RTS on CASP authorisation

In accordance with Article 62(2), point (d), of Regulation (EU) 2023/1114 an application for authorisation is to contain a programme of operations. That programme should specify the applicants’ organisational structure, strategy in providing crypto-asset services to their targeted clients and their operational capacity for 3 years following authorisation. When specifying the strategy used to target clients, for transparency reasons the applicants should describe the marketing means that they intend to use, including websites, mobile phone applications, face-to-face meetings, press releases, or any form of physical or electronic means, including social media campaign tools, internet advertisements or banners, retargeting of advertising, agreements with influencers, sponsorships agreements, calls, webinars, any invitation to an event, affiliation campaign, gamification techniques, invitation to fill in a response form or to follow a training course, demo accounts or educational materials.

To enable competent authorities to assess the applicants’ resilience to withstand external financial shocks, including those concerning the value of crypto-assets, applicants should include in their application for authorisation stress scenarios simulating severe but plausible events in its forecast calculations and plans to determine their own funds.

Clients are exposed to potential risks related to the crypto-asset service providers. To enable competent authorities to assess whether applicants meet the prudential requirements set out in Article 67 of Regulation (EU) 2023/1114 to protect clients against such risks, an application for authorisation should contain information specifying the applicant’s prudential safeguards.

To ensure that crypto-asset service providers comply with their obligations laid down in Regulation (EU) 2023/1114, applicants should demonstrate that they have adequate and robust governance arrangements and internal control mechanisms, including arrangements and mechanisms that are essential to the sound and prudent management of crypto-asset service providers.

In the financial services system, time is essential. To avoid outages as they can have major financial, regulatory and reputational consequences for the crypto-asset service providers and crypto-asset markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providers and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. An application for authorisation should thus contain detailed information on the applicant’s arrangements to ensure continuity and regularity in the provision of crypto-asset services, including a detailed description of its risks and business continuity plans.

Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council(³)Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI http://data.europa.eu/eli/dir/2015/849/oj). and Regulation (EU) 2023/1113 of the European Parliament and of the Council(⁴)Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (OJ L 150, 9.6.2023, p. 1, ELI: http://data.europa.eu/eli/reg/2023/1113/oj). are needed to ensure that applicants appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset services. Thus, applicants should provide in their application for authorisation detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.

In accordance with Article 62(2), point (g), of Regulation (EU) 2023/1114, an application for authorisation is to contain proof that the members of the management body are of sufficiently good repute and possess the appropriate knowledge, skills and experience to manage that crypto-asset service provider. In particular, applicants should provide competent authorities with all information about past criminal convictions and with information on pending criminal investigations, civil and administrative cases, penalties, enforcement actions and other adjudicatory proceedings of the members of the management body relating to commercial law, insolvency law, anti-money laundering, counter-terrorist financing, fraud, professional liability. To provide competent authorities with adequate information on the good repute of the members of the management body, applicants should provide the information for those cases directly concerning the member or concerning an organisation of which the member held a position as member of the management body, shareholder or member with qualifying holdings or a key function holder. To ensure that competent authorities receive sufficient information on refusals or withdrawals of, inter alia, registrations, authorisations or memberships related to the applicants’ provision of crypto-asset services, applicants should provide such information about any member of the management body. Furthermore, applicants should provide, for each member of the management body, relevant information to enable competent authorities to assess their professional knowledge, skills and experience in the scope of the position sought and a description of all financial and non-financial interests of the members of the management body that could create potential material conflicts of interest significantly affecting the members’ trustworthiness in the performance of their mandate.

In respect of the requirement of good repute of shareholders and members directly or indirectly holding qualifying holdings in applicant, the application for authorisation should contain all information about their past convictions and pending criminal investigations, civil and administrative cases and other adjudicatory proceedings, and relevant information relating to the certainty and legitimate origin of the funds used to set-up applicants and finance their business so to enable the assessment of any attempt or suspicion of money laundering or terrorist financing.

Due to the decentralised and digital nature of crypto-assets, cybersecurity risks for crypto-asset service providers are significant and take many forms. To ensure that applicants are able to prevent data breaches and financial losses that may be caused by cyberattacks, the information on the applicants’ deployed ICT systems and related security arrangements, as referred to in Article 62(2), point (j), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.

The segregation of clients’ crypto-assets and funds protects clients from losses of the crypto-asset service provider and from misuse of their crypto-assets and funds. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providers to make adequate arrangements to safeguard the ownership rights of clients. That requirement also applies to crypto-asset service providers that do not provide custody and administration services. It is therefore important that the application for authorisation includes information on the segregation of clients’ crypto-assets.

To enable competent authorities to assess the adequacy of applicants’ operating rules of trading platforms for crypto-assets, applicant should detail specific elements in the description of those rules. In particular, applicants should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assets. As regards the admission to trading of crypto-assets, applicants should provide detailed information on rules governing the admission of crypto-assets to trading, the way in which the admitted crypto-assets comply with the applicants’ rules, the types of crypto-assets that applicants will not admit to their trading platform and the reasons for such exclusions, and fees for the admission to trading. As regards the trading of crypto-assets, applicants should specify the elements of the operating rules governing the execution and cancelation of orders orderly trading, transparency and record-keeping. Finally, applicants should include in the description of the operating rules the elements governing the settlement of transactions of crypto-assets concluded on the trading platform, including whether the settlement is initiated in the Distributed Ledger Technology (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction, and any measure to limit settlement failures.

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority and developed in close cooperation with the European Banking Authority.

The European Securities and Markets Authority has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁵)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI http://data.europa.eu/eli/reg/2010/1095/oj)..

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁶)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI http://data.europa.eu/eli/reg/2018/1725/oj). and delivered formal comments on 21 June 2024,