casp.eu

Providing custody and administration of crypto-assets on behalf of clients

14 July 2023

Introduction. In MiCA’s recitals, “providing custody and administration of crypto-assets on behalf of clients” belongs to the first category of services in the list of services that may be provided by CASPs (Recital (21) MiCA). However, in MiCA’s Annexes, with regard to CASP minimum capital requirements, this service belongs to Class 2 (Annex IV MiCA). This crypto-asset service covers any service or activity for the safekeeping or controlling of crypto-assets or of the means of access to such crypto-assets, where applicable in the form of private cryptographic keys (Article 3-1(17) MiCA). This service may be provided by a CASP as part of other crypto-asset transfer services (Recital (93) of MiCA). Some custody and administration services of crypto-assets may overlap with payment services defined in Directive (EU) 2015/2366 (Recital (90) MiCA).

Exception to authorisation. Authorisation as a CASP is not required for “providing custody and administration of crypto-assets on behalf of clients” whose offers to the public concern crypto-assets from the third type (neither EMT nor ART) that (a) are offered for free, or (b) are automatically created as a reward for the maintenance of the distributed ledger or the validation of transactions (e.g., mining in the Blockchain), or (c) are utility tokens providing access to a good or service that exists or is in operation, or (d) are crypto-assets that the holder has the right to use in exchange for goods and services in a limited network of merchants with contractual arrangements with the offeror (Article 4-5 MiCA; Article 4-3(d) MiCA).

The foregoing exemption is exceptional and does not apply where (a) there exists another offer to the public of the same crypto-asset and that offer does not benefit from the exemption; or (b) the crypto-asset offered is admitted to a trading platform (Article 4-5 MiCA).

Rules & obligations. The entities providing these services are subject to specific rules and requirements (Recital (21) MiCA; Recitals (3) and (4) MiCA). CASPs authorised for the custody and administration of crypto-assets on behalf of clients must, among other requirements:

  • ensure that all held crypto-assets are always unencumbered (Recital (83) MiCA);
  • not use the customers' crypto-assets on their own account (Recital (83) MiCA), which would then mean that they are not performing the services “on behalf of clients” and which may generate potential conflicts of interest (Article 72 MiCA);
  • have a contractual relation with their clients, on the basis of an agreement, that specifies their duties and their responsibilities (Article 75 MiCA). This agreement must contain mandatory contractual provisions that inter alia specify (a) the identity of the parties to the agreement (Article 75-1(a) MiCA); (b) the nature of the service provided and a description of that service (Recital (83) MiCA; Article 75-1(b) MiCA); (c) the custody policy (Recital (83) MiCA; Article 75-1(c) MiCA; Article 75-3 MiCA); (d) the means of communication between the CASP and the client (including the client’s authentication system) (Article 75-1(d) MiCA); (e) a description of the security systems used by the CASP (Article 75-1(e) MiCA); (f) the fees, costs and charges applied by the CASP (Article 75-1(f) MiCA); (g) the applicable law to the agreement (Article 75-1(g) MiCA). This agreement may also include other non-mandatory contractual provisions concerning (h) the holding of the crypto-assets or the means of access to such crypto-assets; (i) the cases in which the client might keep control of the crypto-assets in custody; or (j) the type of crypto-assets or means of access to such crypto-assets that may be transferred in full control of the CASP (Recital (83) MiCA);
  • keep a register of positions, opened in the name of each client, corresponding to each client’s rights to the crypto-assets (Article 75-2 MiCA). CASPs must record as soon as possible, in that register, any movements following instructions from clients;
  • describe, establish, and implement a custody policy with internal rules and procedures relating to the safekeeping or the control of crypto-assets, or the means of access to the crypto-assets, such as cryptographic keys. A summary of the custody policy must be made available to clients on their request in an electronic format (Recital (83) MiCA; Article 75-1(c) MiCA; Article 75-3 MiCA);
  • facilitate the exercise of the rights attached to the crypto-assets. Any event likely to create or modify the client’s rights shall be recorded in the client’s position register immediately. In case of changes to the underlying distributed ledger technology (the “DLT”) or any other event likely to create or modify the client’s rights, the client is entitled to any crypto-assets or any rights newly created by such change, to the extent of the client's positions at the time of the event's occurrence (Article 75-4 MiCA). This last warranty seems to be a minimal one: a valid agreement signed with the custodian prior to the event may explicitly provide otherwise (Article 75-4 MiCA);
  • provide clients, at least once every 3 months, with a statement of position of the crypto-assets recorded in the name of those clients. This statement of position must be made in an electronic format. This statement of position must mention (a) the crypto-assets concerned, (b) their balance, (c) their value and (d) the transfer of crypto-assets made during the period concerned (Article 75-5 MiCA);
  • ensure that necessary procedures are in place to return as soon as possible the crypto-assets, or the means of access to those crypto-assets, to their clients (Article 75-6 MiCA);
  • segregate holdings of crypto-assets on behalf of their clients from their own holdings and ensure that the means of access to crypto-assets of their clients are clearly identified as such (Article 75-7 MiCA). In that regard, they must also ensure that, on the DLT, their clients’ crypto-assets are held on separate addresses from those on which their own crypto-assets are held. Crypto-assets must be (operationally) segregated from the CASP’s estate, so that creditors of the CASP have no recourse to crypto-assets held in custody, including in the event of insolvency (Article 75-7 MiCA).

Outsourcing. CASPs authorised to provide custody and administration of crypto-assets on behalf of clients may make use of other service providers of custody and administration of crypto-assets. However, they may only do so if (a) those other service providers were authorised as such by the competent authority and if (b) they inform their clients thereof (Article 75-9 MiCA). Should they not do so, they are not performing the services “on behalf of clients” but on their own account, and will do so in violation of MiCA’s obligations (risking fines from the competent authority and the withdrawal of their authorisation) and assume all the risks inherent to it (including those related to conflicts of interest - Article 72 MiCA). In any case, the outsourcing does not result in the delegation of the responsibility of the CASP, nor does it alter the relationship between the CASP and its clients (Article 73 MiCA). The CASP must retain the expertise and resources necessary for evaluating the quality of the services provided, have direct access to the relevant information of the outsourced services, and ensure that third parties involved in the outsourcing meet the data protection standards of the EU (Article 73-1 MiCA).

Liability. CASPs providing custody and administration of crypto-assets are also liable for any damages resulting from an incident that is attributable to them (Article 75-8 MiCA). In particular, they may be liable to their clients for the loss of any crypto-assets or of the means of access to the crypto-assets as a result of such incident (Recital (83) of MiCA; Article 75-8 §1 of MiCA), including any losses resulting from an incident related to information and communication technology (‘ICT’) such as an incident resulting from a cyber-attack, theft or any malfunctions (Recital (83) of MiCA). However, this liability of the CASP:

  • is capped at the market value of the crypto-asset lost at the time the loss occurred (Article 75-8 §1 MiCA); and
  • does not concern events not attributable to the CASP, including events proven by the CASP to have occurred independently of the provision of the relevant service, or independently of the CASP operations – e.g., a problem inherent in the operation of the distributed ledger that the CASP does not control (Article 75-8 §2 MiCA).

Hardware or software providers of non-custodial wallets do not fall within MiCA’s scope (Recital (83) MiCA).

Custody regarding EMTs. MiCA’s regulated activity of providing custody and administration services might not be distinguishable from the tools provided by issuers of electronic money to their clients to manage an ‘e-money token’. Therefore, electronic money institutions can provide custody services, without prior authorisation under MiCA, only in relation to the e-money tokens issued by them (Recital (91) of MiCA). Those institutions must, however, notify their home EU Member State authority of the crypto-asset service that they intend to provide.

Custody regarding ARTs. Issuers of asset-referenced tokens shall constitute and always maintain a reserve of assets (Article 36-1 MiCA). Issuers of asset-referenced tokens shall establish, maintain, and implement custody policies, procedures, and contractual arrangements ensuring that reserve assets are held in custody (Article 37-1(b) MiCA) by a CASP providing custody and administration of crypto-assets on behalf of clients, where the reserve assets take the form of crypto-assets (Article 37-3(a) MiCA).

In this case, the custodian CASP must be a legal person different from the issuer (Article 37-4 MiCA). Generally, and except in certain conditions, they must also not carry out any activity that might create conflicts of interest between ART issuers, the ART holders and themselves (Article 37-9 MiCA).

The CASPs must hold in custody the crypto-assets included in the reserve assets or hold the means of access to such crypto-assets (including in the form of private cryptographic keys) (Article 37-6(c) MiCA). They must open a register of positions in the name of the issuers of the ARTs for the purposes of managing the reserve assets of each ART, so that the crypto-assets held in custody can be clearly identified as belonging to each reserve of assets (Article 37-6 MiCA).

In the case of a loss of a crypto-asset held in custody, the CASP must compensate, or make restitution, to the ART issuer with a crypto-asset of an identical type or corresponding value without undue delay. However, the CASP will not be liable for compensation or restitution where it can prove that the loss occurred because of a ‘force majeure’ event (an external event outside its control, the consequences of which could not be avoided despite all reasonable efforts) (Recital (55) MiCA; Article 37-10 MiCA).

Issuers of significant ARTs must ensure that these ARTs can be held in custody by different CASPs authorised for providing custody and administration of crypto-assets on behalf of clients on a fair, reasonable and non-discriminatory basis (Article 45-2 MiCA).

Entities that may provide custody and administration of crypto-assets on behalf of clients:

Copyright © 2024 Ruben Mendes ( CASP ).