The TFR Is Live, What’s Next for CASPs?

Recently, with the TFR live, we have been asked, “What’s next for CASPs?” To answer this question, we turned to crypto compliance expert Delphine Forma. Delphine, with 8 years in crypto compliance and 10 years in TradeFi, reminded us that: 

“Compliance does not end with the TFR; CASPs need to realise that the real challenge begins now—navigating the complexities of immediate compliance, regulatory uncertainties, and operational implementation. 

From addressing the absence of a grandfathering period to integrating robust compliance technology, CASPs must take decisive action to stay ahead and ensure smooth customer journey.” 

In this article, find out which key areas CASPs should focus on post-TFR to ensure seamless compliance while maintaining efficiency and user experience based on Delphine’s expertise.

In this interview, Delphine expresses her views, not those of Solidus Labs.   

21 Analytics: What is next for CASPs now that the TFR is live? 

Delphine: With the TFR now live, CASPs face a critical point. This is far from a period of smooth sailing, as compliance in the crypto industry is inherently complex, dynamic, and constantly evolving. Implementation and maintenance are the most critical parts. Below are key areas CASPs should focus on post-TFR implementation:

1. Clarity on Grandfathering

First and foremost, there is no grandfathering period for TFR. Compliance is immediate and mandatory. Title VI of MiCA on prevention and prohibition of market abuse is also applicable now without any grandfathering period applicable. CASPs must act proactively, avoiding any assumption of leniency. The regulatory requirements have been known for years, so excuses for lack of preparedness are increasingly untenable.

2. Regulatory Interpretation Challenges

Regulations like the TFR are often broad and leave room for interpretation. The interaction between different legal texts (e.g., TFR, MiCA, DORA, MIFID, EMIR, PSD) and future frameworks like AMLR and PSD3 add complexity. Bodies like ESMA and the European Commission are still finalising specific RTS (Regulatory Technical Standards), publishing opinions, leaving unresolved grey areas. CASPs must stay informed and adaptable to these changes.

3. Implementation, Not Just Policies

Writing policies and procedures is only step one and by far the easiest one. CASPs now need to focus on implementing compliance frameworks effectively. This means ensuring that:

• Their technology integrates the necessary compliance and risk controls per applicable policies and procedures.

• Policies and procedures are reflected in day-to-day operations.

• Policies and procedures are maintained, tested and updated.

• Systems and procedures operate as planned, requiring constant maintenance and monitoring.

Implementation and maintenance are often the hardest and least glamorous parts of compliance, but they are also the most critical, as you must ensure that your business can always comply with applicable regulations.

4. The Role of Technology

CASPs must ensure their technical infrastructure can support compliance. For example, customer onboarding and transaction monitoring workflows must integrate smoothly with TFR requirements.

Proof of ownership for self-hosted wallets is a critical area that directly impacts the customer experience.

Opt for using solutions like AOPP when possible, which streamline the process for users and minimise friction in customer journeys, instead of Satoshi tests or video verifications, which can create poor user experiences and don’t conclusively prove ownership—only control. CASPs must carefully evaluate their chosen methodologies. Screenshots should definitively not be used.

5. Vendor and Solution Evaluation

Choosing compliant Travel Rule solution providers is crucial. CASPs should evaluate Travel Rule solution vendors based on the following:

• Compatibility with their jurisdiction’s specific regulations.

• Technical capabilities, including API integration and operational workflows.

• Compatibility with counterparties.

• Handling of PII and compliance with data privacy laws.

• Self-hosted wallet support, focusing on proof of ownership methods that balance efficiency and customer experience.

• Adherence to open standards and FATF guidelines.

• Certifications like SOC2 and ISO.

• Blockchain agnosticism and the ability to support CASP due diligence (CCDD).

• Data security and privacy measures, especially given that regulations like DORA are set to elevate scrutiny of IT security*.

*CASPs must involve both tech teams (for API evaluations) and IT security teams (for data protection reviews) in the selection process to ensure robust compliance.

6. Privacy and Data Protection

The TFR introduces significant requirements for customer data sharing. While some CASPs prioritise user privacy, this is still not a universal norm. Robust cybersecurity controls are now non-negotiable, particularly for custodial service providers. CASPs should implement strong privacy frameworks to:

• Protect customer data from breaches.

• Align with privacy-focused compliance standards, a competitive differentiator in the market.

7. Continual Education and Expertise

Compliance officers must stay up-to-date with regulatory changes and technical innovations. The crypto industry operates 24/7, and regulatory landscapes evolve constantly. Unfortunately, expertise gaps remain, as not all compliance professionals fully understand or implement the necessary steps. Building and maintaining a culture of passion, continuous learning, and proactive engagement with regulations is key. 

Join Delphine’s Crypto Compliance and Legal TG Group 

21 Analytics: What are your parting thoughts? 

Delphine: Post-TFR, CASPs must embrace a proactive compliance mindset. This means not only meeting regulatory requirements but also anticipating future developments and focusing on operational excellence. Compliance is not a one-time effort—it’s an ongoing, iterative process that involves aligning policies, technology, and customer experience with regulatory demands. For those who adapt successfully, compliance can transform from a cost centre into a competitive advantage.

Find out how your CASP can become Travel Rule compliant with 21 Travel Rule - reach out to us.

About Delphine Forma 

Delphine is an experienced policy officer who has worked across different countries and industries, including large banks in the UK, and blockchain/crypto businesses such as BitMEX. 

Holding a diploma from Sciences Po, and two master’s degrees specialised in European Criminal Business Law, and Frauds and Money Laundering Prevention, Delphine currently works as a Policy Lead at Solidus Labs.

She is also the founder of the Crypto Compliance and Legal TG group with more than 1500 members across the globe (constantly growing), and has been advising startups on their regulatory strategy in Switzerland and Europe. Moreover, she is an Ambassador for the Association of Women in Crypto and GBBC, and the podcast host of MiCA Masters. 

Delphine is passionate about regulatory affairs and strategy, policy, virtual assets, technology and how blockchain technology, as well as AI can change (is changing) the world we are living in.