.png)
.png)
The European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, has issued new guidelines aimed at standardizing how member states regulate crypto companies. The supervisory briefing provides concrete guidance for National Competent Authorities (NCAs) as they process applications from Crypto Asset Service Providers (CASPs) looking to establish new business operations.
The guidelines emphasize a risk-based approach to the authorization of CASPs. A key principle set forth by ESMA is that all CASPs should be subject to an elevated level of scrutiny. “ESMA is of the view that there are no low-risk CASPs,” the regulator stated. “CASPs often deal directly with retail investors and have a limited track record when it comes to regulatory compliance and supervision.”
Highlighting the potential dangers in the sector, ESMA pointed out that the risks associated with money laundering (ML) and terrorist financing (TF) are generally high for CASPs. “CASPs are exposed to ML/TF risks due to specific features of their business structure, the cross-border nature of their business and the technology used,” the briefing stated.
The regulator outlined several factors that contribute to higher risk, including the size of a CASP in terms of client base and assets, the complexity of its corporate structure, and the extent of its cross-border activities. Additionally, risks are heightened when key functions are outsourced or when there is a problematic supervisory history.
To mitigate these risks, NCAs must assess whether CASPs have sufficient local autonomy. This includes ensuring that companies have an independent chair for the executive management board and a chief executive officer who dedicates 100% of their time to the CASP’s operations. The use of staff located outside the country of authorization should also be carefully evaluated by NCAs.
The guidelines further require CASPs to establish a comprehensive risk management framework. Companies must designate key personnel, including risk managers and compliance officers, and clearly define their specific responsibilities and accountability structures. Moreover, each CASP is expected to have a detailed business plan, which should contain realistic projections over a three-year period with clearly defined intermediate targets.
ESMA has made it clear that these principles should be applied not only during the initial authorization procedures but also throughout the ongoing supervision of CASPs. “NCAs are expected to apply the principles in the supervisory briefing during authorisation procedures, as well as ensure continued adherence for CASPs once they have been authorised,” the authority stated.
By introducing these new guidelines, ESMA aims to bring greater consistency and oversight to the regulation of crypto companies across the European Union, ensuring that financial markets remain secure and resilient in the face of emerging technological developments.
By fLEXI tEAM