ESMA Moves Forward on MiCAR Implementation

The European Securities and Markets Authority (ESMA) has released its Third Consultation Package under the EU Markets in Crypto-Assets Regulation (MiCAR) for public input. The package includes a draft regulatory technical standard (RTS) on market abuse, along with guidelines on suitability, transfer services for crypto-assets, and systems and security access protocols.

At the same time, ESMA has published its Final Report on the First Consultation Package. The Final Report includes the Authority's responses to submissions, along with recommendations to the European Commission to adopt certain technical standards. The focus of the First Consultation Package is on the information to be provided to competent authorities in certain circumstances (eg, when applying for authorisation as a crypto-asset service provider) and organisational arrangements (eg, complain-handling procedures and handling of conflicts of interest).

Two high-level messages can be taken from the progress seen in the implementation of MiCAR:

1. So far, the march towards MiCAR shows no signs of delays, as there were under the Markets in Financial Instruments Directive and Regulation (MiFID II).
2. There will be outstanding challenges as MiCAR comes into effect. MiCAR does not address all existing business models, and questions of interpretation will arise for some time to come.

Third Consultation Package

The Third Consultation Package from ESMA includes a draft RTS and three guidelines. It is open for consultation through 25 June 2024.

• RTS on arrangements, systems and procedures for detecting and reporting suspected market abuse in crypto-assets

The draft RTS prescribes the forms to be used for the reporting of suspicious transaction or order reports (STORs). These are mandatory notifications to be given to competent authorities by persons professionally arranging or executing transactions in crypto-assets when market abuse is suspected or detected. The RTS also regulates the sharing of information between competent authorities for cross-border market abuse.

ESMA's view is that the notification obligations apply to most CASP activities, including operating a trading platform, as well as persons dealing on own account on a professional basis or as part of their business activity. ESMA seeks input on whether custody and administration of crypto-assets should be included within the scope of the notification regime.

• Draft guidelines on certain aspects of the suitability requirements and format of the periodic statement for portfolio management activities under MiCA

When CASPs provide advice on crypto-assets or portfolio management of crypto-assets, they are required to assess the suitability of products for each client. This follows from the duty to act in the best interests of the client. The draft guidelines elaborate on the information to be provided to clients on the purpose and scope of the assessment. They also call for clear information to be provided to users of automated systems (ie, robo-advisers) about the extent to which human intervention is involved and the significance of information provided.

ESMA has expanded on its mandate under MiCAR by adding guidance and basing its positions on the suitability requirements under MiFID II. The guidelines have not been transposed exactly. ESMA explain:

For instance, under MiFID II, the extent of the obligations of an investment firm under the suitability requirements may vary depending on the level of complexity and riskiness of the financial instruments considered as part of the advice or portfolio management services. Under MiCA, such differentiation is less relevant as there is no such thing as a ‘safe’ crypto-asset.

• Draft guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets

The transfer of crypto-assets between addresses is similar to payment services for funds. In order to ensure transparency for crypto-asset holders, CASPs will be required to have policies and procedures to ensure that their clients receive basic information about the CASP, its competent authority, and the characteristics of the transfer services. The information to be provided includes, among other things: the method of instructing and withdrawing instructions for transfers; the conditions under which transfer instructions may be rejected; cut-off times; information on the DLT used to support the transfer; the maximum execution time; and details of fees and charges. In addition, for each DLT network, the CASP must specify the time or number of block confirmations needed for the transfer to become irreversible. This information is expected to be provided at the time that a contract for services is entered into.

Further details must be provided to clients when an instruction for the transfer of crypto-assets is received. Prior to the execution of the instruction, the CASP must provide a "brief and standardised warning" that indicates when a transfer will become irreversible. The charges payable by the client must be disclosed. This should allow the client to cancel or amend the instruction before it is executed. Following execution, the CASP is expected to provide a confirmation with the basic details of the transfer. If the transfer is rejected, returned or suspended, the client is to be provided with the reason, options to remedy the situation, and the amount of any fees and charges incurred (along with reimbursement details, where relevant).

The RTS also requires CASPs to establish cut-off times for transfer instructions, maximum execution times, and the numbers of block confirmations needed for transfers to become irreversible (or sufficiently irreversible, in cases of probabilistic settlement) for each DLT network.

Taking into account the requirements of the restated Transfer of Funds Regulation, CASPs must also have policies and procedures for the execution, rejection, return, or suspension of crypto-asset transfers.

CAPS must also have policies and procedures to describe the conditions under which they will be liable to clients for unauthorised or incorrectly executed transfers of crypto-assets.

• Draft guidelines on the maintenance of systems and security access protocols in conformity with appropriate Union standards

Offerors and persons seeking admission to trading for "crypto-assets other than asset-referenced tokens or e-money tokens" (ie, the general category of regulated crypto-assets which are not one of the two species of stablecoins specified by MiCAR) are expected to follow ESMA guidelines on physical and logical security. Cryptographic key management guidelines are also included in the proposed package.

Final Report on the First Consultation Package from ESMA

ESMA's Final Report on the First Consultation Package sets out the recommended drafts of the following technical standards:

• RTS on content of notification from selected entities to NCAs
• ITS on forms and templates for notification from entities to NCAs
• RTS on the content of the application for authorisation for CASPs
• ITS on forms and templates for CASP authorisation application
• RTS on complaint handling procedure
• RTS on management and prevention, disclosure of conflict of interest
• RTS on intended acquisition information requirement

This package now passes to the European Commission for consideration.