Stay Updated on Crypto Compliance & Crypto Regulation in the EU
Stay informed about the latest events, webinars, and news on crypto compliance in the European Union. Join our community of compliance professionals and ensure your business stays ahead of regulatory changes.


Your Hub for Cryptocurrency Compliance in the European Union
Welcome to your go-to resource for all things related to crypto compliance in the EU. Here, you’ll find the latest news, upcoming events, and insightful webinars to keep you informed and compliant.
Recent News on Crypto Regulation in the EU
Stay up-to-date with the latest news articles, regulatory updates, and industry insights on crypto compliance in the EU.
On 11 June, Notabene hosted a panel of leading policy and compliance experts to take stock of MiCA's implementation journey and look ahead to what comes next. Here's what we heard.
The EU's crypto regulatory experiment has entered its final chapter. On 1 July 2026, MiCA's transitional period ends across all member states. From that date, crypto asset service providers operating in the EU must operate under full MiCA authorization — no exceptions.
At the same time, the European Commission has opened a targeted consultation asking a pointed question: is MiCA, as written today, still fit for purpose? The consultation covers stablecoins, DeFi, offshore CASPs, tokenization, and the relationship between MiCA and broader EU financial regulation — opening the door to MiCA 2.0, even before MiCA 1.0 has been fully implemented.
To make sense of this pivotal moment, Notabene's Director of Regulatory & Compliance, Catarina Veloso, hosted a panel of senior experts from Bitpanda, VASPnet, Chainalysis, and Fireblocks for an honest assessment of where we are and where we're going.
What MiCA Got Right
The panel kicked off on a positive note. Acknowledging that despite implementation friction, the framework itself has delivered something meaningful: a harmonized regulatory perimeter that replaced a fragmented patchwork of national regimes.
Neil Samtani, CEO of VASPnet, put it directly: before MiCA, firms operated across 27 different national registers, with wildly uneven supervisory maturity — "silver and gold plating" practices that prevented a level playing field . MiCA replaced that with a single standard, a clear route to market, and genuine access to the EU single market via passporting.
"Today we have a mature, harmonized regulatory perimeter that's been drawn out — and that's especially valuable when you compare it to what things looked like pre-MiCA. There is a clearer route to market, and especially access to the single market, which is so important." — Neil Samtani CEO, VASPnet
Michał Truszczyński from Bitpanda made the operational stakes concrete: before MiCA, Bitpanda held 17 separate licenses and registrations across EU member states. One MiCA license now replaces that entire stack.
Matthias Bauer-Langgartner from Chainalysis highlighted a less-discussed benefit: MiCA has forced traditional financial services firms to engage seriously with crypto for the first time. He sees banks, MiFID firms, and EMIs now exploring stablecoin arrangements, custody, and trading platforms — participation that simply didn't exist before the regulatory legitimacy MiCA provided. Beyond its impact on market participation within Europe, Bauer-Langgartner also emphasized MiCA's growing role as a reference point for crypto regulation globally.
"MiCA has provided a global standard that is the baseline of discussions for other jurisdictions — which is extremely important, particularly around crypto assets, which are inherently global. It's not only a common standard for Europe, it actually sets the baseline for the international community, particularly the US and other jurisdictions now." — Matthias Bauer-Langgartner Head of Policy Europe, Chainalysis
Dea Markova from Fireblocks pointed to evidence of this institutional adoption in the licensing data. In some EU markets, roughly half of all CASP and issuance licenses have gone to banks or bank-affiliated entities, underscoring how traditional financial institutions are embracing the opportunities created by MiCA. Markova also observed that MiCA has attracted significant non-European players who are choosing Europe precisely because of the regulatory certainty it provides. Large global crypto firms are increasingly selecting EU member states as their MiCA domicile — a vote of confidence in the framework despite the compliance burden.
The Numbers Behind the Transition
Drawing on VASPnet's tracking of crypto businesses' regulatory footprints across Europe, Neil painted a striking picture of consolidation. Pre-MiCA, there were approximately 3,500 active VASP registrations EU-wide. Today, 1,700 transitional registrations remain active across member states still inside the grandfathering window — and just over 220 full MiCA licenses have been issued. His projection: roughly 400 CASPs will hold MiCA licenses once the dust settles.

But Neil stressed that this should not be viewed simply as a shrinking market. While some businesses exited the market amid more challenging regulatory and commercial conditions, much of the reduction reflects regulatory consolidation enabled by passporting: firms that previously maintained multiple registrations across Europe can now serve the entire EU under a single MiCA license. The numbers have also been shaped by M&A activity, as larger firms acquire smaller operators.
With around 60% of CASP authorizations concentrated in just five jurisdictions — Germany, the Netherlands, France, Malta, and Cyprus — some observers have questioned whether MiCA is encouraging regulatory arbitrage or a race among member states to attract crypto firms. Matthias pushed back on any reading of this as a regulatory race to the bottom. The concentration in Germany, the Netherlands, France, Malta, and Cyprus — roughly 60% of CASP authorizations — is, in his view, a direct product of pre-MiCA history. Germany required banking licenses for crypto custody before MiCA existed; France ran a full DASP regime. Firms that were already operating inside a proper prudential framework had a materially easier path to MiCA authorization than firms accustomed to AML-only registration. The licensing map, in other words, largely reflects where regulatory infrastructure was already built. He also drew an important distinction between where firms are licensed and where crypto activity actually takes place.. Spain and Italy — countries with far fewer licensees — rank alongside the Netherlands in the top five for on-chain transactional inflows.
That gap is passporting working as intended, but it is also, as Matthias put it, precisely why supervisory convergence across member states matters. A firm can be domiciled in one jurisdiction and serve customers across the bloc. If the NCA in that jurisdiction is under-resourced or slower to act, the entire EU's consumer base carries the risk.
The Offshore CASP Problem
With full MiCA supervision beginning, one of the most urgent enforcement questions becomes: what happens to crypto firms that are not authorized and continue to serve EU customers?
Neil walked through research VASPnet conducted on the top 78 centralized exchanges:
- 8 held a MiCA license
- 20 were operating under at least one legacy member state registration
- 50 had no EU regulatory presence — but their terms of service didn't restrict European business
That last figure is the enforcement challenge. MiCA's reverse solicitation provisions are tight — Michał noted that even making a product available in EU app stores, in EU languages, or at EU-targeted conferences could constitute solicitation. But enforcement requires NCA capacity that varies significantly across member states.
Neil's read on Article 19B of the Transfer of Funds Regulation is particularly significant in this context: if an EU-licensed CASP is transferring value to an offshore firm, that relationship carries correspondent-level due diligence obligations. In other words, the Travel Rule isn't just a compliance checkbox — it's becoming a mechanism to map and contain the offshore CASP problem from within the authorized perimeter.
The MiCA Review: Fine-Tuning or Major Overhaul?
Here the panel's views were nuanced — and the audience's poll result was revealing.

When asked whether MiCA 2 is on the horizon, a clear majority of the audience expected a legislative follow-on.
Michał's reaction: Bitpanda would vote no on a major MiCA 2.0 overhaul.
"MiCA itself has 150 pages. The 47 implementing acts beneath it run to 2,000–3,000 pages. Add TFR and DORA, and you're looking at 5,000 to 10,000 pages of compliance reading in an industry that moves at pace. The ask from industry isn't a new framework — it's simplification and supervisory convergence."— Michał Truszczyński Senior Specialist Public Affairs, Bitpanda
The panel broadly agreed that the priority should be fine-tuning at levels 2 and 3. There are 47 implementing acts beneath MiCA's level 1 text — and beyond MiCA, firms must also contend with TFR and DORA running in parallel. The ask from industry isn't a new framework — it's simplification, coherence, and supervisory convergence across member states.
With firms and regulators still adapting to MiCA, launching a new legislative process too soon could create uncertainty, divert resources from implementation, and risk disrupting a framework that is only beginning to deliver the benefits of regulatory harmonization. The consensus was that Europe should focus first on making MiCA 1 work as intended before considering a more ambitious second phase of reform.
The Stablecoin Question
Euro-denominated stablecoins were a key discussion topic for the panel — and to ground the conversation in live audience sentiment, we put a question drawn directly from the Commission's consultation to the room:

The results didn't go unchallenged. Dea pushed back on the skeptical reading. While acknowledging that domestic payments within the Eurozone don't have much friction, with SEPA and instant payments regulation having done significant work, the case for euro stablecoins, she argued, is strongest elsewhere: cross-border and programmable payment contexts, intraday yield, AI-native payment flows, and tokenized money market fund access all become meaningfully easier with a euro-denominated on-chain asset.
By creating efficient, regulated payment rails between Europe and key international corridors, euro stablecoins could allow more value to move directly in euros rather than requiring conversion into dollars or local currencies at multiple points in a transaction. In that sense, stablecoins could strengthen the international role of the euro by embedding it more deeply into digital payment infrastructure.
Matthias agreed with the direction but noted the scale reality: less than 0.5% of on-chain crypto activity is currently denominated in euros. The deepest, most liquid pools remain dollar-denominated. The opportunity for euro stablecoins is real, but demand and liquidity still have a long way to go before they can rival the dollar's dominance.
The Multi-Issuance Debate
Closely related is the multi-issuance question: can the same stablecoin be issued through separate legal entities in different jurisdictions, and how does that interact with MiCA's reserve, redemption, and supervision requirements?
Matthias framed the multi-issuance debate as one of MiCA's most difficult unresolved questions: how to preserve the global utility and fungibility of stablecoins while maintaining European supervisory standards and consumer protections. He noted that stablecoins are inherently global instruments, with cross-border payments among their clearest use cases, yet MiCA must also account for concerns around monetary sovereignty, reserve location, and redemption rights for EU holders. Splitting a stablecoin into separate EU and non-EU versions may look attractive from a supervisory perspective, but in practice it risks fragmenting liquidity, duplicating smart contract infrastructure, and making the token less useful across both DeFi and centralized markets. For Matthias, the challenge is supervising global stablecoins without undermining the very cross-border functionality that makes them valuable. Enhanced supervisory cooperation, such as the recent EBA–NYDFS memorandum of understanding, may be an important step toward that balance, but the path to globally usable, well-supervised stablecoins remains complex.
What Comes Next
Two important milestones now sit directly ahead of the industry. On July 1, MiCA's grandfathering period comes to an end across the EU, closing the transition window that allowed firms to continue operating under pre-MiCA national registrations. At the same time, the European Commission's consultation on the future evolution of MiCA remains open until 31 August, inviting industry feedback on everything from stablecoins and global issuance models to DeFi, staking, and tokenized deposits.
As Michał explained, the expiry of the grandfathering period should bring the market closer to a true level playing field. Firms operating in the EU are expected to be authorized under MiCA, reducing the inconsistencies that existed under the previous patchwork of national regimes.
The next test is supervision. Michał emphasized that tighter enforcement will be essential, but also acknowledged that this remains new territory for national competent authorities. NCAs differ in resources, risk appetite, and supervisory focus, and the interaction between home and host member states — and with ESMA — will become increasingly important.
The consultation raises a different but connected question: how much MiCA should now evolve. Dea's view is MiCA should be improved, not reinvented. The first draft was written roughly six years ago, in response to a very different market environment. Since then, particularly in payments, use cases for stablecoins have become far more concrete. For Dea, that makes the consultation a timely opportunity to be somewhat bolder in revisiting the payments titles, while preserving MiCA's broader architecture.
The panel's message was consistent: the priority is to make MiCA work in practice, while using the consultation to identify targeted improvements where experience has exposed genuine gaps.
Watch the full webinar on demand → https://notabene.id/webinars/from-transition-to-transformation-mica-grandfathering-ends
Today marks the half-year anniversary of the European Union’s Transfer of Funds Regulation (TFR). As we reach the mid of 2025, it’s worth looking back at the path that shaped today's regulatory reality. The year 2023 was defined by the entry into force of the Travel Rule in the UK. In 2024, the EU followed suit. Now, six months into this new phase, the time is ripe to assess the progress of the TFR, draw comparisons with the UK’s experience, and uncover the lessons that can guide the effective implementation of Travel Rule regimes.
What the Data Tells Us
In 2023, our team at Notabene was fully mobilized to prepare the UK crypto industry for the arrival of the Travel Rule compliance, set to take effect on September 1, 2023. We engaged across multiple fronts: running testnets with cohorts of VASPs under the FCA's regulatory sandbox, co-chairing the Travel Rule working group within CryptoUK, and participating in numerous industry events, both as hosts and speakers.

By year’s end, true to our usual practice, we started examining the results of our annual State of Crypto Travel Rule Survey. It was one of those gratifying moments when the effort feels justified: the data showed that 100% of UK respondents reported being compliant with the Travel Rule, a clear signal that industry readiness had been achieved.
In 2024, with equal dedication, we turned our focus to supporting the rollout of the Travel Rule across the European Union. Our approach was similarly comprehensive: we published detailed guides, launched an in-depth certification course dedicated to EU Travel Rule requirements, delivered a three-part webinar series covering the regulations, hosted an EU-wide testnet for CASPs and regulators, and ran a series of targeted workshops for our customers.

Yet, when we reviewed the latest survey data, the results were surprising. Despite the significant groundwork, 71.2% of EU respondents indicated they were not yet compliant with the Travel Rule, with 40.4% identifying the first quarter of 2025 as their intended compliance timeline.

These figures stood in contrast to the momentum we observed within our own Network. In the months leading up to the TFR’s enforcement date of December 30th, 2024, we witnessed a marked increase in Travel Rule activation among EU CASPs. Between January 2024 and January 2025, transaction volumes originating from EU entities on the Notabene network surged by 200x, compared to the 8x growth seen in non-EU originated volumes over the same period. This contrast reflects the significant role the EU Transfer of Funds Regulation in catalyzing Travel Rule adoption within our network.
However, looking beyond our immediate ecosystem, it is clear that the UK rollout achieved a higher degree of readiness at an earlier stage. With children, we often say that each develops at their own pace and should not be compared. But with regulatory frameworks, understanding why one implementation advanced more rapidly than another can offer valuable insights.
With that in mind, the following sections explore how the UK and EU approaches diverge. We’ll examine their defining features, points of friction, and attempt to trace the root causes behind the differences in industry readiness.
The Road to Travel Rule Implementation: Centralised in the EU and Industry-led in the UK
🇬🇧 UK
When the UK implemented the Travel Rule on September 1, 2023, it followed a legislative and regulatory process that deliberately placed industry expertise at the centre.
The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 (MLRs) introduced Travel Rule obligations for crypto firms registered with the FCA, covering both inter-cryptoasset transfers and unhosted wallet transactions.
What set the UK approach apart was the collaborative model that followed. The Joint Money Laundering Steering Group (JMLSG), a private sector body made up of UK financial trade associations, led the drafting of practical guidance for firms. To support the efforts by JMLSG, CryptoUK established a dedicated Travel Rule working group, co-chaired by Notabene, bringing together compliance officers, legal experts, and operational teams to directly work with JMLSG to shape the guidance based on day-to-day implementation realities.
This industry-developed guidance was reviewed and validated by the FCA and HM Treasury, ensuring alignment with regulatory expectations while keeping operational challenges front and centre.
Furthermore, in August 2023, just before the rule took effect, the FCA published targeted guidance to clarify issues raised during the grace period, most notably the “sunrise issue” involving transactions with jurisdictions that had not yet adopted the Travel Rule.
The result was a regulatory framework supported by practical, actionable guidance.
This collaborative process - combining early regulatory engagement and industry ownership - played a decisive role in the UK achieving high levels of readiness by the time the Travel Rule came into force.
🇪🇺 EU
The EU set out to tackle a far more ambitious task than the UK: introducing uniform Travel Rule obligations across all 27 Member States through a single, binding regulation. This was achieved via the recast of Regulation (EU) 2015/847, better known as the Transfer of Funds Regulation (TFR), which was formally adopted on May 31, 2023 to extend the Travel Rule to crypto transfers.
The creation of detailed implementation guidelines was primarily led by the European Banking Authority (EBA).
The EBA made several efforts to incorporate industry perspectives. A public consultation on the Travel Rule Guidelines launched on November 24, 2023, alongside public hearings and the formation of Technical Expert Groups (TEGs)—which included industry representatives like Notabene.
However, unlike the UK’s process, where industry actors drafted the practical guidance with regulatory validation, in the EU it was the reverse: regulators drafted the guidelines, and the industry was invited to provide feedback along the way. While this structure provided transparency and some opportunity for dialogue, it inevitably limited the extent to which day-to-day operational challenges of CASPs could shape the final rules.
Takeaway
Guidance developed by industry practitioners and backed by regulatory oversight delivers the hands‑on, pragmatic advice firms need for readiness. In contrast, a top‑down model can miss key nuances encountered in day‑to‑day operations.
Using Grace Periods Strategically
| Jurisdiction | Legislation Published | Entry into Force | Grace Period Length |
| UK 🇬🇧 | July 21, 2022 | September 1, 2023 | 13 months, 11 days |
| EU 🇪🇺 | May 31, 2023 | December 30, 2024 | 18 months, 30 days (approx. 19 months) |
EU CASPs were granted nearly six additional months to prepare compared to their UK counterparts. A long grace period in the EU was the right approach given the complexity of implementing uniform requirements across 27 Member States.
However, based on our experience, the length of a grace period is far less important than how that time is used. A grace period should serve as structured preparation time for both regulators and industry, particularly with the Travel Rule, which directly affects transaction flows, operational processes, and customer experience.
🇬🇧 UK
The UK offers a textbook example of this. Throughout the 13-month grace period, the FCA worked closely with the industry. This started with the acceptance of Notabene's Travel Rule testnets into the FCA regulatory sandbox. This hands-on engagement allowed the FCA to better understand the technical and operational nuances of implementing Travel Rule programs. The FCA also conducted targeted outreach to VASPs, requesting detailed implementation plans and offering feedback based on insights gained from the testnets. As a result, potential gaps were identified early and firms had time to adjust, which led to the high compliance rates we saw post-deadline.
🇪🇺 EU
It would be unrealistic to expect the same degree of coordinated engagement across the EU, where the regulation had to be rolled out simultaneously across 27 jurisdictions and regulatory bodies. However, the grace period fell short even in resolving fundamental questions - for example, when exactly do Travel Rule obligations start to apply?
Even after the Travel Rule formally entered into force on December 30, 2024, confusion persisted among industry participants:
- Some CASPs misinterpreted the transitional period outlined in the EBA Guidelines, assuming it postponed Travel Rule obligations entirely until 31 July 2025. In reality, this period only allows temporary technical limitations in solutions, but full compliance with the TFR is expected regardless of technical limitations.
- Others argued that the TFR only applies once a CASP obtains full authorisation under MiCA, meaning firms operating under transitional arrangements were exempt. The EBA explicitly rejected this interpretation in its July 2024 response to public comments, stating:
"The EBA stresses that non-compliance with Regulation (EU) 2023/1113 is not accepted."
Takeaway
The UK experience offers a clear takeaway: the success of a regulatory rollout is not defined by how long the grace period is, but by how strategically that time is used. The UK's collaborative, proactive use of its grace period - bringing together regulators and industry to stress-test real-world implementation - was instrumental in achieving early, widespread readiness.
Managing Self‑Hosted Wallets: Risk‑Based Principles or Prescriptive Rules?
🇬🇧 UK
The UK has adopted a non-prescriptive, principles-based approach to regulating interactions with self-hosted wallets, built around risk assessments and operational discretion. Under Regulation 64G(2) of the MLRs, crypto-asset businesses (CBs) are required to assess the risks associated with unhosted wallet transactions and determine whether collecting additional customer information is appropriate.
The JMLSG provides further operational guidance, encouraging CBs to seek additional information when dealing with self-hosted wallets in higher-risk situations. Factors such as transaction size, frequency, and the overall customer relationship inform these assessments. Where higher risks are identified, CBs are expected to apply enhanced due diligence, which may include verifying control over the self-hosted wallet using mechanisms such as micro-deposits or cryptographic signatures.
Crucially, the UK’s framework avoids imposing rigid or overly prescriptive requirements. This allows CBs to adjust their controls based on risk assessments. As a result, UK market participants have largely maintained the ability to support these types of transactions while remaining compliant and adopting robust risk-mitigation policies.
🇪🇺 EU
The EU has taken a more prescriptive stance toward regulating self-hosted wallets, with obligations set out in the TFR and further operational detail provided by the EBA Travel Rule Guidelines.
Under the TFR, crypto-asset transfers involving self-hosted wallets are subject to escalating requirements based on transaction size. For transactions exceeding €1,000, CASPs must verify that their customer owns or controls the receiving self-hosted wallet. The EBA Guidelines elaborate on this obligation by providing a non-exhaustive list of acceptable verification methods, while also making clear that at least one method must be applied in all applicable cases.
A key source of market friction stems from the disconnect between the TFR’s legislative text and the EBA guidelines in what concerns third-party self-hosted wallet transfers. While the TFR does not explicitly impose verification requirements for transactions involving third-party self-hosted wallets, the EBA Guidelines extend obligations to these transactions, creating expectations for due diligence that many CASPs find impractical or disproportionate to implement.
The result has been a marked trend toward de-risking within the EU. According to Notabene's 2025 State of Crypto Travel Rule Report, VASPs in the EU are 55% more likely to prohibit transactions with self-hosted wallets compared to the global average, reflecting a significant de-risking trend driven by regulatory uncertainty. Faced with operational uncertainty and the high cost of compliance, 15.4% of EU-based VASPs have implemented complete prohibitions on such transactions, compared to a global average of 9.9%.

Takeaway
In this rapidly evolving industry, prescriptive rules often struggle to keep pace with technological change, leading to unintended consequences such as market exclusion and de-risking. The UK's principles-based, risk-driven approach to regulating self-hosted wallets demonstrates how flexible frameworks can promote compliance without stifling innovation or market participation. By contrast, the EU's more prescriptive model has amplified operational uncertainty, prompting many VASPs to restrict legitimate transactions to avoid having to navigate complex, often impractical requirements. Striking the right balance between risk mitigation and operational feasibility requires regulation that empowers firms to apply proportionate and evolving controls.
Counterparty Due Diligence Obligations: All or Nothing?
🇬🇧 UK
In the UK, Counterparty VASP Due Diligence (CVDD) is not explicitly required under the Travel Rule, nor is it addressed in the JMLSG or FCA guidance. This was a conscious decision by UK regulators, who determined that existing frameworks such as data privacy laws and sanctions compliance already provide sufficient oversight. The UK’s approach aims to avoid introducing additional, potentially duplicative obligations that could complicate compliance without clear added benefit.
While this streamlined framework reduces regulatory burden, the lack of specific CVDD guidance may create operational uncertainty for VASPs.
🇪🇺 EU
In contrast, Article 38 of the EU’s TFR amends the 4th Anti-Money Laundering Directive (AMLD4) to expand the definition of correspondent relationships and explicitly include those established for transactions or transfers in crypto-assets. Recital 60 further clarifies that relationships between CASPs and third-country entities executing crypto-asset transfers share similarities with correspondent banking relationships and should be subject to enhanced due diligence measures similar in principle to those applied in traditional banking.
The EBA further issued the EBA/GL/2024/01 Guidelines to specify firms’ obligations where the respondent or its customers are providers of services in crypto-assets, other than CASPs authorised under MiCA, or where they are deemed to present an increased ML/TF risk.
Takeaway
The UK's decision to avoid prescriptive Counterparty VASP Due Diligence (CVDD) requirements reflects a desire to avoid duplicating existing oversight mechanisms. However, the absence of explicit CVDD expectations in the Travel Rule context can create operational uncertainty for VASPs navigating cross-border interactions.
Conversely, the EU’s approach imposes comprehensive CVDD obligations rooted in correspondent banking standards. As the FATF itself acknowledges, Travel Rule compliance requires a more proportionate approach. Unlike in the banking sector, many cross-border VASP-to-VASP transfers happen without an established, ongoing relationship, making traditional correspondent banking due diligence ill-suited in this context.
Neither extreme - a complete absence of guidance nor rigid, banking-style obligations - proves effective. Instead, CVDD requirements should be proportionate and aligned with the realities of the crypto-asset sector.
Reporting Non-compliant Counterparties
🇬🇧 UK
Beneficiary and intermediary CBs are required to report repeated failures by counterparties to provide required Travel Rule information to the FCA. Reporting must include details of both the non-compliance and the remedial steps taken. The UK applies a risk-based approach, allowing firms to determine what constitutes “repeated failure” based on transaction volumes, size, or frequency.
By the time the Travel Rule regulations came into force, formal processes for reporting non-compliant counterparties had not yet been established by the FCA. These procedures are currently being rolled out in the UK.
🇪🇺 EU
In the EU, Article 17(2) of the TFR mandates that CASPs assess whether non-compliance is repeated, using both quantitative criteria (e.g., percentage of missing data transfers, unanswered follow-ups) and qualitative criteria (e.g., cooperation level, reasons for non-provision).
If repeated non-compliance is identified, CASPs must report repeatedly non-compliant counterparties to the relevant AML/CTF authority within three months. Reports should include details on the VASP’s identity, the nature and frequency of breaches, explanations given, and actions taken.
Similarly to the UK, EU CASPs faced uncertainty as the Travel Rule entered into force without clear reporting processes fully established by regulators. The operationalization of these requirements is now underway in key markets like Germany.
Takeaway
Both the UK and EU frameworks mandate reporting non-compliant counterparties as a key enforcement mechanism. However, the absence of established reporting processes at the regulation’s start created uncertainty for VASPs in both regions. While the UK is now actively rolling out clearer reporting protocols, EU jurisdictions still face fragmented implementation.
According to the Notabene State of Travel Rule Report, only 32.7% of EU respondents are prepared to report non-compliant counterparties, including 26.9% who have set up reporting processes but have yet to use them. Actual reporting is low, at just 5.8%, likely reflecting regulatory ambiguity and operational challenges. Additionally, 15.4% of respondents indicate a lack of clear guidance in their jurisdiction.

This highlights the need for streamlined procedures to enable VASPs to fulfil reporting obligations effectively.
Lessons Learned
As we mark six months since the Travel Rule came into force in the EU and reflect on the UK’s earlier experience, several clear lessons emerge from the comparative rollout of these pivotal regulations:
- Industry‑Led Operational Guidance Drives Readiness
Regulatory frameworks grounded in operational realities succeed. Industry practitioners are well positioned to lead the drafting of practical implementation guidelines, with regulators providing validation and oversight. This collaborative model yields actionable, context-sensitive rules that help firms achieve compliance more effectively.
- Grace Periods Work Only When Used Strategically
The duration of a grace period is far less important than how the time is utilised. Structured, ongoing engagement between regulators and industry is critical to turning a grace period into a true window of preparation rather than merely a delay.
- Principles-Based, Risk-Driven Approaches Outperform Rigid Prescription
In fast-evolving sectors like crypto-assets, flexible, risk-based frameworks outperform one-size-fits-all mandates. Such principles-led approaches enable firms to calibrate controls proportionate to risks, fostering compliance without stifling innovation or excluding legitimate market participants.
- Feasibility of Implementation Is Key to Compliance
Regulatory mandates that are operationally impractical - such as the overly stringent obligations for third-party self-hosted wallets or unclear procedures for reporting non-compliant counterparties - drive firms toward non-compliance or excessive de-risking. Clear, feasible requirements and well-established processes are essential to avoid unintended consequences that undermine regulatory goals.
A combination of principle-based legislative mandates, industry-crafted operational playbooks, and purposeful, collaborative transition periods is key to building effective frameworks that serve both regulatory goals and industry realities, turning compliance from a challenge into a foundation for sustainable innovation and trust.
Today, the European Banking Authority (EBA) released an explainer entitled Preventing Money Laundering and Terrorism Financing in the EU’s Crypto-Assets Sector. As the crypto landscape evolves, the EU is tightening its grip on compliance with the introduction of MiCAR (Markets in Crypto-Assets Regulation) and its accompanying AML/CFT rules, including the Transfer of Funds Regulation (TFR).
One common misconception among crypto-asset service providers (CASPs) is that MiCAR includes a “grandfathering” exemption under the new European Travel Rule.
Let’s set the record straight: this is definitively not the case.
▶︎ Watch this special video message from Lana Schwartzman, Head of Regulatory & Compliance at Notabene, explaining why compliance with TFR is so important, as what consequences may face CASPs that fail to comply.
What Does Article 143(3) of MiCAR Really Say?
The much-discussed Article 143(3) states:
“Crypto-asset service providers that provided their services in accordance with applicable law before 30 December 2024, may continue to do so until 1 July 2026 or until they are granted or refused an authorization pursuant to Article 63, whichever is sooner.”
At first glance, this might appear to grant a blanket reprieve for CASPs operating before the cut-off date. In reality, the provision is far more limited in scope.
What This Provision Actually Means
While this transitional clause provides a limited window for CASPs to continue operating while applying for MiCAR authorization, it is not a free pass to avoid compliance. CASPs operating under existing frameworks—such as AMLD (Anti-Money Laundering Directive) or domestic AML/CFT regimes—must still adhere to all applicable AML/CFT requirements and that includes the Regulation (EU) 2023/1113, also know as the Transfer of Funds Regulation (TFR).
In simple terms:
- Yes, CASPs can keep operating during the transitional period.
- No, this does not exempt them from complying with the updated AML/CFT framework (including TFR).
The same stringent rules that apply to credit and financial institutions also apply to “grandfathered” CASPs.

The Travel Rule is Here to Stay
A major component of these regulations is the European Travel Rule, requiring CASPs to ensure that crypto transfers include comprehensive information about both originators and beneficiaries with the goal of preventing illicit activities like money laundering and terrorist financing in the crypto ecosystem and reporting it. This rule is non-negotiable and applies equally to CASPs during the transitional period.
Furthermore, CASPs engaging in transactions with self-hosted wallets or operating across borders will need to implement robust measures to trace and verify transfers.
Why Compliance Matters Now
While the transitional period may offer some operational flexibility, CASPs that delay in meeting compliance requirements risk jeopardizing their long-term viability. Here’s why:
- Increased Scrutiny: The EBA and upcoming EU AML Authority are tasked with enforcing strict compliance.
- Reputation at Stake: Operating without adherence to AML/CFT standards could harm trust with customers, partners, and regulators. As a matter of fact, we published earlier this year the results of our State of Crypto Travel Rule Report which showed from the survey that 66% of VASPs restrict withdrawals that do not comply with Travel Rule requirements
- Operational Risks: Failure to comply could lead to service suspension, fines, or denial of authorization.

For more on the risks of not complying with TFR, read our recent article on the Consequences of Non-Compliance with EU's Travel Rule After December 30th.
The Path Forward for CASPs
For CASPs looking to thrive under the new regime:
- Act Now: Begin implementing Travel Rule solutions and robust AML/CFT measures immediately.
- Understand the Framework: Familiarize yourself with MiCAR, Regulation (EU) 2023/1113, and the EBA Travel Rule Guidelines.
- Prepare for Licensing: Gather the necessary documentation and establish a compliance-first culture to streamline your MiCAR authorization process.
Debunking the Myth
The takeaway is clear: there is no blanket “grandfathering clause” exempting CASPs from compliance. The transitional provision simply ensures continuity while maintaining full AML/CFT obligations.
As the compliance deadline of December 30, 2024 approaches, proactive measures will separate the leaders from those left scrambling to catch up. The time to act is now—ensure your operations are Travel Rule-ready and compliant with the evolving regulatory landscape.
Let’s work together to build a safe, compliant, and thriving crypto ecosystem in the EU. 🌍
FATF Travel Rule Requirements in the European Union

Resources for Crypto Compliance
Explore our collection of whitepapers, case studies, and guides to deepen your understanding of crypto compliance in the EU.
On 11 June, Notabene hosted a panel of leading policy and compliance experts to take stock of MiCA's implementation journey and look ahead to what comes next. Here's what we heard.
The EU's crypto regulatory experiment has entered its final chapter. On 1 July 2026, MiCA's transitional period ends across all member states. From that date, crypto asset service providers operating in the EU must operate under full MiCA authorization — no exceptions.
At the same time, the European Commission has opened a targeted consultation asking a pointed question: is MiCA, as written today, still fit for purpose? The consultation covers stablecoins, DeFi, offshore CASPs, tokenization, and the relationship between MiCA and broader EU financial regulation — opening the door to MiCA 2.0, even before MiCA 1.0 has been fully implemented.
To make sense of this pivotal moment, Notabene's Director of Regulatory & Compliance, Catarina Veloso, hosted a panel of senior experts from Bitpanda, VASPnet, Chainalysis, and Fireblocks for an honest assessment of where we are and where we're going.
What MiCA Got Right
The panel kicked off on a positive note. Acknowledging that despite implementation friction, the framework itself has delivered something meaningful: a harmonized regulatory perimeter that replaced a fragmented patchwork of national regimes.
Neil Samtani, CEO of VASPnet, put it directly: before MiCA, firms operated across 27 different national registers, with wildly uneven supervisory maturity — "silver and gold plating" practices that prevented a level playing field . MiCA replaced that with a single standard, a clear route to market, and genuine access to the EU single market via passporting.
"Today we have a mature, harmonized regulatory perimeter that's been drawn out — and that's especially valuable when you compare it to what things looked like pre-MiCA. There is a clearer route to market, and especially access to the single market, which is so important." — Neil Samtani CEO, VASPnet
Michał Truszczyński from Bitpanda made the operational stakes concrete: before MiCA, Bitpanda held 17 separate licenses and registrations across EU member states. One MiCA license now replaces that entire stack.
Matthias Bauer-Langgartner from Chainalysis highlighted a less-discussed benefit: MiCA has forced traditional financial services firms to engage seriously with crypto for the first time. He sees banks, MiFID firms, and EMIs now exploring stablecoin arrangements, custody, and trading platforms — participation that simply didn't exist before the regulatory legitimacy MiCA provided. Beyond its impact on market participation within Europe, Bauer-Langgartner also emphasized MiCA's growing role as a reference point for crypto regulation globally.
"MiCA has provided a global standard that is the baseline of discussions for other jurisdictions — which is extremely important, particularly around crypto assets, which are inherently global. It's not only a common standard for Europe, it actually sets the baseline for the international community, particularly the US and other jurisdictions now." — Matthias Bauer-Langgartner Head of Policy Europe, Chainalysis
Dea Markova from Fireblocks pointed to evidence of this institutional adoption in the licensing data. In some EU markets, roughly half of all CASP and issuance licenses have gone to banks or bank-affiliated entities, underscoring how traditional financial institutions are embracing the opportunities created by MiCA. Markova also observed that MiCA has attracted significant non-European players who are choosing Europe precisely because of the regulatory certainty it provides. Large global crypto firms are increasingly selecting EU member states as their MiCA domicile — a vote of confidence in the framework despite the compliance burden.
The Numbers Behind the Transition
Drawing on VASPnet's tracking of crypto businesses' regulatory footprints across Europe, Neil painted a striking picture of consolidation. Pre-MiCA, there were approximately 3,500 active VASP registrations EU-wide. Today, 1,700 transitional registrations remain active across member states still inside the grandfathering window — and just over 220 full MiCA licenses have been issued. His projection: roughly 400 CASPs will hold MiCA licenses once the dust settles.

But Neil stressed that this should not be viewed simply as a shrinking market. While some businesses exited the market amid more challenging regulatory and commercial conditions, much of the reduction reflects regulatory consolidation enabled by passporting: firms that previously maintained multiple registrations across Europe can now serve the entire EU under a single MiCA license. The numbers have also been shaped by M&A activity, as larger firms acquire smaller operators.
With around 60% of CASP authorizations concentrated in just five jurisdictions — Germany, the Netherlands, France, Malta, and Cyprus — some observers have questioned whether MiCA is encouraging regulatory arbitrage or a race among member states to attract crypto firms. Matthias pushed back on any reading of this as a regulatory race to the bottom. The concentration in Germany, the Netherlands, France, Malta, and Cyprus — roughly 60% of CASP authorizations — is, in his view, a direct product of pre-MiCA history. Germany required banking licenses for crypto custody before MiCA existed; France ran a full DASP regime. Firms that were already operating inside a proper prudential framework had a materially easier path to MiCA authorization than firms accustomed to AML-only registration. The licensing map, in other words, largely reflects where regulatory infrastructure was already built. He also drew an important distinction between where firms are licensed and where crypto activity actually takes place.. Spain and Italy — countries with far fewer licensees — rank alongside the Netherlands in the top five for on-chain transactional inflows.
That gap is passporting working as intended, but it is also, as Matthias put it, precisely why supervisory convergence across member states matters. A firm can be domiciled in one jurisdiction and serve customers across the bloc. If the NCA in that jurisdiction is under-resourced or slower to act, the entire EU's consumer base carries the risk.
The Offshore CASP Problem
With full MiCA supervision beginning, one of the most urgent enforcement questions becomes: what happens to crypto firms that are not authorized and continue to serve EU customers?
Neil walked through research VASPnet conducted on the top 78 centralized exchanges:
- 8 held a MiCA license
- 20 were operating under at least one legacy member state registration
- 50 had no EU regulatory presence — but their terms of service didn't restrict European business
That last figure is the enforcement challenge. MiCA's reverse solicitation provisions are tight — Michał noted that even making a product available in EU app stores, in EU languages, or at EU-targeted conferences could constitute solicitation. But enforcement requires NCA capacity that varies significantly across member states.
Neil's read on Article 19B of the Transfer of Funds Regulation is particularly significant in this context: if an EU-licensed CASP is transferring value to an offshore firm, that relationship carries correspondent-level due diligence obligations. In other words, the Travel Rule isn't just a compliance checkbox — it's becoming a mechanism to map and contain the offshore CASP problem from within the authorized perimeter.
The MiCA Review: Fine-Tuning or Major Overhaul?
Here the panel's views were nuanced — and the audience's poll result was revealing.

When asked whether MiCA 2 is on the horizon, a clear majority of the audience expected a legislative follow-on.
Michał's reaction: Bitpanda would vote no on a major MiCA 2.0 overhaul.
"MiCA itself has 150 pages. The 47 implementing acts beneath it run to 2,000–3,000 pages. Add TFR and DORA, and you're looking at 5,000 to 10,000 pages of compliance reading in an industry that moves at pace. The ask from industry isn't a new framework — it's simplification and supervisory convergence."— Michał Truszczyński Senior Specialist Public Affairs, Bitpanda
The panel broadly agreed that the priority should be fine-tuning at levels 2 and 3. There are 47 implementing acts beneath MiCA's level 1 text — and beyond MiCA, firms must also contend with TFR and DORA running in parallel. The ask from industry isn't a new framework — it's simplification, coherence, and supervisory convergence across member states.
With firms and regulators still adapting to MiCA, launching a new legislative process too soon could create uncertainty, divert resources from implementation, and risk disrupting a framework that is only beginning to deliver the benefits of regulatory harmonization. The consensus was that Europe should focus first on making MiCA 1 work as intended before considering a more ambitious second phase of reform.
The Stablecoin Question
Euro-denominated stablecoins were a key discussion topic for the panel — and to ground the conversation in live audience sentiment, we put a question drawn directly from the Commission's consultation to the room:

The results didn't go unchallenged. Dea pushed back on the skeptical reading. While acknowledging that domestic payments within the Eurozone don't have much friction, with SEPA and instant payments regulation having done significant work, the case for euro stablecoins, she argued, is strongest elsewhere: cross-border and programmable payment contexts, intraday yield, AI-native payment flows, and tokenized money market fund access all become meaningfully easier with a euro-denominated on-chain asset.
By creating efficient, regulated payment rails between Europe and key international corridors, euro stablecoins could allow more value to move directly in euros rather than requiring conversion into dollars or local currencies at multiple points in a transaction. In that sense, stablecoins could strengthen the international role of the euro by embedding it more deeply into digital payment infrastructure.
Matthias agreed with the direction but noted the scale reality: less than 0.5% of on-chain crypto activity is currently denominated in euros. The deepest, most liquid pools remain dollar-denominated. The opportunity for euro stablecoins is real, but demand and liquidity still have a long way to go before they can rival the dollar's dominance.
The Multi-Issuance Debate
Closely related is the multi-issuance question: can the same stablecoin be issued through separate legal entities in different jurisdictions, and how does that interact with MiCA's reserve, redemption, and supervision requirements?
Matthias framed the multi-issuance debate as one of MiCA's most difficult unresolved questions: how to preserve the global utility and fungibility of stablecoins while maintaining European supervisory standards and consumer protections. He noted that stablecoins are inherently global instruments, with cross-border payments among their clearest use cases, yet MiCA must also account for concerns around monetary sovereignty, reserve location, and redemption rights for EU holders. Splitting a stablecoin into separate EU and non-EU versions may look attractive from a supervisory perspective, but in practice it risks fragmenting liquidity, duplicating smart contract infrastructure, and making the token less useful across both DeFi and centralized markets. For Matthias, the challenge is supervising global stablecoins without undermining the very cross-border functionality that makes them valuable. Enhanced supervisory cooperation, such as the recent EBA–NYDFS memorandum of understanding, may be an important step toward that balance, but the path to globally usable, well-supervised stablecoins remains complex.
What Comes Next
Two important milestones now sit directly ahead of the industry. On July 1, MiCA's grandfathering period comes to an end across the EU, closing the transition window that allowed firms to continue operating under pre-MiCA national registrations. At the same time, the European Commission's consultation on the future evolution of MiCA remains open until 31 August, inviting industry feedback on everything from stablecoins and global issuance models to DeFi, staking, and tokenized deposits.
As Michał explained, the expiry of the grandfathering period should bring the market closer to a true level playing field. Firms operating in the EU are expected to be authorized under MiCA, reducing the inconsistencies that existed under the previous patchwork of national regimes.
The next test is supervision. Michał emphasized that tighter enforcement will be essential, but also acknowledged that this remains new territory for national competent authorities. NCAs differ in resources, risk appetite, and supervisory focus, and the interaction between home and host member states — and with ESMA — will become increasingly important.
The consultation raises a different but connected question: how much MiCA should now evolve. Dea's view is MiCA should be improved, not reinvented. The first draft was written roughly six years ago, in response to a very different market environment. Since then, particularly in payments, use cases for stablecoins have become far more concrete. For Dea, that makes the consultation a timely opportunity to be somewhat bolder in revisiting the payments titles, while preserving MiCA's broader architecture.
The panel's message was consistent: the priority is to make MiCA work in practice, while using the consultation to identify targeted improvements where experience has exposed genuine gaps.
Watch the full webinar on demand → https://notabene.id/webinars/from-transition-to-transformation-mica-grandfathering-ends
Today marks the half-year anniversary of the European Union’s Transfer of Funds Regulation (TFR). As we reach the mid of 2025, it’s worth looking back at the path that shaped today's regulatory reality. The year 2023 was defined by the entry into force of the Travel Rule in the UK. In 2024, the EU followed suit. Now, six months into this new phase, the time is ripe to assess the progress of the TFR, draw comparisons with the UK’s experience, and uncover the lessons that can guide the effective implementation of Travel Rule regimes.
What the Data Tells Us
In 2023, our team at Notabene was fully mobilized to prepare the UK crypto industry for the arrival of the Travel Rule compliance, set to take effect on September 1, 2023. We engaged across multiple fronts: running testnets with cohorts of VASPs under the FCA's regulatory sandbox, co-chairing the Travel Rule working group within CryptoUK, and participating in numerous industry events, both as hosts and speakers.

By year’s end, true to our usual practice, we started examining the results of our annual State of Crypto Travel Rule Survey. It was one of those gratifying moments when the effort feels justified: the data showed that 100% of UK respondents reported being compliant with the Travel Rule, a clear signal that industry readiness had been achieved.
In 2024, with equal dedication, we turned our focus to supporting the rollout of the Travel Rule across the European Union. Our approach was similarly comprehensive: we published detailed guides, launched an in-depth certification course dedicated to EU Travel Rule requirements, delivered a three-part webinar series covering the regulations, hosted an EU-wide testnet for CASPs and regulators, and ran a series of targeted workshops for our customers.

Yet, when we reviewed the latest survey data, the results were surprising. Despite the significant groundwork, 71.2% of EU respondents indicated they were not yet compliant with the Travel Rule, with 40.4% identifying the first quarter of 2025 as their intended compliance timeline.

These figures stood in contrast to the momentum we observed within our own Network. In the months leading up to the TFR’s enforcement date of December 30th, 2024, we witnessed a marked increase in Travel Rule activation among EU CASPs. Between January 2024 and January 2025, transaction volumes originating from EU entities on the Notabene network surged by 200x, compared to the 8x growth seen in non-EU originated volumes over the same period. This contrast reflects the significant role the EU Transfer of Funds Regulation in catalyzing Travel Rule adoption within our network.
However, looking beyond our immediate ecosystem, it is clear that the UK rollout achieved a higher degree of readiness at an earlier stage. With children, we often say that each develops at their own pace and should not be compared. But with regulatory frameworks, understanding why one implementation advanced more rapidly than another can offer valuable insights.
With that in mind, the following sections explore how the UK and EU approaches diverge. We’ll examine their defining features, points of friction, and attempt to trace the root causes behind the differences in industry readiness.
The Road to Travel Rule Implementation: Centralised in the EU and Industry-led in the UK
🇬🇧 UK
When the UK implemented the Travel Rule on September 1, 2023, it followed a legislative and regulatory process that deliberately placed industry expertise at the centre.
The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 (MLRs) introduced Travel Rule obligations for crypto firms registered with the FCA, covering both inter-cryptoasset transfers and unhosted wallet transactions.
What set the UK approach apart was the collaborative model that followed. The Joint Money Laundering Steering Group (JMLSG), a private sector body made up of UK financial trade associations, led the drafting of practical guidance for firms. To support the efforts by JMLSG, CryptoUK established a dedicated Travel Rule working group, co-chaired by Notabene, bringing together compliance officers, legal experts, and operational teams to directly work with JMLSG to shape the guidance based on day-to-day implementation realities.
This industry-developed guidance was reviewed and validated by the FCA and HM Treasury, ensuring alignment with regulatory expectations while keeping operational challenges front and centre.
Furthermore, in August 2023, just before the rule took effect, the FCA published targeted guidance to clarify issues raised during the grace period, most notably the “sunrise issue” involving transactions with jurisdictions that had not yet adopted the Travel Rule.
The result was a regulatory framework supported by practical, actionable guidance.
This collaborative process - combining early regulatory engagement and industry ownership - played a decisive role in the UK achieving high levels of readiness by the time the Travel Rule came into force.
🇪🇺 EU
The EU set out to tackle a far more ambitious task than the UK: introducing uniform Travel Rule obligations across all 27 Member States through a single, binding regulation. This was achieved via the recast of Regulation (EU) 2015/847, better known as the Transfer of Funds Regulation (TFR), which was formally adopted on May 31, 2023 to extend the Travel Rule to crypto transfers.
The creation of detailed implementation guidelines was primarily led by the European Banking Authority (EBA).
The EBA made several efforts to incorporate industry perspectives. A public consultation on the Travel Rule Guidelines launched on November 24, 2023, alongside public hearings and the formation of Technical Expert Groups (TEGs)—which included industry representatives like Notabene.
However, unlike the UK’s process, where industry actors drafted the practical guidance with regulatory validation, in the EU it was the reverse: regulators drafted the guidelines, and the industry was invited to provide feedback along the way. While this structure provided transparency and some opportunity for dialogue, it inevitably limited the extent to which day-to-day operational challenges of CASPs could shape the final rules.
Takeaway
Guidance developed by industry practitioners and backed by regulatory oversight delivers the hands‑on, pragmatic advice firms need for readiness. In contrast, a top‑down model can miss key nuances encountered in day‑to‑day operations.
Using Grace Periods Strategically
| Jurisdiction | Legislation Published | Entry into Force | Grace Period Length |
| UK 🇬🇧 | July 21, 2022 | September 1, 2023 | 13 months, 11 days |
| EU 🇪🇺 | May 31, 2023 | December 30, 2024 | 18 months, 30 days (approx. 19 months) |
EU CASPs were granted nearly six additional months to prepare compared to their UK counterparts. A long grace period in the EU was the right approach given the complexity of implementing uniform requirements across 27 Member States.
However, based on our experience, the length of a grace period is far less important than how that time is used. A grace period should serve as structured preparation time for both regulators and industry, particularly with the Travel Rule, which directly affects transaction flows, operational processes, and customer experience.
🇬🇧 UK
The UK offers a textbook example of this. Throughout the 13-month grace period, the FCA worked closely with the industry. This started with the acceptance of Notabene's Travel Rule testnets into the FCA regulatory sandbox. This hands-on engagement allowed the FCA to better understand the technical and operational nuances of implementing Travel Rule programs. The FCA also conducted targeted outreach to VASPs, requesting detailed implementation plans and offering feedback based on insights gained from the testnets. As a result, potential gaps were identified early and firms had time to adjust, which led to the high compliance rates we saw post-deadline.
🇪🇺 EU
It would be unrealistic to expect the same degree of coordinated engagement across the EU, where the regulation had to be rolled out simultaneously across 27 jurisdictions and regulatory bodies. However, the grace period fell short even in resolving fundamental questions - for example, when exactly do Travel Rule obligations start to apply?
Even after the Travel Rule formally entered into force on December 30, 2024, confusion persisted among industry participants:
- Some CASPs misinterpreted the transitional period outlined in the EBA Guidelines, assuming it postponed Travel Rule obligations entirely until 31 July 2025. In reality, this period only allows temporary technical limitations in solutions, but full compliance with the TFR is expected regardless of technical limitations.
- Others argued that the TFR only applies once a CASP obtains full authorisation under MiCA, meaning firms operating under transitional arrangements were exempt. The EBA explicitly rejected this interpretation in its July 2024 response to public comments, stating:
"The EBA stresses that non-compliance with Regulation (EU) 2023/1113 is not accepted."
Takeaway
The UK experience offers a clear takeaway: the success of a regulatory rollout is not defined by how long the grace period is, but by how strategically that time is used. The UK's collaborative, proactive use of its grace period - bringing together regulators and industry to stress-test real-world implementation - was instrumental in achieving early, widespread readiness.
Managing Self‑Hosted Wallets: Risk‑Based Principles or Prescriptive Rules?
🇬🇧 UK
The UK has adopted a non-prescriptive, principles-based approach to regulating interactions with self-hosted wallets, built around risk assessments and operational discretion. Under Regulation 64G(2) of the MLRs, crypto-asset businesses (CBs) are required to assess the risks associated with unhosted wallet transactions and determine whether collecting additional customer information is appropriate.
The JMLSG provides further operational guidance, encouraging CBs to seek additional information when dealing with self-hosted wallets in higher-risk situations. Factors such as transaction size, frequency, and the overall customer relationship inform these assessments. Where higher risks are identified, CBs are expected to apply enhanced due diligence, which may include verifying control over the self-hosted wallet using mechanisms such as micro-deposits or cryptographic signatures.
Crucially, the UK’s framework avoids imposing rigid or overly prescriptive requirements. This allows CBs to adjust their controls based on risk assessments. As a result, UK market participants have largely maintained the ability to support these types of transactions while remaining compliant and adopting robust risk-mitigation policies.
🇪🇺 EU
The EU has taken a more prescriptive stance toward regulating self-hosted wallets, with obligations set out in the TFR and further operational detail provided by the EBA Travel Rule Guidelines.
Under the TFR, crypto-asset transfers involving self-hosted wallets are subject to escalating requirements based on transaction size. For transactions exceeding €1,000, CASPs must verify that their customer owns or controls the receiving self-hosted wallet. The EBA Guidelines elaborate on this obligation by providing a non-exhaustive list of acceptable verification methods, while also making clear that at least one method must be applied in all applicable cases.
A key source of market friction stems from the disconnect between the TFR’s legislative text and the EBA guidelines in what concerns third-party self-hosted wallet transfers. While the TFR does not explicitly impose verification requirements for transactions involving third-party self-hosted wallets, the EBA Guidelines extend obligations to these transactions, creating expectations for due diligence that many CASPs find impractical or disproportionate to implement.
The result has been a marked trend toward de-risking within the EU. According to Notabene's 2025 State of Crypto Travel Rule Report, VASPs in the EU are 55% more likely to prohibit transactions with self-hosted wallets compared to the global average, reflecting a significant de-risking trend driven by regulatory uncertainty. Faced with operational uncertainty and the high cost of compliance, 15.4% of EU-based VASPs have implemented complete prohibitions on such transactions, compared to a global average of 9.9%.

Takeaway
In this rapidly evolving industry, prescriptive rules often struggle to keep pace with technological change, leading to unintended consequences such as market exclusion and de-risking. The UK's principles-based, risk-driven approach to regulating self-hosted wallets demonstrates how flexible frameworks can promote compliance without stifling innovation or market participation. By contrast, the EU's more prescriptive model has amplified operational uncertainty, prompting many VASPs to restrict legitimate transactions to avoid having to navigate complex, often impractical requirements. Striking the right balance between risk mitigation and operational feasibility requires regulation that empowers firms to apply proportionate and evolving controls.
Counterparty Due Diligence Obligations: All or Nothing?
🇬🇧 UK
In the UK, Counterparty VASP Due Diligence (CVDD) is not explicitly required under the Travel Rule, nor is it addressed in the JMLSG or FCA guidance. This was a conscious decision by UK regulators, who determined that existing frameworks such as data privacy laws and sanctions compliance already provide sufficient oversight. The UK’s approach aims to avoid introducing additional, potentially duplicative obligations that could complicate compliance without clear added benefit.
While this streamlined framework reduces regulatory burden, the lack of specific CVDD guidance may create operational uncertainty for VASPs.
🇪🇺 EU
In contrast, Article 38 of the EU’s TFR amends the 4th Anti-Money Laundering Directive (AMLD4) to expand the definition of correspondent relationships and explicitly include those established for transactions or transfers in crypto-assets. Recital 60 further clarifies that relationships between CASPs and third-country entities executing crypto-asset transfers share similarities with correspondent banking relationships and should be subject to enhanced due diligence measures similar in principle to those applied in traditional banking.
The EBA further issued the EBA/GL/2024/01 Guidelines to specify firms’ obligations where the respondent or its customers are providers of services in crypto-assets, other than CASPs authorised under MiCA, or where they are deemed to present an increased ML/TF risk.
Takeaway
The UK's decision to avoid prescriptive Counterparty VASP Due Diligence (CVDD) requirements reflects a desire to avoid duplicating existing oversight mechanisms. However, the absence of explicit CVDD expectations in the Travel Rule context can create operational uncertainty for VASPs navigating cross-border interactions.
Conversely, the EU’s approach imposes comprehensive CVDD obligations rooted in correspondent banking standards. As the FATF itself acknowledges, Travel Rule compliance requires a more proportionate approach. Unlike in the banking sector, many cross-border VASP-to-VASP transfers happen without an established, ongoing relationship, making traditional correspondent banking due diligence ill-suited in this context.
Neither extreme - a complete absence of guidance nor rigid, banking-style obligations - proves effective. Instead, CVDD requirements should be proportionate and aligned with the realities of the crypto-asset sector.
Reporting Non-compliant Counterparties
🇬🇧 UK
Beneficiary and intermediary CBs are required to report repeated failures by counterparties to provide required Travel Rule information to the FCA. Reporting must include details of both the non-compliance and the remedial steps taken. The UK applies a risk-based approach, allowing firms to determine what constitutes “repeated failure” based on transaction volumes, size, or frequency.
By the time the Travel Rule regulations came into force, formal processes for reporting non-compliant counterparties had not yet been established by the FCA. These procedures are currently being rolled out in the UK.
🇪🇺 EU
In the EU, Article 17(2) of the TFR mandates that CASPs assess whether non-compliance is repeated, using both quantitative criteria (e.g., percentage of missing data transfers, unanswered follow-ups) and qualitative criteria (e.g., cooperation level, reasons for non-provision).
If repeated non-compliance is identified, CASPs must report repeatedly non-compliant counterparties to the relevant AML/CTF authority within three months. Reports should include details on the VASP’s identity, the nature and frequency of breaches, explanations given, and actions taken.
Similarly to the UK, EU CASPs faced uncertainty as the Travel Rule entered into force without clear reporting processes fully established by regulators. The operationalization of these requirements is now underway in key markets like Germany.
Takeaway
Both the UK and EU frameworks mandate reporting non-compliant counterparties as a key enforcement mechanism. However, the absence of established reporting processes at the regulation’s start created uncertainty for VASPs in both regions. While the UK is now actively rolling out clearer reporting protocols, EU jurisdictions still face fragmented implementation.
According to the Notabene State of Travel Rule Report, only 32.7% of EU respondents are prepared to report non-compliant counterparties, including 26.9% who have set up reporting processes but have yet to use them. Actual reporting is low, at just 5.8%, likely reflecting regulatory ambiguity and operational challenges. Additionally, 15.4% of respondents indicate a lack of clear guidance in their jurisdiction.

This highlights the need for streamlined procedures to enable VASPs to fulfil reporting obligations effectively.
Lessons Learned
As we mark six months since the Travel Rule came into force in the EU and reflect on the UK’s earlier experience, several clear lessons emerge from the comparative rollout of these pivotal regulations:
- Industry‑Led Operational Guidance Drives Readiness
Regulatory frameworks grounded in operational realities succeed. Industry practitioners are well positioned to lead the drafting of practical implementation guidelines, with regulators providing validation and oversight. This collaborative model yields actionable, context-sensitive rules that help firms achieve compliance more effectively.
- Grace Periods Work Only When Used Strategically
The duration of a grace period is far less important than how the time is utilised. Structured, ongoing engagement between regulators and industry is critical to turning a grace period into a true window of preparation rather than merely a delay.
- Principles-Based, Risk-Driven Approaches Outperform Rigid Prescription
In fast-evolving sectors like crypto-assets, flexible, risk-based frameworks outperform one-size-fits-all mandates. Such principles-led approaches enable firms to calibrate controls proportionate to risks, fostering compliance without stifling innovation or excluding legitimate market participants.
- Feasibility of Implementation Is Key to Compliance
Regulatory mandates that are operationally impractical - such as the overly stringent obligations for third-party self-hosted wallets or unclear procedures for reporting non-compliant counterparties - drive firms toward non-compliance or excessive de-risking. Clear, feasible requirements and well-established processes are essential to avoid unintended consequences that undermine regulatory goals.
A combination of principle-based legislative mandates, industry-crafted operational playbooks, and purposeful, collaborative transition periods is key to building effective frameworks that serve both regulatory goals and industry realities, turning compliance from a challenge into a foundation for sustainable innovation and trust.
Today, the European Banking Authority (EBA) released an explainer entitled Preventing Money Laundering and Terrorism Financing in the EU’s Crypto-Assets Sector. As the crypto landscape evolves, the EU is tightening its grip on compliance with the introduction of MiCAR (Markets in Crypto-Assets Regulation) and its accompanying AML/CFT rules, including the Transfer of Funds Regulation (TFR).
One common misconception among crypto-asset service providers (CASPs) is that MiCAR includes a “grandfathering” exemption under the new European Travel Rule.
Let’s set the record straight: this is definitively not the case.
▶︎ Watch this special video message from Lana Schwartzman, Head of Regulatory & Compliance at Notabene, explaining why compliance with TFR is so important, as what consequences may face CASPs that fail to comply.
What Does Article 143(3) of MiCAR Really Say?
The much-discussed Article 143(3) states:
“Crypto-asset service providers that provided their services in accordance with applicable law before 30 December 2024, may continue to do so until 1 July 2026 or until they are granted or refused an authorization pursuant to Article 63, whichever is sooner.”
At first glance, this might appear to grant a blanket reprieve for CASPs operating before the cut-off date. In reality, the provision is far more limited in scope.
What This Provision Actually Means
While this transitional clause provides a limited window for CASPs to continue operating while applying for MiCAR authorization, it is not a free pass to avoid compliance. CASPs operating under existing frameworks—such as AMLD (Anti-Money Laundering Directive) or domestic AML/CFT regimes—must still adhere to all applicable AML/CFT requirements and that includes the Regulation (EU) 2023/1113, also know as the Transfer of Funds Regulation (TFR).
In simple terms:
- Yes, CASPs can keep operating during the transitional period.
- No, this does not exempt them from complying with the updated AML/CFT framework (including TFR).
The same stringent rules that apply to credit and financial institutions also apply to “grandfathered” CASPs.

The Travel Rule is Here to Stay
A major component of these regulations is the European Travel Rule, requiring CASPs to ensure that crypto transfers include comprehensive information about both originators and beneficiaries with the goal of preventing illicit activities like money laundering and terrorist financing in the crypto ecosystem and reporting it. This rule is non-negotiable and applies equally to CASPs during the transitional period.
Furthermore, CASPs engaging in transactions with self-hosted wallets or operating across borders will need to implement robust measures to trace and verify transfers.
Why Compliance Matters Now
While the transitional period may offer some operational flexibility, CASPs that delay in meeting compliance requirements risk jeopardizing their long-term viability. Here’s why:
- Increased Scrutiny: The EBA and upcoming EU AML Authority are tasked with enforcing strict compliance.
- Reputation at Stake: Operating without adherence to AML/CFT standards could harm trust with customers, partners, and regulators. As a matter of fact, we published earlier this year the results of our State of Crypto Travel Rule Report which showed from the survey that 66% of VASPs restrict withdrawals that do not comply with Travel Rule requirements
- Operational Risks: Failure to comply could lead to service suspension, fines, or denial of authorization.

For more on the risks of not complying with TFR, read our recent article on the Consequences of Non-Compliance with EU's Travel Rule After December 30th.
The Path Forward for CASPs
For CASPs looking to thrive under the new regime:
- Act Now: Begin implementing Travel Rule solutions and robust AML/CFT measures immediately.
- Understand the Framework: Familiarize yourself with MiCAR, Regulation (EU) 2023/1113, and the EBA Travel Rule Guidelines.
- Prepare for Licensing: Gather the necessary documentation and establish a compliance-first culture to streamline your MiCAR authorization process.
Debunking the Myth
The takeaway is clear: there is no blanket “grandfathering clause” exempting CASPs from compliance. The transitional provision simply ensures continuity while maintaining full AML/CFT obligations.
As the compliance deadline of December 30, 2024 approaches, proactive measures will separate the leaders from those left scrambling to catch up. The time to act is now—ensure your operations are Travel Rule-ready and compliant with the evolving regulatory landscape.
Let’s work together to build a safe, compliant, and thriving crypto ecosystem in the EU. 🌍
Travel Rule Compliance in the European Union: Summary
FATF Travel Rule Requirements in the European Union
Travel Rule Compliance in the European Union: An In-Depth Analysis of the Transfer of Funds Regulation (TFR) and the EBA’s Travel Rule Guidelines
From Transition to Transformation: MiCA Grandfathering Ends
Notabene Customer Workshop - EU Travel Rule (Session 2)
Notabene Customer Workshop - EU Travel Rule
Introducing SafeConnect Components: Seamless end-to-end TFR Compliance
Become an Expert on Travel Rule in the EU
Compliance Deep Dive: Travel Rule in the European Union (2022)
Navigating Crypto Regulations in the UK and EU in 2021
Response to the Public Consultation on the Draft Legislative Decrees for Adapting National Legislation to the 'MiCAR' and 'TFR' Regulations on Crypto-Assets
Upcoming Events on EU Crypto Industry Compliance
Join us at the latest events focused on crypto compliance in the EU. Network with industry leaders and gain insights into the latest regulatory developments.

Get Certified as an Expert in EU Travel Rule Compliance
Sign up for our course to teach you everything you need to know about Travel Rule compliance in the EU.
FAQs
What is crypto compliance in the EU?
Crypto compliance in the EU involves adhering to regulatory standards set by the European Union for cryptocurrency operations, including anti-money laundering (AML) and counter-terrorism financing (CTF) measures.
What is the EU Travel Rule?
The EU Crypto Travel Rule requires cryptocurrency exchanges and wallet providers to share specific information about transactions to comply with AML and CTF regulations. This rule aims to enhance transparency and security in crypto transactions.
How does financial crime impact crypto compliance?
Financial crime, such as money laundering and fraud, poses significant risks to the crypto industry. Crypto compliance measures, including AML and CTF regulations, are crucial in mitigating these risks and ensuring the integrity and security of cryptocurrency transactions.
Are stablecoins regulated?
Yes, stablecoins are regulated to ensure they adhere to financial regulations, particularly concerning anti-money laundering (AML) and counter-terrorism financing (CTF) standards. Regulatory bodies require stablecoin issuers to maintain transparency and ensure that their assets are properly backed and audited.
What regulations do crypto exchanges need to comply with?
Crypto exchanges need to comply with a range of regulations, including:
- Anti-Money Laundering (AML): Implement measures to detect and prevent money laundering activities.
- Know Your Customer (KYC): Verify the identity of users to prevent fraud and illegal activities.
- Counter-Terrorism Financing (CTF): Ensure transactions do not facilitate terrorism financing.
- Crypto Travel Rule: Share specific transaction information to comply with international regulatory standards.
- Data Protection: Adhere to data protection laws such as GDPR to ensure user privacy and data security.
Hosting these gateways within the VASP's own infrastructure, such as a data center or cloud account, is advised for optimal security. This approach, particularly when using an enclave server, allows for enhanced security measures, aligning with the principle that control over the hosting environment can significantly bolster security.


