The EU regulation on markets in crypto-assets (“MiCA”), a key component of the EU Commission’s Digital Finance Package, was adopted by the EU Parliament on 20 April 2023.
Once it is endorsed by the Council of the EU (expected in the coming weeks), it will be the first EU-wide comprehensive regulation on crypto-assets.
This is a significant and welcome development, benefiting both (i) service providers by introducing a clear legal framework with passporting rights and facilitating a level playing field, and (ii) service users by introducing several protective rules.
1. Luxembourg’s existing legislative and regulatory landscape for crypto-assets
The current Luxembourg legal and regulatory regime does not ignore crypto-assets, quite the reverse.
The Luxembourg legislator and regulator have already acted in three main areas:
- Registration requirements applying to virtual asset service providers to ensure their compliance with anti-money laundering and terrorism financing (“AML/CFT”) requirements (linked to the implementation of the fifth anti-money laundering directive into Luxembourg law).
- Holding, issuance and pledging of securities using DLT via Blockchain Laws I, II and III.
- Helpful guidance in the CSSF FAQs on virtual assets for credit institutions and investment funds.
The recent entry into application of the DLT Pilot Regime and the future application of MiCA will significantly enhance this framework.
2. What types of crypto-assets are in scope of MiCA?
MiCA will apply to a broad set of crypto-assets, including the most well-known cryptocurrencies such as bitcoin. MiCA will also apply to utility tokens (i.e. crypto-assets intended to give access to goods or services), as well as to certain crypto-assets which purport to retain a stable value, such as e-money tokens and asset referenced tokens (ARTs).
Out of scope
Importantly, MiCA will, however, not apply to crypto-assets qualifying as financial instruments. This type of asset remains subject to the existing legal and regulatory framework for financial instruments, such as the MiFID requirements and the prospectus regulation.
MiCA will also not apply to crypto-assets issued by a central bank (also called CBDC).
Finally, MiCA will not apply to crypto-assets that are unique and not fungible with other crypto-assets, including digital art and collectibles, whose value is attributable to each crypto-asset’s unique characteristics and the utility it gives to the token holder (popularly known as NFTs), other than to fractional parts of NFTs.
3. Crypto-asset services and CASPs
A broad range of crypto-asset services are covered by MiCA, including:
- Custody and administration of crypto-assets
- Operation of a trading platform for crypto-assets
- Exchange of crypto-assets for funds
- Exchange of crypto-assets for other crypto-assets
- Execution of orders for crypto-assets on behalf of clients
- Placing of crypto-assets
- Reception and transmission of orders for crypto-assets on behalf of clients
- Providing advice on crypto-assets
- Providing portfolio management of crypto-assets
- Providing transfer services for crypto-assets on behalf of clients
These services can be provided by existing types of licensed entities (such as banks, investment firms and e-money institutions), and by new types of licensed entities (the CASPs).
Existing licensed entities will be able to engage in the relevant services after completing a notification procedure with the CSSF. The notification needs to contain a comprehensive set of information and documents, and must be submitted at least forty working days in advance of the offer being launched.
CASPs will need to follow a fully fledged licensing procedure and will be subject to specific prudential and organisational requirements.
All providers of crypto-asset services will be subject to comprehensive rules of conduct to protect investors. These rules include obligations to:
- Act honestly, fairly and professionally in accordance with clients’ best interests
- Provide clients with fair, clear and not misleading information
- Warn clients about risks
- Provide clients with hyperlinks to white papers
- Make pricing, costs and fee policies publicly available on their website
- Make information related to principal adverse environmental and climate-related impacts of the consensus mechanism used to issue each crypto-asset in relation to which services are being provided publicly available on their website (can be taken from white papers)
- Make arrangements to safeguard client assets and prevent their use for own account
- Apply certain complaints handling rules
- Manage and disclose conflicts of interests
A striking feature of MiCA is that it introduces an additional, comprehensive set of rules of conduct specifically to protect client assets when custody services are provided. These rules include requirements to:
- Include certain mandatory provisions in custody agreements with clients
- Keep a register of positions in the name of each client
- Adopt a custody policy, including rules and procedures to ensure safekeeping and minimise risks of loss due to fraud, cyber-threats and negligence
- Facilitate exercise of client rights
- Issue a statement of positions at least every 3 months
- Adopt a procedure for returning crypto-assets as soon as possible
- Segregate client assets from own assets and ensure that means of access to crypto-assets of clients are identified as such – client assets to be held on separate addresses
- Use only authorised CASPs as sub-custodians, unless customers are informed of use of other providers
- Ensure operational segregation of client assets from estate of service provider
In the same spirit, MiCA makes the service provider liable for losses incurred as a result of incidents attributable to the service provider, capped at the market value of the assets at the time of loss.
MiCA also requires that crypto-assets held in custody are insulated from the estate of the service provider, with no recourse from creditors of the service provider including in the case of its own insolvency.
4. Issuance of crypto-assets
Inspired by the prospectus regime for financial instruments, MiCA requires the issue (and, in certain cases, authorisation) of a white paper describing the features and risks of the relevant crypto-assets.
Depending on the type of issuance (including when the crypto-asset is issued for free, or to fewer than 150 persons) or the type of crypto-asset (including utility tokens), these requirements may be fully or partially disapplied.
Given the risks stemming from ARTs and e-money tokens, MiCA imposes additional requirements (including authorisation, governance, reserve assets and detailed conduct of business rules, including redemption requirements).
Asset-referenced tokens may only be issued by authorised issuers of ARTs or by credit institutions.
Some of the requirements may be partially disapplied if the issue is only offered to qualified investors (who must satisfy the conditions for professionals per se under MiFID II) or if the issued assets are below a certain threshold.
E-money-tokens are subject to very specific rules under MiCA, for example, regarding the contents of the white paper and valorisation. Also, e-money tokens may only be issued by credit institutions or e-money institutions.
MiCA also provides a new framework to prevent market abuse in the crypto-assets arena.
5. Timeline and next steps
Once it has been endorsed by the Council of the EU, the regulation is expected to be published in the EU Official Journal in June and enter into force in July 2023.
MiCA is intended to apply as from 18 months after its entry into force, which will take place on the twentieth day following its publication in the EU Official Journal. Certain provisions will, however, apply earlier, such as the requirements for ARTs and e-money tokens, which will apply 12 months after entry into force.
As the date of application is approaching, it is important to:
- Prepare to obtain the required licences or make the necessary notifications
- Start drafting white papers, policies and procedures
- Consider revising contracts and arrangements with external providers