What is the compliance stack a CASP has to build?
A licensed crypto-asset service provider has to stand up three compliance pillars at the same time: an AML/CFT programme, transfer-level Travel Rule and TFR compliance, and DORA operational resilience. These are not sequential nice-to-haves. A regulator reviewing an authorisation application expects to see all three designed, documented, and staffed before it grants a licence, and a thin showing on any one of them is a common reason applications stall.
It helps to think of them as answering three different questions. AML/CFT asks: do you know who your customers are and can you spot and report financial crime? The Travel Rule asks: does the right information travel with each transfer? DORA asks: can your systems keep running and recover when something breaks? A firm that is strong on one and weak on the others is not ready.
Pillar one: the AML/CFT programme and the MLRO
The first pillar is a written AML/CFT programme owned by a named Money Laundering Reporting Officer. The MLRO is the accountable individual — not a committee — responsible for the anti-money-laundering and counter-terrorist-financing controls, and regulators want to see a real person with authority, seniority, and time for the role.
At a high level the programme has to cover customer due diligence and identity verification, ongoing transaction monitoring, a risk-based approach that treats higher-risk customers and products differently, sanctions screening, record-keeping, staff training, and a clear route for filing suspicious-activity reports. It also needs governance: policies that are actually approved, tested, and updated, not a template sitting in a drawer. The standards trace back to FATF recommendations and, in the EU, to the anti-money-laundering framework applied to CASPs. Specific thresholds and formats depend on jurisdiction and change, so confirm current local rules with your regulator.
Pillar two: the Travel Rule and the EU TFR
The second pillar is making sure required information travels with each crypto-asset transfer. The FATF Travel Rule is the global standard: when value moves between service providers, originator and beneficiary details have to accompany the transaction so it can be traced. In the EU this is implemented through the Transfer of Funds Regulation, which extends the same logic to crypto-asset transfers.
In practice a CASP has to collect and verify the right data on both sides of a transfer, transmit it securely to the counterparty provider, and handle cases where the counterparty is unknown or non-compliant — including so-called unhosted or self-hosted wallets, which carry their own checks. This usually means adopting a Travel Rule messaging solution and building procedures for missing or inconsistent information. It sits on top of the AML pillar rather than replacing it: the Travel Rule governs the transfer, while CDD and monitoring govern the relationship. The exact data fields and de-minimis treatment depend on jurisdiction and change, so verify the current text.
Pillar three: DORA and operational resilience
The third pillar is operational resilience under the Digital Operational Resilience Act. DORA addresses a different risk from money laundering — it asks whether a firm’s technology can withstand and recover from disruption, whether that is an outage, a cyber-attack, or a failed provider. For an EU CASP it is now part of the same authorisation conversation as AML.
At a high level DORA sets duties across five areas: ICT risk management with clear internal ownership; incident classification and reporting to authorities; digital operational resilience testing; oversight and contractual control of third-party technology providers, including critical cloud services; and information-sharing on cyber threats. Because crypto businesses run on outsourced infrastructure, the third-party oversight requirements matter a great deal, and mapping every critical provider is often the heaviest lift. As with the other pillars, precise reporting timelines and testing expectations depend on the applicable rules and change, so confirm the current requirements.
Attribution
The framing above draws on public commentary from practitioners who advise regulated firms on crypto, AML, and payments compliance. Among them, Arun Srivastava, a partner at Paul Hastings in London, writes and speaks on UK and EU crypto authorisation, money-laundering compliance, and payment-services regulation. See his firm profile in the sources and expert references for his published work; this box cites his public expertise and does not represent an endorsement of this index.