Meet KYC / AML standards for cryptocurrencies

Human development has brought constant change across every aspect of our lives, from the way we communicate and work to how we exchange value.

Payment methods have also evolved over time. From barter systems and minted coins to the emergence of digital money, technology has progressively transformed the way financial transactions are understood.

Bitcoin marked the start of the crypto industry’s expansion. What initially emerged as an alternative model for digital exchange has evolved into an environment shaped by exchanges, stablecoins, decentralised platforms and new digital financial services.

Nevertheless, the growth of crypto has also brought new challenges linked to anonymity, fraud and regulatory oversight, issues that barely existed within the sector only a few years ago.

As the market has expanded, so too have the requirements imposed on exchanges and digital platforms regarding identity verification, transaction monitoring and anti-money laundering controls.

How compliance is changing across the crypto industry

European regulation on crypto-assets are forcing providers to rethink how they manage identity verification and transaction oversight.

Processes that until recently could be handled with minimal controls now require systems capable of verifying identities, detecting suspicious activity and assessing risks associated to international transactions.

How MiCA is changing KYC processes for exchanges

The arrival of the MiCA regulation is significantly raising the regulatory bar across the European crypto sector.

From 1 July 2026, no CASP (“Crypto-Asset Service Provider”) will be allowed to operate in Spain without a MiCA licence. This directly affects exchanges, custodians and crypto-asset service providers operating within the European Union.

Beyond governance and transparency obligations, MiCA also requires stronger KYC and AML controls from the outset of the onboarding process.

This includes:

• Identity verification
• Sanctions and PEP screening
• Transaction monitoring
• Continuous risk monitoring

For many crypto platforms, the challenge is not simply complying with regulation, but doing so without slowing down the user experience or adding excessive friction during onboarding.

How the Travel Rule affects exchanges and self-hosted wallets

One of the main changes introduced by the Travel Rule relates to transaction oversight and the supervision of non-custodial wallets.

EU Regulation 2023/1113, commonly referred to as the Travel Rule, requires all crypto-asset transfers to include identifying information for both the sender and the beneficiary, in much the same way as traditional bank transfers.

This directly affects international transfers and transactions involving exchanges and self-hosted wallets.

The exchange sending the funds must ensure the transfer includes verifiable user information, while the receiving provider must be able to detect incomplete data and decide whether to execute, suspend or reject the transaction.

In addition, Article 16 states that when a user transfers crypto-assets from a cold wallet to an exchange and the transaction exceeds €1,000, the platform must:

• Obtain information linked to that wallet
• Retain that information
• Verify ownership of the wallet
• Assess whether there is any risk associated with the address

AMLA, AMLR 2027 and the end of anonymous crypto transactions

The new AMLR 2027 regulation explicitly includes crypto-asset service providers as obliged entities within the European anti-money laundering framework. This represents another major regulation tightening for the industry.

At the same time, the creation of the AMLA (“Anti-Money Laundering Authority”) marks one of the biggest structural changes within the European financial ecosystem. This new authority will supervise certain providers operating across borders and classified as high risk, while also improving coordination between national bodies and European authorities.

This increases pressure on exchanges and digital platforms to demonstrate that they can correctly identify users, detect suspicious transactions, monitor fund movements, and provide access to account and transaction data whenever requested by competent authorities.

Furthermore, the new AML/CFT framework further tightens requirements around anonymous wallets and fund monitoring within the crypto ecosystem.

The aim is to progressively reduce opacity linked to certain transactions and strengthen oversight of digital asset movements across the European Union.

Verifying identities is no longer enough

One of the major changes introduced by the new European AML framework is that identity verification is no longer treated as a standalone step within digital onboarding.

Until relatively recently, many exchanges focused most of their controls on checking identity documents before allowing users access to the platform. But the problem no longer lies solely there.

Regulatory pressure is increasingly shifting towards user behaviour itself: transactions that do not match a user’s normal profile, transfers linked to high-risk jurisdictions, sudden changes in transaction volume or wallets displaying suspicious activity.

As a result, obligations related to due diligence and continuous customer monitoring are becoming significantly stricter.

The evolution of digital fraud

Attacks based on deepfakes, synthetic identities generated through artificial intelligence and manipulated documentation are becoming increasingly sophisticated.

The use of biometrics and liveness detection is becoming essential to verify that a genuine person is behind the registration process rather than a manipulated or artificially generated identity.

The EBA and the new regulatory treatment of stablecoins

The arrival of MiCA has not fully clarified how certain stablecoin operations should fit within the European financial framework.

One of the main areas of uncertainty in the sector concerns payment services.

The European Banking Authority (EBA) considers that certain stablecoin transactions should be treated as traditional payment services and therefore fall under PSD and electronic money regulations. This has forced many platforms to accelerate additional licensing applications in order to continue offering certain services within the European Union.

The issue is that many entities assumed a MiCA licence alone would be sufficient.

This situation has already created significant tension within the industry, particularly after the EBA initially set March 2026 as the deadline for offering these services without additional authorisation. The authority later partially extended the transitional period for platforms that had already started their applications.

Beyond the deadlines themselves, the broader message is clear: Europe is leaving less and less room for crypto platforms to operate outside the traditional rules of the financial system.

EBA guidelines on remote onboarding: EBA Remote Onboarding Guidelines

DORA and the growing pressure around security in the industry

For years, much of the digital asset industry grew by prioritising speed, scalability and product launches. Technological security and operational continuity simply did not carry the same weight they do today.

With DORA (“Digital Operational Resilience Act”), exchanges and crypto service providers will now need to pay much closer attention to cybersecurity, incident management and operational resilience across the European Union.

It is no longer just the platform’s security that matters. Increasing importance is also being placed on external providers, critical infrastructure and third-party technological services supporting day-to-day operations.

All of this is happening alongside the progressive adaptation to MiCA and the new authorisation process for CASPs within the European Union.

The reality is that it is becoming increasingly difficult to separate compliance (KYC/AML), cybersecurity and technological resilience within today’s crypto-asset services.