RTS on notification of crypto-asset service provision

To avoid outages of operations as they can have major financial, regulatory and reputational consequences for the notifying entity and more generally, crypto-assetmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. A notification should therefore contain detailed information on the notifying entity’s arrangements to ensure continuity and regularity in the provision of crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients;, including a detailed description of its risks and business continuity plans.

Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council(²)Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI: http://data.europa.eu/eli/dir/2015/849/oj). are needed to ensure that notifying entities appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients;. Notifying entities should therefore provide in their notification detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.

Due to the decentralised and digital nature of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, cybersecurity risks for crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; are significant and take many forms. To ensure that the notifiying entity is able to prevent data breaches and financial losses that could be caused by cyberattacks, the information on the notifying entity’s deployed ICT systems and related security arrangements such as identity and geographical location of the providers, description of the outsourced activities or ICT services with their main characteristics, copy of contractual agreements, as referred to in Article 60(7), point (c), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.

The segregation of clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services;’ crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; and fundsmeans funds as defined in Article 4, point (25), of Directive (EU) 2015/2366; protects clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services; from losses of the crypto-asset service providermeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; and from misuse of their crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; and fundsmeans funds as defined in Article 4, point (25), of Directive (EU) 2015/2366;. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; to make adequate arrangements to safeguard the ownership rights of clientsmeans any natural or legal person to whom a crypto-asset service provider provides crypto-asset services;. That requirement also applies to crypto-asset service providersmeans a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with Article 59; that do not provide custody and administration services.

To enable competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; to assess the adequacy of the notifying entity’s operating rules for their trading platforms for crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, the notifying entity should detail specific elements in the description of those rules. In particular, the notifying entity should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;. As regards the admission to trading of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, notifying entities should provide detailed information on the way in which the admitted crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; comply with the notifying entity’s rules, on the types of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; that the notifying entity will not admit to trading on its trading platform and the reasons for such exclusions, and on the fees for the admission to trading. As regards the trading of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, the notifying entity should specify the elements of the operating rules governing the execution and cancelation of orders, orderly trading, transparency and record-keeping. Finally, the notifying entity should include in the description of the operating rules the elements governing the settlement of transactions in crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; on the trading platform, including whether the settlement is initiated by using distributed ledger technologyor ‘DLT’ means a technology that enables the operation and use of distributed ledgers; (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction and any measure to limit settlement failures.

To allow for competent authoritiesmeans one or more authorities:designated by each Member State in accordance with Article 93 concerning offerors, persons seeking admission to trading of crypto-assets other than asset-referenced tokens and e-money tokens, issuers of asset-referenced tokens, or crypto-asset service providers;designated by each Member State for the application of Directive 2009/110/EC concerning issuers of e-money tokens; to assess the adequacy of the notifying entity in providing certain crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients; such as exchange of crypto-assets for fundsmeans the conclusion of purchase or sale contracts concerning crypto-assets with clients for funds by using proprietary capital; or other crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology;, execution, the provision of advice on crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; or portfolio management of crypto-assetsmeans a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology; and transfer services, the notifying entity should specify the details of how these crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients; will be provided as well as the arrangements put in place to ensure that the notifying entity complies with the relevant provisions of Regulation (EU) 2023/1114 with regards to the provision of those crypto-asset servicesmeans any of the following services and activities relating to any crypto-asset:providing custody and administration of crypto-assets on behalf of clients;operation of a trading platform for crypto-assets;exchange of crypto-assets for funds;exchange of crypto-assets for other crypto-assets;execution of orders for crypto-assets on behalf of clients;placing of crypto-assets;reception and transmission of orders for crypto-assets on behalf of clients;providing advice on crypto-assets;providing portfolio management on crypto-assets;providing transfer services for crypto-assets on behalf of clients;.

Any processing of personal datameans personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; under this Regulation shall comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council(³)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj)..

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority (ESMA) and developed in close cooperation with the European Banking Authority.

ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁴)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj)..

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁵)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI http://data.europa.eu/eli/reg/2018/1725/oj). and delivered formal comments on 21 June 2024,