What Banks Actually Evaluate When Onboarding a CASP (2026)

Most CASP applicants approach bank diligence the way they approach NCA authorisation — with a generic Programme of Operations, a hopeful pitch deck, and the assumption that the licence does the talking. Banks evaluate seven dimensions before they open the file properly. Get the seven right and you compress onboarding from 16 weeks to 8. Get any one of them wrong and the file sits in committee limbo while compliance asks the same gap questions four times.

The structural reality is that crypto firms are disproportionately demanding clients for any bank. EBA Guidelines treat crypto exposure as elevated AML risk by default; the Basel Committee's prudential treatment of cryptoasset exposures imposes meaningful capital charges on bank-side deposit holdings; the EBA Opinion on de-risking documented the supervisory pressure that drives mass-category exits. Banks onboarding a CASP take on real regulatory risk and real capital cost — and they price that risk at the diligence stage by demanding evidence in seven specific areas before the credit committee meets.¹^[1]²^[2]³^[3]

This guide unpacks the seven dimensions, the order banks examine them, the rejection reasons that cluster around each, and the document evidence that converts a 16-week diligence cycle into an 8-week one. The framing is directly from the credit-committee and financial-crime-committee perspective — the two committees most CASPs never see but whose decisions determine whether the file converts.

Each of the seven sits inside a documented bank policy framework. None is negotiable on its own; together they decide whether the CASP file goes to credit committee or stays with the relationship manager.

Licence quality is the gatekeeper. A MiCA CASP authorisation from a credible NCA — Bank of Lithuania, Central Bank of Ireland, BaFin, CySEC, MFSA — opens conversations that a pre-MiCA national VASP registration does not. Banks treat legacy VASP registrations as expiring credentials in 2026 because the transitional period ends between 1 July 2026 and 30 December 2026; a CASP applicant relying on a VASP registration without a CASP file in flight is effectively already de-banked at onboarding.

The licence brand matters more than the licence type. A BaFin-authorised CASP carries materially more institutional credibility than a Cypriot CASP at equivalent scope, even though both are MiCA passport-equivalent. Licence quality is also assessed in the negative — limited-scope permissions disclosed as full-scope is one of the fastest paths to a credit-committee rejection.

Two EEA-resident executive directors, a regulator-approved MLRO, an independent compliance officer, and a board-level risk chair are now table stakes for a Tier-1 EU bank. Banks examine each individual through the lens of the Joint EBA/ESMA Guidelines on suitability — fitness, knowledge, experience, independence, time commitment. A flying-in MLRO and a board of three founders without an independent risk chair fails this dimension regardless of licence quality.

The AML programme is read line-by-line at the financial-crime committee. Banks expect: a written 30–80 page programme covering risk assessment, CDD/EDD, sanctions screening, transaction monitoring rules with documented thresholds, Travel Rule capability with a named provider, blockchain analytics integration with a named provider, MLRO appointment and approval evidence, and SAR-filing history. Generic templates lifted from EBA Guidelines without crypto-specific typology coverage are flagged on first review and downgrade the file to high-scrutiny.

Banks score customer base on three sub-dimensions: geographic split (where do customers reside), retail vs institutional (institutional-only is materially easier to bank), and KYC tier discipline. A CASP serving global retail customers without robust geographic restrictions is now an automatic decline at most Tier-1 EU banks. The right framing in the cover memo: 'EEA-resident retail with documented KYC tiers, plus EU-headquartered institutional clients' — backed by geographic-split evidence at submission.

Asset mix is the dimension where credible CASPs surprisingly fail. Bitcoin and major fiat-pegged stablecoins are easy. Privacy coins (Monero, Zcash) are an automatic decline at every Tier-1 EU bank in 2026. Tokens with sanctions nexus — through issuer, major holder, or smart-contract interaction with sanctioned addresses — fail asset-mix screening. Mixer-tainted asset support, even if the assets are technically permissible, is treated as a sanctions-risk amplifier.

Volume is double-edged. Too small and the AML overhead is not justified for the bank; too large and you become a concentration risk on the bank's own deposit book. The sweet spot for a mid-tier EU bank is €5–€50 million in monthly volume — large enough to generate meaningful revenue, small enough to not breach concentration limits. CASPs with €100M+ monthly volume face a different conversation entirely; banks at that scale require institutional-grade governance evidence and often refer to capital-markets counterparts.

The minimum capital test is straightforward — 18–24 months of operating capital plus prudential capital fully segregated and demonstrable. The harder test is source of funds. Capital arriving from offshore unregulated entities, capital with UBO chains touching FATF grey-list jurisdictions, and capital with undisclosed nominee structures all fail at this dimension. Banks expect bank statements plus a Big-4 or Tier-2 audit letter on the source-of-funds package.

Banks read the cover memo first. A serious cover memo is 8–15 pages, structured to map directly to the seven dimensions, and includes specific page references for the supporting evidence. The full file behind it follows a standard inventory.

• Dimension 1 — Pre-MiCA VASP-only registration without an active CASP application; limited-scope CASP authorisation oversold as full-scope.

• Dimension 2 — MLRO not regulator-pre-approved; non-resident directors; absence of independent compliance.

• Dimension 3 — Generic AML programme without crypto-specific typologies; no named Travel Rule provider; no named blockchain analytics provider.

• Dimension 4 — 'Global retail' customer description; KYC tiers light or limit-based.

• Dimension 5 — Privacy coins listed; tokens with documented sanctions exposure; mixer-tainted asset support.

• Dimension 6 — Volume projection without underlying customer commitments; concentration risk above the bank's appetite.

• Dimension 7 — Capital from offshore unregulated entities; undisclosed nominee structures; UBOs in FATF grey-list jurisdictions.

8–16 weeks at a Tier-1 EU bank for a clean file. The faster end (6–8 weeks) is for CASPs with regulator-pre-approved MLRO, named blockchain analytics and Travel Rule contracts in hand, and a coherent customer-base story. The slower end (16+ weeks) is where the file iterates through 2–3 rounds of gap-questions and an external diligence firm is engaged. Plan 12 weeks as the realistic working assumption; pad to 16 if you have any open authorisation conditions still being closed.

Dimension 4 — customer base — and dimension 7 — capital source — are the two highest-frequency rejection causes in 2026 onboarding files. Customer base because most CASPs underestimate how unwelcome 'global retail' is at credit committee; capital source because most founder-led structures have UBO disclosure gaps that surface only at fund-tracing diligence. Dimensions 1 and 2 (licence and governance) are easier to rectify pre-application; dimensions 4 and 7 require substantive structural decisions.

Marginally. A serious non-EU licence (VARA full licence, MAS Major Payment Institution, Hong Kong SFC VATP) evidences regulatory experience, but EU banks substantively diligence the EU-specific MiCA position separately. Operators with both a non-EU and an EU licence sometimes find the non-EU licence speeds up customer-base evidence (geographic diversification) without changing the core MiCA file requirements. The non-EU licence is supportive evidence, not a substitute.

Named, contracted, and operationally-deployed blockchain analytics and Travel Rule providers at submission. Files that name vendors and attach signed contracts skip three rounds of gap-questions; files that promise 'we will procure post-onboarding' enter immediate high-scrutiny review. The marginal cost of the analytics + Travel Rule contracts pre-onboarding is small; the time saving on diligence is material.

AMLR codifies harmonised CDD, EDD, and beneficial-ownership rules across all 27 member states. Banks already aligned to EBA Guidelines will not see major substantive change; banks running national-variation positions tighten toward the AMLR baseline. For CASP applicants, the practical effect is that AMLR-aligned AML programmes (drafted to AMLR text rather than national 6AMLD transposition) become the diligence baseline — a CASP file submitted in late 2026 should be drafted to AMLR rather than to legacy national text.

Yes, but only after material remediation. Rejected files sit in the bank's diligence record for 12–24 months at most institutions; reapplying without a documented remediation memo addressing the rejection grounds is rarely successful. The right interval is 9–18 months with explicit remediation evidence on the original rejection reason. In parallel, prioritise applications at 4–6 alternative institutions — single-bank concentration on the rejection reaction is itself a structural mistake.

• How to Get a Bank Account for a VASP or CASP: The 2026 banking playbook for regulated crypto firms

• MiCA Compliance Guide for CASPs: Authorisation walkthrough — capital, governance, supplier stack

• De-Banking Response Playbook for CASPs: What to do when your bank closes your account

• Multi-Bank Treasury Architecture for Regulated Fintechs: The four-layer model — operating, safeguarding, EMI rails, capital

Bank diligence on a CASP is structured, predictable, and pattern-rich. Banks evaluate seven dimensions in a fixed order; they reject for documented reasons that recur across files; they reward applicants who present evidence in the order the credit committee reads it. The CASPs that get banked in 2026 are the ones that built the diligence file before they applied — not the ones that started building it after the first round of gap-questions arrived.