Assets Regulation, establishes a single regulatory framework for crypto-assets across all 27 EU member states. Before MiCA, each country applied its own rules -- France had the PSAN registration with the AMF, Germany had its BaFin licensing regime, and many member states had no crypto-specific regulation at all. That patchwork is over.
MiCA covers three categories of crypto-assets:
| Category | Definition | Supervisory Authority |
|---|---|---|
| Asset-referenced tokens (ARTs) | Tokens stabilized by reference to multiple assets, commodities, or currencies | National competent authority; EBA for significant ARTs |
| E-money tokens (EMTs) | Tokens stabilized by reference to a single official currency | ACPR (France) or equivalent national authority; EBA for significant EMTs |
| Other crypto-assets | All crypto-assets not classified as ARTs or EMTs, including utility tokens | AMF (France) or equivalent national competent authority |
The regulation also defines and licenses crypto-asset service providers (CASPs) -- any entity that provides custody, exchange, transfer, brokerage, advisory, or portfolio management services for crypto-assets. CASPs must obtain authorization under MiCA to operate anywhere in the EU, and that authorization acts as a passport across all member states.
The Critical Timeline
MiCA's application has been staggered. The provisions for stablecoins (ARTs and EMTs) have applied since June 30, 2024. The full CASP licensing regime has applied since December 30, 2024. But the transition provision in Article 143 gives existing CASPs -- those operating under national law before December 30, 2024 -- a grace period of up to 18 months, depending on the member state.
| Date | Milestone | Impact |
|---|---|---|
| June 30, 2024 | ART and EMT provisions apply | Stablecoin issuers must comply or cease issuance |
| December 30, 2024 | Full MiCA application for CASPs | New CASPs must obtain MiCA authorization before operating |
| July 1, 2026 | Transition period ends (maximum) | Existing CASPs under national regimes must hold MiCA authorization |
| December 30, 2025 | Simplified authorization window closes | CASPs with existing national licenses may apply under simplified procedure until this date |
France has adopted the maximum 18-month transition period. CASPs registered as PSANs (Prestataires de Services sur Actifs Numeriques) with the AMF can continue operating until July 1, 2026, provided they submitted their MiCA authorization application before the simplified procedure deadline. After July 1, 2026, a PSAN registration alone is no longer valid.
KYC Obligations Under MiCA
MiCA imposes explicit customer due diligence requirements on CASPs that go well beyond what most national crypto regimes previously required. These obligations apply at account opening, during the business relationship, and at transaction level.
Account Opening and Customer Onboarding
Every CASP must verify the identity of its clients before establishing a business relationship. Article 68 of MiCA requires CASPs to comply with the AML/CFT obligations set out in the Anti-Money Laundering Regulation (EU) 2024/1624. In practice, this means:
- Full name verification against a government-issued identity document (passport, national ID card, residence permit). As the eIDAS 2.0 EU Digital Identity Wallet rolls out across member states, cryptographic credential verification will progressively complement -- and for some use cases replace -- traditional document-based identity checks.
- Date of birth and nationality collection and cross-referencing.
- Residential address verification through a utility bill, bank statement, or official correspondence.
- Unique identification number extraction from the identity document (national ID number, passport number).
- Sanctions and PEP screening against EU consolidated sanctions lists, national watchlists, and politically exposed persons databases.
- Source of funds assessment for relationships presenting elevated risk indicators.
For corporate clients (legal entities using the platform), the obligations extend to full KYB verification: company registration documents, articles of incorporation, proof of registered address, identification of directors and ultimate beneficial owners, and verification of the corporate structure.
Ongoing Monitoring
KYC is not a one-time check at onboarding. MiCA and the AMLR require continuous monitoring throughout the business relationship:
- Transaction pattern analysis to detect behavior inconsistent with the client's declared profile.
- Periodic review of client information, with frequency determined by the client's risk classification.
- Trigger-based reviews when unusual activity is detected (sudden volume spikes, transfers to high-risk jurisdictions, structuring patterns).
- Sanctions list rescreening whenever lists are updated -- at minimum daily for EU and OFAC lists.
CASPs that fail to maintain effective ongoing monitoring face the same penalties as those that fail at onboarding: fines of up to EUR 5 million for individuals or up to 12.5% of annual turnover for legal entities under MiCA's own penalty framework, in addition to the AMLD6 penalties that apply to all obliged entities.
The Travel Rule: Identity Data for Every Transfer
What the Travel Rule Requires
The Transfer of Funds Regulation -- Regulation (EU) 2023/1113, adopted alongside MiCA -- extends the existing wire transfer rules to crypto-asset transfers. Often called the "Travel Rule" (borrowing the term from the FATF framework), it requires that identity information "travels" with every crypto transaction, just as it does with traditional bank transfers.
For every crypto-asset transfer, the originator's CASP must collect and transmit:
| Data Element | Originator | Beneficiary |
|---|---|---|
| Full name | Required | Required |
| Account number / wallet address | Required | Required |
| Address, national ID number, or date of birth | Required | Required |
| LEI or BIC (if legal entity) | Required where available | Required where available |
This data must be transmitted to the beneficiary's CASP before or simultaneously with the transfer. The beneficiary CASP must verify the information received and reject transfers with incomplete or inconsistent originator data.
The EUR 1,000 Threshold and Wallet Verification
The Travel Rule applies to all crypto-asset transfers regardless of amount -- there is no de minimis exemption. However, transfers exceeding EUR 1,000 trigger an additional requirement: wallet ownership verification.
When a client sends or receives crypto-assets from an unhosted (self-custodied) wallet and the transfer exceeds EUR 1,000, the CASP must verify that the wallet belongs to the declared party. In practice, this is performed through:
- Cryptographic message signing: the client signs a message with the private key of the wallet, proving ownership.
- Micro-transfer verification: the client sends a small, pre-agreed amount from the wallet to demonstrate control.
- Technical attestation: the CASP may use a protocol-level solution (e.g., verifiable credential or on-chain attestation) to confirm wallet-address binding.
For transfers below EUR 1,000 to or from unhosted wallets, the CASP must still collect originator and beneficiary data but is not required to verify wallet ownership. However, if the CASP suspects money laundering or terrorist financing, full verification is required regardless of the transfer amount.
Impact on CASP Operations
The Travel Rule creates a data exchange obligation between CASPs that did not exist before in the crypto industry. Unlike traditional banking, where SWIFT messages carry standardized originator/beneficiary data, the crypto sector lacks a universal messaging standard. Several industry solutions have emerged -- including TRISA, OpenVASP, and Notabene -- but interoperability remains a challenge.
CASPs must implement systems capable of collecting originator data, transmitting it securely to the counterparty CASP, receiving and validating incoming data, screening all parties against sanctions lists in real time, rejecting transfers with incomplete data or sanctions matches, and retaining all transfer records for at least five years.
CASPs in France: The PSAN to MiCA Transition
AMF and ACPR: Dual Supervision
In France, crypto-asset supervision is split between two regulators:
| Regulator | Scope Under MiCA | Key Responsibilities |
|---|---|---|
| AMF (Autorite des marches financiers) | Crypto-assets excluding EMTs; CASP authorization and supervision | Licensing, conduct rules, market abuse surveillance, whitepaper approval |
| ACPR (Autorite de controle prudentiel et de resolution) | E-money tokens; AML/CFT supervision of all CASPs | Prudential oversight of EMT issuers, anti-money laundering controls, ongoing compliance inspections |
This dual-supervision model means that a French CASP must satisfy both the AMF (for its license and conduct obligations) and the ACPR (for its AML/CFT compliance, including all KYC requirements). The ACPR has historically been rigorous in its AML inspections of PSANs, and this rigor will only intensify under MiCA.
What Changes for Existing PSANs
PSANs currently registered with the AMF must transition to full MiCA authorization -- a comprehensive application covering governance, prudential requirements, business continuity, and AML/CFT procedures. A simplified procedure was available until December 30, 2025 for CASPs with existing national licenses, allowing the AMF to consider prior documentation while still verifying MiCA compliance.
CASPs that fail to obtain MiCA authorization by July 1, 2026 must wind down their activities. There is no second grace period.
Documentary Requirements: What CASPs Must Collect and Retain
The combined effect of MiCA, the Travel Rule, and the AMLR creates a substantial documentary burden across client onboarding and transaction monitoring.
Client Onboarding Documents
| Document Type | Natural Persons | Legal Entities |
|---|---|---|
| Identity document | Passport, national ID, or residence permit | N/A |
| Proof of address | Utility bill, bank statement (< 3 months) | Registered office proof |
| Company registration | N/A | Extract from commercial register (< 3 months) |
| Articles of incorporation | N/A | Current certified copy |
| UBO declaration | N/A | Identification of all UBOs above 25% |
| Director identification | N/A | ID documents for all directors |
| Source of funds | Supporting evidence for high-risk profiles | Financial statements, funding documentation |
Transaction Records and Retention
For every crypto-asset transfer, CASPs must retain originator and beneficiary identity data, transaction amount and crypto-asset type, blockchain transaction hash, wallet addresses, wallet ownership verification results (transfers > EUR 1,000), sanctions screening results, and alert resolution records. All records must be retained for a minimum of five years after the end of the business relationship or the transaction date, whichever is later.
How Automation Addresses MiCA Compliance
The documentary obligations under MiCA make manual verification unsustainable for any CASP operating at scale. Every new user requires identity document verification, address proof validation, sanctions screening, and risk classification before executing a single transaction. Every transfer above EUR 1,000 to an unhosted wallet requires wallet ownership verification.
Document Verification at Onboarding
Automated document validation processes identity documents in seconds: extracting data fields (name, date of birth, document number, expiration date), verifying document authenticity (MRZ validation, security feature detection, tamper analysis), and cross-referencing extracted data against declared information. For CASPs processing thousands of onboarding applications per month, this is the difference between a 48-hour manual review queue and a real-time onboarding flow.
KYB for Corporate Clients
Corporate onboarding under MiCA requires verification of company registration, articles of incorporation, UBO identification, and director verification. Automated KYB workflows extract and cross-reference data across these documents, flagging inconsistencies (mismatched director names, expired registrations, UBO thresholds exceeded) before a compliance officer reviews the file.
Audit Trail Generation
Every verification step -- document received, checks applied, results obtained, decision taken -- generates a timestamped audit trail. When the ACPR requests evidence of your AML/CFT controls during an inspection, automated systems produce complete, machine-readable audit logs. Manual processes produce spreadsheets, email threads, and reconstructed timelines that rarely satisfy inspectors.
Sanctions Screening Integration
Automated systems screen every client and counterparty against sanctions lists in real time. When lists are updated, rescreening triggers automatically -- meeting both MiCA's ongoing monitoring requirement and the DORA requirement for systematic, auditable controls.
FAQ
What is MiCA and when does it fully apply?
MiCA (Markets in Crypto-Assets Regulation, EU 2023/1114) is the EU's harmonized regulatory framework for crypto-assets and crypto-asset service providers. The stablecoin provisions have applied since June 30, 2024. The full CASP licensing regime has applied since December 30, 2024. The transition period for existing CASPs operating under national regimes (such as France's PSAN registration) ends on July 1, 2026. After that date, only CASPs holding a MiCA authorization can legally operate in the EU.
What is the Travel Rule and how does it affect crypto transfers?
The Travel Rule (Transfer of Funds Regulation, EU 2023/1113) requires that identity information -- full name, wallet address, and a unique identifier such as a national ID number -- accompanies every crypto-asset transfer between CASPs. For transfers exceeding EUR 1,000 involving unhosted wallets, the CASP must also verify wallet ownership through cryptographic message signing or equivalent methods. There is no minimum threshold: the data collection obligation applies to all transfers regardless of amount.
What KYC documents must a CASP collect at onboarding?
At minimum, a CASP must collect a government-issued identity document (passport or national ID), proof of residential address dated within the last three months, and a unique identification number. For corporate clients, additional documents include a commercial register extract, articles of incorporation, UBO declaration, and identification of all directors. All documents must be verified for authenticity and cross-referenced against the client's declared information.
How does MiCA interact with AMLD6?
MiCA establishes the licensing and conduct framework for CASPs, while AMLD6 and the Anti-Money Laundering Regulation (AMLR) define the AML/CFT obligations that CASPs must follow as obliged entities. CASPs are explicitly listed as obliged entities under the AMLR, subject to the same customer due diligence, suspicious activity reporting, and record-keeping requirements as banks and other financial institutions. The EUR 1,000 threshold for enhanced verification of crypto transactions is set by the AMLR and operationalized through the Travel Rule. Both frameworks must be satisfied simultaneously.
Prepare Your Platform Before July 2026
The July 1, 2026 deadline is not a soft target. CASPs that fail to obtain MiCA authorization will lose the right to operate in the EU's 450-million-person market. The identity verification obligations -- at onboarding, at transaction level, and through ongoing monitoring -- require systems that can process documents reliably, screen against sanctions lists in real time, and generate the audit trails that regulators demand during inspections.
CheckFile provides automated document validation purpose-built for crypto platform onboarding: identity document verification, corporate KYB checks, data extraction and cross-referencing, and complete audit trail generation. Our platform processes verification files in seconds with every step logged and traceable, meeting the documentary standards that the AMF and ACPR expect from MiCA-authorized CASPs. Explore our pricing to find the plan that fits your transaction volume.
Related reading: For the broader KYC framework driving these obligations, see our KYC 2026 requirements guide. For corporate client onboarding under MiCA, read our KYB business document verification guide. For the operational resilience requirements that apply to your verification systems, see our DORA 2026 guide.