Austria

**Currently (Pre-MiCA Full Implementation): Partial, primarily AML/CFT-focused.** Austria has a framework that primarily addresses anti-money laundering and counter-terrorist financing (AML/CFT) aspects, along with existing securities and tax laws that apply depending on the classification of the crypto asset. This means many crypto activities are not specifically regulated *as financial services* unless they fall under traditional definitions (e.g., a token classified as a security).

**Future (Post-MiCA Full Implementation): Comprehensive.** With the phased implementation of MiCA, Austria's approach will become fully comprehensive, covering licensing, operational requirements, consumer protection, market integrity, and environmental aspects for a broad range of crypto-assets and service providers.

**Finanzmarktaufsicht (FMA) – Austrian Financial Market Authority:**

**Role:** The primary regulatory body for financial services in Austria, including supervision of banks, insurance companies, pension funds, investment firms, and exchanges.

**Crypto Involvement:** The FMA is responsible for the registration of Virtual Asset Service Providers (VASPs) under AML/CFT laws and will be the competent authority for licensing and supervising crypto-asset service providers (CASPs) under MiCA. It also provides guidance on the classification of crypto assets.

**URL:** FMA Austria – Information on Crypto Assets

**Bundesministerium für Finanzen (BMF) – Federal Ministry of Finance:**

**Role:** Responsible for fiscal policy, budget, and tax matters.

**Crypto Involvement:** Sets and clarifies the tax treatment of cryptocurrencies.

**Geldwäsche- und Terrorismusfinanzierungsgesetz (GWG) – Anti-Money Laundering and Counter-Terrorist Financing Act (as amended):**

**Date:** Various amendments, notably incorporating the 5th EU AML Directive in 2020.

**Relevance:** This is the cornerstone of Austria's current crypto regulation. It mandates that Virtual Asset Service Providers (VASPs) offering services in Austria must register with the FMA.

**Services covered (as per the FMA):** Exchange between virtual currencies and fiat currencies, exchange between one or more virtual currencies, transfer of virtual currencies, safekeeping and administration of virtual currencies or instruments enabling control over virtual currencies, and financial services in connection with the issuance/sale of virtual currencies.

**URL (FMA guidance on VASP registration):** FMA – Virtual Asset Service Provider Registration

**Einkommensteuergesetz (EStG) – Income Tax Act (as amended):**

The BMF (German Federal Ministry of Finance, not Austrian) published foundational crypto taxation guidance with significant revisions in March 2025 that supersede and update the May 2022 letter. The March 2025 letter replaces the previous framework and is the current authoritative guidance for crypto taxation in Germany.

Crypto assets are treated as property (like stocks), subject to capital gains tax with distinction between short-term (ordinary income rates 10-37%) and long-term (0-20%) holdings, plus potential 3.8% NIIT; income from mining/staking etc. taxed as ordinary income. No 27.5% flat tax or elimination of short/long-term distinction.

**Wertpapieraufsichtsgesetz 2018 (WAG 2018) – Securities Supervision Act 2018 & Kapitalmarktgesetz (KMG) – Capital Market Act (as amended):**

**Date:** 2018 (WAG), various amendments (KMG).

**Relevance:** If a specific crypto asset qualifies as a financial instrument (e.g., a security token), then existing securities laws apply, requiring prospectuses for public offerings, and licenses for services like investment advice or portfolio management. The FMA determines this classification on a case-by-case basis.

**Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA):**

**Date:** Entered into force on June 29, 2023.

**Applicability:** Stablecoin-related provisions (Asset-Referenced Tokens and E-Money Tokens) will apply from **June 30, 2024**. All other provisions (covering most other crypto-assets and crypto-asset service providers) will apply from **December 30, 2024**.

Austria maintains a specific and detailed national regulatory landscape for crypto, and while EU-level harmonization discussions are ongoing, local regulations remain a crucial and defined factor.

**Authorization requirements:** For most crypto-asset service providers (CASPs).

**Market abuse rules:** To prevent insider trading and market manipulation.

**Transparency and disclosure requirements:** For issuers of crypto-assets.

**Operational and governance requirements** for CASPs.

The relevant TFR in the EU context is now Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets, which entered into force on 29 June 2023 and is applicable from 30 December 2024; it is published in the Official Journal and can be accessed via its specific EUR-Lex page rather than a generic Official Journal access URL.

**Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (TFR – "Travel Rule" Regulation):**

Will apply from December 30, 2025 (main provisions postponed by targeted revision).

**Relevance:** This regulation extends the "Travel Rule" (requiring financial institutions to collect and share information about the originator and beneficiary of transactions) to crypto-asset transfers, enhancing AML/CFT efforts in the crypto space.

**URL (Official Journal of the EU):** TFR Regulation

**Legality:** Trading cryptocurrencies is legal in Austria.

Regulation of exchanges in Austria is now governed under the EU MiCA framework rather than a pre-MiCA national regime

**Registration Required:** Any entity operating a crypto exchange or providing other virtual asset services (e.g., custody, transfer, issuance) to Austrian customers must **register as a Virtual Asset Service Provider (VASP)** with the FMA under the GWG. This registration primarily focuses on AML/CFT compliance.

**Supervision:** The FMA supervises registered VASPs for their compliance with AML/CFT obligations.

**Authorization Required:** From December 30, 2024, crypto exchanges and other crypto-asset service providers (CASPs) covered by MiCA will require **authorization** from the FMA (or another EU competent authority) to operate. This authorization is much broader than the current AML registration, covering capital requirements, organizational setup, consumer protection, and operational resilience.

**Passporting:** Once authorized in one EU member state, a CASP will be able to "passport" its services across all other EU member states, including Austria.

**VASP Registration:** There is no dedicated "custody license" per se. Instead, entities providing custody of virtual assets are classified as **Virtual Asset Service Providers (VASPs)** and are required to register with the Austrian Financial Market Authority (FMA).

**Scope:** The FM-GwG defines "providers of services related to virtual currencies" to include "the safekeeping of virtual currencies for third parties" (i.e., custody).

**Fit and Proper Management:** Key persons involved in the management must demonstrate their suitability and reliability.

**Robust AML/KYC Framework:** Implementation of comprehensive policies and procedures for customer due diligence (KYC), transaction monitoring, risk management, and reporting of suspicious activities to the Financial Intelligence Unit (FIU).

**Internal Controls:** Establishment of internal controls and risk management systems to prevent money laundering and terrorist financing.

**Designated AML Officer:** Appointment of a dedicated officer responsible for AML compliance.

**Finanzmarkt-Geldwäschegesetz (FM-GwG):** § 2 Z 22 FM-GwG defines virtual currency and § 32a FM-GwG outlines the registration requirements for providers of services related to virtual currencies.

**FMA Guidance on Virtual Assets:** The FMA provides guidance on the interpretation and application of the FM-GwG for virtual asset service providers.

FMA - Virtual Assets (English section, may link to German guidance)

FMA - Information sheet on the legal qualification of tokens and the regulation of virtual assets (German, with English summary)

**Current:** The FM-GwG, being an AML law, does not explicitly mandate prudential segregation of client crypto assets from the custodian's own assets.

**Implicit Expectation:** While not a specific legal mandate for *crypto*, general principles of good business conduct and the FMA's supervisory expectations would lean towards ensuring customer assets are identifiable and protected from insolvency of the custodian to the extent possible, though this is not as robust as under a prudential financial services license.

**Current:** There are no explicit, dedicated insurance or bonding requirements specifically for crypto custodians under the current FM-GwG VASP registration.

Custodians of crypto assets in Austria are required to hold professional indemnity insurance or equivalent capital reserves specifically covering the loss of client crypto assets.

**Current:** Austrian regulation does not explicitly mandate the use of cold storage for crypto assets.

**General Security Requirements:** The FMA expects VASPs to have robust IT security measures and operational resilience to protect client assets from theft, loss, or unauthorized access. This implicitly encourages the use of secure storage solutions, which commonly include cold storage for a significant portion of assets.

As of Austria's 2025 MiCA implementation, 'qualified custodian' for crypto assets has a distinct regulatory definition: only licensed MiCA-compliant CASPs authorized for 'custody and administration of crypto-assets' with specific prudential, capital, and custody requirements (beyond just AML/CTF) qualify.

**EU-Wide Authorization:** Custodians will need to obtain authorization as a CASP from the FMA. Once authorized, they can "passport" their services across the EU.

MiCA introduces robust requirements beyond AML, but Austrian regulator action (banning KuCoin EU from new business) shows that enforcement was still needed to address gaps, with KuCoin subsequently hiring a new AML chief and expanding compliance in Vienna

**Organizational Requirements:** Clear governance arrangements, effective risk management, internal controls, and operational resilience.

**Fit and Proper Requirements:** For management and shareholders.

**Prudential Safeguards:** Capital requirements (see below).

**Complaint Handling:** Procedures for client complaints.

**Conflict of Interest:** Policies to prevent and manage conflicts of interest.

Regulation (EU) 2023/1114 on Markets in Crypto-Assets: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1114

**Explicit Mandate:** MiCA explicitly mandates the segregation of client crypto-assets and funds from the CASP's own assets.

**Protection in Insolvency:** CASPs must ensure that client crypto-assets are not used in their own interest and are protected in the event of the CASP's insolvency.

**Record Keeping:** Detailed records of each client's crypto-assets must be maintained.

MiCA Regulation: Article 53(1) and (2).

**Capital Requirements:** MiCA introduces initial capital requirements and ongoing prudential requirements for CASPs, which vary based on the services provided. For custody, specific capital requirements apply (e.g., the higher of a fixed amount or a percentage of fixed overheads).

Under MiCA (EU 2023/1114), CASPs must maintain prudential safeguards at least equal to the higher of the permanent minimum capital in Annex IV or one quarter of the previous year’s fixed overheads; these safeguards may consist of own funds, a professional indemnity‑type insurance policy, a comparable guarantee, or a combination, but MiCA does not impose a blanket, stand‑alone professional indemnity insurance requirement for all CASPs in Austria.

Articles 6 and 53(4) of Regulation (EU) 2023/1114 (MiCA) remain legally in force and form part of the applicable MiCA framework in Austria, but their practical effect is now complemented and further specified by post‑MiCA level‑2/level‑3 measures (delegated and implementing acts and guidelines), so that relying on the bare wording of these provisions alone no longer reflects the full, current regulatory standard for CASPs and issuers in Austria.

MiCA, complemented by DORA, imposes stringent operational‑resilience and security requirements on CASPs, including detailed, documented custody architectures for client crypto‑assets. While MiCA remains technology‑neutral and does not literally require specific tools such as ‘cold storage’ or ‘HSMs’ in the legal text, current regulatory guidance and practitioner interpretations expect CASPs to define, in their authorization and internal policies, concrete arrangements for safeguarding client assets (e.g., segregation, hot‑vs‑cold wallet setups, movement rules, and key‑management controls). In practice, this pushes CASPs toward industry‑standard mechanisms such as multi‑signature schemes, hardware security modules, and structured cold/hot storage strategies, not merely as implied best practice but as the de‑facto way to satisfy MiCA/DORA’s operational‑resilience and custody obligations.

Under MiCA, crypto‑asset custodians are strictly liable to clients for the loss of crypto‑assets or the means of access to them when the loss is attributable to the provision or operation of their custody service, with liability generally capped at the market value of the asset at the time of loss. This liability is not absolute: it excludes non‑attributable incidents (e.g. certain external events beyond the custodian’s control) and does not extend to all types of consequential loss. While the stricter regime is expected to incentivise stronger security and risk controls, MiCA does not mandate or necessarily ‘push’ all firms toward any single ‘most secure’ storage method, and security choices remain a matter of risk‑based design within the regulatory framework.

Under MiCA (Regulation (EU) 2023/1114), the core civil liability regime for misleading, incomplete or unclear white‑paper information and related investor protection (including withdrawal rights) is laid down primarily in Articles 14–16 and further specified for particular token types elsewhere in the Regulation; Articles 53–56 do not constitute the general liability provisions and referencing them as such is inaccurate for Austria or the EU generally.

MiCA establishes a harmonised, activity‑based authorisation and supervisory framework for CASPs providing custody, imposing high standards on governance, capital, ICT/operational security, and client asset protection (including segregation and detailed custody contracts). While these rules amount to a robust, prudentially supervised custody regime within the EU single market, MiCA does not formally create a separate legal category of “qualified custodian” equivalent to that under AIFMD/UCITS, and CASPs are not automatically treated as such in other regulatory frameworks.

In Austria, virtual asset service providers operating under the AML regime had to register with the FMA, but under MiCA/CASP rules the FMA is now the competent authority for authorization/supervision and the old VASP registration framework is being replaced during the transition period.

**AML/CFT compliance:** Implementing and enforcing measures to prevent money laundering and terrorist financing.

**Consumer protection:** Warning the public about unauthorized providers and investment risks.

**Fines for Non-Registration as a VASP:** This is a recurring theme. Entities offering virtual asset services without being registered face penalties.

**Fines for AML Deficiencies:** Registered VASPs failing to meet their AML obligations are subject to fines.

**Regulator:** Financial Market Authority (FMA) Austria

**Entity Targeted:** Various smaller entities, individuals, or companies operating as Virtual Asset Service Providers (VASPs) in Austria without proper registration or sufficient AML measures.

**Violation Type:** Operating as an unregistered VASP, deficiencies in implementing anti-money laundering (AML) and counter-terrorist financing (CFT) measures.

**Penalty Amount:** Varies significantly, typically ranging from a few thousand Euros to tens of thousands or potentially hundreds of thousands for more severe or repeated breaches. Specific public figures for these are often aggregated or not fully detailed for privacy/legal reasons unless deemed exceptionally high-profile.

**Date:** Ongoing, throughout 2021, 2022, 2023, and 2024. The FMA regularly publishes notices of penalties on its website.

**Outcome:** Issuance of administrative penalty notices, requiring payment of the fine. These decisions can be appealed.

Source URL (General FMA Penalties):

FMA - Geldwäscheprävention (AML Prevention)

FMA - Strafbescheide (Penalty Notices) - *Note: This section lists all FMA penalties, requiring filtering for crypto-specific ones, which are often generalized as "Verletzung des FM-GwG" (Violation of FM-GwG) without specific crypto mention in the headline for smaller cases.*

**Entity Targeted:** Various foreign and domestic entities, websites, or individuals offering cryptocurrency services (e.g., trading platforms, investment schemes) in Austria without FMA authorization. Examples often include entities offering dubious crypto investments.

**Violation Type:** Unauthorized provision of financial services, including virtual asset services, in Austria; lack of required licenses/registrations; potential for fraud or scams.

**Penalty Amount:** Not a direct monetary fine *at the time of the warning*. However, such warnings can lead to investigations, legal action, and potential fines if the entities are found operating within Austrian jurisdiction and fail to comply.

**Outcome:** Public alert issued, informing consumers about unauthorized activities and potential risks. These entities are typically blacklisted, and further action may be pursued if they continue to operate illegally.

Source URL (General FMA Investor Warnings):

*Specific examples vary frequently as new warnings are issued. One prominent example from 2023 was regarding various "crypto investment platforms" without authorization.*

**Consistent, albeit often smaller, penalties** for non-compliance with VASP registration and AML obligations, targeting both individuals and smaller corporate entities operating within Austria.

**Proactive public warnings** to protect investors from unauthorized and potentially fraudulent crypto service providers.

**Exchanges (Providers of Exchange Services between Virtual Currencies and Fiat Currencies and between One or More Virtual Currencies):**

Under MiCA as applied in Austria, the defined "exchange services" cover professional activities that facilitate the exchange of crypto‑assets for fiat currency (and fiat for crypto‑assets), while exchanges of one crypto‑asset for another are treated as a distinct crypto‑asset service and are not included in the MiCA definition of "exchange services" for fiat.

**Required Action:** Registration with the FMA.

**Custody Providers (Providers of Safekeeping and Administration of Virtual Currencies on Behalf of Clients):**

This includes entities that safeguard private cryptographic keys on behalf of their clients, to hold, store, and transfer virtual currencies.

**Payment Processors (in the context of virtual assets):**

While "payment processor" isn't a standalone defined VASP category under FM-GwG like exchange or custody, entities that facilitate payments using virtual assets will likely fall under the definitions above if their activities involve:

**Exchange:** If they convert virtual assets to fiat or vice versa for payment purposes.

**Custody:** If they hold virtual assets on behalf of clients for payment execution.

**Important Distinction:** If a service involves processing payments in *fiat currency* (even if originating from or destined for a crypto transaction), it might also trigger the need for a traditional payment service provider license under the Austrian **Payment Services Act 2018 (ZaDiG 2018)**. This is a full prudential license regulated by the FMA, separate from VASP AML registration.

**Risk Assessment:** A comprehensive assessment of the money laundering and terrorist financing risks associated with the company's business model, customer base, products, services, and geographical areas of operation.

**Internal Policies and Procedures:** Implementation of robust internal policies, controls, and procedures to mitigate identified risks, including:

**Customer Due Diligence (CDD/KYC):** Procedures for identifying and verifying the identity of customers and beneficial owners (UBOs), ongoing monitoring of business relationships, and enhanced due diligence for high-risk customers.

**Transaction Monitoring:** Systems for monitoring transactions for suspicious patterns.

**Reporting:** Procedures for reporting suspicious transactions to the Financial Intelligence Unit (FIU).

**Record Keeping:** Policies for retaining customer and transaction data.

**AML Officer:** Appointment of a qualified and reliable AML Officer (Geldwäschebeauftragter) responsible for overseeing AML compliance.

**Staff Training:** Regular training for all relevant employees on AML/CTF obligations.

**Reliability and Professional Suitability (Fit & Proper):**

**Management:** The managing directors and persons responsible for AML compliance must demonstrate professional suitability and reliability (e.g., no criminal record, especially related to financial crime, fraud, or money laundering).

Beneficial owners (typically holding 25% or more of shares/voting rights) must also demonstrate reliability.

The VASP must have its registered office in Austria.

While not always strictly enforced for *all* personnel, the management and key AML functions are generally expected to be located in Austria to ensure effective oversight by the FMA.

**Operational Capacity and IT Security:**

The applicant must demonstrate adequate operational resources, systems, and controls to perform the proposed services securely and reliably.

This includes robust IT security measures to protect customer data and virtual assets.

Unlike traditional financial institutions, there are **no specific minimum capital requirements** explicitly stated for *AML registration* of VASPs under FM-GwG.

**Preparation of Documentation:** Gather all necessary documents, which generally include:

Completed application form provided by the FMA.

Detailed business plan, outlining the services, target market, operational model, and technological setup.

Comprehensive AML/CTF manual/concept (Geldwäschekonzept) detailing all internal policies, procedures, and controls.

Information on the legal entity (e.g., extract from the commercial register).

Proof of reliability and professional suitability for managing directors and beneficial owners (e.g., CVs, police clearance certificates, declarations of non-bankruptcy).

Proof of sufficient financial resources.

Regulatory focus on AML/CTF has shifted from detailed, prescriptive scrutiny of compliance checklists toward a broader, outcomes‑based assessment of program effectiveness and risk management, while still requiring robust oversight.

Assessment of the reliability and professional suitability of management and owners.

Requests for additional information or clarification.

**Decision:** If the FMA is satisfied that all requirements are met, it will register the entity as a VASP. If the application is incomplete or concerns remain, it may be rejected or further information requested.

**Ongoing Supervision:** Registered VASPs are subject to ongoing supervision by the FMA to ensure continuous compliance with AML/CTF obligations.

**Austrian Financial Market Authority (FMA):**

Information on Virtual Assets (Cryptocurrencies) - Registration obligation: https://www.fma.gv.at/en/cross-sectional-topics/virtual-assets-cryptocurrencies/ (This page directly links to forms and relevant information for VASP registration.)

**Financial Market Money Laundering Act (FM-GwG - Finanzmarkt-Geldwäschegesetz):**

The full legal text can be found in Austrian legal databases (BKA/RIS). While official Austrian legislation is published in German as the authoritative version, English translations are increasingly accessible through multiple public sources including HeinOnline's World Constitutions Illustrated, multi-jurisdictional legal databases, and machine-translation tools applied to the free BKA/RIS database, making the claim that 'a direct English translation might not be publicly available from an official source' partially outdated.

**6th EU Anti-Money Laundering Directive (AMLD6)** (Directive (EU) 2024/1640): https://eur-lex.europa.eu/eli/dir/2024/1640/oj (AT, aml)

The term “6th EU Anti-Money Laundering Directive (AMLD6)” now refers to Directive (EU) 2024/1640, adopted as part of the 2024 EU AML package, which overhauls and replaces the earlier criminal‑law‑focused Directive (EU) 2018/1673; Austria’s current and future AMLD6 compliance framework is therefore anchored in Directive (EU) 2024/1640, not 2018/1673.

The Austrian Payment Services Act 2018 (Zahlungsdienstegesetz 2018 – ZaDiG 2018) is still the operative legal framework for payment services in Austria, but it has been amended multiple times, most recently by BGBl. I Nr. 5/2026 (effective 19 February 2026); any reference should therefore be to the current consolidated version of ZaDiG 2018, not just its original 2018 enactment.

Relevant if traditional payment services are also offered. This transposes the Second Payment Services Directive (PSD2).

**Markets in Crypto-Assets Regulation (MiCA):**

Regulation (EU) 2023/1114 on Markets in Crypto-Assets: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1114

Future Impact: MiCA will introduce a harmonized EU-wide licensing regime for various crypto-asset services. The rules on stablecoins (asset-referenced tokens and e-money tokens) apply from 30 June 2024, and the rules for other crypto-assets and service providers apply from 30 December 2024. This means the current national AML-registration regimes will be largely superseded by MiCA's comprehensive licensing requirements. VASPs should prepare for this significant shift.

EU sanctions are based on a two-step legal process: a CFSP Council Decision under Article 29 TEU, followed by, where economic or financial measures are involved, a Council Regulation under Article 215 TFEU.

Treaty on the Functioning of the European Union (TFEU) – Article 215.

These treaties empower the EU to impose restrictive measures (sanctions) to achieve Common Foreign and Security Policy (CFSP) objectives.

**Asset Freezes:** Prohibiting the use, transfer, or access to funds and economic resources of designated individuals, entities, or bodies. This directly applies to cryptocurrencies held by or transacted through VASPs.

**Travel Bans:** Restricting entry into or transit through EU territory for designated individuals.

**Trade Restrictions:** Embargoes on certain goods (e.g., arms, dual-use goods, luxury goods) or services. This includes restrictions on providing crypto-asset services to certain entities or in specific contexts.

**Sectoral Sanctions:** Targeting specific economic sectors (e.g., finance, energy, transport). The EU has increasingly included prohibitions on providing crypto-asset services as part of its sectoral sanctions, particularly against Russia and Belarus.

Russia: Extensive sanctions, including asset freezes, financial restrictions (e.g., SWIFT bans for certain banks, prohibitions on transactions with certain state-owned enterprises), and specific prohibitions on crypto-asset services.

*Legal Reference:* Council Regulation (EU) No 833/2014 concerning restrictive measures in view of Russia's actions destabilizing the situation in Ukraine. Subsequent amendments explicitly included crypto-asset services.

*URL:* EUR-Lex - Council Regulation (EU) 833/2014 (Check for latest consolidated version and amendments).

**Belarus, Syria, Iran, North Korea, Venezuela, Myanmar, etc.:** Various sanctions regimes applying asset freezes and other restrictions.

**Consolidated List of Sanctioned Persons, Groups and Entities:**

The EU maintains a consolidated list of persons, groups, and entities subject to EU financial sanctions. This is the primary list for screening.

*URL:* EU Sanctions Map (EEAS) or Financial Sanctions (European Council)

**Legal Basis:** UN Charter, Chapter VII.

**Key UN Sanctions Programs:** DPRK (North Korea), Iran, Afghanistan (Taliban), ISIL (Da'esh) & Al-Qaida, Libya, Somalia, Sudan, South Sudan, Yemen, etc.

*URL:* UN Security Council Sanctions Committees (Each committee maintains its specific list).

An Austrian VASP deals with U.S. persons (citizens, residents, entities).

Transactions involve the U.S. financial system (e.g., USD-denominated transactions, even if not directly involving a U.S. bank, if they clear through the U.S.).

Transactions have a direct or indirect nexus to OFAC-sanctioned individuals, entities, or jurisdictions, regardless of where the VASP is based.

**Key OFAC List:** Specially Designated Nationals and Blocked Persons (SDN) List.

EU Sanctions List (e.g., Consolidated Financial Sanctions List)

**OFAC Crypto Guidance:** OFAC has issued specific guidance on sanctions compliance for the virtual currency industry.

OFAC’s October 2021 Sanctions Compliance Guidance for the Virtual Currency Industry remains in force as baseline enforcement guidance, but it no longer fully reflects the current enforcement landscape because subsequent developments—most notably the 2026 joint FinCEN/OFAC proposed rulemaking under the GENIUS Act and more recent crypto/fintech enforcement actions—have expanded and tightened AML and sanctions‑compliance expectations for virtual currency industry participants.

**Legal Basis for VASPs in Austria:**

**Finanzmarkt-Geldwäschegesetz (FM-GwG):** This law implements the EU AML Directives and specifically covers VASPs. It mandates that VASPs comply with AML/CFT obligations, which inherently include sanctions compliance.

*URL:* RIS - Finanzmarkt-Geldwäschegesetz (FM-GwG) (Official Austrian legal information system – check for the latest consolidated version).

**Registration Requirement:** VASPs operating in Austria must register with the FMA. Registration requires demonstrating robust AML/CFT systems, including sanctions compliance.

**Key Compliance Obligations for VASPs:**

Identify and verify the identity of customers (KYC) and beneficial owners.

Understand the purpose and intended nature of the business relationship.

Ongoing monitoring of the business relationship.

Sanctions screening is an integral part of CDD.

Mandatory Screening: VASPs must screen all customers (individuals and entities), beneficial owners, and, where appropriate, transaction counterparties against relevant sanctions lists (EU, UN, and practically, OFAC).

**Real-time & Ongoing:** Screening should ideally occur at onboarding and on an ongoing, risk-based basis (e.g., daily, weekly, or upon significant changes) to capture updates to sanctions lists.

**Technology:** Utilizing robust sanctions screening software that can handle various name spellings, aliases, and updates from multiple lists is essential.

**"Travel Rule" for Crypto:** For crypto transactions above a certain threshold, VASPs are required to obtain and transmit originator and beneficiary information, which then also needs to be screened for sanctions. This is being implemented via the EU's Transfer of Funds Regulation (TFR) which will apply to crypto-asset transfers.

Monitor transactions for unusual patterns, amounts, or destinations that could indicate sanctions evasion or other illicit activities.

This includes monitoring on-chain activity where feasible and integrating with blockchain analytics tools.

**Suspicious Activity Reports (SARs)/Suspicious Transaction Reports (STRs):** If a VASP identifies a potential match to a sanctions list or suspects sanctions evasion, they must immediately freeze the assets and report the incident to the Austrian Financial Intelligence Unit (FIU), which is part of the Federal Criminal Police Office (**Geldwäschemeldestelle**).

*URL (FMA guidance):* FMA - Geldwäscheprävention (AML Prevention)

**Internal Controls and Risk Assessment:**

Implement comprehensive internal policies, procedures, and controls for sanctions compliance, tailored to the VASP's specific risk profile.

Conduct regular risk assessments to identify and mitigate sanctions risks inherent in their services, customer base, and geographic exposure.

Provide ongoing training to relevant staff.

**Record Keeping:** Maintain records of CDD measures, transactions, and sanctions screening activities for at least 5 years.

**Titles III (ARTs) and IV (EMTs) of MiCA**, covering stablecoins, will apply from **30 June 2024**.

The remaining provisions of MiCA for other crypto-assets and crypto-asset service providers will apply from 30 December 2024.

**E-money Tokens (EMTs) (Title IV of MiCA):**

Under MiCA as applied in Austria, stablecoins are split into (i) e‑money tokens (EMTs), defined as crypto‑assets that purport to maintain a stable value by reference to one official currency, and (ii) asset‑referenced tokens (ARTs), defined as crypto‑assets that purport to maintain a stable value by reference to one or several assets or values other than a single official currency (for example baskets of fiat currencies that are not legal tender, commodities like gold, or other crypto‑assets). The broad ‘any other value or right or combination thereof’ formulation is no longer the operative description for EMTs, which are now limited to one official currency, while ARTs cover the multi‑asset or non‑currency references.

EMTs are considered e-money under the E-Money Directive (2009/110/EC) and its Austrian implementation, the **E-Geldgesetz 2010**. MiCA effectively extends the existing e-money framework to crypto-assets.

**Regulatory Reference:** MiCA, Article 3(1)(5) and Title IV.

**Asset-Referenced Tokens (ARTs) (Title III of MiCA):**

Defined as a type of crypto-asset that is not an EMT and purports to maintain a stable value by referencing **any other value or right or combination thereof**, including one or several official currencies that are not legal tender, one or several commodities, or one or several crypto-assets, or a combination of such assets (e.g., a stablecoin backed by a basket of fiat currencies, gold, or other crypto-assets).

ARTs are a new category specifically created by MiCA.

**Regulatory Reference:** MiCA, Article 3(1)(4) and Title III.

MiCA aims to create a *specific* framework for ARTs and EMTs, meaning that if a token falls under these MiCA definitions, it will primarily be regulated as such, rather than as a "security" under the traditional WAG 2018/KMG, or merely as a "payment token" (which is not a formal legal classification but a functional description).

However, if a crypto-asset (even if attempting to be stable) does *not* meet MiCA's definitions for ARTs or EMTs and exhibits characteristics of a financial instrument, it could still be regulated under existing Austrian securities law (e.g., WAG 2018) or capital market law (KMG). MiCA has a clear scope exclusion for financial instruments already regulated under existing EU legislation like MiFID II.

Issuers of EMTs must always issue them **at par value** upon receipt of funds and are required to redeem them at par value upon request.

Funds received in exchange for EMTs must be protected and held by the issuer in a credit institution or invested in secure, low-risk assets (e.g., deposits with central banks or credit institutions, highly liquid government bonds).

Issuers must ensure that the reserve assets are **at all times equal to or greater than the amount of EMTs in circulation** (1:1 backing).

Issuers of asset‑referenced tokens must maintain and manage a segregated reserve of assets whose value at least equals the value of tokens in circulation, subject to risk-based prudential rules on composition, liquidity and own funds, rather than a simple static ‘at all times 1:1 parity’ formula.

**Regulatory Reference:** MiCA, Article 52-56.

Issuers must establish and maintain a **reserve of assets** that is fully segregated, separate from the issuer's own assets, and held in custody by a third party.

The reserve assets must be managed to ensure that the value of the reserve is **at all times equal to or greater than the value of the ARTs in circulation**.

Rules on the composition of the reserve assets:

Must be adequately diversified and held in low-risk assets.

Detailed rules on liquidity management (at least 30% in highly liquid assets, daily redemption for stable ARTs).

**Regulatory Reference:** MiCA, Article 32-38.

Issuers of EMTs must be **authorized as a credit institution** (under the EU Capital Requirements Directive/Regulation) or as an **e-money institution** (under the EU E-Money Directive/Austrian E-Geldgesetz 2010).

They also need to publish a crypto-asset white paper and obtain approval from the FMA.

**Regulatory Reference:** MiCA, Article 48 & 49.

Issuers of ARTs must be **authorized by the FMA** (or another competent national authority in the EU) before offering ARTs to the public or seeking admission to trading on a crypto-asset exchange.

The authorization process is extensive, requiring a detailed application including a business plan, governance arrangements, risk management, internal control mechanisms, capital requirements, and a crypto-asset white paper.

Under MiCA in Austria, issuers of ARTs must maintain own funds equal to the higher of EUR 350,000, 2% of the average amount of reserve assets, or one quarter (25%) of the fixed overheads of the preceding year; for significant ARTs, the percentage rises to 3%.

**Regulatory Reference:** MiCA, Article 16-21.

Holders of EMTs have a **direct claim against the issuer** and must be able to redeem their EMTs at any time at par value, for the fiat currency they represent, free of charge (unless explicitly disclosed fees apply, which must be proportionate).

Regulatory Reference: MiCA, Article 58.

Holders of ARTs have a **direct claim against the issuer** and a proportionate claim on the reserve assets.

Issuers must establish and disclose clear redemption policies, including conditions, fees, and procedures for redeeming ARTs for the assets in the reserve.

**Regulatory Reference:** MiCA, Article 39.

For a crypto-asset to qualify as an ART or EMT, it *must* maintain a stable value by referencing actual assets held in reserve (for ARTs) or fiat currency (for EMTs) with specific backing and liquidity requirements.

An algorithmic stablecoin that relies solely on a smart contract and arbitrage mechanisms without physical backing to maintain its peg would fail to meet the reserve requirements of MiCA Titles III and IV.

If an algorithmic token *does* manage to maintain a stable value through mechanisms that include sufficient, liquid, and segregated reserve assets as required by MiCA, then it *could* theoretically fall under ARTs/EMTs, but this design would be fundamentally different from typical unbacked algorithmic stablecoins.

**Regulatory Reference:** The implicit prohibition stems from the strict definitions and reserve requirements in MiCA, especially Articles 32-38 (ARTs) and 52-56 (EMTs).

MiCA acknowledges the potential future for a digital euro (a Central Bank Digital Currency or CBDC) issued by the European Central Bank (ECB).

Currently, there is no specific Austrian legislation regulating the interaction between private stablecoins and a CBDC, as the digital euro is still in development. However, MiCA lays the groundwork for ensuring that private stablecoins do not undermine monetary sovereignty or financial stability in a future CBDC environment.

MiCA Articles 21(5), 51(3), and 60(3) address crypto-asset issuance and service provider requirements, but do not directly govern macro-prudential safeguards related to monetary policy. CBDC development falls outside MiCA's scope and is governed by separate central bank frameworks; the ECB and OeNB are primary sources for CBDC policy, not MiCA implementation.

**Markets in Crypto-Assets Regulation (MiCA) (Regulation (EU) 2023/1114):**

**Austrian Financial Market Authority (FMA) – Crypto Assets Information:**

The FMA is the primary competent authority in Austria for supervising MiCA.

General information on crypto-assets: https://www.fma.gv.at/en/cross-sector/crypto-assets-and-tokenisation/

**Austrian E-Money Act (E-Geldgesetz 2010 – E-GG 2010):**

Relevant for EMTs and pre-MiCA e-money classifications.

Generally available through legal information systems like Rechtsinformationssystem des Bundes (RIS) – search for "E-Geldgesetz 2010".

**Austrian Securities Supervision Act (Wertpapieraufsichtsgesetz 2018 – WAG 2018):**

Relevant for assessing if a token falls outside MiCA's scope and qualifies as a security.

Generally available through FMA or official legal publications – search for 'Wertpapieraufsichtsgesetz 2018' or 'WAG 2018'.

**Oesterreichische Nationalbank (OeNB) – Digital Euro Information:**

Information on Austria's central bank stance on the digital euro.