Nikita Veremeev
06.02.2026 | 6 min read
Updated: 06.02.2026
I have been leading COREDO since 2016, and from the early years I saw how international business in fintech faces not “barriers” but labyrinths. Company registration, obtaining financial licenses, AML/sanctions compliance, building processes across different jurisdictions — these are not a set of disparate tasks but a single architecture of risk management. The COREDO team builds this architecture in the EU, the United Kingdom, Singapore and Dubai, truly integrating legal, financial and technological solutions. Below I share how to think about MiCA, DeFi and compliance today so as not to “keep up with” regulation, but to get ahead of it and monetize predictability.
MiCA: regulation of crypto-assets in the EU

The MiCA regulation ends the phase of “ruleless experiments” in Europe. Crypto-asset service providers (CASP) have received clear licensing requirements, passporting across the entire EU and obligations on disclosure, risk management and operational resilience. National regulators issue authorisations, while ESMA and EBA set supranational standards and coordinate supervision, including through MiCA technical reporting standards. In practice this means uniform approaches to capital, internal controls, outsourcing and incident reporting.
The token classification under MiCA distinguishes, in particular, e‑money tokens (EMT) and asset‑referenced tokens (ART), including significant asset‑referenced tokens (significant ART). For issuers there are separate prudential requirements: capital, reserve funds for stablecoins and the management of those reserves, liquidity management and whitepaper obligations under MiCA. Issuer liability under MiCA increases responsibility for the accuracy of the whitepaper, marketing messages and continuous disclosure of risks, which directly affects the cost of capital and listing conditions.
MiCA has created a new transparency standard: disclosure and whitepaper requirements, proof‑of‑reserves and independent attestation methodologies, passporting requirements for access to the EU market, as well as oversight by ESMA/EBA on top of national control. COREDO’s practice confirms: competent early preparation for licensing of CASP halves time‑to‑market thanks to the right group structure, proactive IT audit and readiness for regulatory questions.
Who is responsible in DeFi under MiCA?
A pressing question is the application of MiCA to DeFi and the regulation of decentralized finance in Europe. Regulators look at actual control and “points of contact” with the user: the front‑end, hosting, search aggregators and gateway sites; key contributors; DAO decisions that affect protocol parameters; oracle operators and administered treasury multisigs. If there is a centralized provider that operates the interface, routes traffic, manages upgrades or receives fees, it may be qualified as a CASP with licensing requirements.
The legal status of DAOs in Europe remains fragmented, but predictability is emerging: a legal wrapper mechanism for DAOs (foundation model vs corporate wrapper) is used to fix liability, enter into contracts and implement AML/KYC for on‑ramps and off‑ramps. The COREDO team has implemented structures with foundations and operator companies that allocate responsibility between on‑chain governance and off‑chain governance through clear corporate documents, upgrade and delegation policies. This reduces front‑end liability risks and simplifies engagement with regulators and exchanges.
Extraterritorial application of rules and enforcement is a reality: if a service is available to EU clients, it may be required to be brought into compliance with MiCA and AMLD5/AMLD6. Inter-regulatory cooperation (ESMA, EBA, and central banks) strengthens data and practice sharing, and this raises the stakes: it is better to build compliance‑by‑design in advance than to respond to external requests.
Requirements for stablecoin issuers
Stablecoins under MiCA are divided into e‑money tokens (EMT) and asset‑referenced tokens (ART). For EMT, rules similar to electronic money apply: capital requirements, issuance and redemption at par, segregation of funds and liquidity. For ART — obligations on reserves and their management, including high‑quality liquid assets, regular reports, stress tests and, for significant ART, higher buffers and EBA supervision. Disclosure via the whitepaper and ongoing disclosures supports investor and partner confidence.
Proof‑of‑reserves: a working tool, but not a silver bullet. It needs methodologies covering not only assets but liabilities, related parties, as well as exception procedures and incident reporting. COREDO experts introduce combined procedures: independent attestations, on‑chain evidence, SLAs with custodians and auditors, and mechanisms to suspend operations when reserve covenant breaches occur. The result is liquidity resilience and a reduction in the risk premium on listing and partner integrations.
AML/KYC in DeFi – compliance with FATF/MiCA

Compliance with AML requirements and conformity with FATF and MiCA are the basis for access to banking services and partner ecosystems. FATF guidance for VASPs, including its guidance on DeFi, and the European AMLD5/AMLD6 framework enshrine customer due diligence (CDD), beneficial ownership, sanctions lists, the travel rule and suspicious activity reporting (SAR). For DeFi teams the key is to separate the on‑ramp/off‑ramp from the protocol itself and to apply a risk‑based approach (RBA) at the critical points: fiat on‑ramps, token bridges and centralized infrastructure components.
Sanctions compliance and monitoring of on‑chain transactions require integrating blockchain analytics providers, counterparty risk assessment scenarios, sanctions lists and on‑chain blocking when prohibited addresses are detected. At COREDO we build escalation and SAR playbooks, automate flags and reporting, and establish compliance KPIs so the board of directors can see the dynamics: share of automated decisions, time to escalation, number of cases involving law enforcement.
The travel rule is not only a legal but also a technical challenge. For CASP and VASP we design routing of identifiers, exchange of payer/recipient attributes, storage of minimally sufficient data and rejections when a counterparty is absent. In decentralized applications we address this via on‑ramp/off‑ramp, gateway services and partner VASPs, which allows preserving the permissionless core of the protocol while meeting requirements.
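The pre‑transfer check described in this section (sanctions screening of addresses, travel‑rule attribute exchange with a counterparty VASP, rejection when the counterparty or the attributes are absent, and escalation of risky cases into the SAR playbook) can be expressed as one decision function. The code below is an added illustration, not COREDO's tooling or any travel‑rule product; the required attribute set, the EUR threshold, the VASP list and all addresses are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Attributes the originating side must send and the receiving side must check.
# The real field set follows the applicable travel-rule messaging standard;
# this list is an illustrative assumption.
REQUIRED_ORIGINATOR = ("name", "account", "identifier")
REQUIRED_BENEFICIARY = ("name", "account")


@dataclass
class TravelRuleConfig:
    threshold_eur: float            # amount from which full attributes are required (assumed knob)
    known_vasps: Set[str]           # counterparties with a working attribute-exchange channel
    blocked_addresses: Set[str]     # blocking list fed by the sanctions/analytics provider
    high_risk_addresses: Set[str]   # analytics flags that warrant manual review
    escalation_amount_eur: float    # large transfers always go to a reviewer


@dataclass
class Transfer:
    tx_id: str
    amount_eur: float
    from_address: str
    to_address: str
    counterparty_vasp: Optional[str]            # None = self-hosted wallet or unknown
    originator: Dict[str, str] = field(default_factory=dict)
    beneficiary: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    action: str                                 # "allow", "reject" or "escalate"
    reasons: List[str] = field(default_factory=list)


def missing_fields(attrs: Dict[str, str], required) -> List[str]:
    return [k for k in required if not attrs.get(k)]


def check_transfer(t: Transfer, cfg: TravelRuleConfig) -> Decision:
    reasons: List[str] = []

    # 1. Sanctions screening first: a hit is a hard stop regardless of amount.
    for addr in (t.from_address, t.to_address):
        if addr in cfg.blocked_addresses:
            return Decision("reject", [f"address {addr} is on the blocking list"])

    # 2. Travel rule: from the threshold upwards both parties' attributes must be
    #    present and the counterparty must be a VASP we can exchange them with.
    if t.amount_eur >= cfg.threshold_eur:
        if t.counterparty_vasp not in cfg.known_vasps:
            reasons.append("no counterparty VASP to exchange travel-rule data with")
        reasons += [f"originator.{k} missing" for k in missing_fields(t.originator, REQUIRED_ORIGINATOR)]
        reasons += [f"beneficiary.{k} missing" for k in missing_fields(t.beneficiary, REQUIRED_BENEFICIARY)]
        if reasons:
            return Decision("reject", reasons)

    # 3. Risk-based escalation: not a rejection, but a case for the SAR playbook.
    if t.amount_eur >= cfg.escalation_amount_eur:
        reasons.append("amount above escalation limit")
    if t.to_address in cfg.high_risk_addresses or t.from_address in cfg.high_risk_addresses:
        reasons.append("address flagged as high risk by analytics")
    if reasons:
        return Decision("escalate", reasons)

    return Decision("allow")


# Constructed sample configuration and transfers (placeholder addresses and entities).
BLOCKED_ADDR = "0xBLOCKED-placeholder-01"
RISKY_ADDR = "0xRISKY-placeholder-02"
SAMPLE_CFG = TravelRuleConfig(
    threshold_eur=1000.0,
    known_vasps={"vasp-example-a", "vasp-example-b"},
    blocked_addresses={BLOCKED_ADDR},
    high_risk_addresses={RISKY_ADDR},
    escalation_amount_eur=50_000.0,
)


def sample_transfers() -> Dict[str, Transfer]:
    full_orig = {"name": "A. Example", "account": "acc-1", "identifier": "ID-1"}
    full_benef = {"name": "B. Example", "account": "acc-2"}
    return {
        "clean": Transfer("t1", 5000.0, "0xaa", "0xbb", "vasp-example-a", full_orig, full_benef),
        "no_beneficiary_name": Transfer("t2", 5000.0, "0xaa", "0xbb", "vasp-example-a", full_orig, {"account": "acc-2"}),
        "unknown_vasp": Transfer("t3", 5000.0, "0xaa", "0xbb", None, full_orig, full_benef),
        "blocked": Transfer("t4", 10.0, "0xaa", BLOCKED_ADDR, None),
        "small_unhosted": Transfer("t5", 100.0, "0xaa", "0xcc", None),
        "risky": Transfer("t7", 100.0, "0xaa", RISKY_ADDR, None),
        "large": Transfer("t6", 75_000.0, "0xaa", "0xbb", "vasp-example-b", full_orig, full_benef),
    }


if __name__ == "__main__":
    for name, t in sample_transfers().items():
        d = check_transfer(t, SAMPLE_CFG)
        print(f"{name:22s} -> {d.action:8s} {'; '.join(d.reasons)}")
```

The ordering matters: screening precedes the travel‑rule check so that a blocked address never receives a "please resend attributes" response, and escalation is kept distinct from rejection so the reviewer queue, not the transfer path, is where the SAR decision is made.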
How to implement KYC in a DEX without compromising UX
Choosing a “strict KYC for everyone” approach is simple but costly in terms of liquidity outflow. A more resilient option is flow segmentation: KYC for functionality that triggers legal requirements (for example, fiat on‑ramp, elevated limits, professional accounts) and risk scoring for the rest of the traffic. zk‑KYC and privacy‑preserving KYC based on zero‑knowledge proofs make it possible to verify attributes without revealing personal data to the protocol. This strikes a balance between privacy and transparency without compromising AML.
Integrating KYC providers with on‑chain UX requires an architecture: where to store proofs, how to synchronize statuses on the front end, how to handle appeals. The solution developed at COREDO includes a modular API layer, an event log, sanctions monitoring logic and re‑verification mechanisms. For the travel rule we apply messaging protocols between VASPs and configure failure modes at the smart contract/front end level when attributes are absent.
Smart contract risks and compliance

Smart contract audits and compliance requirements are not a formality. We build a secure development lifecycle with threat modeling, static/dynamic analysis, bug bounty programs and formal verification of smart contracts when justified by risk. Smart contract upgradeability and fork risks are addressed by upgrade policies, timelocks, on-chain governance and audit logs. Fork governance and allocation of responsibilities are recorded in documentation to avoid ‘surprises’ during contentious upgrades and emergency patches.
Oracles are a critical component. We translate oracle risks and their legal regulation into practical oracle SLAs: update frequency, sources, failure procedures, deviation limits, as well as oracle decentralization across multiple providers and a fallback mechanism. Methods to mitigate oracle risk include TWAP, cross-checking sources, quorum confirmations and a trading halt mechanism for extreme deviations. This is an important part of operational resilience and the SLA requirements regulators ask about.
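The oracle SLA above (update frequency, multiple providers, quorum, deviation limits, a fallback and a trading halt on extreme moves) is easiest to reason about as a single aggregation step. The following is an added example written for this article, not COREDO's implementation or any oracle network's code: it takes quotes from several providers, drops stale and outlying ones, requires a quorum, checks the result against a TWAP reference and returns "ok", "fallback" or "halt". All thresholds, provider names and prices are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class Quote:
    source: str
    price: float
    timestamp: int  # unix seconds at which the provider published the price


@dataclass
class OracleConfig:
    max_age_s: int = 60               # freshness SLA: older quotes are ignored
    quorum: int = 2                   # minimum number of fresh, mutually agreeing sources
    max_source_spread: float = 0.02   # a source >2% from the cross-source median is discarded
    max_twap_deviation: float = 0.10  # aggregate >10% away from the TWAP halts trading


@dataclass
class OracleResult:
    status: str            # "ok", "fallback" or "halt"
    price: Optional[float]
    reason: str


class TwapTracker:
    """Time-weighted average of accepted prices over a sliding window (piecewise constant)."""

    def __init__(self, window_s: int):
        self.window_s = window_s
        self.samples: List[Tuple[int, float]] = []  # (timestamp, price), ascending

    def add(self, ts: int, price: float) -> None:
        self.samples.append((ts, price))

    def twap(self, now: int) -> Optional[float]:
        start = now - self.window_s
        inside = [i for i, (ts, _) in enumerate(self.samples) if ts >= start]
        first = inside[0] if inside else len(self.samples)
        # include the last sample before the window: it is the price in force at window start
        pts = self.samples[max(first - 1, 0):]
        if not pts:
            return None
        weighted, covered = 0.0, 0
        for i, (ts, price) in enumerate(pts):
            seg_start = max(ts, start)
            seg_end = pts[i + 1][0] if i + 1 < len(pts) else now
            dur = max(seg_end - seg_start, 0)
            weighted += price * dur
            covered += dur
        return weighted / covered if covered else pts[-1][1]


def aggregate(quotes: List[Quote], now: int, cfg: OracleConfig,
              twap: TwapTracker, fallback_price: Optional[float] = None) -> OracleResult:
    # 1. Freshness: enforce the update-frequency SLA per provider.
    fresh = [q for q in quotes if 0 <= now - q.timestamp <= cfg.max_age_s]
    if len(fresh) < cfg.quorum:
        if fallback_price is not None:
            return OracleResult("fallback", fallback_price, f"only {len(fresh)} fresh source(s); using fallback")
        return OracleResult("halt", None, f"only {len(fresh)} fresh source(s) and no fallback")

    # 2. Cross-check: discard providers that disagree with the others, then require a quorum.
    cross = median(q.price for q in fresh)
    agreeing = [q for q in fresh if abs(q.price - cross) / cross <= cfg.max_source_spread]
    if len(agreeing) < cfg.quorum:
        return OracleResult("halt", None, "sources disagree beyond the allowed spread")

    # 3. Deviation limit: compare the aggregate with the TWAP reference before accepting it.
    price = median(q.price for q in agreeing)
    ref = twap.twap(now)
    if ref is not None and abs(price - ref) / ref > cfg.max_twap_deviation:
        return OracleResult("halt", None, f"price {price:.2f} deviates from TWAP {ref:.2f} beyond limit")

    twap.add(now, price)
    return OracleResult("ok", price, f"{len(agreeing)} of {len(quotes)} sources agreed")


if __name__ == "__main__":
    cfg, tw = OracleConfig(), TwapTracker(window_s=100)
    tw.add(0, 100.0)
    tw.add(50, 100.0)
    # constructed quotes: two agreeing providers and one outlier
    print(aggregate([Quote("A", 101.0, 95), Quote("B", 100.5, 98), Quote("C", 150.0, 99)], 100, cfg, tw))
    # constructed jump: all providers agree, but the move exceeds the TWAP deviation limit
    print(aggregate([Quote("A", 135.0, 108), Quote("B", 136.0, 108)], 110, cfg, tw))
```

The halt on a large TWAP deviation is deliberately separate from the outlier filter: the filter protects against one misbehaving provider, the halt protects against a coordinated or market‑wide move the protocol should not act on automatically, which is the case a regulator's "what happens under extreme deviation" question is about.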
MEV, frontrunning and regulatory risks are no longer exclusively a technical topic. We set up MEV-bot monitoring, implement anti-frontrunning mechanisms (private mempool, commit-reveal, batching) and document a risk disclosure policy for users. For AMMs and DEXs legal requirements differ from CEXs: centralized exchanges carry full responsibility for custody and execution, while DEXs focus on front-end liability, analytics data and points of centralized control. Liquidity pools and pool mechanics require disclosure of impermanent loss as a business risk and description of effects for LPs in the whitepaper and the interface.
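Two of the anti‑frontrunning mechanisms named above, commit‑reveal and batching, combine naturally: traders publish only a hash of their order during the commit window, reveal it afterwards, and all revealed orders clear at one uniform price. The example below is added for this article and is not COREDO's or any DEX's code; block heights, the salt length, the order format and the sample orders are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    trader: str
    side: str    # "buy" or "sell"
    qty: int
    limit: int   # limit price in integer price units


def commitment(order: Order, salt: bytes) -> bytes:
    """Hash of the order plus a random salt; only this digest is visible during the commit phase."""
    payload = f"{order.trader}|{order.side}|{order.qty}|{order.limit}|".encode() + salt
    return hashlib.sha256(payload).digest()


class CommitRevealBatch:
    def __init__(self, commit_end: int, reveal_end: int):
        self.commit_end = commit_end    # last block in which commitments are accepted
        self.reveal_end = reveal_end    # last block in which reveals are accepted
        self.commits: Dict[str, bytes] = {}
        self.revealed: List[Order] = []

    def commit(self, trader: str, digest: bytes, block: int) -> bool:
        # One commitment per trader, and none after the window closes.
        if block > self.commit_end or trader in self.commits:
            return False
        self.commits[trader] = digest
        return True

    def reveal(self, order: Order, salt: bytes, block: int) -> bool:
        # Reveals are only valid after commits have closed, so nobody can react to them.
        if not (self.commit_end < block <= self.reveal_end):
            return False
        digest = self.commits.get(order.trader)
        if digest is None or not secrets.compare_digest(digest, commitment(order, salt)):
            return False  # no commitment, already revealed, or order/salt do not match the hash
        del self.commits[order.trader]
        self.revealed.append(order)
        return True

    def clear(self, block: int) -> Tuple[Optional[int], int]:
        """Uniform-price batch auction: the price that maximises matched volume."""
        if block <= self.reveal_end:
            raise ValueError("reveal phase still open")
        best_price, best_volume = None, 0
        for p in sorted({o.limit for o in self.revealed}):
            buy = sum(o.qty for o in self.revealed if o.side == "buy" and o.limit >= p)
            sell = sum(o.qty for o in self.revealed if o.side == "sell" and o.limit <= p)
            volume = min(buy, sell)
            if volume > best_volume:  # strict '>' keeps the lowest price among ties
                best_price, best_volume = p, volume
        return best_price, best_volume


def run_demo() -> Tuple[Optional[int], int]:
    """Constructed round: four traders commit at block 5, reveal at block 15, clear at block 21."""
    batch = CommitRevealBatch(commit_end=10, reveal_end=20)
    orders = [Order("A", "buy", 10, 105), Order("B", "buy", 5, 100),
              Order("C", "sell", 8, 101), Order("D", "sell", 10, 104)]
    salts = {o.trader: secrets.token_bytes(16) for o in orders}
    for o in orders:
        assert batch.commit(o.trader, commitment(o, salts[o.trader]), block=5)
    for o in orders:
        assert batch.reveal(o, salts[o.trader], block=15)
    return batch.clear(block=21)


if __name__ == "__main__":
    print(run_demo())  # clearing price and matched volume
```

Because every order in the batch executes at the same price and the contents are unknown until the commit window has closed, there is no ordering advantage to buy from a block builder; the residual risk to disclose to users is that a trader who commits and then declines to reveal can still withhold liquidity, which real deployments address with a bond forfeited on non‑reveal.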
Flash-loan attacks and legal response mechanisms include incident reporting, interaction with law enforcement and regulators, freezing funds at partners’ custody nodes and a documented response playbook. Custodial and non-custodial models carry different legal consequences: for custodial models, custodian requirements apply, including multisignature wallets (multisig), threshold signature schemes (TSS) and multi-party computation (MPC) for custody, controlled through internal policies and external audits.
Finally, third-party and supply chain software risk, cloud-hosting risks and provider dependencies require a registry of critical dependencies, supplier due diligence, resilience tests and contractual SLAs. Operational resilience is a separate MiCA module: continuity plans, stress scenarios, backup channels, availability KPIs and reporting on security incidents and breaches.
Consequences of MiCA for blockchain startups

Our experience at COREDO has shown: MiCA is not only a “cost of compliance” but also a reduction in the cost of capital and in barriers to market entry. Passporting of services under MiCA opens up scaling across the EU without re‑licensing in each country, provided CASP capital requirements are met and risk policies are in place. For cross‑chain compliance and bridges it is important to address cross‑border enforcement and jurisdictional risks: record the place of service provision, apply KYC/sanctions policies at the transitions, and provide locking mechanisms.
Managing composability risk requires a registry of dependencies: oracles, lending markets, insurance, bridges. TVL (total value locked) as a risk metric is not an end in itself: liquidity resilience, creditor concentration and correlation with external shocks matter more. Emission policy and token regulation must take into account the legal status of tokens and the tokenomics: for governance tokens, legal liability arises when holders or a council of delegates exercise de facto control. Separating on‑chain and off‑chain governance through corporate documents and regulations helps here.
Regulatory sandboxes for DeFi are an effective tool for testing KYC models, the travel rule and oracle solutions. In a COREDO project with a startup in the EU, a sandbox allowed agreeing on a zk‑KYC mechanism and tuning SAR automation before production launch. For due diligence when launching a DeFi project we perform legal and technical audits, assess smart‑contract insurance and market solutions, and also plan protocol migration under MiCA: action plan, timelines, KPIs and budget.
Assessment of compliance costs and ROI for DeFi projects includes a cost‑benefit analysis of AML implementation, compliance efficiency metrics and KPIs, as well as an evaluation of the effect of listings, partnerships and banking access. Compliance‑as‑a‑service reduces fixed costs through outsourcing reporting, monitoring, the travel rule, sanctions screening and incident management. When the board of directors sees transparent metrics, the decision to invest in compliance ceases to be a “necessary evil” and becomes a growth driver.
COREDO launch plan under MiCA

- Jurisdictional strategy. Define the entry point into the EU considering the type of services (CASP), capital requirements and operational base. Take into account access to talent, regulatory practice and authorization timelines with the national regulator.
- Licensing and passporting. We assemble the licensing package, describe controls, and plan passporting to the second wave of EU countries. We embed MiCA technical reporting standards and procedures for interaction with ESMA/EBA.
- AML/sanctions and the travel rule. We design RBA, CDD, beneficial ownership, SAR and sanctions processes. We set up KYC for on‑ramp and off‑ramp; travel rule: technical and legal implementation, rejection policies.
- Technology and security. SDLC, audits and formal verification, upgrade policy, oracle SLA, MEV controls, custody architecture (multisig/TSS/MPC). We set up incident reporting and a response playbook.
- Transparency and disclosure. Whitepaper obligations under MiCA, best practices for risk disclosure (impermanent loss, oracle/MEV, liquidity), proof-of-reserves and methodology limitations.
- Governance and DAO. Legal wrapper for the DAO (foundation or corporate), allocation of responsibilities, on‑chain/off‑chain governance rules, front‑end liability and agreements with providers.
- Operational resilience. SLA, continuity plan, redundancy, third‑party and cloud risks, stress-scenario testing, incident reporting and interaction with law enforcement.
- Listing and scaling. Preparation for listings/integrations, compliance KPIs, passporting, inter-regulatory communications and a migration plan for MiCA updates.
Case studies: practice becomes the standard
First case — a DEX with Asian roots that requested access to EU clients. The COREDO team implemented a hybrid model: a permissionless core of the protocol, KYC/AML and the travel rule on on‑ramp/off‑ramp and professional accounts, zk‑KYC to preserve UX and integration with blockchain analytics providers. As a result, the project obtained CASP licensing for part of the services, a whitepaper on MiCA and a passporting route. The user funnel and TVL grew thanks to institutional partners for whom compliance predictability is critical.
Second case, an issuer of a stablecoin of the asset‑referenced token (ART) type with the ambition to reach significant ART status. We built a reserve policy, developed a proof‑of‑reserves with independent attestations and on‑chain publication, as well as liquidity stress tests and risk disclosures. The regulator accepted the whitepaper and the continuity plan, and custodian partners confirmed SLAs for the reserve assets. This is a typical example where regulatory requirements became the foundation for listing and integrations into payment rails.
Third case, a DAO launching a lending protocol with oracle dependencies. At COREDO we proposed a legal wrapper via a foundation and an operating company with a clear allocation of responsibilities, implemented oracle decentralization and a fallback mechanism, an upgrade policy and a timelock. Additionally, we set up MEV monitoring and SAR procedures, recorded front‑end liability in contracts with hosting and gateway sites. The project passed due diligence with institutions and obtained smart contract insurance with a premium discount thanks to a mature SDLC.
Compliance: tools and automation
Automation of compliance and compliance-as-a-service means KPI dashboards, AML scenarios, control points for the travel rule and sanctions screening, and dependency registers for composability risks. We implement on-chain analytics and blockchain forensics, build SAR and reporting channels, and configure performance metrics: the share of alerts closed automatically, average TTR/TTI, flag accuracy, and conversion to listings/partnerships after compliance improvements. This approach makes it possible to relate compliance CAPEX/OPEX to revenue and ROI metrics.
For proof-of-reserve we apply combined methodologies: cryptographic proofs, confirmations from custodians, independent attestations of liabilities, and reports for users and regulators. We are candid about PoR’s limitations and propose countermeasures: reporting frequency, coverage completeness, and ‘red button’ mechanisms. Transparency: it’s not a one-time publication, it’s a process.
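The point made here and in the stablecoin section above, that proof‑of‑reserves without a proof of liabilities is misleading, is concrete once the liabilities side is computed. The example below is added for this article and is not COREDO's methodology or any exchange's PoR tooling: it builds a Merkle sum tree over user balances (the standard cryptographic proof‑of‑liabilities construction), lets each user verify their inclusion, and computes a coverage ratio that can also take attested off‑chain liabilities into account. The user names, balances and asset figures are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _u128(n: int) -> bytes:
    return n.to_bytes(16, "big")


@dataclass(frozen=True)
class Node:
    digest: bytes
    total: int      # sum of all balances beneath this node


EMPTY = Node(_h(b"empty"), 0)   # padding leaf so odd levels never double-count a balance


def leaf(user_id: str, balance: int) -> Node:
    if balance < 0:
        raise ValueError("negative balances would let the total be understated")
    return Node(_h(b"leaf|" + user_id.encode() + b"|" + _u128(balance)), balance)


def parent(left: Node, right: Node) -> Node:
    # The child sums are hashed in, so a tampered balance changes the root digest too.
    data = b"node|" + left.digest + _u128(left.total) + right.digest + _u128(right.total)
    return Node(_h(data), left.total + right.total)


# Proof step: (sibling digest, sibling total, sibling is on the left)
ProofStep = Tuple[bytes, int, bool]


def build_tree(balances: Dict[str, int]) -> Tuple[Node, Dict[str, List[ProofStep]]]:
    """Return the root (digest + total liabilities) and an inclusion proof per user."""
    ids = sorted(balances)
    level = [leaf(u, balances[u]) for u in ids]
    proofs: Dict[str, List[ProofStep]] = {u: [] for u in ids}
    position = {u: i for i, u in enumerate(ids)}
    while len(level) > 1:
        if len(level) % 2:
            level.append(EMPTY)
        for u, pos in position.items():
            sib = level[pos ^ 1]
            proofs[u].append((sib.digest, sib.total, pos % 2 == 1))
            position[u] = pos // 2
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], proofs


def verify_inclusion(root: Node, user_id: str, balance: int, proof: List[ProofStep]) -> bool:
    """A user recomputes the path from their own leaf to the published root."""
    node = leaf(user_id, balance)
    for sib_digest, sib_total, sib_is_left in proof:
        sib = Node(sib_digest, sib_total)
        node = parent(sib, node) if sib_is_left else parent(node, sib)
    return node.digest == root.digest and node.total == root.total


def coverage_ratio(attested_assets: int, root: Node, off_chain_liabilities: int = 0) -> float:
    """Assets attested by custodians/auditors divided by total liabilities.

    off_chain_liabilities covers obligations that are not user balances (loans, payables)
    and that an independent attestation of liabilities is meant to surface."""
    total = root.total + off_chain_liabilities
    return attested_assets / total if total else float("inf")


# Constructed sample: three user balances and an attested asset figure.
SAMPLE_BALANCES = {"alice": 500, "bob": 300, "carol": 200}
SAMPLE_ATTESTED_ASSETS = 1100


if __name__ == "__main__":
    root, proofs = build_tree(SAMPLE_BALANCES)
    print("total liabilities:", root.total, "root:", root.digest.hex()[:16])
    print("alice included:", verify_inclusion(root, "alice", 500, proofs["alice"]))
    print("coverage (user balances only):", coverage_ratio(SAMPLE_ATTESTED_ASSETS, root))
    print("coverage (with 300 of attested loans):", coverage_ratio(SAMPLE_ATTESTED_ASSETS, root, 300))
```

The two coverage figures at the end are the practical lesson: the same attested assets look fully backed against user balances alone and under‑collateralised once an independently attested loan book is added, which is why the methodology has to cover liabilities and related parties, and why a coverage breach should feed a documented suspension ("red button") procedure rather than a footnote.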
Frequently asked questions and answers
- CEX vs DEX: regulatory distinction. Centralized exchanges have the full range of CASP obligations, including custody. For DEXs, attention is on the interface, centralized components, AML on on-/off-ramps and the responsibility of DAOs/developers when there is de facto control.
- Who bears responsibility in permissionless protocols? Where there is control or influence (front-end, admin keys, oracles, treasury), the regulator sees those responsible. A legal wrapper for the DAO and distribution of functions reduce risks and improve manageability.
- How to apply the travel rule in decentralized applications? Through partner VASPs for fiat and centralized bridges, attribute exchange, refusing transfers when data is absent, and logic on the front-end/contracts.
- Proof‑of‑reserves: limitations. Without accounting for liabilities and affiliated risks, PoR is misleading. A combined methodology and regular independent audits are needed.
- MEV and frontrunning: how to reduce regulatory risk? Implement anti-frontrunning mechanisms, disclose risks, monitor abuses, document response policies and incident reporting.
Compliance as a scaling strategy
MiCA raised the bar, but at the same time made the market predictable. When a founder has a clear roadmap, CASP licensing, AML/KYC and the travel rule, operational resilience, proof‑of‑reserves, a whitepaper and passporting – access to capital and partnerships expands. At COREDO this is not theory: the practice of projects in the EU, the UK, Singapore and Dubai has shown that mature compliance reduces the cost of risk and accelerates sales.
I am convinced: DeFi and decentralized protocols will grow where the architecture of legal and technological solutions is designed in advance. The COREDO team helps embed compliance‑by‑design into the product: from a legal wrapper for DAOs and governance models to oracle SLAs, SDLC and automated AML. If you are facing the decision to register a structure in the EU, come under MiCA, obtain licenses for crypto services and build AML frameworks, there should be no guesswork — only data, methodologies and a partner you can trust for the long term. This is exactly how we build projects that withstand scrutiny by the market and time.