News Update Financial Regulatory

The EU Markets in Crypto-Assets Regulation ("MiCA") was published in the Official Journal of the European Union on 9 June 2023 and entered into force on 29 June 2023. Crypto-asset service providers ("CASPs") need to be MiCA compliant by no later than 30 December 2024. It is notable that the requirements applicable to issuers of asset-referenced tokens and e-money tokens (Title III and IV MiCA) will already enter into force six months earlier, on 30 June 2024. In addition, Member States may apply transitional periods of no longer than 18 months, starting on 30 December 2024. These transitional periods will postpone the applicability of the licence requirement. The Dutch Minister of Finance is considering a reduced transitional period of 6 months, resulting in a final compliance date for Dutch CASPs of 1 July 2025.

MiCA is the EU regulatory framework governing CASPs and offerings of crypto-assets in the EU. Crypto-asset services include, for example, order transmission, order execution, portfolio management, investment advice and operating crypto exchanges. MiCA does not regulate non-fungible tokens, central bank digital currencies or utility tokens. Decentralised finance (DeFi)propositions are generally not in scope either.

MiCA is the largest piece of supranational legislation governing crypto-assets to date, demonstrating the EU's resolve to update its financial legislation to the digital era. As well as hugely impacting CASPs active in the EU – including those established outside the EU – MiCA will also affect incumbent financial institutions, and creates opportunities for EU banks, investment firms and insurance companies.

Being a regulation, MiCA will apply directly throughout the EU without any national implementing legislation being required. Nevertheless, Member States have to ensure their national legislation facilitates MiCA's proper functioning. To that end, on 14 July 2023 the Dutch Minister of Finance published a draft Act for public consultation purposes (in Dutch only). The draft Act mainly covers the attribution of specific supervisory powers to the national competent authorities, the Dutch Authority for the Financial Markets ("AFM") and the Dutch Central Bank ("DNB"). DNB will supervise issuers of asset-referenced tokens and e-money tokens. The AFM will supervise all other aspects of MiCA, including the provision of crypto-asset services. The consultation ended on 11 August 2023, and triggered only a small number of responses, probably due to the limited scope of the draft Act.

In general, EU Member States will have to dismantle or adapt their existing national crypto-asset legislation and frameworks governing crypto-assets and crypto-asset services to the extent these are irreconcilable with MiCA. For example, the registration requirement under the Dutch Act on the Prevention of Money Laundering and Terrorism Financing (Wet ter voorkoming van witwassen en financieren van terrorisme, "Wwft"), requiring virtual asset service providers to register with DNB, is irreconcilable with MiCA and has to be dismantled.

Several elements of MiCA will be specified in more detailed delegated EU legislation. The European Securities and Markets Authority ("ESMA") and the European Banking Authority ("EBA") have been given the task of formulating detailed requirements on topics such as white papers (and their contents), authorisation/licences (e.g. templates for licence applications), assessingthe suitability of a CASP's management body and qualified shareholders, and complaints handling and the prevention of conflicts of interest. ESMA has published a provisional implementation timeline and EBA has published an information page on its website. Both ESMA and EBA are publishing their draft delegated regulations in three packages, and each of them published their first package for consultation in July 2023. The second and third packages are scheduled for Q4 2023 and/or Q1 2024.

Impact on CASPs – licence requirements

The regulation of CASPs under MiCA will broadly resemble the regulation of investment firms under the EU Markets in Financial Instruments Directive II ("MiFID II"). CASPs are parties engaged in crypto-asset services. These services are similar to investment services under MiFID II, with the key distinction that they solely concern crypto-assets as underlying assets. To the extent that crypto-assets also qualify as MiFID II financial instruments, e.g. tokenised securities, tokenised notes, or tokenised units in alternative investment funds, services relating to these products will be governed by MiFID II and not by MiCA.

Under MiCA, CASPs require a MiCA licence from the competent Member State authority. In the Netherlands, this will be the AFM. A MiCA licence will – after completion of notification requirements – serve as an EU passport for providing licensed crypto-asset services in other EU Member States than the home Member State. Licence requirements are similar to those in other EU financial services legislation. The applicant must, for example:

• Be a legal entity;
• Be of good repute, with competent senior management;
• Satisfy minimum capital requirements or have adequate insurance coverage as an         alternative;
• Have a robust organisation and processes (e.g. IT, AML, outsourcing);
• Ensure the safeguarding of client assets;
• Have policies on prevention of conflicts of interest, governing inducements, order         execution, complaints handling, AML prevention, ICT business continuity, etc.

Existing registrations with DNB as a virtual asset service provider do not constitute MiCA licences and will not result in simplified licence application processes. The requirements set out in MiCA are much wider and more onerous than those in the current registration regime. This means that DNB-registered virtual asset service providers will need to complete the full CASP licence application process. We expect that CASPs will have to make tremendous efforts and significant investments to obtain a MiCA licence.

Impact on CASPs – ongoing requirements

MiCA contains ongoing licence requirements to ensure the financial (prudential) solidity of CASPs as well as to safeguard sound business conduct and ensure consumer protection. Prudential requirements include minimum levels of own funds (CET1) or adequate insurance coverage.
Business conduct requirements include obligations to act honestly, fairly and in the client's best interest, arrangements on the prevention and disclosure of conflicts of interests, and requirements on best execution and prohibitions on payments for order flow. Other aspects covered include complaints handling, the use of fair, clear and non-misleading marketing consistent with information set out in white papers, and the use of relevant mandatory warnings in marketing materials, white papers and in the case of advice or portfolio management.

Impact on information provision

MiCA sets out requirements on minimum information that must be made available by parties offering crypto-assets in the EU. This minimum information has to be published in a white paper. MiCA differentiates between various categories of crypto-assets based on their application and risk profile: 

• Crypto-assets;
• Asset-referenced tokens (i.e. stablecoins);
• E-money tokens (i.e. payment tokens). 

Information requirements are proportionate and risk-based. In addition, the safeguards set out in MiCA are risk-based and more stringent for the highest risk categories: asset-referenced tokens and e-money tokens. This approach, already formulated in 2020, appears to be well aligned with the risks that materialised in global crypto markets in 2022.

Impact on existing financial institutions

Under MiCA, licensed EU banks and investment firms will be uniquely positioned commercially compared to CASPs. Their EU banking or investment firm licences authorise them to provide crypto-asset services without having to apply for a separate MiCA licence. Banks may provide all crypto-asset services. Investment firms may provide the crypto-asset services equivalent to their investment services. When doing so EU banks and EU investment firms need to fully comply with MiCA. Launching crypto-asset services will require prior notification thereof to competent banking and investment firm supervisors, through a standardised notification, 40 days in advance. This is also an opportunity for incumbent banks, investment firms and CASPs to explore collaborations and joint service provision. 

It is also noteworthy that CASPs have to appoint custodians for the safekeeping of client assets and reserve assets, backing up asset-referenced tokens (i.e. stablecoins). Banks will be uniquely authorised to act as custodian for the safekeeping of all categories of CASP client assets and reserve assets, i.e. cash, financial instruments and crypto-assets. Investment firms may only provide custody for client assets consisting of financial instruments and crypto-assets, and CASP's may only act as custodian for client crypto-assets.

Licensed financial institutions will have to start thinking about the changes to the financial landscape post-MiCA, both in terms of the commercial opportunities they may gain and the increased risks they may be exposed to. For example, it will become more difficult for banks to refuse services to licensed CASPs, payment service providers acting on their behalf, or merchants accepting payments in crypto-assets. Also, financial institutions engaging with CASPs will need to ensure their CASP counterparties or CASP clients are duly licensed. 

Impact on regulators

MiCA will make it far more difficult for financial regulators to dissuade banks and other financial institutions from exploring and engaging in crypto-asset services, and from providing services to licensed CASPs and their service providers (such as payment service providers) and collaborating with them. It also means regulators will need to enforce compliance and can no longer refrain from taking action against business practices harming consumers. Crypto-assets will be in their remit.

Although MiCA aims to protect consumers, there appears to be room for improvement. MiCA only minimally regulates social media (including 'finfluencers') not engaging in crypto-asset services. It also appears that various mandatory crypto risk warnings are limited to advisory/portfolio management services, while 'execution only' is the predominant means of exchange. 

In addition, regulators may be confronted with large numbers of licence applications. This depends in part on the timeframe within which Member States finalise their licence application processes and whether or not Member States apply the 18-month transition period or a shorter one. Furthermore, given the pan-EU nature of a MiCA licence, there is a risk that licence applicants will opt for the first Member State that launches the licence application process or for the Member State perceived to have the fastest or least onerous licence application process. Therefore, the risk of regulatory arbitrage is real. 

Next steps

MiCA presents challenges and opportunities both for CASPs and licensed financial institutions. Parties taking a wait-and-see approach will quickly find themselves running out of time. Several requirements will be clarified in delegated legislation which at best will only become available shortly prior to the final compliance date. Now is the time to start preparing for MiCA and the changes it will entail. 

Houthoff will be glad to navigate you through this changing and challenging environment.

If you have any financial regulatory questions, please do not hesitate to contact Berry van Wijk, Juan Vervuurt or Lisanne Haarman.