EU creates regulatory framework for crypto-asset service providers

The EU regulation on markets in crypto-assets (MiCAR) sets down a harmonised regulatory framework for service providers, known as crypto-asset service providers (CASPs), carrying out activities in relation to crypto-assets falling within the regulation's scope. Under MiCAR, CASPs are subject to authorisation requirements and supervision by relevant national authorities. Furthermore, CASPs are bound by prudential and organisational requirements along with the obligation to abide by rules of conduct in the provision of their services. This regulatory framework ensures not only the protection of customers but also a level playing field among service providers. The following article briefly summarises these requirements.

Authorisation requirements

The long-awaited crypto licensing obligation

MiCAR introduces a harmonised and uniform licensing process for CASPs, facilitating the pursuit of crypto business on a EU level and putting an end to disparities between national regimes.

More specifically, the following service providers will be subject to authorisation requirements:

• Custody services providers, which safekeep or control the client’s crypto-assets or the means of access to them (e.g. private keys).
• Trading platforms operators, which manage a multilateral system that facilitates the bringing together of buying and selling interests for crypto-assets.
• Exchange services providers, which conclude purchase/sale contracts concerning crypto-assets against funds or other crypto-assets by using proprietary capital.
• Broker-dealers, which conclude agreements to buy/sell or subscribe crypto-assets on behalf of clients. Broker-dealers can also receive an order from the client to buy/sell or subscribe crypto-assets and transmit this order to a third party for execution.
• Placers, which market crypto-assets for purchase, on behalf of or for the account of the offeror or of a party related to the offeror.
• Transfer providers, which transfer, on behalf of a client, crypto-assets from one distributed ledger address or account to another.
• Advisors, which provide personalised recommendations to a client for transactions relating to crypto-assets, or the use of crypto-asset services.
• Portfolio managers, which manage portfolios in accordance with mandates given by clients on a discretionary basis where such portfolios include crypto-assets.

The process for obtaining an authorisation is detailed under MiCAR, including the checklist of information and attachments to be provided. As part of the application process, information relating to the legal form of the entity, a description of the internal governance framework, programme of operations, identity of shareholders, etc. will need to be communicated to the relevant competent authority. Upon receiving a complete application file, the relevant competent authority has a period of assessment during which it will examine the request, prior to granting (or refusing) the authorisation.

Authorisation upon notification for (already) authorised entities

The European legislator foresees a simplified authorisation procedure for certain regulated entities, including investment firms, credit institutions and e-money institutions, wishing to add crypto-asset services to their existing services portfolio. Regulated entities will be able to extend their authorisation onto MiCAR services upon a notification to be submitted to the local regulator at least 40 working days before the intended start of the provision of crypto-asset services. 

Reverse solicitation

MiCAR explicitly recognises the concept of reverse solicitation in relation to crypto-asset services, similarly to the equivalent provision under Directive 2014/65/EC of 15 May 2014 on markets in financial instruments (MiFID II). More specifically, if a client based in the EU initiates at its own exclusive initiative the provision of a crypto-asset service or activity by a third‐country firm, the authorisation requirement under MiCAR will not apply to the provision of that crypto-asset service or activity, including a relationship specifically relating to the provision of that crypto-asset service or activity. A client’s own exclusive initiative does not, however, allow the marketing of new types of crypto-assets or crypto-asset services to that client.

Passport

Once a CASP has obtained authorisation to provide crypto-asset services in a member state, it may passport such authorisation in another EU member state. It will thus be authorised to provide its services throughout the EU, either through the right of establishment (branch) or the freedom to provide services (i.e. cross-border provision of services). Bearing in mind that many CASPs operate digitally, by way of platforms and service clients established throughout the EU, being able to rely on the EU passport is a definite advantage introduced by MiCAR.

Obligations for CASPs

Once authorised, CASPs are subject to prudential and organisational requirements as well as rules of conduct, similar to the requirements applicable to investment firms under MiFID II. 

Prudential and organisational requirements

Similar to other types of entities in the financial sector, CASPs will be bound by prudential and organisational requirements. These requirements are both general (i.e. applying to all types of CASPs) and specific, depending on the service provided.

In relation to the general requirements, CASPs are required to have prudential safeguards equal to an amount of at least the higher of either (i) the amount permanent minimum capital requirements, depending on the type of the crypto-asset services provided; or (ii) one quarter of the fixed overheads of the preceding year, reviewed annually. These safeguards may take the form of either the CASP's own funds or an insurance policy.

Furthermore, CASPs must have adequate governance arrangements with effective policies and procedures (e.g. business continuity, complaint handling, management of conflicts of interest, outsourcing) and employees, which have the knowledge, skills and expertise necessary to carry out their tasks. CASPs must ensure the continuity and regularity in the performance of their services. CASPs are also bound by record-keeping obligations.

In relation to specific requirements, for example, CASPs that hold crypto-assets belonging to clients or the means to access such crypt-assets are required to make adequate arrangements to safeguard the ownership rights of clients and to prevent the use of clients’ crypto-asses for their own account.  

Rules of conduct

CASPs are required to act honestly, fairly and professionally in accordance with the best interests of their clients and prospective clients. Information provided must be fair, clear and not misleading and marketing communications must be identified as such. Warnings regarding risks associated with transactions in crypto-assets must be communicated. Certain information must be publicly available (e.g. policies on pricing, costs and fees).

Conclusion

There is already a strong interest in the market for the regulatory regime available to CASPs under MiCAR. While waiting for the application of the regulation's provisions, relevant players can adapt their business models to the new requirements set out under MiCAR. We would expect that this new regulatory framework (alongside the DLT pilot regime and other relevant texts) marks a new era for crypto-asset service providers.

For more information and legal support, contact your usual CMS professional or CMS experts who worked on this article: Aurelia Viémont, Ricardo Plasencia, Raquel Garcia Lobato, Lucía Escauriaza Medina, Tihana Balagović, Katarzyna Biszczanik, Sarah Hantscher or send an email to crypto@cmslegal.com. 

For other articles in the series “Legal experts on Markets in Crypto-Assets (MiCA) regulation”, click here: Legal experts on Markets in Crypto-Assets (MiCA) regulation (cms.law)

For more information on crypto regulation before the introduction of MiCA, visit CMS Expert Guide to European Crypto Regulation.

Go back to main page