The European Securities and Markets Authority (“ESMA”) has recently issued a ‘Supervisory Briefing – Authorisation of CASPs under MiCA’ to guide National Competent Authorities (“NCA”s) on the authorization of Crypto Asset Service Providers (“CASP”s) under the Markets in Crypto-Assets Regulation (“MiCA”). This briefing sheds light on the most critical aspects, including risk management, governance, outsourcing, and compliance requirements, offering essential insights into what CASPs need to meet MiCA’s standards and navigate the evolving regulatory landscape in the EU.
MiCA’s Risk-Based Approach
ESMA applies a risk-based approach to CASP authorization. Unlike traditional finance, no CASP is considered ‘low-risk’ due to the evolving nature of the crypto industry and the direct engagement with retail investors. Factors influencing risk levels include:
- Size and Scale: CASPs with over 1 million yearly active users or a balance sheet exceeding €3 billion are subjected to heightened scrutiny.
- Complex Group Structures: Highly complex group structures, especially those involving multiple legal frameworks (e.g., EMI, MiFID, and CASP authorizations), increase risks related to conflicts of interest, AML/CFT, and effective supervision.
- Cross-Border Activities: CASPs with significant cross-border activity, particularly those with more than 200,000 yearly active users outside their home jurisdiction, face elevated scrutiny. NCAs are encouraged to coordinate with significant host NCAs to address compliance challenges early.
- Role in the Crypto Ecosystem: CASPs playing critical roles in the crypto ecosystem, such as trading platforms and custody providers, are considered higher risk due to their potential impact on market stability.
- Combination of Crypto-Asset Services: Multifunction Crypto-Asset intermediaries are subject to increased scrutiny due to the unique risks associated with providing multiple CASP services.
- Business Model and Issuer Activities: CASPs combining ART or EMT issuance with CASP services are deemed higher risk, particularly concerning conflicts of interest.
- Outsourcing of Key Functions: Outsourcing critical functions, including risk management and ICT security, necessitates stringent oversight to prevent operational and regulatory risks.
- Supervisory History and ML/TF Risks: CASPs with a history of supervisory violations or those engaged in activities with high money laundering and terrorist financing risks are subjected to enhanced scrutiny.
Governance and Substance Requirements
To qualify for MiCA authorization, CASPs must demonstrate sufficient local autonomy and substance within the EU. This includes:
- Local Presence and Decision-Making Authority: CASPs must demonstrate local decision-making autonomy, with at least one (1) executive management board member located in the jurisdiction where the CASP is authorised to operate, apart from the one non-executive board member. Reporting lines should clearly reflect the ability to make independent decisions at the EU level.
Independent and Dedicated Executive Roles
- Dual-hatting (holding roles in parent companies) is highly scrutinized to ensure independence and avoid conflicts of interest.
- The CEO must commit 100% of their time to CASP duties, ensuring focused leadership and proper management. Other executive board members should devote at least 50% of their time.
- The executive board should collectively possess strong knowledge of both national and EU regulations applicable to CASPs.
Internal Control and Risk Management
CASPs are required to establish internal control frameworks that include compliance, risk management, and internal audit functions. These functions must be independent, adequately resourced, and clearly structured to avoid conflicts of interest.
Local Team and Operational Substance
A significant local team is required, including key executive members and senior managers who are present and actively involved in the Member State. Critical roles, including compliance and risk management, cannot be fully outsourced outside the EU.
Continuous Review and Adaptation
Governance and substance arrangements must be periodically reviewed and adapted to align with regulatory changes, organizational growth, and market dynamics.
Outsourcing and Compliance
Outsourcing plays a crucial role in CASP operations, but MiCA imposes stringent rules to ensure compliance and avoid regulatory arbitrage. Key requirements include:
- No Letter-Box Entities: Outsourced functions should not transform CASPs into letter-box entities or undermine local supervision. CASPs must maintain control over key functions, even if executed by third-party providers.
- Control and Oversight: Critical functions, especially risk management, ICT systems, and security, must remain under the CASP’s control. This includes monitoring and supervising outsourced activities to ensure compliance with MiCA requirements.
- Outsourcing to Non-EU Entities: Outsourcing to non-EU entities is subject to elevated scrutiny to ensure effective supervisory oversight and avoid regulatory gaps.
- Highly Important Functions: Certain functions, such as internal control, IT control, compliance, and key management, are considered highly important and cannot be outsourced if it compromises the CASP’s activities or effective NCA supervision.
- Continuous Monitoring and Reporting: CASPs are required to continuously monitor outsourced functions and report compliance and risk management activities to the executive management board.
- AML/CFT Responsibilities: CASPs retain responsibility for AML compliance, even when outsourcing AML functions. This includes ensuring effective controls, monitoring, and risk mitigation measures.
Fit and Proper Assessment
The ‘Fit and Proper’ assessment is a pivotal component of the authorization process, focusing on the integrity, competence, and experience of executive management board members. Requirements include:
- Technical Knowledge and Experience: Given the complexity of the crypto industry, technical knowledge and industry experience are critical for board members, particularly in crypto-asset services and technology.
- Integrity and Trustworthiness: Prior supervisory transgressions, ongoing criminal proceedings, or involvement in activities with regulatory concerns are considered to ensure only trustworthy leaders are authorized.
- Collective Suitability and Compensation of Experience: In cases where executive board members have limited management experience, MiCA allows for collective suitability, where the limited experience of some members is compensated for by others with more experience in regulated finance.
- Continuous Assessments and Review: Fitness and propriety are assessed on an ongoing basis, requiring continuous compliance with MiCA’s standards.
For more information about the ESMA supervisory briefing and the MiCA authorization requirements for CASPs, please contact our FinTech team at [email protected]