MiCAR Notification for Authorised Financial Enterprises
6 March 2024
In the previous edition of our series on the Markets in Crypto-Assets Regulation (MiCAR), we discussed the licence requirement for crypto-asset service providers (CASPs). Since then, we have learned that the date from which market participants can submit their CASP licence applications to the Dutch Authority for the Financial Markets (AFM) has been set at 22 April 2024. Currently authorised financial entities will be exempt from this licence requirement under certain circumstances and will merely need to notify the competent regulator. This edition will delve deeper into this notification procedure and highlight some key aspects.
Parties that can use the MiCAR notification procedure
The notification procedure is simpler that that for a MiCAR licence application and applies to the following entities that are already subject to financial supervision:
- Banks
- Central securities depositories
- Investment firms
- Electronic money institutions
- Collective investment undertakings (UCITS managers and AIF managers)
- Market operators
Notification procedure limited to activities already licensed
However, the option to use the notification procedure will be limited for most financial entities. Only banks are fully exempt from the licence requirement; after completing the notification process they can offer all types of crypto-asset services. Other financial entities can only use the notification procedure to provide crypto-asset services which are equivalent to the services and activities for which they are authorised. The provision of crypto-asset services which are not equivalent to their current activities or services requires a MiCAR licence. For example, an investment firm authorised under the Markets in Financial Instruments Directive (MiFID II) to provide investment advice on financial instruments will be exempt from the MiCAR licence requirement for advice on crypto-assets but will require a license under MiCAR to execute crypto-orders on behalf of clients. Similarly, managers of investment firms with a MiFID top-up for individual portfolio management, investment advice or receipt and transmission of orders for financial instruments can use the notification procedure to provide these authorised services for cryptocurrencies.
Once the notification procedure has been successfully completed, the right to provide crypto-asset services will lapse if the regulated entity's primary licence is revoked. That makes sense, as it is this licence that justifies providing crypto-asset services via a notification. Without a licence, this justification misses.
Notification procedure only replaces licence application, other provisions remain in force
Another important aspect is that this notification procedure will only replace the licence requirement. The majority of the MiCAR provisions remain in force. Under the notification procedure financial entities must demonstrate their compliance with these provisions under MiCAR. Provisions under MiCAR that continue to apply include:
- The provisions on the issuance and offering of crypto-assets in titles II through IV of MiCAR.
- The ongoing obligations for CASPs in title V of MiCAR that apply during the provision of services after the completion of the notification procedure or licence application.
- The separate obligation to inform the home state regulator of its intention to provide cross-border crypto asset services.
Notification processing time
The notification procedure is the same for all financial entities mentioned above. The relevant company must submit an information pack to its home state regulator at least 40 working days before providing the crypto-asset services. The regulator will check within 20 working days whether the notification contains all the information required. If not, it can give the notifying party a period of up to 20 working days to provide the missing information while suspending the 40-day notification period. In addition, the regulator can also ask questions to complete or clarify the information without suspending this period.
The relatively short periods for the notification procedure set out in MiCAR may create the impression that the process will be a very swift one and that regulators will be bound by the timelines mentioned. However, we would like to point out that the decision deadlines will have relatively limited significance in practice, as MiCAR also provides that the crypto-asset services cannot be provided until the regulator has confirmed that the notification is complete. This will serve as a safety net for regulators, allowing them to request additional information from parties.
In addition, it is not inconceivable that the regulators will still look at the content of the information submitted as part of the notification procedure. While the text of MiCAR only grants the power to assess the completeness of the notification, the AFM and the central bank of the Netherlands (DNB), under the heading of 'completeness' may also examine the contents of the documents. There is a precedent for this: under the current system of the registration requirement for crypto service providers, DNB set up the process largely in line with the licensing process to enable a much more comprehensive assessment than provided for in the law. Although the Rotterdam administrative court partly hauled back DNB for this after some crypto service providers had started legal proceedings, we do not consider it inconceivable that a more substantive review will be attempted again. A factor here is that crypto is inherently linked to money laundering risks and CASPs are, after the notification procedure, continuously bound by the rules from MiCAR. Sooner or later, it is therefore necessary to comply with those rules.
To expedite the notification procedure and avoid a unnecessarily long procedure with regulators we recommend starting the preparation of the notification on time and aligning the documents, where possible in advance, to match the requirements from MiCAR as far as possible. Later in this blog, we will address the content of the notification in more detail.
Competent regulator
A relevant question for parties that wish to submit a notification is which regulator they should address. Is it the same as the regulator that grants the licences under MiCAR (in the Netherlands, the AFM), or is it the regulator from which the regulated entity obtained its licence (DNB for banks and electronic money institutions)?
MiCAR refers to the competent authority of the home Member State. This offers little clarity. To make up for this, the European Securities and Markets Authority (ESMA) published a Q&A. The text in question is also ambiguous, but does offer some scope for Member States to have the notification assessed by the regulator that granted the primary licence to the relevant regulated entity. We anticipate that the Netherlands will use this scope and that DNB will assess the notifications from banks and electronic money institutions. If that course is indeed followed, it would seem self-evident that these entities will also have to turn to DNB to passport their crypto-asset services to other Member States.
What information must be provided?
The information that must be provided with the notification will depend in part on the proposed type of crypto-asset services but will include in any event the following:
- a programme of operations, including the proposed crypto-asset services and stating where and how the services are to be marketed;
- a description of the internal control mechanisms, policies and procedures on money laundering and terrorist financing, a risk assessment framework and a business continuity plan;
- a technical and a non-technical description of the ICT systems and security arrangements; and
- the procedure for the segregation of clients' crypto-assets and funds.
Importantly, MiCAR also provides that during the notification procedure financial entities are not required to submit any information previously submitted by them, such as documents already in the regulator's possession from a previous licence application. This is on condition that this information is still up to date.
The question is how much scope parties will actually have to confine themselves to their current documents. We believe this will be limited, as ESMA has already indicated that the information must align with the proposed crypto-asset services. Even regulated entities are therefore advised to critically assess their current policies, procedures and other required documents to complete the notification process swiftly and successfully. We would be happy to help identify ways that your company can handle this efficiently.
MiCAR compliance after notification
After the national regulator has confirmed that notification is complete, regulated entities must comply with MiCAR. Only a couple of aspects are exempt for these parties:
- own funds requirements to ensure financial stability; and
- approval from shareholders and parties that have qualifying holdings.
In all other respects, MiCAR's ongoing requirements simply apply. It is therefore very important for regulated entities to know where MiCAR sets additional requirements and where it will be sufficient for entities to comply with the regulations under which they obtained their primary licence. Where necessary, they will then need to adjust their operations to ensure full compliance. This will require accurate analysis, which will vary from one entity to the next. We expect this will also be a component that the regulator will look at in the notification process.
To illustrate, we will discuss a MiCAR top-up for investment firms authorised under MiFID II.
MiCAR top-up for investment firms
MiCAR shares many similarities with the MiFID II rules for investment firms. However, there are also some notable differences. Take the rules on the outsourcing of operational functions, for example. The MiFID II outsourcing rules only apply to 'critical and important operational functions'. MiCAR does not include such a limitation. Its outsourcing rules apply to all operational functions. Investment firms will therefore have to investigate the extent to which the outsourcing of non-critical and unimportant operational functions that fall outside the scope of the MiFID II outsourcing rules meets the MiCAR rules. This could be relevant for operational functions such as the provision of legal advice, staff training, billing services, building security and the purchase of standardised services such as market and price information services. MiCAR makes the outsourcing of these operational functions subject to the express requirement that CASPs retain the expertise and resources necessary for evaluating the quality of the services provided, for supervising the outsourced services effectively and for managing the risks associated with the outsourcing on an ongoing basis. Another important aspect comprises the requirements imposed on investment firms and crypto-asset service providers by the Digital Operational Resilience Act (known under the acronym DORA). For an overview of those requirements, please see Houthoff's publication of 12 January 2024.
These sorts of differences between MiFID II and MiCAR will force investment firms to identify what additional measures they need to take for MiCAR compliance. However, this does not just apply to investment firms. To be fully compliant, banks, central securities depositories, electronic money institutions, collective investment undertakings (UCITS managers and AIF managers) and market operators will also have to investigate what consequences MiCAR will have for their current operations if they wish to expand into crypto-asset services.
Next steps
Regulated entities that wish to start providing crypto-asset services from 30 December 2024 can submit their notifications to the AFM from 22 April 2024. In other words, now is the time to start preparing the notification. We can critically assess your current policies, procedures and other required documents and advise you on an efficient approach to notification. That way, you can be assured that your company will meet the new regulations on time, preventing any suspension of your crypto-asset services.
