RTS on CASP authorisation

In accordance with Article 62(2), point (d), of Regulation (EU) 2023/1114 an application for authorisation is to contain a programme of operations. That programme should specify the applicants’ organisational structure, strategy in providing crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients; to their targeted clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services; and their operational capacity for 3 years following authorisation. When specifying the strategy used to target clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services;, for transparency reasons the applicants should describe the marketing means that they intend to use, including websites, mobile phone applications, face-to-face meetings, press releases, or any form of physical or electronic means, including social media campaign tools, internet advertisements or banners, retargeting of advertising, agreements with influencers, sponsorships agreements, calls, webinars, any invitation to an event, affiliation campaign, gamification techniques, invitation to fill in a response form or to follow a training course, demo accounts or educational materials.

To enable competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; to assess the applicants’ resilience to withstand external financial shocks, including those concerning the value of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, applicants should include in their application for authorisation stress scenarios simulating severe but plausible events in its forecast calculations and plans to determine their own fundsmeans funds as defined in Article 4, point (25), of Directive (EU) 2015/2366;.

Clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services; are exposed to potential risks related to the crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59;. To enable competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; to assess whether applicants meet the prudential requirements set out in Article 67 of Regulation (EU) 2023/1114 to protect clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services; against such risks, an application for authorisation should contain information specifying the applicant’s prudential safeguards.

To ensure that crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; comply with their obligations laid down in Regulation (EU) 2023/1114, applicants should demonstrate that they have adequate and robust governance arrangements and internal control mechanisms, including arrangements and mechanisms that are essential to the sound and prudent management of crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59;.

In the financial services system, time is essential. To avoid outages as they can have major financial, regulatory and reputational consequences for the crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; and crypto-assetmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. An application for authorisation should thus contain detailed information on the applicant’s arrangements to ensure continuity and regularity in the provision of crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients;, including a detailed description of its risks and business continuity plans.

Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council(³)Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI http://data.europa.eu/eli/dir/2015/849/oj). and Regulation (EU) 2023/1113 of the European Parliament and of the Council(⁴)Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (OJ L 150, 9.6.2023, p. 1, ELI: http://data.europa.eu/eli/reg/2023/1113/oj). are needed to ensure that applicants appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients;. Thus, applicants should provide in their application for authorisation detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.

In accordance with Article 62(2), point (g), of Regulation (EU) 2023/1114, an application for authorisation is to contain proof that the members of the management bodymeans the body or bodies of an issuer, offeror or person seeking admission to trading, or of a crypto-asset service provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making in the entity and include the persons who effectively direct the business of the entity; are of sufficiently good repute and possess the appropriate knowledge, skills and experience to manage that crypto-asset service providermeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59;. In particular, applicants should provide competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; with all information about past criminal convictions and with information on pending criminal investigations, civil and administrative cases, penalties, enforcement actions and other adjudicatory proceedings of the members of the management bodymeans the body or bodies of an issuer, offeror or person seeking admission to trading, or of a crypto-asset service provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making in the entity and include the persons who effectively direct the business of the entity; relating to commercial law, insolvency law, anti-money laundering, counter-terrorist financing, fraud, professional liability. To provide competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; with adequate information on the good repute of the members of the management bodymeans the body or bodies of an issuer, offeror or person seeking admission to trading, or of a crypto-asset service provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making in the entity and include the persons who effectively direct the business of the entity;, applicants should provide the information for those cases directly concerning the member or concerning an organisation of which the member held a position as member of the management bodymeans the body or bodies of an issuer, offeror or person seeking admission to trading, or of a crypto-asset service provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making in the entity and include the persons who effectively direct the business of the entity;, shareholder or member with qualifying holdingsmeans any direct or indirect holding in an issuer of asset-referenced tokens or in a crypto-asset service provider which represents at least 10 % of the capital or of the voting rights, as set out in Articles 9 and 10 of Directive 2004/109/EC of the European Parliament and of the Council(32) Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC (OJ L 390, 31.12.2004, p. 38)., respectively, taking into account the conditions for the aggregation thereof laid down in Article 12(4) and (5) of that Directive, or which makes it possible to exercise a significant influence over the management of the issuer of asset-referenced tokens or the management of the crypto-asset service provider in which that holding subsists; or a key function holder. To ensure that competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; receive sufficient information on refusals or withdrawals of, inter alia, registrations, authorisations or memberships related to the applicants’ provision of crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients;, applicants should provide such information about any member of the management bodymeans the body or bodies of an issuer, offeror or person seeking admission to trading, or of a crypto-asset service provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making in the entity and include the persons who effectively direct the business of the entity;. Furthermore, applicants should provide, for each member of the management bodymeans the body or bodies of an issuer, offeror or person seeking admission to trading, or of a crypto-asset service provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making in the entity and include the persons who effectively direct the business of the entity;, relevant information to enable competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; to assess their professional knowledge, skills and experience in the scope of the position sought and a description of all financial and non-financial interests of the members of the management bodymeans the body or bodies of an issuer, offeror or person seeking admission to trading, or of a crypto-asset service provider, which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making in the entity and include the persons who effectively direct the business of the entity; that could create potential material conflicts of interest significantly affecting the members’ trustworthiness in the performance of their mandate.

In respect of the requirement of good repute of shareholders and members directly or indirectly holding qualifying holdingsmeans any direct or indirect holding in an issuer of asset-referenced tokens or in a crypto-asset service provider which represents at least 10 % of the capital or of the voting rights, as set out in Articles 9 and 10 of Directive 2004/109/EC of the European Parliament and of the Council(32) Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC (OJ L 390, 31.12.2004, p. 38)., respectively, taking into account the conditions for the aggregation thereof laid down in Article 12(4) and (5) of that Directive, or which makes it possible to exercise a significant influence over the management of the issuer of asset-referenced tokens or the management of the crypto-asset service provider in which that holding subsists; in applicant, the application for authorisation should contain all information about their past convictions and pending criminal investigations, civil and administrative cases and other adjudicatory proceedings, and relevant information relating to the certainty and legitimate origin of the fundsmeans funds as defined in Article 4, point (25), of Directive (EU) 2015/2366; used to set-up applicants and finance their business so to enable the assessment of any attempt or suspicion of money laundering or terrorist financing.

Due to the decentralised and digital nature of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, cybersecurity risks for crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; are significant and take many forms. To ensure that applicants are able to prevent data breaches and financial losses that may be caused by cyberattacks, the information on the applicants’ deployed ICT systems and related security arrangements, as referred to in Article 62(2), point (j), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.

The segregation of clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services;’ crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; and fundsmeans funds as defined in Article 4, point (25), of Directive (EU) 2015/2366; protects clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services; from losses of the crypto-asset service providermeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; and from misuse of their crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; and fundsmeans funds as defined in Article 4, point (25), of Directive (EU) 2015/2366;. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; to make adequate arrangements to safeguard the ownership rights of clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services;. That requirement also applies to crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; that do not provide custody and administration services. It is therefore important that the application for authorisation includes information on the segregation of clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services;’ crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;.

To enable competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; to assess the adequacy of applicants’ operating rules of trading platforms for crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, applicant should detail specific elements in the description of those rules. In particular, applicants should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;. As regards the admission to trading of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, applicants should provide detailed information on rules governing the admission of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; to trading, the way in which the admitted crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; comply with the applicants’ rules, the types of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; that applicants will not admit to their trading platform and the reasons for such exclusions, and fees for the admission to trading. As regards the trading of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, applicants should specify the elements of the operating rules governing the execution and cancelation of orders orderly trading, transparency and record-keeping. Finally, applicants should include in the description of the operating rules the elements governing the settlement of transactions of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; concluded on the trading platform, including whether the settlement is initiated in the Distributed Ledger Technologyor ‘DLT’ means a technology that enables the operation and use of distributed ledgers; (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction, and any measure to limit settlement failures.

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority and developed in close cooperation with the European Banking Authority.

The European Securities and Markets Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁵)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI http://data.europa.eu/eli/reg/2010/1095/oj)..

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁶)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI http://data.europa.eu/eli/reg/2018/1725/oj). and delivered formal comments on 21 June 2024,