On 27 November 2025 the Austrian Financial Market Authority (FMA) granted KuCoin EU Exchange GmbH a licence as a crypto-asset service provider (CASP) a licence as a crypto-asset service provider (CASP) under the MiCA regime for CASPs (Title V MiCA).
With this single administrative act, KuCoin obtains EU-wide passporting rights: from Vienna, it can now offer regulated crypto services across almost the entire EEA under Europe’s new Markets in Crypto-Assets Regulation (MiCA / MiCAR).
At first glance this looks like a success story of “crypto finally coming under proper regulation.”
On closer inspection, it raises uncomfortable questions.
KuCoin`s recent money laundering history
Because KuCoin is not some boring, low-risk retail broker. It is a global exchange that, within the last twelve months,
pleaded guilty in the United States to operating an unlicensed money transmitting business, agreeing to pay roughly USD 297 million and to exit the US market for at least two years, after prosecutors alleged systematic failures in KYC/AML and billions in suspicious transactions linked to darknet markets, malware, ransomware and fraud.
was hit by Canada’s AML watchdog FINTRAC with what was – at the time – its largest ever administrative monetary penalty: CAD 19.55 million (about USD 14 million) for three serious violations, including failure to register as a foreign MSB and failure to report thousands of reportable transactions and suspicious activity.
FMA granted Bybit also a MiCA License
Earlier this year, the FMA also granted Bybit EU GmbH a MiCA license, likewise under Article 63 MiCAR, authorising custody, exchange, placement and transfer services for crypto-assets from Vienna into the EEA.
Bybit, too, comes with regulatory baggage:
Ontario’s Securities Commission brought enforcement against Bybit for trading crypto-securities without registration or prospectus compliance, resulting in a settlement with multi-million-dollar disgorgement and undertakings.
The Dutch central bank (DNB) fined Bybit Fintech Limited EUR 2.25 million for offering crypto services in the Netherlands between 2020 and 2023 without the legally required registration for AML purposes.
Japan’s Financial Services Agency has repeatedly warned that Bybit is operating towards Japanese residents without proper registration.
In the UK, Bybit withdrew and was later effectively banned for retail derivatives; it is currently not permitted to serve UK customers under the FCA’s regime.
So within roughly half a year, Austria – via MiCA – has become the European home of two of the most enforcement-exposed offshore exchanges.
From a consumer-protection perspective, that combination should ring alarms – not least considering that Austria still does not even offer the possibility to file criminal complaints for cybercrime cases online.
What MiCA is supposed to do – and what is actually happening
MiCA was sold politically as the answer to Europe’s crypto chaos: a harmonised framework for issuing and trading crypto-assets, designed to protect investors, safeguard financial stability and support innovation.
Under MiCAR, a CASP licence under Article 63 is not just a formality. It comes with:
governance and internal control requirements,
prudential safeguards,
obligations to manage conflicts of interest and operational risks,
and explicit references to AML/CFT compliance via the general EU framework.
The FMA has been positioning itself as a “balanced and professional” digital-finance supervisor and as a guide through the MiCA approval process.
But in the KuCoin and Bybit cases, the optics are difficult:
US and Canadian authorities describe multi-year, systemic failures by KuCoin to implement basic KYC/AML measures, report suspicious transactions, or even register properly – capped by a guilty plea and a near-USD-300-million package of fines and forfeitures.
FINTRAC explicitly labelled its CAD 19.55 million penalty against KuCoin’s operator as its largest ever at the time, pointing to thousands of unreported large-value transactions and widespread non-compliance.
DNB and OSC describe Bybit serving major markets for years without the required registration and AML controls, only to settle once caught.
And yet, under MiCA, both exchanges now present themselves as fully authorised, “compliance-first” European players headquartered in Vienna
Evident questions to be raised are:
What is the threshold at which a history of enforcement action becomes incompatible with authorisation under MiCA?
What exactly did the FMA check and require from KuCoin and Bybit before granting these licences?
How transparent is this assessment for investors and the public?
What about the victims of the past crimes of KuCoin and Bybit?
Austria as “rehab jurisdiction” – or just regulatory arbitrage?
MiCA works with passporting: one licence in one member state, access to 27+ markets. This creates an obvious incentive for jurisdiction shopping: exchanges will locate their EU hub where the authorisation process is fastest, most “pragmatic” and reputationally convenient.
The public narrative around Bybit and KuCoin now sounds almost identical:
“Compliance-first approach,”
“major milestone,”
“trusted European gateway,”
“MiCA licence validates our standards.”
At the same time, other jurisdictions – the US, Canada, the Netherlands, Japan – have spent years documenting severe deficiencies in their controls.
From a consumer-protection angle, the risk is obvious:
For retail users across the EU, a MiCA licence will be marketed as “fully supervised, safe and compliant.” Few will read multi-page US plea agreements or FINTRAC penalty decisions.
For fraud victims, the combination “MiCA-licensed exchange” + glossy marketing is exactly what creates misplaced trust – the trust that MiCA was supposed to channel into genuinely cleaned-up platforms, not into exchanges with unresolved questions in multiple major jurisdictions.
For regulators, MiCA licences granted to such actors risk turning Europe into a kind of reputational laundromat: past misconduct remains, but the EU label dilutes the stigma and grants market access that other regions have just restricted.
The FMA is of course applying MiCA within a European framework. But precisely because Austria is now the entry door for some of the highest-risk exchanges, the bar for transparency and scrutiny must be higher – not lower.
Bybit: not (much) better
It is tempting to contrast KuCoin as the “bad actor” and Bybit as the more benign, “proactive” player. Bybit itself and its advisers emphasise how proud they are to be among the first global exchanges with a MiCA licence in Austria
But the public record tells a more nuanced story:
Canada (OSC) – settlement over unregistered securities trading and lack of registration, with Bybit paying over USD 2.5 million and agreeing to compliance undertakings.
Netherlands (DNB) – EUR 2.25 million fine for providing crypto services without legally required AML registration between October 2020 and September 2023.
Japan (FSA) – repeated warnings over unregistered activity, followed by a halt to new user registrations as of October 2025 “for regulatory compliance reasons.
United Kingdom (FCA) – Bybit is not authorised, and retail access to its derivative products has been curtailed in line with the UK’s restrictive stance on crypto derivatives.
From a supervisory standpoint, KuCoin and Bybit are simply different shades of the same problem: global exchanges with long histories of regulatory friction now repositioning themselves as European “good citizens” on the basis of a national MiCA licence from one relatively small member state.
What should regulators – and users – demand now?
If MiCA is to maintain any credibility, a licence for a high-risk global exchange must not be a black box.
At minimum, FMA and other European authorities should make clear:
Which remediation measures were imposed
Has KuCoin implemented a completely new AML/KYC framework?
Are there independent compliance monitors in place as in US banking settlements?
What about Bybit’s control environment after the DNB fine and the OSC settlement?
How past enforcement was weighed in the “fit and proper” assessment
Did the FMA treat the US guilty plea and the FINTRAC record fine as “historic issues” or as current risk indicators?
Which thresholds would lead to refusal of a MiCA licence?
How cross-border supervisory cooperation will work
Are there MoUs or concrete cooperation channels between FMA, DOJ, FINTRAC, DNB, OSC, FSA and others concerning KuCoin/Bybit?
How will suspicious activity detected on MiCA-licensed EU platforms be shared with authorities who already sanctioned the same groups elsewhere?
What happens if there is a repeat
Under what conditions would a MiCA licence be suspended or withdrawn in light of new offences in third countries?
How are EU users and investors protected in that scenario?
Without such clarity, MiCA risks degenerating into the very thing its supporters always claimed it was not: a rubber stamp that confers an aura of safety on players whose track records would make traditional financial institutions unbankable in many markets.
EFRI´s view
Austria has now granted a MiCA licence to two exchanges that were only recently on the receiving end of some of the most serious enforcement actions in global crypto.
From a victim-protection perspective, this combination is risky and – without transparency – deeply unsatisfying.
Trust in financial markets is not created by press releases and MiCA badges. It is created by hard evidence of changed behaviour, visible supervision and credible consequences if things go wrong again.
