The European Union regulation on the regulation of crypto-assets was published in the official Journal of the EU on 9 June 2023 and entered into force on 29 June 2023. Parts of the provisions relating to Asset referenced tokens (ART) and E-money tokens (EMT) will apply from 30 June 2024. The remaining provisions, including those relating to Crypto Assets Service Providers (hereinafter – CASP), will begin to apply on December 30, 2024.
In the previous article, we took a detailed look at MiCA, finding out what classes of tokens the legislator has introduced, what the requirements are for issuing tokens and allowing them to be traded. We broke down what must be in the white paper and how tokens are prohibited. We also briefly touched on the topic of Service Providers. We have described kinds of activities and requirements for them. In this article, we will go deeper into the topic of Service Providers, discuss in detail the requirements for them, the procedure and terms of obtaining licenses for the provision of services related to crypto-assets, as well as briefly touch on how this license can be revoked.
At the outset we shall make a short digression. The requirements for Providers are described in great detail. We deliberately leave out all the details in this article, focusing only on the most important aspects. Also, the requirements are divided into general requirements for all providers and specific requirements for providers of certain services. We will focus on the first one, and only briefly go over the requirements for individual types of services.
At the very beginning the Regulation makes a division of persons who receive a licence into two types. This is discussed in more detail in the next section.
The first type is legal entities that already have financial licences and are supervised by the relevant financial authorities in their countries. For example banks, investment companies, depositories, electronic money institution (EMI) and so on. What distinguishes them is that they comply a priori with high standards of reliability, reporting, and including standards of combating money laundering and terrorist financing. Accordingly, the legislator has initially simplified their requirements for obtaining a licence, quite narrowing the number of documents required.
Also, for each type of licence, the regulations make reference to other regulations that regulate these entities but in the traditional financial world and require them to apply the same standards to crypto-assets. For example, a financial institution that holds and administers traditional financial instruments is required to apply the same standards and practices to crypto-assets. Thus, the legislator has initially simplified the life of financial institutions significantly, making them obvious contenders to receive such licences first.
The second type, are all other legal entities that plan to obtain licences from scratch. A rather detailed and extensive list of documents and information is prescribed for them, which they have to submit to the regulator.
We will not dwell in detail on the first type, we will only briefly describe the list of documents for them. Then we will go straight to the second type.
The following requirements have been established and must be provided:
(a) a programme of activities defining the types of crypto-asset services that the applying Crypto-asset Service Provider intends to provide, including where and how those services will be sold;
(b) description:
(i) internal controls, policies and procedures to ensure compliance with AML legislation
(ii) risk assessment systems to manage money laundering and terrorist financing risks; and
(iii) a business continuity plan;
(iv) technical documentation on information systems and security measures and their description in non-technical language;
(v) a description of the procedure for segregation of crypto-assets and customer funds;
These are general requirements. Next are the requirements for the specific types of services that the Provider plans to provide. The common denominator here is the requirement to have a specific policy written for the specific type of activity. For example, if the Provider wants to implement portfolio management or consulting activities, he has to prove that his management has relevant knowledge in this area. And so for each type of service. We will not go into detail here, let’s move on to the most interesting part: how to obtain a licence from scratch.
An application for a licence must be made to the Financial Markets Authority in the jurisdiction in which you wish to operate. In the EU, a company registered in one jurisdiction has the right to operate in any EU jurisdiction, but before commencing such activities you will need to notify the competent authority of the other jurisdiction of your intention to do so.
Your application must contain the following information:
(a) the name, including the legal name and any other business name used, the legal entity identifier of the Service Provider, the website operated by that Service Provider, the contact email address, the contact phone number and its physical address;
(b) the legal form of the CASP;
(c) the statutes of the CASP, if applicable;
(d) a programme of activities defining the types of crypto-asset services that the applicant CASP intends to provide, including where and how those services will be marketed;
(e) proof that the applying CASP meets the prudential requirements. These are discussed below;
(f) a description of the governance arrangements of the CASP;
(g) proof that the members of the governing body of the applying CASP are of sufficient standing and have the relevant knowledge, skills and experience to govern;
(h) the identity of any shareholders and members, direct or indirect, who hold interests in the CASP and the amounts of those interests, and evidence that those persons are in sufficient good standing;
(i) a description of the CASP’s internal controls, policies and procedures for the identification, assessment and management of risks, including money laundering and terrorist financing risks, and a business continuity plan;
(j) technical documentation of information systems and security measures and their description in non-technical language;
(k) a description of the procedure for segregation of crypto-assets and customer funds;
(l) a description of the CASP’s complaints procedures,
(m) the type of crypto-asset to which the service relates.
There are separate requirements for each type of service for which a licence is obtained:
Type of service | Requirement | |
1. | Providing storage and administration services for crypto-assets on behalf of the client | a description of the storage and administration policy; |
2. | Marketplace management | a description of the rules of the trading platform as well as the procedures and systems for identifying market abuse; |
3. | Exchanging crypto-assets for funds or other crypto-assets | a description of the commercial policy, which shall be non-discriminatory, governing customer relationships, and a description of the methodology for determining the price of crypto-assets that the CASP offers to exchange for funds or other crypto-assets; |
5. | Execution of orders with crypto-assets on behalf of the client | a description of the enforcement policy; |
8. | Providing advice on crypto-assets or providing portfolio management services for crypto-assets | proof that the individuals giving advice on behalf of the CASP or managing portfolios on behalf of the CASP applicant have the necessary knowledge and experience to fulfill their obligations; |
10. | Providing crypto-asset transfer services for the benefit of clients | information on how such transfer services will be provided; |
Also, for each type of licence, the legislator has established minimum capital requirements to be maintained. The general requirement is as follows.
The service provider must at all times have prudential guarantees (minimum capital) equal to the sum of at least the greater of the following:
How do you calculate the overhead for (b) for the previous year if you are operating the first? One of the requirements of the information you submit is your project for the first 12 months. This project includes the costs you plan to incur.
We then provide a table showing the minimum capital requirements for each licence:
Class of service | Types of services | Capital requirements, minimum |
Class 1 |
| EUR 50 000 |
Class 2 |
| EUR 125 000 |
Class 3 |
| EUR 150 000 |
The general time limits for the examination of the application are as follows:
(a) within 25 working days from the receipt of the application, the approved body shall consider the sufficiency of the information submitted;
(b) if the application has all the necessary information, the approved body shall notify the applicant;
(c) after notification, the approved body has 40 days to consider and shall issue a reasoned decision to grant or refuse to grant the license at the expiration of the period.
The notified body may refuse to issue a licence on the following grounds:
(a) the management body of the Service Provider poses a threat to its efficient, reasonable and prudent management and business continuity as well as to the adequate consideration of its customers and market integrity, or exposes the Service Provider to a serious risk of money laundering or terrorist financing;
(b) the members of the management body of the Service Provider do not meet the criteria laid down in these Regulations, namely that they do not have sufficient experience and skills to provide the services for which they are being licensed;
(c) shareholders or members, direct or indirect, who have qualifying interests in the applicant CASP do not meet the criteria for good standing;
(d) the applicant CASP fails or may fail to comply with any of the requirements discussed above.
If the licensing authority has no grounds for refusing to grant the licence, it makes a positive decision and the Service Provider may begin to provide the services for which it has been authorised.
A service provider must comply with a number of requirements that relate to the conduct of business, communication with customers and disclosure of information regarding its activities. We will not disclose the entire list of requirements in this article, as it is quite lengthy. We will only point out what we consider to be the most important ones.
With the entry into force of the Regulation, new horizons are opening up for the crypto-asset business. From now on, crypto-assets are recognised as a type of asset that can be held, exchanged and around which a full-fledged service market can now be built.
This Regulation also sets out detailed requirements for the operation of the Service Providers. The Regulation requires ESMA (the financial market regulator) and EBA (the banking sector regulator) to develop detailed forms and requirements for the information that must be specified when submitting an application. They have until 30 June 2024 to do so. In practice it is possible that ESMA and EBA will do it much quicker than a year. In any case, we now have a clear and transparent framework for CASP as well as the definition of crypto-assets themselves.