Central Bank of Ireland's AML REQ for Crypto-Asset Service Providers (CASPs): What You Need to Know

The Central Bank of Ireland's new AML REQ for Crypto-Asset Service Providers is a significant step up in AML reporting expectations for the crypto sector.

The return moves away from any form of high-level reporting toward granular, XML-only submissions with strict schema validation and substantially deeper AML/CFT data requirements across crypto-specific activities.

For most CASP compliance teams, the challenge is operational: pulling together customer data, transaction volumes, crypto-asset exposure, and TM rule-level statistics across multiple systems, and structuring them into a format the CBI will accept.

This blog breaks down what the CBI is asking for, where firms are likely to run into issues, and what good preparation looks like.s like.

What Is the CBI AML REQ for Crypto Firms?

The AML REQ (Risk Evaluation Questionnaire) is the Central Bank of Ireland's annual AML/CFT supervisory return for regulated financial institutions. The CBI has been rolling out sector-specific versions since mid-2025, beginning with credit institutions and PI/EMIs.

The CASP REQ, published in March 2026, is the version built for Crypto-Asset Service Providers.

It is required under Section 22 of the Central Bank (Supervision and Enforcement) Act 2013 and the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. The return also feeds into AMLA's EU-level data collection requirements under the Regulatory Technical Standards at Article 40(2) of AMLD and Article 12(7) of AMLAR.

The return gives the CBI structured, quantitative visibility into a CASP's:

• Customer risk profile and segmentation
• Crypto-specific product and service activity
• Geographic exposure by customer and by funds flow
• AML controls, governance, and outcomes
• Transaction monitoring rules, alerts, and outcomes

Complyfirst took the pain out of the AML REQ return. The platform generated the XML file for us, and Fiona and Dan were quick and helpful on Teams throughout. We submitted our return to the CBI same day and saved hours of effort.

Fiona Lynch, Head of Risk & Compliance

Learn how

Who Must Comply and Key Reporting Dates

All CBI-authorised Crypto-Asset Service Providers must submit the CASP AML REQ. This includes Irish-authorised entities and Irish branches operating under Freedom of Establishment or Freedom of Services.

Each regulated legal entity must submit its own return, even if part of a wider group.

Former VASPs:

If your firm was previously registered as a Virtual Asset Service Provider before transitioning to CASP authorisation, your first submission must cover both periods. You report data under your former VASP registration and separately under your CASP authorisation for any crypto-asset services commenced in 2025. This cannot be split across two returns.

Group structures:

If your institution is reported as Parent of Group or Stand-alone entity, Sections 8.2.3 and 8.4.17 must be reported in an aggregated manner for all EEA business. Only Irish institution data is required for the remaining sections.

Key Changes Introduced

The CBI is moving from a generic, one-size-fits-all REQ in Excel format to a crypto-specific return in machine-readable XML format. Here is what that means in practice:

Section-by-Section Overview of the CASP AML REQ

Let’s zoom in.

The CASP REQ has 19 reporting sections. At a high level, the return is structured to give the CBI detailed visibility into both your firm's inherent AML risk exposure and the effectiveness of your AML/CFT control framework.

1. General: Legal structure, LEIs, group structure, business model summary, CASP services operated, international presence by EEA country, and statement of compliance.
2. Inherent Risk: Customer Segments: Total customer counts by segment type (natural persons, legal entities, PEPs, high risk, complex structures, cash-intensive), split by product or service. Includes transaction volumes and values by segment.
3. Inherent Risk: Sector: High-risk legal entity customers by sector, referenced against Annex III of the AML Regulation.
4. Inherent Risk: Anonymity: Whether your products allow identity concealment, including explicit yes/no flags for self-hosted wallet addresses, DeFi platforms, mixer and tumbler platforms, and crypto ATMs involving cash.
5. Inherent Risk: Crypto-Assets: Your top five crypto-assets or cryptocurrencies by EUR traded value over 2025, expressed as a percentage of gross traded volume. Also includes average daily transacting users.
6. Inherent Risk: Other: Correspondent relationships, cash transactions, prepaid cards, crowdfunding, funding methods and payment instruments, intermediaries, remote onboarding proportions.
7. Mitigation and Control: BWRA: Whether your business-wide risk assessment covers ML, TF, sanctions, cybercrime, market abuse, crypto risks, customer groups, geographies, and distribution channels. How outcomes are applied.
8. Mitigation and Control: Policies and Procedures: Approval dates for each AML/CFT policy area, from customer onboarding to record keeping, sanctions, and geographic risk.
9. Mitigation and Control: Onboarding and CDD: Onboarding channel coverage, identity verification methods, CDD review frequencies by risk tier, backlog proportions, and customers without ML/TF risk profiles.
10. Mitigation and Control: Transaction Monitoring: TM approach (manual, automated, or both), model validation methodology, rule inventory, alert counts, true and false positive rates, backlog, and average time to close. Includes a specific question on whether your firm has implemented a distributed ledger analysis tool.
11. Mitigation and Control: STR Reporting and Sanctions: STR counts by GoAML category, days to report, sanctions list coverage, screening frequency, and confirmed sanction hits.
12. Mitigation and Control: Governance and Assurance: Outsourcing arrangements, training coverage, compliance testing dates, audit dates, governance reporting frequency, and AML staffing numbers.
13. Physical Presence: Subsidiaries, branches, agents, distributors, and white-labelling partners by country.
14. Residence and Establishment: Customer base by country: total, new, high-risk, and PEP-linked customers, for both natural persons and legal entities.
15. Beneficial Owner: Beneficial owner counts by country of residence.
16. Politically Exposed Persons: PEP exposure by country of nationality or citizenship for natural persons, and by country of establishment for legal entities.
17. Custody Administration: Country-level transaction numbers and EUR values for custody and administration of crypto-assets, split between all customers and high-risk customers.
18. Trading Platform, Exchange Funds, Exchange Cryptos, Order Execution, Reception and Transmission, Portfolio Management, Transfer Cryptos: For each CASP service your firm offers, country-level incoming and outgoing transaction numbers and values, split between all customers and high-risk customers.
19. Correspondent Relationships, Geography of Funds Flow, Transaction Monitoring Rules: Correspondent activity by country, funds flow source and destination by country with high-risk splits, and a rule-by-rule TM disclosure covering rule name, description, alert count, true positives, and false positives.

What truly sets Complyfirst apart is its ability to simulate a regulator’s review, identifying potential data discrepancies or inconsistencies across multiple reports before submission.

Pamela Crilly, EU COO, TrueLayer

Read case study

Submission Format and Validation Requirements

Now, for the reporting mechanics. 👀

The CBI requires CASP firms to submit the AML REQ in XML format only, generated in line with the official XSD schema provided for the CASP sector. Excel versions are available solely to support understanding and will not be accepted for submission.

The XML must comply with strict requirements: correct table ordering, approved variable names, valid enumerations, mandatory field formatting, and explicit closing tags throughout. Even minor technical errors can result in rejection by the CBI Portal.

File Naming Convention

Files must follow this structure:

Example: CXXXXX_20251231_A04.xml

XML Table Structures

The CASP REQ uses two different XML table structures:

• Table Structure A: Used for country-level and activity-level tables. REF codes are entered as attributes within a single element.
• Table Structure B: Used for general and control sections. Requires an Identifier (REF code) and a Variable Name for each field.

The reporting sections must be entered in the strict order defined by the XSD schema. A file submitted in a different order will be automatically rejected.

Post-Upload Steps

Once the file passes the Portal's initial validation, two further steps are required:

1. Click Finalise
2. Click Sign-Off

Both are mandatory. Missing either step means the return has not been transmitted to the CBI.

Mandatory Data Rules

Every field in the CASP REQ is mandatory. No blanks are permitted, including fields that are not applicable to your business model.

The CBI requires firms to use approved placeholder values by field type:

All values must be reported in euros. Exchange rates can be based on the transaction date or the reference date.

Here’s a walkthrough from our AML REQ breakfast session where our CTO, Dan, breaks down the non-negotiables for completing the AML REQ:

Step-by-Step Checklist to Submit Your AML REQ

There are no shortcuts, here is what the CBI requires end-to-end.

Step 1: Download the CASP REQ pack

Download the CASP-specific materials from the Central Bank of Ireland:

• Guidance Notes v1.1 (March 2026)
• CASP XSD schema (A04)
• Sample XML file

Step 2: Read the guidance notes

Review the full guidance PDF document (typically 80-120 pages):

Step 3: Map your firm’s data to the REQ schema

Map internal data sources across all 19 sections.

Every field:

• is mandatory
• has a strict format
• must align to the XML schema requirements

Step 4: Complete the REQ

Complete the return across all required sections.

This includes hundreds of fields covering:

• customers
• products and services
• jurisdictions
• transaction activity
• AML controls
• governance
• monitoring frameworks

Step 5: Validate against the XSD schema

The submission must validate against the official CBI XSD schema before upload. Excel won’t fly! XML only.

Step 6: Obtain sign-off

Complete internal governance and approvals. Typically this involves MLRO and board-level review.

Step 7: Upload to the Central Bank Portal

Submit the validated XML file through the Central Bank Portal before 30th June 2026.

Step 8: Keep an audit trail

The CBI will ask.

How Complyfirst Helps CASPs Submit Their AML REQ

Complyfirst provides the tools and support for CASP firms to deliver a compliant AML REQ submission, aligned to the CBI’s schema and deadlines.

We have supported firms across the CBI's AML REQ since the first sector-specific returns launched. Fiona Lynch at Fexco told us that Complyfirst took the pain out of the AML REQ return entirely. The platform generated the XML file, they submitted to the CBI the same day, and saved hours of effort in the process. Adrian Witkowski at SumUp put it this way: "What took weeks, Complyfirst fixed in hours: within 48 hours we were live and submitted."

Here’s how we'll help:

• CBI definitions are built in-platform
• N/A codes are auto-applied in one click
• Real-time validation in plain English as you work
• Approvals and audit trail are baked in
• You get 1:1 support, even on deadline day
• Generated XML output, named & ready to upload

Get in touch here to get started.