Crypto regulation: the introduction of MiCA into the EU regulatory landscape
Just over two years after it was first proposed, the agreed text of the new Markets in Crypto-assets Regulation (MiCA) has beenreleased. MiCA aims to create an EU regulatory framework for the issuance of, intermediating and dealing in, cryptoassets. It will introduce licensing and conduct of business requirements as well as a market abuse regime with respect to cryptoassets.
With parts of MiCA anticipated to come into force from spring 2024, we look at what issuers of stablecoins and other cryptoassets, custodians and other crypto service providers need to know now.
MiCA creates a broad regulatory framework for cryptoassets in the EU which:
- regulates the issuance of, and admission to trading of, cryptoassets, including transparency and disclosure requirements
- introduces licensing of cryptoasset service providers, issuers of asset-referenced tokens and issuers of electronic money tokens
- clarifies the regulatory obligations applicable to issuers of asset-referenced tokens, issuers of electronic money tokens and cryptoasset service providers, including consumer protection rules for the issuance, trading, exchange and custody of cryptoassets
- strengthens confidence in cryptoasset markets by creating a market abuse regime prohibiting market manipulation and insider dealing
- clarifies the powers, including the co-operation and sanctions framework, available to competent authorities.
The requirements under MiCA are broadly similar to requirements under the existing EU financial services regimes, including requirements relating to disclosures, governance and licensing. However, as there are nuances between MiCA and the existing regime, firms engaging in cryptoasset activities will need to consider whether they will fall under the MiCA definition of "cryptoassets" or whether they are subject to another regulation, to ensure that they adhere to the appropriate regulation, in particular for transferable securities which may constitute a financial instrument falling under the Markets in Financial Instruments Directive II (MiFID II) as further discussed below.
MiCA forms part of the European Commission's wider digital finance strategy, which also includes a Regulation on digital operational resilience (DORA) – which will also cover cryptoasset service providers – and a new Regulation on a distributed ledger technology (DLT) pilot regime focused on financial market infrastructures based on DLT. (See our article: DORA: Exploring what the new European Framework for Digital Operational Resilience means for your business)
Who does MiCA apply to?
Broadly, MiCA applies to three categories of persons:
- Issuers of cryptoassets. This does not necessarily mean the entity or firm that has created the cryptoassets. Instead, the issuer of a cryptoasset is the "legal person who offers to the public any type of cryptoassets" or "seeks the admission of such cryptoassets to a trading platform for cryptoassets". The framework that applies will also depend on what type of cryptoasset is being offered
- Cryptoasset service providers (CASPs). This includes any person whose occupation or business is the provision of one or more cryptoasset services to third parties on a professional basis
- Any person, in respect of acts that concern trading in cryptoassets that are admitted to trading on a trading platform for cryptoassets operated by an authorised cryptoasset service provider, or for which a request for admission to trading on such a trading platform has been made.
What types of cryptoassets are in scope of MiCA?
MiCA applies with respect to "cryptoassets", which are defined very broadly as "a digital representation of a value or a right that uses cryptography for security and is in the form of a coin or a token or any other digital medium which may be transferred and stored electronically, using distributed ledger technology or similar technology". This definition is aimed at capturing not only cryptocurrencies, such as Bitcoin and Ethereum, but also stablecoins and utility tokens.
What is not covered by MiCA?
MiCA does not apply to security tokens which would quality as transferable securities and other cryptoassets that qualify as financial instruments for the purposes of MiFID II, deposits, securitisation positions, insurance or pension products.
DeFi protocols and truly "unique" nonfungible tokens (NFTs) are largely outside the current scope of MiCA. However, there is a review clause baked into the regulation that could lead to specific regulatory regimes to be introduced for them at a later date, if needed. Unique NFTs are excluded unless they replicate a financial instrument or where the issuer creates a "collection" of assets for purchase. The idea behind the latter is to allow artists and firms to create individual digital assets without being buried in regulatory paperwork. Companies behind NFT collections, however, will have to provide a white paper that explains what their product is and how they operate on the blockchain.
MiCA does not apply to central bank digital currencies (CBDCs) issued by the ECB and digital assets issued by national central banks of the Member States when acting in their capacity as monetary authority, or to services related to cryptoassets that are provided by such central banks.
My firm could be an issuer of cryptoassets, what does MiCA mean for me?
MiCA creates a base regime for all issuers of cryptoassets and imposes additional, or different, obligations on (i) issuers of asset-referenced tokens or (ii) issuers of e-money tokens.
An issuer of cryptoassets will have to be incorporated as a legal entity in the EU and will be required to publish a white paper in respect of the relevant cryptoassets and to notify such white paper to its competent authority. The white paper regime under MiCA borrows heavily from the existing Prospectus Regulation regime. The white paper should, amongst other things: • describe the crypto project and the main participants; • describe the type of blockchain consensus mechanism used, e.g. proof of work (PoW) or proof of stake (PoS); • describe the terms of the offer to the public; • set out the rights attaching to the cryptoassets in question; • disclose the key risks associated with the cryptoassets; and • contain a summary, to help potential purchasers make an informed decision regarding their investment.
Although a white paper does not need to be approved prior to publication, the relevant competent authority may require amendments to the white paper or suspend the offer or trading of the cryptoassets. It is essential that firms ensure that their white paper adequately covers the content required under MiCA.
Issuers will also have to consider whether any additional EU or domestic regulatory frameworks apply in parallel, for example in relation to registration under any implementation of the EU anti-money laundering Directive (AMLDV).
What requirements apply to stablecoin issuers?
Under MiCA, stablecoin issuers are subject to additional regulatory requirements. Stablecoins are referred to in MiCA as cryptoassets whose aim is to maintain a stable value in relation to an official currency of a country or to one or several assets. A stablecoin therefore constitutes either (i) a cryptoasset, that is not an e-money token, that purports to maintain a stable value by referencing to any other value or right or a combination thereof, including one or more official currencies (an asset referenced token) or (ii) a cryptoasset that purports to maintain a stable value by referencing to the value of one official currency (an e-money token).
Issuers of asset-referenced tokens (ARTs)
Location and licensing requirements
To offer ARTs to the public in the EU or be admitted to trading on a crypto platform, an issuer of ARTs must be established and authorised (licensed) in the EU.
Systems and controls
An issuer of ARTs is also required to put in place "robust governance arrangements…with well-defined, transparent and consistent lines of responsibility" in order to, amongst other things, "identify, manage, monitor and report the risks to which [it is] or might be exposed". Issuers of ARTs are also required to maintain a recovery plan providing for measures to be taken by the issuer to restore compliance with the requirements applicable to the reserve of assets. Reserve assets must be held in custody on certain prescribed terms and can only be invested in highly liquid financial instruments. There are also detailed requirements in respect of treating customers fairly, ongoing disclosure, complaint handling, governance and systems and controls as well as prudential requirements.
The regime envisages certain partial exemptions depending on the type of offer (e.g. to qualified investors) or if the issuer is already regulated (e.g. as an EU credit institution). Issuers of e-money tokens Permitted issuers/ authorisation The issuance of e-money tokens is only permitted for EU credit institutions and for electronic money institutions (authorised under the E-money Directive).
E-money tokens must amount to a claim on the issuer and must be redeemable at par. Funds received by issuers of e-money tokens in exchange for e-money tokens, if invested, must be invested in assets denominated in the same currency as the one referenced by the e-money token.
MiCA imposes additional rules for regulation of "significant" ARTs and e-money tokens, including in relation to liquidity maintenance, recovery and redemption planning. Competent authorities will also be granted MiFID-like product intervention powers and a separate empowerment to require an issuer of an ART widely used as a medium of exchange or of an e-money token denominated in a non-EU currency to introduce a minimum denomination or to limit the amount issued in order to decrease usage of such tokens.
The limits on use of USD-pegged stablecoins under MiCA have been subject to debate amongst EU co-legislators and last-minute changes to the agreed text approved by the Council. This appears to be driven by a desire to avoid USD-pegged stablecoins becoming a global reference currency for cryptoassets. Indeed, the thresholds set for the daily number and value of transactions (2,500,000 transactions and EUR 500 million, respectively) are not high in the context of USD-denominated stablecoins currently used in the market.
My firm provides cryptoasset services, does it need to be licensed?
Generally, yes, the provision of any cryptoasset service will trigger an authorisation requirement. However, authorised credit institutions and authorised MiFID investment firms may provide cryptoasset related services without having to obtain a separate authorisation. Note that these firms would still need to notify their competent authorities that they intend to provide services under MiCA and would also have to comply with the relevant supervisory framework imposed under MiCA, including conduct of business obligations and governance arrangements, which may vary from existing applicable standards.
What requirements apply to cryptoasset service providers (CASPs)?
Legal form and governance requirements
A CASP should be a legal person who has a registered office in a member state and has been authorised by the relevant competent authority. A CASP will have to comply with detailed requirements in respect of its governance arrangements and risk management, including systems and controls requirements. CASPs are required to monitor and disclose conflicts of interest and have in place internal know-your-customer policies.
Disclosure and prudential requirements
CASPs will have to disclose what type of blockchain consensus mechanism they use, e.g. PoW or PoS, in a white paper. CASPs should maintain prudential safeguards, either in the form of ownfunds regulatory capital or by taking out insurance.
Activity-specific requirements MiCA provides details on the terms on which various cryptoasset services are to be provided, including, for example, the custody and administration of cryptoassets on behalf of third parties, the operation of trading platforms for cryptoassets, the placing and execution of orders for cryptoassets on behalf of third parties and the provision of advice on cryptoassets.
Firms will need to undertake a detailed review of the requirements they are subject to under MiCA which relate to the particular cryptoasset service they provide.
MiCA does not provide for a separate third country regime. This means that persons located in a non-EU jurisdiction and wishing to actively promote and/or advertise their services to clients in the EU will have to obtain full authorisation (as illustrated in practical examples below). One of the requirements for becoming licensed as a CASP under MiCA is that the CASP has a registered office in an EU member state where they carry out at least part of their cryptoassets services. They must also have an effective place of management in the EU and at least one director shall be EU resident.
My firm provides crypto custody services – is it liable for losses?
MiCA introduces specific liability requirements for custodians of cryptoassets in relation to losses, in contrast to the position under existing legislation for more traditional assets, where liability for loss is not generally imposed.
A custodian holding reserve assets for an issuer of ARTs must, if financial instruments or cryptoassets are lost, return identical assets or their value to the issuer without undue delay, unless it can prove the loss arose from an external event beyond its reasonable control, the consequences of which would have been unavoidable despite all reasonable efforts to the contrary. This resembles depositary liability wording in AIFMD and UCITS V, suggesting that ARTs are viewed as similar to funds.
A custodian will also be liable for loss of cryptoassets (or means of access) resulting from an incident attributable to provision of the service or operation of the service provider, capped at the market value of the cryptoassets lost.
Note, "custody and administration of cryptoassets on behalf of third parties" is defined as "safekeeping or controlling, on behalf of third parties, cryptoassets or the means of access to such cryptoassets, where applicable in the form of private cryptographic keys". The inclusion of "controlling" makes this much wider than normal definitions of custody.
Custodians providing or considering providing crypto custody services in the EU should carefully consider their risk appetite in relation to these liabilities and the broad definition of custody, and ensure that they have robust systems and controls in place as well as appropriate insurance to mitigate the effect of such rules.
How does supervision work under MiCA?
Competent Authorities (CAs) at member state level will be responsible for supervising CASPs and enforcing requirements under MiCA.
CASPs that have more than 15 million active users will be classified as "Significant CASPs". Significant CASPs will remain supervised by the relevant CA(s), but the European Securities and Markets Authority (ESMA) will have an "intervention power" to prohibit or restrict the provision of cryptoasset services by CASPs if there are threats to market integrity, investor protection or financial stability. Additionally, ESMA will be able to issue opinions on how to promote supervisory convergence; ESMA already has these powers for the wider financial market.
The European Banking Authority will supervise stablecoins that have more than 10 million users or a reserve of assets that are worth more than €5 billion. The European Central Bank will also have veto rights in respect of any stablecoin in relation to which it has concerns. Stablecoin issuers will be obliged to maintain reserves 1:1 to cover all claims and provide permanent redemption rights to holders. Reserves will be fully protected in the event of insolvency.
ESMA will be empowered to operate a crypto blacklist in which it can effectively name and warn investors of any CASP that fails to comply with the requirements in MiCA. For example, any company that refuses to register in an EU member state or that purposely avoids having to register by operating outside legal structures might be included in such blacklist.
Do market abuse restrictions apply?
As a new type of asset class, cryptoassets that do not qualify as financial instruments under MiFID II fall outside the scope of the EU Market Abuse Regulation (MAR). However, MiCA sets out new market abuse rules for cryptoasset markets to guarantee market integrity. These rules apply to cryptoassets that are admitted to trading on a trading platform for cryptoassets operated by an authorised cryptoasset service provider. They notably include requirements relating to the disclosure of inside information, the prohibition of insider dealing, the prohibition of unlawful disclosure of inside information and the prohibition of market manipulation.
When and how will MiCA apply?
The EU Parliament is expected to formally adopt MiCA at a plenary session during February 2023. It will then still need to be formally approved by the Council of the EU before it can be published in the Official Journal, probably in Q1 or Q2 2023. It will enter into force 20 days after such publication. The provisions on ARTs and e-money tokens will apply from 12 months after entry into force, expected to be spring 2024. Other provisions of MiCA will apply from 18 months after entry into force (i.e. in the second half of 2024).
For firms already providing cryptoasset services in accordance with national laws in the EU when MiCA starts to apply, there are grandfathering/transitional provisions under MiCA which will give firms more time to become authorised under MiCA. For example, existing CASPs may continue to provide their services in accordance with national law for an additional 18 months after MiCA comes into effect. In some cases, such firms may also benefit from a simplified authorisation procedure.
Additional technical guidance will follow MiCA's introduction and there is also scope for MiCA to be extended in the future. For example, as outlined above, MiCA includes a provision for EU authorities to review its application in relation to DeFi and NFTs that could lead to specific regulatory regimes to be introduced for them.
What should my firm be doing now to prepare for MiCA?
My firm is already authorised as a financial institution
Firms that are already authorised will not generally need to seek another authorisation under MiCA, provided that they meet certain disclosure requirements including a requirement to notify their competent authorities of the services they intend to provide with respect to cryptoassets. However, requirements under MiCA are nuanced from equivalent requirements under MiFID and other existing legislation so such firms must still undertake a detailed analysis of their crypto activities to see what is caught by MiCA vs other existing legislation and to consider where changes to existing policies are needed or additional requirements might apply accordingly, e.g. location based requirements for issuers of ARTs.
My firm issues cryptoassets within the EU and is not currently authorised
Issuers of ARTs must be both established and authorised within the EU. Non-EU firms that wish to continue issuing ARTs n the EU should act now to establish an undertaking in an appropriate member state and secure the relevant authorisation given the time that such processes can take.
My firm is based in the EU and currently provides cryptoasset services but is not currently authorised
Firms should undertake a detailed analysis of the extent to which their activities are caught by MiCA and what restrictions will apply and consider whether seeking an authorisation in their home or any other appropriate member state ahead of MiCA taking effect would be worthwhile to benefit from the transitional arrangements and to avoid post-MiCA delays. Firms that wish to do so must act swiftly as authorisations can take many months to secure.
My firm currently provides cryptoasset services into the EU but is based outside the EU
MiCA does not provide for a separate third country regime, so non-EU firms will have to obtain full authorisation to offer services within the EU. Firms should undertake a detailed analysis of the extent to which their activities are caught by MiCA and what restrictions will apply and consider whether seeking an authorisation in an appropriate member state ahead of MiCA taking effect would be worthwhile to benefit from the transitional arrangements and to avoid post-MiCA delays. Firms that wish to do so must act swiftly as authorisations can take many months to secure.
For readers interested in the interaction between MiCA and the "loi pacte" – the existing French regulatory framework for digital assets, please see our briefing: Fintech: The evolving French regulatory landscape.