TL;DR - Under MiCA, EU crypto service providers must screen wallet addresses for illicit flows before processing transactions.
Most MiCA guides focus on stablecoin reserves, white papers, and marketing disclosures. They skip the operational detail that affects every customer-facing team: wallet screening. The regulation places anti-money laundering obligations directly on CASPs. That means any exchange, broker, or custodial wallet provider in the EU needs a repeatable way to check whether an Ethereum or EVM address carries sanctions risk or taint from mixers before approving a deposit or withdrawal. Self-custody users are not the regulated entity, but the services they want to use are. If your business touches on-chain flows, the screening rules are not a future problem. They are an infrastructure problem you need to solve before your first audit.
What does MiCA require for wallet screening?
MiCA does not invent a brand new surveillance system. It folds crypto asset service providers into the existing EU anti-money laundering framework with clearer on-chain expectations. Providers must establish risk-based policies to identify whether a counterparty wallet is linked to sanctions lists or suspicious activity.
The rules expect you to look beyond a simple address label. You need to understand the origin of funds, especially when a user tries to deposit from a non-custodial wallet that has no traditional banking trail. If your platform handles Ethereum, Polygon, or other EVM chains, the screening must cover smart contract interactions and direct transfers alike. A contract call that forwards funds from a hidden proxy should not bypass your filter.
Supervisors will ask for evidence that your checks run before the transaction settles, not after a news story breaks. That timing distinction changes how you architect your compliance stack.
MiCA-ready screening starts with sanctions scans, taint analysis, risk scoring, and a final pass-or-review decision.
Who must comply with the new obligations?
The obligations hit crypto asset service providers, or CASPs, operating under an EU member state license. That category covers centralized exchanges, custody providers, and any business that holds or transfers crypto on behalf of clients. Non-custodial wallet developers without a CASP license generally fall outside the direct scope, but the providers they interact with do not.
A DeFi aggregator that routes user funds through a regulated custodian could still force that custodian to freeze a deposit if the source address carries mixer taint. National competent authorities will enforce these rules with passporting across the single market, so a Lithuanian exchange and a German broker face the same baseline expectations.
Small startups often assume they can delay compliance until they scale. That assumption is dangerous. Licensing queues are long, and supervisors treat wallet screening as a day-one requirement.
Which transactions trigger a check?
MiCA frames the trigger around risk. High-risk indicators include deposits from privacy coins, mixer outputs, and addresses flagged by OFAC or domestic sanctions lists. A customer moving funds from a known mining pool carries different weight than a customer sending funds from a recently activated address with no prior history. The regulation expects providers to calibrate thresholds.
A ten euro test deposit might still need a name match if the source address appears on a watchlist. You should define these triggers in your internal policy before the regulator asks to see them. Many firms start with a basic understanding of crypto wallet screening and then layer on MiCA-specific criteria.
CASPs need to document every screening decision and the rationale behind it. This includes the wallet address checked, the timestamp, the result, and the staff member or system that approved the pass or block. MiCA aligns with the broader EU Travel Rule expectation that data must be retrievable for audit.
If a compliance officer overrides an alert, the file must show why. Keeping screenshots of Etherscan pages is not enough. You need structured logs that connect the on-chain data to your customer record. That connection matters when a deposit is blocked and the user files a complaint.
Firms that fail to produce these files during an inspection face fines that scale with global turnover. Auditors prefer machine-readable exports over email chains.
How can teams prepare before the deadline?
Start by mapping every point where a customer wallet touches your platform. That means deposit addresses, withdrawal confirmations, and connected Web3 logins. Next, integrate a screening pipeline that checks sanctions, taint, and mixer exposure in real time. Many small CASPs begin with periodic batch reviews, but MiCA expects continuous monitoring around higher-risk events.
Train your support staff to recognize when an address gets blocked so they can explain the next steps to a customer without creating legal exposure. As a manual fallback during incident review, you can always screen the address with Plastron to verify sanctions status or mixer links. Finally, update your privacy notices to tell users that wallet screening is a condition of service. If they refuse to reveal a source address for a non-custodial deposit, you need a policy for that refusal.
FAQ
Does MiCA ban non-custodial wallets?
No. MiCA regulates service providers, not the wallet software itself. A user who self-custodies assets in a private key wallet can still transact freely. The rules apply when that user interacts with a regulated CASP, such as when depositing to an exchange or using a custodial on-ramp.
Can a wallet be screened after a transaction is complete?
Yes, but that is a reactive approach. MiCA expects risk checks before settlement. Post-transaction screening helps with investigations, yet it does not satisfy the preventive obligation. Most supervisors treat delayed screening as a control gap unless there is a documented exception.
Which chains fall under MiCA wallet screening?
The regulation is chain-agnostic. Any blockchain or EVM network that your platform supports must sit inside your screening scope. Ethereum, Polygon, Arbitrum, and BSC are all covered if your CASP handles them. Bitcoin and Solana fall under the same principle. You cannot exclude a network simply because it is harder to trace.
What happens if a CASP misses a sanctioned address?
National authorities can impose administrative fines, license restrictions, or public reprimands. Errors that facilitate sanctions evasion carry the heaviest penalties. Consistent backlogs or missing records compound the problem. A firm that cannot show it tried to identify the risk typically fares worse than one with a documented false positive.
Are DeFi protocols covered by MiCA screening rules?
Purely decentralized protocols without a legal entity or CASP license are not directly covered. However, any fiat on-ramp, custodial wallet, or front-end service that interfaces with the protocol likely is. Those touchpoints must perform screening. If a protocol team runs a legal entity that takes custody, the obligation applies fully.
Disclaimer: This article is for educational and informational purposes only and is not legal, financial, tax, or compliance advice. Crypto carries risk; you act on this information at your own risk. Always do your own research and consult a qualified professional before making decisions. Views are the author's own and do not constitute financial, legal, or investment advice.
About Plastron
Plastron is a free, non-custodial wallet screening tool. It checks Ethereum and six EVM chains for AML and KYT risk — sanctions exposure, mixer contact, and stolen-funds proximity — and returns a risk report in seconds. It reads public on-chain data only: it never takes custody of funds and never asks for private keys.