On 9 June 2023, Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA) was published in the Official Journal of the European Union and became law after a legislative review process which lasted almost two and a half years. MiCA is the first European-level legislation introducing a harmonised and comprehensive framework for crypto-assets, covering issues from the offering to the public of crypto-assets and their admission to trading, through to the provision of services in crypto-assets to preventing market abuse in crypto-asset markets. The legislation provides a set of prescriptive rules that will shape the functioning of the European markets in crypto-assets, including the relevant transparency rules, authorisation requirements, customer protection rules and anti-market abuse framework. In this note we aim to provide a comprehensive overview of MiCA’s rules governing the provision of services in crypto-assets.
Who is this note relevant to?
This note is relevant to providers of services in crypto-assets that are not products regulated under other pieces of European financial services law, for example financial instruments within the meaning of the Markets in Financial Instruments Directive II (MiFID II). The types of services in crypto-assets regulated by MiCA include:
- providing custody and administration of crypto-assets on behalf of clients;
- operation of a trading platform for crypto-assets;
- exchange of crypto-assets for funds;
- exchange of crypto-assets for other crypto-assets;
- execution of orders for crypto-assets on behalf of clients;
- placing of crypto-assets;
- reception and transmission of orders for crypto-assets on behalf of clients;
- providing advice on crypto-assets;
- providing portfolio management on crypto-assets; and
- providing transfer services for crypto-assets on behalf of clients.
This note is relevant to all such persons located or established in the European Economic Area (EEA) or established outside the EEA (including in the United Kingdom) and having clients located in the EEA. This note is also relevant to investment firms providing investment services or performing investment activities in crypto-assets that, albeit not subject to MiCA authorisation requirements, will have to comply with certain additional notification, prudential and organisational requirements.
Explanation of terminology used
The proposed regulation provides for the first time in European law a harmonised set of definitions applicable to markets in crypto-assets. Some of the key definitions relevant to the scope of this note include:
- Crypto-asset: a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology (DLT) or similar technology.
- Crypto-asset service provider: a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with MiCA.
- Distributed ledger: an information repository that keeps records of transactions and that is shared across, and synchronised between, a set of DLT network nodes using a consensus mechanism.
Authorisation of crypto-asset service providers
Similar to the MiFID II regime for financial instruments, MiCA sets out that the provision of services in crypto-assets in the European Union (EU) is subject to authorisation, unless an exemption applies. To this end, MiCA foresees an exemption for persons who provide crypto-asset services exclusively for their parent companies, for their own subsidiaries or for other subsidiaries of their parent companies. Other than this limited exemption, MiCA provides that a person cannot provide services in crypto-assets in the EU unless that person is:
(a) a legal person or other undertaking that has been authorised as a crypto-asset service provider in accordance with the MiCA requirements; or
(b) a credit institution, central securities depository, investment firm, market operator, electronic money institution, UCITS management company, or an alternative investment fund manager that is allowed to provide crypto-asset services in accordance with the rules set out in MiCA for financial entities authorised under other European financial services legislation.
In respect of non-authorised persons aiming to provide services in crypto-assets in the EU, in order to apply for authorisation under MiCA they will have to have a registered office in a Member State where they carry out at least part of their crypto-asset services. The registered office will have to be more than just a “letter box” entity as MiCA requires that such persons must have their place of effective management in the EU and at least one of the directors must be resident in the EU. Concerning the notion of “other undertakings” that are not legal persons, such structure will be permissible only if their legal structure ensures a level of protection for the interests of third-parties equivalent to that provided by legal persons and when they are subject to equivalent prudential supervision appropriate to their legal form.
Regarding the authorisation process specifically, MiCA sets out a long list of information that a person will need to provide for the purpose of the application procedure. This includes, among other information and documentation, an obligation to submit a programme of operations, a description of internal control mechanisms and governance arrangements, a procedure for risk assessment and business continuity plan, proof that the applicant meets the relevant prudential safeguards as well as the technical documentation of the ICT systems and security arrangements. In terms of the authorisation procedure, Member State competent authorities will have 25 days to assess the completeness of the application and thereafter 40 working days to review it in detail and then grant or refuse an authorisation. All authorised crypto-asset service providers will be listed on a central register that will be maintained by the European Securities and Markets Authority (ESMA).
Importantly and in order to avoid duplication, MiCA sets out rules concerning the provision of certain crypto-asset services by financial entities authorised under pieces of European financial services legislation including investment firms, credit institutions, central securities depositories, electronic money institutions, UCITS management companies and market operators.
Passporting rights and provision of crypto-asset services from third-countries
Authorisation in one Member State will be valid for the entire EU, and passporting on both a cross-border services basis and an establishment (branch) basis is permitted. Importantly, the cross-border provision of services in crypto-assets within the EU based on the passporting regime will not require a physical presence in the host Member State.
However, and this is an important distinction in comparison to other European financial services legislation, MiCA does not provide for a separate third-country regime. This means that persons located in a non-EEA jurisdiction and wishing to actively promote and/or advertise their services to clients in the EEA will have to obtain full authorisation. Alternatively, they could only rely on a very restrictive reverse solicitation provision, whereby a client established or situated in the EU initiates at its own exclusive initiative the provision of a crypto-asset service or activity by a third-country firm. The co-legislators sought to narrow down the notion of the client’s “exclusive initiative”, highlighting that the reverse solicitation exemption would not apply when a person solicits clients or prospective clients in the EU via an entity acting on the service provider’s behalf or having close links with such third-country firm. They further specified that the substance rather than the form of any such arrangements would be looked at.
Obligations for authorised crypto-asset service providers
MiCA sets out a whole range of conduct requirements for crypto-asset service providers. As such, they will be under an obligation to act honestly, fairly and professionally in accordance with the best interests of their clients and prospective clients. This includes making their pricing policies publicly available. Crypto-asset service providers will also have to publish information related to “the principal adverse impacts on the climate and other environment-related adverse impacts of the consensus mechanism used to issue crypto-assets” for which they provide services. Information on such “principal adverse impacts” will also have to be included in the white paper published by persons offering crypto-assets to the public or seeking their admission on a crypto-assets trading platform.
In respect of prudential requirements, crypto-asset service providers will be obliged to have in place prudential safeguards equal to the amounts of permanent minimum capital specified in MiCA and one quarter of fixed overheads of the preceding year. The prudential safeguards must include own funds and/or an insurance policy, or a comparable guarantee, covering the territories of the EU where the crypto-asset services are provided. MiCA is quite prescriptive in respect of the types of risks the insurance policy must cover, which will include loss of documents, misrepresentation or misleading statements made, acts, errors or omissions resulting in a breach of legal and regulatory obligations, the duty to act honestly, fairly and professionally towards clients, obligations of confidentiality, as well as where applicable, gross negligence in safeguarding clients’ crypto-assets and funds.
Crypto-asset service providers having at least 15 million active users in the EU on average in one calendar year will be deemed to be significant, triggering a notification requirement to their home Member State competent authority. The competent authorities of such significant crypto-asset service providers will also have to submit to ESMA annual reports on supervisory developments in relation to such service providers.
Governance arrangements and ICT risks
MiCA sets out requirements concerning the governance framework for crypto-asset service providers, including requirements concerning members of the management body and personnel. Crypto-asset service providers will have to have in place resilient and secure ICT systems, including internal control mechanisms and procedures for risk assessments, set up in accordance with Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). In addition, crypto-asset service providers will have to ensure compliance with MiCA’s rules concerning record keeping, complaints handling procedures and procedures for prevention, identification, management and disclosure of conflicts of interest. Crypto-asset service providers relying on third parties for the performance of operational functions will also need to comply with the rules on outsourcing as set out by MiCA. Finally, certain types of crypto-asset service providers, including providers of custody and administration services and operators of trading platforms, will have to have in place an orderly wind-down plan.
Specific requirements for different types of crypto-asset service providers
In addition to the general requirements applicable to all types of crypto-asset service providers as set out in earlier parts of this article, MiCA foresees specific requirements that will apply according to the type of their permission. Key points to note include:
- Providing custody and administration of crypto-assets on behalf of clients: persons authorised to provide such services will have to enter into a written agreement with their clients, specifying their duties and responsibilities. They will also have to keep a register of positions opened in the name of each client, establish a custody policy, and facilitate the exercise of the rights attached to the crypto-assets. They will also have to provide regular and on-request reporting to clients, including a statement of client positions, ensure that necessary procedures are in place to return crypto-assets held on behalf of their clients, and ensure separation of holdings of crypto-assets held on behalf of clients from their own holdings. Finally, they will be liable to clients for any loss of crypto-assets or the means of access to the crypto-assets resulting from an incident that is attributable to the crypto-asset service provider. The liability is capped at the level of the market value of the crypto-asset lost at the time when the loss occurred.
- Operation of a trading platform for crypto-assets: persons authorised to provide such a service will have to adopt operating rules for the platform, in accordance with the requirements set out in MiCA. They will not be able to deal on own account on the trading platform they operate and they will only be able to engage in matched principal trading where the clients have consented to the process. Before admitting a crypto-asset for trading at their platform, operators will have to assess the suitability of the crypto-asset. They will also need to put in place effective systems, procedures and arrangements to ensure the operational resilience of their trading systems, as well as implement measures to prevent and detect market abuse. They will be subject to MiFID II-like pre- and post-trade transparency provisions, including an obligation to make data available to the public on reasonable commercial basis, and to ensure that their fee structures are transparent, fair and non-discriminatory.
- Exchange of crypto-assets for funds or other crypto-assets: persons authorised to provide such services will have to establish a non-discriminatory commercial policy that will indicate the type of clients they accept to transact with and the conditions that are to be met by clients. They will have to publish firm prices or methods for determining the prices, execute orders at the time when the order for exchange is final and publish the details of orders received and the transactions concluded by them, such as transaction volumes and prices.
- Execution of orders in crypto-assets on behalf of clients: persons authorised to provide such services will be subject to best execution requirements. To this end, except when following specific instructions given by their clients, they will have to establish and implement “effective execution arrangements” consisting of, among other elements, an order execution policy. Information about the order execution policy will have to be provided to the clients. Crypto-asset service providers must also be able to demonstrate to the clients that they have executed their orders in accordance with the order execution policy.
- Placing of crypto-assets: persons authorised to provide such services will have to communicate certain prescribed information to the offeror, to the person seeking admission to trading or to any third party acting on their behalf before entering into agreement with them, including the type of placement under consideration and an indication of the amount of transaction fees. Prior to the placing of the relevant crypto-assets, they will have to obtain the agreement of the issuers of those crypto-assets or any third party acting on their behalf. Finally, their conflicts of interest procedures will have to reflect the specificities of such conflicts that may arise from this type of activity.
- Reception and transmission of orders in crypto-assets on behalf of clients: persons authorised to provide such services will have to establish and implement procedures and arrangements which provide for the “prompt and proper” transmission of client’s orders for execution. MiCA prohibits receipt of any inducements (remuneration, discounts or non-monetary benefits) for routing clients’ orders to a particular trading platform. Finally, crypto-asset service providers engaged in receipt and transmission of orders must not misuse information relating to pending client orders.
- Providing advice on crypto-assets and providing portfolio management of crypto-assets: persons authorised to provide such services will have to assess whether the crypto-asset services or crypto-assets are suitable for the clients or prospective clients, regularly review such suitability assessment and report to the clients about the same. They will have to provide certain information to clients, including whether the advice is provided on an independent or non-independent basis, as well as information on costs and charges. Providers of advice on an independent basis will not be able to accept inducements in any form. MiCA also sets out requirements concerning warnings to clients or prospective clients.
- Providing transfer services for crypto-assets on behalf of clients: persons authorised to provide such services must conclude an agreement with their clients specifying their duties and responsibilities.
Timeline
Subject to various transitional provisions and with the exception of rules applicable to stablecoins, MiCA will become applicable on 30 December 2024. That said, MiCA provides for a time-limited grandfathering clause for those crypto-asset service providers that provide their services in accordance with national law before 30 December 2024, but this remains subject to Member State discretion. Member States must inform the European Commission by 30 June 2024 whether they will apply this transitional regime. Member States will also be able to apply a simplified procedure for applications for authorisations submitted between 30 December 2024 and 1 July 2026 by persons that on 30 December 2024 were authorised under Member State law to provide crypto-asset services.
How we can help
Our team has extensive experience in advising European, UK and third-country market participants in crypto-assets, including operators of trading venues, custodians and post-trade service providers, as well as a variety of other companies active in the broader FinTech sector. Unlike most other law firms, Norton Rose Fulbright offers a blend of legal, compliance and government relations skills in one cohesive team. This means we can help clients to prepare for legislative change by advising on legal and regulatory requirements, as well as on practical aspects of their implementation from the perspective of operational systems and controls adaptation.