NJORD Estonia: What changes will MiCA bring for crypto-asset service providers?

What is the purpose of MiCA?

MiCA is part of the larger digital finance package, which aims to further enable and support the potential of digital finance in terms of innovation and ensure financial stability and consumer protection. Additionally, the package includes a digital finance strategy, distributed ledger technology (DLT) Pilot Regime, and the Digital Operational Resilience Act (DoRA), which was published at the end of 2022, to be applied at the beginning of 2025. DoRA will have an impact on crypto-asset service providers (CASPs) as well. 

The main purpose of MiCA is to provide legal certainty for crypto-assets outside the scope of existing EU financial services legislation and to establish uniform EU-level rules for crypto-asset service providers and issuers of crypto-assets. In addition, to support innovation and promote the development of crypto-assets and the wider use of DLT and investor protection and market integrity. MiCA introduces uniform transparency and disclosure requirements in relation to the issuance of cryptocurrency and the activities, organisation and management of crypto-asset service providers, as well as consumer protection rules and measures to prevent market abuse.

Who is affected by MiCA?

According to the current Estonian legislation, virtual currency service providers are mainly regulated by the Money Laundering and Terrorist Financing Prevention Act (MLTFPA). The MLTFPA essentially distinguishes four virtual currency services, i.e. virtual currency wallet service, virtual currency exchange service, virtual currency transfer service and ICO-related services. 

For the purposes of MiCA, a crypto-asset is a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology. MiCA contains three sub-categories of crypto-assets, i.e. asset-referenced tokens (ART), electronic money tokens (EMT), and other crypto-assets not covered by existing EU law. Compared to the MLTFPA, MiCA’s approach to crypto-assets is much broader and includes not only cryptocurrencies, such as Bitcoin and Ethereum, but also stablecoins and utility tokens.

However, MiCA does not apply to crypto-assets that are regulated by already existing financial services legislation (e.g. security tokens qualifying as financial instruments under MiFID II regulation). In addition, MiCA does not apply to crypto-assets that are unique and not fungible with other crypto-assets (e.g. NFT). Notably, if NFTs are issued in a large series or collection and may be considered fungible, MiCA is applicable.

MiCA distinguishes the following crypto-asset services:

1) The custody and administration of crypto-assets on behalf of third parties – safekeeping or controlling, on behalf of third parties, crypto-assets or the means of access to such crypto-assets, where applicable in the form of private cryptographic keys;

2) The operation of a trading platform for crypto-assets – managing one or more trading platforms for crypto-assets, within which multiple third-party buying and selling interests for crypto-assets can interact in a manner that results in a contract, either by exchanging one crypto-asset for another or a crypto-asset for fiat currency that is legal tender;

3) The exchange of crypto-assets for fiat currency that is legal tender – concluding purchase or sale contracts concerning crypto-assets with third parties against fiat currency that is legal tender by using proprietary capital;

4) The exchange of crypto-assets for other crypto-assets – concluding purchase or sale contracts concerning crypto-assets with third parties against other crypto-assets by using proprietary capital;

5) The execution of orders for crypto-assets on behalf of third parties – concluding agreements to buy or to sell one or more crypto-assets or to subscribe for one or more crypto-assets on behalf of third parties;

6) Placing of crypto-assets – the marketing of newly-issued crypto-assets or of crypto-assets that are already issued but that are not admitted to trading on a trading platform for crypto-assets, to specified purchasers and which does not involve an offer to the public or an offer to existing holders of the issuer’s crypto-assets;

7) The reception and transmission of orders for crypto-assets on behalf of third parties – the reception from a person of an order to buy or to sell one or more crypto-assets or to subscribe for one or more crypto-assets and the transmission of that order to a third party for execution;

8) Providing advice on crypto-assets – offering, giving or agreeing to give personalised or specific recommendations to a third party, either at the third party’s request or on the initiative of the crypto-asset service provider providing the advice, concerning the acquisition or the sale of one or more crypto-assets, or the use of crypto-asset services.

The virtual currency services regulated under MLTFPA are essentially covered by the crypto-asset services under MiCA but additionally, new crypto-asset services can be detected. For instance, placing crypto assets and providing advice on crypto-assets. As any person whose occupation or business is the provision of one or more previously listed crypto-asset services to third parties on a professional basis is considered a CASP, an operating license from the competent authority is required. Therefore, if advice on crypto-assets on a professional basis is provided, a license for such activity is necessary. At the same time, for example, already licensed credit institutions and investment firms can provide services related to crypto-assets without applying for a separate license.

Application for a new license under MiCA  

In Estonia, licenses for virtual currency service providers have been issued by the Financial Intelligence Unit (FIU) since November 2017. Estonia has been a favourable regulatory environment for virtual currency providers but in the light of the amendments in the MLTFPA as of 15 March 2022, conditions and requirements for service providers became significantly stricter. Essentially, from 15 June 2022, which was the deadline for service providers to comply with the amendments, a procedure for amending the license has been carried out by the FIU since then. 

As MiCA will introduce new requirements for CASPs, the CASPs, who wish to continue the provision of services, need to obtain a new license from the relevant authority. In Estonia, the issuance of licenses of the CASPs and the supervision of the service providers are expected to be transferred to the competence of the Financial Supervision Authority (FSA). For the market participants, it likely means stronger supervision than before, as credit institutions, payment and e-money institutions and investment firms are also supervised by the FSA. On the positive side, the application process is hopefully clearer and faster and certain in decision-making. Undoubtedly, the current license amendment process with the FIU and ensuring compliance with the MLTFPA changes have been a good preparation for the service providers in Estonia. Presumably, this in turn creates a ‘smoother transition’ from the compliance perspective and readiness to apply for a license from the FSA.

Although the timetable for MiCA is not finalised but if everything goes as planned, the transition period of 18 months from the entry into force (i.e. May 2023) of MiCA allows preparations for both CASPs and competent authorities. Presumably, the CASPs can start applying for the license from the FSA from the end of 2024. Already operating CASPs may continue to provide their services up to 18 months after the date of application of MiCA – 2026 Q2 (maximum). However, Member States may decide not to allow this or reduce the period. The transition period will end in the spring of 2026, which means that the service providers who have a license issued by the FIU, must have obtained a new license under MiCA. The licenses already issued by the FIU in accordance with Estonian legislation will lose validity upon the implementation of MiCA.

Obtained license under MiCA = pass across the EU   

According to the current legislation, if service providers would like to expand their activities at the EU level, they must be guided by the legislation of several Member States (MS) and apply for several national licenses or registrations. This means complying with different national laws and requirements throughout the EU. With the introduction of MiCA, the previously described situation changes. Similar to the regulation of payment, e-money or credit institutions, having obtained the license under MiCA provides the possibility of passporting crypto-asset services across the EU. This allows CASPs with a license obtained in one MS to operate in another MS without the need to apply for separate licenses in each MS. However, CASPs that intend to provide their services in more than one MS, shall inform the competent authority.

Requirements and obligations for CASPs

MiCA will introduce new requirements for CASPs, which are similar to requirements under the existing EU financial services regimes. MiCA stipulates requirements for all CASPs and additionally service-specific requirements that are entailed to the risks related to the services provided.

Here are some of the requirements that all CASPs will need to comply with under the MiCA regulation:

1)     One of the requirements for becoming licensed as a CASP under MiCA is that the CASP has a registered office in an EU member state where they carry out at least part of their crypto-assets services. Their management must effectively take place in the EU and at least one director shall be an EU resident.

2)     MiCA contains an obligation for all CASPs to act honestly, fairly and professionally in the best interest of clients and information to clients. Members of the management body of CASPs must have the necessary good repute and competence, in terms of qualifications, experience and skills to perform their duties. 

3)     The CASPs must establish a business continuity policy, disaster recovery plans set-up, internal control mechanisms and effective procedures for risk assessment, systems and procedures to safeguard the security, integrity and confidentiality of information. In addition, CASPs must have in place systems, procedures and arrangements to monitor and detect market abuse. There are also requirements for outsourcing and CASPs must maintain and operate an effective policy to prevent, identify, manage and disclose conflicts of interest.

In terms of internal regulations and policies for CASPs, many similarities can be detected compared to the current Estonian regulation and the requirements of the FIU. Estonian service providers are largely required to have such internal regulations and policies in place.

4)     There will be capital requirements for CASPs, which means that the CASPs shall, at all times, have in place prudential safeguards and ensure that they have their own funds in place. This requirement is aimed at ensuring that CASPs have sufficient financial resources to operate their business and meet their obligations to their clients.

CASPs shall maintain a minimum capital that is higher of €50,000, €125,000 or €150,000, depending on the service for which they are licensed, or one-quarter of the fixed overheads of the preceding year. Operators of crypto exchanges will be subject to a €150,000 minimum capital requirement. CASPs exchanging crypto-assets for other such assets or funds and providers of custody services will be subject to a €125,000 requirement. Other CASPs will be subject to a €50,000 minimum requirement.

The requirement of own funds, albeit with some differences is also present in current Estonian legislation.

5)     CASPs will be required to have adequate measures in place to safeguard the assets of their clients, especially in case of insolvency and to prevent the use of a client’s crypto-assets on their own account. For example, CASPs must place any client’s funds with a central bank or a credit institution and take all necessary steps to ensure that the client’s funds are held in an account or accounts separately identifiable from any accounts used to hold funds belonging to the CASP. Additionally, CASPs will need to ensure that they have adequate insurance coverage in place to protect their clients in case of theft or loss of assets.

According to MiCA, there will be a public register of all crypto-asset service providers established by the European Securities and Markets Authority (ESMA). The register will contain for instance, the name, legal form and the legal entity identifier and the branches of the crypto-asset service provider; the list of crypto-asset services authorised to provide; the list of MS in which the crypto-asset service provider has notified its intention to provide crypto-asset services. 

Understandably, MiCA has faced criticism and concerns for its potential negative impact on innovation, competition, and the growth of the crypto-asset sector. As MiCA imposes new obligations, compliance requirements and increased scrutiny on service providers, it may represent a challenge and a potential barrier to entry. However, MiCA provides transparency through a uniform legal framework for the crypto-asset market and establishes a level playing field, as all service providers will be subject to the same requirements. This can be considered favourable and may attract new investors and increase market confidence, leading to growth in the crypto-asset market. Therefore, service providers who can successfully overcome the barrier and effectively implement and comply with MiCA’s requirements could be part of this success.