MiCAR Compliance: CBI Guidance for CASPs

With new EU rules on crypto assets taking effect, the Central Bank of Ireland is setting the bar for firms seeking authorisation and their ongoing compliance. Our Financial Regulation team examines the key regulatory requirements and outlines how firms can prepare for authorisation and compliance with the Central Bank of Ireland’s expectations.

The introduction of the Markets in Crypto Assets Regulation, or MiCAR, represents a significant shift in the regulatory landscape for crypto assets across the EU. Designed to foster innovation while safeguarding consumers, MiCAR imposes strict requirements on crypto asset service providers (CASPs) regarding governance, transparency, and market conduct. The Central Bank of Ireland (CBI) has issued detailed guidance on the authorisation process for CASPs and regulatory expectations for ongoing compliance. The guidance sets out its expectations for firms seeking to operate within the MiCAR framework. Our Financial Regulation team explores the key regulatory obligations under MiCAR and the CBI’s approach to ensuring robust compliance and consumer protection.

CASPs that are based in Ireland, have been required to obtain authorisation from the CBI to operate within the EU since 30 December 2024. There is a transitional period for existing virtual asset service providers, or VASPs. The Department of Finance outlined in its feedback statement that this transitional period will be a maximum of 12 months, ending on 29 December 2025. The transitional period allows VASPs to continue to provide services that would otherwise require a licence under MiCAR, up until 29 December 2025.

Any existing VASPs that will not apply for a CASP authorisation should implement their wind-down plan and cease providing services by the end of the transitional period.

Updates to the CASP authorisation process

We recently summarised the CBI’s authorisation process. However, recent developments and CBI guidance should also be considered when seeking authorisation as a CASP.

Firms are required to meet with the CBI and present their proposed plans and business model before submitting a formal application.

Applicant firms are also required to prepare and submit a “Key Facts Document” (KFD) that includes an overview of the firm’s proposed business. The overview will need to include details of:

• Intended services
• Capital requirements
• Governance
• AML
• ICT systems and security arrangements (including its approach to the Digital Operational Resilience Act (DORA))
• Conflicts of interest
• Business continuity and wind-down procedures

In November 2024, the CBI published detailed guidance on completing the CASP authorisation KFD. This guidance outlines the CBI’s expectations for the KFD stage of the authorisation process:

• The KFD should adequately reflect all items discussed and feedback provided during the pre-application meeting with the CBI.
• Applicant firms should expect engagement on the KFD's contents and respond to the CBI’s follow-up queries constructively and promptly.
• The CBI may provide feedback on the KFD, which should be reflected in the applicant firm’s formal authorisation application. The CBI may also provide feedback on material items that it deems necessary for the applicant firm to address before submitting a formal application.
• The KFD must provide sufficient detail to enable the CBI to identify potential issues or concerns that may impede the progression of the application.
• The CBI expects applicant firms to have full awareness and understanding of the relevant governing legislation, regulatory definitions, guidelines, and technical standards applicable to CASPs before submitting a KFD.

The CBI’s MiCAR expectations

In December 2024, the CBI published further guidance on the MiCAR authorisation process and the CBI’s supervisory expectations for CASPs. This guidance supplements the CBI’s cross-sectoral guidance on expectations for applicant firms seeking authorisation to operate as a regulated entity.

The CBI encourages prospective CASPs to engage with it early regarding their business proposals. The CBI’s guidance highlights several key areas of CBI focus, including:

• Governance and accountability: CASPs must demonstrate substance and autonomy in Ireland and show that they are led by a local crypto-competent executive and board with a strong understanding of the local regulatory environment. Firms must maintain robust governance and risk management arrangements.
• Protection of client assets: CASPs must demonstrate full control over all client assets, ensuring robust segregation and prompt access to reserve assets to meet redemption demands.
• Business model and financial resilience: CASPs must maintain a board-approved business strategy that demonstrates the viability and sustainability of the business model. This strategy should fully account for vulnerabilities stemming from the product offering.
• Operational resilience: CASPs must ensure continuity and regularity in the performance of their services, including Distributed Ledger Technology (DLT) and blockchain.
• Ownership: CASPs must provide a transparent and corroborated view of the identity of direct and indirect shareholders, as well as any party that can exercise significant influence over the CASP. Ownership and operating structures must be designed to achieve maximum transparency.
• Conflicts of interest: CASPs must ensure that customer interests are not compromised by conflicts of interest. They must implement a robust system to proactively identify and remedy any conflicts in a timely manner.
• Crisis management: CASPs must maintain detailed plans to support an orderly wind-down of their activities. CASPS need to ensure timely redemption of customer funds without causing undue economic harm.
• Conduct and transparency: CASPs must demonstrate how customers’ interests will be secured and how the suitability of their product offering is proactively assessed in accordance with customers’ risk tolerance.
• Anti-Money laundering / countering the financing of terrorism (AML/CFT): CASPs must demonstrate that they have strong risk management practices and internal controls to identify, assess, and manage risks, including money laundering, terrorist financing, and financial sanctions risks. Compliance with all relevant AML/CFT legislation and financial sanctions is mandatory.

Consumer protection in the context of MiCAR

The CBI is mandated to ensure that customers' best interests are protected through effective regulation.

The CBI is conducting a comprehensive review of the Consumer Protection Code 2012 (CPC), focused on securing consumers’ interests. The CPC will be replaced by CBI regulations, which are expected to be published early this year. A 12-month implementation period is proposed from the date of publication.

Firms intending to apply for authorisation as a CASP should be aware that the scope of the CPC has been expanded to include CASPs.

Comment

The CBI will publish its CASP application form in due course. Firms intending to apply for MiCAR authorisation should start preparing as soon as possible to ensure that they have all of the relevant information, policies, and processes in place to support their applications. Ensuring the careful preparation of a suitably detailed and accurate KFD will be of central importance to this process. Preparation should include a thorough review of governance, client asset protection, operational resilience, and AML/CFT controls. Firms must also stay updated on guidance from the EBA and ESMA, which will provide further clarity on MiCAR obligations. Early engagement with the CBI is key to navigating this complex process and ensuring regulatory readiness.

Our Financial Regulation team has extensive experience advising crypto operators and is assisting firms who are interested in applying for authorisation under MiCAR. Please reach out to a member of our team should you require advice and support in this area.

People also asked

The content of this article is provided for information purposes only and does not constitute legal or other advice.