Licensing for CASPs According to MiCA and ESMA

With the advent of the European Union’s Markets in Crypto Assets Regulation (MiCA) this year, it is important for crypto-asset firms to gain a better understanding of the day-to-day compliance needs that will arise from MiCA.

The following insights are useful to crypto-asset issuers, crypto-asset service providers (CASPs), and financial entities dealing with crypto-assets, as well as all stakeholders that have an interest in crypto assets.

The European Securities and Markets Authority (ESMA) has been empowered to develop technical standards and guidelines specifying certain provisions concerning MiCA.

To date, ESMA has produced consultation papers designed to collect views, comments, and opinions from stakeholders and market participants on the appropriate implementation of MiCA. Such publications provide an early insight into expectations that will impact the compliance functions for crypto-asset firms. This is useful for those firms that have yet to secure regulatory licences and are assessing the road ahead.

Key regulatory provisions for those issuing and trading crypto-assets cover areas such as transparency, disclosure, consumer protection, reporting obligations, surveillance and a range of other requirements that feed into business-as-usual compliance.

MiCA requires ESMA to develop Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which are essential contributions for maximising harmonisation across the EU while minimising regulatory arbitrage. MiCA includes a significant number of RTS and ITS as well as other guidelines that, together, support the legislative text and are the best source for signposting firms towards what good compliance will look like.

Getting Authorised:

According to MiCA's Article 3(1)(15), a CASP is a “legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis and that is allowed to provide crypto-assets services[…].”

The mentioned crypto-asset services include providing custody and administration of crypto-assets, operating a trading platform for crypto-assets, and exchanging crypto-assets for funds or other crypto-assets. Moreover, it includes providing advice on crypto-assets or providing portfolio management on crypto-assets. 

Applications to EU national competent authorities (NCAs) for a CASP licence require a number of compliance-related considerations. Firms are advised to perform an assessment not just against MiCA but on their offered crypto-assets themselves. 

This is key to ascertaining which regulation applies, as some may qualify as financial instruments falling within the scope of the Markets in Financial Instruments Directive (MiFID II), which currently impacts capital and wholesale market firms.

After properly assessing which regulations apply, CASPs should ensure the completeness of an application to the NCA.

Completeness will stem from demonstrating a detailed grasp of compliance across a number of deep technical areas.

Necessary Compliance Domains:

The areas covered by MiCA that compliance teams must consider include:

1. Complaint Handling Procedures.

2. Management and prevention of Conflicts of Interest.

3. Building of a Financial Crime Framework, including a description of internal control mechanisms relating to anti-money laundering and counter-terrorist financing obligations.

4. Safeguarding, which includes procedures for the segregation of clients’ crypto-assets and funds.

5. Custody and Administration.

6. Documentation of Information and Communication Technology (ICT) systems and security arrangements.

7. Explaining what your programme of operations is. This includes setting out the types of crypto-asset services you intend to provide, including where and how those services will be marketed.

This is not an exhaustive list. 

The role of compliance will extend beyond initial assessments of regulatory perimeters into policy building, training, procedures, monitoring, reporting and management. It takes an experienced professional to ensure all areas remain compliant and no one domain is undernourished.

MiCA provides that “entities that already have a license to provide financial services and that already went through the authorisation process with the NCA of their home Member State (such as investment firms, credit institutions, etc.), do not need to go through the entire authorisation process again”. 

Germany, France, and the Netherlands, among other jurisdictions, have already published or are drafting their transitioning legislation, demonstrating movement in the right direction but creating uncertainty across the Union for crypto-asset issuers and CASPs. Many CASPs have been left wondering what this means for their businesses or what changes they can expect to see in the near future. 

To aid CASPs transitioning from the country’s existing regulations to the bloc-wide enforcement of MiCA, 21 Analytics and KPMG Germany, for example, recently published an overview of the upcoming changes in Germany’s adoption of the Travel Rule, which follows the European Union-wide Transfer of Funds Regulation (TFR).

“MiCA is an important first step towards the regulation of cryptoasset services and their providers,” German crypto regulator BaFin told CoinDesk in a written statement.

Although the 2 frameworks go hand in hand, it is important to note that MiCA differs from the TFR. MiCA forms part of a holistic regulatory framework that regulates centralised entities such as CASPs and stablecoin issuers. It is part of the broader EU Digital Finance framework, which references several other frameworks, while the Transfer of Funds Regulation (TFR), the EU’s implementation of the Travel Rule, constitutes the AML package.