MiCA creates a new framework for crypto custody

This article is the second instalment of a series on the custody of crypto assets. Read the first article here, and third article here.

The introduction of distributed ledger technology (DLT) has raised the possibility of transforming financial and commodities markets by repositioning trading and post-trade operations within a single system. In the EU, the DLT Pilot opens a path to test this combination with certain security tokens, subject to limitations on the assets involved and the lifespan of the sandbox. 

It is perhaps surprising, therefore, that the EU’s new framework for the regulation of DLT-based transactions — the Markets in Crypto-Assets Regulation (MiCA) — approaches crypto asset services, including custody, from the standpoint of a traditional market structure.

Instead of taking the opportunity to renew the legislative approach to intermediary services and financial market infrastructures (FMIs), based on the specific features of DLT-based systems, MiCA draws heavily on existing rules to recreate the market design for financial instruments. For custodians of crypto assets, this means greater legal certainty based upon a well-understood set of requirements; but, potentially, at the cost of calibration with their services for nascent asset classes.

In this second instalment of the series on crypto custody, we consider the requirements for custodians of crypto assets other than stablecoins under MiCA — a category which includes tokens such as bitcoin and ether. The third article will look more closely at the specific custody requirements for the asset reserves of “Asset-Referenced Tokens” and “Electronic Money Tokens” — the forms of stablecoins recognised by MiCA.

MiCA and legal certainty

Although a “world first” in the regulation of crypto assets, MiCA does not represent a step change in the evolution of services like custody. Instead, it applies the regulatory principle of “same activity, same risk, same rules” — transposing rules recognisable from securities and funds markets. As a result, there are many similarities between the requirements applying to a custodian holding securities for clients and one holding crypto assets. 

At the same time, the risk profile of a custodian under MiCA is arguably closer to that of a fund depository under Undertakings for the Collective Investment in Transferable Securities Directive (UCITS) and Alternative Investment Fund Managers Directive (AIFMD) legislation than a custodian for institutional investors. To an extent, this can be explained by the fact that the EU has few rules focused on custody activity: in MiFID II, it is characterised as an “ancillary service”, while in UCITS and AIFMD rules, there is a focus on the custodians who act as fund depositories with fiduciary responsibilities.

From time to time, the European Commission has considered the possibility of a bespoke and mandatory regulation directed towards custodians, but it has not been a priority. 

What makes MiCA ground-breaking is that it provides greater legal certainty for participants in the markets for stablecoins and other crypto assets. MiCA clarifies, for example, that the existing Markets in Financial Instruments Directive 2014 (MiFID II) regime is to apply to security tokens, such as digital bonds. It also removes doubt that tokenised bank deposits are matters for other legislation.

MiCA’s greatest merit is that it defines the activities of intermediaries and FMIs that require supervision, laying a clear path to authorisation for crypto asset service providers (CASPs) and issuers of certain stablecoins. For most market participants, MiCA delivers a comprehensive framework, adapted from existing EU laws, which will allow compliant business models to develop throughout the EU.

For custodians, legal certainty is desirable for two main reasons: it allows enforcement risks to be managed through targeted compliance efforts; and it gives confidence to investors that their assets will be redelivered when they need them. Conversely, uncertainty inhibits investment and deters holders of assets from entrusting them to custodians. The EU’s move to create a stable regulatory platform for crypto custody is likely to encourage investor confidence, leading existing custodians — typically, banks and brokers — to expand their service offerings to include crypto assets and compete with specialised service providers.

Crypto custody

Under MiCA, the service of “custody and administration of crypto assets on behalf of clients” is characterised as a “crypto asset service” on a stand-alone basis. This can be contrasted with MiFID II, which treats the equivalent functions as an “ancillary service”. Consequently, monoline custody services for crypto assets are clearly within the scope of MiCA. The authorisation requirements are essentially the same as for other crypto asset services, such as “execution of orders on behalf of clients”, or “providing transfer services for crypto assets on behalf of clients”.

In common with other CASPs, custodians will need to be established and authorised in the EU to provide crypto asset services to EU clients. The registered office of the undertaking will need to be in an EU member state in which it provides services, and its centre of management will need to be in the EU. At least one director must be resident in the EU, as well. This ensures that competent authorities in the EU will be able to exercise effective supervision over the operations of the custody CASP.

The authorisation process involves an application to the competent authority in a member state. Firms that have submitted the same information to be registered under anti-money laundering/combating the financing of terrorism rules or other EU financial services legislation will not need to resubmit it unless it has changed. Firms that have been authorised under MiFID II to provide the service of safeguarding and administration of financial instruments do not need to submit a new authorisation for custody under MiCA, but they do have to provide advance notice to their competent authorities which effectively covers the same ground.

Attention does need to be paid to the range of activities that might align with the list of crypto asset services covered by MiCA. Custodians involved in the transfer of crypto assets between client wallets or between client wallets and third parties could be performing the service of “transfer of crypto assets on behalf of clients”. This is a broadly cast arrangement, which could encompass acting on settlement instructions. Firms acting like brokers or operating trading platforms, offering custody as a value-added service, will also need to ensure that they do not overlook this step.

Once authorised, custody CASPs will be subject to a set of requirements, with respect to crypto assets other than stablecoins within the scope of MiCA, that are familiar to traditional actors: client assets must be legally and operationally segregated from the assets of the firm to insulate clients insofar as possible from the insolvency risk of the custodian; a register of positions must be held to show clients’ entitlements to crypto assets; there must be a written custody policy that sets out the internal rules to be followed to prevent the loss of assets or the keys that control them; a client agreement must provide basic information about the custodian and the services; and client statements must be provided periodically or on request. The custody CASP is also responsible to facilitate the exercise of rights attached to crypto assets.

Liability of custody CASPs

A key area where crypto custody arrangements differ from standard securities custody is in the level of liability assumed by the custodian towards its client. In most member states, this is a matter of contract law, and the extent of the liability of the custodian represents a balance of risk and reward, calibrated to commercial circumstances, such as the bargaining power of the client. This balance is dictated, in relation to the assets of collective investment schemes held in custody, by UCITS and the AIFMD, which effectively reverse the burden of proof in cases of lost assets. 

Custodians acting as depositories for those funds are presumed to be liable to replace them or pay compensation, unless the loss has resulted from an event beyond their reasonable control, which they could not have planned for or avoided. Although not a truly strict form of liability, this approach makes it more likely that investors will be able to claim against their custodians to recover assets lost while held in custody. 

MiCA is closer to this approach than the contractual balance of risks and rewards with respect to crypto assets. It means that, if hackers are able to steal the private keys that secure crypto assets in custody, or disable them through a ransomware attack, it falls to the custody CASP to prove that its security and business continuity arrangements were at an appropriate standard and properly maintained to avoid liability.

Events like forks or bugs in the underlying DLT might be more clearly outside of the custodian’s responsibility, but we expect MiCA’s allocation of responsibility for “a cyber-attack, theft or any malfunctions” to be tested in the course of disputes arising from both third-party attacks and technical faults.

The inclusion of liability provisions for the custody of crypto asset wallets appears to be based on a practical calculation; i.e., that institutional service providers will be in a better position to manage the risks of loss than retail investors. The loss rules push the costs of mitigating such risks to custodians, who are free to pass them on through increased fees. In a competitive marketplace, however, there may be limits to the redistribution of costs/risks.

Firms operating outside of the EU, who wish to continue to work with EU clients for custody, may do so on the basis of the EU client’s unsolicited request for services. Unlike during Brexit, when non-EU firms were able to assess the restrictions on cross-border activity related to MiFID II on a member state-by-member state basis, there is expected to be a Commission regulation to harmonise the approach to reverse solicitation. This has the potential to limit the usefulness of MiCA’s recognition of reverse solicitation, but it remains to be seen how the Commission will approach this.

Authorisation of custody CASPs

Custody CASPs need to be authorised in accordance with MiCA, unless they support only crypto assets subject to a listed exemption. That category includes crypto assets that are offered for free; crypto assets that are created automatically as a reward for maintenance of DLT or the validation of transactions; utility tokens giving access to existing goods or services; and crypto assets that can be used only in exchange for goods and services in a limited network of merchants with contractual arrangements with the offeror (and the total consideration for the offer is less than €1m in a year). 

These exemptions are qualified, and, importantly, will not apply if the offeror makes known its intention to seek admission of the crypto asset to trading, the crypto asset is admitted to a trading platform, or there is another offer of the same crypto asset which is not itself an exempted offer.

Applications are to be made to national competent authorities (NCAs), but approval in one member state provides a legal basis for the provision of services throughout the EU. In common with the passporting provisions of MiFID II, a custody CASP is required to notify its home NCA of the member states in which they intend to provide services through establishment (including through a branch) or on a cross-border basis, and the NCA of the home member state will be responsible to notify the NCAs of the host member states.

Unlike MiFID II, however, there is no provision in MiCA which would allow the NCA of a host member state to challenge a passport request. By default, CASPs may commence cross-border services once they have been informed that their home member state has notified the relevant host member states, as well as the European Securities Markets Authority (ESMA) and the European Banking Authority (EBA). In any event, such services may begin 15 days following the submission of the required information to the NCA of the home member state by the custody CASP.

Operating requirements for custody CASPs

Custody CASPs are required to have agreements with their clients that set out their respective duties and responsibilities. The content of their contracts is expected to go beyond basic commercial terms and spell out the security systems used by the custody CASP, the means by which the custody CASP and client will communicate, and the custody policy of the CASP. 

The custody policy is expected to set out the internal rules and procedures of the custody CASP to ensure the safekeeping or control of the crypto assets or the means by which they are accessed (depending on the custody model being used). The purpose of the custody policy is to minimise the risk of loss due to “fraud, cyber threats or negligence”. Although included in client agreements, a summary of the custody policy is also to be made available to clients electronically.

Custody CASPs need to maintain a register of positions, which shows each client’s claims to the crypto assets held by it. Movements of crypto assets are to be recorded as soon as possible, so that the holdings for each client and transactions impacting their positions are identified. The custody CASP is also required to record in the register of positions any event “likely to create or modify the rights of a client” — such as a fork in the relevant DLT — “immediately”. By default, clients will be entitled to any new crypto assets or rights arising from a fork or other event affecting their rights, but this position can be modified by their contracts with custody CASPs.

As intermediation, by its nature, limits the ability of a token-holder to act in respect of their tokens in custody without action by the custody CASP, the latter are obligated to “facilitate the exercise of the rights attached to the crypto assets” — a duty that corresponds to the corporate actions and proxy voting requirements of the Shareholder Rights Directive II.

Custody CASPs must provide at least quarterly statements of positions to their clients, showing them the contents of the accounts recorded in their names. The statements must show the relevant crypto assets, their balance, their value, and records of transfers made during the period. Clients may require the same information, on demand, and it is to be delivered in an electronic format. Clients may also request information about operations on crypto assets from their custody CASPs, who must respond as soon as possible.

Conclusions

MiCA represents a significant advance in the development of a European market for crypto assets. It defines the regulatory perimeter for crypto asset services that require authorisation. It specifies the requirements for custody CASPs to obtain authorisation and meet basic operating conditions. It also provides a passport for cross-border services that will allow firms to act as custody CASPs for clients throughout the EU. At the same time, it imposes statutory liability on custody CASPs in a way that is unusual for custodians of physical and book-entry securities.

Although the regulatory principle of “same activity, same risk, same rules” is intended to level the playing field for service providers, it is questionable whether it has been consistently applied by MiCA. Despite being highly prescriptive in places, there are areas that are only superficially addressed in the rules. 

Further work to achieve a better balance is clearly required, including technical standards to harmonise the operational and conduct of business expectations for custody CASPs. Where these powers have not been delegated to the European Commission, ESMA and the EBA, there is a gap to be closed in the next version of MiCA — which is already being contemplated.

Etay Katz (left) is a partner, and Simon Helm is counsel at law firm Ashurst.