Regulatory Updates on AML, MiCAR & CIF as a CASP - 2 CPDs

CASPs and other obliged entities must now meet the same rigorous AML standards as credit and financial institutions. This shift introduces detailed expectations around customer profiling, transaction monitoring, wallet-level due diligence, and the implementation of the Travel Rule. 

With this blog post, Evdokia Pitsillidou, the instructor of the module and Global Chief Risk & Compliance Officer at SALVUS, explains the major regulatory updates impacting AML compliance under MiCA. The course includes a comprehensive breakdown of the AML/CFT obligations introduced in 2025, including guidelines from the EBA, FATF interpretations, and CySEC expectations under the MiCA transition framework.

Towards the end of this blog post, you will find a summary of the key updates covered in the course. This blog is designed to help professionals understand and respond to the updated AML and MiCA obligations, integrating best practices for crypto compliance in 2025.

CySEC continues to act as the competent authority overseeing Investment Firms, Fund Managers, UCITS, ASPs, CASPs and related service providers established in the republic of Cyprus. The EU’s Anti-Money Laundering (AML) framework including Directives (EU) 2015/849, 2018/843, and 2018/1673, alongside national transpositions, forms the cornerstone of Cyprus’s AML regime. In 2025, CySEC complements this framework by applying MiCAR (EU 2023/1114) for crypto-assets, DORA (EU 2022/2554) for digital operational resilience, and MAR (EU 596/2014) for market integrity in ensuring CIFs and CASPs operate under consistent standards of governance, security and transparency.  

The MiCAR (Markets in Crypto-Assets Regulation) establishes a harmonised framework for issuing, offering and trading crypto-assets in the EU by introducing authorisation, conduct and prudential requirements for CASPs and enables CIFs to extend their services to crypto-assets through notification to CySEC under Article 60 of MiCAR. These notifications need to include the business plan, organisational structure, internal operations, AML manuals, DORA-aligned Business Continuity Plan and relevant policies. 

The EBA’s revised Guidelines on ML/TF Risk Factors became applicable to CASPs from December 2024. This marks the formal expansion of EU AML expectations into the virtual asset domain. CASPs are now considered obliged entities, with regulatory obligations that mirror those of traditional financial firms. 

CASPs must now identify and assess ML/TF risks across customer types, products and services, delivery channels, and geographical locations. Specific risk factors include anonymity-enhancing services, self-hosted wallets, and decentralised exchange interfaces. Firms are expected to document, review, and update their risk assessments regularly, especially when launching new crypto services. 

Applying Due Diligence Proportionally and Effectively

Under the updated AML regime, customer due diligence (CDD) becomes a layered process that must reflect the nature of the crypto service and the risk profile of the client. Simplified Due Diligence (SDD) may be applied under low-risk conditions, such as when the crypto-asset is not privacy-enhancing and the transaction is below a certain threshold.

Enhanced Due Diligence (EDD), on the other hand, is mandatory in cases involving high-risk clients, PEPs, jurisdictions with weak AML enforcement, or transactions involving high volumes or mixing services. CASPs must go beyond traditional KYC to verify the identity of wallet holders and confirm the legitimacy of crypto-asset sources.

Strengthening Identity Verification and Ongoing Monitoring

CASPs are now expected to collect and analyse a broader set of identification data than before. In addition to name, address, and identification numbers, CASPs should collect information such as wallet addresses, IP logs, geo-location data, device identifiers, and transaction hashes. 

This extended identity framework supports continuous monitoring obligations. Firms must implement controls to monitor transactions in real time, generate alerts, investigate red flags, and escalate suspicious activity. The monitoring system must account for changes in client behaviour, unusual transaction patterns, and the use of high-risk crypto instruments. 

Internal controls must be documented and updated to reflect changes in service offerings, regulatory guidelines, and risk exposure. Firms must also ensure that monitoring tools and internal teams are capable of generating and handling Suspicious Transaction Reports (STRs) in a timely and compliant manner.

The Travel Rule and Wallet-Level Controls

Under Regulation (EU) 2023/1113, the revised Transfer of Funds Regulation, CASPs are required to implement the Travel Rule for crypto-asset transfers, ensuring compliance while safeguarding clients’ personal information. Top-tier compliance is achieved when personal data cannot be targeted by attackers and is securely exchanged only between verified TRUST members. As part of this framework, a proof-of-address ownership mechanism enables the receiving exchange to verify that it owns the destination crypto address before any customer information is transmitted. Furthermore, all TRUST members must meet core AML, security, and privacy standards prior to joining the network, maintaining the integrity and confidentiality of client data across transfers. 

The course explains the operational and technological measures required to comply with this regulation, including how to implement automated solutions or secure communication frameworks that enable the exchange of sender and recipient information. Firms must ensure that their systems can handle incoming and outgoing Travel Rule messages, block non-compliant transfers, and retain relevant records for audits.  

Additionally, CASPs are expected to exercise control over wallets, especially custodial ones, by implementing multi-signature schemes, cold storage for excess balances, and reconciliation tools. Due diligence on third-party custodians is also expected under MiCA and DORA.  

What are the Regulatory Updates on AML and MiCAR & CIF as a CASP course and what does it include?

The Regulatory Updates on AML, MICAR & CIF as a CASP - 2 CPDs course is developed by SALVUS and delivered by Evdokia Pitsillidou. It is specifically designed for professionals working at CASPs, CIFs, and other entities supervised by CySEC or the CBC. The course is equally relevant for AML Compliance Officers, legal professionals, internal auditors, and risk management personnel seeking to align with the latest AML/CFT and MiCAR obligations. 

The syllabus of the Regulatory Updates on AML, MICAR & CIF as a CASP course The syllabus of the  “Regulatory Updates o AML, MiCAR & CIF as a CASP” includes:  

Regulatory Framework: AML, MiCAR, DORA & MAR

The course is delivered through online recordings and downloadable PDF slides, offering professionals the flexibility to study at their own pace. Learners can access the material at any time, revisit key sections, and deepen their understanding through structured content.

On completion, learners receive a certificate confirming 2 hours of CPD accreditation, recognised by CySEC, the Central Bank of Cyprus, and other professional supervisory bodies. The course contributes to the annual CPD requirements for CySEC Advanced and Basic Certification holders, as well as those registered with ICPAC and the Cyprus Bar Association.