Cryptoassets

From a VASP to a CASP: A comprehensive guide to MiCAR

Joanna Käi Grant Thornton Baltic
Contents

Author: Joanna Käi

This article covers the key differences between MiCAR (Markets in Crypto Assets Regulation) and MLTFPA, the fate of the old license, new taxonomies introduced in MiCAR, key regulatory requirements for CASPs, key regulatory requirements for issuing assets and possible redundant requirements of MLTFPA.

The MLTFPA has been in place in Estonia since 2017 and is based on the EU's Fourth Money Laundering Directive. The MLTFPA requires financial institutions and other obligated entities to undertake customer due diligence, identify and report suspicious transactions, and implement internal controls to prevent money laundering and terrorist financing.

The MiCA regulation, on the other hand, is designed to address the unique challenges posed by crypto-assets and virtual currencies. MiCAR is a comprehensive regulatory framework that aims to provide a harmonized approach to the regulation of crypto-assets across the EU. The MiCA regulation seeks to provide a high level of consumer protection, prevent money laundering and terrorist financing, and ensure the stability of the financial system. The regulation sets out strict requirements for Crypto Asset Service Providers (CASPs) operating within the EU. Additionally, a register for all crypto-asset service providers will be established and it will be available to the public and shall be updated on a regular basis. 

MiCA introduces a new taxonomy of assets and services with respective license requirements. MiCA regulation covers basically all forms of token offerings and stablecoin issuance plus new market abuse rules for the entire space. 

In terms of the obligations on obligated entities, the MiCA regulation builds on the existing requirements under the MLTFPA. Obligated entities will still need to undertake customer due diligence, identify, and report suspicious transactions, and implement internal controls. 

Truthfully, for VASPs already licensed in Estonia, the transition from Estonian MLTFPA to MiCAR should be relatively easy as plenty of obligations introduced in MiCA are already in effect under Estonian MLTFPA.

MiCA vs. MLTFPA: Key Differences

Overall, the requirements under MiCA are more specific and comprehensive compared to the existing MLTFPA. MiCA includes new taxonomy of assets and services, requirements for licensing and capital requirements, which may all impact a VASP’s business models and operations. Additionally, MiCA covers a broader range of crypto-assets than the MLTFPA, including stablecoins and utility tokens. However, it's important to note that MiCA doesn't cover crypto assets that fall under existing EU financial services legislation (like securities), digital assets which cannot be transferred to other holders, staking, lending, NFTs (unless issued in a “large series or collection”) and “fully decentralized finance”*.

The most exciting aspect of the new MiCA license is the allowance and regulation of passporting, which will allow institutions to operate across EU under a single regulatory framework. Timeline for applying and getting the authorization to start providing services is said to be about a month. 

The MLTFPA and MiCA have different thresholds for customer due diligence (CDD) requirements. For example, the MLTFPA requires CDD to be performed on all customers, while MiCA allows for simplified CDD measures to be applied in certain circumstances, such as when carrying out occasional transactions below €1,000.

A big difference is in the amounts of permanent minimum capital required from CASPs. Currently, under MLTFPA, the lowest requirement is €100,000 (wallet services, exchange services and issuing services) while the highest is €250,000 (transfer services). Under MiCA the requirements are much lower: 

  • €150,000 for trading platforms, 
  • €125,000 for custodians and exchanges (brokers), 
  • and €50,000 for all the others.

Another big general requirement is to place clients’ funds with a bank and in a separate account from where the service provider holds its own funds. 

* MiCA states: “where crypto-asset services (..) are provided in a fully decentralized manner without any intermediary, they should not fall within the scope of this Regulation”. However the same documents states that MiCA applies even “when part of such activities or services is performed in a decentralized manner”. So, for now it remains hard to tell how much decentralization (technical, governance, legal etc) is necessary to stay out of the scope. 

Fate of the FIU and the old license

The MiCA license is one of the most important changes that MiCA brings. It will be uniform in all Member States as all CASPS must apply for the same license with the same requirements, same obligations, same procedure etc. 

It is important to note that the MiCA license still has to be applied for. There will be a new separate application process (hopefully more transparent than so far) where the relevant authority will assess the application and ultimately decide to grant (or refuse to grant) the license. There is no way to transfer or modify the current MLTFPA license or otherwise speed up the procedure. 

The license will cover current services listed in MLTFPA and new types of services previously not regulated. We will see modified requirements for service providers (including redundant MLTFPA requirements) and special requirements for each type of service. 

So far FIU has been the supervisory authority for VASPs. This will change with presumably the Financial Supervision Authority (FSA) taking over for FIU. This means MiCA applications will be submitted to the FSA, who will review and make the decision to grant or refuse to grant licenses. FSA will also start performing supervision, issuing notices and withdrawing licenses, if relevant grounds are presented. Current licenses will become known as the „old“ ones and they will expire once MiCA is implemented.

Crypto-asset services listed by MiCA

As mentioned above, MiCA will cover current services listed in MLTFPA and new types of services previously not regulated. 

MiCA lists the following crypto-asset services:

  • the custody and administration of crypto-assets on behalf of third parties
  • the operation of a trading platform for crypto assets
  • the exchange of crypto-assets for funds
  • the exchange of crypto-assets for other crypto-assets
  • the execution of orders for crypto-assets on behalf of third parties
  • placing of crypto assets
  • the reception and transmission of orders for crypto-assets on behalf of third parties
  • providing advice on crypto-assets

So, the current wallet services (as described in MLTFPA) remains as “the custody and administration of crypto-assets on behalf of third parties”.

The current exchange service (as described in MLTFPA) was divided into several services:

  • the operation of a trading platform for crypto-assets
  • the exchange of crypto assets for funds
  • the exchange of crypto-assets for other crypto-assets

As you can see, issuing a crypto-asset is not listed as a service. One does not need a license to issue crypto-assets, however there are detailed requirements and sometimes authorization is needed, depending on the asset type.

Asset taxonomy

MiCA identifies 4 different types of assets with respective requirements:

  1.  A crypto-asset is a “digital representation of a value or a right, which may be transferred and stored electronically, using distributed ledger or similar technology”. Most crypto-assets should fall under this “catch-all” category, including Bitcoin and Ether.
  2. A utility token is a sub-type of crypto-assets “which is only intended to provide access to a good or a service supplied by its issuer”. There are lighter requirements for issuing utility tokens, but we don’t expect to see many of these. 
  3. An asset-referenced token (ART) is a token that aims at stabilizing its value by referencing/pegging to a basket of currencies, commodities, crypto-assets or other single non-fiat currency assets. 
  4. An e-money token (EMT) aims at stabilizing its value by referencing the value of one single fiat currency, for example USDC, USDT, BUSD or EUROC. This concept and most of its requirements stem from the existing regulatory concept of e-money in the EU.

It’s worth noting that for the scope of MiCA, it doesn’t matter if your stablecoin is based on a algorithm - it is in the scope if it matches any of the above mentioned definitions as mechanism doesn’t matter.

Key regulatory requirements and obligations for CASPs

To apply for a CASP license, the application must contain all the following:

  • the name, including the legal name and any other commercial name to be used, the legal entity identifier of the applicant crypto-asset service provider, the website operated by that provider, and its physical address
  • the legal status of the applicant crypto-asset service provider
  • the articles of association of the applicant crypto-asset service provider
  • a program of operations setting out the types of crypto-asset services that the applicant crypto-asset service provider wishes to provide, including where and how these services are to be marketed
  • a description of the applicant crypto-asset service provider’s governance arrangements
  • for all natural persons involved in the management body of the applicant crypto-asset service provider, and for all natural persons who, directly or indirectly, hold 20% or more of the share capital or voting rights, proof of the absence of a criminal record in respect of infringements of national rules in the fields of commercial law, insolvency law, financial services law, anti-money laundering law, counter-terrorism legislation, and professional liability obligations
  • proof that the natural persons involved in the management body of the applicant crypto-asset service provider collectively possess sufficient knowledge, skills and experience to manage that provider and that those natural persons are required to commit sufficient time to the performance of their duties
  • a description of the applicant crypto-asset service provider’s internal control mechanism, procedure for risk assessment and business continuity plan
  • descriptions both in technical and non-technical language of applicant crypto-asset service provider’s IT systems and security arrangements
  • proof that the applicant crypto-asset service provider meets the prudential safeguards
  • a description of the applicant crypto-asset service provider’s procedures to handle complaints from clients
  • a description of the procedure for the segregation of client’s crypto-assets and funds
  • a description of the procedure and system to detect market abuse.
  • where the applicant crypto-asset service provider intends to ensure the custody and administration of crypto-assets on behalf of third parties, a description of the custody policy
  • where the applicant crypto-asset service provider intends to operate a trading platform for crypto-assets, a description of the operating rules of the trading platform
  • where the applicant crypto-asset service provider intends to exchange cryptoassets for fiat currency or crypto-assets for other crypto-assets, a description of the non-discriminatory commercial policy
  • where the applicant crypto-asset service provider intends to execute orders for crypto-assets on behalf of third parties, a description of the execution policy
  • where the applicant intends to receive and transmit orders for crypto-assets on behalf of third parties, proof that the natural persons giving advice on behalf of the applicant crypto-asset service provider have the necessary knowledge and expertise to fulfil their obligations.

Even though MiCA is way more detailed and crypto focused, much of CASP obligations are already in act in Estonia through MLTFPA. So, we would like to currently only highlight distinct new or changed obligations:

  • crypto-asset service providers must have a registered office in an EU Member State in which at least part of the CASP’s crypto-asset activities is carried out as well as have an effective management in the EU and at least one director being a resident of the EU
  • crypto-asset service providers shall make their policy procedures in place for identifying, preventing, managing and disclosing conflicts of interests publicly available
  • crypto-asset service providers shall, at all times, have in place prudential safeguards, which may take the form of own funds requirement or an insurance policy covering the territories of the Union where crypto-asset services are actively provided
  • crypto-asset service providers shall arrange for records to be kept of all crypto-asset services, activities, orders and transactions undertaken by them and allow clients to receive such records
  • crypto-asset service providers shall, promptly place any client’s funds, with a central bank or a credit institution. Crypto-asset service providers shall take all necessary steps to ensure that the clients’ funds held with a central bank or a credit institution are held in an account or accounts separately identifiable from any accounts used to hold funds belonging to the crypto-asset service provider
  • crypto-asset service providers, that rely on third parties for the performance of operational functions, take all reasonable steps to avoid additional operational risk
    • outsourcing cannot result in the delegation of the responsibility of the crypto-asset service providers
    • outsourcing cannot alter the relationship between the crypto-asset service providers and their clients, nor the obligations of the crypto-asset service providers towards their clients
    • crypto-asset service providers must have direct access to the relevant information of the outsourced services
    • crypto-asset service providers shall have a policy on their outsourcing, including on contingency plans and exit strategies
    • crypto-asset service providers shall enter into a written agreement with any third parties involved in outsourcing. That written agreement shall specify the rights and obligations of both the crypto-asset service providers and of the third parties concerned and shall allow the crypto-asset service providers concerned to terminate that agreement
  • specific ESG requirements
  • crypto-asset service providers must establish an appropriate plan to support an orderly wind-down
  • crypto-asset service providers must establish and maintain a proper complaint handling procedure, informing clients of a possibility to file a complaint

Depending on the services they provide and due to the specific risks raised by each type of services, crypto-asset service providers are subjected to requirements specific to those services. We will cover those in another article.

Requirements for issuing assets

Issuing assets other than ARTs and EMTs:

  • issuer must be a legal person
  • requirement to draft and publish a white paper
    • doesn’t have to be approved previously, but a local competent authority needs to be notified and the white paper has tons of requirements
  • requirements on marketing communication
  • no ex-ante approval of documents, notification to the home member state competent authority 20 working days prior to publishing white paper
  • possibility to modify the white paper 

There are exemptions for when there is no obligation to draft the white paper and publish it:

  • crypto-assets are offered for free
  • crypto-assets are offered to fewer than 150 natural or legal persons per Member State
  • cmall offering – does not exceed 1M EUR (or equivalent) over a period of 12 months
  • offer is solely addressed to qualified investors and crypto-assets can only be held by qualified investors

As mentioned, MiCA’s goal is to also offer protection for consumers and investors. This is reflected in the consumer’s right to withdraw from a crypto-asset purchase within 14 calendar days. Issuer must make this possible without incurring any costs and without asking for a reason or an explanation.  

Asset reference tokens are considered more riskier and their regulation is heavier.

  • issuers need to apply for an authorization (including approval of white paper)
  • exemptions
    • over a period of 12 months, the average outstanding amount of asset-reference tokens does not exceed 5M EUR (or equivalent)
    • offer solely addressed to qualified investors and tokens can only be held by such
  • notification of the white paper to the competent authorities
  • publication of the white paper
  • strict requirements which the application and its documentation must meet
  • modifications to the white paper are allowed, but are subject to new approval by the authority
  • obligation to have reserve assets
  • obligation to regularly audit and have independent audit of the reserve assets in every six months
  • obligation to disclose at least every month the amount of asset-reference tokens in circulation and the value of the composition of the reserve assets

E-money tokens

  • authorisation required to act as a Credit institution or an e-money institution
  • requirement to draft and publish white paper while also notifying the competent authority
  • no ex-ante approval of documents, notification to the home member state competent authority at least 20 working days prior to publishing a WP
  • E-money Directive applies
  • the above does not apply if:
    • e-money tokens are marketed, distributed and held by qualified investors and can only be held by qualified investors;
    • if the average outstanding amount of e-money tokens does not exceed 5M EUR (or equivalent) over a period of 12 months
  • white paper modifications are allowed – subject to infoming the public and notifying the competent authority along with reasons

Additionally, for ARTs and EMTs, MiCA introduces the concept of “significance”. Significant ARTs and EMTs are tokens that reach certain adoption thresholds and have to meet higher prudential, governance, and liquidity requirements. If three of the following criteria (TBA by EU supervisors) are met, ARTs and EMTs are deemed significant:

  • > 10 million holders
  • > €5 billion market capitalization
  • whether the number and value of transactions per day is higher than 2.5 million and €500 million, respectively
  • whether the issuer is designated a gatekeeper according to the Digital Markets Act
  • whether the issuer is deemed significant on an international scale, including the use of the token for payments and remittances
  • the degree to which the token is interconnected with the financial system
  • whether the issuers offer additional ARTs, EMTs, or crypto-asset services

It is also very important to mention that MiCA Article 36 prevents issuers of asset-referenced tokens and crypto-asset service providers from granting any interest to holders of asset-referenced tokens and Article 45 prevents issuers of e-money tokens and crypto-asset service providers from granting any interest to holders of e-money tokens.

Redundant requirements of MLTFPA

Several important requirements of MLTFPA might become redundant as these are
not included in MiCAR:

  • Auditor requirements

There is no longer a specific requirement for virtual currency service providers to audit their annual report nor is there a requirement to have an external auditor or internal auditor. However the overall audit requirement pursuant to law will apply (based on parameters such as revenue, assets etc.)

  • Higher education requirement

Even though the members of the management body of crypto-asset service providers and the members of the management body of ART issuers shall have sufficiently good repute and possess knowledge, experience and skills to perform their duties and for the purpose of anti-money laundering and combatting the financing of terrorism, there is no requirement for higher education or Estonian residence. However CASPs do need at least one director to be a resident of the EU.

Analysis and conclusion

There has been a lot of active discussions on social media and crypto spaces about the MiCA regulation and its potential impact on the crypto industry. Many people are expressing concerns about the increased regulatory burden and the potential impact on innovation and competition in the sector. Some commentators are also pointing out that the MiCA regulation does not cover certain activities, such as staking and lending, or fully decentralized finance. This has raised questions about the extent to which the regulation will be effective in addressing the risks associated with the crypto industry while some are already calling for MiCA 2.0. 

Despite these concerns, we believe that the MiCA regulation is an important step forward in the regulation of the crypto industry, as it provides much-needed clarity and certainty for market participants while also protecting investors. We hope to see this regulation helping increase trust and confidence in the sector, which in turn will encourage greater adoption of crypto-assets and virtual currencies. We are excited to see how this will shape the future of the crypto industry in the EU and beyond!

It's important to note that the MiCA regulation is expected to come into effect in the EU member states by 2024. The exact timeline for implementation in Estonia is not yet clear, but current VASPs should stay tuned for further updates and already begin preparing now to ensure they are ready to comply with the new requirements (especially service-specific requirements) once they come into force. Especially since failure to comply with MiCA can result in substantial fines (which in certain cases may reach 12.5% of the total annual turnover of the entity or more), periodic penalty payments, withdrawal/suspension of the authorization or removal/ban of a natural person from managerial positions. 

At Grant Thornton Baltic OÜ, we understand the challenges that come with staying up-to-date on complex regulations and requirements, which is why we offer internal auditing and business risk advisory services. Our experienced professionals can help you navigate the regulatory landscape and implement effective compliance programs that minimize risk and maximize opportunities for growth. Contact us today to learn how we can help you achieve your business objectives while remaining compliant with the new MiCA regulation.