Crypto custody

1. Introduction

This article discusses the EU’s approach to regulating crypto custody under the Markets in Crypto-assets (MiCA)¹ Regulation. To ensure financial stability, an adequate degree of investor protection, market fairness and integrity in places where gaps in the traditional EU financial regulation have been identified,² MiCA subjects crypto-asset service providers (CASPs) to both licensing and financial supervision if they provide certain crypto-asset services specified in Article 3(1)(16) MiCA. The provision of custody and administration of crypto-assets on behalf of clients is one such crypto-asset service.³

Custody is one means of providing safekeeping and is the main function of investment fund depositaries.⁴ Under established investment fund regulation, custody requires registration ‘in a financial instruments account opened in the depositary’s books’ or physical delivery to the depositary.⁵ The AIFMD⁶ limits the holding in custody to financial instruments, whereas for other assets, ownership verification and record-keeping is required.⁷ The widespread insecurity about the qualification of crypto-assets as financial instruments or not⁸—prior to MiCA—also impacted on what custody and safekeeping of crypto-assets was deemed to entail; this, in turn, may have contributed to token-holders’ losses in a period known as the Crypto Winter,⁹ with billions of Euros in asset value lost in less than two years.¹⁰ These losses have undermined the token-holders’ trust in crypto, threatening to halt the growth of crypto and investments in distributed ledger technology (DLT) at large,¹¹ not even two years after enthusiastic predictions of a golden crypto future.¹² Even today, when Bitcoin as most prominent digital asset experiences an upturn in the Spring of 2024, most large-volume crypto-assets (such as Ether, Tether, USCD) trade below their record highs of 2023. In this article, we seek to identify where MiCA furthers legal certainty in this regard, as well as the robustness of the crypto custody system at large, and whether MiCA provides a sufficiently solid foundation for the future of the emerging crypto industry.

First, we discuss the context of crypto custody against the background of the Crypto Winter, the current market needs and the international proposals to regulate crypto in Section 2. We then highlight the scope of MiCA’s custody rules, as well as the general requirements applicable to all CASPs, and those affecting crypto custodians in particular in Section 3. Thereafter, Section 4 issues policy considerations, and Section 5 concludes.

2. The case for regulating crypto custody

Large-scale asset misappropriations

Starting in the second half of 2021, a series of operational shortcomings, malfunctions and asset diversions of major crypto projects became apparent, with losses often in the hundred millions of US Dollars.¹³ Following the Terra-Luna stablecoin algorithms’ collapse in May 2022 that wiped out US$50 billion in just three days,¹⁴ the crypto industry experienced large-scale turmoil, sparking a string of bankruptcies of prominent crypto firms such as Three Arrows Capital, Voyager Digital and Celsius Network, culminating in FTX’s failure, which has been referred to as the ‘Lehman moment’¹⁵ for the crypto industry. What is now dubbed the ‘Crypto Winter of 2022–2023’¹⁶ severely undermined investors’ trust in the crypto industry, triggered asset price deterioration, and several spillover effects into traditional finance. Eventually, this event pushed crypto up policymakers’ agendas.

The role of crypto custodians

Crypto custodians have played and continue to play a pivotal role in crypto malfunctions. Crypto custody, so far, has usually taken the form of ‘hot’ collective custody, meaning that the wallet provider stores all of their clients’ private keys together in wallets that are permanently online and linked to the distributed ledger. These (sort of) ‘omnibus wallets’ are significantly vulnerable to internet attacks and security breaches.¹⁷

In this environment, six deficiencies contributed to token-holders losing trust in crypto:

1. Crypto custodians were unable to prevent the loss of private keys administered by them relating to their clients’ assets;¹⁸

2. Crypto custodians applied custody policies insufficient to address cyber-risks, misrepresentations, theft and fraud from the inside and the outside;¹⁹

3. Crypto custodians mixed custody business with risk-exposed activities of crypto exchanges, brokers, investments and lending on the same balance sheet.²⁰ Multi-functional CASPs providing custody in relation to their other crypto-asset services mimicked the financial conglomerate model of TradFi, yet neglected to implement the same safeguards, information barriers and internal controls. In turn, conflicts of interest became widespread throughout the industry and counterparty risks from other types of businesses undermined the crypto custodians’ own stability;²¹

4. Crypto custodians commingled numerous clients’ assets with their own assets in a way that neither their clients’ assets nor their own were identifiable as such. This was, for instance, the case for ‘collective’ hot (online) wallets where multiple clients’ assets—and usually the custodian’s own assets—are commingled;²²

5. Crypto custodians executed deficient bookkeeping, asset earmarking, internal controls, and business continuity practices so that in hindsight transactions on behalf of clients could not be distinguished from those in the custodian entity’s own name;²³ and

6. Crypto custodians reused client assets for proprietary trading on their own or a related entity’s account. In particular, large losses from proprietary trading were covered with clients’ custodial assets.²⁴ Still today, more than one year after the Crypto Winter ended, in their terms and conditions, many custodians entitle themselves to reuse the entrusted assets for their own investment or business purposes.²⁵

News about these deficiencies hit crypto markets hard at a time when signs of market concentration were emerging. When some of the new systemically important crypto intermediaries (SICIs)²⁶ were failing, with risks to token-holders, market stability and market integrity of systemic dimensions, clients initiated massive sell-offs akin to bank runs²⁷ common to TradFi. These sell-offs revealed previously unknown interconnections and spillover effects²⁸ into TradFi markets, further undermining the stability of crypto custodians.

The many bankruptcies of crypto custodians occurring in the vicinity of these events²⁹ further revealed that when token-holders depended on their custodians the most, prominent custodians could not deliver on their promise of safeguarding their clients’ assets.³⁰ The insolvency proceedings made it transparent that proper asset segregation, business continuity and recovery approaches, as well as other good custody practices, were lacking throughout the industry. Clients were left entirely unprotected, while the patchy, yet emerging crypto property and insolvency laws in most jurisdictions³¹ did little to further private protection for the token-holders themselves.

All in all, these instances prompt the question of whether the term ‘custodian’ would be the right term for this type of crypto service, since, after all, very little was held ‘in custody’ or safeguarded at all.

International proposals to regulate crypto custodians

In light of all these incidents, the crypto custodians have already become the focal point of international policymakers, resulting in partly overlapping policy proposals as displayed (cf Table 1).

According to policy recommendations of the FSB,³² the IMF³³ and the IOSCO³⁴ addressing crypto custody, the custodians shall safeguard the entrusted assets and their clients’ rights against loss and misuse especially in the event of insolvency, and they shall provide proper controls, as well as operational, cyber-resilience and risk-minimizing custody policies. They must also keep correct and up-to-date records establishing their clients’ holdings. Furthermore, they shall segregate the entrusted crypto-assets from their own proprietary assets, while title transfer arrangements and reuse of clients’ assets shall be permitted only with the client’s prior express consent and extensive ex ante disclosures. When the safekeeping is outsourced, they shall implement similar safeguards and additional risk management and inform the clients accordingly.

Moreover, the custodian shall provide transparency regarding inter alia the rights and obligations stemming from the custodial agreement, safeguarding arrangements, any outsourcing, any use of omnibus accounts, the respective reuse of clients’ assets, as well as all other related risks.

In addition, the multi-functional CASPs also offering custody shall identify, disclose and manage any conflicts of interest, and shall be subject to a mandatory separation of functions or even disaggregation of business lines. The IMF and the IOSCO set requirements on the safekeeping and segregation of clients’ funds; on top of that, custodians must have additional own funds or participate in guarantee schemes to compensate the clients in the event of asset loss or theft, or insurance of the assets. The IMF further recommends the adoption of an effective wind-down plan, while the IOSCO suggests proper and frequent on-chain and off-chain reconciliations.

The crypto market today

In the aftermath of these events, crypto inevitably pushed its way onto the agenda of regulators and supervisory authorities in multiple jurisdictions. In addition to the recent 25-year sentence of Sam Bankman Fried, former CEO of FTX,³⁵ regulators launched a series of enforcement cases and lawsuits against the largest crypto companies, most notably Coinbase³⁶ and Binance.³⁷

Even today, when Bitcoin as the most prominent digital asset experiences an upturn in the Spring of 2024 (which effects unique to Bitcoin may help explain³⁸), most large-volume crypto-assets (such as Ether, Tether, USCD) trade below their record highs of 2023 or, in the case of stablecoins like Tether and USCD, below par. All in all institutional investors remain reluctant to invest large-scale amounts in crypto, but increasingly engage on an experimental level. In turn, institutional services like crypto ETFs,³⁹ stablecoin by global payment service provider Paypal,⁴⁰ exchange-traded products drawing on Bitcoin, and TradFi-based crypto-asset and custody solutions⁴¹ have emerged. The ongoing institutionalization of crypto makes the need for a proper regulatory framework even more apparent.

3. MiCA’s rules on crypto custodians

The bespoke rules for CASPs in Title V MiCA cover the crypto-asset services defined in a long list in Article 3(1)(16) MiCA. One of these services is the ‘provision of custody and administration of crypto-assets on behalf of clients’ (cf Article 3(1)(16)(a) MiCA). While this list is far from complete (for instance, it does not cover crypto-lending and crypto-staking expressly⁴²), MiCA does not require that any activity is the provider’s main or exclusive activity. For MiCA’s custody rules to apply, it is sufficient that the CASP offers—amongst others—custody and administration services for crypto-assets on behalf of clients.

For these services, any CASP needs an authorization subject to Title V Chapter 1 MiCA, which may either be specific to a crypto-asset service, or an expansion of an existing license as, for example, a credit institution, an e-money institution, a payment service provider, MiFID investment firm, or investment fund manager.⁴³ On top of that, Title V Chapter 2 MiCA provides for general rules applicable to all CASPs, while Title V Chapter 3 MiCA stipulates rules for certain regulated activities. After explaining the scope of Title V MiCA in the custody context, below we discuss the most important operating requirements.

Scope of MiCA’s custodian rules

Article 4(3) MiCA exempts a number of token types from the whitepaper duties laid down in Title II MiCA.⁴⁴ Article 4(5) MiCA provides the analogous exemption with regard to crypto-asset services in relation to these token types; in all of these cases, the CASP is exempted from Title V MiCA.

Issues of delineation emerge in relation to three aspects: the application of acts of the EU financial law acquis other than MiCA; the extent to which MiCA applies to fully decentralized applications; and MiCA’s definition of ‘custody’.

Distinction from other EU financial laws

MiCA is a gap-filling exercise focusing on crypto-assets.⁴⁵ It does not apply where financial services are already regulated (cf Article 2(4) MiCA). In turn, MiCA’s rules do not apply where a digital asset qualifies as a financial instrument or a structured deposit, to name only two of several examples. In light of the former, MiCA’s scope is limited to EMTs,⁴⁶ ARTs⁴⁷ and ‘other crypto-assets’ within the scope of MiCA that do not qualify as EMTs and ARTs.⁴⁸

Note that MiCA’s list of exemptions does not mention collective portfolio management. In turn, for investment funds sometimes only the rules for funds investing in financial instruments apply,⁴⁹ sometimes only the rules for alternative investment funds apply⁵⁰ and sometimes MiCA’s rules on top of the rules on alternative investment funds apply. Notably, under EU financial law, the custody of assets on behalf of alternative investment funds is subject to particular rules specified in Article 21 AIFMD.⁵¹ We focus in this article on MiCA’s custody rules only⁵² and touch upon the relationship with other intermediary types only in passing.

Fully decentralized applications as CASPs?

For some crypto-assets, in particular Bitcoin, it is difficult to identify a single token issuer. Pursuant to Recital 22, ‘[w]here crypto-assets have no identifiable issuer, they should not fall within the scope of Title II, III or IV of [MiCA]. Crypto-asset service providers providing services in respect of such crypto-assets should, however, be covered by’ MiCA. Recital 22 therefore clarifies that CASPs must comply with Title V MiCA even where Titles II, III and IV MiCA do not apply. We welcome this clarification as, with regard to crypto custodians, it renders the difficult decision as to what constitutes ‘partly’ decentralized applications in contrast to ‘fully decentralized applications’ unnecessary. This means that for tokens issued by partly and fully decentralized applications, the CASP rules apply if a crypto-asset service is being provided.

Beyond the qualification and degree of centralization of the token issuer, whether Title V applies to fully decentralized custody providers requires further consideration. From the outset, the answer seems to be in the affirmative, as Title V is activity-based. Yet, the definition of a CASP in Article 3(1)(15) MiCA states that ‘crypto-asset service provider’ means ‘a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis’ (emphasis added). This notion is confirmed by the (non-binding) Recital 22 that excludes from the scope of MiCA the provision of crypto-asset services in a fully decentralized manner without any intermediary.

On that basis, fully decentralized applications challenge the CASP definition on two grounds. First, the requirement of a ‘legal person’ or ‘undertaking’ could be missing. Second, given that smart contracts perform services, we could question whether the service is provided by a person and/or on a professional basis. MiCA does not define ‘undertaking’ but the general understanding as ‘a task or project, especially one that is important and/or difficult,’ similar to a venture,⁵³ would cover decentralized crypto projects.⁵⁴ Regarding the second element, namely the question of whether or not the service is provided by smart contracts or natural persons, we argue that this is not a criterion of relevance for MiCA’s scope (ie MiCA applies regardless of whether the service is performed by code or humans and that service provision by smart contracts is one of the characteristic features of the crypto industry).⁵⁵ Yet, national competent authorities (NCAs) have a hard time identifying someone to comply with the regulation if the service is provided by an application that is entirely dispersed, with multiple unrelated parties contributing, and with Bitcoin nodes functioning as the archetype. For that reason, we hold that whenever someone controls an application, be it by legal or factual means, that ‘someone’ is the CASP for the purposes of Title V MiCA.⁵⁶ Second, the term ‘on a professional basis’ singles out mere hobby projects. In EU financial law, generally, ‘professional basis’ materializes if the service is provided on a permanent basis and the provider (ie platform) looks out for clients by way of client-oriented communication.⁵⁷ This requirement is fulfilled by many crypto custody solutions.

Control over cryptographic keys as a core criterion of ‘custody’

Article 3(1)(17) MiCA states that the provision of ‘custody and administration of crypto-assets on behalf of clients’ means the safekeeping or controlling, on behalf of clients, of crypto-assets or of the means of access to such crypto-assets, where applicable in the form of private cryptographic keys.

Two issues arise from this legislative text. First, MiCA clarifies that crypto-assets can be held in custody, a matter that was widely discussed prior to MiCA.⁵⁸ Second, given that a crypto-asset is intangible, and its existence depends on recognition by the nodes in the DLT, it defines that custody ‘means the safekeeping or controlling … of the means of access to such crypto-assets, where applicable in the form of private cryptographic keys.’⁵⁹ The former is supplemented by Recital 83, stating that the custody agreement shall ‘specify, inter alia, the nature of the service provided, which could include the holding of crypto-assets belonging to clients or the means of access to such crypto-assets, in which case the client might keep control of the crypto-assets in custody. Alternatively, the crypto-assets or the means of access to them could be transferred to the full control of the crypto-asset service provider.’ (Italics added by authors).

We wonder what ‘holding’ of a crypto-asset means for an asset class where the existence of the crypto-asset depends on the processing of the same code by multiple nodes, hence the token itself is potentially stored on multiple servers simultaneously, and only the access key preserved to the holder of crypto-asset. This shifts the attention from safeguarding to the second feature mentioned in Article 3(1)(17) MiCA: control of the means of access to such crypto-assets.

In simple terms, control over their clients’ private keys means control of the crypto-assets assigned to those keys.⁶⁰ Each user has, typically, a pair or pairs of private–public keys consisting of a private (secret) key from which a public (openly disclosed) key is mathematically derived. The public key is functionally equivalent to a bank account number that ‘identifies’ it to other users, so the account can receive or send funds, while the private key is the functional equivalent of the PIN code or the signature in a bank cheque that enables the holder to control and spend the bank account balance. Meanwhile, a crypto wallet is a digital tool that stores these keys.⁶¹

However, MiCA does not specify exactly what ‘control’ over the keys entails. This is an important feature when it comes to defining which wallet providers fall under the definition of Article 3(1)(17) MiCA, thereby delineating providers offering custodial wallet services from those offering a so-called self- or non-custodial wallet outside of MiCA’s scope.⁶² This distinction is crucial given that practice has developed a full spectrum of custodial, non-custodial and middle-ground wallet solutions.⁶³

On one side of the spectrum are custodial solutions where clients do not have direct access to either the crypto-assets or private keys. The custodian generates fresh public–private key pairs (or wallets) for the crypto-assets they accept to hold in custody. The safekeeping and recovery of the keys and assets here are tied to the custodian.⁶⁴

On the other side of the spectrum are custody solutions where only the client has possession of the keys (so-called self-custody). For these cases, MiCA’s recitals clarify that the service provider is outside the definition of custody, and thus does not provide a crypto-asset service under MiCA.⁶⁵

The users will generate and control their own key pairs to hold crypto-assets. This usually happens via a hierarchical deterministic wallet⁶⁶ with a seed encoded as mnemonic,⁶⁷ where the seed is the master key, randomly generated during the wallet initialization by the user, and the latter needs to back it up.⁶⁸ If the user loses access to their wallet and the seed, their assets are utterly lost.⁶⁹

For that reason, middle-ground custody solutions share control over the keys in some way between the user and the wallet provider. Where self-custody is defined by the users’ exclusive key control, these cases are borderline and need to be assessed according to the way in which control over the key is exercised.

This results in a taxonomy of middle-ground custody solutions as follows:

1. Wallet providers with middle-ground solutions that assign control of the keys to the client, while the master key is backed up by the wallet provider, belong to the first group of custodial solutions, where control resides eventually with the custodians. For example, in the case of Ledger Recover,⁷⁰ the wallet splits the user’s seed into three fragments, which are sent to three entities for backup purposes. The keys may be generated by the user at the wallet initialization phase, so that they ‘never leave the wallet device’; in fact, the keys may also be regenerated from these backups when necessary. In these cases, the wallet assigns some control of the keys to its users, yet the control is not exclusive, so the wallet provider has the capacity to access (and thus potentially control) the keys, while the users (need to) trust that the wallet provider will not abuse that power.⁷¹

2. The second group of middle-ground solutions, where control resides with the client to a large extent, includes cases of multi-signature⁷² (‘multisig’) wallets, key sharing,⁷³ or similar technologies. These technologies create multiple keys or key shares which can be held by different persons, while a minimum threshold of these keys or key shares is required to perform any transaction regarding x crypto-assets.⁷⁴ In our case, the wallet provider and the client hold different keys or key shares over the same assets. We consider a situation where neither the key(s) or key share(s) held by the client, nor the key(s) or key share(s) held by the service provider are sufficient to initiate a transaction. Therefore, for any transaction to take place, the collaboration and ‘co-approval’ of the wallet provider and the client are necessary. One example of this is the Zengo⁷⁵ wallet.

3. Regarding the third middle-ground group, these encompass cases of multisig wallets, key sharing and similar technologies where the client alone holds the minimum threshold of keys or key shares necessary to perform a transaction on their own. The wallet provider holds some key(s) or key share(s) that alone are not sufficient for any transaction and does not have access to clients’ key(s) or key share(s). Thus, the wallet provider’s key(s) or key share(s) shall be mainly held for backup purposes in case the clients lose some of their key(s) or key share(s).⁷⁶

We draw the line here based on the risks clients are facing that rely on the custody solution: where clients face the risk that the means of access could be stolen or obtained by way of ‘inside jobs’ by parties or persons not entitled to the assets, the typical custodial risks addressed by Title V MiCA do exist. In these cases, MiCA rules (should) apply. In turn, we hold that MiCA applies to the first group of middle-ground custody solutions where all relevant access data (ie where all keys are mere datasets) can be obtained from the service providers’ staff, servers and algorithms, but not to the second or third middle-ground categories since here no conduct on the side of the wallet provider or its staff alone is sufficient to obtain control over the assets.

In short, whenever the service provider can present a single point of failure that leads to a potential loss of assets, MiCA applies. By contrast, truly shared control, where no-one can ever act without the user’s consent, is not ‘control’ for the purposes of Article 3(1)(17) MiCA.

Authorization

Licensing principle

For CASPs that do not hold a relevant license under EU financial law, Articles 59, 61ff. MiCA foresee a fully-fledged authorization requirement.⁷⁷ This authorization is of relevance for new service providers that want to serve AIFMs as delegates with regard to order transmission and reception, portfolio management and advice.⁷⁸

Fund managers, e-money and credit institutions, and MiFID firms (as well as other licensed intermediaries) can gain the right to provide crypto-asset services by way of notification to their respective NCA.⁷⁹ These entities need to deliver the information relevant for expanding the authorization specified in Article 60(9) MiCA⁸⁰ 40 days prior to the commencement of the service to their NCA.⁸¹ To avoid repetitive documentation and double reviews, the CASPs that hold a license under EU financial law do not need to submit any information that they have already delivered as part of their previous licensing process if that information is identical, but they must state that this is the case in their notification.⁸²

EU passport

CASPs that receive authorization are allowed to provide crypto-asset services throughout the Union, either through the right of establishment, including through a branch, or through the freedom to provide services.⁸³ CASPs that provide crypto-asset services on a cross-border basis shall not be required to have a physical presence in the territory of a host Member State.

General and operating requirements

Title V MiCA mainly regulates the relationships between CASPs and clients (and in some cases, issuers of crypto-assets) and thus applies a regulatory perspective similar to that afforded to investment firms. Title V Chapter 2 MiCA stipulates general operating conditions applicable to all CASPs. The most important of these requirements for crypto custodians include⁸⁴ the fiduciary duties (Articles 66 and 72 MiCA), delegations and outsourcing (Article 73 MiCA) and asset recovery and business continuity (Article 74 MiCA).

Fiduciary duties (Articles 66 and 72 MiCA)

Equivalent to similar provisions in EU financial law,⁸⁵ Article 66(1) MiCA establishes that CASPs are fiduciaries: CASPs ‘shall act honestly, fairly and professionally in accordance with the best interests of their clients and prospective clients.’ This provision underpins a number of requirements on fairness, transparency and management of conflicts of interest, which follow the principle that clients’ interests shall be paramount, unless the clients have been informed and have provided their explicit consent to being treated in a disadvantageous manner.

The fiduciary duties have, on the one hand, a harmonizing effect that aligns the position of CASPs with other off-balance-sheet intermediaries in the field of finance. MiCA clarifies beyond doubt that CASPs must not use clients’ assets on their own accounts. On the other hand, it establishes limits to crypto business models resulting in value transfers from clients to the CASPs, as were frequent at the height of the Crypto Winter (cf at Part II).

Outsourcing (Article 73 MiCA)

Article 73 MiCA on outsourcing is modelled on Article 16(5) MiFID and Article 20 AIFMD and the respective implementing legislation.⁸⁶ The former’s purpose is to ensure the effectiveness of the authorization requirements and financial supervision even where the authorized CASPs rely on other, potentially not authorized, service providers.

CASPs ‘that outsource services or activities to third parties for the performance of operational functions shall take all reasonable steps to avoid additional operational risk.⁸⁷ They shall remain fully responsible for discharging all of their obligations pursuant to’ Title V MiCA. CASPs engaged in outsourcing need to ensure that the outsourcing does not: (1) result in the delegation of their responsibility; (2) alter the relationship between them and their clients, nor their obligations towards their clients; and (3) alter the conditions for their authorization. Again, events during the Crypto Winter account for the introduction of such rules: many CASPs were inexperienced in financial services, and incapable of handling the operational risks of their DeFi applications and the entities relating to them. These outsourcing rules ensure that the institutional robustness of the licensing principle cannot be circumvented by way of delegation.

The core question relating to Article 73 MiCA is establishing when a service relied on is a third party (from MiCA’s perspective)⁸⁸ and when that third party performs operational functions. Where custody as a crypto-asset service is concerned, to qualify as a delegate, that third party must provide material parts of custody services.⁸⁹ Given the core of custody is control of the means of access, examples of operational functions include the external storage of private keys, the involvement in the new generation of lost keys or key shares, or the reliance on a sub-custodian with bridges in place to connect to crypto-assets other than those that the custodian can access through their own bridges. Software developer firms are often engaged in code development, hosting and crisis management (in response to cyber-attacks or malfunctions); where these services come with temporary access to, or storage of, the private keys, these firms act as delegates of the CASP, and are consequently indirectly subject to regulation; in the case of sub-custody arrangements, they are subject to direct regulation as a CASP if the firm is located in the EU/EEA.⁹⁰ We account for that assessment in the same vein as we classified custody solutions in general (cf at III1.c): whenever the service provider can present a single point of failure that leads to a potential loss of assets, MiCA applies.

Burial plan (Article 74 MiCA)

Article 74 MiCA requires CASPs offering custody the setting up of a burial plan, which is a ‘plan that is appropriate to support an orderly wind-down of their activities under applicable national law, including the continuity or recovery of any critical activities performed by those service providers. That plan shall demonstrate the ability of crypto-asset service providers to carry out an orderly wind-down without causing undue economic harm to their clients.’ To be effective, the plan needs to be aligned with national insolvency law.⁹¹ The fact that crypto insolvency law is, so far, not harmonized in the EU,⁹² undermines the effectiveness of burial plans in protecting clients’ assets.⁹³

Safekeeping and custody

While Article 75 MICA provides for specific rules on crypto custody, one part of custody, namely the safekeeping of crypto-assets, forms the heading of Article 70 MiCA and is allocated within the general rules applicable to all CASPs.

Custody as qualified safekeeping (Article 70(1) MiCA)

While not all CASPs provide safekeeping in relation to crypto-assets, as they can also safekeep ‘funds’ (ie cash equivalents) to facilitate payments, in cases where custody with regard to crypto-assets is provided, Articles 70(1) and 75 MiCA apply in tandem. MiCA regulates crypto custody then as a qualified form of safekeeping under Article 70(1) MiCA, similar to Article 21(8) AIFMD that regulates custody as a qualified type of safekeeping for financial instruments on behalf of alternative investment funds.

Within the scope of Article 70(1) MiCA are then not only crypto custodians, but potentially also crypto portfolio managers, crypto exchanges and crypto-lending and crypto-staking services that, albeit not within the scope of MiCA for their main service, hold clients’ assets as an ancillary service.

Analogous to Article 16(8) and (9) MiFID, these CASPs ‘shall make adequate arrangements to safeguard the ownership rights of clients, especially in the event of the [CASP’s] insolvency, and to prevent the use of clients’ crypto-assets for their own account.’ The first requirement depends on what is necessary to protect the holders of crypto-assets under the insolvency laws applicable in the event of the DeFi application’s insolvency or going out of business.⁹⁴ The second requirement responds to the widespread abuses where crypto intermediaries (eg FTX Exchange) were treating clients’ assets as their own, for instance to cover up losses suffered from risky crypto investments in other parts of their crypto empire (eg Alameda, FTX’s investment subsidiary⁹⁵) or to back-up crypto-lending arrangements in which clients’ assets are pooled and then transferred to third-party creditors.⁹⁶

Custody contract, policy and procedures under Article 75 MiCA

Article 75 MiCA on custody services requires that CASPs must reside within the European single market,⁹⁷ and enter into an agreement with clients in which the contractual details are meticulously prescribed.⁹⁸

The most important stipulations here relate to the parties’ identities (which may be difficult to ascertain in cases of fully decentralized systems), the custody policy, a description of the CASP’s security systems, the fees, costs and charges to be paid by the client, and the applicable law.⁹⁹

The custody policy must contain procedures aimed at ensuring the safekeeping or control of the means of access to the crypto-assets.¹⁰⁰ This rule responds to the frequent incidents of private keys administered by custodians being misappropriated.¹⁰¹ Furthermore, clients’ rights to crypto-assets as well as any movement, modification, or creation in positions shall be registered in the name of each client,¹⁰² while the client is entitled to receive information on the register entries.¹⁰³ This rule shall provide for transparent handling of the exercise of clients’ rights.

Moreover, CASPs are obliged to provide procedures necessary for the return of crypto-assets to clients¹⁰⁴ as well as (an operational) segregation of the client’s assets from the CASP’s assets on the distributed ledger.¹⁰⁵ This shall ensure, for instance, that in the event of the CASP’s insolvency, the client’s assets remain unimpaired.

Notably, Article 75(4) MiCA establishes a private law provision mandating substitution: changes to the DLT and other events possibly impacting clients’ rights shall establish the clients’ right ‘to any crypto-assets or any rights newly created on the basis and to the extent of the client’s positions at the time of the occurrence of that change or event.’¹⁰⁶ While these provisions are meant to protect the custodian’s clients, they also subject CASPs to liability risks for events taking place on the DLT which the CASPs may or may not be able to influence; note that a CASP may have no governance right in relation to the token’s creation or modification by way of the DLT. If the DLT does not allocate the right, or a particle thereof, to the respective token, it may never come within the custodian’s reach.

Custodian’s liability

This shifts the focus of attention onto the custodian’s liabilities. MiCA introduces a broad rule in Article 75(8) MiCA: the custodian is liable for losing their clients’ assets. This rule stands in contrast to the terms and conditions of most crypto custody providers so far that either exclude liability¹⁰⁷ or cap liability up to the total amount of fees charged to clients, constituting a fraction of their clients’ losses.¹⁰⁸ The statutory liability is all the more important since liability is not preconditioned on any culpability or fault on the side of the custodian nor their staff.

A closer look reveals, however, that the liability of CASPs is limited in three respects. First, the CASP is liable for the loss of crypto-assets or the means of access to these assets only. MiCA does not foresee any other damage that the clients may suffer such as the loss of opportunity or reputational damage.¹⁰⁹ Second, liability is limited to situations attributable to, and under the control of, the CASPs.¹¹⁰ Third, liability is capped at the market value of the lost crypto-asset at the time the loss occurred. Regardless, Article 75(8) MiCA may function as a game-changer in an environment characterized by a lack of accountability and resilience.

As to what constitutes a loss depends on the interpretation of the substitution rule¹¹¹ and the obligation to facilitate their clients’ rights more generally: if the custodian decides not to extend custody to any crypto-assets created on the ledger to which their clients would be entitled, the question of whether the clients duly authorized the custodian to forego any claim on the new asset will determine whether (a part of) the assets were, in fact, lost (rather than ceded, voluntarily given up, donated, or something else). The same question of compliant conduct is of relevance when the consensus mechanism and other elements of the underlying DLT generate rewards, benefits or other passive income elements relating to crypto-assets and the custodian refrains from assigning these to their clients; these could be seen as a part of the crypto-asset or a loss stemming from a right separate from the crypto-asset. In this context, Article 66 MiCA, establishing fiduciary duties and the obligation to act in their clients’ best interests, will provide a guideline in the absence of express contractual stipulations and client orders.

Even more important to determine is what constitutes an incident that is attributable to the custodian, given that liability is excluded where the loss is not attributable thereto. An attributable incident is any event that occurs in the realm of the custodian’s operations that the latter controls or may control. Here, the core matter is what the law assumes the custodian has to control (ie how the custodian must be organized and what resources they must spend on securing such control). This may be derived from Recital 83 MiCA, clarifying that the custodian shall be liable for an ICT-related incident, including an incident resulting from a cyber-attack, theft, or any malfunction.

Therefore, liability under Article 75(8) MiCA results from an exercise of separating attributable from non-attributable incidents. In this regard, it is noteworthy that ESMA interprets Recital 83 MiCA to mean that CASPs using permissionless DLT infrastructure that they do not control or manage (ie no contractual arrangement exists) are exempted from this liability.¹¹² While this clearly sets incentive to outsource to permissionless rather than the permissioned DLT applications, ESMA tries to remedy this shortcoming by proposing obligations in the event of a disruption involving a permissionless DLT, for instance, to communicate the disruption to the client along with the associated risks and their own liability exclusion for such events and finally, to act in the best interest of the clients. Further, CASPs should remain liable for any losses related to their own smart contracts, such as hacks or exploits, regardless of whether they are deployed on a permissionless or a permissioned DLT.¹¹³  Tables 2 and 3 provide an overview of attributable and non-attributable incidents derived from MiCA’s requirements for crypto custodians.

4. Policy considerations

Analysing the strengths and weaknesses of the MiCA crypto custody framework in turn, we first set out our analytical perspective section, before focusing on institutional resilience section and asset resilience section.

Analytical perspective

For the remainder of the article, we assume two different starting points for the analysis of MiCA’s crypto custody framework.

We dub the first perspective ‘institutional resilience’. Here, we ask whether MiCA ensures that the crypto custodians are soundly organized, and whether that misconduct stemming from events inside the intermediaries is adequately addressed. We thus focus on the operational risk inherent to crypto custody.

The second perspective is called herein ‘asset resilience’. Under that term, we review the extent to which the existence or value of the crypto-asset is secured by way of regulation in the event of malfunctions, distress and the insolvency of the custodian, the token-issuer, the DeFi application or any third party, as the case might be. Accordingly, we focus on the overall embedding of MiCA into the legal system.

Institutional resilience

The ‘institutional resilience’ perspective measures MiCA’s robustness in light of the many deficiencies inherent in the custodian’s setup and conduct in the context of the Crypto Winter. From this perspective, MiCA is seen as a crisis mitigant by enhancing custodians’ resilience.

MiCA ensures that the custodian is a duly authorized¹¹⁴ fiduciary,¹¹⁵ soundly organized and governed, subject to prudential requirements, conflicts of interest and operational risk management.¹¹⁶ Custodians shall segregate¹¹⁷ their own assets from their clients’ assets and avoid the reuse of the latter for their own account.¹¹⁸ The transparency obligations regarding clients’ holdings¹¹⁹ as well as the liability regime of the custodian¹²⁰ pursue the same objective.

However, even where the authorization and operating conditions are robust, the overall resilience desired may not be achieved where service providers have the ability to avoid, or take steps to circumvent, MiCA’s authorization and operating conditions.¹²¹

We see three entry points here through which to undermine institutional resilience: MiCA’s scope, liability provisions and outsourcing rules.

Scope

The effectiveness of any MiCA rule is limited by its scope: what is outside of the rules is not addressed by them effectively. We argue herein that limitations on fully decentralized applications, the definition of regulated activities as such, and self-custody may undermine the effectiveness of MiCA’s custody rules.

Fully decentralized applications?

We discussed in the ‘Fully decentralized applications as CASPs’ section that MiCA covers fully decentralized applications only to the extent that they qualify as an ‘undertaking’. If regulators construe the definition of ‘undertakings’ broadly, this will oblige many decentralized applications to introduce governance arrangements as required by Title V MiCA. One may argue this goes against the intention of MiCA which excludes from its scope undertakings that provide crypto-asset services in a fully decentralized manner without any intermediary, thus any identifiable person or entity for enforcement purposes.¹²² Practically speaking, regulators may have difficulties when it comes to identifying persons responsible for the application, and to enforce orders in a broadly international environment.¹²³ By contrast, where regulators construe the definition of ‘undertakings’ narrowly, more applications remain untouched by MiCA’s requirements, to the detriment of institutional resilience.

Custodial versus non-custodial applications?

We have further laid out in the ‘Control over crypto-graphic keys as a core criterion of “custody”’ section that the scope of MiCA’s custody rules in Article 3(1)(17) MiCA rests on a delineation of custodial from non-custodial wallets. The same mechanics laid out in the previous section also apply to this delineation: institutional resilience increases when more DeFi applications are within the scope of MiCA, and decreases when more wallet solutions remain unregulated. This is all the more important having already noted a trend towards non-custodial solutions since the introduction of MiCA and its intention to regulate more centralized crypto solutions were announced.¹²⁴

Restrictions on regulated activities

Finally, institutional resilience is potentially at risk due to the definition of crypto-asset services. Services such as crypto-lending and crypto-staking are potentially out of scope, because they do not provide regulated crypto-asset services (for instance, custody or transfer services).¹²⁵

Often, multi-function CASPs combine custody with risk-taking activities such as proprietary trading. How MiCA deals with these services besides conflict rules¹²⁶ is somewhat unclear: even the ‘Significant CASPs’ subject to bespoke rules under Title V Chapter 5 MiCA become significant due to the number of clients only.¹²⁷ The provision of multiple services as a characteristic of multi-function CASPs would have been a better criterion for determining complexity.

In these cases, the regulatory coverage of side services, like transfer and custody, will dictate institutional resilience.¹²⁸ Here, the first battle line will lie between the taking of crypto-assets into custody on behalf of clients as an ancillary service to crypto-lending and crypto-staking, in contrast to the transfer of crypto-assets to others (clients and non-clients) in the interest of clients; note that the transfer of crypto-assets is a regulated activity different from custody, to which Article 75 MiCA does not apply, yet MiCA contains few details about what it entails.¹²⁹

Second, where custody is one, potentially initial, element of the service, a battle will inevitably be fought over the extent to which the consent of clients allows for treatment different than that provided for under Article 75 MiCA. However, where reuse hinges on the client’s consent, what implicit limits exist with regard to the reuse? Is there any compensation to be offered to clients, as a precondition for a valid consent? What are the legal requirements for a valid consent to the reuse?

The answers to these questions will determine how effectively MiCA ensures institutional resilience.

Liability as a barrier to entry?

Another reason potentially undermining institutional resilience stems from the liability provisions of Article 75(8) MiCA: where serious and well-financed intermediaries must fear liability, they may decide to opt-out of the market.¹³⁰ Given that the crypto market is small, in relative terms, staying out of crypto is one of several options financial intermediaries have when deciding upon their crypto strategy. While entirely opting-out is unlikely in the long run, as intermediaries risk missing opportunities, a viable and already observed strategy is to establish lowly financed subsidiaries, while taking the main balance sheet outside the scope of liability rules.¹³¹ To the extent that most large intermediaries refrain from crypto, and do not stand ready to entertain the existence of crypto-assets, the crypto market will remain small, in relative terms, and abstention from crypto, by and large, remains a viable option.

In this context, it is noteworthy that MiCA does not require a bank-like capitalization of custodians; hence, crypto custodians may be thinly capitalized entities under MiCA.¹³² Where custodians put up the minimum capital only, it is foreseeable that the losses may easily accumulate to an amount where the custodian’s capital is insufficient to compensate clients for losses. To this extent, liability is a double-edged sword. While potentially assisting crypto clients and investors, it may also shun the robust, well-governed and well-financed intermediaries the crypto markets so direly need.¹³³ In the absence of well-financed intermediaries that can compensate token-holders in the event of losses, liability rules are of little benefit in practice.

To demonstrate the importance of our argument, we need to take into account the use by custodians, and especially exchange-linked wallet providers, of ‘hot storage’ of private keys of multiple clients. These storage tools are constantly connected to the internet, to ensure time and cost efficiency.¹³⁴ These hot wallets have been referred to as ‘an attractive ‘honey pot’ for hackers’ and are more vulnerable than the cold (offline) key storage methods.¹³⁵

Outsourcing?

Another factor that could undermine institutional resilience results from the outsourcing rules under Article 73 MiCA. As CASP rules apply to EU entities only¹³⁶ even though many crypto intermediaries reside outside of the EU,¹³⁷ outsourcing to non-EU entities potentially weakens the institutional resilience provided by MiCA.¹³⁸ Indeed, Article 73 provides that the CASP engaging in the outsourcing shall remain fully responsible for discharging all of their obligations pursuant to’ Title V MiCA. The outsourcing does not: (1) result in the delegation of their responsibility; (2) alter the relationship between them and their clients, nor their obligations towards their clients; and (3) alter the conditions for their authorization. However, none of the above obligations concern directly the third-party sub-custodian who actually controls the assets/keys, since the latter (third party) is not subject to MiCA as long as it is not located within the EU/EEA. While the EU CASP, due to low levels of mandatory regulatory capital under MiCA,¹³⁹ will be unable to cover all or most of the holders’ losses even if it is held liable for violating its duties (such as the prohibition to alter relationships and obligations) when outsourcing to non-EU crypto service providers.

Furthermore, even when MiCA applies, that is, in the case of EU/EEA-based third-party sub-custodians, several issues related to the outsourcing of the safekeeping duties are not sufficiently addressed by MiCA. For instance, in TradFi, in cases of outsourcing of the safekeeping function, it is established that the client’s assets shall be segregated from the custodian’s proprietary assets, from the third-party’s proprietary assets, as well as from assets belonging to other clients of the third party.¹⁴⁰ We do not find the same to be the case in MiCA. This is not fundamentally changed by the fact that the CASP needs to hold certain records on, and store all communication with, the sub-custodian¹⁴¹ and make provision for the sub-custodian’s insolvency in its business continuity plan.¹⁴² While MiCA requires segregation of the client’s assets from the custodian’s proprietary assets,¹⁴³ it lacks bespoke rules on outsourcing crypto custody similar to EU investment fund law mentioned herein.

In addition, with regard to asset segregation by the sub-custodian, MiCA is ambiguous as to the following: First, whether it requires on-chain segregation (ie with separate blockchain addresses), or whether off-chain suffices (ie probably by means of a segregated record-keeping system).¹⁴⁴ Second, whether the custodian can rely on the records of the sub-custodian, who actually controls the assets/keys, in order to fulfil its own recordkeeping obligation.¹⁴⁵ Third, MiCA does not foresee safeguards for the sub-custodian’s insolvency—and thus does not address a crypto-industry-wide problem: the fact that a CASP holds information on the sub-custodian’s account¹⁴⁶ does not assure that the assets are segregated in the sub-custodian’s insolvency, nor that the CASP has legal standing in legal and insolvency proceedings relating to the sub-custodian’s assets. Since the latter point is one of asset resilience, we further address it in that context in the next section.

Asset resilience

While, despite minor deficiencies, MiCA clearly strengthens institutional resilience, we are less convinced that MiCA provides the necessary framework with respect to asset resilience (ie a framework that ensures the existence of the assets when there are operating changes on the distributed ledger (eg forks, airdrops), when the token-issuer or DeFi application experience difficulties, or finally, when the crypto custodian, or third-parties such as the custodian’s other clients, are bankrupt or close to bankruptcy).

While MiCA addresses the distress and malfunction of the token-issuer only in the context of ARTs and EMTs in its Titles III and IV, it does address the changes (eg airdrops, forks, or similar events) on the underlying distributed ledger for all types of crypto-assets in two ways: MiCA provides for the ‘substitution rule’ of Article 75(4)¹⁴⁷ and therefore the custodian’s obligation to facilitate the exercise of the clients’ rights resulting from such events, in conjunction with the custodian’s fiduciary duty and its disclosure obligations vis-à-vis the client.¹⁴⁸

Finally, to deal with the case that the custodian, sub-custodians or third parties find themselves in difficulties, malfunctions or misconducts affecting the clients’ crypto-assets, Articles 70 and 75 MiCA provide inter alia for: the custodian’s obligation to safekeep the assets and rights according to a proper custody policy, especially in the event of the custodian’s insolvency; the obligation to keep detailed records for each client; the obligation to segregate clients’ assets from the custodian’s own assets; the prohibition of asset reuse for the custodian’s own account; and the liability of the latter for asset losses.

Analysing the effectiveness of asset resilience requires (a) some context regarding the private law on crypto-assets followed by (b) a short examination of the potential of financial regulation to ensure asset resilience. On that basis, we summarize our concerns on asset resilience after the adoption of MiCA.

Roots in the EU legislative process: private law basis in doubt

Due to the nature of DLT, the existence of the asset relies on the recognition by and the functioning of other nodes. In this multi-party context, the effectiveness of legal protection depends on the nature and extent of the rights that the client has over the crypto-assets held in custody, under the applicable private law.

Where MiCA requires crypto custodians to safeguard the ownership rights of their clients in the event of the custodian’s insolvency¹⁴⁹ and where it provides for a solid burial plan for their activities,¹⁵⁰ it could be argued that it substitutes for the lack of harmonized property and insolvency laws for crypto-assets by imposing an ‘obligation of result’, leaving Member States wide discretion on the means of achieving these results. However, the obligation to safeguard the ownership rights is undermined when it is not certain, from a private law perspective, that the clients actually have ownership rights over the custodied crypto-assets and whether their nature is contractual or proprietary;¹⁵¹ after all the holders’ enforcement position is uncertain and a risk/costs consideration will prevent them to take legal action. In turn, public enforcement bodies (including courts) have little to enforce. Given the widespread legal uncertainties regarding ownership and property rights in digital assets,¹⁵² it will be interesting to see how CASPs acting for clients in several jurisdictions meet the above-stated requirements on a case-by-case basis. In particular, the lack of a harmonized legal framework and overall ambiguity encourages the existing custodians to provide in their terms and conditions that the client has only an unsecured contractual claim regarding the entrusted crypto-assets, and/or provide for title transfer arrangements.¹⁵³

Financial regulation as a mitigant of underdeveloped private law

To some extent, the product regulation for ARTs and EMTs in Titles III and IV MiCA substitutes for this private law gap with respect to crypto. Issuers of ARTs and EMTs are subject to licensing, custodial and prudential requirements—including redemption and recovery plans—for ART¹⁵⁴ and EMT¹⁵⁵ issuers. On top of that, issuers are required to wind down their activities when business continuity is at risk.¹⁵⁶ This ensures asset resilience even where private law is largely absent. Necessarily, the setup and operational effectiveness of these burial plans require significant resources on the side of the issuer and the supervisory agency. This explains why Title II MiCA on other crypto-assets refrains from similar rules—and therefore why token-holders of other assets remain largely unprotected.

Asset protection in the case of failures and malfunctions of the custodian or third party

Finally, while MiCA defines the rights and obligations of the custodian and their clients in the event of the custodian’s own failures or malfunctions, these rules provide little asset protection vis-à-vis third parties, such as the custodian’s other clients, counterparties and malicious actors.

Asset safekeeping and segregation

As for the protection of assets in the case of malpractices or failures of the custodian’s other clients, MiCA only clarifies the obligation to segregate clients’ assets from the custodian’s own assets ‘operationally’ (ie on the DLT using separate blockchain addresses)¹⁵⁷ and ‘legally’¹⁵⁸ (ie probably by means of a segregated record-keeping system).¹⁵⁹ This counters the custodian’s practice of using, for time and cost reasons, common blockchain wallet addresses commingling the assets of multiple clients with their own proprietary assets. However, MiCA does not require segregation on a client-by-client basis on the DLT. This allows for the use of omnibus wallets (ie common blockchain addresses to which multiple clients’ crypto-assets are pooled). Here, the protection of crypto clients lacks the rigidity of TradFi,¹⁶⁰ where the use of omnibus wallets is permitted when the safekeeping is delegated and under strict segregation requirements. In turn, crypto clients remain exposed not only to the elevated risk of cyber-attacks,¹⁶¹ but also to risks stemming from the insolvency of the other clients of the custodian, whose assets are pooled inside the same omnibus wallet.¹⁶² Note that token-holders have no information about these other clients, and thus have no means of protecting themselves by pulling out early, or issuing orders of injunction. This information asymmetry adds to legal uncertainties regarding the nature of the token-holders’ rights in the crypto omnibus account.

As for the protection of assets in the case of malpractices or failures of any sub-custodian, MiCA does not provide for granular provisions addressing the segregation obligation that the sub-custodian shall assume and the protection of the custodied assets in case of insolvency of the sub-custodian (see ‘Restrictions on regulated activities’ section).

Reuse and title transfer arrangements

Furthermore, as for the protection of assets in the case of malpractices or failures of the custodian or third parties such as the custodian’s counterparties, Article 70(1) MiCA prohibits the reuse of clients’ assets for the custodian’s own account and Recital 83 MiCA requires that the clients’ assets shall be unencumbered.

However, the absolute prohibition and the narrow wording of these provisions leave room for circumventions. In light of common practices that combine various types of asset reuse¹⁶³ with the lack of specifications regarding an intermediary’s function as custodian, liquidity provider or counterparty,¹⁶⁴ we find that MiCA’s rules lack granularity on the legal requirements for asset reuse. Meanwhile, TradFi sets an appropriate level of desirable protection, with one of the main safeguards being that title transfer arrangements are permitted only when the custodian discloses ex ante all relevant information and risks to the client and obtains their express prior consent.¹⁶⁵

Oversight control and representation against third parties

Finally, the custodian is not mandated to represent their clients’ interests vis-à-vis any third parties (for instance, by performing oversight or monitoring of other CASPs’ conduct), nor do they have express legal standing to represent the clients and their interests in legal proceedings vis-à-vis third parties under MiCA. While the mandate to represent clients could be derived from the custodian’s fiduciary duty, without standing any legal action is laden with risks.

While one could argue that standing would follow from the custodian’s registration on behalf of their clients on the distributed ledger, this would be at odds with models of true segregation on the ledger¹⁶⁶ (cf ‘Asset safekeeping and segregation’ section); and even where standing is given, the uncertainty in crypto private law renders the taking of legal action on behalf of clients risky. Here, MiCA lacks the clarity and simplicity of TradFi regulation: depositaries of investment funds do represent their clients’ interests by exercising oversight,¹⁶⁷ and also have, under most laws, legal standing in proceedings as ancillary competence to custody, where claims against the fund manager are concerned.¹⁶⁸ Given that the financial regulation provisions on investment funds have long substituted for uncertainties surrounding the private law of collective investment schemes in a cross-border context,¹⁶⁹ TradFi depositary regulation provides a useful blueprint for crypto custody, which MiCA neglected to implement.

5. Conclusion

MiCA’s rules on custody are novel and provide a benchmark for non-EU jurisdictions seeking to regulate crypto.

In this regard, MiCA’s focus is on what we have called herein ‘institutional resilience’, ensuring that the custodian is soundly organized and governed and must not reuse clients’ assets on their own accounts. Under MiCA’s CASP rules, all crypto custodians are fiduciaries, and subject to governance, conflicts of interest, asset segregation and operational risk requirements. The provisions on the custodian’s liability also heighten the custodian’s propensity to safeguard clients’ assets.

At the same time, MiCA lacks strength on ‘asset resilience’ (ie providing safeguards for cases where the custodian, third parties, the token-issuer, or DeFi application, as the case may be, encounter difficulties). This deficiency is partly due to the nature of DLT, where the existence of the asset relies on the recognition by and the functioning of other nodes, and partly due to the fact that MiCA does not regulate private law, and the insolvency proceedings regarding crypto-assets in particular. To some extent, the product regulations for ARTs and EMTs compensate for this gap, but holders of other crypto-assets are left unprotected. In this regard, MiCA, in terms of protection, trails behind TradFi regulation where depositaries play a much stronger role in ensuring asset resilience, through express powers that allow for oversight of other service providers, and representation of clients’ interests in legal proceedings against third parties.

Footnotes

Author notes