Simplified authorization procedure in the light of MiCA

Simplified authorization procedure in the light of MiCA | Tamari Asatiani | PayTechLaw | Cover picture: Adobe Stock/Юлия Лазебная

The Markets in Crypto-Assets Regulation (MiCA) aims to foster an EU-wide innovative crypto ecosystem by regulating selected crypto-asset services and service providers and by establishing legal certainty and financial stability for consumers and investors.

The uniform rules it introduces include a simplified authorisation procedure: according to Art. 123 (3) MiCA, Member States can apply a simplified procedure to entities that, at the time of entry into application of MiCA, already have authorisation under national law for their crypto-asset services. Before granting authorisation under the simplified procedure, the competent authorities will examine whether crypto-asset service providers comply with the requirements of Chapters 2 and 3 of Title V of MiCA.

 

1. General requirements

The long list of general obligations for crypto-asset service providers begins with the good conduct requirement: crypto-asset service providers are obliged to act honestly, fairly and professionally in accordance with the best interests of their clients and potential clients. They must also meet an information requirement: their clients should receive fair, clear and not misleading information about any crypto-assets. In addition, they shall warn their clients about the risks of crypto-asset transactions.

Crypto-asset service providers that offer the following services: ‘the operation of a trading platform for crypto-assets’, ‘the exchange of crypto-assets for funds’, ‘the exchange of crypto-assets for other crypto-assets’, ‘providing advice on crypto-assets’ and ‘providing portfolio management on crypto-assets’ will be obliged to provide their clients with hyperlinks to any crypto-asset white papers in relation to which their services are provided. Furthermore, financial information such as pricing, costs and fee policies, as well as environmental and climate-related information, should be publicly available. ESMA, in cooperation with EBA, shall develop/update regulatory technical standards for providing this information.

 

2. Prudential requirements

Crypto-asset service providers will be obliged to have prudential safeguards in place at all times. The prudential safeguards shall be equal to an amount of at least the higher of the following: the permanent minimum capital requirements, depending on the nature of the crypto-asset services provided (Annex IV), or one quarter of the fixed overheads of the preceding year, reviewed annually.

The prudential safeguards can take the following forms: own funds and/or an insurance policy covering the territories of the Union where crypto-asset services are provided, or a comparable guarantee. Crypto-asset service providers shall publicly disclose the insurance policy on their website, and the policy must meet the specific characteristics required by MiCA (e.g. its initial term shall be no less than a year; the notice period for its cancellation should be at least 90 days, etc.). In addition, crypto-asset service providers need to fulfil the accounting requirements specified in MiCA.

 

3. Governance requirements

One of the central elements of the governance requirements is the professionalism and good repute of the members of the management body of crypto-asset service providers. Namely, they will need to have sufficient experience and skills to fulfil their duties and shall not have been convicted of offences that would affect their good repute. Natural or legal persons who are qualified holders shall also meet the good repute and competence requirements. Moreover, crypto-asset service providers will be obliged to develop adequate (internal) compliance policies and procedures to guarantee the fulfilment of the obligations under MiCA. The governance requirements also include personnel-specific skill requirements: the personnel of crypto-asset service providers need to have skills, knowledge and expertise that are suitable for their responsibilities.

With regard to the effectiveness of the existing policies and procedures, MiCA obliges the management body of the crypto-asset service provider to assess and periodically review them and to act appropriately to address any deficiencies. Furthermore, the performance of the services of crypto-asset service providers shall be continuous and regular, and providers are responsible for taking all reasonable steps to ensure this. They need to establish e.g. a business continuity policy, (timely) disaster recovery plans, resilient and secure ICT systems and procedures, etc.

What’s more, crypto-asset service providers shall have adequate and effective preventive mechanisms, systems and procedures for risk assessment and compliance. These mechanisms should be monitored continuously by crypto-asset service providers. Money laundering and terrorist financing can be prevented/detected only if appropriate systems, procedures and arrangements are in place. Furthermore, crypto-asset service providers need to have systems and procedures to guarantee the security, integrity and confidentiality of information.

Crypto-asset service providers are required to keep records of all crypto-asset services, activities, orders and transactions they undertake. A crypto-asset service provider will be obliged to provide this information to the client involved on request. These records will be kept for a period of five years. If the records are requested by the competent authority before the five years have elapsed, they need to be kept for a period of up to seven years.

Moreover, MiCA introduces market monitoring requirements for crypto-asset service providers: they will be obliged to monitor and detect market abuse using effective systems, procedures and arrangements, and to report to the competent authority any circumstances that indicate potential or committed market abuse.

 

4. Notification about changes/compliance to the management

Crypto-asset service providers will have a notification duty in case of changes to their management body: they need to notify their competent authority without any delay and provide the information necessary to assess the compliance specified in MiCA. This information duty needs to be fulfilled before the new members of the management body exercise any kind of activity.

 

5. Safekeeping requirements of clients’ crypto-assets and funds

If crypto-asset service providers hold crypto-assets belonging to clients or the means of access to such crypto-assets, they will be obliged to make arrangements to safeguard the ownership rights of their clients. The safeguarding of clients’ crypto-assets is particularly important in case of the insolvency of the provider.

Additionally, MiCA requires preventing the use of clients’ crypto-assets for the service provider’s own account. The same safekeeping requirements apply where business models or the crypto-asset services require holding clients’ funds other than e-money tokens. Moreover, the safekeeping requirements include placing the clients’ funds with a central bank or a credit institution. “Account separation” can also be seen as a main part of the safekeeping requirements: crypto-asset service providers shall guarantee that clients’ funds (other than e-money tokens) that are held with a central bank/credit institution are held in an account(-s) that is separately identifiable from any account used to hold funds of the crypto-asset service provider.

Furthermore, when a crypto-asset service provider offers its clients payment services related to the crypto-asset services, or provides such services through a third party, the crypto-asset service provider/third party should have a suitable authorisation (under Directive (EU) 2015/2366). They also need to fulfil a client information duty: clients should be informed about the nature and the terms and conditions of those services, etc. MiCA provides some exceptions to this rule: the defined safekeeping requirements for funds other than e-money tokens shall not apply to crypto-asset service providers that are electronic money institutions, payment institutions or credit institutions.

 

6. Complaint handling procedure

MiCA also covers the requirements for the complaint handling procedure. Crypto-asset service providers will be obliged to establish and maintain procedures for the prompt, fair and consistent handling of complaints. In addition, the descriptions of the complaint handling procedures need to be publicly available. MiCA provides detailed standards for clients’ complaints: they shall be free of charge; crypto-asset service providers need to make templates for complaints available and meet the record-keeping requirement; they will be obliged to inform their clients about the possibility of filing a complaint; and they should fulfil the duty of timely and fair investigation.

 

7. Identification, prevention, management and disclosure of conflicts of interest

The avoidance and mitigation of conflicts of interest will be a central part of the policy of crypto-asset service providers. Using an electronic format, namely their website, crypto-asset service providers shall publicly disclose to their (potential) clients every detail about the mitigation and prevention of conflicts of interest. MiCA requires crypto-asset service providers to review (the effectiveness of) this policy at least annually.

 

8. Outsourcing

In case of outsourcing, crypto-asset service providers shall avoid additional operational risk. According to MiCA, crypto-asset service providers will still have full responsibility towards their clients. Additionally, crypto-asset service providers shall guarantee that outsourcing will not influence the relationship between client and crypto-asset service provider or change the conditions of their authorisation, that the third parties involved in the outsourcing cooperate with the competent authority, etc.

Crypto-asset service providers still need to manage any risks associated with the service and have direct access to the relevant information. Furthermore, appropriate data protection law standards and suitable outsourcing policy requirements must be fulfilled. MiCA requires that the agreement between crypto-asset service providers and any third parties involved in outsourcing be in written form. This agreement shall specify the rights and obligations of both parties. Finally, crypto-asset service providers as well as third parties will have a duty to provide information to the competent/relevant authorities.

 

9. Orderly wind-down of providers

To avoid economic harm to clients, MiCA requires crypto-asset service providers that carry out the following services: custody and administration of crypto-assets on behalf of third parties, operation of a trading platform for crypto-assets, exchange of crypto-assets against funds or exchange of crypto-assets against other crypto-assets, execution of orders for crypto-assets on behalf of clients and placing of crypto-assets, to have a suitable plan for the orderly wind-down of their services in the light of applicable national law. This plan shall also include the continuity/recovery of the critical activities of these service providers.

 

10. Custody and administration of crypto-assets on behalf of third parties

Crypto-asset service providers that provide the crypto-asset service of custody and administration on behalf of third parties will be obliged to fulfil the obligations of Art. 67 MiCA. The requirements of this article will also be examined by the competent authorities for the purposes of the simplified authorisation procedure.

Firstly, these crypto-asset service providers need to enter into an agreement with their clients, and this agreement shall reflect their duties and responsibilities. The agreement shall cover: the identity of the parties to the agreement; the nature/description of the service provided; the means of communication between the parties (which covers the client’s authentication system); a description of the security systems of the crypto-asset service provider; the fees, costs and charges applied by the crypto-asset service provider; the law applicable to the agreement; and the custody policy.

As a next step, MiCA requires a register of positions: these crypto-asset service providers must keep a register of positions that is opened in the name of each client and corresponds to each client’s rights to the crypto-assets. Crypto-asset service providers will be obliged to record in this register, immediately, any movements following instructions from their clients.

MiCA also requires crypto-asset service providers that provide the service of custody and administration on behalf of third parties to establish a suitable custody policy, consisting of internal rules and procedures to ensure the safekeeping/control of crypto-assets or of their means of access, such as cryptographic keys. This requirement serves to minimise the client’s risk. Clients can request a summary of the custody policy, and it shall be provided in an electronic format.

Generally, (where applicable) “crypto-asset service provider shall facilitate the exercise of the rights attached to the crypto-assets.” The client’s position register shall immediately reflect any event likely to create or modify the client’s rights. Furthermore, if there are changes to the underlying DLT or any similar events that create or modify the client’s rights, the client needs to be entitled to any crypto-assets/rights that are newly created on the basis of, or to the extent of, the client’s positions. Exceptions to this rule can be agreed between the custodian and the client in a valid (signed) agreement prior to the event.

MiCA also introduces the following requirement for crypto-asset service providers that provide the service of custody and administration on behalf of third parties: at least once every three months (or at each request of their client), providers need to provide their clients with “the statement of position” of the crypto-assets recorded in their name. The statement should be in electronic format and must mention the crypto-assets concerned, their balance, their value and their transfers. Additionally, crypto-asset service providers will be obliged to immediately inform their clients about crypto-asset operations that require a response from them. Crypto-asset service providers shall also guarantee the immediate return of crypto-assets, or of the means of access to them, to their clients.

The requirement to segregate crypto-assets should also be fulfilled by the crypto-asset service provider. Specifically, their own holdings and their clients’ holdings shall be segregated. In addition, the means of access to the clients’ crypto-assets shall be clearly identified. Crypto-asset service providers shall guarantee that their clients’ crypto-assets are held on the DLT at addresses separate from those holding their own crypto-assets.

Regarding the liability of crypto-asset service providers, MiCA introduces the following rule: crypto-asset service providers are liable to their clients for the loss of crypto-assets, or of the means of access to them, resulting from an incident “that is attributable to the provision of the relevant service or the operation of the service provider”. The limit of their liability is measured on the basis of the actual market value of the crypto-asset lost.

Finally, in case of insolvency, the crypto-assets held in custody need to be insulated from the estate of the crypto-asset service provider. In this way, the creditors of the crypto-asset service provider have no recourse to the crypto-assets that are held in custody. Moreover, the crypto-asset service provider will be obliged to guarantee the operational segregation of the crypto-assets held in custody from its own estate.

 

11. When to apply?

The simplified authorisation procedure aims to speed up access to the benefits of MiCA. However, entities authorised under national law can initiate this procedure only 18 months after the date of entry into force of MiCA. This means that the authorised entities need to wait until the date of application of MiCA, and until then they should continue their work under their national authorisation. The benefits of MiCA will become accessible (even for authorised entities that are compliant with the discussed requirements) only once MiCA is in force and everyone is able to apply for the “normal” MiCA authorisation procedure.

 

 

Chapter 2

Art. 59 MiCA

1. General requirements

    • Good conduct requirement
    • Information requirement
    • Risk warning requirement
    • Whitepaper(-s)
    • Publicly available financial information
    • Publicly available climate-related information

Art. 60 MiCA

Annex IV

2. Prudential requirements

    • Prudential safeguards
    • Form of prudential safeguards: own funds/insurance policy
    • Accounting requirements

Art. 61 MiCA

3. Governance requirements

    • Professionality/Good reputation requirements of management
    • Professionality/Good reputation requirements of qualified holder natural or legal persons
    • Compliance policy/procedures
    • Personnel-specific skill requirements
    • Policy requirements/review
    • Service continuity/regularity requirements
    • Preventive mechanisms
    • Security/Integrity/Confidentiality of information
    • Record-keeping requirement
    • Record-providing requirement/the length of time (5 years or up to 7 years)
    • Market monitoring requirements

Art. 62 MiCA

4. Duty to inform competent authority about changes to the management

    • Notification of the competent authority
    • Fulfilment of the MiCA-compliance

Art. 63 MiCA

5. Safekeeping requirements of clients’ crypto-assets and funds

    • Safeguarding of clients’ crypto-assets
    • Safekeeping requirements of client’s funds other than e-money tokens
    • Separately identifiable account(-s)
    • Authorisation requirements for providing payment services
    • Client information duty when providing payment services
    • Exceptions from safekeeping requirements of client’s funds other than e-money tokens: electronic money institutions, payment institutions or credit institutions

Art. 64 MiCA

6. Complaint handling procedure

    • Procedural requirements/publishing
    • Free of charge complaints requirement
    • Template for complaints/record-keeping
    • Duty to provide information about procedure
    • Duty of fair and timely investigation

Art. 65 MiCA

7. Identification, prevention, management and disclosure of conflicts of interest

    • Effective management policy requirement/avoidance of conflict of interest
    • Website disclosure requirement
    • Annual review requirement

Art. 66 MiCA

8. Outsourcing

    • Prevention of additional operational risk
    • Doesn’t result in delegation of the responsibility
    • Doesn’t influence the client-service provider relationship
    • Doesn’t influence the authorisation-conditions
    • Cooperation between the third parties involved in the outsourcing and the competent authority
    • Service evaluation requirement
    • Direct accessibility of information
    • Data protection law standards
    • Policy requirement
    • Written form of the outsourcing-agreement
    • Duty to provide information to competent/relevant authority

Art. 66a MiCA

9. Orderly wind-down of providers

    • Wind-down plan
    • Continuity/recovery of the activities of the providers

Chapter 3

Art. 67 MiCA

10. Custody and administration of crypto-assets on behalf of third parties

    • Provider/client agreement requirement
    • Register of positions
    • Recording requirement
    • Custody policy/risk minimization purpose
    • Electronic format requirement of the custody policy
    • Client’s position register
    • Changes to the underlying DLT/any modification
    • Statement of position
    • Duty to provide information
    • Return of crypto-assets
    • Segregation of crypto-assets
    • Liability/events not attributable to the crypto-assets service provider
    • Insolvency – Insulation requirement
    • Segregation of crypto-assets from service provider’s estate
 
