Web3 Lawyer: Interpreting the EU MiCA Act, how can virtual currency custody services comply with the law?

Prepare for compliance in advance and seize the EU market

Author: Lawyer Liu Honglin, Mankun Blockchain Legal Services

Cover: Photo by Christian Lue on Unsplash

The EU's Regulation on Markets in Crypto-Assets (MiCA) is a major development in the regulatory framework for digital assets. Aimed at providing a clear and consistent regulatory environment for EU member states, MiCA covers key areas of the virtual asset ecosystem, including the operations and responsibilities of virtual asset custodians. This article explores the specific considerations that custodians need to take into account in complying with the latest regulatory environment.

Introduction to MiCA

MiCA aims to harmonize crypto-asset regulation in the EU, providing legal certainty for issuers and service providers. It includes a framework for regulating cryptocurrencies, stablecoins, and other digital assets, and establishes the rights and obligations of virtual asset custodians. These custodians, responsible for protecting and managing digital assets on behalf of clients, will be subject to strict regulatory requirements to ensure security, transparency, and legal compliance.

The European Commission proposed the MiCA regulation in 2020, and the law came into effect on June 30, 2023. However, not all MiCA rules will apply immediately - the rules for stablecoin issuers took effect on June 30, 2024, and other provisions will come into force on December 30, 2024.

As MiCA is about to take effect, the regulation provides a "transitional period", meaning that if a crypto-asset service provider is currently providing services (before December 30, 2024), it can continue to do so until July 1, 2026, after which it must hold a license. However, the exact length of the transitional period is to be determined by the relevant EU member states.

Key Definitions in MiCA

Before discussing the compliance requirements for custodians, let's quickly review some key definitions in MiCA:

1 Crypto-asset

Means a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology.

2 Asset-referenced token

Means a type of crypto-asset that is not an electronic money token and that purports to maintain a stable value by referring to the value of several fiat currencies, one or more commodities, or one or more crypto-assets, or a combination of such assets.

3 Crypto-asset service provider

Means a legal person or any other entity that provides one or more crypto-asset services as a profession, and is authorised in accordance with Article 59.

4 Crypto-asset services

Means any of the following services or activities when relating to any crypto-asset:

• The custody and administration of crypto-assets on behalf of third parties;
• The operation of a trading platform for crypto-assets;
• The exchange of crypto-assets for fiat currency that is legal tender;
• The exchange of crypto-assets for other crypto-assets;
• The execution of orders for crypto-assets on behalf of third parties;
• The placement of crypto-assets;
• The reception and transmission of orders for crypto-assets on behalf of third parties;
• The provision of advice on crypto-assets;
• The provision of portfolio management of crypto-assets;
• The provision of transfer services of crypto-assets on behalf of third parties.

5 Custody and administration of crypto-assets on behalf of third parties

Means holding, or arranging the holding of, crypto-assets or the means of access to such crypto-assets, on behalf of clients.

6 Operation of a trading platform for crypto-assets

Means the management of one or more multilateral systems that brings together or facilitates the bringing together of multiple third-party buying and selling interests in crypto-assets in a way that results in a contract, in accordance with its non-discretionary rules.

7 Asset reserve

Means the basket of reserve assets that back the claims against the issuer.

Compliance Requirements for Custodians

As mentioned in the previous text, a virtual asset custodian is defined as any entity that represents and protects the private keys and manages the digital assets of clients. This includes both centralized and decentralized custodians, regardless of their storage method (e.g., hot wallets, cold wallets, or multi-signature solutions).

MiCA introduces significant changes for crypto-asset custodians in Europe. Under the MiCA regulation, custodians face stricter obligations to enhance transparency and security for their clients. This includes requirements such as maintaining separate accounts for client assets, robust internal custody procedures, and more detailed client agreements to clarify responsibilities and security measures. Additionally, custodians are now explicitly liable for any loss of crypto-assets or loss of access to private keys, increasing accountability for misconduct or security failures. Prior to MiCA, the regulatory environment for custodians was more fragmented, typically operating under the civil or contract laws of individual EU member states. This shift towards a more structured and harmonized regulatory approach significantly changes the way custodians operate, providing greater legal certainty, but also demanding higher compliance.

Custodians will be required to meet several key regulatory obligations, covering the following areas:

1. Governance

As part of the authorization application for Crypto-Asset Service Providers (CASPs), applicants must include a description of their CASP's governance arrangements. Specifically, the CASP applicant will need to consider the following:

• Whether the members of its management body have good repute, and whether they possess the appropriate knowledge, skills, and experience (individual and collective) to perform their duties?
• Whether any members of its management body have been convicted of money laundering/terrorist financing or other crimes that could harm their good repute?
• Whether its shareholders and members (whether direct or indirect) have good repute, and whether they have been convicted of money laundering/terrorist financing or other crimes?
• If its shareholders or members hold a qualifying holding in the CASP, whether their influence is likely to adversely affect the sound and prudent management of the CASP? If so, the competent authority must take appropriate measures to address such risks, such as: a. Applying to the courts for a judicial order or imposing judicial sanctions on the directors and relevant managers b. Suspending the exercise of voting rights attached to the shares held by the relevant shareholders/members
• Whether it has developed sufficiently effective policies and procedures to ensure compliance with the regulatory requirements of MiCA? Whether it is able to assess and periodically review the effectiveness of such policies and procedures?
• Whether it employs personnel with the necessary knowledge, skills, and expertise to perform the responsibilities assigned to them, considering the scale, nature, and scope of the crypto-asset services provided?
• Whether it has resilient and secure ICT systems? Whether it has appropriate business continuity policies covering ICT business continuity, covering disruptions to ICT systems?

As mentioned, business continuity policies are crucial for protecting custodians under the new MiCA regime. This is because, in the event of loss of crypto-assets or loss of access to the means of accessing crypto-assets, crypto-asset custodians may be liable to their clients. In such cases, it needs to be demonstrated that such losses can be attributed to the custodian. Therefore, a suitable, effective business continuity plan, adequately addressing security measures and regularly maintained, is of utmost importance.

2. Capital

Under MiCA, crypto-asset service providers must always hold prudential safeguards equal to the higher of:

• The permanent minimum capital requirement specified in Annex IV (EUR 125,000);
• One-quarter of their fixed overheads of the previous year, reviewed annually.

3. Conflict of Interest Disclosure

MiCA provides clear guidance on conflicts of interest. But first, what constitutes a conflict of interest in a CASP? A CASP may have conflicts of interest between itself and:

• Its shareholders/members;
• Any person directly or indirectly associated with it or its shareholders/members;
• The members of its management body;
• Its employees; or
• Its clients.

A conflict of interest may also arise if there are competing common interests between two or more of the CASP's clients.

In the event of a conflict of interest, MiCA requires the CASP to disclose the general nature and source of the conflict of interest to its clients and potential clients, as well as the measures taken to mitigate the conflict of interest. Such disclosure must be prominently displayed on the CASP's website. Additionally, such electronic format disclosure must include sufficient detail, considering the nature of each client, to enable each client to make an informed decision based on the type of crypto-asset service giving rise to the conflict of interest.

4. Custodian/Manager and Client Agreements

For CASPs wishing to provide crypto-asset custody and management services on behalf of clients, they must at least specify the following in a written agreement (the Agreement) with the client:

• The parties to the agreement;
• The nature of the crypto-asset services provided and a description of such services;
• The custody policy;
• The means of communication between the crypto-asset service provider and the client, including the client's authentication system;
• A description of the security systems used by the crypto-asset service provider;
• The fees, costs, and charges levied by the crypto-asset service provider; and
• The applicable law.

5. Custody Policy

The "custody policy" mentioned above refers to a policy aimed at minimizing the risk of:

• Loss of the client's crypto-assets;
• Loss of the rights associated with those crypto-assets; or
• Loss of the means of accessing the crypto-assets due to fraud, cyber threats, or negligence.

The custody policy does not necessarily need to be included in the initial agreement with the client, but must be provided to the client in electronic format upon request.

Manqun Lawyers' Summary

The introduction of the MiCA regulation undoubtedly emphasizes the importance of security, transparency, and compliance, with the aim of building a more secure and trustworthy digital asset management framework. For custodians, the new regulatory environment, while presenting certain challenges, also presents new development opportunities. Adapting to the dynamic requirements of MiCA is crucial for maintaining competitiveness. Manqun Lawyers believes that although the MiCA legislation has not yet been fully implemented, its ultimate effects remain to be observed, but we have reason to believe that as regulatory experience accumulates and market feedback is received, MiCA will be continuously improved to better adapt to the unique characteristics of crypto-assets. In the future, additional regulations may be needed to fill potential regulatory gaps.

As a professional in Web3 business compliance, Manqun Lawyers advise:

• Review and update internal processes. Ensure that existing operational procedures comply with the requirements of MiCA, particularly in the areas of asset segregation, secure custody, and client agreements.
• Strengthen risk management. Identify and assess potential risk points, and develop corresponding risk mitigation measures to prevent the loss of crypto-assets or the disclosure of access keys.
• Enhance compliance capabilities. Invest in compliance training and technology to ensure that the team understands and complies with the provisions of MiCA, while maintaining continuous attention to regulatory dynamics to adjust strategies in a timely manner.

Disclaimer: As a blockchain information platform, the articles published on this site represent the views of the authors and guests only, and are not related to the position of Web3Caff. The information in the articles is for reference only and does not constitute any investment advice or offer, and please comply with the relevant laws and regulations of your country or region.