On 31 January 2025, the European Securities and Markets Authority (ESMA) released a supervisory briefing to guide (the Briefing) National Competent Authorities (NCAs) with respect to the authorisation of crypto asset service providers (CASPs) under the EU Regulation 2023/1114 on markets in crypto assets (MiCA).
The Briefing provides detailed guidance with respect to the expectations on NCAs when assessing CASPs applications.
More specifically, the Briefing provides that NCAs should perform a risk-based approach when assessing CASP applications, taking into account:
- Size: CASPs with more than 1,000,000 yearly active users in the EU or a balance sheet size of €3,000,000,000 should be subjected to a higher level of scrutiny.
- Group structure: The more complex a CASP's group structures in number of entities and regulated activities involved, the higher the risk.
- Cross-border activity: CASPs with more than 200,000 yearly active users outside the home Member State should be subjected to a higher level of scrutiny.
- Ecosystem role: CASPs with an important role in the crypto ecosystem constitute a higher level of risk, as any issues they face may lead to contagion effects.
- Multiple crypto-asset services: CASPs which provide a number of crypto-asset services should be considered as being of higher risk.
- Token issuances: The issuance of tokens combined with CASP services should be treated with caution.
- Outsourcing: Excessive outsourcing of key functions creates room for potential high-risk situations.
- Regulatory history: CASPs, their shareholders, or management which have previously been the subject of administrative measures should be taken into account.
The document also provides detailed guidance on compliance with requirements in key areas such as:
- Substance and governance: CASPs should ensure that they can operate autonomously and with adequate in-country people when operating in the EU. Risk management, compliance, and internal control are at the forefront.
- Outsourcing practices: Highlighting effective limits on the externalisation of functions and services to maintain operational accountability. “Letter-box” entities are not permitted.
- Suitability of personnel: The management bodies of CASPs are required to demonstrate strong technical knowledge of the crypto ecosystem, in addition to being “fit and proper”.
- Business plan: A CASP's business plan should contain realistic projections of activity over a three-year horizon with clearly defined intermediate points.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
