Written by: Bai Qin, Mankiw LLP
The European Union's Markets in Crypto-Assets (MiCA) regulation is a major development in the regulatory framework for digital assets. Designed to provide a clear and consistent regulatory environment across EU member states, MiCA covers key areas of the virtual asset ecosystem, including the operations and responsibilities of virtual asset custodians. This article explores the specific issues that custodians need to consider when complying with the latest regulatory environment.
About MiCA
MiCA aims to harmonize crypto-asset regulation in the EU and provide legal certainty for issuers and service providers. It includes a framework for regulating cryptocurrencies, stablecoins and other digital assets, and establishes the rights and obligations of virtual asset custodians. These custodians are responsible for protecting and managing digital assets on behalf of their clients and will be subject to strict regulatory requirements to ensure security, transparency and legal compliance.
*Source: Screenshot of ESMA official website
The European Commission proposed the MiCA regulation in 2020, and the bill came into force on June 30, 2023. However, not all MiCA rules apply immediately - the rules on stablecoin issuers came into force on June 30, 2024, and additional provisions will come into force on December 30, 2024.
As MiCA is about to come into effect, the bill provides a "transition period": a crypto asset service provider that is already providing services before December 30, 2024 can continue to provide them until July 1, 2026, after which it must hold a license. However, the exact length of the transition period is determined by the relevant EU member states.
MiCA Key Definitions
Before we delve into the compliance requirements for custodians, let’s quickly review some key MiCA definitions:
Crypto assets
Refers to a digital representation of value or rights that is capable of being transferred and stored electronically using distributed ledger technology or similar technology.
Asset-backed tokens
A crypto-asset that is not an electronic money token and that purports to maintain a stable value by reference to another value or right or combination thereof, including one or more official currencies.
Crypto asset service provider
Means a legal person or other undertaking that provides one or more crypto-asset services to clients in a professional manner and is authorised to provide crypto-asset services pursuant to Article 59.
Crypto asset services
Refers to the following services or activities related to any crypto-assets:
Safekeeping and management of crypto assets on behalf of clients;
Operating a crypto asset trading platform;
Converting crypto assets into funds;
Exchanging crypto assets for other crypto assets;
Executing crypto-asset orders on behalf of clients;
Offering crypto assets;
Receiving and transferring crypto asset orders on behalf of clients;
Providing crypto asset advice;
Providing crypto asset portfolio management;
Providing crypto asset transfer services on behalf of clients.
Custody and management of crypto assets on behalf of clients
Means the custody or control, on behalf of a client, of crypto assets or of the means of accessing such crypto assets (where applicable, in the form of private keys).
Operating a crypto asset trading platform
Means the administration of one or more multilateral systems that bring together, or facilitate the bringing together of, the buying and selling interests of multiple third parties in crypto-assets, in accordance with the rules of the system, in a way that results in contracts to exchange crypto-assets for funds or for other crypto-assets.
Asset Reserve
Refers to the basket of reserve assets that guarantee claims against the issuer.
Compliance requirements for custodians
As mentioned above, a virtual asset custodian is defined as any entity that safeguards private keys and manages customer digital assets on behalf of customers. This includes centralized and decentralized custodians, regardless of the storage method (e.g., hot wallets, cold wallets, or multi-signature solutions).
MiCA introduces significant changes for European crypto asset custodians. Under the MiCA regulations, custodians face stricter obligations to promote transparency and security for customers. This includes requirements such as maintaining separate accounts for client assets, robust internal custody procedures, and more detailed client agreements clarifying responsibilities and security measures. Additionally, custodians are now explicitly responsible for any loss of crypto assets or loss of access keys, increasing liability for breaches or security failures. Prior to MiCA, the regulatory environment for custodians was fragmented and typically operated under the civil or contractual laws of each EU member state. This shift to a more structured and coordinated regulatory approach has significantly changed the way custodians operate, providing greater legal certainty while also requiring greater compliance.
Custodians will be required to meet several key regulatory obligations relating to the following matters:
Governance
As part of the application for Crypto-Asset Service Provider (CASP) authorization, the applicant must include a description of the Applicant CASP’s governance arrangements. In particular, the Applicant CASP will need to consider the following:
Are the members of its governing body of good reputation? Do they have the appropriate knowledge, skills and experience (individually and collectively) to carry out their responsibilities?
Have any members of its governing body been convicted of money laundering/terrorist financing or other crimes that could damage its good reputation?
Are its shareholders and members (whether direct or indirect) of good reputation and have they ever been convicted of money laundering/terrorist financing or other crimes?
If its shareholders or members have qualifying holdings in the CASP, is their influence likely to adversely affect the sound and prudent management of the CASP? If so, the competent authority must take appropriate measures to address such risks, such as:
a. Applying for judicial orders or imposing judicial sanctions on directors and relevant officers
b. Suspending the exercise of voting rights in relation to the shares held by the relevant shareholder/member
Does it have sufficiently effective policies and procedures in place to ensure compliance with MiCA’s regulatory requirements? Is it able to assess and regularly review the effectiveness of such policies and procedures?
Does it employ personnel with the necessary knowledge, skills and expertise to carry out the responsibilities assigned to them, taking into account the scale, nature and scope of the crypto-asset services provided?
Does it have resilient and secure ICT systems? Does it have a business continuity policy in place, including ICT business continuity, that covers disruptions to ICT systems?
As mentioned above, a business continuity policy is essential to protect the custodian from potential liability under the new MiCA regime. The reason is that a crypto-asset custodian may be liable to its clients in the event of loss of crypto-assets or loss of the means to access crypto-assets. In such cases, it would need to be proven that such losses are attributable to the custodian. Therefore, a suitable and effective business continuity plan that adequately addresses security measures and is regularly maintained is essential.
Capital
Under MiCA, crypto-asset service providers are required at all times to have a prudential guarantee equal to the greater of:
The permanent minimum capital requirement indicated in Annex IV (EUR 125,000);
One quarter of the previous year's fixed expenditure, reviewed annually.
*Image source: Annex IV of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023
Disclosure of Conflicts of Interest
MiCA provides clear guidance on conflicts of interest. But first, what exactly is a conflict of interest for a CASP? A CASP may have a conflict of interest with itself or with:
its shareholders/members;
any person directly or indirectly associated with it or its shareholders/members;
members of its governing body;
its employees; or
its customers.
A conflict of interest may also exist if there are conflicting common interests between two or more of the CASP’s clients.
In the event of a conflict of interest, MiCA provides that CASPs need to disclose to their clients and potential clients the general nature and source of the conflict of interest and the measures taken to mitigate the conflict of interest. Such disclosure needs to be prominently displayed on the CASP’s website. In addition, such disclosure in electronic format needs to include sufficient detail, taking into account the nature of each client, so that each client can make an informed decision regarding the type of crypto-asset service in which the conflict of interest arises.
Agreement between the Custodian/Manager and its Clients
CASPs that wish to provide crypto asset custody and management services on behalf of their clients will need to set out at least the following in a written agreement (the Agreement):
The parties to the agreement;
The nature of the crypto-asset service provided and a description of that service;
The custody policy;
The methods of communication between crypto-asset service providers and their clients, including the clients’ authentication systems;
A description of the security systems used by the crypto-asset service provider;
Fees, costs and charges imposed by crypto-asset service providers; and
The governing law.
Custody Policy
Reference is made above to a “custody policy”, which means a policy designed to minimize the risk of:
Loss of clients’ crypto assets;
Loss of rights associated with those crypto-assets; or
Loss of access to crypto assets due to fraud, cyber threats, or negligence.
The custody policy does not necessarily need to be included in the initial agreement with the client, but it needs to be provided to the client in an electronic format upon request.
Attorney Mankiw's Summary
The introduction of MiCA regulations undoubtedly emphasizes the importance of security, transparency and compliance, and its purpose is to build a more secure and reliable digital asset management framework. For custodians, the new regulatory environment has brought certain challenges, but it also breeds new development opportunities. Adapting to the dynamic requirements of MiCA is essential to maintaining competitiveness. Lawyer Mankiw believes that although the MiCA Act has not yet been fully implemented and its final effect remains to be seen, we have reason to believe that with the accumulation of regulatory experience and market feedback, MiCA will continue to improve to better adapt to the particularity of crypto assets. In the future, more regulations may be needed to fill potential regulatory gaps.
As a professional who specializes in Web3 business compliance, Mankiw suggests that in order to better cope with the changes brought about by MiCA, custodians can immediately take the following three actions:
Review and update internal processes. Ensure existing operating procedures comply with MiCA requirements, particularly with regard to asset segregation, safekeeping and client agreements.
Strengthen risk management. Identify and evaluate potential risk points and develop corresponding risk mitigation measures to prevent the loss of crypto assets or the leakage of access keys.
Improve compliance capabilities. Invest in compliance training and technology to ensure that the team can understand and comply with MiCA regulations, while maintaining a constant focus on regulatory developments so that strategies can be adjusted in a timely manner.