MiCA Compliance – key issues and what they mean for a crypto business operating in the EU.

12 October 2023 | Applicable law: EU | 7 minute read

The introduction of a harmonised set of crypto-specific regulations has certainly not been unexpected – with an increased need for financial integrity, transparency and customer protection in the crypto market, the Markets in Crypto-Assets Regulation ('MiCA') is set to deliver a set of rules for those who issue or offer crypto-assets to customers in the EU, as well as for those who provide crypto-asset services.

MiCA is intended to 'fill in the gaps' in the current EU regulatory framework, and so has broad application across the crypto sector. Therefore, it is vital for those who conduct business activities that relate to crypto-assets in the EU to achieve compliance.

The reaction to MiCA across the crypto market was positive, insofar as it demonstrates the EU's commitment to crypto-assets as a part of society and the new economy, although this is balanced by the scale of regulatory requirements crypto businesses will need to meet. Such businesses are now working to ensure compliance is achieved, with some requirements (relating to asset-referenced tokens and electronic money tokens) coming into force from June 2024, and the full requirements to apply from 30 December 2024.

The Fundamentals of MiCA

Who does it apply to?

MiCA primarily applies to:

  1. Issuers of crypto-assets to the public, or entities that seek admission to trading of crypto-assets.
  2. Crypto-asset service providers ('CASPs') – persons involved in the provision of crypto-asset services to clients on a professional basis. Such services could include operating a platform for crypto-assets or providing custody and administration of crypto-assets on behalf of clients.

What types of 'crypto-assets' does MiCA cover?

The regulation defines crypto-assets as "a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology" and differentiates between the following in terms of the relevant compliance requirements:

  1. Asset-referenced tokens ('ARTs') – Crypto-assets that maintain a stable value by referencing the value or right in other crypto-assets, commodities or several fiat currencies (or any combination thereof).
  2. Electronic money tokens ('EMTs') – Crypto-assets that maintain a stable value by referencing one official fiat currency, such as $USDT.
  3. Crypto-assets other than ARTs or EMTs – Crypto-assets that are valued by referencing an asset or assets, such as utility tokens, which are those tokens which are only intended to provide access to a good or service supplied by its issuer.

For now, certain products are excluded from the scope of MiCA, including crypto-assets already covered by other legislation (such as financial instruments under MiFID II), as well as DeFi protocols and NFTs that are truly non-fungible. Those operating in the crypto sector should be aware, however, that a review of the regulation is expected in the next two years, which could see NFTs and DeFi protocols falling under the jurisdiction of MiCA.

Regulations on token issuers

Some of the key requirements on issuers are:

Issuers of crypto-assets other than ARTs or EMTs:

  • Authorisation with their competent authority is not required.
  • White paper requirement – before making the crypto-asset available to EU customers, issuers must publish a white paper outlining the technical and economic aspects of the token and notify their competent authority of the white paper no later than 20 working days before the intended publication date. Because of the lower compliance requirements for crypto-assets that are not ARTs or EMTs, this notification needs to be accompanied by an explanation of the methodology behind the classification of the token as a crypto-asset that is not an ART or EMT.
  • No marketing communications in respect of the crypto-asset will be allowed prior to the publication of the white paper; however, marketing communications do not require approval from their competent authority.
  • Right of withdrawal – issuers are required to offer consumer protection measures to retail holders, by offering a period of 14 calendar days to withdraw their agreement to purchase crypto-assets without incurring fees or costs.

Issuers of ARTs and EMTs

  • Authorisation requirement for ARTs – issuers of ARTs require authorisation (a MiCA licence) from their competent authority.
  • Authorisation requirement for EMTs – EMTs can only be issued by institutions or e-money institutions under the E-Money Directive (2009/110/EC).
  • White paper requirement – both issuers of ARTs and EMTs must publish a white paper prior to offering the relevant underlying crypto-asset to the public (and follow notification requirements with their competent authority).
  • Measures to help protect investments made by token holders:
      • Reserve and custody of assets - Issuers of ARTs are subject to a range of requirements relating to maintenance of a reserve of assets to ensure liquidity of the ART and custody policies and procedures.
      • Redemption rights - Issuers of ARTs must establish a policy setting out the right of ART holders to redeem against the ART issuer or reserve assets at any time, and a corresponding plan to ensure that rights of token holders are protected during redemption.
      • Capital requirements - ART issuers are required to hold capital that is the higher of €350,000, 25% of fixed overheads of the preceding year or 2% of the average amount of reserve assets.
      • Recovery plan - issuers of ARTs and EMTs are required to prepare a recovery plan regarding potential issues related to the reserve of assets which trigger non-compliance with MiCA.
  • Reporting on high-value ARTs – issuers of ARTs are subject to reporting obligations such as a quarterly report to their competent authority for ARTs with an issued value higher than €100M.
  • Significant issuers - issuers of 'significant' ARTs and EMTs ('significance' is deemed by the European Banking Authority ('EBA')) are subject to stricter requirements, including extra supervision from the EBA, as well as higher capital requirements and interoperability requirements. They should also establish a liquidity management policy.

Regulations on CASPs

What will I need to do if I am a CASP?

CASPs are subject to somewhat different requirements, as summarised below:

  • Authorisation requirements – CASPs also require authorisation from their competent authority, via a MiCA licence. Authorisation in one EU member state will allow entities to operate across all EU member states via a passporting system.
  • Corporate structure requirements – CASPs will need a registered office in an EU member state where they carry out at least part of their crypto-asset services, and the place of effective management must be in the EU. Additionally, at least one company director must reside in an EU member state.
  • Governance requirements – senior management must establish adequate policies and procedures to ensure compliance with MiCA, must have good standing and must be able to demonstrate sufficient knowledge and skills to perform their duties.
  • Capital requirements and safekeeping measures – CASPs must adhere to minimum capital requirements and safeguard their clients' ownership rights of crypto-assets.
  • Conflicts of interest and complaints handling – CASPs must maintain and operate a procedure for the handling of client complaints and an effective policy to identify and disclose conflicts of interest.
  • Publicity of environmental requirements – CASPs must make information related to the adverse environmental impact of the crypto-assets to which they provide services prominently available on their website(s).

What if a crypto-asset business is based outside the EU?

MiCA has extra-territorial scope and will apply to all who aim to offer crypto-assets or provide crypto-asset services to EU residents, regardless of their geographical location. Given the authorisation requirement for issuers of ARTs and EMTs and the need for prospective CASPs to have a registered entity in a member state, extra planning will be required if you are involved in activities caught within MiCA's perimeter, and operate from outside the EU.  

What are the risks of non-compliance?

As part of the enforcement of MiCA, member states will designate their own responsible 'competent authorities' to carry out the duties provided for in MiCA, such as providing assistance to other member states and cooperating with the EBA and the European Securities and Markets Authority ('ESMA') in investigations. These competent authorities can suspend and prohibit crypto-asset services as well as public offerings or admission to trading of crypto-assets, which could have a devastating reputational impact on affected businesses worldwide.

There are also significant financial penalties that entities can face from competent authorities, including fines of up to €700,000 for natural persons, and, in respect of legal persons, fines of the greater of 15% of their total annual turnover or at least twice the amount of the profits gained or losses avoided because of the infringement.

Final considerations 

MiCA represents a much-needed step in the continued digitalisation of the EU. The requirements under MiCA are tough, particularly for crypto-asset businesses who have until now been operating in a decentralised, largely regulation-free sector; however the requirements have been deemed a necessary step in order to bring crypto-asset businesses and services in the EU into the mainstream, and they are here to stay.

The continued adoption of distributed ledger technology across governmental bodies and small companies alike has spurred on the need for effective regulation - MiCA certainly aims to do this by promoting integrity in the sector, protecting customers and pushing for the seamless provision of crypto-asset services across the EU via the passporting system to ensure the EU remains at the forefront of crypto innovation.

If your business operates within the crypto sector and has customers resident in the EU, then it is likely that you will fall under the jurisdiction of MiCA. The full implementation of the regulation is scheduled for 30 December 2024, meaning there is limited time to start planning and taking the necessary steps to ensure full MiCA compliance.

For advice on MiCA, regulatory or other crypto-asset business compliance matters, or if you have any questions on this topic, please get in touch with your usual Withers contact or the authors of this article.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
