ESMA supervisory briefing for CASPs under MiCA: The crypto standard
On January 31, 2025, ESMA issued new guidance for crypto-asset service providers (CASPs) under the EU’s MiCA regulation. CASPs must meet strict standards in governance, compliance, and anti-money laundering efforts. A genuine local presence and strong oversight are key for authorisation. Cross-border operations face heightened scrutiny.
How will these changes affect the crypto industry?
The European Securities and Markets Authority (ESMA) issued new supervisory guidance on January 31, 2025, regarding the authorisation of crypto-asset service providers (CASPs) under Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, as amended (MiCA). These guidelines aim to establish a harmonised regulatory framework across the EU, setting stringent requirements for CASPs seeking regulatory authorisation. The guidance underscores the importance for firms operating in the crypto-asset space across the EU to meet heightened expectations in governance, compliance, and risk management.
ESMA considers all CASPs to be high-risk entities due to their cross-border operations and exposure to financial crime risks, particularly money laundering and terrorist financing. As a result, national supervisory authorities will subject applications to rigorous assessments, ensuring that firms demonstrate robust operational substance, effective internal controls, and compliance. A key requirement is maintaining a sufficient physical presence within the country of authorisation. CASPs must establish genuine decision-making authority at the local level, with executives and key personnel actively engaged in oversight and governance. “Letter-box” entities will not satisfy MiCA’s authorisation standards.
While outsourcing remains a common practice, special scrutiny will apply to outsourcing arrangements involving non-EU entities. Additionally, all CASPs will be subject to rigorous fit and proper assessments of their senior executives and board members. Prior regulatory violations, governance failings, or ongoing criminal proceedings—even in non-EU jurisdictions—may significantly impact an entity’s ability to secure CASP authorisation.
Given the inherent risks within the crypto-asset industry, MiCA places a strong emphasis on anti-money laundering (AML) and counter-terrorist financing (CFT) measures. Firms must implement comprehensive AML/CFT frameworks that align with EU regulatory expectations, ensuring they can effectively monitor, detect, and mitigate financial crime risks. The ability to demonstrate compliance with these standards will be critical for firms seeking to establish or maintain operations in the pan-European crypto-asset market.
