The European Banking Authority has published a new report highlighting how the crypto industry has attempted to bypass new legislation like MiCA and its extended AML/CFT legislative framework. MiCA, which came fully into effect in late 2024, gave the 27-country economic bloc a unified set of rules governing crypto asset providers for the first time.
The EBA didn’t name any crypto firms specifically, but said that “attempts by some entities to circumvent regulatory requirements” may continue, adding that this poses a risk of a “significant and adverse impact on the integrity of the EU’s financial system.”
One of the risks the EBA touches on is what it calls “forum shopping.” This refers to companies attempting to get regulatory approval in one country it perceives as having less stringent approval mechanisms, so it can legally operate in other parts of the EU afterwards. This is also referred to as “passporting.”
The report said before MiCA was adopted, one unnamed entity submitted applications for registration and licensing in multiple countries within a short timeframe. It then “withdrew from jurisdictions where [authorities] asked questions or its application was challenged,” before beginning operations in the country where it went unchallenged.
“In practice, entities with weak AML/CFT controls have already entered and are operating in the EU market by selecting jurisdictions with lighter supervisory practices or previously lower market entry requirements,” the EBA wrote.
Although MiCA came fully into effect last year, it included a transition window that runs until July 1, 2026 giving firms until that date to either get license or be told they don’t meet the bar. The regulator adds that “emerging evidence suggests that there may be a risk that entities which were previously licensed in a Member State and have not met the authorisation conditions under MiCA but are appealing their case may continue to operate in the EU in the intervening time.”
Dr. Hendrik Müller-Lankow, a lawyer at German crypto law firm Kronsteyn, says that from his experience, “supervisory arbitrage and supervisory shopping are in fact occurring throughout the EU.”
However, he believes it’s a “phenomenon that one has to accept if EU regulators wish to realise a single market on the one hand while preserving certain degrees of supervisory powers on the other.”
“It is well known that people—and thus also authorities—in different Member States have different mentalities when applying laws,” he added.
Table of Contents
ToggleIs centralized EU authority the answer?
Müller-Lankow thinks the EU could address the issue by centralizing both the EU’s laws and their supervisory authorities.
“This is already happening to a large extent. However, it is well known that EU authorities are steadily working to enlarge their powers,” he added.
The regulator also pointed to how some crypto firms may be attempting to set up in the EU without clear beneficial ownership and governance structures, which can obscure ownership and accountability.
The report said that a virtual asset service provider, or VASP, that applied for an operating license in multiple EU jurisdictions was found by one crypto authority to “be jointly run by more than 20 distinct entities that were largely established outside the EU and outside regulatory oversight.” These types of opaque structures may “enable the misuse of front or shell companies, according to the EBA, which added: “Entities without genuine economic activity can act as vehicles to channel illicit funds under the guise of legitimate transactions.”
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
