Author: Bai Zhen; Source: Mankiw Blockchain Legal Services
The EU's Markets in Crypto-Assets Act (MiCA) is a major development in the regulatory framework for digital assets. Designed to provide a clear and consistent regulatory environment for EU member states, MiCA covers key areas of the virtual asset ecosystem, including the operations and responsibilities of virtual asset custodians. This article explores specific matters that custodians need to consider when complying with the latest regulatory environment.
Introduction to MiCA
MiCA aims to coordinate crypto asset regulation in the EU and provide legal certainty for issuers and service providers. It includes a framework for regulating cryptocurrencies, stablecoins and other digital assets, and establishes the rights and obligations of virtual asset custodians. These custodians are responsible for protecting and managing digital assets on behalf of their clients and will be subject to strict regulatory requirements to ensure security, transparency and legal compliance.
The European Commission proposed the MiCA regulation in 2020, and the bill came into effect on June 30, 2023. However, not all MiCA rules apply immediately - the rules on stablecoin issuers came into effect on June 30, 2024, and other provisions will come into effect on December 30, 2024.
As MiCA is about to come into effect, the bill provides a "transition period": a crypto asset service provider that is already providing services (before December 30, 2024) can continue to provide them until July 1, 2026, after which it must hold a license. However, the exact length of the transition period is determined by the relevant EU member states.
MiCA Key Definitions
Before exploring the compliance requirements for custodians, let’s quickly review some key definitions of MiCA:
1 Crypto-assets
Means digital representations of value or rights that are capable of being transferred and stored electronically using distributed ledger technology or similar technology.
2 Asset-backed Tokens
Refers to a crypto asset that is not an electronic currency token and that claims to maintain a stable value by reference to another value or right or a combination thereof (including one or more official currencies).
3 Cryptoasset service provider
Means a legal person or other undertaking that provides one or more cryptoasset services to clients in a professional manner and is authorized to provide cryptoasset services in accordance with Article 59.
4 Cryptoasset Services
Refers to the following services or activities related to any crypto-assets:
Hold in custody and manage crypto-assets on behalf of clients;
Operate a crypto-asset trading platform;
Convert crypto-assets into funds;
Convert crypto-assets into other crypto-assets;
Execute crypto-asset orders on behalf of clients;
Issue crypto-assets;
Receive and transfer crypto-asset orders on behalf of clients;
Provide crypto-asset advice;
Provide crypto-asset portfolio management;
Provide crypto-asset transfer services on behalf of clients.
5 Safekeeping and management of crypto assets on behalf of clients
Means safekeeping or controlling, on behalf of clients, crypto assets or the means of access to such crypto assets (where applicable, in the form of private keys).
6 Operating a crypto-asset trading platform
Means managing one or more multilateral systems that bring together or facilitate the bringing together of multiple third parties' interests in the purchase and sale of crypto-assets and conduct the exchange of funds or crypto-assets in accordance with its rules in the system, resulting in contracts.
7 Asset reserve
Refers to the basket of reserve assets that guarantee claims against the issuer.
Compliance requirements for custodians
As mentioned above, a virtual asset custodian is defined as any entity that safeguards private keys and manages customer digital assets on behalf of customers. This includes centralized and decentralized custodians, regardless of their storage method (e.g., hot wallets, cold wallets, or multi-signature solutions).
MiCA introduces significant changes for European crypto-asset custodians. Under MiCA, custodians face stricter obligations to provide greater transparency and security to clients. This includes requirements such as maintaining separate accounts for client assets, robust internal custody procedures, and more detailed client agreements to clarify responsibilities and safeguards. In addition, custodians are now explicitly liable for any loss of crypto assets or loss of access keys, which increases accountability for breaches or security failures. Prior to MiCA, custodians operated in a fragmented regulatory environment, typically operating under the civil or contractual laws of each EU Member State. This shift to a more structured and coordinated regulatory approach has significantly changed the way custodians operate, providing greater legal certainty while also requiring greater compliance.
Custodians will be required to meet several key regulatory obligations covering the following matters:
1 Governance
As part of the application for Crypto-Asset Service Provider (CASP) authorisation, the applicant must include a description of its governance arrangements. In particular, the applicant CASP will need to consider the following:
Are the members of its management body of good reputation? Do they have the appropriate knowledge, skills and experience (individually and collectively) to carry out their duties?
Have members of its management body ever been convicted of money laundering/terrorist financing or other offences that could be detrimental to its good reputation?
Are its shareholders and members (whether directly or indirectly) of good reputation and have they ever been convicted of money laundering/terrorist financing or other offences?
If its shareholders or members have qualifying shareholdings in the CASP, is their influence likely to adversely affect the sound and prudent management of the CASP? If yes, the competent authority must take appropriate measures to address such risks, such as:
a. Applying for judicial orders or imposing judicial sanctions on directors and relevant officers
b. Suspending the exercise of voting rights in relation to the shares held by the relevant shareholders/members
Does it have sufficiently effective policies and procedures in place to ensure compliance with MiCA’s regulatory requirements? Is it able to assess and regularly review the effectiveness of such policies and procedures?
Does it employ personnel with the necessary knowledge, skills and expertise to carry out the responsibilities assigned to them, taking into account the scale, nature and scope of the crypto-asset services provided?
Does it have resilient and secure ICT systems? Does it have an appropriate business continuity policy, including ICT business continuity, that covers disruptions to ICT systems?
As mentioned above, a business continuity policy is essential to protect custodians from potential liability under the new MiCA regime. The reason is that a crypto-asset custodian may be liable to its clients in the event of loss of crypto-assets or loss of the means of accessing crypto-assets. In such cases, it would need to be proven that such losses are attributable to the custodian. Therefore, a suitable and effective business continuity plan that adequately addresses security measures and is regularly maintained is essential.
2 Capital
Under MiCA, a crypto-asset service provider will at all times be required to have in place prudential safeguards equal to the higher of:
the permanent minimum capital requirement indicated in Annex IV (EUR 125,000);
a quarter of the fixed expenditure of the previous year, reviewed annually.
*Photo source: Annex IV of REGULATION (EU) 2023/1114 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 31 May 2023
3 Conflict of Interest Disclosure
A conflict of interest may arise between a CASP and:
its shareholders/members;
any person directly or indirectly associated with it or its shareholders/members;
the members of its governing body;
its employees; or
its clients.
A conflict of interest may also arise if two or more of a CASP's clients have conflicting common interests.
Where a conflict of interest exists, MiCA provides that CASPs need to disclose to their clients and potential clients the general nature and source of the conflict of interest and the measures taken to mitigate the conflict of interest. Such disclosure needs to be prominently displayed on the CASP’s website. In addition, such disclosure in electronic format needs to include sufficient detail, taking into account the nature of each client, so that each client can make an informed decision regarding the type of crypto-asset services that give rise to the conflict of interest.
4 Agreement between the Custodian/Manager and Its Clients
CASPs that wish to provide crypto asset custody and management services on behalf of their clients are required to set out at least the following matters in a written agreement (the Agreement):
The parties to the Agreement;
The nature of the crypto asset services to be provided and a description of such services;
The custody policy;
The methods of communication between the crypto-asset service provider and its clients, including the clients’ authentication systems;
A description of the security systems used by the crypto-asset service provider;
The fees, costs and charges charged by the crypto-asset service provider; and
Applicable law.
5 Safety Policy
The "Safety Policy" (the custody policy listed among the Agreement's contents above) refers to a policy designed to minimize the following risks:
loss of clients' crypto assets;
loss of rights associated with those crypto assets; or
loss of access to crypto assets due to fraud, cyber threats or negligence.
The custody policy does not necessarily need to be included in the initial agreement with the client, but it needs to be provided to the client in an electronic format upon request.
Mankiw Lawyer Summary
The introduction of the MiCA regulation undoubtedly emphasizes the importance of security, transparency and compliance, and its purpose is to build a more secure and reliable digital asset management framework. For custodians, the new regulatory environment has brought certain challenges, but it also breeds new development opportunities. Adapting to the dynamic requirements of MiCA is crucial to maintaining competitiveness. Mankiw Lawyer believes that although the MiCA Act has not yet been fully implemented and its ultimate effect remains to be seen, we have reason to believe that with the accumulation of regulatory experience and market feedback, MiCA will continue to improve to better adapt to the particularity of crypto assets. In the future, more regulations may be needed to fill potential regulatory gaps.
As a professional deeply engaged in Web3 business compliance, Mankiw's lawyer advises that, to better cope with the changes brought about by MiCA, custodians can take the following three actions immediately:
Review and update internal processes. Ensure that existing operating procedures meet the requirements of MiCA, especially with regard to asset isolation, safe custody and customer agreements.
Strengthen risk management. Identify and evaluate potential risk points, and develop corresponding risk mitigation measures to prevent the loss of crypto assets or the leakage of access keys.
Improve compliance capabilities. Invest in compliance training and technology to ensure that the team can understand and comply with MiCA regulations, while maintaining a constant focus on regulatory developments to adjust strategies in a timely manner.