MiCA: Regulating provision of services in crypto-assets

Executive summary

On September 24, 2020 the European Commission published its long-anticipated Digital Finance package, comprising legislative proposals and non-legislative communications. One of the legislative proposals published included a draft regulation on markets in crypto-assets (MiCA). MiCA is the first European-level legislative initiative aiming to introduce a harmonized and comprehensive framework for the issuance, application and provision of services in crypto-assets. The draft legislation provides a set of prescriptive rules that, once formally adopted, will shape conduct of business in European markets in crypto-assets. In this briefing series we aim to provide a comprehensive overview of the proposed rules as intended to apply to various categories of participants in the crypto-asset markets. This article focuses on the provision of services in crypto-assets. 

Who is this relevant to?

This article is relevant to providers of services in crypto-assets that are not financial instruments within the meaning of the revised Markets in Financial Instruments Directive (MiFID II). This includes providers of one of eight types of services in crypto-assets as defined in MiCA and including:

• The custody and administration of crypto-assets on behalf of third parties;
• The operation of trading platforms for crypto-assets;
• The exchange of crypto-assets for fiat currency that is a legal tender;
• The exchange of crypto-assets for other crypto-assets;
• The execution of orders in crypto-assets on behalf of third parties placing crypto-assets;
• The reception and transmission of orders for crypto-assets on behalf of third parties; and
• The provision of advice on crypto-assets.

This article also is relevant to all such persons located or established in the European Economic Area (EEA) or established outside the EEA (including in the United Kingdom once the transition period expires) and having clients located in the EEA. It is also relevant to investment firms providing investment services or performing investment activities in crypto-assets that, albeit not subject to MiCA authorization requirements, will have to comply with certain prudential and organizational requirements. 

Explanation of terminology used

The proposed regulation provides for the first time in European law a harmonized set of definitions applicable to markets in crypto-assets. Some of the key definitions relevant to the scope of this article include: 

• Crypto-asset: a digital representation of value or rights, which may be transferred and stored electronically, using distributed ledger technology (DLT) or similar technology. 
• Crypto-asset service provider: any person whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis. 
• Custody and administration of crypto-assets on behalf of third-parties: safekeeping or controlling, on behalf of third parties, crypto-assets or the means of access to such crypto-assets, including in the form of private cryptographic keys.
• Operation of trading platforms for crypto-assets: managing one or more trading platforms for crypto-assets, within which multiple third-party buying and selling interests for crypto-assets can interact in a manner that results in a contract, either by exchanging one crypto-asset for another, or a crypto-asset for fiat currency that is legal tender.

Authorization of crypto-asset service providers

Only legal persons that have a registered office in one of the European Union (EU) Member States and have obtained an authorization from the relevant national competent authorities as crypto-asset service providers in accordance with MiCA will be permitted to provide services in crypto-assets. An authorization in one Member State will be valid for the entire EU, in accordance with a “passporting” mechanism familiar from other pieces of European markets legislation. However, and this is an important distinction in comparison to other European financial services legislation, MiCA does not provide for a separate third country regime. This means that persons located in a non-EU jurisdiction and wishing to actively promote and/or advertise their services to clients in the EU will have to obtain full authorization. Otherwise they could rely on a very restrictive reverse solicitation provision. 

In respect of the authorization requirement, MiCA sets out a long list of information that a person will need to provide for the purpose of the application procedure. This will include a program of operations, a description of internal control mechanisms, a procedure for risk assessment and business continuity plan, and proof that the applicant meets the relevant prudential safeguards. In terms of the authorization procedure, the national competent authorities will have 25 days to assess the completeness of the application and subsequently three months to review it in detail and grant or refuse an authorization. All authorized crypto-asset service providers will be listed on a central register that will be maintained by the European Securities and Markets Authority (ESMA). 

Obligations of crypto-asset service providers

Crypto-asset service providers will be obliged to act honestly, fairly and professionally in accordance with the best interests of their clients and prospective clients. This will include making their pricing policies publically available. In respect of prudential requirements, crypto-asset service providers will be obliged to have in place prudential safeguards equal to the amounts specified in MiCA and composed of own funds and an insurance policy. Interestingly, the obligation to maintain such prudential safeguards will also apply to investment firms providing services in crypto-assets, but it is unclear at this stage how this obligation is intended to interact with the prudential requirements as set out in Regulation (EU) 2019/2033 on the prudential requirements for investment firms (IFR). MiCA is also quite prescriptive in respect of the types of risks the insurance policy must cover, which will include loss of documents, acts, errors or omissions resulting in a breach of the duty to act honestly, fairly and professionally towards clients, as well as where applicable, gross negligence in safeguarding clients’ crypto-assets and funds. 

Organizational requirements and ICT risks

Crypto-asset service providers will have to have in place resilient and secure ICT systems, including internal control mechanisms and procedures for risk assessments, set up in accordance with the proposed regulation on digital operational resilience in financial services (DORA) (a high-level summary of DORA is available on our Regulation Tomorrow blog). In addition to other organizational requirements such as record keeping, complaints handling procedures and procedures for prevention, identification, management and disclosure of conflict of interests, crypto-asset service providers will need to have in place systems, procedures and arrangements to monitor and detect market abuse. They will need to report any suspicion that “there may exist circumstances that indicate that any market abuse has been committed, is being committed or is likely to be committed”. Finally, crypto-asset service providers relying on third parties for the performance of operational functions will need to comply with the rules on outsourcing as set out by MiCA.

Specific requirements for different types of crypto-asset service providers

In addition to the requirements applicable to all types of crypto-asset service providers as set out in earlier parts of this article, MiCA foresees specific requirements that will apply according to the type of their permission. Key points to note include:

• Custody and administration of crypto-assets: persons authorized to provide such services will have to enter into a written agreement with their clients, specifying their duties and responsibilities. They will also have to keep a register of positions opened in the name of each client, establish a custody policy, and facilitate the exercise of the rights attached to the crypto-assets. They will also have to provide regular and on-request reporting to clients, including a statement of client positions, and ensure separation of holdings of crypto-assets held on behalf of clients from their own holdings. Finally, they will be liable to clients for loss of crypto-assets resulting from “malfunction or hacks” up to the market value of the crypto-asset lost.
• Operation of a trading platform for crypto-assets: persons authorized to provide such services will have to adopt operating rules for the platform, in accordance with the requirements set out in MiCA. They will not be able to deal on own account on the trading platform they operate. They will also need to put in place effective systems, procedures and arrangements to ensure operational resilience of their trading systems. Finally, they will be subject to MiFID-like pre- and post-trade transparency provisions, and will have to ensure that their fee structures are transparent, fair and non-discriminatory.
• Exchange of crypto-assets: persons authorized to provide such services will have to establish a non-discriminatory commercial policy that will indicate the type of clients they accept to transact with and the conditions that are to be met by clients. They will have to publish firm prices or methods for determining the prices, execute orders at the time of their receipt and publish the details of orders received and the transactions concluded by them.
• Execution of orders in crypto-assets: persons authorized to provide such services will be subject to best execution requirements and to this end, they will have to establish and implement “effective execution arrangements” consisting of, among other elements, an order execution policy.
• Placing of crypto-assets: persons authorized to provide such services will have to communicate certain prescribed information to clients prior to concluding a contract with them, and obtain the agreement of the issuers or any third party acting on their behalf.
• Reception and transmission of orders in crypto-assets: persons authorized to provide such services will have to establish and implement procedures and arrangements which provide for the “prompt and proper transmission of client’s orders for execution”. MiCA prohibits receipt of any inducements (remuneration, discounts or non-monetary benefits) for routing clients’ orders to a particular trading platform.
• Advice on crypto-assets: persons authorized to provide such services will have to “assess the compatibility” of crypto-assets with the needs of the clients and only on this basis provide the relevant recommendations – and provide appropriate warnings about possible fluctuations in crypto-asset value. 

Timeline and forecast for application

Once adopted, MiCA is intended to become applicable 18 months following its entry into force. European legislators – the European Parliament and the Council of Ministers – have already begun their review of MiCA. Assuming that the legislative review will take approximately 18 months and MiCA will be published in the EU Official Journal in Q4 2021, it will become applicable in Q2 2023. That said, it is impossible to predict exactly the duration of the legislative review (complex files tend to take longer) and the phase in periods may be amended in the course of legislative review. 

How we can help

Our team has extensive experience in advising European, UK and third-country market participants in crypto-assets, including operators of trading venues, custodians and post-trade service providers, as well as a variety of other companies active in the broader FinTech sector. Unlike most other law firms, we offer a blend of legal, compliance and government relations skills in one cohesive team. This means we can help clients to prepare for legislative change by advising on legal and regulatory requirements, as well as on practical aspects of their implementation from the perspective of operational systems and controls adaptation.