Crypto KYC in 2026: MiCA, TFR, AMLD6 and CASP obligations
The 2024-2026 regulatory turning point for crypto KYC
The crypto sector spent years operating in a gray zone. That era is over. Three texts now structure the European framework:
- December 30, 2024: full entry into application of the MiCA regulation (Markets in Crypto-Assets, the unified EU crypto-asset regulation, EU Regulation 2023/1114) for stablecoin issuers (ART and EMT tokens); entry into application on June 30, 2025 for crypto platforms and other CASPs.
- December 30, 2024: entry into force of the TFR (Travel Rule, the obligation to trace the sender and beneficiary of a crypto transfer, EU Regulation 2023/1113), which requires systematic identification of sender and beneficiary above the €1,000 threshold for crypto transactions.
- June 2025: French transposition of AMLD6 (the 6th EU Anti-Money Laundering Directive), which tightens KYC vigilance on crypto activities and requires full alignment with the classic AML/CFT framework (anti-money-laundering and counter-financing of terrorism).
July 1, 2026 marks the end of the transition period: any CASP operating in Europe without MiCA authorization must cease its activities. Starting in March 2026, the AMF (Autorité des marchés financiers, the French financial markets regulator) published its expectations for orderly wind-down plans. Compliance becomes competitive: what was a cost yesterday is an onboarding advantage today.
::: callout-info In brief
- MiCA: harmonized status for CASPs, AMF authorization with EU passport
- TFR: Travel Rule on crypto transfers above €1,000
- AMLD6: full AML/CFT alignment, enhanced supervision
- Timeline: mandatory authorization by July 1, 2026 at the latest
:::
Core obligations for CASPs
The former PSAN regime (Prestataires de Services sur Actifs Numériques, the pre-MiCA French status for digital-asset service providers) is replaced by the CASP authorization (Crypto-Asset Service Provider). The AMF is the competent authority in France and grants the authorization after reviewing a detailed application. The procedure is simplified for existing PSANs, but the full file (governance, protection of client assets, cybersecurity, minimum capital) must be filed no later than Q1 2026 to hope for a grant before the end of the transition period.
At end of 2024, around 100 entities were registered as PSAN in France. According to ESMA (the European Securities and Markets Authority, communiqué of February 2026), 140 CASPs were authorized in the EU in January 2026 — only a handful in France, versus 43 in Germany and 22 in the Netherlands. The pre-MiCA European market counted more than 3,000 entities: market consolidation is severe.
KYC no longer tolerates exemption thresholds. Any account opening on a regulated crypto platform now triggers a full procedure:
- Client identification (civil status, supporting documents, ID document)
- Electronic identity verification (eIDV, data-driven electronic identity verification) with substantial or high eIDAS (the EU electronic ID regulation) assurance level depending on the risk profile
- Client profile (source of funds, country of residence, PEP status)
- Sanctions screening (EU, OFAC, UN)
- Client risk assessment and scoring
- Retention of KYC data for 5 years after the end of the relationship
For professional clients, a KYB (Know Your Business, corporate verification) is added, with identification of beneficial owners.
The TFR regulation requires, for every crypto transfer from a user on platform A to a user on platform B above €1,000, the transmission of the full identity of both sender and beneficiary:
- First name, last name (or corporate name)
- Address
- Identification number (account or wallet)
- Official personal identifier (where applicable)
This obligation creates a major technical friction point between platforms. Interoperable solutions (TRP, Notabene, Sumsub Travel Rule, etc.) have become the market standard. TFR compliance now sits inside the KYC AML stack of every regulated crypto platform.
CASPs are required to perform ongoing monitoring of crypto transactions:
- Detection of atypical patterns (mixing, peeling, structuring)
- Alerts on wallets linked to sanctions or illicit marketplaces
- Suspicious-activity reports to Tracfin (the French financial intelligence unit)
- Enhanced prudential reporting per the regulatory technical standards (RTS) published in 2026
Compliance with KYC rules is now an audited matter, regularly reviewed by the ACPR (the French prudential supervisor for banks and insurance) and the AMF.
Specifics by type of crypto operator
Centralized exchanges (Binance, Coinbase, Bitstamp, Bitpanda and their European peers) carry the heaviest obligations:
- KYC + KYB on all users
- Travel Rule on outbound and inbound transfers
- Real-time transaction monitoring
- Tracfin reporting
- MiCA prudential reporting
This is the segment where onboarding fluidity matters most: competition between platforms often plays out on time-to-active.
Providers of custodial wallets (holding the private keys of their clients) are also CASPs under MiCA. They apply a full KYC at onboarding, with particular focus on secure custody of client assets (own-funds reserves, asset segregation, cybersecurity audits).
Non-custodial wallets (where the user holds their own keys) are in principle not covered by MiCA, but the 2026 regulatory direction tends to extend AMLD6 vigilance to any interface that offers an organized service to access crypto-assets.
Stablecoin issuers (ART for Asset-Referenced Tokens, EMT for E-Money Tokens) are subject to MiCA Titles III and IV:
- Prior authorization by the AMF or the EBA (European Banking Authority) depending on size
- 100% reserves in liquid assets, audited
- Publication of a whitepaper approved by the authority
- Volume caps: €200M/day and €1B outstanding for non-euro EMTs
- Ban on non-compliant algorithmic stablecoins
- Enhanced prudential reporting
These obligations have applied since December 30, 2024. Several non-compliant stablecoin issuers (Tether USDT in part) have been delisted from regulated European platforms for euro-denominated pairs.
DeFi (Decentralized Finance) platforms remain in a gray zone. MiCA excludes fully decentralized protocols (peer-to-peer without an identifiable intermediary that could qualify as a CASP). But as soon as an identifiable entity offers an organized interface (front-end, aggregator, centralized oracle), it can fall within the CASP perimeter and therefore the KYC obligation. The EBA and ESMA guidelines expected in 2026 should clarify some ambiguities.
NFTs are in principle excluded from MiCA if they are genuinely non-fungible (unique works, limited-edition collections). But hybrid NFTs (utility tokens, fractionalized, indexed to a financial asset) can be requalified as MiCA tokens. Marketplaces conducting an organized financial activity are then subject to CASP KYC.
Sanctions for non-compliance
Sanctions faced by a non-compliant CASP are graduated:
- AMF sanctions: withdrawal of authorization, administrative fines, public publication of decisions
- ACPR sanctions: fines of up to 10% of annual turnover for serious AML/CFT breaches
- Criminal sanctions: unlawful exercise of CASP activity after July 1, 2026 is punishable by 2 years' imprisonment and a €30,000 fine (article L.572-1 of the French Monetary and Financial Code); up to 5 years and €375,000 for established money laundering
European authorities multiplied preventive communications in 2024-2025. The AMF and ESMA published several alerts on the forced shutdown of non-authorized platforms, with orderly wind-down plans required since March 2026.
::: callout-warning Operational risk Beyond the administrative sanction, losing authorization triggers immediate service suspension across Europe, freezing of client funds under judicial escrow, and reputational damage that is hard to recover from. Anticipated compliance costs a fraction of the cost of an authorization withdrawal. :::
Why our data-driven eIDV fits the crypto sector
The crypto sector combines two constraints no other industry carries simultaneously at this scale:
1. Massive international onboarding volumes (often several hundred thousand accounts per month for major platforms) 2. Time-to-active sensitivity (a client who waits 24 hours for their KYC leaves for the competitor)
Today, everything can be forged — except real life and what people actually buy: document and biometric fraud progresses fast in crypto, but real transactions remain an anchor of truth. That is the foundation we build our transactional-data eIDV on, and it addresses both constraints at once:
- International transactional sources: we mobilize 4,000 sources across 197 countries and 1.5 billion individuals identified
- Frictionless onboarding: most of your clients are verified without uploading an ID document
- TFR compliance: integrated sanctions screening, direct feeding of the traveler fields
- Biometrics complement: for high assurance levels or residual-risk profiles, biometrics remain available as a second line
This data + biometrics articulation delivers the best KYC AML coverage on the market for CASPs, across the 197 source countries of crypto clients. You align MiCA, TFR and AMLD6 compliance in a single identification chain.
::: callout-success Use case: European centralized exchange On 5 million monthly verifications modeled, introducing a data-driven eIDV as the first line maintained conversion at 89% while absorbing the MiCA + TFR compliance overhead without degrading average onboarding time (under 90 seconds for 76% of clients). :::
Timeline and compliance trajectory through end of 2026
For a CASP operating in Europe, the operational timeline is as follows:
- Q1 2026: filing of the CASP authorization application with the AMF
- Q2 2026: TFR (Travel Rule) technical compliance with an interoperable protocol provider
- Q2-Q3 2026: industrialization of KYC AML (eIDV, screening, scoring, monitoring)
- June 30, 2026: end of the transition period for former PSANs
- Q4 2026: full AMLD6 alignment on ongoing vigilance
Beyond authorization alone, what separates viable players from the rest is the industrialization of the framework. MiCA compliance is a condition of existence; operational compliance is a condition of profitability.
::: cta-final Need to upgrade your crypto KYC framework for MiCA, TFR or AMLD6? Our free audit clarifies in one hour your regulatory perimeter, your volumes, and the identity verification method suited to your customer journeys. Talk to our experts :::