ESMA: Unauthorised CASPs Must Wind Down
On 23 June 2026, the European Securities and Markets Authority (ESMA) issued a clear warning to crypto-asset service providers (CASPs) that have not obtained authorisation under the Markets in Crypto-Assets Regulation (MiCA).
After the end of the MiCA transitional period on 1 July 2026, unauthorised CASPs must wind down their EU activities in an orderly manner. They must stop onboarding new EU clients, stop opening new client relationships or accounts, and cease marketing and solicitation
Their remaining activity should be limited to what is necessary to sell or transfer crypto-assets, reallocate assets, or close positions. Custody may continue only for the period strictly necessary to complete an orderly exit.
Reverse Solicitation Is Not a Loophole
ESMA also reminds non-EU CASPs that they cannot provide MiCA services to EU clients or solicit EU clients unless the service is provided strictly at the client’s own exclusive initiative.
That is the narrow reverse-solicitation exception. It is not a broad permission for offshore crypto firms to continue targeting EU customers while avoiding MiCA authorisation.
The Consumer Protection Gap
ESMA’s consumer warning is direct: clients of unauthorised CASPs, whether EU or non-EU entities, do not benefit from MiCA safeguards, including protections for client assets.
This matters because many consumers do not know whether the crypto platform they use is authorised. They may only see a bank transfer, card payment, payment account, IBAN, payment processor or merchant descriptor. The regulatory status of the crypto provider is often invisible to them.
The Missing Question: Who Enables the Fiat Ramp?
ESMA’s statement focuses on unauthorised CASPs. But the practical enforcement question goes further.
What should European banks, EMIs, payment institutions, card acquirers and other fiat-ramp intermediaries see in their own systems?
If an EU customer sends money to a crypto platform that is not authorised to service EU clients, this should not be treated as an ordinary low-risk payment. It may indicate that the customer is being serviced by a firm operating outside the MiCA perimeter.
That creates risk for the customer. It also creates risk for the financial institution processing the payment.
Payments to Unauthorised CASPs Are a Red Flag
A payment to an unauthorised CASP does not automatically prove misconduct. But after MiCA, repeated or structured payment flows to unauthorised crypto providers should become a visible red flag.
The relevant risks are not limited to licensing. They include:
- consumer harm;
- fraud and investment scams;
- money-laundering risk;
- sanctions exposure;
- conduct risk;
- asset-safeguarding risk;
- disguised merchant or counterparty structures;
- use of payment intermediaries to obscure the real crypto recipient.
A regulated financial institution should not treat the fiat ramp as neutral infrastructure. The fiat ramp is often the operational access point between EU consumers and offshore or unauthorised crypto providers.
What Banks and Payment Institutions Should Check
Banks and payment institutions should ask whether they can identify payments to crypto-asset service providers, distinguish authorised CASPs from unauthorised entities, and detect indirect payment routes.
Key control questions include:
- Are outgoing customer payments to crypto platforms being identified?
- Is the recipient checked against the ESMA MiCA register and national registers?
- Are offshore CASPs still servicing EU customers through EU payment rails?
- Are payment descriptors, IBANs, merchant names and intermediaries masking the true crypto counterparty?
- Are repeated payments to unauthorised CASPs escalated as a financial-crime and consumer-protection risk?
- Are crypto payments linked to online investment scams, social media ads, recovery scams or high-pressure sales models?
MiCA Needs Enforcement at the Payment Layer
MiCA defines the regulatory perimeter. But the payment system determines whether that perimeter works in practice.
If unauthorised CASPs can still receive funds from EU customers through European banks, EMIs, payment processors or card acquirers, the licensing regime risks becoming only partially effective.
Regulatory Registers Must Become Part of Payment Monitoring
The ESMA MiCA register and relevant national registers should not be treated as passive reference tools for consumers only. They should become part of the risk-control environment of banks, EMIs, payment institutions and card acquirers.
Where a financial institution identifies payments to a crypto-asset service provider, it should be able to assess whether that provider is authorised under MiCA, operating under a valid transitional arrangement, or appears to be outside the authorised perimeter. The same applies where payments are routed through intermediaries, merchant accounts, payment processors or offshore entities that may obscure the real crypto counterparty.
This is particularly important because ESMA has warned that clients of unauthorised CASPs do not benefit from MiCA safeguards, including protections for client assets. If financial institutions continue to process payment flows to such providers without effective screening, monitoring and escalation, the regulatory perimeter may fail exactly where it matters most: at the point where EU consumers transfer real money into high-risk crypto structures.
The challenge is operational. Searching the MiCA register is simple. Detecting millions of payment flows to crypto-related counterparties, offshore platforms, shell entities and disguised payment routes is harder.
But that is exactly the type of control problem regulated financial institutions are expected to address through risk-based controls
Conclusion: No MiCA Compliance Without Fiat-Ramp Controls
ESMA has made clear that unauthorised CASPs must wind down.
The next question is whether European financial institutions will continue to process payments that allow such firms to remain commercially accessible to EU customers.
For consumer protection, this matters.
For AML/CFT and sanctions compliance, this matters.
For financial-crime prevention, this matters.
And for the credibility of MiCA, it also matters!
