One Rulebook, 27 Queues: How the Wait for a MiCA Licence Became the Real Competitive Event
Most AI-in-AML analysis treats AMLR Article 76(5) as current law. It applies from 10 July 2027. This piece maps the six regulatory layers, what is resolved, what is not, and what a CASP should be doing between now and then.
Analysis of AI in AML for EU CASPs as of July 2026: MiCA is the authorisation gatekeeper with no AI-specific provisions; transitional grandfathering ended EU-wide 1 July 2026. Four layers bind today: MiCA authorisation, TFR plus national AMLD5-transposed statutes, GDPR Article 22 (sharpened by CJEU C-203/22 Dun and Bradstreet Austria, 27 Feb 2025), and DORA third-party ICT governance for AML vendors. Two layers are quoted early: AI Act Article 50 transparency from 2 Aug 2026; Annex III high-risk deferred to 2 Dec 2027 (standalone) / 2 Aug 2028 (embedded) via Digital Omnibus adopted June 2026. Commission draft Article 6 guidelines (19 May 2026): fraud detection exception is main-purpose only, does not cover AML/CFT, but standalone AML monitoring usually outside Annex III Point 5(b) (creditworthiness). AMLR Article 76(5) is the actual EU legal basis for automated/AI AML decisions (three conditions: CDD-limited data, meaningful human intervention, explanation right except STR) but applies from 10 July 2027 only. Scenario map covers biometric onboarding, transaction monitoring, alert triage, sanctions screening, AML-to-credit scoring, LLM SAR copilots. National variation: Germany Section 11a GwG has no AI automated-decision bridge; Malta ESMA peer review gaps. Operators building copilot human-in-loop ahead of 2027. Related agentic-client gap: separate Micahub piece on machine clients and Travel Rule. Seven compliance officer diagnostic questions. FINMA SupTech, Goldman SR 11-7 cadence vs adaptive agents.
AI in AML Under MiCA: The Rule Everyone Cites Isn't Law Yet MiCA Edge Cases | Where Innovation Meets Regulation Discussion note: A question circulated in the compliance community this month: which analysis of AI in AML under MiCA actually holds up. Most of what is being shared treats a regulation that is not yet in force as though it were already binding law. This piece starts by fixing that, then maps what is actually resolved, what is not, and what a CASP should be doing about it between now and 10 July 2027. On 19 May 2026, three months late, the European Commission published its draft guidelines on Article 6 of the AI Act. Buried in the section on Annex III, Point 5(b), sits a clarification that compliance content has spent June repeating without its second half: the fraud detection exception does not extend to AI systems used for AML/CFT checks, but those same AML/CFT systems are usually outside Point 5(b) in the first place, because they were never intended to assess creditworthiness. Both sentences are true. Only the first one is getting quoted, which is how you end up with two competing pieces of LinkedIn wisdom this quarter: one insisting your AML model is now high risk, the other insisting it is exempt. Neither is citing the rule that actually authorises AI driven AML decisions at a CASP today, because that rule is not in MiCA, and it does not apply for another year. The Legal Architecture: Six Layers, Two Not Yet Live MiCA is the gatekeeper, not the AI rulebook. The Article 62 authorisation file requires a business plan, governance charts, and documented AML/CFT risk assessment procedures. Management and qualifying shareholders face a fit and proper bar that specifically excludes anyone convicted of money laundering or terrorist financing offences. None of that says a word about artificial intelligence, profiling, or automated decision making, because MiCA was never drafted to. The transitional grandfathering that let existing operators trade without a licence ended across every EU and EEA member state on 1 July 2026. From that date, an unauthorised CASP is not in a grey zone. It is in breach. Below MiCA sit two layers that are already doing the actual AML work. The Transfer of Funds Regulation, 2023/1113, requires originator and beneficiary data on every crypto asset transfer between CASPs, with no de minimis threshold. Alongside it sits whatever each member state's own AMLD5 transposed statute says, because the directive framework that TFR and MiCA were built against is still the live one. Neither instrument contains an AI provision either. The rights layer is GDPR, and it is already sharper than most AML teams have priced in. Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects, unless an exception applies, one of which is authorisation by Union or Member State law that lays down suitable safeguards. On 27 February 2025 the Court of Justice ruled in Case C 203/22, Dun and Bradstreet Austria, that an entity relying on an automated assessment must give the affected person an explanation that describes the procedure and principles actually applied, in terms they can understand and contest. A complex formula is not sufficient. A step by step technical description is not sufficient either, if it fails the intelligibility test. That standard did not arrive with the AI Act. It arrived from a €10 a month phone contract in Vienna, and it now sits over every AML decision that touches a natural person. DORA governs the fourth layer, and it governs it regardless of what the AI Act ultimately decides about your model. Whoever sold you the transaction monitoring engine is a third party ICT provider, and DORA's audit rights, sub processor visibility, and exit plan requirements apply to that relationship today, independent of the model's eventual AI Act classification. The fifth and sixth layers are the ones everyone is quoting six months early. The AI Act's Article 50 transparency obligations remain live from 2 August 2026, untouched by the Digital Omnibus. Its Annex III high risk regime is a different story: the European Parliament adopted the Digital Omnibus on AI on 16 June 2026 by 423 votes to 57, the Council gave final approval on 29 June, and the amending regulation enters into force in July 2026. The result pushes the application date for standalone Annex III systems from 2 August 2026 to 2 December 2027, and for systems embedded in regulated products to 2 August 2028. Within Annex III, Point 5(b) covers AI systems evaluating a natural person's creditworthiness or credit score, with an exception for fraud detection. The Commission's 19 May 2026 draft guidelines interpret that exception narrowly: it applies only where fraud detection is the system's main intended purpose, it does not extend to AML/CFT checks, and consultation on the guidelines runs to 23 July 2026. The sixth layer is the one that actually matters, and it is not applicable yet. AMLR, Regulation 2024/1624, Article 76(5), permits obliged entities to adopt decisions from automated processes, including profiling and AI systems, on three conditions: the data processed is limited to what was obtained under the regulation's customer due diligence chapter; any decision to enter, refuse, or maintain a business relationship, to carry out or refuse a transaction, or to adjust the level of due diligence, is subject to meaningful human intervention; and the customer can obtain an explanation and challenge the decision, except in relation to a suspicious transaction report. That is the provision every AI and AML article this year has been treating as current law. It is not. AMLR applies from 10 July 2027. One footnote in the official text still cross references the AI Act as "Regulation (EU) 2024/xxx," a placeholder from when AMLR went to the Official Journal slightly ahead of the regulation it was pointing at. Nobody has bothered to correct it, which tells you roughly how urgently Brussels expects anyone to be relying on Article 76(5) before 2027. !The six layers governing AI in AML for a CASP, and which two are not yet law The Scenario Map | AI use case | Governing rule today (before 10 Jul 2027) | AI Act status | AMLR status from 2027 | | | | | | | Biometric onboarding, liveness checks | GDPR Article 9, EBA remote onboarding guidelines (EBA/GL/2022/15), DORA vendor terms | Annex III, Point 1, biometric identification. High risk where triggered, timeline delayed to 2 Dec 2027 | Same CDD decision also needs Article 76(5) safeguards | | Transaction monitoring, no credit linkage | National AMLD5 transposed law, TFR, EBA risk factor guidelines, GDPR Article 22 where a decision follows | Generally outside Point 5(b). Check other Annex III points on the facts | Governs any resulting relationship decision from 2027 | | Alert triage with human sign off | Same as above. Human in loop is already standard vendor design | Likely covered by the Article 6(3) narrow procedural exemption if genuinely advisory | Consistent by construction with Article 76(5)(b) | | Sanctions and PEP screening | EBA sanctions guidelines, TFR | Generally outside Point 5(b) | Article 76(5) applies to any resulting relationship decision | | AML scoring feeding a credit or lending decision | National law, GDPR Article 22 | Inside Point 5(b), high risk from 2 Dec 2027, unless fraud detection is the documented main purpose | Article 76(5) governs the AML side, Annex III governs the credit side, both apply | | LLM copilot for SAR or STR drafting | GDPR data minimisation and DPIA, DORA vendor terms | Likely exempt under Article 6(3) if an analyst reviews and files | Article 76(5)(c) explanation right is expressly carved out for the report itself | What Is Resolved and What Is Not Resolved. MiCA carries no AI specific obligations and was never meant to; it is the authorisation gatekeeper, and its Article 62 file is where AML/CFT governance gets tested befo