With the rise of cryptocurrencies and blockchain technology, European regulators have recognised the need to establish a comprehensive framework to ensure the sector's integrity, transparency and the protection of its stakeholders. The year 2023 saw the introduction of the Markets in Crypto-Assets Regulation (MiCAR), which was a significant step by the EU to create a consistent regulatory environment for crypto-assets. MiCAR defines crypto-assets as a digital representation of a value or right that can be transferred and stored electronically using distributed-ledger or similar technology. One of the key aspects covered by MiCAR is the custody and administration of crypto-assets.
1.What is crypto custody?
Custody of assets is a long-established concept in the traditional financial and banking sectors. A custodian is a financial institution that holds assets for safekeeping or control, protecting them from theft and loss. Often, a custodian goes beyond the mere protection of assets and provides an additional service of administration: managing client accounts and transactions, handling the settlement of financial transactions, accounting for the status of assets and ensuring compliance with tax regulations.
Custody of crypto-assets is based on the same principles: a custodian keeps records of the assets and proves their existence to counterparties, investors and auditors. However, while traditional finance has historically been based on tangible assets stored in physical locations, markets have grown increasingly sophisticated and as a result custody of financial assets are now not exclusively physical. This is more evident with assets based on cryptography and decentralised ledgers, which require cryptographic keys for protection and access. This is where the Crypto Custodian comes in, providing protection to private keys and ensuring that the assets remain uncompromised and available to the rightful owner. While traditional financial principles largely apply to crypto custody, since crypto-assets technically only exist and are transferred on the blockchain, they may pose operational challenges not commonly encountered in traditional finance, such as, in cases of insolvency, ensuring that insolvency administrators can gain swift access to assets held for customers.
2. Definition and classification of crypto custody under MiCAR
MiCAR introduces, among other things, licensing requirements for crypto-asset service providers. The "custody and administration of crypto-assets on behalf of clients" is clearly defined by the MiCAR framework as a crypto-asset service. This requirement is in contrast with the markets in financial instruments directive (MiFID II), where similar functions are categorised only as an "ancillary service". Therefore, specialised crypto-asset custody services fall squarely within the scope of MiCAR.
When it comes to custody, MiCAR draws heavily on established rules to replicate the market structure for traditional financial instruments. As a result, the requirements for custodians handling securities for clients are similar to those for custodians of crypto-assets.
3. Key requirements
Authorisation and the EU passport
Like other CASPs (crypto-asset service providers), custodians must be established and authorised in the EU to provide crypto-asset services for their EU clients (see Law-Now (link to be added). Custodians are also subject to the general requirements applicable to CASPs. However, the particularities of the services provided are taken into account and reflected by way of additional requirements placed on custodians.
Crypto Custodians are exempt from the requirement of authorisation if they provide their services on behalf of clients who are exempt or – if they provide transfer services for crypto-assets in relation to crypto-assets – whose offers to the public are exempt (see Law-Now (link to be added).
General obligations for all CASPs, including crypto custodians
Crypto Custodians must adhere to a certain standard of conduct. Above all, they should act honestly and transparently, putting their clients' interests first. They must provide clear, non-misleading information, including on the risks of crypto transactions. Pricing and fee details should be clearly visible on their website, along with environmental-impact data, possibly from crypto white papers. Prudential safeguards and governance arrangements must be in place, ensuring that directors and managers are of sufficiently good repute and are able to perform their duties. Policies and procedures must be adopted to ensure compliance with MiCAR A minimum capital requirement, which, in the case of Crypto Custodians, amounts to EUR 125,000. (For a look into general CASP obligations, see LawNow (link to be added).
Specific obligations for custodians of crypto-assets
In addition to the general requirements, MiCAR imposes obligations for specific crypto-asset services. The following are the key requirements that crypto custodians must fulfil:
Crypto Custodians must enter into an agreement with their clients, which details their duties and responsibilities. The agreement must include:
- the identity of the parties to the agreement;
- the nature of the crypto-asset service to be provided and a description of that service;
- the custody policy;
- the means of communication between the custodian and the client;
- a description of the security systems used by the custodian;
- the fees, costs and charges applied by the custodian;
- the applicable law.
Register of positions
Custodians must maintain a register of positions opened in the name of each client to show the client's entitlement to crypto-assets. Movements resulting from client instructions must be recorded as soon as possible in such register.
Custodians must establish a custody policy with internal rules and procedures to ensure the safekeeping or control of such crypto-assets or the means of access to the crypto-assets. This policy must be made available in summarised form to clients in an electronic format upon request.
Segregation of crypto-assets
Client crypto-assets held in custody must be legally segregated from the custodian's own assets, in accordance with applicable law, so that creditors of the crypto-asset service provider have no recourse against client crypto-assets, particularly in the event of insolvency. Furthermore, the crypto-assets held in custody must be operationally segregated from the custodian’s estate. The custodian must ensure that, on the distributed ledger, its clients’ crypto-assets are held separately from its own crypto-assets.
The application of segregation measures is likely to continue to vary between Member States.
Crypto custodians must provide their clients at least quarterly statements detailing the crypto-assets registered in their name.
4. Liability of Crypto Custodians
A key difference between crypto custody and traditional custody lies in the liability of the Crypto Custodian towards its client. In many EU member states, this is traditionally governed by civil or contract law. Under MiCAR, Crypto Custodians are liable to their clients for the loss of crypto-assets or the means of access to crypto-assets (i.e. private keys) as a result of an incident attributable to them. Therefore, if hackers manage to steal the private keys protecting the crypto-assets in custody or disable them through a ransomware attack, Crypto Custodians will in principle be held liable. To avoid liability, Crypto Custodians must demonstrate that their security measures and business-continuity plans were of a reasonable standard and consistently maintained. The liability of the Crypto Custodian is capped at the market value of the crypto-assets that were lost when the loss occurred.
Reactions to MiCAR's definition of obligations and standards for Crypto Custodians have been mixed. Critics express surprise that European legislators are approaching crypto-asset services, including custody and administration, from the perspective of a traditional market structure, with little regard for the novel and unique technology of crypto-assets.
On the other hand, MiCAR will provide greater legal certainty to market participants, which is extremely valuable for Crypto Custodians: it will allow them to better manage enforcement risks and give investors confidence that their assets are protected and will be returned to them.
For more information and legal support, contact your usual CMS professional or the CMS experts who contributed to this article: Klaus Pateter, Aurélia Viémont, Carolina Veas, Jovana Bingulac, Tihana Balagović and Oliver Göndör, or send an email to [email protected].
For other articles in the series “Legal experts on Markets in Crypto-Assets (MiCA) regulation”, click here: Legal experts on Markets in Crypto-Assets (MiCA) regulation (cms.law)
For more information on crypto regulation before the introduction of MiCA, visit CMS Expert Guide to European Crypto Regulation. For tax perspectives, check out CMS Expert Guide on Taxation of Crypto-Assets (Crypto Tax)