When the Markets in Crypto-Assets Regulation (MiCA) came into full force in December 2024, it was sold as the most comprehensive crypto rulebook in the world. A year on, the picture is more nuanced. The regulation has done what it set out to do — harmonising standards across the EU27 — but the downstream effects on day-to-day wallet screening have been sharper than most firms expected.
The first observable shift is in what compliance teams actually screen. Before MiCA, firms screened outbound withdrawals and high-value inbound transactions. Under the Transfer of Funds Regulation (ToFR), every transfer above zero euros involving a VASP now requires originator and beneficiary information. This has quadrupled the volume of screening events at the average European exchange.
That volume pressure has exposed a gap: rule-based screening, which flags transfers based on amounts and counterparty lists, produces unacceptable false-positive rates at scale. The teams we work with are migrating to risk-based screening, where an address's exposure profile — mixer contact, darknet adjacency, hack proximity — determines whether a transfer proceeds automatically, goes to review, or is blocked.
The second shift is in the definition of a "VASP relationship." MiCA requires VASPs to perform due diligence on counterparty VASPs. Historically, firms treated peer VASPs as low risk. Post-MiCA, we've seen that assumption collapse: a non-custodial wallet on the other side of a transfer can be anything from a retail user to an unregistered mixer front. Attribution quality matters more than ever.
A third, less-discussed effect: the explicit right of refusal. Article 33 confirms that VASPs may refuse to process a transfer where satisfactory information cannot be obtained from the counterparty. This has led to a standardisation of workflows: "three-strike" re-request patterns, automatic termination for non-responsive counterparties, and unified rejection reason codes across the industry.
Enforcement, for now, has been patchy. Germany's BaFin has been the most active, with eleven public enforcement actions between January and March 2026. France and the Netherlands have issued guidance but no fines. Southern European regulators have been markedly quieter. This divergence may not last — MiCA contemplates ESMA-level coordination once the transitional period ends in July 2026.
What does this mean for your screening programme? Three practical changes. First, if you are not already doing attribution-first screening, start. Rule-based lists cannot keep up with the volume or the nuance. Second, document your risk appetite in concrete terms: what mixer exposure, what darknet adjacency, what hack proximity, triggers what action. Examiners increasingly ask for this table. Third, invest in dispute handling. More transfers will be blocked or reviewed, and a process that handles disputes in hours — not days — is a competitive advantage.
At AMLRegister, we've rewritten our scoring methodology twice in the past year to keep up with the regulatory direction of travel. We've added explicit MiCA-aligned category weights, expanded our VASP attribution dataset, and introduced ToFR-ready exports. We expect the regulation to continue evolving through 2026; our commitment is to keep our customers one step ahead of each revision.
For compliance teams reading this: the most common question we hear is "does MiCA change what I screen or how I screen?" The answer is both. The what has expanded to every transfer. The how has to mature from rules to risk. Firms that make that transition are finding the new regime manageable. Firms that don't are being overtaken by the volume.
