Crypto firms have in the past taken advantage of fragmented European regulations to circumvent anti-money laundering (AML/CFT) controls. A recent and sharp report from the European Banking Authority (EBA) exposes these avoidance strategies. The central message: the new European regulation on crypto asset markets (MiCAR) is a powerful weapon, but it will only be effective if all national regulators in the EU are aligned and enforce the rules uniformly.
The crux of the problem: fragmented oversight
Before the introduction of MiCAR, the regulation of crypto assets was a patchwork of national rules. Some member states had strict licensing requirements, while others had looser registration requirements. This fragmentation was an open invitation for rogue or negligent parties to seek loopholes.
The EBA report identifies six core tactics that crypto firms have employed to evade AML/CFT supervision. These strategies remain a significant risk even under the new MiCAR regime if supervision is not harmonized.
1. Operating without a permit
The most direct strategy was to simply offer services in an EU member state without the required local registration or license. This often occurred from third countries (outside the EU) or even from another EU member state where they were licensed, but without the appropriate passporting rights (if any). Regulators noted that warnings and fines often had little effect, and that these entities ended their activities only after an explicit cease-and-desist order.
2. 'Forum shopping': looking for the weakest regulator
Entities that did seek a permit engaged in forum shopping. They submitted applications to multiple EU member states simultaneously, hoping to find a jurisdiction with a (supposedly) more lenient permitting policy or less stringent oversight. As soon as a regulator started asking critical questions, such as about AML controls, the company withdrew its application and tried again in another member state.
3. Abuse of 'reverse solicitation'
A common legal fiction is the invocation of "reverse solicitation." The crypto provider then claims that the EU customer has contacted it himself and on his own initiative, which would make the provider (usually based in a third country) not subject to EU rules. However, the EBA found that companies were pushing the boundaries of this by, for example, offering websites in the language of specific EU member states or using other marketing techniques that clearly amounted to active solicitation.
4. Weak internal AML/CFT controls and outsourcing
Even among licensed entities, the EBA found serious and recurring deficiencies in internal AML/CFT procedures. A notable trend is the outsourcing of crucial compliance tasks (such as customer due diligence and transaction monitoring) to entities within the same group, but located outside the EU. These "group policies" were often not adapted to specific EU requirements, and in practice the local EU office had little or no control over these outsourced processes.
In addition, there was often:
- High turnover and instability among AML/CFT Compliance Officers.
- Appointing part-time compliance officers who had to split their time across multiple institutions.
- Ignoring risks associated with DeFi (Decentralized Finance), where the crypto provider acted as an "on-ramp" and "off-ramp" without adequately assessing the risks.
5. Unclear ownership structures (UBOs)
The EBA warns of the widespread practice of using opaque and overly complex ownership structures. The use of multiple layers of companies, often offshore, made it extremely difficult for regulators to identify beneficial owners (UBOs). In one case, the same entity gave conflicting information about its owners and structure to regulators in different EU countries.
6. Complex group structures and linked entities
Linked to the previous point, companies used affiliated entities to stay under the radar. A troubling example: a VASP (Virtual Asset Service Provider) was not licensed in Member State A and was ordered to cease operations. This VASP then bought shares in another licensed VASP in the same country (just below the threshold for a "qualifying holding") and transferred its clients to that entity. Thus, in a roundabout way, it was still able to continue to serve the market and avoid supervision.
The new weapons arsenal: how MiCAR and AMLR are closing loopholes
The new European framework, with MiCAR and the strengthened AML/CFT package (including the AML Regulation), is specifically designed to address these problems.
- One European Passport: MiCAR replaces the 27 national regimes with one harmonized licensing procedure. A Crypto-Asset Service Provider (CASP) applies for a license in one member state and, once approved, may offer its services throughout the EU (via 'passporting'). This makes 'forum shopping' theoretically impossible.
- Strict 'reverse solicitation' rules: MiCAR codifies a very strict interpretation. Only services provided exclusively at the initiative of the customer are covered by the exception. Any marketing, direct or indirect (e.g., through influencers or affiliates), invalidates the exception.
- Higher transparency and governance requirements: MiCAR and AML rules impose strict "competence and reliability" requirements on directors and shareholders (UBOs). Complex and opaque structures designed to disguise control must be actively investigated and may prevent licensing.
A crucial warning: legislation is not enough
The EBA's report is more than a historical analysis; it is a clear warning for the future. The EBA emphasizes that the same risks and avoidance tactics will persist if MiCAR is not applied and enforced consistently across all member states.
A significant risk is the handling of 'legacy issues'. The EBA cites a troubling example where a VASP, which was already classified as 'high risk' under the old national law and where enforcement actions were pending, was nevertheless licensed shortly after MiCAR came into force.
If regulators are stricter in one state than another, the "forum shopping" simply shifts from "where do I apply for my registration?" to "where do I apply for my MiCAR passport?"
The EBA concludes that effective and constant information exchange between all national regulators (both within the EU and beyond) is essential. Only harmonized and coordinated supervision can ensure the integrity of the European crypto market.
Conclusion
The EBA report puts its finger on the problem. It illustrates how the crypto industry has exploited the EU's fragmented nature. MiCAR provides the legal framework to stop this, but its success hinges on the willingness of 27 national regulators to act as one. For crypto businesses, this means that the days of "regulatory arbitrage" are over; having a robust and watertight AML/CFT policy that demonstrably meets the strictest EU standards is no longer optional.

