New Warning: Six Red Flags the EBA is Targeting in Europe’s Crypto Sector

The European Banking Authority (hereinafter referred to as “EBA”) has recently issued a landmark Supervisory Report exposing how some crypto-asset service providers have exploited regulatory gaps to facilitate financial crime. The October 2025 report identifies six recurring red flags that supervisors across the EU have encountered in recent cases, which expose systemic weaknesses in the sector.

As the EU prepares for a harmonised regulatory framework under the Markets in Crypto-Assets Regulation (MiCA) and the new AML package, firms that fail to address these vulnerabilities risk being left behind or shut out entirely.

The “Red Flags”

  1. Unauthorized Operations

The first and most immediate concern is unauthorized or unregistered activity. Several crypto-asset service providers (hereinafter referred to as “CASPs”) were found servicing EU clients without holding proper authorization in any Member State.

In certain cases, these entities, originating in third countries, offered exchange, wallet, or transfer services directly to EU residents. They often targeted clients through online platforms, mobile apps, and influencer marketing, exploiting gaps in national supervisory capacity.

This lack of registration means there’s no AML/CFT supervision, no consumer protection, and no accountability, while at the same time creating uneven competition with regulated firms.

EBA’s Advice: Supervisors must collaborate more closely to ensure consistent application of rules and prevent entities from exploiting weaker frameworks.

  2. Forum Shopping

The second red flag concerns forum shopping, a deliberate strategy used by some firms to find the most lenient jurisdiction in which to register.

Instead of adapting to robust standards, these entities apply simultaneously in multiple Member States and gravitate toward those with weaker entry requirements, slower review processes, or less supervisory scrutiny.

This tactic not only undermines regulatory consistency across the EU but also allows higher-risk operators to establish themselves in jurisdictions with limited enforcement capacity.

EBA’s Advice: Supervisors should cooperate closely, share intelligence on applicants, and ensure uniform application of MiCA standards to prevent “jurisdiction-hopping.”

  3. Misuse of the Reverse-Solicitation Exemption

“Reverse solicitation” was designed as a narrow exception allowing non-EU entities to provide services when a client initiates contact on their own.

Despite this, the EBA concluded that many firms use this exemption as a shield to avoid authorization, even when they actively market to EU customers through ads, websites, and partnerships.

This practice blurs the line between genuine reverse solicitation and regulatory evasion. It’s especially problematic because these firms operate outside EU supervision while targeting EU clients.

EBA’s Advice: Compliance with MiCA, which will tighten the conditions for reverse solicitation and make it far harder for firms to exploit this loophole.

  4. Weaknesses in AML/CFT Controls

Weak compliance remains one of the sector’s most critical vulnerabilities. The EBA found systemic shortcomings in anti-money laundering and counter-terrorist financing frameworks, including:

  • Inadequate customer due diligence (CDD) at onboarding;
  • Lack of enhanced due diligence for high-risk clients;
  • Poor transaction monitoring and sanctions screening;
  • Over-reliance on outsourcing key AML functions to third-country affiliates;
  • Understaffed or unstable compliance teams.

These weaknesses make it easier for criminal networks to move illicit funds through CASPs, often unnoticed or unreported.

EBA’s Advice: CASPs must align their AML/CFT programmes with standards already expected of banks and payment institutions.

  5. Unclear Beneficial Ownership and Governance Structures

Many entities present complex, fragmented, or opaque ownership structures. Moreover, some register multiple entities across jurisdictions, submit inconsistent information to different regulators, or obscure ultimate beneficial ownership through layers of corporate vehicles.

This lack of transparency hampers supervisory due diligence and makes it difficult to identify who is actually in control, increasing the risk that sanctioned individuals, criminal networks, or bad actors hide behind these structures.

EBA’s Advice: MiCA and the EU AML framework introduce clearer governance rules, stricter fit-and-proper assessments, and beneficial ownership disclosure to close this gap.

  6. Multi-Entity Structures Used to Bypass Supervision

A growing number of crypto firms operate through complex webs of affiliated entities, often spread across multiple jurisdictions. The EBA found that some firms use these structures to evade regulatory scrutiny or to continue operating despite restrictions placed on one part of their group.

In practice, this often involves shifting services to another entity within the same group after a supervisory intervention or acquiring a locally registered firm to regain access to the market without undergoing full authorization checks. This strategy allows firms to keep business flowing while regulators play catch-up.

These arrangements undermine the effectiveness of enforcement measures and create serious challenges for national authorities that typically supervise entities on a solo basis.

EBA’s Advice: Regulators must adopt a group-wide supervisory approach, ensuring that enforcement follows the activity and not just the legal shell. Under MiCA, group transparency and coordinated supervision will be critical to closing this loophole.

The EBA’s Report sends a clear message:

Crypto firms will not be able to keep operating in regulatory shadows.
With MiCA’s implementation imminent, regulators across Europe will no longer tolerate gaps or evasions.

The six red flags reveal the structural weak points of Europe’s crypto ecosystem.

MiCA and the EU AML framework will turn what used to be loopholes into high-risk liabilities, and supervisors will have the tools to back it up.

The smartest firms will treat this report not as a warning, but as a checklist for survival and leadership in the next phase of Europe’s digital finance evolution.

Firms that align with this new reality will shape the future market.

The Report can be found at: Report on tackling ML TF risks in crypto-asset services through supervision.pdf

 

By Stefania G. Christofidou
Compliance & Advisory Consultant