
ARTs and CASPs must align financial crime, governance and suitability standards with MiCAR

15 April 2025

Regulatory News Alert

At a glance
 

With Circulars 25/872, 25/875, 25/878 and 25/879, the Commission de Surveillance du Secteur Financier (CSSF) is setting a clear tone: an effective anti-money laundering (AML) framework, robust governance, and clear suitability are non-negotiable for firms seeking to operate under the Markets in Crypto-Assets Regulation, or MiCAR.

These circulars enforce the full application of the European Banking Authority (EBA) and European Securities and Markets Authority (ESMA) Guidelines—impacting issuers of asset-referenced tokens (ARTs) and crypto-asset service providers (CASPs). Firms would need to prove not just regulatory intent, but operational and human readiness. Whether firms are onboarding key personnel or submitting a CASP/ART license application, the AML and governance frameworks, board composition, and shareholder structure will face deeper scrutiny.

A closer look


AML/CFT standards

On 8 April 2025, the CSSF published two new circulars (CSSF 25/878 and CSSF 25/879) aligning with updated EBA guidelines on AML/CFT risk factors and fund transfer requirements. These circulars introduce specific obligations for crypto-asset service providers (CASPs) and payment service providers (PSPs), reinforcing risk-based approaches and transparency under the evolving EU regulatory framework:

  • Circular CSSF 25/878 – Adoption of the revised EBA Guidelines on money laundering and terrorist financing risk factors, complementing Circulars CSSF 23/842 and 21/782
  • Circular CSSF 25/879 – Adoption of the EBA Guidelines on information requirements in relation to transfers of funds and certain crypto-assets under Regulation (EU) 2023/1113 (“Travel Rule Guidelines”)

These circulars mark two key regulatory developments for Luxembourg-based crypto-asset and payment service providers, reinforcing AML/CFT expectations and operational readiness under the Markets in Crypto-Assets Regulation (MiCAR) and the EU Travel Rule.


Circular CSSF 25/878 integrates updated EBA Guidelines on money laundering and terrorist financing (ML/TF) risk factors, introducing tailored guidance for managing crypto-asset related risks within AML frameworks. The circular requires:

  • Integration of Crypto-Asset Risk Factors: The revised EBA Guidelines now include specific risk factors related to crypto-assets and CASPs, acknowledging the unique ML/TF risks in this sector.
  • Guidance for Credit and Financial Institutions: The guidelines provide detailed instructions for credit and financial institutions on managing ML/TF risks associated with clients offering crypto-asset services, especially those not regulated under the Markets in Crypto-Assets Regulation (MiCAR).
  • Sector Specific Guidance for CASPs: A new guideline offers CASPs considerations for assessing ML/TF risks in their business relationships, including risks linked to transactions with unregulated entities, products with anonymity features, and certain customer types that may raise red flags.
  • Mitigating Measures for CASPs: The guidelines suggest various ways CASPs can mitigate risks in both high and lower ML/TF risk scenarios.


Circular CSSF 25/879 adopts the EBA’s Travel Rule Guidelines, detailing information and compliance requirements for transfers of funds and crypto-assets under Regulation (EU) 2023/1113. The circular requires:

  • Implementation of the Travel Rule: The EBA's Travel Rule Guidelines specify the information that must accompany transfers of funds and crypto-assets to prevent their misuse for money laundering and terrorist financing. This includes details about the originator and beneficiary, ensuring transparency and traceability in financial transactions.
  • Obligations for service providers: Payment service providers (PSPs), Intermediary PSPs (IPSPs), CASPs, and intermediary CASPs (ICASPs) are required to detect and manage transfers that lack the necessary information. They must establish procedures to identify missing or incomplete data and take appropriate actions to mitigate associated risks.
  • Consistency with FATF standards: The guidelines align the EU's legal framework with the Financial Action Task Force (FATF) standards by extending the obligation to include information about the originator and beneficiary to CASPs, thereby enhancing the EU's anti-money laundering and countering the financing of terrorism (AML/CFT) regime.

The EBA Guidelines underlying these circulars became applicable on 30 December 2024, while CSSF Circulars 25/878 and 25/879 are effective immediately upon their publication.


Governance and suitability standards

Moreover, on 25 February 2025, the Commission de Surveillance du Secteur Financier (CSSF) published two new circulars confirming the joint guidelines from the EBA and ESMA. These guidelines will require improved governance and suitability assessments under MiCAR and will be fully applied in Luxembourg with immediate effect:

  • Circular CSSF 25/872 – Application of the EBA Guidelines on governance arrangements for issuers of asset-referenced tokens (ARTs)
  • Circular CSSF 25/875 – Application of joint EBA/ESMA Guidelines on the suitability assessment of both ARTs and crypto-asset service providers (CASPs):
    • ART issuer and CASP management body members
    • Shareholders or members (direct or indirect) with qualifying holdings in ART issuers and CASPs


Circular CSSF 25/872 requires that issuers of ARTs implement a clear, proportionate, and effective governance framework that is consistent with MiCAR Art. 36(2). The framework must embed risk management, compliance, internal audit, and board oversight at a substantive—not merely formal—level.

The governance framework must also clearly define roles and responsibilities for all key functions, including independent control functions such as risk management, compliance, and internal audit. The management body must also collectively possess adequate knowledge, skills, and experience, and should maintain mechanisms for managing conflicts of interest.


Circular CSSF 25/875 states that firms must conduct formal suitability assessments of board members (including heads of control functions) and direct/indirect shareholders with qualifying holdings. These assessments must evaluate reputation, competence, experience, and financial soundness, and must also be regularly reviewed.

Firms must also develop structured and well-documented suitability assessment processes for:

Management body members:

  • Experience and qualifications aligned to the firm’s risk profile
  • Collective competence as it relates to governance, compliance, information and communications technology (ICT), risk, and crypto-related domains
  • Ongoing monitoring and re-assessment (e.g., following role changes or material incidents)

Shareholders with qualifying holdings:

  • Background checks for criminal, regulatory or financial misconduct
  • Assessments of financial stability and origin of funds
  • Evaluation of potential influence over the firm’s decision-making

While these guidelines are not new at the EU level, their binding application in Luxembourg reinforces the CSSF’s supervisory expectations in the run-up to full MiCAR implementation.

How Deloitte can help


Deloitte’s specialists and dedicated services can help you tackle not only the compliance challenges but also the opportunities arising from ambitious new circulars and regulations.

We can support you in the following critical areas:

  • Reviewing your corporate or compliance strategy regarding crypto-asset services
  • Designing your operating and risk model along with the control framework
  • Performing regulatory and operational gap analysis
  • Supporting with preparing and filing the license application

We help crypto businesses and CASPs improve their compliance with prudential requirements while still maintaining operational efficiency. 
