Bulgaria • AML registration • MiCA transition

Bulgaria | AML Authorization & MiCA Transition

Full country note • FID/SANS supervision • Styled for CryptoWisely

Overview

Bulgaria has historically approached crypto supervision through an AML/CFT registration model rather than a full financial-services license. In practice, crypto-related service providers register with the Financial Intelligence Directorate (FID) under the State Agency for National Security (SANS), focusing on AML controls, KYC, record-keeping, and reporting.

This creates a cost-efficient entry route for early-stage operations—while the EU-wide MiCA regime is expected to shift the market toward a formal CASP authorization standard during 2025–2026.

Supervisory Authority

  • Authority: Financial Intelligence Directorate (FID), under SANS
  • Primary focus: AML/CFT supervision, risk controls, monitoring, and reporting
  • Legal basis (high-level):
    • Law on Measures Against Money Laundering
    • Law on Measures Against the Financing of Terrorism
    • Implementing rules and relevant government decrees

Covered / Typical Activities

  • Exchange services (crypto–crypto and/or crypto–fiat), depending on declared scope
  • Custody and wallet-related services (where applicable)
  • Ancillary crypto services linked to onboarding, transfers, and operational support

Legal tender: Crypto assets are not legal tender in Bulgaria.

Corporate & Structural Requirements

  • Company type: OOD (limited liability company)
  • Minimum share capital: 2 BGN (nominal)
  • Residency: Typically no strict residency requirement for shareholders/directors (case-by-case for banking)
  • Registered address: Required in Bulgaria
  • AML roles: Even if a “local AML officer” is not strictly mandated, a clear internal AML ownership model is expected (responsible person, escalation, approvals, and reporting line)

Authorization Process & Timeline (Indicative)

Stage 1 — Company Incorporation

  • Form OOD and register a Bulgarian legal address
  • Prepare UBO structure and corporate documents
  • Align declared activities with operational reality (exchange, custody, etc.)

Stage 2 — AML Registration / Filing

  • Submit AML/CFT policies, KYC procedures, and risk assessment methodology
  • Define transaction monitoring, sanctions screening, and STR workflow
  • File with SANS/FID for registration (and address any follow-up questions)

Stage 3 — Banking / EMI Account

  • Complete KYB, governance checks, and proof-of-process review
  • Demonstrate client asset flow mapping, source-of-funds logic, and controls

Typical end-to-end duration: Often ~2–3 months depending on documentation quality and banking/EMI onboarding speed.

Minimum Operational Expectations

  • Bulgarian entity and legal address
  • Risk-based AML program (CDD/EDD logic, monitoring, record-keeping)
  • Suspicious activity reporting workflow and governance ownership
  • Documented onboarding, sanctions/PEP screening, and escalation rules

Scope & Limitations

  • Works well for: Lean market entry, pilot operations, internal/proprietary activity, early exchange/custody setups (subject to bankability)
  • May require additional licensing for: Payment services, e-money, securities/investment services, funds, derivatives, and public offerings
  • Key limitation: AML registration does not automatically equal “MiCA-ready” governance, ICT, and safeguarding standards

Taxation (High-level)

  • Corporate income tax: 10%
  • Dividend withholding: commonly cited 5% (often 0% for certain EU/EEA cases subject to conditions)
  • VAT: treatment for crypto-related services can be fact-pattern dependent; validate exemption logic with advisors

Compliance Obligations

  • Customer due diligence (CDD/EDD) triggered by risk and thresholds (commonly referenced around €15,000 depending on activity type)
  • Record-keeping, retention, and data protection alignment
  • Periodic risk assessments and internal controls testing
  • Suspicious transaction reporting to FID/SANS

Sanctions & Enforcement (Conceptual)

  • Registration revocation or operational restrictions for serious violations
  • Administrative fines (range depends on breach type and severity)
  • Escalation to management liability in repeated or severe cases

MiCA Integration

MiCA introduces a unified CASP authorization regime across the EU, including defined service categories, capital requirements, safeguarding rules, governance expectations, and ICT risk controls. As Bulgaria aligns to MiCA, crypto businesses operating under an AML registration approach should plan for:

  • Capital thresholds: Typically €50k–€150k depending on CASP class
  • Governance uplift: fit-and-proper management, risk/compliance ownership, outsourcing controls
  • ICT & security: incident management, BCP/DR, and operational resilience standards
  • Safeguarding: client asset segregation, reconciliations, disclosures, and controls

Practical takeaway: Treat today’s AML registration as a bridge, not the end state—build MiCA-grade policies early to avoid a disruptive migration.

CryptoWisely.io Commentary

Bulgaria is one of the EU’s most cost-efficient early-entry setups for crypto teams that need legal presence and AML-grounded operations fast.

Advantages: Low corporate friction, 10% corporate tax, and a straightforward AML registration logic.
Limitations: The AML model is not a full MiCA authorization—serious EU scaling still requires MiCA-grade governance, ICT, and safeguarding readiness.

CryptoWisely insight: Start lean under the AML regime, but build your “MiCA package” in parallel (ops manual, safeguarding map, ICT controls). That’s how Bulgaria becomes a strategic EU foothold rather than a short-term workaround.

Disclaimer: Informational only and not legal/tax advice. Always verify current SANS/FID expectations and the latest EU MiCA implementation guidance before proceeding.