Source: OJ L, 2025/1125, 15.9.2025


Article 5 Information on the internal control framework


    1. The application for authorisation shall contain a comprehensive description of the applicant issuer’s internal control framework, including all of the following:

      1. a comprehensive description of the internal compliance function as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114 having sufficient authority, stature, resources and direct access to the management body;

      2. a comprehensive description of the risk management framework, and of the risk management function where it is established, or where in accordance with proportionality in terms of size, complexity and risk profile, it is entrusted to a third-party provider, of the related third-party arrangements in accordance with Article 4(2);

      3. a comprehensive description of the risk management systems and controls, explaining the applicant issuer’s strategy for identifying, assessing, monitoring, mitigating and reporting all risks the applicant issuer is or might be exposed to, including risks to the holders of an asset-referenced token, market, liquidity, concentration, operational, ICT, reputational, legal, conduct, compliance, ESG, money laundering and terrorism financing and strategic risks;

      4. a comprehensive description of the internal audit function as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114 where that is established, or, where in accordance with proportionality in terms of size, complexity and risk profile of the activities of the issuer applicant, that mechanism has been entrusted to a third party provider, a comprehensive description of the arrangements with the third-party that shall include all of the elements referred to in Article 4(2), points (a) to (g) of this Regulation, as well as the name and contact details of the external auditor appointed;

      5. an explanation of the governance arrangements implemented to ensure the separation and adequate segregation of duties of the business lines and units from the internal control functions as part of the internal control mechanism according to Article 34(10) of Regulation (EU) 2023/1114, and an explanation of the arrangements implemented to ensure the independence of the internal control functions, including through their direct access to the management body in its management and in its supervisory function.

    2. For the purposes of point (c), the description shall also include the applicant issuer’s risk appetite statement and its risk tolerance, including the envisaged procedures and measures to manage the identified risks within the risk appetite.

    1. The application for authorisation shall contain a description of the arrangements and assigned ICT and human resources to ensure that the applicant issuer complies with Regulation (EU) 2022/2554, including all of the following information in relation to the applicant issuer’s ICT systems, protocols and tools:

      1. a detailed technical documentation including a description of the ICT risk management framework in accordance with Article 6(1) of Regulation (EU) 2022/2554, demonstrating the applicant issuer’s ability to address ICT risk rapidly, efficiently and comprehensively and to ensure a high level of digital operational resilience;

      2. details showing that the applicant issuer maintains updated ICT systems, protocols and tools that are appropriate, reliable, equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and technologically resilient in accordance with Article 7 of Regulation (EU) 2022/2254;

      3. a detailed description of the security policy demonstrating that the applicant issuer’s systems and procedures are capable to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers in accordance with Article 9(4) of Regulation (EU) 2022/2554;

      4. a comprehensive description of the ICT process and systems showing the ability to provide the applicant issuer with reliable information and data to support data reporting requirements.

    1. The application for authorisation shall contain a description of the business continuity plan and policy ensuring the applicant issuer’s ability to operate on an ongoing basis and to limit losses in the event of severe business disruption. For that purpose, the business continuity plan shall include:

      1. the mapping of the essential data and functions;

      2. an overview of available back-up and recovery systems;

      3. a description of the availability of key staff in business continuity situations in accordance with Article 34(8) of Regulation (EU) 2023/1114 and Article 11(1) of Regulation (EU) 2022/2554.

    1. Where asset-referenced tokens are issued, stored and transferred using a proprietary DLT or similar technology operated by the applicant issuer or by a third party acting on its behalf, the application for authorisation shall demonstrate the functioning of the DLT or similar technology covering all the following:

      1. the description of the applicant issuer’s legal title towards the DLT or similar technology, whether it is right of property or other contractual relationships providing control of the distributed ledger technology or of the similar technology to the applicant issuer, irrespective of the circumstance that the DLT is operated by a different undertaking;

      2. the name and contact details of the operator or operators of the DLT, if different from the applicant issuer;

      3. the applicant issuer’s or third-party operator’s plan on risk identification, monitoring, assessment, mitigation, and prevention, also having regard to the potential spill-over to other crypto-assets issued, transferred or stored on that DLT and the related crypto-asset service providers, and the plan on the regular technological maintenance and update of the DLT or of similar technology;

      4. a technical and security audit report on the consistency of the DLT functioning with quality standards in use in the market, and on the appropriateness and adequacy of the plans referred to in point (c);

      5. in case the proprietary DLT is permissioned, a detailed description of the transparency mechanisms.

    1. Where cooperation arrangements between the applicant issuer and specific crypto-assets service providers are envisaged, the application for authorisation shall contain a detailed description of the crypto-asset service provider’s current internal control mechanisms and procedures ensuring compliance with the obligations in relation to the prevention of money laundering and terrorist financing under Directive (EU) 2015/849 and, where applicable, Regulation (EU) 2023/1113. Such detailed description shall include a forward-looking assessment of the continuous compliance with such obligation for the three-year time horizon of the applicant issuer’s business plan.
Such description and forward-looking assessment prepared by the specific crypto-asset service provider may be exchanged by the competent authority with the competent authorities for anti-money laundering and counter-terrorist financing, financial intelligence units or other public bodies, in accordance with Article 20(2), second subparagraph, of Regulation (EU) 2023/1114.
