This article covers the key differences between MiCAR (Markets in Crypto Assets Regulation) and MLTFPA, the fate of the old license, new taxonomies introduced in MiCAR, key regulatory requirements for CASPs, key regulatory requirements for issuing assets and possible redundant requirements of MLTFPA.
The MLTFPA has been in place in Estonia since 2017 and is based on the EU's Fourth Money Laundering Directive. The MLTFPA requires financial institutions and other obligated entities to undertake customer due diligence, identify and report suspicious transactions, and implement internal controls to prevent money laundering and terrorist financing.
The MiCA regulation, on the other hand, is designed to address the unique challenges posed by crypto-assets and virtual currencies. MiCAR is a comprehensive regulatory framework that aims to provide a harmonized approach to the regulation of crypto-assets across the EU. The MiCA regulation seeks to provide a high level of consumer protection, prevent money laundering and terrorist financing, and ensure the stability of the financial system. The regulation sets out strict requirements for Crypto Asset Service Providers (CASPs) operating within the EU. Additionally, a register for all crypto-asset service providers will be established and it will be available to the public and shall be updated on a regular basis.
MiCA introduces a new taxonomy of assets and services with respective license requirements. MiCA regulation covers basically all forms of token offerings and stablecoin issuance plus new market abuse rules for the entire space.
In terms of the obligations on obligated entities, the MiCA regulation builds on the existing requirements under the MLTFPA. Obligated entities will still need to undertake customer due diligence, identify, and report suspicious transactions, and implement internal controls.
Truthfully, for VASPs already licensed in Estonia, the transition from Estonian MLTFPA to MiCAR should be relatively easy as plenty of obligations introduced in MiCA are already in effect under Estonian MLTFPA.
Overall, the requirements under MiCA are more specific and comprehensive compared to the existing MLTFPA. MiCA includes new taxonomy of assets and services, requirements for licensing and capital requirements, which may all impact a VASP’s business models and operations. Additionally, MiCA covers a broader range of crypto-assets than the MLTFPA, including stablecoins and utility tokens. However, it's important to note that MiCA doesn't cover crypto assets that fall under existing EU financial services legislation (like securities), digital assets which cannot be transferred to other holders, staking, lending, NFTs (unless issued in a “large series or collection”) and “fully decentralized finance”*.
The most exciting aspect of the new MiCA license is the allowance and regulation of passporting, which will allow institutions to operate across EU under a single regulatory framework. Timeline for applying and getting the authorization to start providing services is said to be about a month.
The MLTFPA and MiCA have different thresholds for customer due diligence (CDD) requirements. For example, the MLTFPA requires CDD to be performed on all customers, while MiCA allows for simplified CDD measures to be applied in certain circumstances, such as when carrying out occasional transactions below €1,000.
A big difference is in the amounts of permanent minimum capital required from CASPs. Currently, under MLTFPA, the lowest requirement is €100,000 (wallet services, exchange services and issuing services) while the highest is €250,000 (transfer services). Under MiCA the requirements are much lower:
Another big general requirement is to place clients’ funds with a bank and in a separate account from where the service provider holds its own funds.
* MiCA states: “where crypto-asset services (..) are provided in a fully decentralized manner without any intermediary, they should not fall within the scope of this Regulation”. However the same documents states that MiCA applies even “when part of such activities or services is performed in a decentralized manner”. So, for now it remains hard to tell how much decentralization (technical, governance, legal etc) is necessary to stay out of the scope.
The MiCA license is one of the most important changes that MiCA brings. It will be uniform in all Member States as all CASPS must apply for the same license with the same requirements, same obligations, same procedure etc.
It is important to note that the MiCA license still has to be applied for. There will be a new separate application process (hopefully more transparent than so far) where the relevant authority will assess the application and ultimately decide to grant (or refuse to grant) the license. There is no way to transfer or modify the current MLTFPA license or otherwise speed up the procedure.
The license will cover current services listed in MLTFPA and new types of services previously not regulated. We will see modified requirements for service providers (including redundant MLTFPA requirements) and special requirements for each type of service.
So far FIU has been the supervisory authority for VASPs. This will change with presumably the Financial Supervision Authority (FSA) taking over for FIU. This means MiCA applications will be submitted to the FSA, who will review and make the decision to grant or refuse to grant licenses. FSA will also start performing supervision, issuing notices and withdrawing licenses, if relevant grounds are presented. Current licenses will become known as the „old“ ones and they will expire once MiCA is implemented.
As mentioned above, MiCA will cover current services listed in MLTFPA and new types of services previously not regulated.
MiCA lists the following crypto-asset services:
So, the current wallet services (as described in MLTFPA) remains as “the custody and administration of crypto-assets on behalf of third parties”.
The current exchange service (as described in MLTFPA) was divided into several services:
As you can see, issuing a crypto-asset is not listed as a service. One does not need a license to issue crypto-assets, however there are detailed requirements and sometimes authorization is needed, depending on the asset type.
MiCA identifies 4 different types of assets with respective requirements:
It’s worth noting that for the scope of MiCA, it doesn’t matter if your stablecoin is based on a algorithm - it is in the scope if it matches any of the above mentioned definitions as mechanism doesn’t matter.
To apply for a CASP license, the application must contain all the following:
Even though MiCA is way more detailed and crypto focused, much of CASP obligations are already in act in Estonia through MLTFPA. So, we would like to currently only highlight distinct new or changed obligations:
Depending on the services they provide and due to the specific risks raised by each type of services, crypto-asset service providers are subjected to requirements specific to those services. We will cover those in another article.
Issuing assets other than ARTs and EMTs:
There are exemptions for when there is no obligation to draft the white paper and publish it:
As mentioned, MiCA’s goal is to also offer protection for consumers and investors. This is reflected in the consumer’s right to withdraw from a crypto-asset purchase within 14 calendar days. Issuer must make this possible without incurring any costs and without asking for a reason or an explanation.
Asset reference tokens are considered more riskier and their regulation is heavier.
Additionally, for ARTs and EMTs, MiCA introduces the concept of “significance”. Significant ARTs and EMTs are tokens that reach certain adoption thresholds and have to meet higher prudential, governance, and liquidity requirements. If three of the following criteria (TBA by EU supervisors) are met, ARTs and EMTs are deemed significant:
It is also very important to mention that MiCA Article 36 prevents issuers of asset-referenced tokens and crypto-asset service providers from granting any interest to holders of asset-referenced tokens and Article 45 prevents issuers of e-money tokens and crypto-asset service providers from granting any interest to holders of e-money tokens.
Several important requirements of MLTFPA might become redundant as these are
not included in MiCAR:
There is no longer a specific requirement for virtual currency service providers to audit their annual report nor is there a requirement to have an external auditor or internal auditor. However the overall audit requirement pursuant to law will apply (based on parameters such as revenue, assets etc.)
Even though the members of the management body of crypto-asset service providers and the members of the management body of ART issuers shall have sufficiently good repute and possess knowledge, experience and skills to perform their duties and for the purpose of anti-money laundering and combatting the financing of terrorism, there is no requirement for higher education or Estonian residence. However CASPs do need at least one director to be a resident of the EU.
There has been a lot of active discussions on social media and crypto spaces about the MiCA regulation and its potential impact on the crypto industry. Many people are expressing concerns about the increased regulatory burden and the potential impact on innovation and competition in the sector. Some commentators are also pointing out that the MiCA regulation does not cover certain activities, such as staking and lending, or fully decentralized finance. This has raised questions about the extent to which the regulation will be effective in addressing the risks associated with the crypto industry while some are already calling for MiCA 2.0.
Despite these concerns, we believe that the MiCA regulation is an important step forward in the regulation of the crypto industry, as it provides much-needed clarity and certainty for market participants while also protecting investors. We hope to see this regulation helping increase trust and confidence in the sector, which in turn will encourage greater adoption of crypto-assets and virtual currencies. We are excited to see how this will shape the future of the crypto industry in the EU and beyond!
It's important to note that the MiCA regulation is expected to come into effect in the EU member states by 2024. The exact timeline for implementation in Estonia is not yet clear, but current VASPs should stay tuned for further updates and already begin preparing now to ensure they are ready to comply with the new requirements (especially service-specific requirements) once they come into force. Especially since failure to comply with MiCA can result in substantial fines (which in certain cases may reach 12.5% of the total annual turnover of the entity or more), periodic penalty payments, withdrawal/suspension of the authorization or removal/ban of a natural person from managerial positions.
At Grant Thornton Baltic OÜ, we understand the challenges that come with staying up-to-date on complex regulations and requirements, which is why we offer internal auditing and business risk advisory services. Our experienced professionals can help you navigate the regulatory landscape and implement effective compliance programs that minimize risk and maximize opportunities for growth. Contact us today to learn how we can help you achieve your business objectives while remaining compliant with the new MiCA regulation.
If you have similar challenges and questions, please contact our specialists.
