The most common shortcomings in readiness for the licensing process in the crypto-asset sector

In preliminary communication with applicants for a crypto-asset service provider authorisation in accordance with Article 63 of Regulation (EU) 2023/1114 on markets in crypto-assets (hereinafter referred to as “MiCA”), we have summarised the most common shortcomings in the readiness for the authorisation procedure that may lead to a prolongation of the procedure or rejection of the application. In the following, we discuss each of the shortcomings in detail and provide specific recommendations for their prevention.

We recommend that potential applicants familiarise themselves with these shortcomings and ensure that they are addressed before submitting their application. As each applicant is unique, this is not a complete list of shortcomings.

  • Identification of Crypto-Asset services within the scope of business model

    The first most common gap in applicants’ preparedness concerns the identification and attribution of the business model to the individual crypto-asset services within the meaning of Art. 3(1)(16) of the MiCA. The applicant must specify in the application for authorisation exactly how the individual sub-activities that make up the business model are reflected in the crypto-asset services to which the application relates. It is essential that applicants analyse their services in detail and demonstrate that their business model fully complies with the definitions in the MiCA, which also implies the scope of the conditions that need to be demonstrated in the application.

    The gap often lies in the misinterpretation of the content of the crypto-asset services, which leads to the incorrect attribution of their own business model to the crypto-asset services. Applicants sometimes fail to distinguish between different crypto-asset services and thus try to subsume their business model under services that are not part of the crypto-asset service for which they are applying for a permit, or they fail to demonstrate how their activities meet the definitions under Article 16 of the MiCA. Eliminating these inaccuracies in the procedure itself may extend the overall duration of the procedure.

    We therefore recommend that you subject your business model to a thorough analysis and accurately identify the individual services in accordance with their definitions in the MiCA. In some cases, it may be necessary to modify or supplement the business model to meet the requirements. When preparing your application, you should clearly describe how the individual activities from your business model fall under the specifically defined crypto-asset services. Professional consultations with experienced advisors can minimize the risk of misinterpretations and unnecessary delays in the licensing procedure.

    Example:
    Under the applicant’s business model, once an order has been placed in the applicant’s system and the client’s funds have been deposited into the applicant’s account, the applicant sends the client’s funds to its own account with another provider (e.g. an exchange), exchanges the client’s funds for crypto-assets and withdraws the client’s crypto-assets to the client’s wallet maintained by the applicant. The applicant interprets this business model as the crypto-asset service “exchange of crypto assets for funds”, which is an incorrect and insufficient interpretation. The correct scope of the requested crypto-asset services should be “receiving and forwarding orders relating to crypto assets on behalf of the client” and “providing custody and management of crypto assets on behalf of clients”, since the crypto-assets were acquired with the client’s funds, not the applicant’s, and after acquisition the client continues to hold the crypto-assets in the applicant’s custody.

  • Composition of the management body

    The second typical and frequently identified deficiency is the inadequate composition of the management body. MiCA places strict demands on the members of the management body: at an individual level, a sufficiently good reputation; and at both an individual and a collective level, adequate knowledge, skills and experience, with particular weight on the body as a whole. The ability of each member to devote sufficient time to the position they are to hold is also examined. The management body as a whole should have collective experience in areas relevant to the intended crypto-asset services, in particular in the areas of financial markets, risk management, regulatory compliance and IT governance.

    In many cases, members of the management body hold multiple roles, which can lead to excessive accumulation of functions and insufficient time dedicated to management responsibilities, thereby weakening the strategic leadership of the company. There is often a lack of expertise in key areas such as liquidity and market risk management, AML, legal knowledge or IT technical support. Such gaps in professional qualifications may lead to an assessment of insufficient professional competence.

    To meet the requirements, it is recommended to assess the current composition of the management body and, if necessary, expand it with experts with the necessary experience. Training of existing members to increase their competence in the relevant areas may also be appropriate. In addition, it is desirable to introduce mechanisms for regular assessment of the management body to ensure flexibility and the ability to respond quickly to any shortcomings. For internal assessment of suitability, we recommend using the tool – Annex 1 to the MiCA Suitability Guidelines. This approach can effectively strengthen the professional qualities of the management body and improve the quality of decision-making in the provision of crypto-asset services.

    Example:

    A typical deficiency is entrusting the tasks of the management body to a single person who, in practice, could hardly meet the requirements of individual and collective suitability and sufficient time commitment at a proper crypto-asset service provider, given the requirements set out in the Guidelines on the assessment of the suitability of members of the management body of ART issuers and crypto-asset service providers.

  • Employees of applicant

    The third common shortcoming that arises when assessing the readiness of applicants is insufficient staffing. The number of employees should reflect the requirements of the MiCA Regulation and correspond to the nature, scope and complexity of its subject matter and the scope of activities performed and services provided. The applicant must ensure that the team is adequate given the scope and complexity of the crypto-asset services provided, with each employee having a defined function in terms of the content of the activity and reporting line. In practice, this means not only a sufficient number of employees, but also their specialization in individual aspects of the regulated activity, from risk management to ensuring compliance with AML and IT security.

    A common problem is that companies underestimate the need for specialized functions and expect a few employees to cover a wide range of activities. This shortcoming can lead to a decrease in the quality of management and control, as employees cannot fully devote themselves to all the necessary activities. There is also a lack of provision for specific functions, such as positions for ensuring compliance with AML laws, operational risk management, or ensuring IT and cyber security.

    The requirements for a specific staff composition implicitly arise from the MiCA Regulation and related regulations (AML Act, DORA Regulation). The applicant is required to indicate in the application the persons responsible for internal functions: management, supervision and internal control functions and provide details of the position of the responsible person under the AML Act, the technical officer for ensuring operational resilience and the officer providing a specific crypto-asset service. The distribution of positions must guarantee sufficient time to effectively perform the tasks, taking into account their other commitments. These criteria ensure the competence and credibility of the CASP management, which helps to meet regulatory requirements and protect the integrity of the crypto-asset sector.

    Example:

    As an example of an insufficient staff composition, we cite a situation where an employee of a provider ensuring the provision of various services for clients, in addition to performing tasks related to the provision of crypto-asset services (communication with the client, transfer of funds, etc.), also performs client care, e.g. evaluation and assessment of AML risk, for which he is not qualified in the given case.

  • Origin of funds

    The fourth common deficiency we encounter is an unclear or difficult-to-prove origin of the funds used to cover prudential requirements. MiCA requires the applicant to be able to accurately document where the sources of funding come from, and the origin of the funds is verified all the way back to the initial source of their acquisition. The explanation of the origin should include a description of the activity by which the funds were generated and should be supported by relevant documents such as a bank statement, tax return, etc. The method and scope of proof always depend on the nature of the funds used. In the case of crypto-assets, the method of their acquisition and the funds used for the acquisition are proven; in the case of loans, the origin of the borrowed funds; etc.

    However, in practice, it often turns out that not all applicants have complete and trustworthy documentation of the origin of the funds. Many companies draw funds from various investments or sources that cannot be easily and transparently proven, or are based on complex financial structures, which complicates the verification process.

    To meet this requirement, it is recommended that applicants collect and submit complete documentation on each source of finance down to the deepest level of their origin from the start of the licensing process. The details examined are based on Article 8 of the RTS on the detailed content of the information necessary to carry out the assessment of the proposed acquisition of a qualifying holding in the applicant.

    Example:

    An example of proving the origin of funds to cover prudential requirements may be the case of funds from a loan. In such a case, it is necessary to prove the legal title of acquisition of these funds by the lender as well as that these are funds originating from a given legal title. The origin and legality of the funds must be clearly demonstrated.

  • Separation of funds

    The fifth common deficiency of applicants in the licensing process under MiCA is the insufficient separation of the provider’s funds from the client’s funds. The regulation requires separation through a separate bank account. This separate bank account must be identifiable, and the provider’s funds may never be held in it. In relation to client crypto-assets, crypto-asset service providers that provide custody and management of crypto-assets on behalf of clients are obliged to ensure their clear operational separation from their own crypto-assets and the identification of the means of access to them. Client crypto-assets must be held in wallets that do not and have never held the provider’s own crypto-assets.

    The separation of crypto-assets is particularly problematic. This results from the inherent nature of the method of transferring crypto-assets, where it is often uneconomical to transfer small amounts. The problem is also caused by some types of business models, where funds are mixed during rebalancing of trading accounts to ensure liquidity.

    It is necessary to set up financial flows in such a way that they consistently separate client funds and crypto assets from those of the provider. This includes setting up separate bank accounts for managing client funds and implementing separate wallets for clients’ crypto assets. At the same time, it is necessary to design processes that will allow for compliance with segregation requirements even with increased transaction costs, or to modify the existing business model. In practice, solutions can be found with enterprise wallet providers.

    Example:

    The most common example of insufficient segregation of client funds and crypto assets is a business model operating a service of receiving and forwarding orders related to crypto assets on behalf of clients. In this case, the provider often holds part of its funds in an account with another provider with sufficient liquidity to purchase crypto assets for its clients. In cases where these own funds are not sufficient to fulfill the request, it will also use part of the client’s funds that it sent to purchase crypto assets, thus combining the client funds with the provider’s funds in the provider’s account held with another provider.

  • Requirements under the DORA Regulation

    Those interested in obtaining a license to operate as a crypto-asset service provider should pay particular attention to the requirements set out in the MiCA Regulation. However, a significant set of requirements for crypto-asset service providers is also set out in Regulation (EU) 2022/2554 of the European Parliament and of the Council on the digital operational resilience of the financial sector (hereinafter referred to as the “DORA Regulation”).

    Article 68(8) of the MiCA Regulation requires crypto-asset service providers to:

      • put in place all relevant mechanisms, systems and procedures within the meaning of the DORA Regulation,
      • monitor them on an ongoing basis (proportional to the scale, nature and scope of the crypto-asset services provided),
      • regularly assess their adequacy and effectiveness (proportional to the scale, nature and scope of the crypto-asset services provided),
      • take appropriate measures to address any deficiencies (whether potential or identified).

    DORA sets out a comprehensive set of requirements for the relevant mechanisms, systems and procedures of supervised financial market entities, the application of which depends on the size of the entities (e.g. micro-enterprises, small enterprises, medium-sized enterprises) and in some cases on the specific types of supervised financial market entities. The narrowest set of requirements applies to so-called micro-enterprises, which are, within the meaning of Article 3(60) of DORA, crypto-asset service providers that employ fewer than 10 persons (i.e. a maximum of 9 persons) and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million.

    Minimum requirements for crypto-asset service providers that are micro-enterprises are set out in Article 25(3) of the DORA Regulation, under which these entities shall carry out, in particular, the following tests:

      • vulnerability assessments and scans of ICT systems,
      • analysis of open-source solutions used (open source analyses),
      • network security assessments,
      • analysis of identified deficiencies (a prerequisite for taking appropriate measures to address deficiencies pursuant to Article 68(8) of the MiCA Regulation) (gap analyses),
      • physical security reviews (for critical assets such as crypto ATMs),
      • where appropriate, source code reviews,
      • scenario-based tests,
      • performance testing,
      • end-to-end testing,
      • penetration testing.

    The above tests shall be carried out by combining a risk-based approach with strategic planning of ICT testing, taking due account of the need to maintain a balanced approach between the scope of resources and time to be devoted to ICT testing as set out in Article 25 of the DORA Regulation, on the one hand, and the urgency, type of risk, criticality of the information assets and services provided, as well as any other relevant factors, including the financial entity’s ability to bear the foreseeable risks, on the other. This constitutes the so-called proportionality principle, which is also contained in the second sentence of Article 68(8) of the MiCA Regulation.

    The performance of the above tests may be ensured internally or externally, individually or collectively. The overall fulfilment of the above requirements may also be ensured by obtaining an external ICT audit of the applicant that meets the above requirements.

    Pursuant to Article 63(10)(d) of the MiCA Regulation, the NBS is obliged to refuse to grant a license to operate as a crypto-asset service provider if there are objective and demonstrable reasons that the applicant does not meet, or is likely not to meet, all the requirements of Title V of the MiCA Regulation. It is therefore necessary to demonstrate the fulfilment of the above requirements already in the procedure for the application for a license to operate as a crypto-asset service provider.