Skip to content
In the news TRM Labs × Finray — audit-ready crypto transaction monitoring for banking
Finray
Book a briefing

CASP MiCA compliance operating model

Crypto-Asset Service Providers authorised under MiCA Title V must operate a compliance model spanning AMLR, AMLD6, TFR, FATF Travel Rule and DORA obligations. This decision graph maps 94 nodes and 139 edges across 18 regulatory anchors, 10 control domains, 20 vendor nodes and 37 product nodes for buyer due diligence. XZiel recused from ranking.

Cluster
XZiel
Published
Version
1.0.0
Disclosure
Finray product recused from ranking

Last reviewed   ·  Version 1.0.0  ·  Evidence cutoff 

The CASP MiCA compliance operating model graph maps the decision a Crypto-Asset Service Provider faces when assembling its compliance stack: regulatory anchors (MiCA Title V, AMLR, AMLD6, Transfer of Funds Regulation, FATF Travel Rule, DORA, NIS2), the controls those anchors require (KYC/CDD, sanctions, transaction monitoring, Travel Rule, market abuse surveillance, ICT risk, governance), and the vendor products that implement those controls today.

The graph is vendor-neutral on every category in which Finray Technologies Ltd does not ship a product. XZiel is Finray’s transaction-risk-monitoring platform; it is recused from any ranking, scoring, or “best of” recommendation and is included as a referenced product node only. Every product node carries its primary-source URL with an accessed-date suffix; gaps are flagged as [evidence pending — vendor outreach required] rather than filled by inference.

Click any node or edge to inspect its evidence. The legend, top-right of the canvas, maps node colour to type. Pan with click-drag; zoom with the wheel; reset with double-click on background.

Layout
cose
Nodes
94
Edges
139
Last reviewed
2026-04-30
Evidence cutoff
2026-04-30
Pending outreach
37
  • firm-segment
  • regulator
  • regulation
  • standard
  • control
  • vendor
  • product
  • finray product (COI)

Reference index

The interactive decision graph above and the tables below cover the same data. The graph is for visual exploration; the tables index every regulation, standard, control, vendor and product in plain text with primary-source links — for search engines, citation tools and readers who prefer linear reading.

Regulators (5)

National Competent Authorities, supervisory authorities, and pan-EU European Supervisory Authorities indexed in this radar. Each row links to the regulator's primary-source URL with the date the source was last accessed. Listing is alphabetical by jurisdiction code; inclusion is editorial, not a directive. Volume of regulators per jurisdiction reflects the local supervisory architecture (single-supervisor vs sectoral split) and is not a quality signal.

Regulators indexed in this radar with their jurisdiction and primary-source URLs.
Regulator Jurisdiction Scope Primary source
AMLA EU AML/CFT authority Incoming AML authority relevant to future direct-supervision selection. View source
EBA EU banking authority MiCA ART/EMT anchor with adjacent effects for CASPs handling ARTs or EMTs. View source
ESMA EU securities markets regulator MiCA Level 2/3 and supervisory-convergence anchor for CASPs. View source
FATF global AML/CFT standard setter Global source for Recommendation 16 and VASP/virtual-asset AML guidance. View source
National Competent Authorities generic member-state supervisors Generic node for NCAs; individual NCAs are intentionally not enumerated. Pending

Regulatory anchors and supervisory standards

The legal instruments and supervisory standards an institution in this segment must satisfy. Each row links to the primary source — official journal page, supervisor circular, or standards body — with the date the source was last accessed.

Regulatory anchors and supervisory standards covered in this radar, with primary-source links.
Anchor Scope Primary source
MiCA Regulation (EU) 2023/1114 — Title V Regulation Primary legal anchor for CASP authorisation and operating obligations. View source
MiCA Regulation (EU) 2023/1114 — Title III Regulation Adjacent anchor for ART issuers and CASP groups handling ART issuance or admission. View source
MiCA Regulation (EU) 2023/1114 — Title IV Regulation Adjacent anchor for EMT issuers and CASP+EMI overlap. View source
AMLR Regulation (EU) 2024/1624 Regulation Binding AML package anchor for future harmonised CDD, monitoring and risk controls. View source
AMLD6 Directive (EU) 2024/1640 Regulation Directive anchor for national AML implementation and FIU-facing procedures. View source
AMLA Regulation (EU) 2024/1620 Regulation Institutional anchor establishing AMLA. View source
Transfer of Funds Regulation (EU) 2023/1113 Regulation Direct EU anchor for information accompanying crypto-asset transfers. View source
DORA Regulation (EU) 2022/2554 Regulation ICT operational resilience anchor for CASP operating models. View source
eIDAS 2 Regulation (EU) 2024/1183 Regulation Adjacent anchor for digital identity wallet and trust-service onboarding flows. View source
FATF Recommendation 16 and VA/VASP guidance Standard Global Travel Rule methodology for originator and beneficiary information. View source
IVMS 101 Standard Common data model for required Travel Rule party information. View source
TRP — Travel Rule Protocol Standard Open protocol option for Travel Rule data exchange between VASPs. View source
OFAC SDN and consolidated screening data Standard US sanctions-list data input for global screening programs. View source
EU consolidated financial sanctions list Standard EU sanctions-list data input for EU CASP sanctions screening. View source
ISO/IEC 27001 Standard Security baseline for vendor and internal ICT assurance. View source
ISO 20022 Standard Payments message standard relevant at CASP+EMI and fiat-rail intersections. View source
IETF JMAP Standard Technical reference for structured JSON object workflows; not a MiCA mandate. View source
OpenID Connect Standard Identity protocol reference for authenticated digital identity assertions. View source

Controls

The control domains those regulatory anchors require. Each control sits at the intersection of one or more regulations and one or more vendor products that implement it.

Control domains required by the regulatory anchors above.
Control What it covers
KYC/CDD onboarding Lifecycle onboarding control covering IDV, risk rating, source of funds and refresh.
Sanctions screening Control for screening customers, counterparties, wallets and transactions against sanctions/watchlists.
Transaction monitoring Control for detecting suspicious fiat and crypto behaviour through scenarios, models and case workflows.
Wallet-address attribution and risk scoring Control for address attribution, clustering, exposure scoring, typology tags and blockchain coverage.
Travel Rule routing Control for sending, receiving, validating and reconciling Travel Rule information.
Suspicious activity reporting Control for escalating suspicious activity and producing FIU-ready SAR/STR narratives.
Custody-asset segregation Control for separating own funds, client funds, client crypto-assets and custody key evidence.
MiCA whitepaper publication and notification Control for token whitepaper publication, notification and product governance where relevant.
ICT operational resilience Control for ICT risk, incidents, resilience testing and third-party dependency governance.
Internal audit and audit-trail evidence retention Control for preserving defensible evidence across onboarding, alerts, investigations and filings.

Vendors and products

Named vendors active in this control space and the specific products each ships. Listing is alphabetical within the graph's evidence set; inclusion is editorial, not commercial, and is not a recommendation. Finray Technologies Ltd ships products in this space and is recused from any ranking — see the methodology page for the conflict-of-interest framework.

Vendors and the specific products each ships into this control space.
Vendor Products Vendor source
Chainalysis Inc. Blockchain analytics vendor.
  • Chainalysis Reactor — Crypto investigations product for tracing funds and entity exposure. ( product page )
  • Chainalysis KYT — Crypto transaction monitoring product for platform-scale risk assessment. ( product page )
  • Chainalysis Crypto Investigations Solutions — Investigation solution for tracing funds across blockchains. ( product page )
Vendor site
Elliptic Enterprises Ltd Blockchain analytics vendor.
  • Elliptic Lens — Wallet screening and alert-to-decision workflow product. ( product page )
  • Elliptic Investigator — Investigation product referenced in Elliptic VASP compliance materials. ( product page )
  • Elliptic Navigator — Transaction monitoring product referenced in Elliptic VASP compliance materials. ( product page )
Vendor site
TRM Labs Inc. Blockchain intelligence vendor.
  • TRM Forensics — Blockchain intelligence product for investigations and fund-flow analysis. ( product page )
  • TRM Insights — Not verified as a currently marketed standalone software product during this session.
  • TRM Tactical — Mobile-first blockchain intelligence tool for investigators. ( product page )
Vendor site
Merkle Science Blockchain analytics vendor.
  • Merkle Science Tracker — Crypto investigation and blockchain tracing product. ( product page )
  • Merkle Science Compass — Transaction and wallet monitoring product for AML and risk reporting. ( product page )
Vendor site
Notabene Inc. Travel Rule vendor.
  • Notabene SafeTransact — Pre-transaction crypto compliance and Travel Rule solution. ( product page )
Vendor site
Sumsub Holdings KYC, AML and Travel Rule platform vendor.
  • Sumsub KYC — KYC onboarding component of Sumsub verification platform. ( product page )
  • Sumsub AML — AML screening and monitoring component of Sumsub platform. ( product page )
  • Sumsub Travel Rule — Travel Rule solution for VASP/CASP data exchange and compliance workflows. ( product page )
Vendor site
VerifyVASP Travel Rule platform vendor.
  • VerifyVASP Travel Rule Platform — Platform for VASPs to exchange required FATF R.16 information. ( product page )
Vendor site
Shyft Network Vendor/network behind Veriscope Travel Rule tooling.
  • Shyft Veriscope — Travel Rule product/network for counterparty VASP discovery and data sharing. ( product page )
Vendor site
Entrust / Onfido Entrust identity verification vendor including Onfido acquired in 2024.
  • Onfido Studio / Entrust Workflow Studio — Identity-verification workflow builder now in Entrust materials. ( product page )
  • Onfido Verify / Entrust IDV API — Identity verification API and flows formerly associated with Onfido. ( product page )
Vendor site
Veriff OÜ Identity verification vendor.
  • Veriff Identity Verification — Document, identity and liveness verification product. ( product page )
  • Veriff IDV+ — Separate IDV+ product page was not verified during this session.
Vendor site
Persona Identities Inc. Identity workflow and report vendor.
  • Persona Workflows — Workflow product for identity-verification journeys and decisioning. ( product page )
  • Persona Reports — Report products for profile, watchlist and adverse-media checks. ( product page )
  • Persona Trust — Trust page is modeled as a use-case label, not a verified standalone product. ( product page )
Vendor site
Jumio Identity verification and AML vendor.
  • Jumio Identity Verification — Identity verification product for onboarding and KYC/AML checks. ( product page )
  • Jumio AML — AML compliance product for customer-risk controls. ( product page )
Vendor site
ComplyAdvantage Ltd AML risk-intelligence vendor.
  • ComplyAdvantage Mesh — AML risk-intelligence platform for screening and monitoring. ( product page )
  • ComplyAdvantage Customer Screening — Customer screening product for sanctions, PEP and adverse-media risk. ( product page )
Vendor site
LSEG Risk Intelligence / Refinitiv Risk-intelligence vendor behind World-Check.
  • World-Check — LSEG/Refinitiv screening product for KYC and financial-crime risk. ( product page )
Vendor site
Dow Jones Risk & Compliance Risk-data and due-diligence vendor.
  • Dow Jones RiskCenter — RiskCenter product for financial-crime due diligence and monitoring. ( product page )
  • Dow Jones Anti-Corruption — Anti-corruption due-diligence product/use-case. ( product page )
Vendor site
Sanctions.io GmbH Sanctions and AML screening API vendor.
  • Sanctions.io Screening API — Sanctions and AML screening API. ( product page )
Vendor site
Sardine AI Inc. Fraud and AML risk platform vendor.
  • Sardine — Fraud and AML platform with transaction-monitoring documentation. ( product page )
Vendor site
Hummingbird RegTech Financial-crime case-management and reporting vendor.
  • Hummingbird Platform — Financial-crime platform with investigations and regulatory reporting. ( product page )
  • Hummingbird Regulatory Reporting — Regulatory reporting product for SAR/STR/CTR filing workflows. ( product page )
Vendor site
Featurespace ARIC platform vendor for fraud and financial crime.
  • Featurespace ARIC — ARIC Risk Hub/AML solution for fraud and financial-crime monitoring. ( product page )
Vendor site
Finray Technologies Ltd Finray vendor node for XZiel; excluded from ranking. Finray Technologies — recused from ranking
  • Finray XZiel — Finray product for transaction-risk analysis, sanctions screening and audit-ready workflows; recused from ranking. ( product page )
Vendor site

What changed

Cut-off 2026-04-30 — initial published snapshot. No prior snapshot to diff.

Primary source https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica · accessed 2026-04-30

Evidence register, not legal advice. Point-in-time, not real-time, not exhaustive. Reasons are not inferred — they live in the linked primary source.

Certificate of Registration NQA · UKAS Management Systems
ISO/IEC 27001:2022 Certificate of Registration issued by NQA to Finray Technologies Ltd, certificate number 215646, valid 21 October 2025 to 21 October 2028
Search
Type to search across Finray, products, company, and journal.

    Press Esc to close · to open the highlighted result.

    Book a briefing 01 / 03

    Step 01

    Identify the institution

    Who is requesting the briefing.