
When BVNK went live with its MiCA license in Malta, some may say that the compliance team had done its job. The policies were written. The frameworks were approved. The regulator was satisfied.
But then, the real work started.
This part of the MiCA conversation does not get enough attention. The majority of industry discussion and headlines focus on getting authorised. The hard yards of operating and embedding a compliance framework in a newly licensed business receive far less attention. In my experience, that gap is where most teams underestimate what they have signed up for.
The reason is simple: MiCA compliance is not just a compliance challenge. It is an operational challenge. And solving it requires your entire organization to get behind it, not just the people with "compliance" in their job title.
The very first question to ask post-authorisation is not about alerts, thresholds, or tooling. It is ensuring that your day-to-day operations reflect the policies you submitted to the regulator.
This sounds obvious. It is consistently underestimated.
A policy is easy to write. What is harder is making sure that the procedures your analysts are following on a Tuesday afternoon match what you told the regulator you would do. Any gap or deviation is, at best, an audit finding waiting to happen, and at worst, a regulatory breach. Before you optimize anything else, you need to close that gap.
From there, the questions become more operational. Do you have the right monitoring tools in place? Are your reporting processes set up to meet your obligations? Do you have the staffing to handle the alert volumes those tools will generate? At BVNK, these were the questions we were working through just before and just after we went live. They are not compliance questions. They are operations questions.
One thing I have come to believe firmly: You need a dedicated data analytics function sitting close to your financial crime team, and you need it early. Shared functions won’t give you what you need.
At BVNK, this function has evolved significantly over the last two years, but it existed from early on, and I think that matters.
We’ve benefitted greatly from having a team whose job is to look at the health of our transaction monitoring systems, find patterns that the alert-reviewing team might not see, and bring a view that is not colored by the typologies our analysts are already focused on. That independence matters. When your data team is separate from your financial crime intelligence team, they bring analysis that is not shaped by what the analysts already know, or think they know.
The value shows up in two ways. First, your transaction monitoring system needs to be tuned continuously. Bad actors move quickly. If you are only reviewing your rules once a year, you are already behind. Depending on your risk profile and transaction volumes, you should be assessing the health of your system every three to six months, at a minimum. That work requires data capability. Second, when the regulator comes in, they want to see a documented trail of how your rules have evolved, why you made the changes you made, and what evidence supported those decisions.
One practice I have found particularly useful is analysing global enforcement actions and reverse-engineering them back into our own system. When another organisation's transaction monitoring program fails, there is a detailed public record of what went wrong. Taking time to look at that record and ask whether your system would have caught what they missed is a valuable exercise.
No regulator is going to tell you what a good false positive ratio looks like. You have to figure that out yourself, and you have to be able to defend the number you land on.
The way we approach it is to start from the inside. Understand your customer base, how they use your product, and what normal looks like in your data. From that baseline, you build an internal picture of what your alert program should produce, stress test it against actual transaction data, and make changes that are documented and backtested.
Sitting with a large backlog is not a compliance strategy. If your team cannot get through the alerts you are generating, you are not finding risk. You are generating noise. The regulator will see it the same way. A tighter, well-reasoned alert program that your team can actually work through is worth more than a broad one that creates the appearance of thoroughness while producing nothing actionable.
The governance piece matters here as much as the tuning. Every material change to a rule, every threshold adjustment, should be documented with the reasoning behind it. When the regulator asks why you changed something, "the data suggested it" is not enough. "The data showed X, we backtested the change against Y months of transactions, and the result was Z" is the answer you need.
As an industry, we are only beginning to scratch the surface of the transformative potential of AI.
But we can already see that the use cases are real. If an analyst is spending forty-five minutes reviewing and writing up an alert, AI-assisted tooling can review multiple sources and prepare a coherent narrative to get that review down to ten minutes. At scale, that is a meaningful difference.
AI can also be used to supplement your data analytics functions, identifying patterns in information that may not always be obvious to the human eye. Used thoughtfully and with the correct guardrails in place, there are meaningful ways in which AI can be a powerful co-pilot to your team.
Responsible use of AI requires effective governance, and many regulators have already set out their expectations in this regard. The EU AI Act is worth tracking closely here. It is less concerned with the technology itself than with how you are using it, and that distinction matters. You need to be able to explain every AI-assisted decision in your compliance program: who reviewed it, and why you accepted the output. If you cannot do that, the efficiency gain creates more risk than it removes.
If there is one thing I would want compliance leaders going through MiCA authorisation to hear, it is this: do not assume the compliance team can carry this alone.
Every function in your business will be impacted. MiCA brings in several concepts that are likely to be new to most firms, such as safekeeping, token-listing, market abuse and conflicts of interest. The regulation cuts across the whole organisation in ways that most compliance teams are not resourced to manage by themselves. Make sure the whole business understands the assignment and is working towards a common goal.
Hire right. Get your data right. Build cross-functional relationships now, before you need them under pressure. In my experience, most things tend to follow from those starting points.