EU 20th Sanctions Package May 24 — The CASP Technical Checklist

The 20th package consists of three core instruments:

- **Council Regulation (EU) 2026/506** — amends Regulation 833/2014 (sectoral measures). Adds Articles 5ba (asset-level ban via Annex LIII) and 5bb (sectoral CASP ban). Parallel Belarus measures via Article 1zf of Regulation 765/2006. - **Council Implementing Regulation (EU) 2026/509** — amends Regulation 269/2014 (individual designations). Adds twenty Russian credit institutions to Annex XIV plus third-country banks in Kyrgyzstan, Azerbaijan, and Laos. Adds four payment agents to Annex XLV Part D. Lists TengriCoin / Meer.kg. - **Council Regulation (EU) 2026/511** — amends Regulation 269/2014 (asset freeze framework).

Sectoral measures took effect April 24, 2026 (the day after OJ publication). Banking provisions took effect May 14, 2026. The crypto-specific provisions take effect May 24, 2026 — the window you are reading this in.

Annex LIII enumerates the crypto-assets a CASP may not process. Currently:

1. **A7A5** — banned since November 25, 2025 (added in the 19th package). Old Vector LLC, the Kyrgyz issuer, was designated in August 2025. A7A5 contracts: Ethereum `0x6fA0BE17e4beA2fCfA22ef89BF8ac9aab0AB0fc9`, with the bulk (per Elliptic, ~99% of supply) circulating on TRON. 2. **RUBx** — banned from May 24, 2026. Rostec-issued, TRON-based ruble stablecoin announced July 2025 alongside the RT-Pay platform. 3. **Russian digital ruble (CBDC)** — banned from May 24, 2026. Planned national rollout September 2026. 4. **Belarusian digital ruble (CBDC)** — banned from May 24, 2026. Listed pre-emptively before public launch.

For CASPs, the practical implication is that the screening list now requires cross-chain symbol and contract-address matching. A wrapped variant of A7A5 (the wA7A5 contract `0x0d57436f2d39c0664c6f0f2e349229483f87ea38` is documented on Etherscan) falls within the prohibition by the anti-circumvention reading. Sanctions teams that screen only by symbol miss wrapped variants and bridge-side derivatives.

This is the architectural shift. Earlier packages designated individual exchanges (Garantex in 2022, then re-designated; Grinex, Old Vector LLC, A7 LLC, Payeer in 2025). The 20th package introduces a blanket prohibition: EU CASPs may not transact with **any** crypto-asset service provider established in Russia, or in Belarus (via Article 1zf), regardless of whether that provider is individually named.

This kills the whack-a-mole pattern of the past three years. Garantex shut down, Grinex stood up, Grinex was sanctioned, TokenSpot stood up. Every successor required a new individual designation cycle that took six to twelve months. Article 5bb removes that cycle for Russia and Belarus jurisdictions specifically.

The hard part is the test. "Established in Russia" is not the same as "uses a .ru domain" or "has a Russian-language interface." The European Commission has not yet published an operational-nexus methodology, but the working consensus from law firms (Skadden, Morgan Lewis, Crowell & Moring, Mayer Brown, Greenberg Traurig) is a combination of:

- Place of incorporation - Principal place of business - Beneficial-ownership majority by Russian/Belarusian persons or entities - Key-management location - Infrastructure footprint

A CASP that is incorporated in Kyrgyzstan, operates from a Bishkek office, has Russian beneficial owners, and routes its order book through a Russian exchange operator can plausibly be "established in Russia" under the test. The first practical application is TengriCoin / Meer.kg, the Kyrgyz-licensed venue covered in the next section.

Exemptions from the sectoral ban are narrow: EU diplomatic missions, and EU nationals who were Russian residents before February 24, 2022.

The 20th package's first individual crypto-platform designation is **CJSC TengriCoin**, operator of the Meer.kg trading platform.

The entity is Kyrgyz, not Paraguayan as some earlier press reporting suggested. Registered address: 77/1, Tunguch Microdistrict, Oktyabrsky District, Bishkek 720000. Registration number 311490-3301-ZAO. Tax ID 01312202410095. Incorporated December 13, 2024. Licensed by the Kyrgyz Financial Supervisory Authority since December 31, 2024.

Meer.kg trades A7A5 against ruble and other instruments. The platform is the first practical use of the EU's country-level **anti-circumvention tool** — a mechanism that lets the Council apply sanctions designations even when the targeted entity is incorporated in a third country, provided the third country has been formally identified as a circumvention jurisdiction.

Kyrgyzstan is the first third country so identified. The implication for compliance teams is that screening must extend to third-country platforms with operational nexus to Russia, not just to Russia-domiciled platforms.

Annex XLV Part D, effective May 14, 2026, names four payment agents:

1. **Arneis** 2. **Asia Import Group** 3. **GPAgent** 4. **Platejka**

These are not crypto exchanges. They are settlement and netting operators that move Russian trade flows across mirror accounts without funds crossing the Russian border. The mechanism is logistically simple: a Russian counterparty pays one of these operators in rubles inside Russia; the operator instructs a partner account outside Russia to pay the Russian counterparty's foreign supplier in dollars, euros, or stablecoins. No direct cross-border transfer occurs; the books are reconciled internally.

The prohibition is mechanism-based. The Commission has signalled that additional payment agents will be designated as they are identified. The four named are the seed of a category, not the exhaustive list.

CASPs handling stablecoin flows should add the four names plus known alternative spellings and corporate variants to their screening pipeline. Sanctuary maintains these as discrete intelligence flags with category `russian_settlement_agent`.

What an EU CASP must do, in order, by May 24:

**1. Block all transactions involving Annex LIII assets.** A7A5, RUBx, Russian digital ruble, Belarusian digital ruble. Cover symbol-level and contract-address-level matching across all supported chains and across wrapped variants. If a customer attempts to deposit, withdraw, or trade any of these assets, the transaction must be rejected and a record kept.

**2. Identify CASPs "established in Russia" and block all transactions with them.** This requires beneficial-ownership data and operational-nexus assessment, not just sanctions-list matching. The screening tooling must operate on entity attribution, not just address attribution. Sanctuary's entity graph is the layer that does this; equivalent tooling exists at Chainalysis (KYT entity attribution), TRM (CASP intelligence), and Elliptic (Lens).

**3. Block transactions with the four named payment agents.** Arneis, Asia Import Group, GPAgent, Platejka. Maintain the list as live screening, with provisions for additions.

**4. Apply enhanced due diligence on Central Asia and Caucasus corridors.** The Commission's stated expectation. CASPs receiving flows from Kyrgyzstan, Kazakhstan, Uzbekistan, Tajikistan, Armenia, Georgia, or Azerbaijan must apply higher scrutiny on counterparty identity and source-of-funds documentation than they would on flows from low-risk corridors.

**5. Wind down existing contracts in the May 13 to May 24 window.** Contracts that include Russian or Belarusian CASP counterparties, or that reference Annex LIII assets, must be terminated. Operational frictions — last-minute redemptions, asset withdrawals, account closures — must be handled with audit-quality records. AML controls do not relax during wind-down; if anything, the volume creates more opportunities for layering.

**6. Maintain evidence of the screening decision per transaction.** Member-state competent authorities have indicated they will request transaction-level documentation in early enforcement actions. A spreadsheet of "we screen our flows" is not enough; per-transaction records showing screening hit/no-hit, decision, and timestamp are the floor.

Enforcement will not arrive uniformly. Eighteen member states received Commission infringement procedures in July 2025 for late transposition of Directive 2024/1226. National authorities that did transpose on time and have active enforcement capacity — Germany (BaFin), France (AMF + Tracfin), Netherlands (AFM), Lithuania, Estonia — are the early-action candidates.

BaFin is already operating a "name-and-warn" tool against unauthorized CASPs serving German clients. AMF named Binance among ninety unlicensed firms operating in France in early 2026. Both authorities will likely use the 20th package to expand scope. Lithuania declared a "war on unlicensed crypto firms" earlier in 2026 and has the political appetite for visible action.

Smaller jurisdictions — Malta, Cyprus, Luxembourg — have historically been more permissive but are under ESMA peer-review pressure, in Malta's case acutely (the July 2025 fast-track peer review censured the Malta authorisation of a major CASP for insufficient AML/CFT controls).

If you operate a CASP outside the EU but serve EU customers — Binance, OKX, KuCoin, MEXC, Bitget — the 20th package does not directly bind you, but the indirect effects are significant. EU-authorized CASPs must avoid transacting with Russia-established CASPs, and the test will increasingly extend to "CASPs with material Russian exposure" — flows to and from Russia-domiciled customers, ruble-corridor liquidity, and Russia-adjacent payment agents.

Non-EU CASPs that want to maintain EU correspondent relationships or be referenceable as compliant counterparties for EU institutional flows must demonstrate equivalent screening. The market read is that 2026 will see a sorting between "CASPs willing to maintain EU-grade Russia screening" and "CASPs that accept the loss of EU market access in exchange for Russian flow."

Sanctuary's screening already covers A7A5 since November 25, 2025. RUBx and the Russian and Belarusian digital rubles are added as discrete flags effective May 24, 2026. The four payment agents are added as entity flags under category `russian_settlement_agent`. "Established in Russia" CASP attribution is handled through the entity-attribution layer, with operational-nexus signals from infrastructure, beneficial ownership, and on-chain liquidity pattern data.

For a regulated EU CASP integrating Sanctuary, the operational hook is direct: the API returns a screen result per address that surfaces the Annex LIII asset exposure, the entity-class match, the payment-agent counterparty exposure, and the corridor risk score in a single response. No additional logic is required at the integration layer beyond reading the response.

The 20th package converts whack-a-mole into category enforcement. The compliance question is no longer "which exchange got named this week." It is "what is the entity behind this counterparty, and where is it established?"

The deadline is May 24. The window to wind down is now. If your screening pipeline does not surface entity attribution and operational nexus today, it will not surface them on May 24 either. Audit the pipeline first.