Doing Crypto Business in Europe: MiCAR, the EU’s New Uniform Crypto Code – Part 2 | Goodwin

As noted in our previous Marketing Crypto-Assets in and Into Europe: MiCAR, the EU’s New Uniform Crypto Code, the European Union (EU) Markets in Crypto-Assets Regulation (MiCAR) was published in the Official Journal of the European Union on 9 June 2023. MiCAR is a major step toward an EU-wide uniform code governing crypto-assets, such as BTC, ETH, and stablecoins.

Although MiCAR came into force on 29 June 2023, there is a period of time before its provisions come into effect:

• The provisions governing certain stablecoins will apply from 30 June 2024.
• The provisions governing the remaining crypto-assets will apply from 30 December 2024.

There is, therefore, one year and 18 months, respectively, to achieve compliance with MiCAR.

As we discuss below, MiCAR indicates that it will apply where any non-EU crypto-business, including those in the US and UK, provides a crypto-service identified in MCAR to someone in the EU.

How Are Crypto-Asset Businesses Currently Regulated in the EU?

Regulation of crypto-assets in the EU is currently fragmented, with each EU member state having its own regulatory regimes for the regulation of crypto-assets that are not financial instruments within the meaning of the Markets in Financial Instruments Directive (MiFID). The fifth EU Money Laundering Directive (MLD5) does, however, require EU Member States to impose anti-money laundering and counterterrorist financing requirements on businesses providing custodian wallet services or fiat-to-crypto exchange services. MLD5 also requires these types of firm to be registered with their home state national competent authority. MLD5 does not impose any requirements on crypto businesses that advise on or offer placing services. This has left scope for significant variation between the regimes of different member states. For example, Germany follows a strict approach to regulation, requiring some firms to be fully authorized, whereas countries such as Denmark and the Netherlands do not have any specific regulation beyond the requirements of MLD5. 

What Is MiCAR?

As noted in our previous alert, MiCAR is an EU regulation, and unlike an EU directive, it will bind EU businesses directly without the need for individual EU member states to implement laws to put it into effect. It will, therefore, address the current fragmented position in the EU, although individual EU member state authorities will be responsible for enforcing MiCAR in their respective territories.

MiCAR addresses the following:

• the issuance and marketing/offering of crypto-assets, to which MiCAR applies, covered in our alert “Marketing Crypto-Assets in and Into Europe: MiCAR, the EU’s New Uniform Crypto Code”
• the performance of activities/offering of services connected with crypto-assets, such as the custody and administration of crypto-assets on behalf of third parties, the operation of a trading platform for crypto-assets, and the exchange of crypto-assets for fiat currency or other crypto-assets, covered in this alert
• the prevention of market abuse involving crypto-assets (to be covered in another alert)

MiCAR will be relevant not only to those involved in carrying on these activities but also to those who acquire businesses involved in carrying on these activities, as discussed further below. 

What Types of Crypto-Assets Does MiCAR Apply To?

As discussed further in our previous alert “Marketing Crypto-Assets in and Into Europe: MiCAR, the EU’s New Uniform Crypto Code,” MiCAR defines a “crypto-asset” as “a digital representation of a value or a right that is able to be transferred and stored electronically, using distributed ledger technology or similar technology”. However, the Commission is given power to introduce secondary legislation to “specify technical elements of the definitions [in MiCAR]… and to adjust those definitions to market developments and technical developments”, so the question of whether certain assets fall within the definition should be kept under review.

Despite the broad definition of “crypto-assets”, the obligations imposed by MiCAR do not apply to certain types of crypto-assets, including central bank digital currencies and “unique” non-fungible tokens (NFTs). 

What Types of Crypto-Asset Businesses Does MiCAR Apply To?

MiCAR extends the regulatory perimeter to capture businesses providing the following categories of crypto-asset services, thereby making that business a crypto-assert service provider (CASP),:

• Custody and administration of crypto-assets on behalf of clients: This includes safekeeping or controlling crypto-assets or the means to access crypto-assets on behalf of clients. Note this would apply to custody and administration of private cryptographic keys.
• Operation of a trading platform for crypto-assets: This is defined to include management of systems that bring together or facilitate the bringing together of multiple third parties purchasing and selling crypto-assets in a way that results in a contract. This would apply to platforms allowing both the exchange of crypto-assets for other crypto-assets as well as for fiat currency. 
• Exchange of crypto-assets for funds or other crypto-assets: This is defined as concluding purchase or sale contracts concerning crypto-assets with clients against fiat currency or other crypto-assets using proprietary capital. 
• Execution of orders for crypto-assets on behalf of clients: This captures the activity of concluding agreements to buy or to sell one or more crypto-assets or to subscribe for one or more crypto-assets on behalf of clients.
• Placing of crypto-assets: This is defined as marketing crypto-assets to purchasers on behalf of or for the account of the offeror or a party related to the offeror.
• Reception and transmission of orders for crypto-assets on behalf of clients: This involves the reception from a person of an order to purchase or sell one or more crypto-assets and the transmission of that order to a third party for execution.
• Providing advice on crypto-assets: This includes offering, giving, or agreeing to give personalised recommendations to a client, either at the client’s request or on the initiative of the CASP, in respect of transactions relating to crypto-assets or the use of crypto-asset services.
• Providing portfolio management on crypto-assets: This includes managing portfolios in accordance with mandates given by clients on a discretionary client-by-client basis where such portfolios include one or more crypto-assets.
• Providing transfer services for crypto-assets on behalf of clients: This is defined to include providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another.

Will MiCAR Apply to Non-EU Crypto Businesses?

Whether MiCAR will apply to the activities of a CASP will depend on the place in which the services are provided, rather than the jurisdiction in which the CASP is established. 

The wording of MiCAR indicates that it will have extra-territorial effect requiring any third-country firms that provide services to EU-based customers to become authorised under MiCAR. 

MiCAR provides a reverse solicitation exception for clients established in the EU that seek out crypto-asset services provided by a third-country firm on their own initiative. In this case the crypto-asset services will not be deemed to be provided in the EU and so will be out of scope of MiCAR. However, the Recitals to MiCAR state that if the third-country firm solicits clients or otherwise promotes or advertises any crypto-asset services in the EU, then it will not be able to rely on this exception, regardless of any contractual disclaimers that may be in place. 

It is important to note that a condition of authorisation is that CASPs must have their “place of effective management” in the EU, and at least one director must be resident in the EU. The Recitals to the act adds that “place of effective management” is the location of the key management and commercial decisions that are necessary for the conduct of the business. Essentially this means that, subject to a narrow reverse solicitation exception discussed below, third-country firms will not be permitted to provide crypto-asset services within the EU. 

Once authorised, a CASP can rely on a passporting regime to provide crypto-asset services throughout the EU. To do this, the CASP should provide its home regulator with a list of the member states in which it intends to provide crypto-asset services and the date it intends to start providing these services. The home regulator must then, within 10 working days, communicate this to the regulator in each of the relevant member states, allowing the services to be provided 15 calendar days after the intention to provide the cross-border services is communicated to the home regulator. 

What Must a Business Do Before It Can Become a CASP?

Subject to the narrow reverse solicitation exception described above, under MiCAR, crypto-asset services may be provided in the EU only by: 

• Firms that have been authorised as a CASP. 
• Firms holding other authorisations that are deemed by MiCAR to be equivalent to certain specified crypto-asset services and that have provided specified information to the competent authority of their home member state at least 40 working days before providing the crypto-asset services for the first time. For example, an authorised central securities depository may provide the crypto-asset service of custody and administration of crypto-assets without obtaining further authorisation.

To obtain authorisation as a CASP, a firm must (i) have a registered office in the EU where it carries out at least part of its crypto-asset services; (ii) have its place of effective management in the EU; and (iii) have at least one director resident in the EU. 

Following receipt of a complete application for authorisation, a regulator will have 40 working days to grant or refuse authorisation and must provide a fully reasoned decision to the applicant within five working days of making a decision. Following authorisation, a CASP will be added to a public register maintained by the European Securities and Markets Authority (ESMA).

Are There Any Transitional Provisions for Firms That Are Registered or Authorised Under Existing Regimes?

Prior to MiCAR, there were no uniform rules governing the activities of CASPs across the EU. As a result of this, each member state regime contains important differences regarding the scope of crypto-assets and activities captured and the requirements placed on these activities.

MiCAR nevertheless provides that CASPS that provided their services in accordance with applicable law before 30 December 2024, may continue to do so until 1 July 2026 or until they are granted or refused authorisation under MICAR, whichever is sooner.

What Ongoing Obligations Are Crypto-Asset Service Providers Subject to Under MiCAR?

Ongoing obligations placed on all CASPs

All CASPs are under a general obligation to act honestly, fairly, and professionally and to act in the best interests of their clients. This includes an obligation that communications must be fair, clear, and not misleading and that marketing communications must be identified as such. 

All CASPs are also subject to ongoing disclosure requirements. This includes obligations to publish policies on pricing, costs, and fees as well as any relevant principal adverse impacts on the climate. In addition to this, CASPs must comply with stringent prudential requirements, including minimal capital requirements (held in the form of own funds or qualifying insurance policies).

Various organizational and governance requirements must also be complied with by all CASPs, including requirements as to:

• the suitability of members of the management body, direct or indirect shareholders, and employees
• Business continuity and disaster recovery planning
• Recordkeeping
• Safeguarding of clients’ crypto-assets and funds
• Complaint handling
• Identification, prevention, management, and disclosure of conflicts of interest
• Outsourcing
• Plans for an orderly wind-down

There are also requirements around outsourcing of operational functions. CASPs are required to put in place a policy on outsourcing and must have a written agreement with any third parties involved in outsourcing. Regardless of whether activities have been delegated to third parties, CASPs will remain responsible for complying with all their obligations under MiCAR. 

Ongoing obligations relevant to specific crypto-asset services

How Does This Differ for “Significant” Crypto-Asset Service Providers?

A CASP is deemed to be “significant” where on average during one calendar year it has 15 million daily active users in the EU. If this is the case, the CASP must notify the member state regulator within two months of reaching the threshold. 

The regulatory framework for significant CASPs remains the same; however, the member state regulator is obliged to report annually to ESMA on key supervisory developments related to that CASP. The ESMA will have the power to issue opinions on how to promote supervisory coordination in relation to a significant CASP. In addition to this, where there is a threat to the orderly functioning and integrity of the financial markets or the stability of the EU financial system, the ESMA may exercise an intervention power to prohibit or restrict the provision of crypto-asset services by the CASP or take other appropriate measures. 

Are There Any Provisions Governing The Acquisition of CASP?

Yes. If a legal person wishes to acquire voting rights or capital in a CASP reaching or exceeding thresholds of 20%, 30%, or 50%, it will be required to notify the relevant member state regulator indicating the size of the intended holding and providing other information. MiCAR prescribes a process and the matters to be taken account of in making an assessment. These are similar to those found in other directives, such as:

• the reputation of the proposed acquirer
• the reputation, knowledge, skills, and experience of any person who will direct the business of the CASP as a result of the proposed acquisition
• the financial soundness of the proposed acquirer
• whether the crypto-asset service provider will be able to comply with the requirements of MiCAR
• whether the acquisition could increase the risk of money laundering or terrorist financing

These provisions will be subject to secondary legislation to be developed by the European Securities and Markets Authority in cooperation with the European Banking Authority.

Will the Position on CASPS in the UK Be the Same as That Under MiCAR?

No. The UK government issued a consultation Future financial services regulatory regime for cryptoassets – GOV.UK (www.gov.uk) on an expanded regime for CASPS, some of which are subject to a regime similar to that under MLD5 discussed in our Alert Buying A U.K. Crypto Business: The New Regulatory Hurdles. Under current proposals, the UK regime will be similar to that under MiCAR in that it identifies specific crypto-asset services, the carrying on of which will require any entity to be authorized by the Financial Conduct Authority as a CASP. The new regime is expected in early 2024. 

[View source.]