
ESMA Peer Review on CASP Authorisations under MiCA

1. Executive Summary


This report analyses the findings of a European Securities and Markets Authority (ESMA) peer review concerning the Malta Financial Services Authority's (MFSA) process for authorising and supervising a Crypto-Asset Service Provider (CASP) under the Markets in Crypto-Assets (MiCA) regulation. The review assesses the MFSA's performance in the context of MiCA, which established a comprehensive EU-wide regulatory framework in June 2024.


While the MFSA was commended for its expertise, resources, and post-authorisation supervision, the report delivers significant criticism of the authorisation process itself. The Peer Review Committee (PRC) found that the license was granted prematurely, before the resolution of several material issues. This signals ESMA's intent to enforce MiCA rigorously from its inception, emphasising that the authorisation process must serve as a robust gatekeeping mechanism to protect the EU single market and ensure consistent investor protection.

2. Assessment of the Malta Financial Services Authority (MFSA)


The peer review provided a mixed assessment of the MFSA's performance, highlighting both commendable practices and significant shortcomings.


2.1. Strengths


  • Expertise and Resources: The MFSA is recognised for possessing strong knowledge and sufficient resources dedicated to CASP supervision. It was rated as "fully meeting expectations" in this domain.

  • Proactive Engagement: The authority was proactive in its efforts to build knowledge by engaging with both industry stakeholders and academic institutions.

  • Supervisory Actions: In terms of supervisory actions following authorisation, the MFSA was assessed as "largely meeting expectations."


2.2. Weaknesses and Key Failings in the Authorisation Process


The primary weakness identified was in the authorisation phase, which was rated as only "partially meeting expectations." The PRC expressed concerns over the timing of the authorisation, arguing that the MFSA did not sufficiently leverage its authority to compel the entity to resolve critical deficiencies before granting the license.


The review identified failures to adequately assess several critical risk areas for the specific CASP, including:


  • Business Growth: Insufficient scrutiny of the firm's growth plans and the associated risks.

  • Conflicts of Interest: Inadequate assessment of potential conflicts of interest within the firm's business model.

  • Governance: A lack of depth in reviewing the firm's governance structure and its reliance on other entities within its corporate group.

  • Technology and Custody: Insufficient analysis of risks related to its IT infrastructure, custody model, and the use of Web3 services.

  • AML/CFT: Incomplete assessment of certain Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) risks.


3. Key Implications for Regulators and the Crypto-Asset Industry


The peer review serves as a foundational document, establishing clear expectations for National Competent Authorities (NCAs) and CASPs under MiCA. The key takeaways are as follows:


  • Strict Enforcement from Day One: ESMA and other EU bodies will closely scrutinise NCAs to ensure MiCA rules are applied rigorously and consistently. Granting authorisations to firms with unresolved "material issues" will be deemed unacceptable.

  • Authorisation as a Critical Gatekeeping Function: The report firmly establishes the authorisation process as the primary "gatekeeper" for the EU single market. NCAs are expected to be exhaustive in their reviews and use this phase to guarantee full compliance before a firm can operate and "passport" its services across the EU.

  • Focus on Cross-Border Supervision: The review acknowledges the dominant business model where a CASP in one member state (e.g., Malta) serves the entire EU. This places immense responsibility on the home regulator and necessitates stronger coordination, information sharing, and trust-building among all national regulators.

  • Heightened Scrutiny on Key Risk Areas: CASPs seeking MiCA authorisation must prepare for intense scrutiny on specific operational and governance areas. The recommendations signal regulatory priorities:

    • Conflicts of Interest: Demonstrating robust management of conflicts when multiple services are offered.

    • Governance & Intragroup Reliance: Establishing clear lines of responsibility and managing risks from services provided by parent or sister companies.

    • ICT and DORA Compliance: Ensuring resilient IT systems, business continuity plans, and cybersecurity in line with the Digital Operational Resilience Act (DORA).

    • Web3 & DeFi Risks: Proving the ability to manage novel risks from decentralised finance and clearly distinguishing between regulated and unregulated services.

  • Investor Protection is Paramount: The ultimate goal is to ensure that all EU investors receive the same high level of protection, regardless of where the CASP is domiciled. This includes detailed assessments of user interfaces and risk warnings to ensure they are transparent, fair, and not misleading.


4. Conclusion


This ESMA peer review serves as a clear warning to the industry and national regulators. It underscores that the MiCA authorisation process is not a formality, but a stringent and substantive review. For crypto firms, the message is unequivocal: achieving full compliance with MiCA's requirements on governance, risk management, ICT security, and investor protection is non-negotiable for gaining access to the lucrative EU market. For NCAs, it sets a high bar for their role as gatekeepers, demanding thoroughness and a low tolerance for risk in the authorisation phase.


 
 
 
