In October 2022 the European Council approved the Markets in Crypto-Assets (MiCA) Regulation, one of the first attempts globally at comprehensive regulation of cryptocurrency markets. The regulation extends to money laundering, consumer protection, the accountability of crypto companies and environmental impact. The European Union (EU) is a pioneer in digital regulation, and the breadth of MiCA means that it will have a significant global impact.
What is the legislation and what is it for?
The Markets in Crypto-Assets Regulation ("MiCA" or "the Regulation") is a new piece of wide-ranging EU legislation designed to regulate crypto-asset-related activities carried on in the EU. MiCA covers several key areas including transparency, disclosure, authorisation and supervision of transactions. The Regulation applies to natural and legal persons and other undertakings that are engaged in the issuance, offer to the public and admission to trading of crypto-assets or that provide services related to crypto-assets in the Union.
MiCA employs its own definition of "crypto-asset", as meaning "a digital representation of a value or a right which may be transferred and stored electronically, using distributed ledger technology or similar technology". The Regulation splits this definition into three sub-categories, as explained below.
MiCA has passed through all the stages of the EU's legislative process, except for approval in the European Parliament. The European Parliament is not expected to resist the Regulation, and is expected to pass it before the end of 2022. If that happens, MiCA will come into effect in 2024.
The main aims of MiCA are industry regulation, consumer protection1, prevention of market abuse and upholding the integrity of crypto markets. Under MiCA, consumers will be "better informed about [the] risks, costs and charges" of dealing with crypto-assets, and the Regulation will also "support market integrity and financial stability by regulating public offers of crypto-assets", as well as introducing measures to tackle market manipulation and prevent money laundering, terrorist financing and other criminal activity.
More broadly, MiCA is designed to help ensure that "the Union's financial services legislation is fit for the digital age, and contributes to a future-ready economy that works for the people".
Interaction with other legislation
Broadly, crypto-assets that are already regulated by existing EU financial services regulation will not be covered by MiCA and will remain regulated under the existing framework, "regardless of the technology used for their issuance or transfer". For example, this means that crypto-assets that are already classed as "financial instruments" under EU legislation will continue to be governed by existing regulation and not MiCA. The European Securities and Markets Authority will be tasked with publishing guidelines on the interaction between MiCA and the existing EU financial services regulation before MiCA comes into effect, in order to ensure "a clear delineation between crypto-assets covered under [the] Regulation and financial instruments".
The Regulation will be administered by competent authorities designated by each Member State, a list of which will be published. A competent authority can be a new, or existing, authority. The European Securities and Markets Authority and the European Banking Authority will be the overseeing regulatory bodies at Union level.
Competent authorities will have the power to take appropriate administrative penalties and other administrative measures in the event of infringement, notwithstanding existing criminal sanctions in Member States. The Regulation specifies that competent authorities must have the power to impose at least certain specified penalties, including, among others, fines of either EUR5m or a proportion of the annual turnover (3% - 12.5%) of the legal person, depending on the nature of the infringement.
The Regulation separates crypto-assets into three sub-categories, and applies different requirements to each. The categories are based on whether the crypto-assets seek to stabilise their value by reference to other assets. The three categories are as follows:
- E-money (electronic money) tokens. These are crypto assets that aim at stabilising their value by referencing only one official currency.
- Asset-referenced tokens. These are crypto-assets that are not electronic money tokens and which purport to maintain a stable value by referencing to any other value or right or a combination thereof, including one or more official currencies. This category captures all crypto-assets which are not e-money tokens and whose value is backed by assets. The Regulation notes that this catch-all makes MiCA "future proof".
- All other crypto-assets. This covers all crypto-assets which are not e-money tokens or asset-referenced tokens. This would include utility tokens (i.e. a type of crypto-asset which is only intended to provide access to a good or a service supplied by the issuer of that token).
The Regulation does not apply to crypto-assets which are "unique and not fungible with other crypto-assets, including digital art and collectibles, whose value is attributable to each crypto-asset's unique characteristics and the utility it gives to the token holder". The Regulation expands further on what "unique and non-fungible" means, but it is likely that NFTs, in particular in the form of digital art and collectibles, will not be caught unless they qualify as financial instruments.
MiCA applies to persons who are engaged in:
- The issuance, offering and/or admission to trading of crypto-assets.
- The provision of crypto-asset services.
A crypto-asset service is any of ten services listed in the Regulation, with examples including the custody and administration of crypto-assets on behalf of third parties; the operation of a trading platform for crypto-assets; and the exchange of crypto-assets for funds.
The Regulation sets out which legal persons or other undertakings are allowed to provide crypto-asset services (and therefore be crypto-asset service providers ("CASPs"). In short, a CASP must either,
- be a specified type of financial institution (e.g. a credit institution or investment firm) which complies with the various specified requirements; or
- be authorised by the relevant competent authority, and: have a registered office in a Member State of the Union where it carries out at least part of its crypto-assets services; have its place of effective management in the Union; and have at least one director resident in the EU.
The penalty for providing crypto-asset services without authorisation is a fine of at least EUR5m or 5% of the total annual turnover of that legal person.
By way of example, we set out below some of the key regulatory provisions that MiCA will introduce when it comes into effect.
Liability for loss of crypto-assets
Under the Regulation, CASPs that are authorised for the custody and administration of crypto-assets on behalf of third parties shall be liable to their clients for the loss of any crypto-assets or of the means of access to the crypto-assets, as a result of an incident that is attributable to the provision of the relevant service or the operation of the service provider2. Notably, such incidents include ICT-related incidents, including cyber-attacks, theft and malfunctions. Incidents that "occurred independently of the provision of the relevant service or operations of the crypto-asset service provider", which might, for example, include problems inherent in the operation of the distributed ledger that the CASP does not control, are not attributable to the CASP.
Any entity—whether an individual or a financial institution—which wishes to offer crypto- assets to the public or admit crypto-assets to a trading platform must draft a white paper in respect of those crypto-assets containing mandatory disclosures and other information. The contents of the whitepaper will vary depending on the type of crypto-asset, but all whitepapers must contain information including information on the issuer, information on the crypto-asset, information on the underlying technology, and the associated risks. Advertising and marketing communications should be consistent with the contents of the white paper.
Agreement and Register of Positions
CASPs that provide a crypto-asset service of custody and administration on behalf of third parties will be required to enter into an agreement with their clients to identify their duties and responsibilities. Such agreements must include certain specified information (set out in Article 67), which includes the identity of the parties, a description of the security systems used by the CASP, and the law applicable to the agreement.
CASPs that provide a crypto-asset service of custody and administration on behalf of third parties will also be required to keep a register of positions, opened in the name of each client, corresponding to each client's rights to the crypto-asset.
Such CASPs must also, at least once every three months or upon request by a client, provide to each client a statement of position of the crypto-assets recorded in the name of that client.
Transparency and Governance
MiCA will require issuers of asset-referenced tokens to maintain robust governance arrangements. This is stated to include (a) a clear organisational structure with well-defined, transparent and consistent lines of responsibility; (b) effective processes to identify, manage, monitor and report the risks to which the issuer is or might be exposed; and (c) adequate internal control mechanisms, including sound administrative and accounting procedures.
The effect of MiCA
One primary aim of MiCA is to increase consumer confidence in crypto-assets by bolstering consumer protection through regulation. The EU's expectation is that increased consumer confidence will lead to development of a market in crypto assets and the development of opportunities in innovative digital services. Further, a unified framework as set out in MiCA will afford CASPs certainty as to how the services they will be providing will be treated in different Member States.
The beneficiaries of MiCA should, then, be wide-ranging: consumers, developers, financial institutions and regulators. Moreover, regulation also means recognition, and large-scale EU regulation lends legitimacy to this area. Some commentators have noted that if crypto is going to fulfil its potential, it needs this kind of regulatory legitimacy to bolster confidence and certainty.
Whilst MiCA is not yet in force, now is a good time to start preparing. Any person or entity looking to enter the CASP space would be well-advised to set up according to the requirements of MiCA, not least because many of the requirements are good practice, but mostly so as to be compliant by the time the Regulation comes into force in.
1. Slightly different rules apply where crypto-assets are to be offered to "qualified investors" (as defined in MiFID II).
2. Such liability will be capped at the market value of the crypto-asset lost at the time the loss occurred.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.