The European Securities and Markets Authority (“ESMA”) has published important guidance for firms seeking authorisation as a crypto-asset service provider (“CASP”) under the Markets in Crypto-Assets Regulation (“MiCAR”). Together, ESMA’s Supervisory Briefing on the Authorisation of CASPs and its Guidelines on knowledge and competence under MiCAR set out the practical expectations that applicant firms must meet. The message is clear: genuine substance in the EU, robust governance, rigorous internal controls, and appropriately qualified staff are non-negotiable.
Perhaps the most important takeaway is that ESMA does not recognise any category of “low-risk” CASP. Every application will receive a meaningful level of scrutiny, regardless of scale. Given that CASPs often deal directly with retail investors and have limited track records of regulatory compliance, ESMA considers them higher risk than entities in more established financial sectors. Factors such as significant size, complex group structures, substantial cross-border activity, or the combination of multiple crypto-asset services will attract even closer examination. Anti-money laundering controls will receive special attention during the authorisation process.
ESMA places considerable weight on demonstrating genuine substance and autonomous decision-making capacity within the EU. A shell presence will not suffice. At least one executive management board member must be located in the jurisdiction of authorisation, the CEO should devote 100 per cent of their time to the CASP, and a significant local team must be in place. Arrangements where more functions are performed outside the EU than within it will be critically assessed.
Applicants must also establish a robust internal control framework encompassing risk management, compliance, and internal audit as distinct functions. ESMA is equally clear that outsourcing must not result in a “letter-box entity” real operations must reside within the EU, and AML compliance cannot be outsourced.
ESMA’s competence guidelines distinguish between staff giving information and those giving advice, with advisory staff held to a higher standard. Information staff must complete at least 80 hours of professional qualification alongside six months of supervised experience or hold at least one year of supervised experience. Advisory staff face more demanding qualification pathways and a minimum of 20 hours of continuing professional development per year. CASPs must maintain clear internal distinctions between advisory and informational roles and keep records of staff competence available for regulatory review.
Firms considering a MiCAR authorisation application should begin assessing their governance structures, staffing arrangements, outsourcing models, and internal control frameworks against these expectations without delay. Early engagement with the relevant national competent authority is strongly advisable, given the comprehensive nature of the assessment process.
