Common mistakes in CASP applications and how to avoid them

The entry into force of MiCA has opened a completely new chapter for crypto-asset service providers (CASPs) in the European Union. In Spain, the CNMV has become the mandatory gateway for any project that wants to operate with legal certainty, attract institutional investment or scale its operations without regulatory uncertainty.

The issue we see in some of the projects presented to us is that this increase in applications is not matched by the same level of quality in the files. In practice, we see a very clear pattern: most rejections and requests for corrections stem from entirely avoidable mistakes.

This article is a practical guide—without unnecessary technical jargon—to understand where CASP files tend to fail, how to avoid those issues, and what the CNMV really expects from each project.

For more information, we invite you to read our article “The definitive guide to obtaining a CASP licence from the CNMV (MiCA 2025)”.

IN DIEM Abogados provides the legal-regulatory approach and Cryptoveritas 360 the technical expertise in cybersecurity and blockchain auditing.

Why is it so easy to make mistakes in CASP applications?

Those approaching MiCA for the first time often think it is a regulation focused solely on the legal side. But in reality, it is a legal + technical + operational model.

The documents must fit together like a puzzle: AML manuals, governance, technology architectures, operational flows, custody policies, etc. Any inconsistency is quickly detected by the CNMV.

Many projects come from the startup environment, where speed takes precedence over documentation. This clashes head-on with the level of detail required by MiCA.

MiCA requirements in Spain: the starting point where many mistakes begin

Solvency and capital

MiCA requires real solvency, not mere declarations. A custody service with millions under management cannot justify low capital without a robust risk analysis.

AML/CFT manuals

One of the most serious mistakes: generic or copied manuals. The CNMV detects them immediately because they lack the necessary specificity. An AML manual must be a living document, reflecting the real risks of your business model, your clients and the blockchains you operate on.

Governance

Clear roles, traceability and defined processes. Many projects fail due to “nice but empty” org charts, where no specific responsibilities are assigned and no effective chain of command for critical decision-making is demonstrated.

Technology systems

One of the most demanding requirements. The technical side is often described superficially, raising significant doubts about the security, resilience and real capacity of the infrastructure. The CNMV needs to understand not only what you do, but how you do it securely.

IN DIEM + Cryptoveritas 360 cross-check each document against the rest to avoid inconsistencies, the most common mistake.

The 10 most common mistakes in CASP applications

  1. The mistake: Describing the service in generic terms (“we are an exchange”) without detailing specific workflows, target customers, revenue sources or a realistic assessment of operational risks.
     • CNMV example: A project presents itself as an NFT marketplace, but its AML documentation does not differentiate the risks between an artist minting a work and a collector trading high volumes. The CNMV perceives a lack of understanding of its own business.
     • The solution: The business model must be a complete operational narrative. Include user flow diagrams (onboarding, trading, withdrawals), define your customer profiles (buyer personas) and present a SWOT analysis that supports your strategic and risk decisions.

  2. The mistake: Using internet templates or documents from other companies without adapting them to the project’s technological and operational reality. The CNMV looks for “copy and paste” and penalises it.
     • CNMV example: The AML manual mentions monitoring “cash transactions” or geographic risks in jurisdictions where you do not operate, when your platform is 100% digital and operates in the EU. This reveals a lack of customisation.
     • The solution: Absolute customisation. Your AML manual must reflect your real risk assessment, mention the specific KYT tools you use (such as Chainalysis or Elliptic), the blockchain protocols you support, and the alert thresholds defined based on your activity.

  3. The mistake: “Decorative” org charts where it is not clear who has ultimate authority to make decisions in critical areas such as AML, technology or risk management.
     • CNMV example: The “Compliance Officer” appears on the org chart, but their functions described in another document are ambiguous and they are not given veto power over the launch of new high-risk products. It is perceived as a token role.
     • The solution: Assign a named individual to each role required by MiCA. Create responsibility matrices (RACI) and attach minutes of the first risk committee meetings to demonstrate that governance is active and not merely theoretical.

  4. The mistake: The technical description of systems (e.g., the ratio between cold and hot wallets) does not match the execution timelines or disaster recovery policies described in operational and legal manuals.
     • CNMV example: The legal document promises 99.99% service availability (SLA), but the technical architecture describes maintenance windows without customer communication procedures or real redundancy. The inconsistency is glaring.
     • The solution: Ongoing cross-review. A lawyer must understand the fundamentals of the technology described, and a technician must understand the legal requirements the architecture must meet. Every statement in one document must be coherently reflected in all the others.

  5. The mistake: Claiming compliance with cybersecurity standards without detailing how. Vague phrases such as “we use encryption” or “we have a SOC” are insufficient and trigger immediate requests for clarification.
     • CNMV example: “We have a SOC (Security Operations Center).” The CNMV will ask: Is it in-house or outsourced? What certifications does the team have? What are the response SLAs? Which events are specifically monitored?
     • The solution: Technical specificity. Instead of “encryption”, specify “we use AES-256 for data at rest and TLS 1.3 for data in transit”. Attach team certifications, detailed architecture diagrams and documented security policies (patching, access, etc.).

  6. The mistake: Implementing a basic KYC process that does not scale or does not allow full traceability of a customer’s transactions over time, breaching the principle of ongoing “know your customer”.
     • CNMV example: The system allows customer onboarding, but cannot automatically track and group all associated wallets or detect suspicious behaviour patterns based on transaction history.
     • The solution: Integrate on-chain analytics and KYT tools by design. Demonstrate to the CNMV that your system can follow the trail of funds beyond a single transaction, linking addresses and detecting anomalous behaviour.

  7. The mistake: Submitting generic CVs without demonstrating how each executive’s specific experience is relevant and adequate for the risks and complexity of a CASP.
     • CNMV example: The CTO has extensive experience in traditional IT, but their CV does not show specific knowledge of blockchain cybersecurity, private key management or decentralised architectures.
     • The solution: CVs must be explanatory. Do not just list experience—explain how each previous role has prepared the executive to manage MiCA’s specific risks. Specific training in blockchain and regulation is a key advantage.

  8. The mistake: Not having a business continuity plan (BCP), or having one that is merely a statement of intent, without concrete steps, assigned roles and communication plans for serious incidents.
     • CNMV example: The BCP mentions “recovery at a secondary site” but does not specify the RTO (Recovery Time Objective) and RPO (Recovery Point Objective), nor does it detail how data consistency is ensured in a crisis scenario.
     • The solution: Develop a detailed, realistic BCP. Include test scenarios, communication plans for customers and regulators, and specific technical procedures for system and data recovery.

  9. The mistake: Describing a custody system without providing technical evidence of its implementation, such as multi-party signature schemes, asset segregation or key recovery protocols.
     • CNMV example: A company claims to use “98% cold wallets” but does not describe the physical and logical procedure to access them, nor how it mitigates the risk of a single point of failure in that process.
     • The solution: Provide in-depth technical custody documentation. Key architecture diagrams, a description of the Hardware Security Modules (HSMs), and audited procedures for generating, storing and using private keys.

  10. The mistake: Data, figures or descriptions in one annex do not match those in another. For example, the share capital in one document differs from what is declared in another, or the list of supported protocols in the technical manual does not match the commercial one.
     • CNMV example: The financial annex shows capital of €150,000, while the descriptive report refers to €125,000. Or the marketing manual promotes support for a blockchain that does not appear in the technology risk assessment.
     • The solution: Carry out a final “horizontal read” of the entire file. Check that every data point, name, figure and description is consistent across the more than 20 documents that an application typically includes. This is one of the most critical tasks before submission.

How can you avoid mistakes before submitting your application?

The best strategy is to carry out a legal and technical pre-audit that reviews the entire file with the same approach the CNMV would take, but with a constructive, improvement-oriented mindset.

Basic checklist

  • Operational, understandable business model with detailed flows.
  • Risks identified, assessed and quantitatively justified.
  • AML manual 100% tailored to your service, technology and customers.
  • Technology described precisely, without vagueness.
  • Real cybersecurity measures, documented and justified.
  • Coherent governance, with accountable persons and defined processes.
  • Suitable, financially sound management team, with proven relevant experience.
  • All annexes aligned and free of internal contradictions.

The importance of legal–technical alignment: the decisive factor

If the legal side says one thing and the technical side describes another, the CNMV will spot it within minutes. This disconnect is the main cause of requests for corrections and delays. MiCA regulation is, by its nature, an interdisciplinary framework that requires an equally integrated response.

How IN DIEM + Cryptoveritas 360 address it

  • Smart contract audit (where applicable) and review of blockchain architecture.
  • Comprehensive cybersecurity assessment of the infrastructure.
  • Technology risk analysis aligned with capital requirements.
  • Cross-review of all manuals (AML, Governance, Technology) to ensure consistency.
  • Full alignment between the business model, the underlying technology and AML/CFT policies.

Frequently Asked Questions

What is the most serious mistake you see in applications?

Without a doubt, inconsistency between documents. The CNMV does not assess each document in isolation, but as a whole. A small contradiction between a technical manual and an operational one can undo months of work and create an initial distrust that is very hard to reverse.

What does the CNMV do when it detects one of these mistakes?

It does not reject the application immediately. It issues a request for corrections, setting a deadline to remedy the defects. However, these deadlines tend to be tight, and each iteration extends the process by several months, with the operational and opportunity cost that entails.

Is it possible to rectify a mistake after submitting the application?

Yes, during the request-for-corrections phase. But it is a much more stressful and costly process than getting it right from the start. The pre-audit is the key tool to avoid reaching this point.

Please note that…

Most mistakes in CASP applications are avoidable. They do not depend on the size of the project, but on the quality of the file and the alignment between the legal, technical and operational aspects.

How can IN DIEM Abogados help in this process?

At IN DIEM Abogados and Cryptoveritas 360, we work together so that each application reaches the CNMV coherent, robust and ready to be approved without delays.

Our firm offers comprehensive advice in all areas related to crypto-assets and blockchain, including:

  • Law and Cryptocurrencies: we advise on Bitcoin, Altcoins, ICOs, NFTs, and blockchain-based projects, providing legal security from creation to the operation of any crypto-asset.
  • Crypto Tax and Taxation: we offer expert guidance on taxation of cryptocurrency investments, buy-sell transactions, staking, DeFi, and airdrops, ensuring compliance with current regulations.
  • Registration and Compliance with Banco de España: we guide cryptocurrency exchange and custody platforms in their registration and regulatory compliance, ensuring safe and legal operation.
  • Adaptation to the MiCA Regulation: we help crypto companies comply with the new European regulation, covering everything from obtaining licenses to implementing anti-money laundering (AML) policies, consumer protection, and compliance auditing.
  • Fraud on Web Platforms with Cryptocurrencies. Criminal: we offer legal defense and recovery strategies against fraud or scams on exchanges, wallets, or any digital investment platform.

In an increasingly complex and competitive regulatory environment, having a firm that understands both technology and law is key to minimizing risks and seizing opportunities. In Diem Abogados, in collaboration with its technology partner Cryptoveritas 360, does not only advise: it accompanies, implements, and ensures that your crypto company complies with regulations, integrates secure technological solutions, and thrives in the digital ecosystem.
