Why the 19th EU sanctions package matters for CASPs

Why the 19th sanctions package matters for crypto asset service providers 

On October 23, 2025, the European Union adopted its 19th sanctions package against Russia, and for the first time, crypto asset service providers (CASPs) are squarely in the crosshairs. 

While previous sanctions packages addressed digital assets indirectly, this update introduces explicit prohibitions on providing crypto-asset services to Russian nationals, residents, and entities. The scope is comprehensive, covering custody, wallet provision, exchange services, transfers, and payment processing. The effective date is November 25, 2025; however, compliance teams should begin acting now. 

For CASPs operating across EU jurisdictions, this isn’t a minor technical amendment. It fundamentally reshapes who you can serve, what services you can offer, and how you assess counterparty risk in an increasingly complex sanctions landscape.  

What changed: crypto-asset service prohibitions under EU regulation 

The new measures introduce a blanket ban on providing crypto-asset services (as defined in Regulation (EU) 2023/1114) to: 

• Russian nationals or residents 

• Legal entities, bodies, or organizations established in Russia 

Prohibited services include: 

• Custody and administration of crypto-assets on behalf of customers 

• Operation of a trading platform for crypto-assets 

• Exchange of crypto-assets for funds or other crypto-assets 

• Execution of orders for crypto-assets on behalf of customers 

• Placing of crypto-assets 

• Reception and transmission of orders for crypto-assets 

• Providing advice on crypto-assets 

• Portfolio management on crypto-assets 

• Providing transfer services for crypto-assets on behalf of customers 

Additionally, from January 18, 2026, Russian nationals and residents are prohibited from owning, controlling, or holding positions in EU-based crypto-asset wallet, account, or custody providers. 

The package also bans engagement with Russia’s domestic payment systems—specifically the Mir payment card system and the Fast Payments System (SBP)—and prohibits transactions involving certain listed crypto-assets, currently including the stablecoin “A7A5.”  

Why Crystal classified Payeer as high-risk before the legal deadline 

Among the newly sanctioned entities, one stands out for CASPs: Payeer. 

Payeer has been added to Annex XIX, Part A, as a credit or financial institution providing services to sanctioned entities. The legal effective date is November 25, 2025. However, Crystal classified Payeer as a sanctioned high-risk entity immediately as a preventive risk measure. 

Why we moved early 

Our analysis identified multiple red flags that align with the intent of EU Regulation 2025/2033: 

• Payeer’s historical exposure to entities listed under Decision 2014/145/CFSP and Regulation (EU) No 833/2014 

• Transactional patterns consistent with sanctions evasion typologies 

• Operational infrastructure overlapping with jurisdictions under heightened scrutiny 

Rather than wait until the legal deadline, Crystal made a strategic decision to classify Payeer proactively. This gives our clients critical time to: 

• Identify and quantify exposure 

• Initiate termination protocols with affected counterparties 

• Mitigate compliance risk before enforcement actions begin 

What this means for you 

If your compliance, transaction monitoring, or onboarding systems interact with Payeer—either directly or through nested relationships—you should restrict and review any activity involving Payeer immediately. This isn’t just about regulatory alignment; it’s about protecting your institution from exposure before the effective date closes the window for orderly exits.  

Who is impacted by the new CASP sanctions and immediate compliance actions 

Teams affected: 

• Compliance officers: Responsible for updating screening rules and conducting exposure assessments 

• Transaction monitoring (TM) teams: Must tune alert logic to flag Russia-nexus activity 

• Onboarding and partnership teams: Need revised customer acceptance policies and offboarding scripts 

• Payments operations: Must implement geo- and person-based controls for restricted services 

Immediate actions: 

1. Identify exposure 

Run retrospective screening on counterparties, wallet addresses, and transaction flows over the past 12 months. Key questions to answer: 

• Do we have customers or partners flagged as Russian nationals or residents? 

• Have we processed transactions involving Payeer or entities in Annex XIX? 

• Are any wallets in our system linked to Russia-nexus clusters? 

Crystal clients can run exposure checks directly through our platform, with results highlighting risk scores, entity links, and suggested mitigations. 

2. Freeze and flag

Where policy allows, place temporary holds or heightened monitoring on flagged relationships. Document the rationale and timeline for each decision to demonstrate proactive compliance. 

3. Offboard and terminate

Plan orderly exits from relationships that violate the new prohibitions. This includes: 

• Preparing customer notifications 

• Establishing final transaction windows 

• Coordinating with legal and operations teams on account closures 

4. Document everything

Regulators will expect evidence of compliance preparation. Maintain records of: 

• Risk assessment notes 

• Screening results and counterparty reviews 

• Communications with affected customers or partners 

• Decision logs and escalation timelines

Newly sanctioned Russian banks and financial entities in Annex XIX 

Beyond the CASP-specific measures, the 19th package introduces significant financial restrictions: 

Newly sanctioned Russian banks: 

• Istina 

• Zemsky Bank 

• Commercial Bank Absolut Bank 

• MTS Bank 

• Alfa-Bank 

Third-country entities now covered: 

• Bank BelVEB 

• Belgazprombank 

• VTB Bank (PJSC) Shanghai Branch 

• CJSC Alfa-Bank 

• OJSC Sber Bank 

• VTB Bank (Belarus) 

• VTB Bank (Kazakhstan) 

Additional non-financial entities (Annex XIX, Part C): 

• Blackford Corporation Limited 

• Fuel and Oil Dynamics FZE 

These entities are prohibited from transacting with EU persons under the expanded framework, which now explicitly targets facilitators of sanctions evasion and Russia’s war efforts.  

Professional services and technology restrictions for Russian entities 

The package also introduces authorization requirements and outright prohibitions on certain professional services provided to the Government of Russia or Russian legal persons. This includes: 

• Accounting and auditing 

• IT consultancy 

• Enterprise-management software (ERP, SCM, BI, EDW systems) 

• Industrial design and manufacturing software 

• Banking and financial-sector regulatory/reporting software 

For CASPs offering B2B SaaS tools or consulting services, these restrictions may apply indirectly if your platforms are used by entities subject to the prohibitions.  

What EU regulators will monitor for CASP sanctions compliance 

EU member state authorities are expected to intensify enforcement in three key areas: 

1. Pre-existing relationships

Did you identify and exit prohibited relationships before the effective date, or did you wait for regulatory action? 

2. Transactional evidence

Can you demonstrate that blocked transactions were caught by monitoring systems, not discovered post-hoc during audits? 

3. Documentation trails

Are your compliance decisions backed by contemporaneous risk assessments, or are they being reconstructed after the fact? 

Early action and clear documentation are not just best practices—they are your primary defense in enforcement scenarios. 

How Crystal’s blockchain intelligence supports CASP compliance 

Crystal’s blockchain intelligence platform is built for exactly this kind of regulatory pivot. Our tools enable CASPs to move from reactive compliance to intelligence-led enforcement: 

Exposure scanning 

Identify Payeer-linked wallets, Russia-nexus entities, and sanctioned counterparties across your transaction history. Crystal’s clustering and attribution models reveal hidden links that traditional screening misses. 

Real-time monitoring 

Tune alert logic to flag CASP-specific prohibitions, including service-type violations and geo-based restrictions. Our risk scoring adapts to regulatory updates, ensuring your systems stay aligned with evolving sanctions. 

Investigative workflows 

Visualize transactional clusters, trace fund origins, and generate evidence packages for internal escalations or regulatory submissions. Crystal provides the context compliance teams need to act decisively. 

Proactive intelligence 

When Crystal identifies emerging threats—like our early Payeer classification—we push updates to clients immediately, giving you a head start on compliance preparation.  

Your 30-day CASP compliance checklist for the November 25 deadline 

If you’re a CASP operating in or serving EU markets, here’s your compliance checklist for the next 30 days: 

Week 1 (Now – November 8): 

• Run exposure scans for Payeer and Russia-nexus entities 

• Review recent onboarding decisions and flag affected accounts 

• Notify internal stakeholders (legal, ops, exec team) of new obligations 

Week 2 (November 9 – 15): 

• Update sanctions screening rules to reflect CASP-specific prohibitions 

• Add Payeer to high-risk blocklists across all systems 

• Implement geo- and person-based controls for Russian nationals/residents 

Week 3 (November 16 – 22): 

• Begin offboarding prohibited relationships with structured timelines 

• Prepare customer notifications and finalize exit scripts 

• Document all compliance decisions and create audit-ready evidence files 

Week 4 (November 23 – 25): 

• Conduct final pre-deadline review of flagged accounts 

• Ensure monitoring systems are live and alert logic is tuned 

• Schedule post-implementation audit with compliance leadership 

Post-November 25: 

• Monitor for attempted circumvention (e.g., proxy accounts, nested services) 

• Maintain enhanced due diligence on high-risk jurisdictions 

• Stay alert for further EU sanctions updates and Crystal intelligence briefs

The CASP compliance imperative for 2025 and beyond 

The 19th sanctions package is not an isolated event. It reflects a broader EU strategy to close loopholes in digital asset enforcement and hold CASPs to the same AML/CFT standards as traditional financial institutions. 

For compliance teams, the message is clear: the days of reactive sanctions compliance are over. Regulators expect proactive risk identification, timely terminations, and evidence-backed decision-making. CASPs that treat sanctions as a checkbox exercise will find themselves exposed—not just to penalties, but to reputational damage and operational disruption. 

Crystal exists to help you stay ahead. Our intelligence-led approach gives you the visibility, tools, and early warnings you need to navigate complex regulatory environments with confidence. 

 

Legal references: 

• Council Decision (CFSP) 2025/2032 

• Council Regulation (EU) 2025/2033 

• Regulation (EU) 2023/1114 (Markets in Crypto-Assets Regulation) 

Effective dates: 

• November 12, 2025: Part C entities (Blackford Corporation, Fuel and Oil Dynamics FZE) 

• November 25, 2025: Payeer and Tajikistan-based banks (Part A) 

• January 18, 2026: Ownership/control restrictions on Russian nationals in EU CASPs 

 

Crystal Intelligence provides blockchain analytics and compliance solutions for crypto asset service providers, exchanges, financial institutions, and law enforcement agencies. Our platform combines transaction tracing, risk profiling, and sanctions intelligence to help clients navigate evolving regulatory frameworks with confidence.