Crypto regulation and enforcement: Key risks, trends, and compliance priorities

Executive Summary

• Crypto-assets have rapidly evolved from a niche innovation to a central component of global finance, prompting regulators and enforcement authorities to intensify their scrutiny. Crypto complements, and is increasingly integrated into, the traditional investment, banking and payment systems, which has led to new regulatory frameworks and heightened compliance expectations.
• This article provides a comprehensive overview of the current regulatory landscape, with a particular focus on the EU’s Markets in Crypto-Assets Regulation (“MiCAR”). MiCAR introduces a harmonized set of rules for crypto-assets that fall outside the remit of “traditional” EU financial regulation across all EU Member States, introducing rules for stablecoins (e-money tokens and asset-referenced tokens) and other crypto-assets. Guidance notably from the European Securities and Markets Authority (“ESMA”) and the European Banking Authority (“EBA”) provides further detail on supervisory expectations, inter alia regarding the classification of crypto-assets, robust internal frameworks, and ongoing regulatory monitoring.
• Enforcement trends indicate that regulators are broadening their areas of attention, extending scrutiny beyond exchanges to banks, issuers, brokers and custodians. Recent enforcement actions in Germany, the EU, and the US illustrate the range of regulatory tools – from corrective measures to criminal prosecution – in response to alleged anti-money laundering (“AML”) failures and inadequate consumer protection.
• For financial institutions and crypto market participants, the challenge is to balance innovation with legal certainty. The article outlines practical steps for compliance officers, including risk mapping, gap analysis, enhanced transaction monitoring, and regular staff training. Board accountability and a culture of compliance are main drivers for building trust with regulators and stakeholders.
• Looking ahead, the regulatory environment for crypto-assets will continue to evolve, with additional technical standards and guidance anticipated from ESMA and national authorities. The long-term implications of these developments on the market structure and the competitiveness of the industry remain difficult to assess at this stage. Institutions that adjust their compliance frameworks in a timely manner and invest in robust governance will be best positioned to mitigate legal and reputational risks, and to seize opportunities in a rapidly changing market.

Regulatory overview

MiCAR

MiCAR is the central legislative framework in the EU for all crypto-assets that are not already in scope of “traditional” EU financial regulation, such as cryptocurrencies. It establishes uniform rules in all EU member states that are intended to enhance investor protection and market integrity. The scope of covered “crypto-assets” is broad, including both stablecoins and other crypto-assets. Rules apply to issuers, service providers, and market participants (traders). “Significant” stablecoins are subject to more stringent obligations. EU-based companies can offer services across all Member States without the need for separate authorizations, thanks to passporting. In summary, MiCAR provides a regulatory framework aimed at investor protection, financial stability and a fair crypto market.

1. Distinction between existing financial regulation and MiCAR

   The EU regulatory framework distinguishes between crypto-assets that are already covered by existing financial regulation and those that fall under the new MiCAR.

   MiCAR starts with a broad legal definition of a “crypto-asset”. According to Article 3 no. 1 (5) MiCAR, a crypto-asset is any

   “digital representation of a value or a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology”.

   This definition is designed to encompass a wide range of digital assets, including both current and future forms, irrespective of their specific legal structure and economic design. The relevant criteria are:

   1. the existence of a digital representation of value or rights and
   2. the ability to transfer and store it electronically via distributed ledger technology (“DLT”) or equivalent technology.

   However, MiCAR does not apply to all such crypto-assets. MiCAR provides for a broad range of exceptions where such crypto-asset already qualifies as another type of instrument (such as financial instrument, deposit, insurance product, etc., Art. 2(4) MiCAR).

   As a result, issuers and service providers are required to assess whether a crypto-asset qualifies as a traditional financial instrument or other type of instrument already in scope of EU financial regulation. If it does, existing financial regulation continues to apply. If not, the asset may fall within one of the categories established by MiCAR.

   MiCAR applies to all other crypto-assets not already in scope of EU financial regulation. It provides a harmonized regulatory framework across the EU and introduces specific requirements, most notably for issuers and service providers.

   Under MiCAR, crypto-assets are classified into two main categories:

   1. “Stablecoins”
      

      “Stablecoins” are crypto-assets whose value is linked to a stable reference, such as a currency or commodities like gold. They are generally less volatile than assets such as Bitcoin or Ether and are therefore positioned for use as digital money.

      E-Money Tokens

      E-Money Tokens are a specific type of stablecoin subject to strict regulation under MiCAR. They are always tied to exactly one official currency (for example, the euro or the US dollar) and must be backed one-to-one by that currency. One token always equals one currency unit and is redeemable at any time. In simple terms, E-Money Tokens are the EU’s regulated version of stablecoins, making them safer and more reliable than many unregulated alternatives.

      Asset-Referenced Tokens

      Asset-Referenced Tokens link their value to a basket of assets rather than a single currency. These assets can include several fiat currencies (for example, a mix of euros, dollars, and yen), commodities like gold, or even other crypto-assets. The purpose is to spread the value across multiple references so that the token does not depend on the stability of a single currency. Like E-Money Tokens, due to their potential impact on financial stability and monetary policy transmission, Asset-Referenced Tokens are subject to more stringent MiCAR requirements, including strict reserve requirements.

   2. Other crypto-assets

      This category covers all remaining crypto-assets that do not fall under the stablecoin definition. It includes cryptocurrencies like Bitcoin and Ether, as well as most utility tokens, that are used to access services or features within a platform. However, certain types of assets, such as Non-Fungible Tokens (“NFTs”), are explicitly excluded from this category under MiCAR. Stated simply, “other crypto-assets” is a catch-all group for digital tokens that are not designed to maintain a stable value and therefore are generally more volatile than stablecoins.

2. Further legal standards and guidelines

   Under MiCAR, the European Supervisory Authorities (notably ESMA and EBA) together with the EU Commission have drafted and issued a large number of further legal acts in the form of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). The EBA and ESMA are further mandated to issue guidelines.

   The ESMA has for example issued guidelines to help determine whether a crypto-asset falls under existing financial regulations (e.g., Markets in Financial Instruments Directive II (“MiFID II”) or within the scope of MiCAR). For entities engaging with crypto-assets, this guidance has several important implications.

   1. Early classification is key

   Companies should identify the type of crypto-asset at an early stage. Firms are expected to establish a robust internal framework and engage legal and compliance teams at the outset of product design. A legal assessment under ESMA guidance and MiCAR must take place before issuance or distribution. The classification result also informs product and distribution strategies, for example by restricting sales to professional investors.

   2. Regulatory obligations depend on classification

   Once classification is complete, firms must align obligations accordingly. Stablecoins under MiCAR are subject to strict rules on transparency, reserves, redemption, and consumer protection. Tokens that qualify as financial instruments trigger MiFID II requirements. These include obligations including licensing, prospectus duties, reporting duties, investor protection measures, and conduct standards. The classification result must inform product and distribution strategies. Restrictions may include limiting sales to professional investors.

   3. Documentation and Processes

   Crypto firms should maintain a central register of all tokens. Each entry must include the classification, rationale, and supporting evidence. A four-eyes principle should be applied to classification decisions, and all records must be securely stored and accessible for audits, supervisory checks, or regulatory investigations. Clearly defined responsibilities across compliance, legal, and business units ensure consistency.

   4. Ongoing Monitoring

   Because crypto regulation evolves rapidly, firms should establish a regulatory watch function or appoint external counsel. This allows them to monitor ESMA updates, Q&As, and national guidance. Internal compliance policies need regular review, at least once a year, or whenever major legal changes occur. Ongoing staff training ensures that business teams remain aligned with current requirements.

   Drawing on ESMA guidance assists in managing legal risks, strengthen compliance structures, and keep token offerings and related services consistent with EU regulations. In addition, national specifications and supervisory practices continue to play a role.

3. Key obligations for crypto issuers and firms

   Once it has been established that a crypto-asset falls under the scope of MiCAR, a set of rules applies to all activities involving the EU. Issuers of crypto-assets are required to prepare and publish a white paper that explains the project and comply with marketing and certain (limited) business conduct rules.

   For issuers of stablecoins, additional rules apply. They must be authorized and comply with prudential requirements designed to maintain safety. For stablecoins classified as significant, based by their size or potential impact on the wider market, authorities impose stricter oversight. These measures aim to uphold financial stability and protect holders.

   MiCAR also regulates intermediaries such as brokers, dealers, custodians, portfolio managers, and trading platforms. These actors are required to be authorized and comply with prudential, conduct, and AML obligations.

   Additional authorizations pursuant to MiCAR are not necessary for existing financial entities such as banks and investment firms where their activities under MiCAR resemble those they are already carrying out under existing financial regulation. In such cases, only a notification to the competent authority is required (Art. 60 MiCAR).

   In parallel, a dedicated market abuse regime establishes rules on insider dealing and market manipulation.

   Authorized firms can operate across the entire EU without separate approvals in each Member State under an EU “passporting” regime. However, national authorities usually handle supervision and authorization and work closely with ESMA to ensure consistent oversight throughout the EU.

   MiCAR applies to all crypto-asset activities in the EU, unless such activities are provided following so-called reverse solicitation. According to Article 61 MiCAR, a company from outside the EU can provide crypto-asset services to an EU customer without MiCAR authorization if the customer requests the service entirely on their own. This exemption only covers services specifically requested by the customer.

   However, ESMA emphasizes that the customer’s request must come from their own initiative. A company cannot assume it is outside MiCAR simply because a customer shows interest. Any form of advertising or marketing by the provider will require authorization.

DLT Pilot Regime

The DLT Pilot Regime constitutes a temporary EU framework under which the trading and settlement of certain tokenized financial instruments with distributed ledger technology is exempted from certain requirements that would otherwise apply to these activities. It remains in force until March 2026 and may be extended for three additional years.

The framework provides limited and optional exemptions from existing financial market rules, such as the possibility to combine trading and settlement within a single entity or to grant direct access to retail clients. To the extent such exemptions are granted, these activities do not require full compliance with all regulatory requirements but remain subject to strict safeguards.

Exemptions must be justified by the use of DLT and must be paired with compensatory measures. The DLT Pilot Regime operates under extensive oversight through close interaction between regulators and market participants, with ESMA conducting annual reviews and comprehensive assessments. The regime aims to balance regulatory flexibility with strong supervision to support the development of a more digital and integrated EU capital market structure.

For example, a central securities depository in an EU Member State received approval under the DLT Pilot Regime to act as a DLT Settlement System. In practice, this allows it to use blockchain technology to record and settle trades. The depository built a permissioned platform, open only to authorized participants, to maintain security and control. Regulators assess whether trades are legally final, audit trails are sufficiently transparent, and investors are protected. On this basis, the authority granted exemptions from certain settlement rules under the Central Securities Depositories Regulation (“CSDR”), while keeping the project under close supervision.

Enforcement trends

Crypto players in focus

Regulators no longer limit their focus to a narrow group of crypto firms. Attention now extends across the entire ecosystem. Risks can arise from multiple actors, not only from exchanges.

Trading platforms, whether centralized exchanges or protocols that facilitate peer-to-peer lending, remain a primary focus. However, in Germany such lending protocols are not yet directly covered by MiCAR, and related AML requirements apply only where other regulated activities are conducted. Due to their scale and role in managing client assets, these platforms may still present exposure to illicit financial flows. In the U.S., enforcement actions have addressed platforms alleged to have failed registration as securities exchanges or to have insufficient AML controls.

Banks that hold custody licenses are subject to supervisory scrutiny with respect to their crypto-asset custody services. Where crypto-assets are held on the bank’s own balance sheet, supervisors also assess whether prudential safeguards are observed.

Issuers of tokens, particularly in the context of Initial Coin Offerings and Security Token Offerings, continue to be subject to regulatory oversight. Concerns focus on disclosure adequacy and investor protection. For example, the French Financial Markets Authority has intervened in offerings that did not meet basic transparency requirements, requiring issuers to amend or withdraw their materials.

Brokers, custodians, and wallet providers are increasingly regarded as key gatekeepers. Compliance deficiencies at these firms may create immediate vulnerabilities across the system. In the United Kingdom, cases have shown that inadequate wallet security or insufficient transaction monitoring can lead to money laundering investigations and the freezing of client assets.

Even technology providers that build market-access infrastructure, such as payment processors or blockchain analytics firms, are increasingly seen as falling within the regulatory framework, if only indirectly. This can subject them to contractual and compliance obligations through the regulated entities they serve.

Crypto risk map

The evolving regulatory environment reflects a multi-layered risk landscape. Authorities place particular emphasis on AML rules, sanctions compliance, and the prevention of sanctions evasion.

At the same time, the opacity and volatility of crypto markets present risks related to fraud and market abuse. Operational and cyber risks add another potential layer of concern, as technical disruptions or security breaches have the potential to affect investor confidence.

Consumer protection continues to drive regulatory initiatives, especially where retail participation is high. Alongside these risks, non-compliance with regulatory frameworks exposes firms to severe enforcement action.

Beyond purely legal dimensions, reputational risk is a key factor, as market trust can decline rapidly in cases of misconduct. Increasingly, environmental, social, and governance considerations also play a role. Sustainability considerations start to influence market practices and supervisory expectations and set new expectations for firms that aim to maintain credibility in this evolving field.

Enforcement examples

Practical cases illustrate how enforcement unfolds in different parts of the crypto sector.

In Germany, authorities dismantled a trading platform allegedly linked to large-scale money laundering. Assets worth millions were seized, and operators were prosecuted. The case shows that European enforcement can escalate to full shutdowns and criminal liability when AML safeguards fail.

In Europe, supervisory authorities have addressed compliance deficiencies by stablecoin issuers, requiring adjustments to transparency and reporting. The case demonstrates how regulators use MiCAR in practice and highlights the role of early corrective measures in mitigating the risk of more severe penalties.

A global exchange operating in multiple regions failed an AML and KYC audit. Regulators imposed substantial fines, required stricter due diligence processes, and appointed external monitors. The case confirms that exchanges are treated as critical infrastructures and are expected to comply with standards comparable to those in traditional finance.

A European platform was found to have facilitated large-scale laundering. Investigators identified deficiencies in compliance structures, arrested senior managers, and seized assets in a cross-border operation. The case illustrates that regulators move beyond supervision and resort to criminal prosecution when misconduct coincides with criminal activity.

In the United States, a token issuer faced allegations of unregistered securities sales. The matter was resolved through a multimillion-dollar settlement without admission of liability. The case shows that cooperation with regulators can mitigate financial and reputational risks.

These cases demonstrate that regulators in the U.S. and Europe deploy the full spectrum of enforcement tools, ranging from corrective measures to criminal prosecution. Firms that fail to meet compliance obligations face not only significant financial penalties but also the risk of exclusion from the market.

Crypto compliance

Regulators now expect crypto market participants to establish compliance frameworks that are both robust and defensible. Cross-border alignment and risk-based approaches increasingly define the standard. Comprehensive documentation and legal reasoning are indispensable to withstand enforcement measures.

Recent supervisory actions across Europe illustrate this shift. Authorities across Europe have increased on-site inspections of registered crypto firms. They evaluate AML controls, risk management, and client fund protection. Regulators also determine which firms are ready for full EU authorization under the upcoming MiCAR framework. Many digital asset companies are registered, but only a few have received full regulatory approval. Several major and local platforms are currently under review.

The heightened scrutiny reflects a move toward harmonized oversight under MiCAR. It highlights the importance of early preparation for full licensing and signals that cooperation alone may no longer meet regulatory expectations. Member States are calling on ESMA to provide more centralized supervision to ensure consistent oversight of large exchanges and prevent regulatory arbitrage.

Crypto firms face growing challenges in preventing financial crime while complying with AML, KYC, and MiCAR requirements. Traditional methods can struggle with decentralized and pseudonymous transactions. KYC has become a core component of crypto compliance, required by regulators worldwide. It ensures identity verification, reduces risks of fraud and money laundering, and supports trust and transparency on crypto platforms. Historical enforcement actions demonstrate that failure to implement KYC measures can lead to criminal prosecution.

Technology assumes a central role in addressing these challenges. Blockchain analytics and AI are discussed as tools to support compliance by helping detect suspicious activity, trace fund movements, and maintain verifiable audit trails. Automated transaction surveillance, AI-based risk scoring, and anomaly detection tools enable firms to identify irregularities at scale. Digital audit trails support transparency and demonstrate that compliance processes remain verifiable to supervisory authorities. Regulatory guidance highlights that technology can enhance transparency and facilitate cooperation between firms and supervisory authorities.

A culture of accountability is an integral component of effective compliance. Companies are advised to appoint dedicated compliance officers with a direct reporting line to top management (such as the CEO or the executive board). Pay and performance evaluations should consider compliance with regulatory objectives alongside financial results.

For financial institutions operating in the crypto sector, these expectations require concrete measures. Risk assessments must be conducted regularly. Customer due diligence and onboarding procedures must be thorough. Sanctions screening and transaction surveillance need to be integrated into daily operations. Internal governance must ensure a clear allocation of responsibilities. Oversight of third-party providers must be systematic and documented. Together, these elements form the backbone of a resilient compliance strategy that aligns with regulatory requirements and reduces exposure to enforcement action.

Board accountability and management responsibilities

Effective crypto compliance depends on clear accountability at the highest levels of an organization. Regulatory authorities increasingly expect boards of directors and executive management to set the “tone from the top” by prioritizing compliance, risk management, and ethical conduct in all crypto-related activities.

Boards should consider the following:

• Oversee the development and implementation of crypto compliance frameworks.
• Ensure that sufficient resources and expertise are allocated to compliance functions.
• Regularly review and challenge management’s approach to crypto risk.
• Receive timely updates on regulatory changes and enforcement trends.

Executive management should ensure that compliance officers have direct access to the board and are empowered to escalate issues without fear of retaliation. This culture of accountability is essential for building trust with regulators and stakeholders, and for mitigating legal and reputational risks.

Practical next steps for compliance officers

Organizations can realize the potential of digital assets as soon as they establish regulatory and compliance foundations.

Immediate action items

The first priority is to establish a clear understanding of the institution’s exposure to crypto-related risks. This includes conducting comprehensive crypto risk mapping and performing a gap analysis of existing AML and sanctions controls against crypto-specific typologies. To strengthen monitoring capabilities, firms should identify and contract with blockchain analytics providers. In addition, compliance staff and front-office employees should be trained to recognize crypto-specific red flags to ensure early detection of suspicious activity.

Medium-term measures

In the second phase, firms should align internal policies with obligations under MiCAR and relevant AML frameworks. This ensures the secure exchange of transaction information and reduces the risk of compliance failures. Effective wallet screening protocols need to be developed and integrated into transaction monitoring systems. Moreover, vendor due diligence processes must be updated, particularly for fintech and crypto partnerships, as third-party risks continue to be a key focus of supervisory attention.

Long-term readiness

Over the longer horizon, institutions must anticipate supervisory audits and thematic reviews that are likely to include crypto-specific elements. Crypto activities should form part of the annual AML audit scope, supported by management dashboards that track key compliance indicators. Compliance must be viewed not only as risk control but as a strategic asset. Institutions that demonstrate regulatory readiness can gain a competitive edge by securing trust from regulators, clients, and investors.

Outlook: What’s next in crypto regulation

The regulatory landscape for crypto-assets continues to evolve rapidly. In the European Union, institutions should monitor updates from ESMA and national regulators, as additional guidance and Q&As are expected. The MiCAR framework is already under review, with some national authorities advocating a stronger supervisory role for ESMA and closer oversight of platforms outside the EU that serve EU clients.

Globally, regulators are increasing their focus on cross-border enforcement, operational resilience, and the integration of environmental, social, and governance (“ESG”) considerations into crypto compliance. Financial institutions should expect a rise in supervisory audits and thematic reviews that include crypto-specific elements.

At the same time, developments in compliance technology, such as blockchain analytics and AI, may help firms meet these evolving regulatory expectations. These tools can improve transparency and enable more effective monitoring of crypto transactions.

Staying ahead of these developments requires a proactive approach to regulatory monitoring and ongoing adaptation of compliance frameworks.

Key takeaways & conclusion

The regulatory environment for crypto-assets is in rapid transformation. Europe has established a harmonized regime under MiCAR. First signs of enforcement activity have already appeared. Supervisory authorities are increasingly willing to act.

For businesses, this creates both opportunities and challenges. Firms that address crypto compliance proactively strengthen governance frameworks, embed robust AML and sanctions controls, and align with upcoming regulatory standards. This approach places them in a stronger position to mitigate legal and reputational risks. Early compliance investments not only reduce the likelihood of enforcement action but can also become a differentiator in building trust with regulators, clients, and investors alike.

Compliance should no longer be viewed merely as a reactive defense mechanism, but rather as a forward-looking strategy. Institutions that invest today place themselves in a position of strength and gain an edge in a market shaped by higher expectations.

If you have any questions about how recent regulatory developments and enforcement actions may impact your business, please feel free to reach out to any member of our listed team or your regular Hogan Lovells contact.

Authored by Dr. Lukas Ritzenhoff and Annika Guterl.