MiCA Regulations

The MiCA Regulations establish a framework for the authorization and operation of Crypto Asset Service Providers (CASPs) within the EU, requiring them to obtain authorization to ensure compliance and consumer protection. Applicants must submit detailed information about their operations, governance, and compliance measures, including risk management, AML/CTF policies, and client asset segregation. The regulations aim to create a standardized approach to crypto services, enhancing transparency and security in the market.

Uploaded by robertmeilak

MFSA-RESTRICTED

MiCA Regulations – Markets in Crypto assets

• The MiCA act was enacted to provide specific rules for crypto assets
and services that were not yet covered.
• CASP refers to anyone, company or legal person, that offers any
of the MiCA crypto-asset services.

Article 59 of the MiCA act is the authorization requirement, and it states
that CASPs must obtain authorization to provide crypto-related services
within the EU. This ensures a regulated and standardized approach to
offering these services across member states. It should be noted that
CASPs typically tend to be legal entities such as companies or partnerships;
however, exceptions may arise provided the entity offers equal protection
to users or is under equivalent prudential supervision. Once
authorized, CASPs can provide services across the entire EU without the
need for a physical presence in every member state (MS). This
simplifies cross-border operations for crypto businesses.

No individual or organization can claim or market themselves as a CASP
unless they are properly authorized. This rule is essential to avoid
misleading claims and ensure only compliant and licensed providers
operate in the market. It should be noted that the license will detail
the specific crypto services which they are authorized to provide.
Any request to extend the scope of a CASP's license (e.g., adding new
services) will be reviewed in accordance with Article 63 of MiCA. This
ensures all new services are vetted for compliance and safety.

Summary of Annex V – MiCA

Article 1: General Information

Applicants seeking authorization as a crypto-asset service provider under
Article 62 of Regulation (EU) 2023/1114 must submit detailed information
to the competent authority. This includes the applicant’s legal name,
contact details, commercial or trading names, and Legal Entity Identifier
(LEI). They must also provide information about a designated contact
person, including their full name, function, and contact details. The
application requires corporate details such as the legal form of the
applicant, evidence of registration, incorporation details, and governing
documents like articles of association or by-laws. Address details,
including the head office and registered office, must also be included. If
the applicant has branches, their locations and LEIs should be provided.
Additional information required pertains to web and social media
presence, including domain names and social media accounts. For non-
legal entities, documentation demonstrating equivalent protection for
third-party interests must be supplied. Trading platforms associated with
the applicant must provide their contact details and commercial name.

Article 2: Programme of Operations

Applicants must outline a comprehensive three-year programme of
operations. This plan should explain how the applicant’s activities align
with the broader group strategy if applicable and detail the organizational
structure of the group. Information about affiliated entities, including their
services and impact on the applicant’s operations, is required. Applicants
must list all crypto-asset services they intend to offer, specifying the types
of crypto assets involved, alongside any additional regulated or
unregulated activities. Plans for public offerings or admission of crypto
assets to trading must be included, specifying targeted jurisdictions and
client demographics. The applicant must also describe how clients will
access these services, detailing websites, ICT-based applications, and
promotional activities in various languages. Additionally, the applicant
must demonstrate adequate allocation of human, financial, and ICT
resources to support operations and provide an outsourcing policy that
complies with Article 73 of Regulation (EU) 2023/1114. Financial forecasts,
including stress-tested accounting plans, must also be presented, along
with details about any interactions with crypto-asset exchanges or
decentralized finance applications. Specific compliance policies for
client-related activities must be outlined, ensuring adherence to Articles 79 and
80 of the Regulation.

Article 3: Prudential Requirements

Applicants must provide a detailed account of prudential safeguards in
compliance with Article 67 of Regulation (EU) 2023/1114. This includes the
number of prudential safeguards at the time of application and their
coverage by own funds or insurance policies. Applicants must submit
forecast calculations for prudential safeguards for the first three years of
business, considering planning assumptions, stress scenarios, and
operational expectations like client numbers, transaction volumes, and
maximum custody of crypto assets. Active companies must include
financial statements for the past three years, audited where applicable.
The application should also include a description of the policies and
procedures used to plan and monitor prudential safeguards. Finally,
applicants must provide proof of compliance with prudential safeguards,
such as documentation on own funds calculation, national supervisor
certifications for unaudited companies, or bank statements for newly
incorporated entities.

Article 4: Governance Arrangements and Internal Control Mechanisms

Applicants for authorization as crypto-asset service providers under
Regulation (EU) 2023/1114 must submit comprehensive details about
their governance and internal controls to the relevant authority. Key
requirements include:

1. Organizational Structure:

o Detailed structure, including tasks, powers, reporting lines,
and internal control measures.

o Profiles of internal function heads (e.g., management,
supervisory), including their qualifications and experience.

2. Policies and Procedures:

o Ensuring staff awareness of responsibilities.

o Maintaining orderly records and arrangements for compliance
with regulations.

o Regular review and assessment of the effectiveness of
policies, including independent operation of internal control
functions.

3. ICT Systems:

o Description of IT systems, safeguards, and monitoring tools.

4. Conflict of Interest Management:

o Conflict of interest policies tailored to the applicant’s scale and
services.

o Mechanisms to monitor, assess, and mitigate conflicts.

5. Market Abuse Prevention:

o Arrangements to detect and prevent market abuse.

6. External Auditors and Accounting:

o Information about appointed auditors and accounting
practices.

Article 5: Business Continuity

Applicants must provide a business continuity plan that ensures consistent
service delivery. This includes:

• Steps to maintain continuity during service interruptions.

• Testing arrangements for the continuity plan.

• Provisions for third-party dependencies, critical personnel changes,
and jurisdictional risks like political instability.

Article 6: Detection and Prevention of Money Laundering and Terrorist Financing

Applicants must outline internal control mechanisms and policies to
comply with anti-money laundering (AML) and counter-terrorist financing
(CTF) laws. Requirements include:

Risk Assessments:

• Analysis of inherent and residual risks linked to customer base,
services, distribution channels, and geography.

Preventive Measures:

• Policies for customer due diligence, suspicious activity detection,
and reporting.

Proportionality:

• Systems tailored to the applicant’s size, business complexity, and
risk level.

Responsibility and Expertise:

• Identification of the AML/CTF compliance officer and proof of their
expertise.

Training:

• Evidence of adequate training for staff in AML/CTF matters.

Policies and Effectiveness:

• Submission of AML/CTF policies and procedures, including their
periodic evaluation.

These articles emphasize robust governance, operational resilience, and
adherence to regulatory standards in crypto-asset services.

Article 7: Identity and Proof of Management Body Members

Applicants seeking authorization as crypto-asset service providers must
provide comprehensive information about each member of the
management body, including:

1. Personal Details: Full name, date of birth, address history,
nationality, and official identification documents.

2. Professional Information: Position details, curriculum vitae
highlighting relevant experience, key duties, and prior roles within
the last 10 years, especially in finance, crypto assets, or technology.

3. Reputation and Background: Criminal records, history of regulatory
refusals or penalties, dismissals, and any assessments of reputation
by other authorities.

4. Conflicts of Interest: Details of financial and non-financial interests
or relationships with close relatives in related entities and how any
conflicts will be mitigated.

5. Time Commitment: Estimated time dedication to the role, other
executive/non-executive positions held, and responsibilities
associated with those roles.

6. Suitability Assessment: Evidence of suitability assessments of
individual members and the collective management body, including
board minutes or assessment reports.

Article 8: Shareholders or Members with Qualifying Holdings

Applicants must disclose information about shareholders or members
holding qualifying holdings, including:

1. Ownership Structure: Detailed organizational chart showing capital
and voting rights breakdown.

2. Identity of Shareholders: Information about shareholders or
members holding direct or indirect qualifying holdings, including the
type and value of shares held, any premiums, and security interests.

3. Management Influence: Details of management body members
appointed by shareholders with qualifying holdings.

4. Additional Information: Compliance with related regulatory technical
standards for assessing qualifying holdings.

Article 9: ICT Systems and Security Arrangements

Applicants must provide technical documentation on their ICT systems
and security measures to ensure compliance with relevant EU regulations,
including:

1. Risk Management Framework: A detailed description of ICT risk
management as part of overall risk management, ensuring data
security, confidentiality, and integrity.

2. Critical ICT Services: Identification of ICT services supporting critical
or important functions, describing systems, protocols, and tools.

3. Compliance with Regulations: Ensuring adherence to relevant
cybersecurity and data protection laws, including Regulation (EU)
2022/2554 and GDPR (Regulation (EU) 2016/679).

Article 10: Segregation of Clients’ Crypto assets and Funds

1. Policies and Procedures

Applicants seeking authorization as crypto-asset service providers
must provide detailed descriptions of their segregation policies and
procedures, including:

o Ensuring clients’ funds and crypto assets are not used for the
applicant’s account.

o Differentiating wallets holding clients’ crypto assets from
those of the applicant.

o Describing the approval system and safeguarding of
cryptographic keys, e.g., multi-signature wallets.

o Procedures for segregating clients' crypto assets, including
those held in omnibus accounts.

o Processes for depositing clients’ funds with a central bank or
credit institution by the next business day, held in accounts
identifiable from the applicant's accounts.

o Selection criteria and review frequency for credit institutions if
funds are not deposited with a central bank.

o Ensuring clients are informed in clear, concise language about
the systems and policies for compliance.

2. Exceptions

Crypto-asset service providers that are electronic money institutions
or payment institutions only need to address the segregation of
clients’ crypto assets.

Article 11: Complaints-Handling

Applicants seeking authorization must detail their complaints-handling
policies and procedures, including:

• Resources allocated to complaints handling (human and technical).

• Identification of the person responsible, including their curriculum
vitae highlighting relevant qualifications, and compliance with Article 1
of the [RTS on complaints handling by CASPs].

• Methods for informing clients of the complaint submission process
(free of charge), with details of where and how this information is
accessible.

• Record-keeping arrangements for complaints and the keeping of
timelines for investigating, responding to, and addressing
complaints.

• Procedures for informing clients about available remedies, and key
steps in complaint decision-making and communication processes.

Article 12: Custody and Administration Policy

Applicants intending to provide custody and administration of crypto
assets for clients must provide:

1. General Arrangements

o Description of custody types offered and related policies,
along with client agreements and summaries of the custody
policy.

2. Policy Details

o Identified operational and ICT risks for safekeeping and control
of crypto assets.

o Policies and systems to manage risks, including outsourcing to
third parties.

o Procedures for clients’ exercise of rights attached to crypto
assets.

o Systems ensuring the return of clients' crypto assets or access
means.

3. Identification and Minimization of Risks

o Information on the identification of crypto assets and access
means.

o Risk minimization arrangements to prevent loss.

4. Third-Party Delegation

o Identity and status of third parties involved.

o Description of delegated functions and potential conflicts of
interest.

o Supervision plans for delegated or sub-delegated functions.

Article 13: Operating Rules of the Trading Platform and Market Abuse Detection

Applicants intending to operate trading platforms must provide:

1. Admission of Crypto assets

o Rules and approval processes for admitting crypto assets,
including customer due diligence.

o Categories of crypto assets excluded from trading and reasons
for exclusion.

o Policies, procedures, and fees for admission, including
membership and rebate conditions.

2. Order Execution and Public Information

o Rules for order execution, cancellations, and disclosures.

o Procedures for assessing crypto assets’ suitability.

o Systems for publishing bid/ask prices, trading interests, and
executed transactions.

3. Data and Settlement

o Arrangements for storing order data and providing access to
competent authorities.

o Details on settlement mechanisms, including whether initiated
on or outside the distributed ledger, timeframe, and
verification systems.

4. Fee Structures

o Justification of fee structures to ensure compliance with
applicable regulations.

Article 14: Exchange of Crypto assets for Funds or Other Crypto assets

An applicant seeking authorisation as a crypto-asset service provider in
accordance with Article 62 of Regulation (EU) 2023/1114, and intending to
provide the service of exchanging crypto assets for funds or other crypto
assets, must submit the following information to the competent authority:

1. Commercial Policy Description:

o A description of the commercial policy established in
compliance with Article 77(1) of Regulation (EU) 2023/1114.

2. Pricing Methodology:

o The methodology for determining the price of the crypto
assets the applicant proposes to exchange for funds or other
crypto assets. This should include an explanation of how
volume and market volatility of crypto assets affect the pricing
mechanism, in compliance with Article 77(2) of Regulation
(EU) 2023/1114.

Article 15: Execution Policy

An applicant seeking authorisation as a crypto-asset service provider in
accordance with Article 62 of Regulation (EU) 2023/1114, and intending to
provide the service of executing orders for crypto assets on behalf of
clients, must submit its execution policy, which includes the following
details:

1. Client Consent:

o Arrangements to ensure that the client has provided consent
to the execution policy prior to the execution of the order.

2. Trading Platforms:

o A list of the trading platforms for crypto assets on which the
applicant will rely for order execution and the criteria used to
assess execution venues in accordance with Article 78(6) of
Regulation (EU) 2023/1114.

o Details of which trading platforms will be used for each type of
crypto-asset and confirmation that the applicant will not
receive any form of remuneration, discount, or non-monetary
benefit for routing orders to specific platforms.

3. Execution Factors:

o How the applicant considers factors such as price, costs,
speed, likelihood of execution and settlement, size, nature,
custody conditions, and other relevant elements to achieve
the best possible result for the client.

4. Orders Executed Outside Trading Platforms:

o Arrangements for informing clients about orders executed
outside trading platforms and obtaining their express prior
consent.

5. Specific Client Instructions:

o How clients are warned that specific instructions may prevent
the applicant from optimizing execution as per its execution
policy.

6. Venue Selection and Monitoring:

o The process for selecting trading venues, execution strategies,
and procedures for analyzing execution quality. This includes
how the applicant ensures the best possible results for clients.

7. Information Protection:

o Measures to prevent misuse of client order information by
employees.

8. Policy Disclosure:

o Procedures for disclosing the execution policy to clients and
notifying them of any material changes.

9. Compliance Demonstration:

o Arrangements to demonstrate compliance with Article 78 of
Regulation (EU) 2023/1114 to the competent authority upon
request.

Article 16: Provision of Advice or Portfolio Management on Crypto assets

An applicant seeking authorisation as a crypto-asset service provider in
accordance with Article 62 of Regulation (EU) 2023/1114, and intending to
provide advice or portfolio management services on crypto assets, must
provide the following information:

Policies and Procedures – A detailed description of the arrangements to
ensure compliance with Article 81(7) of Regulation (EU) 2023/1114,
including:

o Mechanisms for controlling, assessing, and maintaining the
knowledge and competence of individuals providing advice or
portfolio management.

o Arrangements ensuring individuals involved are familiar with
internal policies, anti-money laundering (AML), and anti-terrorist
financing obligations as per Directive (EU) 2015/849.

o Annual human and financial resource allocations for
professional development and training.

Suitability Assessment – Arrangements to ensure that individuals
providing advice have the necessary knowledge and expertise to perform
suitability assessments as required by Article 81(1) of Regulation (EU)
2023/1114.

Article 17: Transfer Services

An applicant seeking authorisation as a crypto-asset service provider in
accordance with Article 62 of Regulation (EU) 2023/1114, and intending to
provide transfer services for crypto assets on behalf of clients, must
provide the following information:

1. Types of Crypto assets:

o Details on the types of crypto assets for which transfer
services will be provided.

2. Policies and Procedures:

o A description of arrangements to ensure compliance with
Article 82 of Regulation (EU) 2023/1114. This should include:

- Measures to address risks effectively during the
provision of transfer services, considering operational
failures and cybersecurity risks.

3. Insurance Policy:

o If applicable, a description of the applicant’s insurance policy,
including coverage for potential detriment to clients’ crypto
assets due to cybersecurity risks.

4. Client Information:

o Arrangements to adequately inform clients about the policies,
procedures, and risk mitigation measures in place.

Article 18: Entry into Force and Application

This Regulation shall enter into force on the twentieth day following that
of its publication in the Official Journal of the European Union.

Assessment of the Applications

When new applications are received, they are to be acknowledged within
5 working days and the completion of the assessment needs to be done
within 25 working days. It should be noted that:

• The NCA (National Competent Authority) may decide to refuse to
review the application if the above deadline is not met. Applicants
tend to be refused in cases where the management body poses a
threat to investor protections, market integrity or serious risk of
ML/TF or if the applicant fails or is likely to fail to comply with MiCA.
• The NCA must notify the applicant when the application is complete.

Furthermore, the decision to either grant or refuse an applicant must be
taken within 40 working days, and the applicant must be made aware
within 5 days of the decision being taken.

Reverse Solicitation

Reverse solicitation allows a firm outside the EU to provide crypto services
to an EU client without authorization, but only if the client reaches out first
on their own initiative without any marketing or solicitation. If the firm
actively markets or solicits EU clients, this rule does not apply, and
authorization is required under Article 59 of MiCA.

This is important because it:

1. Regulatory Compliance: Ensures only authorized firms operate in
the EU.

2. Spotting Loopholes: Prevents firms from misusing reverse
solicitation as an excuse to bypass EU rules.

3. Consumer Protection: Flags and escalates cases of unauthorized
firms to safeguard clients.

CASP Services – Article 3

As per Article 3 of MiCA, the services of a CASP include:

1. Execution of Orders for crypto assets on behalf of clients.

2. Placing of crypto assets.

3. Providing transfer services for crypto assets on behalf of clients.

4. Reception and transmission of orders for crypto assets on behalf of
clients.

5. Providing advice on crypto assets.

6. Providing portfolio management on crypto assets.

7. Providing custody and administration of crypto assets on behalf of
clients.

8. Exchange of crypto assets for funds.

9. Exchange of crypto assets for other crypto assets.

10. Operation of a trading platform for crypto assets.

Custody – Article 75

Providing custody and administration of crypto assets on behalf of clients
means the safekeeping or controlling on behalf of clients, of crypto assets
or of the means of access to such crypto assets, where applicable in the
form of private cryptographic keys. Requirements in line with sub-articles:

1. Requirement to enter into agreement with clients.

2. Requirement to maintain register of positions.

3. Requirement to establish a custody policy.

4. Requirement to fulfil the exercise of rights.

5. Requirement to report to clients.

6. Requirement to establish procedure for the return of crypto assets to
clients.

7. Requirement to segregate client crypto assets.

8. Liability of CASP in relation to crypto assets held on behalf of clients.

9. Requirement for sub-custodians to be MiCA authorised.

The two main focuses with crypto currency should be cybersecurity,
including the accessing and handling of private keys, and reconciliations.

The ‘Exchange’ Services

The following CASP services all involve some form of exchange:

• Reception and Transmission of Orders – Receiving and
transmitting crypto-asset orders means taking a client's order to
buy, sell, or subscribe to crypto-assets and passing it to a third party
for execution. The licensed entity handles this process, showing the
client the fees and current price of the crypto asset. CASPs shall:
o Ensure prompt transmission of clients’ orders.
o Not receive remuneration/monetary benefit.
o Not misuse information relating to pending client orders.
• Execution of orders – Executing crypto-asset orders for clients
means making agreements to buy or sell crypto assets or
subscribing to them on behalf of clients. It also includes signing
contracts to sell crypto assets when they are offered to the public or
listed for trading. CASPs shall:
o Obtain best execution.
o Establish order execution policy.
o Provide appropriate and clear information to clients on the
order execution policy and any changes to it.
o Demonstrate best execution to clients on request.
o Obtain prior consent from clients on execution policy.
o Inform clients if orders may be executed outside the TP.
o Monitor the effectiveness of the order execution policy.
• The exchange of crypto assets for funds or for other crypto
assets – CASPs are required to establish a non-discriminatory
commercial policy, publish a firm’s price for the crypto assets they
exchange and publish the details of transactions concluded by them.
These exchange services can be of two types:
o The exchange of crypto assets for funds, which refers to the
purchase or sale of crypto assets for monetary capital.
o The exchange of crypto assets for other crypto assets, which
refers to the purchase or sale of crypto assets for other crypto
assets.
• The operation of a trading platform – This refers to the
management of one or more multilateral systems, which bring
together multiple third-party purchasing and selling interests in
crypto assets, in the system and in accordance with its rules, in a
way that results in a contract, either by exchanging crypto assets for
funds or by the exchange of crypto assets for other crypto assets.

CASPs must assess crypto assets before listing, avoid anonymous
tokens, and ensure transparency in Matched Principal Trading (MPT)
with client consent, avoiding conflicts of interest and under NCA
monitoring. Trading platform operators must establish clear rules
covering client onboarding, excluded assets, fees, listing processes,
fair trading practices, liquidity requirements, trading suspensions,
and settlement procedures, ensuring a fair and orderly trading
environment.

Furthermore, the role of a CASP also includes ensuring that trading
systems are resilient and continuous even under market stress and
at peak order times, publishing bid and ask prices on a
continuous basis, making public the price, volume and time of the
transactions executed on the TP, initiating final settlement on DLT
within 24 hours of the transaction being executed on the TP, and
retaining transaction data for at least 5 years.

Other MiCA Services

Transfer Services – Article 82

Transfer services refer to the action of providing services of transfer
of crypto assets from one account to another on behalf of a natural or
legal person. What is new with MiCA transfer services is the requirement
of instruction of the client. When a CASP enters into an agreement with
a client, the following information is required to be included at minimum:

• The identity of the parties of the agreement.
• Modalities of the transfer and a description of the services being
provided.
• A description of the security systems used by the CASP.
• Any relevant charges or fees.
• The law applicable to the agreement.

Placing of Crypto Assets – Article 79

Article 79 discusses the marketing of crypto assets to purchasers on
behalf of the related party. It is important that CASPs have in place
specific and adequate procedures which prevent, monitor and disclose
any conflicts of interest which could arise by marketing the crypto assets
to their clients. Besides obtaining consent and addressing conflicts of
interest, CASPs are required to communicate the following information to
the person seeking admission to trading:

• The type of placement considered.

• An indication of the amount of transaction fees associated with the
service.

• The considered timing, process, and price for placement.

• Information about the targeted purchasers.

Advice and Portfolio Management – Article 81

Providing advice on crypto assets refers to when a CASP offers or agrees
to give personalised recommendations in respect of one or more
transactions relating to crypto-assets or the use of crypto asset services.

On the other hand, providing portfolio management on crypto assets
refers to when CASPs manage portfolios in accordance with the mandates
given to them by the clients on a discretionary client-by-client basis. This
does not constitute the provision of advice.

CASPs shall inform clients of the following prior to providing
advice:

- Whether advice is provided on an independent basis.

- Whether the advice is based on a broad or restricted analysis of
crypto markets.

- All information on costs and charges.

CASPs shall:

- Ensure that employees providing advice or portfolio management
are competent.

- Conduct a suitability assessment on clients prior to providing
advice/portfolio management.

- Notify clients of the outcome of the suitability assessment and
provide appropriate risk disclosures.

- Provide periodic statements to clients in case of portfolio
management.

Where advice is provided on an independent basis:

- CASP shall assess a sufficient range of crypto-assets and not limit
assessment to crypto-assets issued by entities with close links to
the CASP.

- Not accept any fees or inducements (except minor non-monetary
benefits that can enhance the service).

Where advice is provided on a non-independent basis, the CASP
may accept some monetary benefits under the following
conditions:

- The monetary benefit is designed to enhance the service.

- It does not impair compliance with the CASP’s duty to act honestly,
fairly, and professionally.

General Obligations:

Passporting – Article 65

The concept of passporting refers to regulations which allow crypto
service providers that are authorized in one EU member state to operate
across the entire European Economic Area (EEA) without needing
additional licenses in each country. Once a provider meets MiCA’s
requirements and gains approval in its home country, it will then be able to
“passport” its services to other EU countries, allowing for
streamlined access to the EU market while maintaining regulatory
compliance. CASPs are required to submit the following information to the
NCA:

• List of MS where services will be provided.

• Starting date of intended provision of services.

• List of all other activities provided by CASP not in scope of MiCA.

• Services intended to be provided.

Conduct Obligations – Article 66

Under MiCA, conduct obligations refer to specific rules which are designed
to ensure that CASPs operate responsibly and prioritize client protection.
CASPs are required to:

• Act honestly, fairly and professionally, including when issuing
  marketing communications.

• Warn clients of the risks of transactions in crypto and provide links
  to whitepapers.

• Make pricing and fees publicly available in prominent places on their
  website.

• Make information related to principal adverse environmental/
  climate-related impact of the consensus mechanism publicly
  available.

Prudential Requirements – Article 67

Prudential Requirements refer to financial and operational requirements
which CASPs must meet to ensure their stability, reliability, and ability to
manage risks. These requirements were introduced with the goal of
protecting the clients and maintaining market integrity.

Governance – Article 68

The term governance refers to the rules and systems which guide how a
CASP is managed and controlled. Article 68 outlines the requirements for
the internal structure and management of CASPs ensuring effective
oversight and decision-making. CASPs shall:

• Ensure suitability of the management body & good repute of
  qualifying shareholders.

• Employ personnel with necessary skills, expertise, and knowledge.

• Ensure business continuity.

• Comply with DORA Regulation and AMLD.

• Maintain records of all activities, services, transactions.

• Notify without undue delay any changes to the management body
  (prior to making changes).

Safekeeping of Clients’ Assets – Article 70

This article refers to regulations which are in place to ensure that a CASP
effectively manages a client’s assets. As per Article 70 a CASP is required
to:

• Ensure that clients’ assets are safeguarded and segregated.

• Not utilise clients’ assets for their own account.

• Place funds with a credit institution.

• Place crypto assets with an authorised CASP.

Complaint Handling - Article 71

CASPs shall:

• Establish and maintain effective and transparent procedures for the
  prompt, fair and consistent handling of complaints received from
  clients.

• Ensure that complaints can be submitted free of charge.

• Make a template available for complaints and inform clients of their
  right to submit a complaint.

• Investigate all complaints in a timely and fair manner and
  communicate the outcome of investigations to their clients within
  reasonable time.

Conflict of Interest – Article 72

CASPs shall maintain a conflict of interest policy to manage any conflict
of interest which may arise between themselves and:

• Shareholders
• Managers and employees
• Clients

NB – Any conflict of interest is to be published on the website.

Outsourcing – Article 73

The principles on outsourcing outlined in the new FIR 03, as they pertain
to MiCA, focus on ensuring that CASPs effectively manage the risks
associated with delegating functions or tasks to third parties. MiCA
introduces specific guidelines for outsourcing that align with broader EU
principles, like those found in the EBA Guidelines. CASPs shall comply with
the following conditions:

• Outsourcing shall not result in delegation of responsibility or alter
  relationship between CASP and client.

• Outsourced function cooperates with home NCA, and outsourcing
  does not prevent exercising of supervisory functions.

• CASP retains expertise for oversight of outsourced function and has
  direct access to relevant information.

• Outsourcing arrangements should be GDPR compliant.

• An outsourcing agreement is entered into.

• CASP provides all information on outsourcing upon request of the
  NCA.

Orderly Wind-Down – Article 74

An orderly wind-down refers to the structured and controlled process by
which a business or financial institution ceases its operations. The goal is
to ensure that the shutdown or closure happens in a way that minimizes
disruptions, protects clients and creditors, and complies with regulatory
requirements. CASPs providing the services listed below will be required to
have an orderly wind-down plan (including a plan on continuity or recovery
of critical activities):

• Custody

• Operation of a trading platform

• Exchange of crypto against funds or other crypto

• Execution of orders

• Placement

NB – The plan shall demonstrate the ability of the crypto-asset service
provider to conduct an orderly wind-down without causing undue
economic harm to its clients.

Market Abuse - Title VI

The Market Abuse Regulations (MAR) in MiCA are designed to ensure
transparency, fairness, and integrity in the crypto-asset markets. These
regulations aim to prevent fraudulent, manipulative, or deceptive
activities in relation to crypto assets, much like they do for traditional
financial markets. Market abuse provisions are applicable to all relevant
persons.

Article 87 defines what is meant by inside information. Inside information
refers to non-public, material information that, if made public, could
significantly affect the price of an asset. Specifically, it is information that
could influence an investor’s decision to buy, sell, or hold an asset (in this
case, a crypto asset). Under both MiCA and MAR, using inside information
for trading is illegal; the aim is to prevent insider trading, where
individuals use privileged knowledge for personal financial gain.
Both MiCA and MAR aim to ensure that all participants have access to the
same material information before making investment decisions. For crypto
assets, this could involve, for example, undisclosed updates about a
crypto project’s security vulnerabilities, partnership developments, or
regulatory approvals that could impact the market value of the asset.

Article 88 of MiCA outlines how inside information should be disclosed to
ensure market transparency. It emphasizes that once inside information is
made available to a limited group (e.g., insiders, investors), it must be
disclosed to the public promptly. MiCA adopts principles from MAR, which
requires that inside information must be made public as soon as possible
unless specific conditions justify a delay (such as protecting the stability
of the financial market or avoiding public panic). For crypto-asset
providers, this means ensuring that material information about their
projects, such as new technological developments, regulatory status, or
partnership announcements, is disclosed in an appropriate and timely
manner to prevent any unfair advantage.

Both MiCA and MAR impose strict obligations on companies to manage
inside information and ensure that no individual or group can profit from
information that is not yet available to the wider public. These regulations
aim to level the playing field and foster investor confidence by reducing
the risk of market manipulation and abuse.

• Art 89 prohibits insider dealing.
• Art 90 prohibits the unlawful disclosure of inside information.
• Art 91 prohibits market manipulation including:

  - Pump and dump.

  - Spoofing.

  - Front running.

  - Wash trading.

Art 92 requires persons arranging transactions or executing orders to
monitor for market abuse and report to the NCA.

Authorisation Supervisory Briefing – Agenda Item 6

The document provides guidance for National Competent Authorities
(NCAs) on authorizing Crypto Asset Service Providers (CASPs) under
the Markets in Crypto-Assets Regulation (MiCA). It emphasizes the
need for supervisory convergence to ensure consistent and effective
regulation across the EU while avoiding regulatory arbitrage. Though not
public, NCAs are expected to align with the principles outlined.

The guidance:

• Establishes core principles and minimum thresholds.

• Addresses areas prone to divergent application of MiCA.

• Offers granular guidance and best practices to promote
  consistency in the authorization process.

Core Principles / Minimum Thresholds for Risk-Based Approach

• No CASPs are “low risk”: CASPs, especially those dealing with
  retail investors, pose higher risks due to limited regulatory
  compliance history. "Fast-track" authorization or cursory
  assessments are deemed inappropriate.

• Risk-based scrutiny: While varying risks among CASPs may
  warrant differential treatment, elevated scrutiny is required for
  entities with specific high-risk characteristics.

Key Risk Elements in Authorisation

1. Size of CASPs:

   o Larger CASPs with over 1 million active EU users should
     face stricter scrutiny due to the potential for broader harm in
     case of non-compliance.

2. Cross-Border Activity:

   o CASPs with significant cross-border operations (e.g., >50% of
     clients outside the home state or >100,000 active users in
     five or more member states) require elevated scrutiny.

   o Entities seeking immediate passporting to all EU states must
     demonstrate robust compliance with MiCA standards in host
     jurisdictions.

3. Role in the Crypto Ecosystem:

   o CASPs with significant ecosystem influence (e.g., trading
     platforms or custody providers) are subject to stricter review
     to mitigate risks of systemic market impact.

4. Combination of Services:

   o CASPs offering more than four services (e.g., multifunction
     crypto-asset intermediaries) pose unique risks and should face
     heightened evaluation.

5. Outsourcing:

   o CASPs outsourcing critical functions (e.g., compliance, ICT
     systems) or relying heavily on outsourcing (>20% of FTEs,
     management fees, or operational costs) should undergo
     elevated scrutiny.

   o Outsourcing to non-EU entities poses additional risks and may
     limit supervisory effectiveness.

6. Supervisory History:

   o CASPs or key personnel with past regulatory sanctions,
     incomplete authorizations, or instances of jurisdictional
     arbitrage should be closely examined.

   o Multiple simultaneous applications to different NCAs may
     indicate attempts to exploit favorable regimes.

Best Practices for High-Risk Authorisation

1. On-Site Visits:

   o Conducted to verify the alignment between documented
     procedures and real-world operations, especially for high-risk
     CASPs. On-site visits should be organized early in the
     evaluation process.

2. Board-Level Involvement:

   o Authorization decisions for high-risk CASPs should receive
     board-level approval to ensure alignment with EU-wide
     convergence discussions.

3. Engagement with the DFSC:

   o High-risk authorizations, particularly for CASPs with
     cross-border ambitions, should be presented to the Digital Finance
     Standing Committee (DFSC) for information-sharing and
     guidance before final decisions.

4. Monitoring Marketing Activities:

   o NCAs must oversee promotional activities, especially for
     CASPs operating across borders, ensuring adherence to local
     marketing regulations.

5. Phased Rollouts:

   o CASPs with plans for immediate, large-scale operations across
     the EU should be encouraged to adopt a phased approach to
     reduce risks.

This article also stresses the importance of consistent, thorough, and risk-
focused authorization processes for CASPs. Elevated scrutiny should be
applied to high-risk entities, with specific emphasis on size, cross-border
operations, ecosystem influence, service complexity, outsourcing
practices, and supervisory history. The best practices proposed aim to
bolster the regulatory framework and prevent significant market
disruptions.

1. Core Principles/Minimum Standards

• Autonomy in decision-making: The EU entity must have the
  authority to make decisions on EU policy, as required by MiCA article
  59(2) and recital 74. A registered entity without sufficient personnel
  or management in the EU doesn’t meet requirements.

• Substance within the EU: CASPs should have substantial operations
  within the EU. Functions performed outside the EU should be
  minimal, focusing on essential operations. NCAs should assess
  decision-making powers and management presence in the EU.

• Supervisory function impact: Governance structures should not
  undermine the NCA’s ability to supervise, especially if governance
  or operations are limited in the EU or if group leadership is outside
  the EU.

2. Authorising on the Basis of Intended Substance

• CASPs may apply for authorization based on plans to increase EU
  substance over time, but NCAs should be conservative, allowing
  changes only if there is already a good minimum level of substance.

• A roadmap with timelines for substance increases must be provided,
  with progress evaluations and conditions attached to authorizations.

• EU substance should be reached within two years, with clear
  consequences for failing to meet milestones.

3. Insufficient Local Autonomy

• Independent Chair: The chair of the management board must be
  independent (no dual roles in the parent company).

• Time Commitment: Board members must dedicate sufficient time to
  CASP duties (ideally no dual hatting or at least 50% time
  commitment if dual hatting).

• Local Knowledge: Board members should have strong knowledge of
  national and EU rules and market conditions.

• Local Team: A significant proportion of key staff must be based in
  the Home Member State, ideally over 50%, with key management
  accessible to the NCA.

• Decision-Making: The EU entity should be able to make independent
  decisions without interference from the parent company.

4. Internal Control Function

• Responsibility for compliance and risk must lie with the CASP itself.
  Risk management and compliance functions should generally be
  separate unless disproportionate for smaller firms.

• An effective internal control framework should cover all activities,
  including outsourced ones, and include risk management,
  compliance, and internal audit functions.

• Periodic reviews and updates to policies are necessary.

5. Risk Management Framework

• The framework should have clear roles, responsibilities, and controls
  for identifying, assessing, and managing risks, including integrity,
  operational, legal, and other risks.

• Risk Appetite: Clearly define the level of acceptable risk aligned with
  the organization’s strategy.

• Monitoring and Reporting: Continuous risk monitoring and regular
  reporting to the management board.

• Evaluation: Annual assessment of the framework’s effectiveness,
  considering emerging risks and regulatory changes.

6. Compliance Function

• The compliance function must ensure adherence to internal and
  external rules. This includes risk mitigation related to misconduct
  and money laundering.

• The function should be independent and resourced adequately,
  reporting regularly to the management board.

• An annual evaluation of the compliance function’s effectiveness
  should be conducted.

7. Staff Outside the Country of Authorisation

• Staffing: Using staff outside the country of authorization is
  permissible, as long as it doesn’t exceed 50% of the total staff and
  doesn’t impede supervision by the NCA.

8. On-site Inspections and Non-EU Cooperation

• Non-EU Staff: If CASPs employ significant numbers of staff outside
  the authorization country, NCAs should liaise with counterparts in
  other EU or non-EU jurisdictions to verify substance. Lack of such
  cooperation may signal issues with substance assessment.

These points emphasize the importance of maintaining significant and
autonomous operations within the EU for CASPs, ensuring proper
governance structures, compliance, risk management, and effective
oversight by National Competent Authorities (NCAs).

Fit and Proper Testing

Key crypto asset players should undergo in-person interviews with
management board members who have not been previously interviewed
by the National Competent Authority (NCA). Core standards include a
commitment of at least 50% of their time, technical expertise in
blockchain, DORA/ICT risk management, crypto assets, and at least two
years of compliance experience. NCAs should investigate prior supervisory
violations of management members, using such information to assess risk
levels and engage with relevant NCAs for insights. The collective
suitability of a board is essential, particularly in the crypto asset sector,
where technical knowledge is critical. For firms with cross-border
operations, liaising with host member states is necessary to gather
relevant board member information. Best practices include conducting
interviews with key officers to ensure consistency in compliance
approaches.

Outsourcing

Outsourcing should not lead to a firm becoming a "letter-box entity," and
NCAs must ensure that firms maintain control over outsourced activities,
especially critical functions like IT infrastructure and AML compliance.
Outsourcing to jurisdictions with limited NCA oversight is prohibited, and
firms must demonstrate effective control over outsourced activities.
Special attention should be paid to the delegation of responsibility,
ensuring outsourcing does not compromise the firm's ability to supervise
its operations or meet regulatory requirements. Jurisdictions,
sub-outsourcing, and outsourcing highly important functions, like compliance
and IT control, must be scrutinized to ensure effective supervision and
governance. In custody arrangements, outsourcing is allowed only to
authorized entities. The use of third-party key management services, such
as Copper or Fireblocks, must be analyzed based on the active role these
parties play in controlling crypto assets.

Business Plan

Business plans should be realistic, based on current activities, and include
projections with clear intermediate points to monitor progress. Best
practices include stress-testing plans for higher customer numbers and
considering plausible events like sales decline or market changes. Firms
should notify NCAs of significant activity increases and provide
information on how they interact with decentralized finance (DeFi)
applications, including the associated risks.

Scoping Issues - Agenda Item 7giv

The Autoriteit Financiële Markten (AFM) has raised scoping issues related
to crypto-asset services under MiCA, informed by their experience with
applications. Clarity on these scoping issues is essential for both NCAs
(National Competent Authorities) and CASPs (Crypto-Asset Service
Providers) to align their understanding. To address this, the AFM suggests
using Q&As to ensure consistency across interpretations.

The scoping issues under MiCA present several challenges that stem from
divergent interpretations of crypto-asset services. Different stakeholders,
including CASPs, NCAs, and legal advisors, often interpret MiCA’s scope
inconsistently. During pre-application interactions, it was observed that
CASPs classify the same activities under varying crypto-asset services,
leading to discrepancies. This complexity is further compounded by the
partial equivalency of MiCA services to MiFID II’s investment services, as
the two frameworks are not fully aligned despite their similarities.

One of the major challenges arises in distinguishing between exchange
services and dealing on own account. MiCA defines exchange services
differently from MiFID II’s concept of dealing on own account, resulting in
interpretative difficulties. While MiFID II exempts certain activities from
regulation under Article 2(1)(d), MiCA offers no such exemptions.
Furthermore, MiCA explicitly separates the execution of orders on behalf
of clients from exchange services, which contrasts with MiFID II. MiCA also
uses a single definition for “client,” whereas MiFID II differentiates
between retail and professional clients, adding another layer of
complexity.

Brokerage activities under MiCA involve three primary services: exchange
services as defined in Articles 3(1)(19) and (20), execution services under
Article 3(1)(21), and reception and transmission of orders (RTO) under
Article 3(1)(23). Distinguishing between execution services and RTO
services depends on whether the firm concludes contracts directly on
behalf of clients or merely relays the order to a third party. This distinction
has implications for how services are categorized and regulated.

The overlap between execution services and exchange services also
creates ambiguity. Exchange services involve CASPs acting as
counterparties using proprietary capital, while execution services involve
concluding agreements on behalf of clients, potentially even with the
CASP itself. This overlap raises concerns, as exchange service providers
could also be classified as offering execution services, which may not
necessarily improve consumer protection.

To address these challenges, it is proposed that the scope of MiCA services
be explicitly delineated. Developing Q&As would help clarify these issues
and ensure alignment among CASPs, NCAs, and other stakeholders. This
approach aims to provide consistent interpretations, leveraging insights
from MiFID II while accounting for MiCA’s unique characteristics.

To conclude, the AFM emphasizes the need for a clear and consistent
interpretation of crypto-asset services under MiCA to prevent regulatory
discrepancies and to provide clarity to the sector. The proposed Q&A
approach would help address these challenges, leveraging insights from
MiFID II while respecting the unique characteristics of MiCA.
