Jul 15 / Evdokia Pitsillidou

Regulatory Updates on AML and MiCA in 2025

about the author


Evdokia Pitsillidou

Global Chief Risk & Compliance Officer

Evdokia, a partner at SALVUS Funds, is actively advising and working on all matters related to licensing, regulatory compliance, and internal audit for investment firms, funds, Electronic Money Institutions (EMI) & Crypto-Asset Services Providers (CASP).


Member of the Global Institute of Internal Auditors (IIA)

Member of the Cyprus Investment Funds Association (CIFA)

Certified Actuarial Analyst (CAA)

CySEC Advanced Certified Person

CySEC certified Anti-Money Laundering Compliance Officer (AMLCO)

As the European Union finalises and enforces new requirements under the Markets in Crypto-Assets Regulation (MiCA), and the European Banking Authority (EBA) extends its AML/CFT framework to include Crypto-Asset Service Providers (CASPs), 2025 becomes a crucial year for financial institutions and virtual asset stakeholders. Regulators such as CySEC are intensifying their expectations, requiring firms not only to adapt to MiCA's regulatory architecture but also to enhance their AML procedures in line with EBA’s expanded risk-based approach.

CASPs and other obliged entities must now meet the same rigorous AML standards as credit and financial institutions. This shift introduces detailed expectations around customer profiling, transaction monitoring, wallet-level due diligence, and the implementation of the Travel Rule. In this complex environment, compliance teams are expected to rethink internal policies, monitoring tools, and governance structures to ensure both MiCA and AML/CFT alignment.

With this blog post, Evdokia Pitsillidou, the instructor of the module and Global Chief Risk & Compliance Officer at SALVUS, explains the major regulatory updates impacting AML compliance under MiCA. The course includes a comprehensive breakdown of the AML/CFT obligations introduced in 2025, including guidelines from the EBA, FATF interpretations, and CySEC expectations under the MiCA transition framework.

Towards the end of this blog post, you will find a summary of the key updates covered in the course. This blog is designed to help professionals understand and respond to the updated AML and MiCA obligations, integrating best practices for crypto compliance in 2025.

Understanding the Regulatory Shift: AML/CFT Expansion to CASPs
The EBA’s revised Guidelines on ML/TF Risk Factors became applicable to CASPs from December 2024. This marks the formal expansion of EU AML expectations into the virtual asset domain. CASPs are now considered obliged entities, with regulatory obligations that mirror those of traditional financial firms.

CASPs must now identify and assess ML/TF risks across customer types, products and services, delivery channels, and geographical locations. Specific risk factors include anonymity-enhancing services, self-hosted wallets, and decentralised exchange interfaces. Firms are expected to document, review, and update their risk assessments regularly, especially when launching new crypto services.

The EBA’s Guidelines introduce a tailored approach for CASPs, highlighting areas such as remote onboarding risks, non-face-to-face business relationships, and transaction analysis using blockchain analytics tools. Risk assessments are expected to incorporate both qualitative and data-driven metrics to prioritise monitoring and mitigation efforts effectively.

Applying Due Diligence Proportionally and Effectively
Under the updated AML regime, customer due diligence (CDD) becomes a layered process that must reflect the nature of the crypto service and the risk profile of the client. Simplified Due Diligence (SDD) may be applied under low-risk conditions, such as when the crypto-asset is not privacy-enhancing and the transaction is below a certain threshold.

Enhanced Due Diligence (EDD), on the other hand, is mandatory in cases involving high-risk clients, PEPs, jurisdictions with weak AML enforcement, or transactions involving high volumes or mixing services. CASPs must go beyond traditional KYC to verify the identity of wallet holders and confirm the legitimacy of crypto-asset sources.

The course outlines how firms must document the rationale behind SDD or EDD application, maintain audit trails, and include transaction-specific details such as wallet addresses, blockchain metadata, and the economic purpose of the transaction.

Strengthening Identity Verification and Ongoing Monitoring
CASPs are now expected to collect and analyse a broader set of identification data than before. In addition to name, address, and identification numbers, CASPs should collect information such as wallet addresses, IP logs, geo-location data, device identifiers, and transaction hashes.

This extended identity framework supports continuous monitoring obligations. Firms must implement controls to monitor transactions in real time, generate alerts, investigate red flags, and escalate suspicious activity. The monitoring system must account for changes in client behaviour, unusual transaction patterns, and the use of high-risk crypto instruments.

Internal controls must be documented and updated to reflect changes in service offerings, regulatory guidelines, and risk exposure. Firms must also ensure that monitoring tools and internal teams are capable of generating and handling Suspicious Transaction Reports (STRs) in a timely and compliant manner.

The Travel Rule and Wallet-Level Controls
Under Regulation (EU) 2023/1113 (the revised Transfer of Funds Regulation), CASPs must implement the Travel Rule for crypto-asset transfers. Effective from 30 December 2024, the Travel Rule requires firms to collect, verify, and transmit originator and beneficiary information during crypto-asset transfers exceeding EUR 1,000 or for all transfers when linked to higher risks.

Information to be collected includes:
  • Originator’s name, wallet address, and public identifier
  • Beneficiary’s name and wallet address
  • Purpose of transaction and proof of relationship

The course explains the operational and technological measures required to comply with this regulation, including how to implement automated solutions or secure communication frameworks that enable the exchange of sender and recipient information. Firms must ensure that their systems can handle incoming and outgoing Travel Rule messages, block non-compliant transfers, and retain relevant records for audits.

Additionally, CASPs are expected to exercise control over wallets, especially custodial ones, by implementing multi-signature schemes, cold storage for excess balances, and reconciliation tools. Due diligence on third-party custodians is also expected under MiCA and DORA.

CASPs Obligations under MiCA and CySEC’s Supervisory Role
MiCA introduces specific organisational, prudential, and conduct requirements for CASPs. These include governance and control frameworks, safeguarding procedures for client funds, risk management policies, and disclosure obligations to clients. CySEC, as the national competent authority in Cyprus, has started incorporating these obligations into its licensing and inspection process.

The AML obligations described in this course are aligned with both MiCA and CySEC Circulars, making the training highly relevant to professionals working at Cyprus Investment Firms (CIFs), CASPs, and other CySEC-regulated entities. Professionals must ensure that their internal manuals, control functions, and reporting structures reflect the new regulatory architecture.

What are the Regulatory Updates on AML and MiCA in 2025 course and what does it include?
The Regulatory Updates on AML and MiCA in 2025 course is developed by SALVUS and delivered by Evdokia Pitsillidou. It is specifically designed for professionals working at CASPs, CIFs, and other entities supervised by CySEC or the CBC. The course is equally relevant for AML Compliance Officers, legal professionals, internal auditors, and risk management personnel seeking to align with the latest AML/CFT and MiCA obligations.

The syllabus of the Regulatory Updates on AML and MiCA in 2025 course includes:

AML/CFT Regulatory Landscape – Scope and Developments
  • AML/CFT and CASPs
  • Regulatory updates from 2022 and 2023
  • New developments in 2024 and 2025
  • 2024 EBA Guidelines on ML/TF Risk Factors

Risk Assessment, EDD/SDD, CDD and the Travel Rule
  • ML/TF Risk Factors and practical implementation
  • CDD processes and onboarding obligations
  • Application of Enhanced and Simplified Due Diligence
  • Ongoing transaction monitoring procedures
  • Identification and management of AML/CFT red flags
  • Requirements under the revised Travel Rule

AML/CFT and MiCA
  • CySEC expectations for AML/CFT compliance
  • Overview of the MiCA regulatory framework
  • Risk-based monitoring obligations under MiCA
  • AML/CFT reporting requirements for MiCA-regulated entities

The course is delivered through online recordings and downloadable PDF slides, offering professionals the flexibility to study at their own pace. Learners can access the material at any time, revisit key sections, and deepen their understanding through structured content.

On completion, learners receive a certificate confirming 5 hours of CPD accreditation, recognised by CySEC, the Central Bank of Cyprus, and other professional supervisory bodies. The course contributes to the annual CPD requirements for CySEC Advanced and Basic Certification holders, as well as those registered with ICPAC and the Cyprus Bar Association.
Get in touch
If you have any questions about Despoina's course or any other questions related to your training requirements, please contact uswe would love to help.
From all of us at IforPE, the Institute for Professional Excellence,
Ancora Imparo