AML Compliance for Crypto Firms: What the 6AMLD Requires (2026)

Crypto-Asset Service Providers operating in the EEA in 2026 face the most prescriptive AML regime in the financial sector. The Sixth Anti-Money Laundering Directive criminalised money laundering with EU-wide minimum penalties, the Transfer of Funds Regulation extended the FATF Travel Rule to crypto transfers above €1,000, and the new EU AML Package — Anti-Money Laundering Regulation, AMLD6 recast, and a new Anti-Money Laundering Authority — replaces the patchwork of national regimes from July 2027. Every CASP that is not building toward this end-state today is building toward a remediation programme tomorrow.¹^[1]²^[2]³^[3]⁴^[4]⁵^[5]

MiCA bolts onto this AML stack rather than replacing it. A MiCA CASP authorisation is contingent on a written ML/TF risk assessment, a documented AML/CTF programme, an MLRO approved by the national competent authority, blockchain analytics integration, sanctions and PEP screening at onboarding and ongoing, transaction monitoring with documented thresholds, and an annual independent audit of the AML function. Each component is reviewed line-by-line at authorisation and re-tested at every supervisory inspection.

This guide explains what the 6AMLD actually requires from a CASP, what changes under the AML Package taking effect in 2027, and the operational stack — risk assessment, CDD, EDD, transaction monitoring, Travel Rule, SAR filing, sanctions — that every regulated crypto firm must run. Penalties for failure are no longer notional: 6AMLD imposes minimum maximum sentences of 4 years for individuals and corporate criminal liability up to 10% of annual turnover under AMLR.

The Sixth Anti-Money Laundering Directive harmonised criminal liability for money laundering across all EU member states. Where the Fifth Anti-Money Laundering Directive had brought crypto exchange and wallet services into AML scope as obliged entities, the 6AMLD made the criminal consequences of failing those obligations consistent across the bloc.⁸^[6]

• Predicate offences. The 6AMLD lists 22 predicate offences whose proceeds count as money laundering when laundered — including cybercrime, tax crimes, market abuse, and environmental crimes. Crypto-funded ransomware is now an explicit predicate offence in every member state.

• Corporate criminal liability. Legal persons can be held liable for ML offences committed for their benefit by anyone in a leadership role. Sanctions include exclusion from public benefits, judicial winding-up, and fines up to 10% of annual turnover.

• Extended liability for aiding and abetting. Counselling, inciting, or attempting ML is a criminal offence — relevant for CASPs whose tooling could be argued to facilitate layering.

• Self-laundering. Laundering of one's own criminal proceeds is now a standalone offence in all member states.

• Minimum maximum penalty. Member states must provide for at least 4 years' imprisonment as the maximum sentence; aggravated cases reach 10 years.

The EU AML Package replaces the directive-based AML regime with a directly-applicable regulation plus a centralised supervisor. From 10 July 2027, every CASP in the EEA falls under a single rulebook with no national variations on the core AML perimeter.

AMLA is the structural change. For the first time, a Frankfurt-based EU agency will directly supervise a select number of obliged entities — initially the cross-border financial groups deemed highest-risk. CASPs operating in 6+ member states with significant volume should expect to come under AMLA direct supervision in the first selection round in 2028.

Under the AMLR, every CASP authorised under the Markets in Crypto-Assets Regulation is automatically an obliged entity. The same applies to legacy VASPs operating under transitional regimes until their authorisation expires.⁹^[7]

Obliged entity status pulls a CASP into the full AML compliance perimeter: written ML/TF risk assessment, customer due diligence at onboarding, ongoing monitoring of relationships, sanctions and PEP screening, transaction monitoring, suspicious activity reporting to the national FIU, training of all staff, an MLRO at board level, and annual independent audit of the entire programme.

The AMLR codifies three CDD tiers. The base level applies to every customer; SDD applies to demonstrably low-risk customers (very narrow); EDD is mandatory whenever risk is elevated. Crypto activity is inherently classified as elevated-risk under the EBA Guidelines — meaning a CASP applies effectively EDD-level diligence to most relationships.⁷^[8]

The Transfer of Funds Regulation extended FATF Recommendation 16 to crypto transfers, applicable from 30 December 2024. Every CASP must transmit originator and beneficiary information with every crypto-asset transfer of €1,000 or more, and must verify that information for inbound transfers from another CASP.⁶^[9]

Self-hosted wallets are the operational hard part. The TFR requires CASPs to identify the wallet holder for transfers to or from self-hosted addresses ≥ €1,000 and to verify that the wallet is controlled by the customer. This means address attribution, signature challenges, micro-deposit verification, or third-party blockchain analytics attribution as the standard architecture.

• Below €1,000: minimum data set (originator name, originator account, beneficiary name, beneficiary account).

• ≥ €1,000 inter-CASP: full data set (originator address, ID number, date of birth, beneficiary address). Verified before release of funds.

• ≥ €1,000 to/from self-hosted wallet: customer must self-identify as the wallet controller. CASP applies risk-based EDD on the address.

• Aggregation: linked transfers below €1,000 within a 24-hour window are aggregated. Structuring detection rules in the transaction monitoring system are mandatory.

MiCA does not mandate vendors but every supervisory inspection effectively does. The minimum operational AML stack for a 2026-vintage CASP combines six categories of tooling, integrated with each other and with the core ledger.

Every CASP must appoint a Money Laundering Reporting Officer with regulatory pre-approval. The MLRO is the natural person legally responsible for the AML programme, the SAR-filing decisions, and the relationship with the FIU. In Cyprus, Lithuania, Ireland and Germany the MLRO must be locally resident and approved by the NCA before they can take office.

• First line — front-line operations. KYC analysts, transaction monitoring analysts, customer-facing teams. Detect, escalate, document.

• Second line — compliance & MLRO. Owns the AML programme, files SARs, maintains the risk assessment, advises the board.

• Third line — internal audit. Independent assurance over the first two lines. Annual independent audit of the AML function is mandatory under EBA Guidelines.

When a CASP forms a suspicion that funds are derived from criminal activity or are linked to terrorist financing, it must file a Suspicious Activity Report with the national Financial Intelligence Unit. The threshold is suspicion — not proof, and not preponderance of evidence. Filing on the basis of suspicion is protected from civil liability; failing to file when suspicion is reasonably triggered exposes the MLRO and the CASP to criminal sanctions.

Once a SAR is filed, the tipping-off offence applies. The CASP must not disclose the existence of the SAR or the underlying investigation to the customer or to any third party. Tipping-off is a criminal offence in every member state and carries imprisonment under 6AMLD. CASPs must train customer-facing staff to handle frozen accounts and rejected withdrawals without volunteering the AML reason.

AML penalties have escalated materially under 6AMLD and AMLR. The combined exposure for a serious failure now includes:

• Criminal — up to 10 years' imprisonment for senior managers in aggravated cases.

• Corporate — fines up to 10% of annual turnover for legal persons; judicial winding-up in extreme cases.

• Regulatory — licence withdrawal, public censure, fitness-and-propriety findings against directors barring future appointments.

• Civil — direct customer claims plus class actions where AML failures led to customer losses.

• Reputational — banking de-risking, correspondent withdrawal, loss of payment processor relationships.

The 6AMLD is a directive — it required transposition by 3 December 2020. It applies to CASPs through national criminal law in each member state. The recast AMLD6 (Directive 2024/1640) replaces it from July 2027 alongside the directly-applicable AMLR. Until then, you operate under your member state's transposing legislation, which broadly mirrors the 6AMLD with national variations on penalty quantum.

5AMLD brought crypto exchange and custodial wallet services into AML scope as obliged entities, but the substantive AML obligations were transposed inconsistently across member states. A MiCA CASP authorisation embeds those obligations into a uniform pan-EEA licence: the AML programme, MLRO, blockchain analytics integration, and Travel Rule capability are all assessed at authorisation and passport with the licence. From July 2027, AMLR applies the same AML rulebook to both legacy VASPs and CASPs — the difference will dissolve.

Always for transfers between two CASPs. With a minimum data set below €1,000 and a full data set at €1,000 and above. For transfers to or from a self-hosted wallet, the €1,000 threshold triggers wallet-controller verification and risk-based EDD. The Transfer of Funds Regulation took effect 30 December 2024 and applies regardless of where in the EEA your CASP is licensed.

No — but you must investigate every hit and document the rationale for filing or not filing. The standard is suspicion. A direct sanctions match requires immediate freezing and FIU report; a high-risk score on a counterparty address requires investigation and case-by-case decision. Document the analyst's reasoning either way — supervisors will sample your case files at inspection and look for cases where high-risk hits were dismissed without rationale.

Probably not in the first selection. AMLA's direct supervision powers, operational from 2028, will initially apply to ~40 obliged entities deemed highest-risk based on cross-border footprint and AML/CTF risk profile. CASPs operating in 6+ member states with significant volume are candidates for the second-round selection. All other CASPs remain under their home NCA, but with AMLR providing the substantive rulebook and AMLA setting common standards.

A 30–80 page document covering: business-wide ML/TF risk assessment with named risk factors and ratings; CDD policy including SDD/EDD triggers; sanctions and PEP screening procedure with named provider; transaction monitoring rules with documented thresholds; suspicious activity reporting workflow into the national FIU; record-keeping policy (5 years minimum); training programme covering all staff annually; MLRO appointment letter; reporting lines to the board; and the annual independent audit plan. Generic templates are flagged on first review and downgrade the file to high-scrutiny.

• MiCA Compliance Guide for CASPs: Authorisation walkthrough — capital, governance, supplier stack

• How to Get a Bank Account for a VASP or CASP: The 2026 banking playbook for regulated crypto firms

• EEA vs UK vs Offshore: Where to Incorporate Your Crypto Business: Which jurisdiction maximises regulatory access and tax efficiency

• EMI vs PSP vs VASP vs CASP: Which financial licence do you actually need?

AML compliance for a CASP is no longer a documentation exercise — it is the difference between operating and being shut down. The CASPs surviving long-term are the ones that built a serious AML function before they needed to: a regulator-approved MLRO, named blockchain analytics and Travel Rule providers, a written and tested risk assessment, and board-level oversight that does not delegate accountability. The cost of doing this well is six figures a year. The cost of doing it badly is the entire business.