MiCAR: EBA issues supervisory priorities for issuers of ARTs and EMTs

On 5 July 2024, the European Banking Authority (EBA) published a document setting out its supervisory priorities for issuers of asset-referenced tokens (ARTs) and electronic money tokens (EMTs) that are subject to the regulatory framework for ARTs and EMTs under Titles III and IV of the Regulation on Markets in Crypto-Assets Regulation (MiCAR). Titles III and IV of MiCAR, which have applied since 30 June 2024, contain a wide range of regulatory requirements, including authorisation, conduct and prudential requirements for issuers of ARTs and EMTs.

The EBA identified its supervisory priorities, which are relevant for 2024 and 2025, by leveraging national competent authorities’ expertise and experience and reflecting on the risks stemming from the crypto-assets market. In cooperation with national competent authorities (i.e. EU national regulators), the EBA intends to implement and monitor these priorities using a proportionate and risk-based approach using available supervisory tools. The priorities will be reviewed on an annual basis, taking into account market developments, supervisory experience and regulatory changes.

In this article, we outline the EBA's supervisory priorities and their implications for issuers of ARTs and EMTs in the EU.

 EBA's supervisory priorities for 2024/2025

The EBA’s supervisory priories for 2024/2025 address four priority areas:

• internal governance and risk management
• financial resilience
• technology risk management
• financial crime risk management

Internal governance and risk management

The EBA considers a robust and effective internal governance and risk management framework to be key to support issuers of ARTs and EMTs in identifying, assessing, managing and mitigating risks. The EBA also emphasises the importance of having a clear governance framework, especially for global entities with complex structures, together with robust custody policies, procedures and contractual arrangements for ensuring holder protection.

Given the importance of the internal governance and risk management framework, the EBA expects competent authorities to:

• verify that issuers have clear governance frameworks with clear lines of responsibilities
• assess the suitability of management, focusing on skills, knowledge and previous experience relevant to the crypto-asset sector
• verify that conflicts of interest are properly identified, prevented, monitored, managed and disclosed
• assess that issuers have in place effective and transparent complaints-handling procedures
• assess the risk management frameworks and ensure they are appropriate and commensurate to the issuers' size, business models and complexity
• assess third party dependencies and outsourcing risk, with a particular focus on custody arrangements

Issuers of ARTs and EMTs should, therefore, ensure that they have comprehensive internal governance and risk management frameworks in place, together with senior management that meet suitability requirements. Issuers should also be aware of the potential conflicts of interest that may arise from having links or interactions with crypto-asset service providers and other financial entities, and adopt adequate measures to prevent, mitigate, manage and disclose them. Issuers should also have in place effective complaints-handling procedures for dealing with holders' concerns and grievances in a timely and fair manner. Finally, it is important for issuers to assess the risks of outsourcing or relying on third parties for the custody of their crypto-assets and ensure that they have adequate contractual arrangements and contingency plans in place.

Financial resilience

The EBA notes the importance of the introduction of own funds requirements (for issuers of ARTs and significant EMTs other than credit institutions or where required by the competent authority) and requirements for reserves of assets for ensuring the financial resilience of issuers and addressing liquidity risks.

In this context, the EBA expects competent authorities to:

• assess compliance with own funds and reserve of assets composition and management requirements rigorously (where applicable)
• assess the quality of reserve assets in order to verify compliance with the requirements in MiCAR

As a result, issuers of ARTs and EMTs should ensure that they have adequate own funds and reserve of assets to meet their obligations under MiCAR (and other relevant legislation, where applicable) and to withstand adverse market conditions.

Technology risk management

In light of the rapid developments in distributed ledger technology (DLT) and the challenges posed by the technology, the EBA considers it important that associated information, communication and technology (ICT) risks are controlled and do not lead to outcomes to the detriment of holders.

The EBA expects competent authorities to:

• assess general ICT risks and risks resulting from the use of DLTs, including the risks inherent to the storage and transfer of crypto-assets over a DLT and the use of smart contracts
• assess the operational resilience of issuers and their vulnerability to cyber threats
• assess the criteria for the choice of DLTs that are used by ART and EMT issuers and the related contingency and backup plans in case of disruptions to those DLTs

Issuers should, therefore, be aware of the risks and challenges that the use of DLTs and smart contracts entail, such as interoperability, scalability, security and privacy, and adopt adequate measures to mitigate them. This includes having a robust and effective ICT risk management framework, including business contingency plans, that comply with all applicable legal requirements and are fit for purpose.   

Financial crime risk management

Given the specific features of crypto-assets, which allow crypto-asset transactions to occur across multiple jurisdictions, at a large scale and high speed and, in some cases, with pseudo-anonymity attached, the EBA considers financial crime, including money laundering and terrorist financing (ML/TF) risk and financial sanctions evasion, to be a major concern for crypto markets. 

As such, the EBA expects competent authorities to:

• ensure that individuals who own, control or manage an ART/EMT issuer do not expose the issuer to unacceptable risks related to financial crime
• assess the adequacy of proposed financial crime controls, including anti-money laundering and counter-terrorist financing (AML/CFT) controls where the issuer is an obliged entity for AML/CFT purposes
• liaise with their AML/CFT counterparts for expert input where appropriate

Issuers of ARTs and EMTs should ensure that they have adequate and effective financial crime risk management frameworks in place, including for ML/TF and financial sanctions, and that they are able to demonstrate their compliance with applicable requirements in MiCAR, AML/CFT legislation and EU restrictive measures. Issuers should also cooperate with the relevant competent authorities and report any suspicious transactions or activities.  

Next steps

The EBA's supervisory priorities for issuers of ARTs and EMTs reflect the EBA's mandate to promote cooperation and coordination among competent authorities and to foster supervisory convergence in the crypto-asset sector. The EBA aims to ensure effective supervision of issuers of ARTs and EMTs under MiCAR and to promote best practices that are being adopted by competent authorities.

Issuers of ARTs and EMTs should make sure that they are familiar with the EBA's supervisory priorities and the implications for their activities and compliance obligations. In light of the challenges and opportunities that the new regulatory framework poses for the crypto-asset sector, issuers should engage with the relevant competent authorities and stakeholders to ensure a smooth transition to the new regime.

For further information in relation to this topic, please contact Patrick Brandt, Partner, Ciara Brady, Senior Associate, Louise Hogan, Senior Associate, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.

Date published: 1 August 2024