MiCA 2026: Crypto KYC and Identity Rules
MiCA CASP license requirements for 2026: KYC obligations, Travel Rule thresholds, Portugal CMVM/Banco de Portugal authorization process
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokOn July 1, 2026, the transition period for existing crypto-asset service providers under the Markets in Crypto-Assets Regulation ends. CASPs that have been operating under national registrations -- including France's PSAN regime -- must hold a full MiCA authorization by that date or cease operations. Combined with the Transfer of Funds Regulation (the "Travel Rule"), this creates the most demanding identity verification framework the crypto industry has ever faced. If your platform onboards users, processes transfers, or custodies assets in the EU, the compliance clock is running -- alongside other major 2026 deadlines such as France's mandatory electronic invoicing reform.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.
MiCA: The EU's Harmonized Crypto Framework
MiCA (Regulation 2023/1114) requires all crypto-asset service providers (CASPs) operating in the EU to hold a full authorization by July 1, 2026, with mandatory KYC identity verification at onboarding, the Travel Rule (Regulation 2023/1113) applying to every transfer regardless of amount, and wallet ownership verification for transactions exceeding EUR 1,000. CASPs that fail to obtain authorization must cease operations — there is no second grace period.
What MiCA Covers
Regulation (EU) 2023/1114, the Markets in Crypto-Assets Regulation, establishes a single regulatory framework for crypto-assets across all 27 EU member states. Before MiCA, each country applied its own rules -- France had the PSAN registration with the AMF, Germany had its BaFin licensing regime, and many member states had no crypto-specific regulation at all. That patchwork is over.
MiCA covers three categories of crypto-assets:
| Category | Definition | Supervisory Authority |
|---|---|---|
| Asset-referenced tokens (ARTs) | Tokens stabilized by reference to multiple assets, commodities, or currencies | National competent authority; EBA for significant ARTs |
| E-money tokens (EMTs) | Tokens stabilized by reference to a single official currency | ACPR (France) or equivalent national authority; EBA for significant EMTs |
| Other crypto-assets | All crypto-assets not classified as ARTs or EMTs, including utility tokens | AMF (France) or equivalent national competent authority |
The regulation also defines and licenses crypto-asset service providers (CASPs) -- any entity that provides custody, exchange, transfer, brokerage, advisory, or portfolio management services for crypto-assets. CASPs must obtain authorization under MiCA to operate anywhere in the EU, and that authorization acts as a passport across all member states.
The Critical Timeline
MiCA's application has been staggered. The provisions for stablecoins (ARTs and EMTs) have applied since June 30, 2024. The full CASP licensing regime has applied since December 30, 2024. But the transition provision in Article 143 gives existing CASPs -- those operating under national law before December 30, 2024 -- a grace period of up to 18 months, depending on the member state.
| Date | Milestone | Impact |
|---|---|---|
| June 30, 2024 | ART and EMT provisions apply | Stablecoin issuers must comply or cease issuance |
| December 30, 2024 | Full MiCA application for CASPs | New CASPs must obtain MiCA authorization before operating |
| July 1, 2026 | Transition period ends (maximum) | Existing CASPs under national regimes must hold MiCA authorization |
| December 30, 2025 | Simplified authorization window closes | CASPs with existing national licenses may apply under simplified procedure until this date |
France has adopted the maximum 18-month transition period. CASPs registered as PSANs (Prestataires de Services sur Actifs Numeriques) with the AMF can continue operating until July 1, 2026, provided they submitted their MiCA authorization application before the simplified procedure deadline. After July 1, 2026, a PSAN registration alone is no longer valid.
KYC Obligations Under MiCA
MiCA imposes explicit customer due diligence requirements on CASPs that go well beyond what most national crypto regimes previously required. These obligations apply at account opening, during the business relationship, and at transaction level.
Account Opening and Customer Onboarding
Every CASP must verify the identity of its clients before establishing a business relationship. Article 68 of MiCA requires CASPs to comply with the AML/CFT obligations set out in the Anti-Money Laundering Regulation (EU) 2024/1624. In practice, this means:
- Full name verification against a government-issued identity document (passport, national ID card, residence permit). As the eIDAS 2.0 EU Digital Identity Wallet rolls out across member states, cryptographic credential verification will progressively complement -- and for some use cases replace -- traditional document-based identity checks.
- Date of birth and nationality collection and cross-referencing.
- Residential address verification through a utility bill, bank statement, or official correspondence.
- Unique identification number extraction from the identity document (national ID number, passport number).
- Sanctions and PEP screening against EU consolidated sanctions lists, national watchlists, and politically exposed persons databases.
- Source of funds assessment for relationships presenting elevated risk indicators.
For corporate clients (legal entities using the platform), the obligations extend to full KYB verification: company registration documents, articles of incorporation, proof of registered address, identification of directors and ultimate beneficial owners, and verification of the corporate structure.
Ongoing Monitoring
KYC is not a one-time check at onboarding. MiCA and the AMLR require continuous monitoring throughout the business relationship:
- Transaction pattern analysis to detect behavior inconsistent with the client's declared profile.
- Periodic review of client information, with frequency determined by the client's risk classification.
- Trigger-based reviews when unusual activity is detected (sudden volume spikes, transfers to high-risk jurisdictions, structuring patterns).
- Sanctions list rescreening whenever lists are updated -- at minimum daily for EU and OFAC lists.
CASPs that fail to maintain effective ongoing monitoring face the same penalties as those that fail at onboarding: fines of up to EUR 5 million for individuals or up to 12.5% of annual turnover for legal entities under MiCA's own penalty framework, in addition to the AMLD6 penalties that apply to all obliged entities.
The Travel Rule: Identity Data for Every Transfer
What the Travel Rule Requires
The Transfer of Funds Regulation -- Regulation (EU) 2023/1113, adopted alongside MiCA -- extends the existing wire transfer rules to crypto-asset transfers. Often called the "Travel Rule" (borrowing the term from the FATF framework), it requires that identity information "travels" with every crypto transaction, just as it does with traditional bank transfers.
For every crypto-asset transfer, the originator's CASP must collect and transmit:
| Data Element | Originator | Beneficiary |
|---|---|---|
| Full name | Required | Required |
| Account number / wallet address | Required | Required |
| Address, national ID number, or date of birth | Required | Required |
| LEI or BIC (if legal entity) | Required where available | Required where available |
This data must be transmitted to the beneficiary's CASP before or simultaneously with the transfer. The beneficiary CASP must verify the information received and reject transfers with incomplete or inconsistent originator data.
The EUR 1,000 Threshold and Wallet Verification
Self-custody wallets become compliant under MiCA through wallet ownership verification: for any transfer exceeding EUR 1,000 to or from an unhosted wallet, the CASP must verify that the wallet belongs to the declared party using cryptographic message signing, micro-transfer verification, or on-chain attestation (Article 14, Regulation 2023/1113). This requirement applies regardless of whether the wallet holder is the CASP's own client or a third party, and non-compliance exposes the CASP to fines of up to EUR 5 million or 12.5% of annual turnover.
The Travel Rule applies to all crypto-asset transfers regardless of amount -- there is no de minimis exemption. However, transfers exceeding EUR 1,000 trigger an additional requirement: wallet ownership verification.
When a client sends or receives crypto-assets from an unhosted (self-custodied) wallet and the transfer exceeds EUR 1,000, the CASP must verify that the wallet belongs to the declared party. In practice, this is performed through:
- Cryptographic message signing: the client signs a message with the private key of the wallet, proving ownership.
- Micro-transfer verification: the client sends a small, pre-agreed amount from the wallet to demonstrate control.
- Technical attestation: the CASP may use a protocol-level solution (e.g., verifiable credential or on-chain attestation) to confirm wallet-address binding.
For transfers below EUR 1,000 to or from unhosted wallets, the CASP must still collect originator and beneficiary data but is not required to verify wallet ownership. However, if the CASP suspects money laundering or terrorist financing, full verification is required regardless of the transfer amount.
Impact on CASP Operations
The Travel Rule creates a data exchange obligation between CASPs that did not exist before in the crypto industry. Unlike traditional banking, where SWIFT messages carry standardized originator/beneficiary data, the crypto sector lacks a universal messaging standard. Several industry solutions have emerged -- including TRISA, OpenVASP, and Notabene -- but interoperability remains a challenge.
CASPs must implement systems capable of collecting originator data, transmitting it securely to the counterparty CASP, receiving and validating incoming data, screening all parties against sanctions lists in real time, rejecting transfers with incomplete data or sanctions matches, and retaining all transfer records for at least five years.
Explore further
Discover our practical guides and resources to master document compliance.
Explore our guidesCASPs in France: The PSAN to MiCA Transition
AMF and ACPR: Dual Supervision
In France, crypto-asset supervision is split between two regulators:
| Regulator | Scope Under MiCA | Key Responsibilities |
|---|---|---|
| AMF (Autorite des marches financiers) | Crypto-assets excluding EMTs; CASP authorization and supervision | Licensing, conduct rules, market abuse surveillance, whitepaper approval |
| ACPR (Autorite de controle prudentiel et de resolution) | E-money tokens; AML/CFT supervision of all CASPs | Prudential oversight of EMT issuers, anti-money laundering controls, ongoing compliance inspections |
This dual-supervision model means that a French CASP must satisfy both the AMF (for its license and conduct obligations) and the ACPR (for its AML/CFT compliance, including all KYC requirements). The ACPR has historically been rigorous in its AML inspections of PSANs, and this rigor will only intensify under MiCA.
What Changes for Existing PSANs
PSANs currently registered with the AMF must transition to full MiCA authorization -- a comprehensive application covering governance, prudential requirements, business continuity, and AML/CFT procedures. A simplified procedure was available until December 30, 2025 for CASPs with existing national licenses, allowing the AMF to consider prior documentation while still verifying MiCA compliance.
CASPs that fail to obtain MiCA authorization by July 1, 2026 must wind down their activities. There is no second grace period.
UK crypto regulation: the FCA framework
The United Kingdom operates a separate crypto-asset registration regime administered by the FCA. Since January 2020, crypto-asset businesses operating in the UK must register with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. The FCA applies the same CDD and ongoing monitoring obligations that apply to other regulated financial services firms, and UK-registered crypto firms must comply with the Proceeds of Crime Act 2002 for suspicious activity reporting to the NCA. HM Treasury's forthcoming crypto-asset regulatory framework -- expected to build on the Financial Services and Markets Act 2023 -- will introduce a comprehensive UK licensing regime analogous to MiCA, with the FCA and PRA sharing supervisory responsibilities. UK-based CASPs serving EU clients will need to hold both FCA registration and MiCA authorisation.
Portugal: CMVM and Banco de Portugal as joint NCAs
Portugal applies a dual-authority model under MiCA. The Comissão do Mercado de Valores Mobiliários (CMVM) supervises CASPs providing exchange, brokerage, advisory, and portfolio management services. The Banco de Portugal handles AML/CFT supervision for all CASPs and oversees payment-related crypto services.
CASPs seeking a MiCA authorization in Portugal must meet the following requirements:
| Requirement | Detail |
|---|---|
| Minimum capital | €50,000 for custody and administration; up to €150,000 for exchange and brokerage services |
| EU-based management | At least one director resident in Portugal or the EU with genuine decision-making authority — no letter-box structures |
| AML/CFT programme | Full KYC/CDD procedures, transaction monitoring, Travel Rule compliance, SAR reporting to DCIAP (Portugal's Financial Intelligence Unit) |
| DORA alignment | ICT risk management framework aligned with Regulation (EU) 2022/2554 |
| Record keeping | Five-year retention for all client onboarding data and transaction records |
The authorization process in Portugal typically takes six to twelve months, including document review, Q&A rounds with the CMVM or Banco de Portugal, and potential board interviews. CASPs using Portugal as their EU passporting jurisdiction benefit from authorization valid across all 27 EU member states — a single CMVM/Banco de Portugal license covers France, Germany, Spain, and every other EU country without re-registration. As of March 2026, both authorities are processing a backlog of MiCA applications; CASPs should build the full twelve-month timeline into their compliance planning.
CheckFile's platform has processed over 92,000 enhanced KYC verifications for crypto clients, flagging 11.3% as high-risk — more than double the 5.1% rate observed in traditional banking KYC (CheckFile platform data, March 2026). The CheckFile Document Risk Index rates the crypto sector at 8.1/10, the highest of any sector tracked, reflecting the combination of cross-border operations, pseudonymous asset transfers, and the rapid pace of regulatory change under MiCA and the AMLR.
Documentary Requirements: What CASPs Must Collect and Retain
The combined effect of MiCA, the Travel Rule, and the AMLR creates a substantial documentary burden across client onboarding and transaction monitoring.
Client Onboarding Documents
| Document Type | Natural Persons | Legal Entities |
|---|---|---|
| Identity document | Passport, national ID, or residence permit | N/A |
| Proof of address | Utility bill, bank statement (< 3 months) | Registered office proof |
| Company registration | N/A | Extract from commercial register (< 3 months) |
| Articles of incorporation | N/A | Current certified copy |
| UBO declaration | N/A | Identification of all UBOs above 25% |
| Director identification | N/A | ID documents for all directors |
| Source of funds | Supporting evidence for high-risk profiles | Financial statements, funding documentation |
Transaction Records and Retention
For every crypto-asset transfer, CASPs must retain originator and beneficiary identity data, transaction amount and crypto-asset type, blockchain transaction hash, wallet addresses, wallet ownership verification results (transfers > EUR 1,000), sanctions screening results, and alert resolution records. All records must be retained for a minimum of five years after the end of the business relationship or the transaction date, whichever is later.
How Automation Addresses MiCA Compliance
The documentary obligations under MiCA make manual verification unsustainable for any CASP operating at scale. Every new user requires identity document verification, address proof validation, sanctions screening, and risk classification before executing a single transaction. Every transfer above EUR 1,000 to an unhosted wallet requires wallet ownership verification.
Document Verification at Onboarding
Automated document validation processes identity documents in seconds: extracting data fields (name, date of birth, document number, expiration date), verifying document authenticity (MRZ validation, security feature detection, tamper analysis), and cross-referencing extracted data against declared information. For CASPs processing thousands of onboarding applications per month, this is the difference between a 48-hour manual review queue and a real-time onboarding flow.
KYB for Corporate Clients
Corporate onboarding under MiCA requires verification of company registration, articles of incorporation, UBO identification, and director verification. Automated KYB workflows extract and cross-reference data across these documents, flagging inconsistencies (mismatched director names, expired registrations, UBO thresholds exceeded) before a compliance officer reviews the file.
Audit Trail Generation
Every verification step -- document received, checks applied, results obtained, decision taken -- generates a timestamped audit trail. When the ACPR requests evidence of your AML/CFT controls during an inspection, automated systems produce complete, machine-readable audit logs. Manual processes produce spreadsheets, email threads, and reconstructed timelines that rarely satisfy inspectors.
Sanctions Screening Integration
Automated systems screen every client and counterparty against sanctions lists in real time. When lists are updated, rescreening triggers automatically -- meeting both MiCA's ongoing monitoring requirement and the DORA requirement for systematic, auditable controls.
For a comprehensive overview, see our document compliance complete guide.
Go further
To dive deeper into this topic, explore our complete guide on document verification.
FAQ
What is MiCA and when does it fully apply?
MiCA (Markets in Crypto-Assets Regulation, EU 2023/1114) is the EU's harmonized regulatory framework for crypto-assets and crypto-asset service providers. The stablecoin provisions have applied since June 30, 2024. The full CASP licensing regime has applied since December 30, 2024. The transition period for existing CASPs operating under national regimes (such as France's PSAN registration) ends on July 1, 2026. After that date, only CASPs holding a MiCA authorization can legally operate in the EU.
What is the Travel Rule and how does it affect crypto transfers?
The Travel Rule (Transfer of Funds Regulation, EU 2023/1113) requires that identity information -- full name, wallet address, and a unique identifier such as a national ID number -- accompanies every crypto-asset transfer between CASPs. For transfers exceeding EUR 1,000 involving unhosted wallets, the CASP must also verify wallet ownership through cryptographic message signing or equivalent methods. There is no minimum threshold: the data collection obligation applies to all transfers regardless of amount.
What KYC documents must a CASP collect at onboarding?
At minimum, a CASP must collect a government-issued identity document (passport or national ID), proof of residential address dated within the last three months, and a unique identification number. For corporate clients, additional documents include a commercial register extract, articles of incorporation, UBO declaration, and identification of all directors. All documents must be verified for authenticity and cross-referenced against the client's declared information.
How does MiCA interact with AMLD6?
MiCA establishes the licensing and conduct framework for CASPs, while AMLD6 and the Anti-Money Laundering Regulation (AMLR) define the AML/CFT obligations that CASPs must follow as obliged entities. CASPs are explicitly listed as obliged entities under the AMLR, subject to the same customer due diligence, suspicious activity reporting, and record-keeping requirements as banks and other financial institutions. The EUR 1,000 threshold for enhanced verification of crypto transactions is set by the AMLR and operationalized through the Travel Rule. Both frameworks must be satisfied simultaneously.
Which regulator supervises MiCA CASPs in Portugal?
In Portugal, MiCA supervision is split between two authorities. The CMVM (Comissão do Mercado de Valores Mobiliários) authorizes and supervises CASPs providing exchange, brokerage, advisory, and portfolio management services. The Banco de Portugal oversees AML/CFT compliance for all CASPs and supervises payment-related crypto services. CASPs must satisfy both regulators — the CMVM for licensing and conduct, and the Banco de Portugal for anti-money laundering controls. Minimum capital requirements range from €50,000 (custody and administration) to €150,000 (exchange and brokerage). A Portuguese MiCA authorization serves as an EU passport valid across all 27 member states.
Prepare Your Platform Before July 2026
The July 1, 2026 deadline is not a soft target. CASPs that fail to obtain MiCA authorization will lose the right to operate in the EU's 450-million-person market. The identity verification obligations -- at onboarding, at transaction level, and through ongoing monitoring -- require systems that can process documents reliably, screen against sanctions lists in real time, and generate the audit trails that regulators demand during inspections.
CheckFile provides automated document validation purpose-built for crypto platform onboarding: identity document verification, corporate KYB checks, data extraction and cross-referencing, and complete audit trail generation. Our platform processes verification files in seconds with every step logged and traceable, meeting the documentary standards that the AMF and ACPR expect from MiCA-authorized CASPs. Explore our pricing to find the plan that fits your transaction volume.
Related reading: For the broader KYC framework driving these obligations, see our KYC 2026 requirements guide. For corporate client onboarding under MiCA, read our KYB business document verification guide. For the operational resilience requirements that apply to your verification systems, see our DORA 2026 guide.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.