MiCA – Service providers

MiCA – Service providers

1. Introduction

The Market in Crypto Asset Regulation (EU) 2023/1114, commonly referred to as MiCA, is a legislative framework applicable in the European Union to crypto-assets issuers and service providers. The role of the Regulation is to assure an efficient and prudent management of the crypto-asset service providers, as well as to enable fair market rules without abusive practices.

The article discusses the regulatory mechanisms for the providers in the cryptocurrency sphere which offer services to their clients within the European Union. It also presents the legislative framework to prevent market abuse in this specific economic sphere.

The provision of services by such providers is defined in Article 3 as including but not limited to: offering custody and administration of crypto-assets on behalf of clients, operation of a trading platform, exchange of crypto-assets for funds, execution of orders and placing of crypto-assets.

2. Authorisation

In order to provide services related to crypto-assets, Article 59 requires the legal person to have an authorisation or to be a credit institution, investment firm, market operator, UCITS management company, electronic money institution or an alternative investment fund manager. The Regulation establishes clear territorial requirements for all the service providers: a company must own a registered office in a Member State (where they carry out at least some part of their services), to have their place of effective management in the European Union and to have at least one director resident in a Member State.

The application for authorisation should contain all the information from Article 62 such as the description of the legal entity, the articles of association, the programme of services provided, policies for prudential safeguards, governance arrangements and the identity of the shareholders. It is also imperative that the service provider has a business continuity plan and operates anti-money laundering policies.

Credit institutions above-mentioned do not require prior authorisation but are instead obliged to provide specific information to competent authorities of the Member State before providing any services. The mandatory information includes programme of operations including a service plan, protocols to ensure internal control, risk assessments in relation to anti-money laundering and terrorism financing policies, and non-discriminatory commercial policies.

As part of the integrity requirements that the Regulation seeks to enforce, management and shareholding members have to be free from any criminal record (convictions) and sanctions under commercial law in respect to anti-money laundering legislation.

Crypto-assets service providers are excluded from the authorisation requirement if a client situated in the European Union initiates at its own exclusive initiative the service/activity by a third country firm. This does not apply if the third-country firm solicited clients or used marketing communication to promote its services.

For cross-border service providers, there is a requirement of submitting specific information to the competent authority Member State which relates to the list of states in which the entity intends to provide services and their type.

An authorisation can be withdrawn if it has not been used within 12 months from coming into force, if no crypto-asset services were provided for 9 consecutive months, if it infringed the Regulation or if it was renounced voluntarily.

3. Obligations

Crypto-assets service providers are obliged to act honestly, fairly and professionally while following the interests of their clients per Article 66. All information provided in marketing communications is required to be fair and not misleading for the clients. Any price and related policy must be made public on the website. A specific obligation is to disclose environmental impacts arising from the issuance of the crypto-assets.

Providers have to keep prudential safeguards with the value of either the permanent minimum capital requirements (Annex IV) or one quarter of the fixed overheads of the preceding year. In case an insurance is chosen for the safeguards, the provider has to publish it on the website and assure that the insurance is made for minimum one year. The policy has to be made with an independent entity and cover misrepresentations, acts/errors/omissions in breach of obligations and losses arising from business disruption.

In terms of governance arrangements, the Regulation imposes that the members of the management body of service providers are persons of good reputation, sufficiently skilled to perform their duties and free from any financial crime. The requirements of good reputation and absence of convictions are also applicable to shareholders with qualifying holdings. Competent authorities may intervene through judicial orders and penalties if the shareholders can negatively impact the management of the crypto-asset service provider.

All providers must implement protocols for identifying and disclosing conflicts of interests arising between the entity, management team, employees and clients. It is mandatory that such conflicts, if found, are stored visibly on the website.

The Regulation requests per Article 68 that crypto-asset service providers enact a business continuity plan suitable for preserving essential data and functions for their systems in case of a technical failure. If it is not possible to enact such protocols during interruption of the ICT systems, the provider must at least be able to provide a timely recovery of the systems.

The service provider is under an obligation to keep records of all the activities, orders and transactions undertaken by them. The records should also be made available to clients on request and should be maintained for at least five years.

In terms of safekeeping client’s crypto-assets and funds, the provider has to ensure constant ownership and availability (especially during insolvency). All funds (except e-money) received by the provider must be stored independently with a credit institution or central bank. If payment services are provided, clients must be informed of the terms of the service as well as the applicable national law and consequent rights.

If the service provider chooses to outsource its services to third party, operational risk must be avoided. The main crypto-asset service providers remain under the obligation to follow the Regulation’s provisions and cannot delegate the responsibility. The service provider is required to have an exit strategy (and respectively, termination rights) and to sign a written agreement for the contractual provisions with the third party.

In order to ensure effective services to the client, the providers have to maintain a procedure for complaints-handling which is both fair and reliable. All such complaints should be made free of charge and should be stored securely in a record. Investigations have to be carried out in respect of each complain in order to obtain a timely outcome for the client.

4. Specific services

There are multiple specialist services that providers can offer to the clients which are regulated under Title VI, Chapter 3 of the Regulation. These services include providing custody and administration of crypto-assets, operating a trading platform, exchanging crypto-assets for funds, executing orders for crypto-assets and providing portfolio management.

Crypto-asset service providers which offer custody and administration products require an initial agreement with the client containing the nature of the service, a description of it as well as the custody policy and security protocols enabled. All movements instructions from the clients should be recorded in a register of positions. The custody policy should contain adequate information to minimise the risk of the crypto-assets and protect them against cyber threats. All assets administered by the service providers must be segregated from the provider’s estate. Any liability arising out of an incident attributable to the provider is carried by them, with losses totalling market value of the assets.

For the purposes of operating trading platforms, service providers are obliged under the Regulation to set the approval processes for clients on the platform, to define exclusion categories for crypto-assets, to establish the fees and commissions as well as to promote fair and open access to trading. The framework also imposes on providers the need to set conditions for operating and settling crypto-assets and funds. All crypto-assets have to be evaluated beforehand to asses the technical solutions, links with illicit activities, the track record of the issuer and suitability. Crypto-assets with an inbuilt anonymity feature are not allowed on trading platforms unless the holders and transaction history are visible to the service providers. Moreover, providers are required to ensure through their internal protocols that the platforms are resilient, capable of handling severe market stress and prepared to detect market abuse. The fees structure should not under any circumstances represent incentives to perform certain transactions on the platform. All prices, volumes and times of transactions have to remain public.

Exchange of crypto-assets, according to the Regulation, has to be conducted through a non-discriminatory policy, establishing from the beginning the conditions of eligibility for clients. The providers have the duty to publish a price of the crypto-assets or if not possible, an algorithm which can be used to determine it. All the information concerning transactions, including volumes and prices, has to be published by the service provider.

The Regulation specifies that any crypto-asset service provider executing orders on behalf of clients has to act in its best interest, obtaining the best result by reference to the price, cost, speed and conditions of custody. All execution orders must be conducted in a prompt and fair way, preventing the misuse of any information. The efficiency of the services must be monitored constantly to correct any potential deficiencies per Article 78.

In terms of providing advice and portfolio management, crypto-assets service providers must evaluate the asset suitability for their client by analysing the investment experience, objectives and financial situation. There is an explicit prohibition for providing services or recommending crypto-assets which are not suitable for the client. When providing such advice, the entity has to assess a sufficient range of crypto-assts available on the market and not accept any commissions from third parties for the services. If the advice is not on an independent basis, the service provider is required by Article 81 to ensure that the third party has the necessary expertise to give advice. A special warning for services related to advice/portfolio management is required to inform the client that the value of assets might fluctuate, that the crypto-assets can be subject to full/partial losses and that no coverage exists under the investor compensation or deposit guarantee schemes.

Crypto-asset service providers may be deemed significant under the present Regulation if they hold in the European Union minimum 15 million users on average in a year. When the provider reaches the said threshold, it is necessary to inform the competent authority which will notify European Securities and Markets Authority.

5. Market abuse

Title VI of the Regulation seeks to deter potential market abuse in the field of crypto-assets and the provision of services. It applies to all persons admitted to trading and transactions or affiliated orders.

Inside information which is precise and relates to issuers, offerors and persons seeking admission to trading has to be disclosed to the public per Article 88. Such a disclosure can be delayed if it has the potential of prejudicing the legitimate interests of relevant persons, provided that the confidentiality is kept by the issuers, offerors and others seeking to trade.

Insider dealing is explicitly prohibited under Article 89 of the Regulation. Information relating to crypto-assets cannot be given to any person with the purpose of making them acquire/dispose of assets or cancel/amend orders. A person receiving such information can also be guilty of insider dealing if they knew or ought to have known it was based on inside information.

The framework also establishes that market manipulation is not accepted. This includes entering into a transaction or doing an action which can give rise to false signals and therefore impact the price of a crypto-asset. Market manipulation is said to cover sharing information through media and electronic means which is either false or misleading. The provisions in Article 91 extend to any dominant positions which can fix the prices or affect the functioning of the trading platform. Any conflict of interest has to be disclosed beforehand where individuals with the special advantage of access to media plan to disseminate an opinion about a crypto-asset.

6. Legislative Focus: Romania

The crypto-assets service providers are defined in the Romanian legislation under the Emergency Ordinance 111/2020 concerning anti-money laundering provisions.

In order to be registered as service providers for crypto-assets, legal entities from Romania have to obtain an authorization from the competent authority, the Commission for Authorisation of Foreign Exchange within the Ministry of Finance. The current national procedure of obtaining the authorisation is in the public debate phase, published as a draft Government Decision. The legislative project only refers to service providers which exchange crypto-assets for funds or ensure the custody of such assets.

According to the legislative project, the authorisation application for the service provider will contain the following: the unique identification code (provided by the Direction of General Management of Specific Regulated Domains within the Ministry of Finance), the type of activity proposed and the validity date. The entity needs to have CAEN code 6499 for other financial intermediation. If the service provider has been authorized already in another Member State, then the entity can obtain a certificate of registration from the same department within the Ministry of Finance.

For the crypto-asset service providers operating in Romania which are already authorized in another Member State, there is a territorial requirement. The entity has to choose a representative which resides in Romania and is free from any convictions falling under anti-money laundering and financial laws. The said representative will be in charge of liaising with the competent authorities from Romania.

During the authorisation procedure, the provider requires a digital platform with remote access that can host the exchange/custody services. The said platform has to be connected to at least one Romanian internet domain. Additionally, at least one bank account of the service provider has to be opened in Romania and the servers used for the activity have to be physically placed in Romania or another Member State. An important element of the procedure is to obtain a technical approval from the Romanian Digitalization Authority.

Due to the governance arrangements within MiCA, all the shareholders with qualifying holdings as well as the management members have to possess a clean record, without any financial crime charges, and to be individuals with a good professional and moral reputation. The authorisation requires a list of all stakeholders, evidence of their professional qualification to prevent money-laundering as well as proof of financial record (which can be obtained from the national registry through the National Agency for Fiscal Administration).

The crypto-asset service providers are required under the Regulation and draft Government Decision to have an insurance policy valid in Romania with the total value of 1% of the crypto-assets available in the digital wallet, with no less than 350.000 EUR. The said policy has to cover against the loss of documents, misrepresentation and losses arising out of business failures.

All exchange services between crypto-assets and funds can be conducted only through a virtual wallet containing the identification of the client. For the exchange platform, the systems need to have mechanisms to detect illicit activity and potential risks of the clients. The platform must be tested constantly to ensure its security and all data must be stored for at least 5 years. The exchange rates can be established by the service provider, but they have to be published on the website.

To respect the transparency requirements of the Regulation, all service providers need to have visible on their website the following additional information: the address of the entity, the crypto-assets risks related to cybersecurity and financial markets, the rules for accessing the digital platform as well as information concerning payment means.

All service-providers will be required according to the draft legislation to request the identification data of the clients. The entities will need to keep an online register of all the transactions performed using virtual wallets and the IP address of the users.

Any suspensions of the activity of the service providers should be notified to both the competent authority (the Commission within Ministry of Finance) and the clients. During the suspension period, the entity is obliged to refund to its clients on request any crypto-assets and funds held. If the entity decides to cease its activity, a notification has to be sent to the same beneficiaries which also contains the method of refund. Special arrangements must be made and communicated beforehand if the client chooses to transfer their assets/funds to a different service provider.

The Commission within the Ministry of Finance can decide to suspend the activity of the crypto-asset service provider if there are grave actions committed against the above provisions or at the discretion of the National Office for the Prevention and Combat of Money Laundering (for a breach of Law 129/2019). The measure to revoke the authorisation can be taken if the initial information provided to the authority was false or the fiscal obligations are unpaid. Government agencies including the National Agency for Fiscal Administration, Romanian Consumer Protection Agency and the Ministry of Interior will constantly communicate to the Commission any findings related to illegal activity.

Therefore, the Romanian authorisation process is still being drafted by the national authorities to mirror MiCA’s provisions.

7. Conclusions

The Regulation has complex provisions in the area of crypto-asset providers in order to ensure a smooth operation of the markets. Its emphasis on client protection extends to imposing governance arrangements on the providers. All services are required to be carried out according to specific obligations, with an accent on transparency and efficiency. Thus, the Regulation legislates on the commercial activities undertaken for different entities to prevent potential market abuse.


Gelu Maravela
Founding Partner
gelu.maravela@mprpartners.com

Alexandru Lungu
Intern

Menu