This is the final part of our series of alerts on the EU’s new Market in Crypto-assets Regulation (MiCA). In this part, we will discuss the authorisation regime under MiCA for specified crypto-asset services which is largely based on the existing regulatory regime under the EU Market in Financial Instruments Directive 2014/65 (MiFID II).
Capitalised terms used in this Part 3 have the meanings given to them in Part 1 and/or Part 2 as applicable, unless otherwise indicated.
Subject to certain exemptions (discussed below), firms wishing to engage in any of the MiCA-specified services and activities in relation to crypto-assets (referred to collectively in MiCA as "crypto-asset services") must obtain prior authorisation from the relevant regulator. These "crypto-asset services", most of which bear strong similarities to investment services and activities under MiFID II, are:
- Custody and administration of crypto-assets on behalf of third parties. This essentially means safekeeping, or controlling, crypto-assets or their private cryptographic keys. This appears to be wider than the concept of a "custodian wallet provider" under the EU Money Laundering Directive (MLD) which refers to firms that safeguard private cryptographic keys (on behalf of customers); further a custodian wallet provider under MLD is defined by reference to "virtual currency" which is arguably narrower than "crypto-asset" under MiCA and which is, in summary, a digital representation of value that is not fiat money but is accepted as a means of exchange. The effect seems to be that an MLD custodian wallet provider would necessarily be providing this MiCA crypto-asset service thereby triggering the authorisation requirement (in addition to the MLD registration requirement), but a firm providing this crypto-asset service may not necessarily be caught by the MLD registration requirement.
- Operation of a trading platform for crypto-assets. A crypto-asset trading platform is defined as, in summary, a multilateral system where multiple third-party buying and selling crypto-assets interact in the system that results in a contract. This essentially borrows the concept of "multilateral system" (used for the concepts of "regulated market", "multilateral trading facility" and "organised trading facility") under MiFID II.
- Exchange of crypto-assets for funds. This covers buying or selling crypto-assets for funds (i.e. fiat money) by using proprietary capital. This can be compared with the MLD concept of a "[provider] engaged in exchange services between virtual currencies and fiat currencies". The effect seems to be that a firm engaging in this crypto-asset service may necessarily fall within MLD thereby triggering the registration requirement thereunder (in addition to the MiCA authorisation requirement) and, conversely, that an exchange service provider under MLD may not necessarily be carrying on this crypto-asset service (e.g. if it does not use proprietary capital).
- Exchange of crypto-assets for other crypto-assets. This covers buying or selling crypto-assets for other crypto-assets by using proprietary capital. As noted above, the MLD concept of exchange services covers only exchanges between virtual currencies and fiat currencies. However, the situation noted immediately above could also arise with respect to this service, depending on how the MLD concept is implemented in the relevant EU member state. For example, under the UK implementation (prior to Brexit), this MLD concept is expanded also to cover the services of "exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another" (including where the firm provides these services as creator or issuer of any of the crypto-assets involved).
- Execution of orders for crypto-assets on behalf of third parties. This means concluding an agreement to buy or sell crypto-assets on behalf of third parties ("including the conclusion of agreements to sell crypto-assets at the moment of their issuance"). It is not entirely clear what selling at the moment of issuance would entail in practice, and we await further guidance or explanation on that point.
- Placing of crypto-assets. This means marketing crypto-assets to purchasers on behalf of, or for the account of, the offeror or a person related to the offeror.
- Transfer services for crypto-assets on behalf of third parties. This means transferring crypto-assets from one address/account to another. This service was not included in the initial Commission proposal but was added by the Parliament. The Compromise Text retains it.
- Reception and transmission of orders for crypto-assets on behalf of third parties. This covers receiving a buy/sell order and then transmitting that order to a third party for execution.
- Providing advice on crypto-assets. This covers giving a personalised recommendation in respect of a crypto-asset transaction or the use of crypto-asset services. This also includes agreeing to given such recommendations.
- Providing portfolio management on crypto-assets. This means discretionary management of portfolios in accordance with mandates on a client-by-client basis; this is triggered where the portfolio includes at least one crypto-asset. This service was not in the Commission’s initial proposal but was added by the Parliament and Council. The Compromise Text retains it.
The Parliament in its negotiation version also added a crypto-asset service of "exchange of crypto-assets for [MiFID] financial instruments" but this is not taken on in the Compromise Text.
By comparison, the United Kingdom has proposed that "issuing, creating or destroying", "providing custody and admin[istration] for a third party", "executing transactions" and "exchanging", relating to certain stablecoins (termed, for now, "payment cryptoassets") should be made subject to an authorisation regime. These activities seem similar to some of the MiCA crypto-asset services above but they relate only to "payment cryptoassets" (essentially, stablecoins that are used widely as a means of payment). So their scope (if implemented as proposed in consultation) would be narrower than MiCA.
Further, the United Kingdom has proposed certain "controlled activities" relating to certain "qualifying cryptoassets" for the purposes of the UK financial promotion regime, which are in summary: "dealing", "arranging deals", "managing", and "advising". Again, these proposed controlled activities would resemble certain of the MiCA crypto-asset services above. However, unlike under MiCA, these proposed controlled activities would not trigger any authorisation requirements; they would only be used to assess whether the UK financial promotion restriction applies to a promotional communication.
Please see Part 1 for a discussion on the UK concepts of "payment cryptoasset" and "qualifying cryptoasset".
Crypto-asset service provider
Subject to certain exclusions and exemptions (discussed below), any person that provides any of the above specified crypto-asset services "within the Union" must be authorised under MiCA. What amounts to "within the Union" will largely depend on the interpretation of the relevant EU member state and so, for third country (i.e. non-EU) firms whose businesses have EU elements, they may need to seek local advice as regards MiCA's territorial scope with respect to each relevant EU member state.
Firms wishing to obtain authorisation under MiCA must have a registered office, or place of effective management, in the European Union, and have at least one director based in the European Union. There are other conditions to authorisation such as capital requirements, and governance requirements etc. Once authorised in its home member state, the crypto-asset service provider may passport its services throughout the European Union, either via a physical branch or on a cross-border basis, without having to obtain separate authorisations in the other EU member states (known as the "host" member states).
The Parliament, in its negotiation version, proposed some more stringent authorisation eligibility conditions (similar to its proposal for asset-referenced crypto-asset issuer authorisation; see Part 2): e.g. the applicant must not have a parent or subsidiary in a high risk country as identified under MLD. The Compromise Text does not take these on. However, the Compromise Text does add new provisions not included in any of the three negotiation versions (apparently to address these Parliament concerns): where an applicant has offices in, or relies on third parties based in, a high-risk country identified under MLD, the home regulator must, before granting authorisation, ensure that the applicant complies with the relevant MLD provisions relating to such high-risk countries as implemented in the home member state; the relevant regulator may also refuse authorisation if the applicant has close links in a third country (i.e. non-EU) whose laws would prevent or materially affect the effective supervision of the applicant.
The relevant regulator can withdraw a firm's authorisation in certain circumstances which go beyond those for an investment firm under MiFID II. For example, a crypto-asset service provider may lose its authorisation if has not provided crypto-asset services for nine successive months throughout its life or fails to put in place effective anti-money laundering and counter-terrorist financing systems and procedures.
Reverse solicitation exclusion for third country (i.e. non-EU) firms
If a firm based outside the European Union provides the relevant crypto-asset services at the "own exclusive initiative" of a customer residing within the European Union, the firm does not have to obtain authorisation under MiCA. This exclusion is similar to corresponding provisions under MiFID II, and the scenario is often referred to as "reverse solicitation".
The exclusion was not in the Commission's initial proposal but was added by the Parliament and Council, and retained in the Compromise Text. "Exclusive initiative" generally means there must be no solicitation on the part of the non-EU service provider which also cannot market new or different products not requested by the customer. The European Securities and Markets Authority (ESMA) is given power to prepare guidelines on when non-EU service providers are deemed to have solicited EU customers for these purposes. ESMA typically interprets MiFID II reverse solicitation narrowly. So it would not be surprising if ESMA took a similar position with the MiCA reverse solicitation provisions.
Firms already authorised
Certain types of firms such as, amongst others, credit institutions, MiFID investment firms, alternative investment fund managers, UCITS management companies and e-money institutions that are already authorised under their respective regulatory regimes can provide crypto-asset services without separate authorisation under MiCA. But there are limitations for most of them.
- Credit institutions – EU-authorised credit institutions may provide all of the crypto-asset services without separate authorisation under MiCA.
- MiFID investment firms - Investment firms authorised under MiFID II may, without separate authorisation under MiCA, provide those crypto-asset services considered to be equivalent to the MiFID activities/services they are already authorised for. As noted above, crypto-asset services under MiCA bear strong similarities to MiFID investment services and activities. Essentially, the only crypto-asset service that does not have an equivalent MiFID activity/service is providing transfer services for crypto-assets.
- UCITS management companies and AIFMs – These firms are permitted (subject to the local implementation of the UCITS Directive and AIFMD in their home member state) to carry on certain services/activities in addition to their UCITS/AIF management activities, which are: (for UCITS management companies) management of portfolios of investments, investment advice, and safekeeping and administration in relation to units of collective investment undertakings; (for AIFMs) management of portfolios of investments, investment advice, safekeeping and administration in relation to shares or units of collective investment undertakings, and reception and transmission of orders in relation to financial instruments. These firms may, without separate authorisation under MiCA, carry on crypto-asset services that are deemed equivalent to these additional services and activities. While these additional services/activities are commonly considered MiFID activities, the Compromise Text does not simply apply the equivalence provisions for MiFID activities (see above) to these services/activities. Instead, it has separate specific provisions under which each of these additional services and activities other than the activity of "safekeeping and administration of shares/units of collective investment undertakings" is matched to an equivalent crypto-asset service. This drafting seems to suggest that "custody and administration of crypto-assets" (which is deemed equivalent to safekeeping and administration of financial instruments under MiFID II) should not be considered equivalent to the "safekeeping and administration of shares/units of collective investment undertakings" for UCITS management companies/AIFMs. If so, this could potentially give rise to an issue: where the units of a fund are tokenised, does that mean a UCITS management company or an AIFM, already authorised for safeguarding/administering fund units, has to obtain separate authorisation under MiCA for custody and administration of crypto-assets (given the wide definition of crypto-asset)?
- E-money institutions – An authorised e-money institution may, without additional authorisation under MiCA, only provide the crypto-asset services of "custody and administration" and "providing transfer services" with regard to e-money tokens it issues.
But these firms must nonetheless notify their regulator and provide certain information (similar to the information needed for authorisation application but less extensive, such as a program of operation and a description of governance arrangements etc.).
These provisions in the Compromise Text are largely based on the Council's version.
Environment and Climate
Crypto-asset service providers must publish, in a prominent place on their website, information related to principal adverse environmental and climate-related impact of the consensus mechanism used to issue each crypto-asset in relation to which they provide services. This requirement was added by the Parliament and has been retained in the Compromise Text. The Compromise Text also provides for ESMA to prepare regulatory technical standards with regard to this disclosure requirement. Note that the white paper requirements for crypto-assets include disclosure of information on principal adverse environmental and climate related impact of the consensus mechanism. So crypto-asset service providers that are not issuers themselves could take information from the white paper for these purposes, as permitted under MiCA.
As can be seen, MiCA is a complex piece of legislation that adopts what may be referred to as a "one size fits all" approach to regulating crypto-assets. There are difficulties in interpreting some of its provisions as they are based on existing concepts used in the traditional financial services and the adaptations may not be sufficiently thorough. There is also uncertainty with respect to its interaction with other existing regulatory regimes. For example, in addition to the issues identified above (such as regarding MLD), one further point worth noting is that some of the crypto-asset services may involve payment services under the EU Payment Services Directive 2015/2366 (PSD2). The Compromise Text expressly provides that if the relevant crypto-asset services involve payment services, then the crypto-asset service provider must obtain separate authorisation under PSD2 for those payment services. By contrast, a MiFID investment firm can provide crypto-asset services as long as these crypto-asset services are considered "equivalent" to the relevant MiFID II investment services and activities for which it is authorised. MiFID investment firms can generally take advantage of an exclusion under PSD2 to avoid separate authorisation under PSD2 where their MiFID activities involve payment services. However, it is less clear whether a MiFID investment firm providing those equivalent crypto-asset services must also obtain a separate authorisation under PSD2 in respect of any payment services relating to those equivalent crypto-asset services. This would not be an issue, however, for EU credit institutions which can already provide payment services under their banking authorisation, and for e-money institutions which typically add payment services permissions (as permitted) onto their e-money authorisation. Such confusing interaction with other existing regulatory regimes may not be ideal and it remains to be seen how much of this can be remedied through secondary legislation or tertiary guidelines to be made under MiCA.