Payment And Crypto Services: Latest Regulatory Developments

EU supervisory authorities' warning to consumers on crypto assets: why it is relevant for MICA-regulated providers.

On 6 October 2025, the European Supervisory Authorities ("ESAs") – EBA, ESMA and EIOPA –issued a joint warning to consumers: crypto-assets can be risky and legal protection may be limited depending on the asset, service and provider (document available on the EBA website) in question. The warning comes with a consumer factsheet explaining what is and what is not protected by the MiCA Regulation (MiCAR). The ESAs urge consumers to check whether a provider is authorised in the EU and to understand that risk, volatility, liquidity constraints, misleading advertising, scams and attacks continue to generate risks in the market.

What ESAs are conveying to consumers in practice

A review of the materials issued by the ESAs to understand what the "consumer experience" would look like leaves us with a very clear message:

• Not all crypto-assets or services are regulated (and those that are, are regulated in different ways).
• Risk remains high even where regulation is in place, for example, in terms of extreme price fluctuations, low liquidity, misleading marketing communications, fraud/scams, and operational security issues surrounding wallets and passkeys.
• Protections vary: MiCAR offers meaningful disclosures and governance and complaints management, but does not provide for deposit guarantee schemes or investor compensation systems comparable to traditional finance.
• Authorisation status does matter: consumers should consult registries (ESMA/ANC) and avoid unauthorised or third country offerings, where protections may be limited or non-existent.

In our view, this is more than financial consumer education: it is the public standard against which conduct and communications will be assessed.

Recommended practices in daily operations

• Be precise as to the perimeter. All documentation – website, application flows, term sheets, factsheets – should make it clear what is regulated by MiCAR and what is not. Some examples: If regulated services are offered alongside unregulated functionalities, it is advisable to draw a clear line between them; if operations are still conducted under a national transitional regime, this should be pointed out clearly, identifying the Member State framework concerned and avoiding references to MiCAR safeguards that may not yet apply. In this regard, operate as if it were an "early test" in an inspection or a mystery-shopping exercise¹.
• Review advertising as a supervisor would. ESAs target aggressive or confusing promotions, especially through 'influencers', so it is important to bolster fair presentation controls: place risk warnings next to calls for action, avoid language that promises stability or returns, and ensure governance over affiliates/introducers, as well as maintain an auditable trail of approvals. Where 'educational' content is published, in addition, the line between information and inducement to sign up should be monitored.
• Treat complaints as a regulatory asset, not a cost. MiCAR requires the transparent handling of complaints, i.e. ensuring that the channel is easy to find and use, publishing clear Service Level Agreements (SLAs) and monitoring specific aspects (eg. wallet access, transaction reversal or fee transparency). Supervisors are increasingly inspecting complaints to verify actual conduct and redress.
• Operational security: teaching the basics and proving one's own. ESAs recommend that consumers maintain device health, use strong passwords, not use public Wi-Fi to access accounts, and understand that loss of passkeys can be definitive, and to reflect those messages in the user experience (UX) and document key management controls, incident response and consumer education timelines. This is where "behaviour" and "ICT" (Information and Communication Technologies) cross paths, and this is open to assessment.
• Use the same sources that the ESAs have provided to consumers. They suggest bookmarking the ESMA registration portal and the IOSCO I-SCAN site – which contains warnings from supervisors around the world – and incorporating regular checks into financial crime prevention/AB&C and brand protection (eg. to detect spoofing sites attempting to exploit brands).

¹Supervisors use incognito "mystery shoppers" to observe actual sale practices; on 17 June 2025, EIOPA published the results of its first coordinated exercise on IBIPs in eight Member States, checking the compilation of information, explanations on risks and costs, and suitability.

Other significant issues raised by the AEFI

MiCA-PSD2 perimeter in EMT flows

In Spain, the Spanish Fintech Association (AEFI) has raised a perimeter issue with the Bank of Spain with immediate impact on business models. The issue concerns if, when a Crypto-Asset Service Provider (CASP) acts as a client's agent in flows with e-money tokens (EMTs) it can operate under the exclusion of Art. 3(b) of the Second Payment Services Directive (PSD2), thus avoiding dual licensing (MiCA + PSD2) provided that the agency relationship is properly documented and funds are held solely to execute orders. The Bank of Spain has yet to issue an official response, but the debate is in line with ESMA's clarifications and with the European line adopted by EBA.

With regard to this minimum transparency threshold, the AEFI consultation seeks to clarify a practical issue:

• When can a purchase with EMTs by a CASP, acting as a client's agent, fall outside PSD2 (art. 3(b))? and;
• When does it cross the line into a payment service that requires additional licensing or a regulated partnership?

AEFI's thesis rests on two pillars: (i) the very concept in MiCA of "execution on behalf of clients", which describes a genuine agency on behalf of the client and not the use of the CASP's own funds; and (ii) the material limitation of holding funds only as is strictly necessary to execute the client's orders, without the use of payment accounts, stored value or third party transfers.

Without anticipating the BoE's response, the European framework suggests that agency documentation, granular flow mapping (who receives, holds and settles Fiat or EMTs, and where) and the absence of payment risks beyond order settlement will be decisive.

Regardless of its final response, it is advisable to pre-establish flows and communications so that, if pure order execution is taking place, this is evident from the contract through to the UX. This will avoid dual licencing – where not applicable – and reduce supervisory friction.

The macroprudential layer. ESRB Report and recommendation on stablecoins

In October 2025, the European Systemic Risk Board (ESRB) published a macroprudential report and Recommendation – ESRB/2025/9 – warning of the systemic risks from stablecoins, with a particular focus on EU/third country multi-issuance schemes. The ESRB proposes a timetable for action (2025-2027) and potentially closing the door on those structures under MiCAR.

The ESRB, for its part, has observed a leap in scale in stablecoins – particularly in capitalisation, adoption and interconnection with banking and investment products – and warns of new cross-border vulnerabilities, especially in the case of EU or third-country joint issuance schemes. The risk is therefore not theoretical. In stress scenarios, holders may prefer to redeem in the EU if regulation is more favourable (eg. limits on fees), shifting liquidity pressures onto European reserves; and jurisdictional blockages may prevent the movement of reserves from third countries.

Recommendation ESRB/2025/9 proposes that the European Commission issue a legal clarification before the end of 2025 that joint issuance schemes would not be covered by MiCAR. It also proposes that, if no such clarification is issued, a "plan B" be implemented affording safeguards between 2026 and 2027, such as international cooperation, stress testing and stock mobility, consolidated group-level data, and, where appropriate, legislative adjustments.

For issuers and CASPs with exposure to stablecoins, this translates into three immediate actions:

1. Inventory offshore dependencies of reserves and payment rails;
2. Simulate runs with EU redemption preference and repatriation restrictions; and
3. Align disclosures (MiCA white paper/marketing) with actual group structure and third country exposure, avoiding suggesting "MiCA equivalence" where it does not exist.

Conclusion

ESAs have set the public benchmark. Risk is high, protections vary and authorisation status is critical. To maintain credibility among consumers – and to remain aligned with supervisors – it is important to make that standard clear across all channels. Be accurate about what is regulated, unambiguous about what protections apply, disciplined in marketing, rigorous in complaints and custody, and transparent about any transitional regimes or third country exposures. This builds trust, reduces supervisory friction and keeps brands away from undesired incumbents.

In the same vein, AEFI's consultation to the Bank of Spain on the possible exclusion of art. 3(b) PSD2 when the CASP acts as a client's "agent" – supported by ESMA's Q&A, which recognises that concept in the execution of orders under MiCA – provides a practical channel to delimit the perimeter, to avoid MiCA-PSD2 duplications and to align client experience with the standard set by the ESAs.

The underlying message is consistent: verifiable transparency, clear perimeter and resilience. The ESAs' warning and ESMA's Q&A set out how to communicate and how to classify services under MiCA; AEFI's consultation to the Bank of Spain addresses the close fit with PSD2 regarding flows with EMTs; and the ESRB places the discussion surrounding stablecoins at the level of financial stability, with a potential non-permissibility of EU or third country joint issuance schemes and a timetable of measures.

Integrating these three layers into a single playbook would build consumer confidence, reduce supervisory friction and safeguard brands from reputational and macro-prudential risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.