
MiCA KYC in 2026: CASP Onboarding, AML and the Travel Rule

MiCA KYC in 2026: what the term really means, who must comply, customer due diligence, the crypto Travel Rule and the compliance software it takes.

Customer completing KYC identity verification for a MiCA-regulated crypto platform

Key takeaways: MiCA KYC in 2026

What MiCA KYC really means, who must comply and the stack it takes.

  • KYC is AML law, not MiCA: MiCA authorizes CASPs; the KYC duty comes from EU AML rules and the Travel Rule that bind the same firm.
  • CASPs verify everyone: CDD on every customer, EDD on higher-risk ones, plus sanctions and PEP screening at onboarding and after.
  • Travel Rule, no threshold: EU rules attach originator and beneficiary data to crypto transfers of any value, with no de minimis.
  • Integrate, do not rebuild: IDV, screening, analytics and Travel Rule are specialist regtech - build the orchestration, not the primitives.
  • Both are live now: MiCA and the Travel Rule apply since December 2024; the single AML Regulation follows from 2027.

MiCA KYC is one of the most searched and most misunderstood phrases in crypto compliance, because the rules that force a crypto business to verify its customers do not actually live inside MiCA. MiCA authorizes and supervises crypto-asset service providers (CASPs); the know-your-customer (KYC) duties come from the EU anti-money-laundering framework and the crypto Travel Rule, and they apply to the same firms. This guide explains MiCA KYC in 2026: what the term really means, who must comply, what they must verify, the Travel Rule and the software it takes, before you scope a build with a MiCA compliance software development partner.

In short: “MiCA KYC” is the customer due diligence a MiCA-authorized CASP must perform – but the obligation comes from EU anti-money-laundering law (the AML Directives, the new AML Regulation AMLR and the AML Authority AMLA) and the Transfer of Funds Regulation (TFR), not from MiCA itself. In practice a CASP must identify and verify every customer (CDD), apply enhanced due diligence (EDD) to higher-risk ones, screen against sanctions and politically exposed person (PEP) lists, run ongoing transaction monitoring, file suspicious activity reports, and attach originator and beneficiary data to crypto transfers under the Travel Rule – with no minimum threshold in the EU. MiCA has applied to CASPs since 30 December 2024 and the TFR since the same date; the single AML Regulation applies from 2027. The compliance stack – identity verification, sanctions and PEP screening, transaction monitoring, a Travel Rule solution and case management – is build-or-buy, and most CASPs integrate specialist regtech rather than building it from scratch.

What MiCA KYC actually means

MiCA – the Markets in Crypto-Assets Regulation – is about market integrity: it authorizes CASPs, sets conduct and prudential rules, governs stablecoins and white papers, and bans market abuse. It does not, by itself, set out KYC procedures. The duty to know your customer comes from the EU anti-money-laundering framework: the AML Directives, the new directly-applicable AML Regulation (AMLR), the EU Anti-Money Laundering Authority (AMLA), and the Transfer of Funds Regulation (TFR) that brings the FATF Travel Rule to crypto. The connection is that a MiCA-authorized CASP is also an “obliged entity” under that AML framework, so the two regimes bind the same firm at the same time. When people say “MiCA KYC” they mean the AML and Travel Rule obligations that every MiCA CASP has to meet. Getting this distinction right matters, because authorization under MiCA and AML compliance are separate workstreams with separate supervisors.

Who must comply and what they must verify

The obligations fall on CASPs – exchanges, custodians and wallet providers, brokers, trading platforms, and advisers – once they are authorized under MiCA. Each must run customer due diligence (CDD) on every customer: collect and verify identity, understand the purpose of the relationship, identify beneficial owners for corporate clients, and assign a risk score. Higher-risk customers – certain jurisdictions, complex ownership, large or unusual activity – trigger enhanced due diligence (EDD) with deeper checks and senior sign-off. Everyone is screened against sanctions lists and PEP databases at onboarding and continuously after. The whole approach is risk-based: the law sets the outcomes, and the CASP must show a documented, defensible process that matches effort to risk.

The Travel Rule for crypto transfers

The Travel Rule, implemented in the EU by the Transfer of Funds Regulation, requires that identifying information about the originator and the beneficiary travels with a crypto transfer between CASPs – much like a bank wire. The EU version is strict: there is no minimum threshold, so it applies to transfers of any value, and CASPs must collect, transmit and verify this data and screen the counterparties. Transfers to and from self-hosted (unhosted) wallets carry extra checks above certain amounts. Implementing the Travel Rule means connecting to an interoperable messaging network so CASPs can exchange originator and beneficiary data securely, which is a distinct piece of the stack from customer onboarding.

Ongoing monitoring and reporting

KYC is not a one-time gate at signup. CASPs must monitor the relationship for the life of the customer: transaction monitoring to flag unusual patterns, ongoing sanctions and PEP rescreening, periodic KYC refresh, and recordkeeping that stands up to audit. When something looks suspicious, the CASP must file a suspicious activity or transaction report (SAR/STR) with the national financial intelligence unit and, where required, freeze or block. The supervisory bar is rising: AMLA, the new EU authority being stood up in Frankfurt, will drive more consistent enforcement across member states, so a process that merely ticks boxes at onboarding but ignores monitoring will not pass.

Flat illustration of a crypto KYC and AML compliance stack: identity, screening and the Travel Rule

The KYC and AML software stack

Meeting these duties is a software problem as much as a legal one. The typical stack has five parts: identity verification (IDV) with document checks and biometric liveness to verify a real person; sanctions and PEP screening against live watchlists at onboarding and continuously; transaction monitoring that scores on-chain and off-chain activity for risk, often with blockchain analytics; a Travel Rule solution that exchanges originator and beneficiary data with other CASPs; and case management with audit trail, reporting and SAR/STR filing. Each must integrate cleanly with the others and with the CASP’s core platform, because regulators expect one coherent, auditable picture of every customer and transaction – which is the hardest part to get right.

Build vs buy your compliance stack

Almost no CASP builds this from scratch. The IDV, screening, blockchain-analytics and Travel Rule layers are specialist products – IDV from vendors like Sumsub or Onfido, analytics from Chainalysis or Elliptic, Travel Rule messaging from networks like Notabene – and reinventing them is slow, expensive and risky. The right pattern is to integrate best-of-breed regtech and build the custom orchestration, risk engine and case-management layer that ties them to your platform and your risk policy. That custom layer is where the differentiation and the defensibility sit, because your risk scoring, your onboarding experience and your audit trail are specific to your business. The build work is integration and orchestration, not rebuilding the regulated primitives.

Cost, timeline and deadlines

Integrating a compliant KYC and AML stack – IDV, screening, transaction monitoring, Travel Rule and case management – typically costs $80,000 to $250,000 over 3 to 6 months in engineering, on top of the vendors’ own per-verification fees (often a few dollars per check) and annual platform subscriptions. A larger custom risk engine and case-management build pushes higher. On the regulatory clock: MiCA has applied to CASPs since 30 December 2024 and the Travel Rule under the TFR since the same date, so both are live now; the single AML Regulation (AMLR) applies from 2027, tightening and harmonizing the rules across the EU. For the full picture of what authorization and compliance cost, see our MiCA compliance cost guide and MiCA compliance checklist.

Common mistakes

The expensive errors repeat. Assuming MiCA itself contains the KYC rules and missing the separate AML and Travel Rule obligations that actually bind you. Treating KYC as a one-time onboarding gate and skipping ongoing monitoring, which is where supervisors now look hardest. Forgetting that the EU Travel Rule has no minimum threshold, then under-building transfer data handling. Bolting compliance tools together without a single case-management and audit layer, so you cannot show one coherent picture per customer. And building IDV or screening from scratch instead of integrating proven regtech, burning time and budget on solved problems.

How to get MiCA KYC right

Start by separating the two workstreams: MiCA authorization and conduct on one side, AML, KYC and the Travel Rule on the other, with the same firm responsible for both. Map your obligations to a risk-based process – CDD and EDD, sanctions and PEP screening, transaction monitoring, Travel Rule data and SAR/STR reporting – then integrate best-of-breed regtech for the regulated primitives and build the orchestration, risk engine and audit layer that makes them yours. If you are a CASP scoping this, our MiCA compliance software development and regtech teams can map the obligations, the stack, the integrations and the build with you, the same way we help teams that are building a crypto exchange from the ground up. For the wider CASP picture, see our guide to the 10 CASP services under MiCA.

FAQ


    “MiCA KYC” is the customer due diligence a MiCA-authorized crypto-asset service provider (CASP) must perform - identifying and verifying every customer, screening them, and monitoring their activity. The duty itself comes from EU anti-money-laundering law and the crypto Travel Rule rather than from MiCA, but it binds the same firms, so the phrase refers to the KYC and AML obligations every MiCA CASP must meet.

    No. MiCA governs authorization, conduct, stablecoins, white papers and market abuse. The KYC and AML duties come from the EU AML framework - the AML Directives, the new AML Regulation (AMLR) and the AML Authority (AMLA) - and the Transfer of Funds Regulation that implements the Travel Rule. A MiCA-authorized CASP is also an AML “obliged entity”, so both regimes apply at once. Treating them as one is a common and costly mistake.

    CASPs - crypto exchanges, custodians and wallet providers, brokers, trading platforms and advisers - once authorized under MiCA. Each must run customer due diligence on every customer, apply enhanced due diligence to higher-risk ones, screen against sanctions and PEP lists, and monitor activity for the life of the relationship.

    The Travel Rule, implemented by the EU Transfer of Funds Regulation, requires that originator and beneficiary information travels with a crypto transfer between CASPs, like a bank wire. The EU version has no minimum threshold, so it applies to transfers of any value, and transfers to or from self-hosted wallets carry extra checks above certain amounts.

    For the crypto Travel Rule, no - the EU Transfer of Funds Regulation applies to crypto transfers of any value, with no de minimis threshold. Customer due diligence is risk-based rather than threshold-based, so CASPs identify and verify customers as part of onboarding regardless of transaction size, with deeper checks where risk is higher.

    The typical stack has five parts: identity verification (IDV) with document and biometric liveness checks, sanctions and PEP screening against live watchlists, transaction monitoring with blockchain analytics, a Travel Rule solution to exchange originator and beneficiary data with other CASPs, and case management with audit trail and suspicious-activity reporting. They must integrate into one coherent, auditable view of each customer and transaction.

    Integrating a compliant stack - IDV, screening, transaction monitoring, Travel Rule and case management - typically costs $80,000 to $250,000 over 3 to 6 months in engineering, on top of vendor per-verification fees (often a few dollars per check) and annual subscriptions. A larger custom risk engine and case-management build pushes higher. Most CASPs integrate specialist regtech rather than building the regulated primitives from scratch.

    MiCA has applied to CASPs since 30 December 2024, and the Travel Rule under the Transfer of Funds Regulation since the same date, so both are live now. The EU single Anti-Money-Laundering Regulation (AMLR) applies from 2027, tightening and harmonizing the AML rules, and the new AML Authority (AMLA) is being stood up to supervise them.

MiCA KYC glossary

CASP (crypto-asset service provider)
A firm authorized under MiCA to provide crypto services - exchange, custody, brokerage, trading or advice. CASPs are also AML "obliged entities", which is why they carry KYC duties.
KYC (know your customer)
The process of identifying and verifying who a customer is and assessing their risk before and during a business relationship. For CASPs it is mandated by EU AML law, not by MiCA itself.
CDD (customer due diligence)
The core KYC checks: verify identity, understand the purpose of the relationship, identify beneficial owners and assign a risk score. The baseline every customer goes through.
EDD (enhanced due diligence)
Deeper checks and senior sign-off applied to higher-risk customers - certain jurisdictions, complex ownership or unusual activity - on top of standard CDD.
Travel Rule (TFR)
The rule, brought to EU crypto by the Transfer of Funds Regulation, that originator and beneficiary information must travel with a crypto transfer between CASPs. The EU version has no minimum threshold.
AMLR / AMLA
The EU's single Anti-Money-Laundering Regulation (AMLR), directly applicable from 2027, and the new Anti-Money-Laundering Authority (AMLA) in Frankfurt that will supervise and harmonize enforcement.
PEP (politically exposed person)
A person in a prominent public role, or their close associates, who carries higher corruption risk and so triggers enhanced due diligence and ongoing screening.
Transaction monitoring
Continuously scoring customer activity - on-chain and off-chain - to detect unusual or suspicious patterns, often using blockchain analytics, and to trigger suspicious activity reports.

Role: Founder and CTO, Pharos Production

Focus: Architecture, Web3 products, smart contract security, high-load systems

Experience: 23 years in production delivery

Dmytro Nasyrov, Founder and CTO at Pharos Production