Getting up to speed with Europe’s “crypto regulation”

EU institutions reached an agreement on the much-awaited “Markets in Crypto-Asset Regulation” (MiCAR or “the Regulation”), which is expected to be applicable in 2024.

To date, the crypto-assets market has been mostly unregulated, but most could agree that dedicated policy has always been a question of when and not if. With negotiations on the Regulation playing out for over two years, industry players and investors have been expecting it – some eagerly and others grudgingly – for some time. On 5 October 2022,  the Council of the European Union (“the Council”) approved the MiCAR text. This timing could not be any better given the recent turmoil in this space, which came to a head when one of the world’s largest crypto exchanges announced bankruptcy in November 2022.

The purpose of the Regulation is to provide a framework for crypto-assets across the EU, with the objective of instilling confidence in the asset class, stabilizing what has been a volatile and speculative market and better protecting investors’ interests while concurrently encouraging innovation and growth. However, given the diversity and fast-evolving nature of crypto-assets, the types of issuers and service providers, and the general lack of precedent for blockchain, crypto and DeFi, policymakers have considered it appropriate to adopt a technology-neutral and proportionate approach to minimize supervisory and regulatory loopholes, duplicates and overlap.

Many asset managers are being nudged to offer crypto-assets to meet client demand, attract new investors and to avoid falling behind. Now, it is up to them to get up to speed with the Regulation and prepare for the eventual go-live date.

What follows is a brief overview of the contents of the Regulation and how it impacts the wealth and asset management industry. For a deep-dive on the topic, refer to our special MiCAR publication .

How does MiCAR fit into existing regulation?

MiCAR forms part of the EU Commission’s “digital finance package”, adopted in 2020 and composed of a digital finance strategy, and legislative proposals on crypto-assets and digital resilience. Rules within the package are designed to be proportionate to the risks, size, business profiles and needs of the entities in scope, and to support both start-ups and established regulated financial firms.  

The package also comprises more recent regulation, including:

• The pilot regime for market infrastructures based on distributed ledger technology (“DLT pilot regime”) published on 2 June 2022 in the Official Journal of the European Union
• The Digital Operational Resilience Act (DORA) adopted by the Council on 28 November 2022

Who does MiCAR impact?

Scope and classification of crypto-assets

Until now, only a handful of crypto-assets fell under the definition of financial instruments as per the MiFID definition (e.g., certain security tokens). MiCAR is now expanding the scope of crypto-assets to include new asset classes while keeping others out of scope. MiCAR recognizes three main types of crypto-assets:
 

• E-money tokens (EMT) which stabilize their value by referencing only one single official currency (e.g., the EUR-L, EUROC or USDC stablecoins)
• Asset-referenced tokens (ART) which stabilize their value by referencing any other value or right (e.g., PAX Gold, DIAM or the now discontinued Facebook Libra that was referenced by a mix of USD, EUR, YUAN, GBP and SDG)
• Other crypto-assets (OCA), such as utility tokens, which do not fall in the two other categories (e.g., the gaming currency, MANA, or BNB, which is used by the Binance exchange)

Crypto-assets which are already in scope of existing EU regulations will remain regulated under these regulations. Other crypto-assets, for example, unique and non-fungible crypto-assets (commonly referred to as NFTs), will be exempt from the scope of MiCAR.

Entity scope

MiCAR applies to offerors and people seeking admission to trading of the above-mentioned crypto-assets (EMTs, ARTs and OCAs), as well as crypto-asset service providers (CASPs), of which the latter includes: 
 

• Operators of crypto-asset trading platforms
  
• Entities exchanging crypto-assets for funds or other crypto-assets by dealing on own account
• Entities providing custody and administration of crypto-assets
• Entities placing crypto-assets, entities providing services of reception and transmission of orders for crypto-assets on behalf of third parties
• Entities providing execution of services on behalf of clients
• Entities providing advice or discretionary portfolio management (DPM)

What topics are covered within the Regulation?

MiCAR goes into detail on a range of topics. The main themes, inter alia, are listed below:
 

• Proportionality of authorization and supervision requirements for issuers and offerors of EMTs, ARTs, OCAs, and CASPs, including “significant” EMTs and ARTs: Details on the process and timelines for notification or authorization requests to the national competent authority (NCA), and the permissible services per entity type are spelled out 
  
• Operation, organization and governance of issuers and CASPs: Rules for the governance and conduct for issuers and CASPs are reported. The Regulation covers the following topics, including but not limited to processes and policies which should be in place ( inter alia, conflicts of interest policy, business continuity plan, custody policy), personnel requirements, substance and capital requirements, and redemption and reserve assets procedures
• Permissible services for different entity types and activity-specific requirements for CASPs: The list of permissible services for different entities (credit institutions, central securities depositaries, investment firms1, market operators, e-money institutions, UCITS ManCos and AIFMs) is provided. Further requirements are provided for CASPs which, inter alia, provide custody and administration services, operate trading platforms, execute orders on behalf of third parties, and provide portfolio management services
• Requirements applicable to issuance, offering to the public and the admission to trading of crypto-assets: Details on any white paper, marketing and communications requirements as well as exemptions for offerors of EMTs, ARTs and OCAs, are explained
• Market abuse: Rules are set out for the three main categories of market abuse that are anticipated: the unlawful disclosure of inside information, insider dealing and market manipulation 

What are some of the key takeaways for investment firms, UCITS ManCos and AIFMs?

Authorization and notification

UCITS ManCos and AIFMs providing or planning to provide crypto-asset services should take heed of the following requirements.

Unlike the “MiFID top-up”, the “MiCAR top-up” for already licensed firms is a notification and not an authorization regime whereby the CSSF will have only 20 days to provide comments. As such, CASPs already authorized as credit institutions, central securities depositaries, investment firms, market operators, e-money institutions, UCITS ManCos and AIFMs need only follow the notification procedure. Using the notification procedure, CASPs that are authorized in their home Member State will be able to provide crypto-asset services in other EU Member States.

CASPs not already authorized will need to file for authorization for the crypto-asset services they wish to provide. The NCA will have 25 working days to assess the application completeness and 40 working days to assess conditions for compliance. Note that authorization will be withdrawn if not used within 12 months, or if crypto-asset services have not been provided for nine consecutive months.

Permissible services

While credit institutions may provide the full range of crypto-assets services, other regulated firms are limited to certain types of services.

Permissible crypto-asset services for investment firms include: 

• Custody and administration
• Operation of trading platforms
• Exchange of crypto-assets for funds
• Exchange of crypto-assets for other crypto-assets
• Execution of orders
• Placing
• Reception and transmission of orders
• Advice
• Portfolio management
   

Permissible crypto-asset services for UCITS ManCos and AIFMs include:

• Reception and transmission of orders
• Advice
• Portfolio management

Target operating model and substance considerations

UCITS ManCos and AIFMs will need to answer the following questions in the wake of the Regulation and make adjustments where needed.

How should initial and ongoing due diligence be designed? 

There are well-established rules and guidelines for operational due diligence of UCITS ManCos and AIFMs (e.g., private equity and hedge funds) on the underlying managers and funds they invest in, and corresponding elements such as counterparties, valuation, IT, conflicts of interest, among others. Crypto-assets require a new set of due diligence considerations, such as, inter alia, connectivity to custodians, reconciliation processes and ownership verification.

How should fund risk profiles and risk limit monitoring be created or adjusted? 

Typically, risk limit monitoring for AIFs takes place quarterly, but this blanket approach will most likely not be sufficient for all crypto-asset classes. Fund managers may find themselves asking whether new substance and capabilities will be required due to the idiosyncratic risk structure of digital assets.

How should new service providers catering for digital assets under management be benchmarked and selected?

When offering crypto-assets, firms will need to consider which service providers will best serve their new needs. Can existing administration, IT, tax and legal advisors cater for the firm’s crypto needs or is it preferrable to look at specialized experts?

What steps can be taken to combat financial crime?

The typical customer due diligence checks should be applied to crypto-asset management (KYC, AML and CTF activities2). In practice this is tougher to execute due to its to-date decentralized nature – banks, asset managers and authorities lack control over cryptocurrencies and their associated data. 

Should new digital technologies (e.g., distributed ledger technology, “DLT”) be integrated with legacy IT systems, and if so, how? How should IT risk be catered for?

Plugging DLT into legacy technology and systems is a difficult task and may not always be necessary. However, in some instances, system integration could significantly increase the speed of processing transactions as well as reduce manual interventions. Here, one option is to use an “oracle” (or “secure blockchain middleware”) to connect the DLT to external data and technologies. In the context of IT risk, cybersecurity is of critical importance, especially in response to skepticism and perceptions around cryptocurrencies being utilized for criminal activity due to the anonymity and speed of transactions. One of the key concerns is the safekeeping of crypto-assets, which are currently accessible to investors via a private “key”. If this key is lost or hacked, there is no workaround. 

What changes should be made to the talent pool?

Firms are required to demonstrate that professionals giving advice or managing portfolios have necessary knowledge and experience. The question is whether upskilling existing staff will be sufficient or whether different and new profiles will be required (e.g., IT experts monitoring crypto protocols/discussion on forums, among others, to provide required investment research). Further, it could prove challenging to integrate “crypto teams” into an existing organization. Under MiFID, portfolio managers/advisors need to have a sufficient and demonstrated knowledge of the traditional financial products they distribute. These products have been on the market for a long period of time and training material/content is widely available. When it comes to crypto-assets, however, the topic is in constant evolution, is to date unregulated and as such it is difficult to train staff on such matters and to ensure that their knowledge remains up-to-date. As new crypto-assets and technology developments surface every day, upskilling cannot be a once-off activity. 

What’s next?

MiCAR is expected to become applicable in 2024. In the meantime, the European Commission will develop detailed level 2 requirements on certain aspects.

How EY can help

In Luxembourg, we are proud to have among our clients some of the most important players in the digital commerce industry. We provide support on a range of topics, spanning our assurance, consulting and tax service lines. Some of our services include the following:

Assurance

• External assurance for Virtual Asset Service Providers (VASPs) / Crypto-Asset Service Providers (CASPs)
• Internal audit “as-a-service” for VASPs/CASPs

Consulting

• Strategy definition and product development (e.g., tokenization, development of ARTs) 
• CASP licensing and MiCAR regulatory compliance
• Preparation and/or review of white papers
• MiCAR top-up and gap analysis
• Cybersecurity, DORA and outsourcing assessments
• Compliance/crypto-related training to staff members

Tax/Legal

• Tax reporting including CARF gap analysis and implementation
• VAT support 
• Support in the corporate setup of Luxembourg VASPs/CASPs
• Transfer pricing support and documentation

Footnotes 

1. Investment firms authorized under Directive 2014/65/EU (MiFID II).

2. Know Your Customer (KYC), anti-money laundering (AML) and counter-terrorist financing (CTF).