CASPs should separate the licensing work from the underlying control work. MiCA sets the market access perimeter, but AML/CFT, Travel Rule, and national rules still govern identity verification, screening, and evidence retention. The safest approach is to map each obligation to an owner, a workflow, and a document trail so the application reflects real operating discipline, not just legal interpretation.
Why This Matters for Security Teams
MiCA licensing can look like a legal filing exercise, but CASPs are usually judged on whether their controls work in operation. AML/CFT obligations, Travel Rule obligations, sanctions screening, and recordkeeping still apply even when the firm is focused on authorisation under MiCA. NIST Cybersecurity Framework 2.0 emphasises governance and risk management as ongoing disciplines, not one-time submissions, which is the right lens for this problem. The practical risk is that licensing teams document policy while operations continue to rely on weak identity, incomplete screening, or ad hoc evidence retention.
This is where NHI control quality becomes decisive. The Ultimate Guide to NHIs shows how often organisations under-estimate non-human identity exposure, and that matters because many CASP workflows depend on API keys, service accounts, and automation that touch customer data and transaction records. In practice, many security teams encounter licensing gaps only after an auditor asks for proof that AML/CFT controls were actually operating, rather than through intentional design.
How It Works in Practice
The safest approach is to treat MiCA readiness and AML/CFT readiness as connected but distinct workstreams. MiCA typically drives the application narrative: governance, prudential arrangements, complaints handling, operational resilience, and how the CASP manages outsourced and technical dependencies. AML/CFT work, by contrast, is about proving that customer due diligence, sanctions screening, transaction monitoring, Travel Rule exchange, escalation, and retention are wired into day-to-day processes.
That distinction matters because regulators and auditors rarely care whether the evidence was generated by a person or a workflow. They care whether the evidence exists, is complete, and can be traced back to an accountable owner. The control model should therefore define:
- an owner for each obligation, including compliance, security, and operations
- a workflow for onboarding, screening, alert review, and escalation
- an evidence trail showing who approved, who monitored, and what was retained
- identity controls for the systems performing those functions, including service accounts and API keys
For technical assurance, this is where current NHI guidance becomes useful. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives is helpful when mapping machine identities to audit evidence, while NIST Cybersecurity Framework 2.0 provides the governance vocabulary for assigning responsibility and proving control operation. A CASP preparing for authorisation should also keep identity proofing, screening logs, alert dispositions, and retention rules aligned so the compliance story is internally consistent. These controls tend to break down when AML/CFT workflows are spread across multiple vendors and the firm cannot reconstruct a single chain of custody for decisions or records.
Common Variations and Edge Cases
Tighter control mapping often increases operational overhead, requiring organisations to balance faster licensing against stronger evidence and review discipline. That tradeoff is unavoidable when the CASP uses third-party onboarding tools, shared wallets, or outsourced monitoring functions.
One edge case is when the licensing team assumes a vendor’s attestations cover the firm’s own obligations. Current guidance suggests that outsourcing can reduce execution burden, but it does not transfer accountability. Another edge case is a product with mixed activity, such as custody, exchange, and embedded finance, where AML/CFT scope changes by service line and customer segment. In those environments, the licensing pack should clearly separate what MiCA requires from what national AML laws still require, because they are not interchangeable.
CASPs should also watch for weak points in evidence retention. If screening decisions, Travel Rule data, or SAR/STR-related records are stored in multiple systems, the regulator may see fragmented controls even when individual teams believe they are compliant. The Hugging Face Spaces breach is a useful reminder that exposed automation and weak secret handling can turn a technical dependency into an operational control failure. Best practice is evolving here, but there is no universal standard for how much automation evidence a CASP must produce at authorisation, so firms should document their rationale and keep it consistent across compliance, security, and legal reviews.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | MiCA readiness depends on clear governance, scope, and accountability for AML/CFT controls. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Service accounts and API keys used in AML/CFT workflows need rotation and evidence of control. |
| NIST AI RMF | GOVERN | AI-assisted monitoring and screening need accountable oversight and documented operating rules. |
Define control ownership and evidence workflows so MiCA and AML/CFT obligations are operationally traceable.
Related resources from NHI Mgmt Group
- Who is accountable when licensing readiness and AML/CFT controls break down?
- How do organisations prepare for the EU AI Act without slowing AI adoption?
- How should organisations prepare for AI workload spikes without losing control?
- How should security teams prepare for ISO 27001 certification without creating audit churn?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 5, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org