Sanctions Compliance for CASPs: What EU Crypto Firms Must Screen

Sanctions are not AML — and the difference is the whole article

The single most common sanctions failure at a crypto-asset service provider is conceptual, not operational: the firm treats sanctions screening as a sub-task of its AML framework. It is not. Sanctions compliance and AML/CFT are two separate regimes with two different logics, and conflating them builds a structural gap.

AML is risk-based. The whole AML framework runs on proportionate, risk-rated measures — a low-risk client gets lighter due diligence, a high-risk client gets enhanced measures. Discretion is built in.

Sanctions are strict-liability. EU restrictive measures do not have a “low-risk designated person”. If a client, counterparty, or wallet is subject to an asset freeze, processing a transaction is a breach — full stop, regardless of intent, regardless of the client’s risk rating, regardless of how well the firm knows the client. There is no risk-based discretion to apply.

A CASP that routes sanctions screening through its risk-based AML triage has applied discretion where the law allows none. That is the gap supervisors look for.

EU sanctions apply to CASPs directly

EU restrictive measures — the EU’s sanctions regime — bind all EU operators. A crypto-asset service provider is an EU operator. Sanctions apply to a CASP directly and in full, exactly as they apply to a bank or a payment institution. There is no crypto carve-out.

The core prohibitions are:

• Asset freeze — the funds and economic resources of designated persons and entities must be frozen
• No making available — funds or economic resources must not be made available, directly or indirectly, to or for the benefit of designated persons

Crucially, crypto-assets are within scope. They are treated as funds or economic resources. A CASP holding, transferring, or exchanging crypto-assets for a designated person is dealing in frozen economic resources — the same breach as a bank moving a designated person’s euros.

What sanctions compliance requires operationally

A CASP sanctions programme has to deliver, at minimum:

1. Client and counterparty screening against the EU consolidated list of designated persons and entities, at onboarding and on an ongoing basis
2. Wallet-address screening — incoming and outgoing — using chain-analytics tooling, because designated persons transact through addresses, not just names
3. Transaction screening — checking transactions before execution, not only after
4. Ownership-and-control analysis — screening beneficial owners and entities owned or controlled by designated persons, not only the named account holder
5. Freeze-and-report on a match — freeze without delay, do not execute, report to the competent national authority
6. Current-list management — screening against up-to-date consolidated lists and re-screening the client base when designations change

Why CASPs are specifically exposed

Crypto and sanctions evasion is an explicit policy and supervisory concern. Designated persons and sanctioned jurisdictions have an obvious incentive to move value through crypto rails, and CASPs are the regulated chokepoint. That makes a CASP’s sanctions controls a focus of supervisory attention.

The crypto-specific expectation is wallet-level screening. A bank screens names and account numbers. A CASP that screens only client names — and not the wallet addresses funds move to and from — has a control built for a different industry. Supervisors expect chain-analytics-based address screening as a core control, not an optional enhancement.

How sanctions sits alongside the rest of the compliance stack

For a CASP, sanctions screening interlocks with:

• AML/CFT — adjacent but separate. The MLRO and the AML framework handle money-laundering and terrorist-financing risk on a risk-based footing. Sanctions run alongside, on strict-liability footing. The two can share tooling; they cannot share logic.
• The Travel Rule (TFR) — Travel Rule data on originators and beneficiaries feeds sanctions screening. A counterparty or wallet surfaced by Travel Rule information must run through sanctions screening.
• Governance — sanctions is a board-level risk. A breach is not a process slip; it is a serious regulatory and reputational event.

What a clean sanctions posture looks like in a CASP file

A supervisory file that holds up on sanctions contains:

1. A sanctions policy separate from the AML policy, with strict-liability logic explicit
2. Documented client, counterparty, and wallet-address screening, including the chain-analytics tooling used
3. An ownership-and-control screening process for beneficial owners and controlled entities
4. A freeze-and-report procedure with named responsibilities and competent-authority reporting channels
5. List-management evidence — current consolidated lists, re-screening on designation changes
6. Board-level oversight of sanctions risk

Working with counsel on sanctions

The diagnostic for counsel and compliance advisers: ask whether they treat sanctions as a distinct strict-liability workstream or as a line item in the AML manual — and whether the screening design covers wallet addresses and ownership-and-control, not just client names. An adviser who folds sanctions into AML has the conceptual model wrong. The firms in our index with relevant financial-crime experience are listed below.