In December 2024, the Central Bank of Ireland (Central Bank) published a document (MiCAR Guidance) setting out its authorisation and supervision expectations for firms seeking authorisation to provide crypto-asset services under the EU Markets in Crypto-Assets Regulation (MiCAR).
MiCAR came into full force on 30 December 2024. The MiCAR Guidance applies to issuers of Asset-Referenced Tokens (ARTs), issuers of Electronic Money Tokens (EMTs) and firms seeking authorisation as a crypto-asset service provider (CASP).
CROSS SECTORAL GUIDANCE
The MiCAR Guidance should be read in conjunction with the Central Bank's Guidance on expectations for applicant firms seeking authorisation from the Central Bank to operate as a regulated Firm (Cross Sectoral Guidance) of November 2024. For further information on the Cross Sectoral Guidance, please see our article here.
CENTRAL BANK'S MICAR RISK APPETITE
The Central Bank's MiCAR Risk Appetite guides its approach when authorising and supervising issuers of ARTs and EMTs and CASPs under MiCAR. This risk appetite has been informed by:
- The MiCAR legislative package;
- Existing authorisation and supervisory expectations;
- Central Bank learnings from engaging with firms with crypto-related business models;
- The external environment and the risks that have crystallised (e.g. FTX);
- The product offerings and utility; and
- Engaging with national competent authorities (NCAs) as well as international and European regulatory authorities.
AUTHORISATION APPLICATION ASSESSMENT
Potential influencing factors in the context of an application for authorisation in the crypto-assets sector include:
- The use case and utility, suitability and risks associated with a crypto product or service.
- Whether the crypto product that is issued or offered is backed by a reserve of assets or otherwise structured to reliably meet expectations.
- The target customer and investor base (e.g. is the product/service retail-focused or aimed at institutional clients?).
- The viability and sustainability of the applicant firm's business model.
- The level of inherent conduct and investor protection risks (e.g. higher inherent risk will attract higher Central Bank expectations).
- The Central Bank expects full transparency regarding the firm's current and future intentions.
- The nature, scale and complexity of an application is a key consideration both in the focus of the assessment, and the overall application of proportionality within the assessment.
- Supervisory knowledge regarding existing authorised/registered firms will be utilised, although there are no predetermined authorisation assessments.
CENTRAL BANK'S MICAR EXPECTATIONS
General
- Early engagement. Potential applicant firms are encouraged to engage early in relation to their business proposal. In this regard, firms can initially engage with the Central Bank's Innovation Hub.
- Submission standard. Submissions should be of an appropriate standard and firms should have obtained all necessary internal/group approvals prior to submission.
- Passporting or outsourcing. Firms proposing significant levels of passporting or outsourcing should detail the rationale for seeking authorisation in Ireland.
- Licence types. Firms must consider whether the proposed business model requires more than one type of licence, consider and understand the different legal and regulatory requirements applicable to the authorisations required and take the appropriate steps to seek the required authorisations.
Governance and Accountability
Firms must demonstrate substance and autonomy in Ireland, be led by a local crypto-competent executive and board with a strong understanding of the local regulatory environment and maintain robust governance and risk management arrangements. Applicant firms should focus on:
- Appropriate governance arrangements. Governance arrangements should be sound, effective and commensurate with the nature, scale and complexity of proposed operations, product offerings and enterprise-wide risks, especially conduct risk.
- Pre-Approval Controlled Functions (PCF). PCF role holders must be of good repute, hold the necessary crypto knowledge, skills and experience and have sufficient time to perform the role. In this regard, evidence of due diligence conducted by the applicant firm must be provided. Applicant firms should also note the final report on Joint EBA and ESMA Guidelines on the suitability assessment of members of the management body of issuers and on Joint EBA and ESMA Guidelines on the suitability assessment of shareholders and members, whether direct or indirect, with qualifying holdings in issuers of ARTs and in CASPs.
- Reputation and clear record of members of the management body. Members of the management body must not have been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute. In this regard, evidence of due diligence conducted by the applicant firm must be provided. Applicant firms should also note the final report on Joint EBA and ESMA Guidelines on the suitability assessment of members of the management body of issuers and on Joint EBA and ESMA Guidelines on the suitability assessment of shareholders and members, whether direct or indirect, with qualifying holdings in issuers of ARTs and in CASPs.
- Board oversight. The local board (Board) must have full oversight of the firm and its risks and must be of sufficient size, expertise, and independence to achieve that outcome.
- Local autonomy. The firm must demonstrate local autonomy (including that the Board operates and makes decisions independently from any group board) and that no close links (between the local entity and another person/entity) exist that would impact the Central Bank performing its supervisory mandate, should the firm be authorised.
- Organisational structure. The applicant firm should demonstrate a clear organisational structure in place with well-defined, consistent lines of responsibility.
- Risk management. The applicant firm should demonstrate that it has effective processes to identify, manage, monitor and report risks, as well as adequate internal control mechanisms and practices that are consistent with and promote effective risk management.
- Customer-centric culture. Firms should have a strategy and execution plan with measurable actions to embed a customer-centric culture.
Protection of Client Assets
The firm must have full control of all client assets with robust segregation and prompt access to the reserve assets to meet redemption demands. The firm should:
- Fully control client assets. Demonstrate full control of all client assets and associated safeguarding accounts.
- Appoint a Head of Client Asset Oversight.
- Maintain a safeguarding framework with robust reconciliation and internal control mechanisms and detailed policies and procedures, that are compliant with regulatory requirements, reflect safeguarding best practices and ensure investors' ownership rights are protected and customer assets are fully segregated.
- Complete an annual conflicts of interest assessment, which is reviewed by the Board to ensure that no risks are posed to client assets through the nature and extent of the firm's activities.
- Ensure safeguarding expertise exists within the Board, particularly the non-executive cohort, to ensure strong independent oversight.
- Maintain robust outsourcing risk management procedures, systems and controls.
- Obtain annual independent third-party assurance on the safeguarding framework. This assurance may also be required for initial authorisation.
Business Model and Financial Resilience
Firms must maintain a Board-approved business strategy that demonstrates the viability and sustainability of the business model and fully reflects the vulnerabilities stemming from the product offering. Applicant firms should concentrate on:
- Financial planning. Through a financial plan, demonstrate the key drivers of profitability and how the firm can remain financially resilient in stress, particularly an event driving significant volatility in the crypto market. Key assumptions underpinning the financial plan, including macroeconomic variables, should be included.
- Maintaining a strong capital management framework, which quantifies potential capital deterioration from enterprise-wide risks (scrutiny will be placed on the sources of capital for the first three years of operation).
- For group companies, provide an explanation of group activities and how the activities of the firm will fit within the group strategy and interact with the activities of the other entities of the group.
- Risk appetite. Ensure their risk appetite is aligned with, and embedded in, the firm's business strategy in a way that it can be assessed both qualitatively and quantitatively and ensure that it is appropriately communicated across the firm.
Operational Resilience
Firms must ensure continuity and regularity in the performance of their services, including distributed ledger technology (DLT) and blockchain. Applicant firms should demonstrate that:
- Robust plans provide continuity and regularity in the performance of the firm's activities.
- Outsourcing arrangements. The firm maintains full risk ownership and a detailed operational understanding of all aspects of its activities including DLT.
- No letterbox entities. Outsourcing or delegation arrangements, under which entities confer either a substantial degree of activities or critical functions to other entities, should not result in those entities becoming letterbox entities. Such concerns are heightened where the outsourced service provider is located outside the EU, as the ability of firms and the Central Bank to, respectively, control and supervise may be significantly impacted.
- ICT systems and DLT infrastructure. Robust documentation and oversight of the information and communications technology (ICT) systems, DLT infrastructure, and security arrangements must be maintained.
- DORA. CASPs and issuers of ARTs are subject to the Digital Operational Resilience Act (DORA) and the specific technical requirements set out in MiCAR. DORA sets out a new EU framework for managing ICT risks in the financial sector. The new rules impose obligations on all financial institutions and their critical third-party ICT services providers. DORA sets up a comprehensive framework in areas such as ICT risk management, ICT incident management, operational resilience testing, and management of third-party ICT service providers.
Ownership
Firms must ensure a full, transparent and corroborated view of the identity of direct and indirect shareholders as well as any party that can exercise significant influence. Ownership and operating structures must be designed to achieve maximum transparency and clarity as to the ownership of the firm.
- Persons exercising significant influence. Provide a full and transparent view of the identity of all direct and indirect shareholders (qualifying or otherwise) as well as any party that can exercise significant influence over the applicant firm. Firms should also demonstrate that shareholders are of good repute and have not been convicted of offences relating to money laundering or terrorist financing or of any other offences that would affect their good repute and ensure that submissions are supported by all necessary corroborating documents.
Conflicts of Interest
Firms must ensure that no risks are posed to customer interests through conflicts of interest and that a robust system is in place which can proactively identify and subsequently remedy any conflicts in a timely manner. In this regard, applicant firms should concentrate on:
- Policies. Maintain policies commensurate with the nature, scale and range of crypto-asset and other services that the firm intends to provide and of the other activities of the group to which it belongs (if applicable); ensure that conflicts of interest can be identified and subsequently remedied in a timely manner. Annual board-attested assessments are to be completed. Applicant firms should ensure that remuneration policies, procedures and arrangements do not create conflicts of interest.
Crisis Management
Firms must maintain detailed plans appropriate to support an orderly wind-down of their activities and timely redemption of customer funds without causing undue economic harm to their customers, including:
- Wind-down plans appropriate to support an orderly wind-down of activities and timely redemption of customer assets without causing undue economic harm to customers.
- Recovery plans that include appropriate conditions and procedures to ensure the timely implementation of recovery actions where a firm experiences an issue of non-compliance.
Conduct and Transparency
Firms must demonstrate how customers' interests are secured and how the suitability of their product offering is being proactively assessed in accordance with customers' risk tolerance.
- A Business Standards Plan should be maintained outlining standards for the purpose of ensuring that in the conduct of its affairs, a firm (a) acts in the best interests of customers and of the integrity of the market, (b) acts honestly, fairly and professionally and (c) acts with due skill, care and diligence.
- Provide sufficient product information to customers in a comprehensive, clear, accurate, not misleading and understandable manner for the intended audiences of customers and other relevant stakeholders and investors.
- Consumer Protection Code. Note that the Consumer Protection Code applies to regulated firms providing regulated activities to individuals and small businesses within the State. A regulated firm means a financial services provider authorised, registered or licensed by the Central Bank or other EU or EEA Member State that is providing regulated activities. Once in effect, firms that fall under MiCAR will subsequently be subject to the requirements of the Consumer Protection Code where appropriate.
- White paper. Ensure that business models are aligned with the relevant crypto-asset white paper(s), without contradictions between what is set out in the programme of operations and the information included for public disclosure to potential token holders.
- Complaints handling. Provide clients with easy access to a clear, understandable and up-to-date description of their complaints-handling procedure.
- Market abuse. Maintain effective arrangements, systems and procedures to prevent and detect market abuse.
Anti-Money Laundering (AML)/Countering the Financing of Terrorism (CFT)
Applicant firms must demonstrate that strong risk management practices and internal controls are in place to identify, assess and manage risks, including money laundering, terrorist financing and financial sanctions risks. Applicant firms must ensure compliance with the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) and all relevant financial sanctions legislation. Actions include:
- AML/CFT risk assessment. Carrying out an AML/CFT risk assessment of their business.
- Customer due diligence. Undertaking customer due diligence.
- Ongoing monitoring. Carrying out ongoing monitoring of customers and customer transactions.
- Suspicious Transaction Reporting. Filing Suspicious Transaction Reports with the Financial Intelligence Unit Ireland and the Revenue Commissioners in instances where money laundering or terrorist financing is known or suspected.
- AML/CFT policies, procedures and controls. Maintaining and implementing AML/CFT policies, procedures and controls.
- Appropriate records. Retaining appropriate records.
- AML/CFT training must be provided to all staff on an ongoing basis.
- Financial sanctions. Implementing and maintaining appropriate and effective financial sanctions controls. Freezing assets of sanctioned individuals/entities, where appropriate.
RESOURCES
For access to our suite of articles and briefings on MiCAR and authorisation as a CASP in Ireland, please visit our dedicated MiCAR hub here.