CRYPTO-ASSET SERVICE PROVIDERS: NAVIGATING YOUR EU REGULATED STATUS
CLIFFORD CHANCE
NOVEMBER 2024
The Markets in Crypto-Assets Regulation (MiCA) delivers a new EU-wide regulatory framework for issuing, intermediating and dealing in crypto-assets. Under MiCA, crypto-asset service providers (CASPs) must be authorised, comply with conduct, disclosure, governance and organisational requirements and have prudential safeguards in place. In this briefing we take a closer look at some of the wider EU regulatory requirements that will attach to some CASPs for the first time, and to existing service providers more broadly, as EU-regulated entities.

1 MiCA contains transitional provisions permitting CASPs providing crypto-asset services in accordance with applicable law in individual EU member states prior to 30 December 2024 to continue to do so until 1 July 2026 or until they are granted or refused an authorisation under MiCA (whichever is sooner). The European Securities and Markets Authority (ESMA) has recently provided helpful clarification (in ESMA_QA_2295) that firms operating under the transitional provisions do not need to comply with MiCA’s CASP provisions until their application for authorisation is approved.
All CASPs will be ‘obliged entities’ under the forthcoming Anti-Money Laundering Regulation (AML Regulation), which will repeal and replace the Anti-Money Laundering Directive with effect from 10 July 2027. The AML Regulation forms part of the EU’s new AML/CTF framework and will be supplemented by technical standards and guidance to be developed by the new Anti-Money Laundering Authority (AMLA). Depending on their size, CASPs may also be subject to direct supervision by AMLA.

Existing virtual asset service providers (VASPs) are also likely, in aligning their operations in particular member states, to have been ensuring compliance with data protection and privacy laws, in particular the General Data Protection Regulation (GDPR), when controlling or processing personal data. As noted below, new data-sharing obligations will apply from 2026/2027.

Similarly, VASPs may have considered how their existing services sit alongside the payment services and electronic money perimeter under the revised Payment Services Directive (PSD2) and the second Electronic Money Directive (2EMD); for example, to what extent their services involve the transfer of funds such that this may constitute a payment service or the issuance of electronic money. With MiCA some of these points will need to be reconsidered, and PSD2 is being replaced, as noted further below.

Entities already authorised under existing EU frameworks (for example, crypto-asset firms authorised under PSD2 or 2EMD, or other financial entities authorised under MiFID2, AIFMD or CSDR) will already be fully familiar with EU regulation and supervision, and aware of forthcoming developments in the EU’s legislative pipeline. To the extent that these firms wish to carry on MiCA activities, they will need to notify their intention to conduct CASP activities to the competent authority of their home member state and comply with MiCA’s CASP requirements, rather than seek a separate CASP authorisation. However, in practice, this may require a substantive review of existing arrangements in order to meet the cyber and resilience expectations set for CASPs.

Wider obligations – existing and incoming EU frameworks impacting CASPs

EU legislative frameworks do not operate in isolation, and authorised CASPs will need to be aware of other key existing requirements or forthcoming changes to EU frameworks with which they will need to comply as a result of being authorised under MiCA. While these frameworks will be familiar to existing financial institutions intending to perform crypto-asset services, compliance may require significant system builds and additional work for some newly authorised CASPs and those transitioning into a MiCA authorisation.

DORA – Digital operational resilience and cybersecurity

CASPs will be financial entities for the purposes of the EU’s Digital Operational Resilience Act (DORA), a directly applicable EU Regulation which applies from 17 January 2025. DORA aims to ensure that all EU financial entities have robust digital operational resilience regimes in place to be able to withstand and recover from ICT-related incidents, including cyber-attacks.

While MiCA provides an 18-month transitional period for existing crypto-asset providers to ensure they are fully compliant with MiCA, many jurisdictions have shortened this period to 12 months. Existing crypto-asset providers will not be treated as CASPs during this time (see footnote 1, above) but, in practice, prospective CASPs will need to ensure they can demonstrate compliance with DORA from its application date. This is because the expectation is that EU competent authorities will assess their ability to comply with DORA obligations as part of the application for CASP authorisation.

DORA defines digital operational resilience as:

“The ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.”

To ensure resilience, financial entities must comply with a range of detailed obligations imposed by DORA. Financial entities are required to implement DORA on a proportionate basis, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.

DORA obligations include:
• Governance and organisation requirements;
• ICT risk management requirements;
• ICT-related incident management, classification and reporting;
• Digital operational resilience testing;
• Management of ICT third-party risk; and
• A new oversight framework for critical ICT third-party providers.

A key issue for CASPs will be compliance with Article 30 of DORA (key contractual provisions), which will require identification of ICT third-party service providers and will also potentially require negotiation with such providers to put in place very stringent requirements and termination rights in respect of the services provided by ICT third-party service providers and their subcontractors (including, potentially, the chain of subcontractors). Difficulties in practice start with the identification of ICT third-party service providers and whether technology relied on in order to deliver crypto-asset related services would fall within this definition: for example, to what extent a layer 1 or layer 2 blockchain would qualify as an ICT third-party service provider, or whether certain aspects of it do. This is exacerbated by the fact that some providers may be based outside of the EU and would not normally see themselves as in scope of EU legislation such as DORA.

Depending on their activities, CASPs may also fall within scope of the revised Network and Information Security Directive (NIS2), which has applied since 18 October 2024. NIS2 aims to further harmonise the EU cybersecurity framework. However, DORA is considered a lex specialis for financial entities, meaning that certain of its provisions, which are tailored for the financial sector, override those of the broader cybersecurity framework in NIS2 in the event of conflict between the two frameworks. In September 2023, the European Commission published guidelines clarifying which provisions in DORA will apply to financial entities within scope of both pieces of legislation rather than those provided for in NIS2.

Payment services and electronic money

Interplay between PSD2 and MiCA

Where CASPs themselves offer services that qualify as payment services, they must comply with the requirements of PSD2, which include strong customer authentication, transparency requirements and security measures.

While CASPs will not automatically be deemed to be conducting payment services under PSD2, there is an interplay between PSD2 and MiCA, especially in relation to the issuance of e-money tokens, which is currently linked to the concept of electronic money. ‘Electronic money tokens’ (EMTs) are defined in MiCA by reference to the definition of e-money in 2EMD. The effect of this is that EMTs may qualify as “funds” for the purposes of PSD2, such that a transfer of EMTs may constitute the provision of a payment service. CASPs will therefore need to consider carefully their activities in respect of stablecoins and EMTs in order to identify whether any of their activities inadvertently stray into the provision of payment services that would require PSD2 authorisation.

The European Banking Authority (EBA) issued an Opinion in 2022 which is helpful in the context of CASPs providing payment services. The EBA stressed the need for the potential future revised PSD2 to pay close attention to the treatment of EMTs, the issuers of which are proposed to be required to conform to requirements under 2EMD, and which are proposed to fall in scope of the definition of “funds” for the purposes of PSD2.

Where CASPs provide payment services, Article 70(4) of MiCA provides:

“Crypto-asset service providers may themselves, or through a third party, provide payment services related to the crypto-asset service they offer provided that the crypto-asset service provider itself, or the third party, is authorised to provide those services under Directive (EU) 2015/2366.

Where payment services are provided, crypto-asset service providers shall inform their clients of all of the following:

(a) the nature and terms and conditions of those services, including references to the applicable national law and to the rights of clients;

(b) whether those services are provided by them directly or by a third party.”

Revised EU framework for payment services and electronic money

PSD2 is to be replaced by a new EU legislative package, comprising a new Payment Services Regulation (PSR) and a new Payment Services Directive (PSD3). You can read an overview of these proposals in our previous briefing, Keeping pace with EU payments: The PSD3 and Open Finance proposals. At the time of writing, the new package is still proceeding through the EU legislative process, with trilogue negotiations yet to begin. The PSR/PSD3 package is expected to apply from 2026/2027.

Data protection and access to customer data

GDPR – Processing of personal data

Depending on its activities, a CASP is likely to be processing many types of personal data of customers, for example identification data, contact information, authentication data (such as biometric data, usernames and passwords) and transactional data. The EU General Data Protection Regulation (GDPR) applies to:
• Controllers and processors that process personal data in the context of the activities of an EU establishment, regardless of whether the data processing takes place in the EU or not; and
• Non-EU controllers and processors with no EU establishment that offer goods or services to individuals in the EU or monitor their behaviour that takes place in the EU.

GDPR defines personal data as any information relating to an identified or identifiable person (called a ‘data subject’). An authorised CASP could be either a controller or a processor in relation to personal data (the European Data Protection Board has published Guidelines on these concepts).

GDPR sets out high-level data processing principles and grounds for the lawful processing of personal data related to a data subject, as well as providing for a range of rights for data subjects, including the right of access and the right to data portability. Sanctions for non-compliance with GDPR can be significant.

FIDA – Access to customer data

GDPR’s right to data portability gives consumers a right to share their personal data held by any financial services provider directly with third-party providers. However, that right does not cover non-personal data related to business customers and is only applicable “where technically feasible”.

The forthcoming Regulation on a framework for financial data access (FIDA) promotes ‘open finance’ (an extension of the current open banking framework) and will enable data sharing and third-party access, in line with EU data protection and consumer protection rules. It will impose a legal obligation on ‘data holders’ to share customer data on a customer’s request with certain regulated financial institutions or firms authorised as financial information service providers (FISPs) under a new dedicated authorisation regime. FIDA is expected to be adopted in Q4 2024/Q1 2025 and to apply from 2026/2027.
Under FIDA, ‘customer data’ is the data collected, stored and otherwise processed by a financial institution as part of its normal course of business with customers. It includes both personal data (as defined in the GDPR) and other data that does not fall within the definition of personal data, such as data relating to business entities or financial product (contract) features.

CASPs are included in FIDA’s list of ‘data holders’ and will therefore need to comply with FIDA’s obligations on data holders, which include:
• putting in place the required technical infrastructure to make customer data available to data users;
• providing customers with a data access permission dashboard and strong protection of their personal data in line with EU data protection law; and
• becoming members of one or more financial data sharing schemes governing access to customer data.

[…] as the Revised Wire Transfer Regulation (revised WTR) aims to prevent terrorists and other criminals from accessing payment systems for transferring their funds. The Revised WTR has applied since 26 June 2017. It sets out requirements, known as the ‘Travel Rule’, for payment service providers (PSPs) to send information on the payer and payee with transfers of funds and to ensure that this information is transmitted throughout the payment chain.

There has been much debate in the industry in respect of how the Travel Rule will apply to CASPs. However, CASPs will be obliged to comply with the Travel Rule with respect to crypto-asset transfers. Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (known as the Wire and Cryptoasset Transfer Regulation, or WCTR) extends the Travel Rule to crypto-asset transfers. It entered into force on 29 June 2023 and applies from 30 December 2024.
Internal controls for compliance with sanctions and other restrictive measures

Union restrictive measures (see footnote 2) are binding on any person or entity under the jurisdiction of EU member states, and their violation may constitute a criminal offence. Restrictive measures applicable to financial institutions comprise targeted financial sanctions and measures, as well as sectoral measures (e.g. economic and financial measures). The EBA has been concerned that not all institutions understand or address their exposure to risks associated with restrictive measures, and that weaknesses in internal governance, screening systems and risk management systems expose financial institutions to legal risks, reputational risks and the risk of significant fines for non-compliance.

The EBA has finalised two sets of guidelines (the EBA Guidelines) to ensure uniform implementation of internal policies, procedures and controls for compliance with restrictive measures across the EU:
• The first set (EBA/GL/2024/14), which the EBA has adopted on its own initiative under EU banking, payments and e-money legislation, addresses all financial institutions within the EBA’s supervisory remit and specifies the governance arrangements and internal policies, procedures and controls these financial institutions should have in place to be able to comply with restrictive measures.
• The second set (EBA/GL/2024/15) applies specifically to PSPs and CASPs and supports Article 23 of the WCTR, specifying what PSPs and CASPs should do to be able to comply with restrictive measures when performing transfers of funds or crypto-assets.

Both sets of EBA Guidelines are intended to apply from 30 December 2025.

To comply with the EBA Guidelines, CASPs will need to put in place policies, procedures and controls to ensure compliance with restrictive measures. These must be proportionate to the nature and size of the CASP, the nature, scope and complexity of its activities, and its exposure to restrictive measures. The Guidelines introduce detailed requirements, including:
• CASPs must select a screening system that is adequate and reliable to comply effectively with their restrictive measures obligations; this includes considering whether they have access to the resources necessary to use the chosen system effectively.
• CASPs must define the dataset to be screened against restrictive measures adopted by the EU on the basis of the EU Treaties and, where relevant, national restrictive measures. Data held must be sufficiently accurate, up to date and detailed to enable them to determine if a party to the transfer, their beneficial owner or any person purporting or being authorised to act on their behalf is subject to restrictive measures. A CASP’s internal systems should ensure this dataset is updated immediately after a new restrictive measure enters into force, or an existing restrictive measure is updated or lifted.
• CASPs should screen their entire customer database regularly and determine the frequency of that customer screening (including appropriate trigger events) based on their restrictive measures exposure assessment. The EBA Guidelines provide details of the minimum customer information that they should be screening. Screening should comprise:
  – verifying whether a person, entity or body is designated;
  – managing the risks of violation of restrictive measures; and
  – managing the risks of circumvention of restrictive measures.
• CASPs should also screen all transfers of crypto-assets before making the crypto-assets available to the beneficiary, whether they are carried out as part of a business relationship or as part of a one-off transaction. The EBA Guidelines specify the minimum data that should be screened to assess whether a transaction could be affected by applicable restrictive measures.
• CASPs must have in place internal policies and procedures to freeze transfers of crypto-assets when an internal analysis of an alert confirms that the possible match is the designated person or entity, or a person or entity owned, held or controlled by a designated person.
• Where CASPs propose to outsource screening activity, the EBA Guidelines also specify the key principles that should be applied to the outsourcing arrangements. The ultimate responsibility for complying with restrictive measures lies with the CASP.

2 Restrictive measures are defined in Article 2(1) of Directive (EU) 2024/1226 of the European Parliament and of the Council of 24 April 2024 on the definition of criminal offences and penalties for the violation of Union restrictive measures and amending Directive (EU) 2018/1673.
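The control steps the EBA Guidelines describe above (a screened dataset that is rebuilt when a measure changes, re-screening of the customer base on a trigger event, screening of both parties to a transfer before the assets are released, and a freeze only once an analyst confirms a match) fit together as a small pipeline. The Python below is an added illustration of that pipeline; it is not code from the briefing, the EBA Guidelines or any CASP. It assumes an in-memory list of designations carrying names, aliases and wallet addresses, exact matching on a normalised name (production systems use fuzzy matching with tuned thresholds), and the three decision states HOLD, RELEASE and FREEZE; the list entry, people, company and wallet addresses are all constructed for the example and refer to no real designation.

```python
# Added example (not the briefing's or the EBA's code): a pre-release sanctions
# screening gate for crypto-asset transfers. Every name, list entry and wallet
# address below is constructed for illustration; none is a real designation.
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional


def normalise_name(name: str) -> str:
    """Fold case, strip diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(re.sub(r"[^a-z0-9]+", " ", no_marks.casefold()).split())


@dataclass(frozen=True)
class Designation:
    entry_id: str        # hypothetical list reference
    names: tuple         # primary name plus the aliases published with it
    wallets: tuple = ()  # wallet addresses published with the listing


class ScreeningList:
    """Screened dataset; rebuild (new version) as soon as a measure changes."""
    def __init__(self, version: str, entries: list):
        self.version = version
        self.by_name, self.by_wallet = {}, {}
        for entry in entries:
            for alias in entry.names:
                self.by_name.setdefault(normalise_name(alias), []).append(entry)
            for wallet in entry.wallets:
                self.by_wallet[wallet.lower()] = entry

    def hits(self, name: str, wallet: Optional[str] = None) -> list:
        """Possible matches on any alias of the name or on a listed wallet."""
        found = list(self.by_name.get(normalise_name(name), []))
        entry = self.by_wallet.get(wallet.lower()) if wallet else None
        if entry is not None and entry not in found:
            found.append(entry)
        return found


@dataclass
class Party:
    name: str
    wallet: Optional[str] = None
    beneficial_owners: tuple = ()   # owners and persons acting for the party
    authorised_persons: tuple = ()  # are screened too: they can be designated

    def screened_names(self):
        yield "party", self.name
        for owner in self.beneficial_owners:
            yield "beneficial_owner", owner
        for person in self.authorised_persons:
            yield "authorised_person", person


@dataclass
class Transfer:
    ref: str
    originator: Party
    beneficiary: Party


def screen_transfer(transfer: Transfer, sanctions: ScreeningList) -> dict:
    """Screen both sides before release; any possible match means HOLD."""
    alerts = []
    for side, party in (("originator", transfer.originator),
                        ("beneficiary", transfer.beneficiary)):
        for role, name in party.screened_names():
            wallet = party.wallet if role == "party" else None
            for entry in sanctions.hits(name, wallet):
                alerts.append({"side": side, "role": role,
                               "name": name, "entry": entry.entry_id})
    return {"ref": transfer.ref, "list_version": sanctions.version,
            "decision": "HOLD" if alerts else "RELEASE", "alerts": alerts}


def resolve_alert(screening: dict, confirmed_match: bool) -> str:
    """Analyst disposition of a HOLD: confirmed match -> FREEZE, else RELEASE."""
    if screening["decision"] != "HOLD":
        return screening["decision"]
    return "FREEZE" if confirmed_match else "RELEASE"


def rescreen_customers(customers: list, sanctions: ScreeningList) -> list:
    """Trigger-event re-screen of the whole customer base after a list update."""
    return [c.name for c in customers
            if any(sanctions.hits(n, c.wallet if role == "party" else None)
                   for role, n in c.screened_names())]


# Constructed sample data: one hypothetical designation, two hypothetical parties.
SANCTIONS_V1 = ScreeningList("2025-01-01", [
    Designation("EX-0001", ("Example Trading FZE", "EXAMPLE TRADING F.Z.E."),
                wallets=("0xAbCdEf0000000000000000000000000000000001",)),
])
SAMPLE_TRANSFER = Transfer("T-1",
    Party("Alice Example", wallet="0x1111111111111111111111111111111111111111"),
    Party("Bob Example", wallet="0xabcdef0000000000000000000000000000000001"))
```

Calling `screen_transfer(SAMPLE_TRANSFER, SANCTIONS_V1)` returns a HOLD with a single alert: the beneficiary's name is clean, but the wallet address matches one published with the hypothetical listing, which is why addresses are screened alongside names. Three design points follow the Guidelines' structure: the decision records the list version so the audit trail shows which dataset a release was based on; a possible match never releases automatically, only `resolve_alert` moves a HOLD to FREEZE or RELEASE after human analysis; and `rescreen_customers` is what a list-update trigger event should invoke, so that a customer whose beneficial owner is newly designated surfaces without waiting for the next periodic run.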
This publication does not necessarily deal with every important topic or cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice.
www.cliffordchance.com