The Cyprus Securities and Exchange Commission (CySEC) has warned regulated financial firms to strengthen their anti-money laundering controls following the end of the European Union’s transition period under the Markets in Crypto-Assets Regulation (MiCA) on July 1, 2026.

In a circular issued on this week, the regulator drew attention to new guidance published by the EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), which outlines the money laundering and terrorist financing risks that could emerge as the crypto-asset market adjusts to the new regulatory framework.

CySEC explained that, following the end of the transition period, firms wishing to continue providing crypto-asset services within the European Union must now be authorised as MiCA-compliant Crypto-Asset Service Providers (CASPs).

The regulator said the end of the transition period is expected to trigger significant structural changes across the EU crypto-asset sector, as unauthorised virtual asset service providers leave the market and their customers either close their accounts or transfer to authorised providers.

According to the circular, AMLA has warned that these changes could create heightened money laundering and terrorist financing risks if firms do not maintain appropriate safeguards during the transition.

CySEC said AMLA recommends that authorised firms adopt a risk-based approach when accepting customers from unauthorised providers, rather than refusing them automatically.

Instead of applying blanket de-risking measures, firms should carry out individual risk assessments and implement customer due diligence measures proportionate to the level of risk presented by each client.

The circular also highlights risks faced by firms exiting the market.

CySEC said unauthorised providers could experience weakened anti-money laundering and counter-terrorist financing controls during the wind-down process, particularly where deficiencies had already been identified in their compliance frameworks.

To reduce these risks, the regulator said firms should implement robust and well-documented wind-down plans where required under national legislation.

It added that firms should maintain adequate governance arrangements, sufficient resources and enhanced monitoring until all regulated activities have formally ceased.

CySEC also warned that rapid market exits may reduce transparency over customer relationships and the movement of crypto assets, creating opportunities for illicit funds to be concealed or transferred quickly, including for the purpose of sanctions evasion.

The regulator said firms should continue complying with all anti-money laundering obligations throughout the wind-down process, including maintaining up-to-date customer due diligence information and reporting suspicious transactions or activities where appropriate.

For authorised crypto-asset service providers, CySEC said the transition could lead to significant changes in their risk exposure, as new customers migrate from firms no longer permitted to operate.

The regulator warned that these shifts could alter business models and customer portfolios, potentially concentrating higher-risk customers among authorised providers.

To address this, CySEC said firms should ensure that their transaction monitoring systems are capable of handling higher volumes of crypto-asset transfers.

It also said firms should ensure they have adequate staffing levels and sufficient system capacity to cope with increased workloads resulting from customer migration.

The regulator further warned that a rapid influx of customers could place pressure on transaction monitoring systems and compliance functions, requiring firms to strengthen customer onboarding procedures and the integration of customer risk information.

According to the circular, customer due diligence should remain central to the onboarding process, while enhanced due diligence should be applied where higher risks are identified.

CySEC stressed that customers transferring from unauthorised virtual asset service providers should not be treated as high risk solely because of their previous provider, but should instead be assessed individually under a risk-based approach.

The regulator also reminded supervised entities that compliance with anti-money laundering and counter-terrorist financing obligations remains their responsibility both during the transition period and after any customer migration or business wind-down has been completed.

In addition, CySEC drew firms’ attention to a report published by the Financial Action Task Force (FATF) on the risks associated with offshore and unauthorised virtual asset service providers.

The regulator said firms are expected to identify and assess money laundering and terrorist financing risks arising from relationships, transactions or business activities involving unauthorised virtual asset service providers and to apply appropriate mitigation measures in line with a risk-based approach.

CySEC urged regulated entities to take full account of the risks arising from the end of the MiCA transition period and to strengthen their risk-based controls under Cyprus’ Prevention and Suppression of Money Laundering Activities Law.