Crypto Cyber Resilience in 2024: Strategies for safeguarding crypto assets

With digital assets becoming a bigger player in the global economy, everyone’s buzzing about “crypto cyber resilience.” It’s no surprise – 2024 has seen some seriously high-tech hacks, phishing attacks, and other cyber threats targeting cryptocurrency. This article dives into the current state of crypto security. We’ll explore what companies and individuals can do to protect their digital treasures, and how to build strong defenses against these ever-evolving cyber attacks. We’ll also compare these challenges to the Wild West days of fintech, highlighting how the threats and solutions have transformed alongside the crypto landscape.

The Current State of Crypto Cyber Resilience

Cryptocurrency, while promising unprecedented financial opportunities, has also introduced a host of new vulnerabilities. According to Chainalysis, cryptocurrency-related crime hit an all-time high in 2022, with illicit addresses receiving $14 billion worth of cryptocurrencies. This figure underscores the critical need for robust security measures in the crypto space.

In 2024, the landscape of crypto cyber resilience is defined by an ongoing arms race between cybersecurity experts and cyber criminals. The rise of decentralised finance (DeFi) platforms has particularly exacerbated the issue. These platforms, while democratizing access to financial services, have also become prime targets for hackers. For instance, in 2022, the DeFi sector saw a staggering $53.5 billion in losses due to hacks and exploits, as reported by IntoTheBlock.

What Companies Should Do to Enhance Crypto Cyber Resilience

  1. Implement Multi-Factor Authentication (MFA): One of the fundamental steps companies can take is to enforce multi-factor authentication (MFA). MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access to their accounts. This significantly reduces the risk of unauthorised access, as attackers would need to compromise multiple forms of authentication.
  2. Adopt Cold Storage Solutions: Storing the majority of crypto assets in cold storage, which is offline storage, can drastically reduce the risk of theft. Unlike hot wallets, which are connected to the internet and hence more vulnerable to hacks, cold wallets are immune to online attacks.
  3. Regular Security Audits and Penetration Testing: Regular security audits and penetration testing are crucial in identifying and mitigating vulnerabilities. Companies should engage with cybersecurity firms to conduct thorough assessments of their systems and rectify any weaknesses. This proactive approach helps in staying ahead of potential threats.
  4. Educate Employees and Users: Human error remains one of the biggest threats to cybersecurity. Companies must invest in comprehensive training programs to educate employees and users about phishing, social engineering attacks, and safe practices for handling crypto assets. Knowledgeable users are less likely to fall victim to scams.
  5. Implement Robust Incident Response Plans: Having a well-defined incident response plan is essential for minimising the impact of a cyber attack. This plan should include steps for immediate containment, eradication of the threat, and recovery of affected systems. It should also outline communication strategies to inform stakeholders and mitigate reputational damage.
  6. Leverage Advanced Cryptographic Techniques: Employing advanced cryptographic techniques such as zero-knowledge proofs and homomorphic encryption can enhance data privacy and security. These techniques allow for the verification of transactions and computations without exposing sensitive data.


Preventing Hacks, Phishing, and Other Cyber Threats

The prevention of cyber threats in the crypto space requires a multi-faceted approach that addresses both technological and human factors. Here are some strategies:

  1. Strengthen Network Security: Ensuring that network infrastructure is secure is paramount. This includes using firewalls, intrusion detection systems, and regular monitoring to detect and block suspicious activities. Network segmentation can also help contain breaches and prevent them from spreading.
  2. Employ Blockchain Analytics: Blockchain analytics tools can help track and analyse transactions across the blockchain. These tools are valuable in identifying suspicious patterns and potentially fraudulent activities. Companies like Chainalysis and Elliptic offer services that provide insights into the flow of funds and help in tracing the origins of illicit transactions.
  3. Use Smart Contract Auditing: Smart contracts are the backbone of many DeFi platforms, and their security is critical. Regular auditing of smart contracts by specialized firms can identify vulnerabilities and ensure that they function as intended. This reduces the risk of exploits that could lead to significant financial losses.
  4. Promote User Awareness: User awareness campaigns can educate investors and users about common phishing tactics and how to avoid them. Encouraging the use of hardware wallets, which require physical confirmation for transactions, can also add an extra layer of security.
  5. Adopt Decentralised Security Measures: Decentralised security measures, such as decentralised autonomous organisations (DAOs) for security, can leverage the collective intelligence of the community to identify and mitigate threats. This collaborative approach can be more effective than traditional centralised security models.


Comparing Crypto Cyber Resilience to Fintech Security

The fintech era, which saw the rise of digital banking and online financial services, laid much of the groundwork for current cybersecurity practices. However, there are distinct differences between the security needs of traditional fintech and the current crypto landscape:

  1. Centralisation vs. Decentralisation: Traditional fintech services are typically centralised, with security measures focused on protecting centralised servers and databases. In contrast, cryptocurrencies operate on decentralised networks, such as blockchain, where security must be distributed across all nodes. This decentralisation presents unique challenges and requires innovative security solutions.
  2. Regulatory Frameworks: The regulatory frameworks governing traditional financial institutions are well-established and comprehensive. Cryptocurrencies, however, exist in a relatively nascent regulatory environment. While regulations like the EU Cyber Resilience Act are emerging, there is still a lack of uniformity and clarity in many jurisdictions, making it harder to establish standardised security protocols.
  3. Nature of Assets: Traditional financial assets are often backed by physical or legal guarantees (e.g., government bonds, insurance). Cryptocurrencies, being purely digital, lack these tangible assurances. This intangibility makes them more susceptible to cyber threats, emphasising the need for robust digital security measures.
  4. Evolving Threat Landscape: The threat landscape in the fintech era was largely confined to phishing attacks, malware, and hacking attempts aimed at centralised systems. In the crypto world, the rise of quantum computing poses a significant threat to cryptographic algorithms that underpin digital currencies. Additionally, the anonymity and irreversibility of cryptocurrency transactions make them attractive targets for cybercriminals.


Conclusion: Building a Resilient Future for Crypto

The future of cryptocurrency hinges on the industry’s ability to build robust cyber resilience. As the crypto market continues to grow, so too does the incentive for cybercriminals to exploit vulnerabilities. Companies must adopt a holistic approach to security, integrating advanced technologies, rigorous protocols, and comprehensive user education.

To survive, the industry needs to build a fortress around security, with cutting-edge tech, bulletproof protocols, and everyone on the same page about staying safe.

Here’s the good news: companies can seriously toughen their defenses by using double-verification logins (multi-factor authentication), keeping most crypto offline in secure storage (cold storage), and having regular security checkups (audits). Plus, educating users about crypto scams is like giving them a shield against online attacks.

But that’s not all. Crypto needs its own special security suit, not just hand-me-downs from the traditional finance world (fintech). Decentralised security measures and keeping up with new regulations are crucial for navigating this ever-changing landscape.

Here’s the key: everyone needs to work together. Companies, cybersecurity experts, and even regulators need to join forces to build a strong defense around the entire crypto ecosystem. By working as a team, we can make sure the exciting potential of crypto isn’t overshadowed by cyber threats.

 

Source: https://ciosea.economictimes.indiatimes.com/blog/crypto-cyber-resilience-in-2024-strategies-for-safeguarding-crypto-assets/111074132

Anndy Lian is an early blockchain adopter and experienced serial entrepreneur who is known for his work in the government sector. He is a best-selling author of “NFT: From Zero to Hero” and “Blockchain Revolution 2030”.

Currently, he is appointed as the Chief Digital Advisor at Mongolia Productivity Organization, championing national digitization. Prior to his current appointments, he was the Chairman of BigONE Exchange, a global top 30 ranked crypto spot exchange and was also the Advisory Board Member for Hyundai DAC, the blockchain arm of South Korea’s largest car manufacturer Hyundai Motor Group. Lian played a pivotal role as the Blockchain Advisor for Asian Productivity Organisation (APO), an intergovernmental organization committed to improving productivity in the Asia-Pacific region.

An avid supporter of incubating start-ups, Anndy has also been a private investor for the past eight years. With a growth investment mindset, Anndy strategically demonstrates this in the companies he chooses to be involved with. He believes that what he is doing through blockchain technology currently will revolutionise and redefine traditional businesses. He also believes that the blockchain industry has to be “redecentralised”.

How the EU is regulating crypto-assets with MiCAR and why you should care

The EU has recently adopted the Markets in Crypto-Assets Regulation (MiCAR). This groundbreaking legislation aims to provide a clear and consistent framework for regulating crypto-assets and related services in the EU. MiCAR will apply from the end of 2024, with some provisions applying from mid-2024.

MiCAR defines crypto-assets as “a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology.” This definition covers various types of crypto-assets, such as cryptocurrencies, tokens, stablecoins, and non-fungible tokens (NFTs). It excludes crypto-assets already regulated under existing EU financial services legislation, such as financial instruments, deposits, electronic money, or insurance products. I agree with this definition, as it is broad and neutral enough to capture the diversity and innovation of crypto-assets while also respecting the existing regulatory frameworks for other types of assets.

Furthermore, it classifies crypto-assets into three main categories: e-money tokens (EMTs), asset-referenced tokens (ARTs), and other tokens. EMTs are crypto-assets pegged to one official currency, such as Tether or USD Coin. ARTs are crypto-assets backed by a pool of assets, such as fiat currencies, commodities, or other crypto-assets. Other tokens are crypto-assets that have various purposes and characteristics, such as utility tokens, payment tokens, or governance tokens.

As mentioned above, MiCAR also introduces the concept of significant tokens for EMTs and ARTs, which are subject to additional requirements due to their potential impact on financial stability or monetary policy. The European Banking Authority (EBA) will identify and monitor significant tokens based on criteria such as the number of users, transaction values, interconnectedness with the financial system, or innovation or complexity of the token. I think this classification is reasonable and valuable, as it reflects the different functions and risks of crypto-assets while also allowing for some flexibility and adaptation. Personally, when I spoke to EU-based bankers who are considering ESG-related crypto funds, they mentioned that MiCAR should also consider the environmental and social impact of crypto-assets, especially those that consume a lot of energy or resources or those that may affect human rights or privacy. I did not comment on that, but I am well aware of their “crypto agenda”. Additionally, I also think that they should actively involve other stakeholders, such as consumers, investors, or developers, in identifying and monitoring significant tokens, as they may have valuable insights and feedback.

MiCAR imposes different authorization and supervision requirements for crypto-asset issuers and crypto-asset service providers (CASPs), depending on the type and significance of the crypto-asset. Crypto-asset issuers offer crypto-assets to the public or seek their admission to trading on a trading platform for crypto-assets. CASPs provide or perform services or activities related to crypto-assets, such as custody, exchange, execution, advice, or portfolio management. Crypto-asset issuers of EMTs and ARTs must obtain authorization from the competent authority of their home member state before offering or admitting such tokens to trading. They must also prepare and publish a white paper that discloses essential information about the crypto-asset project, such as the features, rights, and obligations of the crypto-asset, the risks and costs involved, the governance and technical arrangements, and the identity and contact details of the issuer. Note that issuers of other tokens do not need authorization but must comply with the white paper requirement and other general obligations.

CASPs must obtain authorization from the competent authority of their home member state before providing or performing any crypto-asset services or activities. They must also comply with prudential requirements, the conduct of business rules, safeguarding requirements, and anti-money laundering and counter-terrorism financing (AML/CTF) obligations. I support these requirements, as they aim to ensure the transparency, accountability, and responsibility of crypto-asset issuers and CASPs and protect the interests and rights of consumers, investors, and the public. On top of this, I think that MiCAR should also provide some incentives and benefits for crypto-asset issuers and CASPs that comply with these requirements, such as lower fees, faster processing, or broader access. I also think that MiCAR should promote cooperation and coordination among the competent authorities of different member states and other international regulators and organizations to avoid duplication, inconsistency, or conflict.

MiCAR also provides some transitionary provisions and exemptions for crypto-asset issuers and CASPs already operating in the EU before the application date of MiCAR. For example, those authorized or registered under national regimes in one or more member states may continue to operate in those member states until mid-2025 without obtaining authorization under MiCAR. However, they must comply with the relevant national rules and regulations and apply them by mid-2024 if they wish to operate in the EU after mid-2025.

They also established a pilot regime for distributed ledger technology (DLT) market infrastructures, which are a new type of market participant that uses DLT to provide trading and settlement services for crypto-assets that qualify as financial instruments. The pilot regime aims to test the use of DLT in trading and post-trading crypto-assets while ensuring high investor protection and market integrity. The pilot regime will apply for five years from the application date of MiCAR, with a possibility of extension. These provisions are good in my opinion, as they recognize the diversity and maturity of the existing crypto-asset market in the EU and can provide a smooth and gradual transition to the new regulatory framework. They should also ensure a fair and equal treatment of all crypto-asset issuers and CASPs, regardless of origin, size, or status, and avoid creating undue advantages or disadvantages for some over others. If they can encourage and support the participation and experimentation of different actors and stakeholders in the pilot regime, such as incumbents, newcomers, or innovators, and foster a collaborative and inclusive environment for the development and adoption of DLT, this will be a big plus for them.

MiCAR does not apply to crypto-assets issued or guaranteed by central banks, member states, third countries, or public international organizations. It also does not apply to crypto-asset services or activities provided or performed by central banks or other public authorities in performing their public tasks or functions. These exemptions aim to preserve the monetary sovereignty and policy of the EU and its member states and facilitate the development of central bank digital currencies (CBDCs) and other public initiatives in the crypto-asset space. I understand these exemptions, as they reflect the special and privileged status of central banks and public authorities and their role and responsibility in the monetary and financial system. However, I think MiCAR should also ensure a close and constructive dialogue and cooperation between the public and the private sectors and foster a balanced and complementary relationship between the traditional and innovative forms of money and finance. I also think that MiCAR should monitor and assess the impact and implications of CBDCs and other public initiatives on the crypto-asset market and address any potential issues or challenges that may arise.

I also want to highlight that there are also some implications for investment firms and the travel rule, which are relevant to the crypto-asset market. Investment firms are those who provide or perform investment services or activities on a professional basis, such as execution of orders, portfolio management, or investment advice. The travel rule is a requirement that obliges financial institutions to exchange certain information about the originator and the beneficiary of a funds transfer, such as their names, addresses, account numbers, and transaction amounts.

MiCAR allows investment firms that are authorized under the Markets in Financial Instruments Directive 2014/65/EU (MiFID II) to provide or perform crypto-asset services or activities in relation to crypto-assets that qualify as financial instruments without obtaining additional authorization under MiCAR. However, they must comply with the relevant MiFID II rules and regulations, as well as some specific requirements under MiCAR, such as the safeguarding and AML/CTF obligations. Investment firms that wish to provide or perform crypto-asset services or activities concerning crypto-assets that do not qualify as financial instruments must obtain authorization under MiCAR and comply with its rules and regulations.

The travel rule applies to crypto-asset transfers, which are any transactions resulting in the change of ownership of one or more crypto-assets from one person to another. MiCAR requires CASPs that are involved in crypto-asset transfers to exchange certain information with other CASPs, such as the name and account number of the originator and the beneficiary, the amount and type of crypto-asset transferred, and the date and time of the crypto-asset transfer. The CASPs must ensure that the information is accurate, complete, secure, and confidentially transmitted. They must also keep records of the information for at least five years. They must implement the travel rule by mid-2024, the same date as applying the Financial Action Task Force (FATF) standards on virtual assets and virtual asset service providers.

MiCAR aims to establish a level playing field and a single market for crypto-assets and related services within the EU. This is achieved by harmonizing and simplifying the current national regulatory frameworks, thereby eliminating regulatory fragmentation and uncertainty. It also acknowledges the need for a degree of regulatory flexibility and discretion at the national level, which opens the door to regulatory arbitrage and competition among EU member states in specific areas. Some of the leading EU jurisdictions for MiCAR compliance and regulatory arbitrage are France, Germany, and Malta. These jurisdictions have already adopted national regimes for crypto-assets and related services, which are solid, flexible, favorable, attractive, clear, and consistent. They also have supportive and innovative regulators, such as the AMF, BaFin, and MFSA, which have issued guidance and recommendations on crypto-assets and related services. They also have robust and diversified crypto-asset ecosystems, with several established and emerging players. These jurisdictions are likely to maintain and enhance their leading positions in the crypto-asset market under MiCAR, as they have a competitive edge and a first-mover advantage over other member states.

To sum up, MiCAR is a landmark legislation shaping the future of crypto-assets in the EU. It will introduce legal certainty, consumer protection, market integrity, and financial stability and foster innovation and competition by enabling cross-border activities and passporting rights for crypto-asset issuers and CASPs within the EU.

MiCAR is a visionary and ambitious piece of legislation that reflects the importance and potential of crypto-assets and related services and that responds to the needs and expectations of the crypto-asset community and society at large. It is also a complex and dynamic piece of legislation that requires constant monitoring and evaluation and may face some difficulties and uncertainties in its application and enforcement. I hope that MiCAR will be able to adapt and evolve with the changing and growing nature of crypto-assets and related services and that it will be able to achieve its objectives and benefits.

I look forward to seeing the development and implementation of this framework, and I hope it will contribute to the growth and maturity of the crypto-asset industry in the EU and beyond.

 

Source: https://www.financialexpress.com/business/digital-transformation-how-the-eu-is-regulating-crypto-assets-with-micar-and-why-you-should-care-3434243/

 


Technical Break Down of the Markets in Crypto Assets Regulation

The Markets in Crypto-Assets Regulation (MiCAR) is a landmark legislation that aims to create a harmonised and comprehensive framework for the regulation of crypto-assets and related services in the European Union (EU). MiCAR was adopted by the European Parliament and the Council of the EU in June 2023 and entered into force on 29 June 2023. It will apply from 30 December 2024, except for some provisions that will apply from 30 June 2024.

MiCAR is anticipated to bring about a substantial influence on the crypto-asset market, introducing legal certainty, consumer protection, market integrity, and financial stability. Moreover, it is poised to encourage innovation and competition by facilitating cross-border activities and providing passporting rights for crypto-asset service providers (CASPs) operating within the EU. Nevertheless, MiCAR presents certain challenges and responsibilities for crypto-asset issuers and CASPs, along with additional obligations for other financial institutions and investors engaged in transactions involving crypto-assets. In this article, I will provide a technical breakdown of the main aspects of MiCAR.

The definition and classification of crypto-assets under MiCAR

MiCAR characterizes crypto-assets as “a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology.” This definition is expansive and impartial to specific technologies, encompassing various crypto-assets like cryptocurrencies, tokens, stablecoins, and non-fungible tokens (NFTs).

However, it’s essential to note that it excludes crypto-assets qualifying as financial instruments, deposits, structured deposits, electronic money, securitisation positions, insurance products, or pension products under existing EU financial services legislation. These excluded crypto-assets remain subject to the pertinent sectoral rules and regulations.

MiCAR distinguishes between three main categories of crypto-assets that fall within its scope:

  • E-money tokens (EMTs): These are crypto-assets that purport to maintain a stable value by referencing the value of one official currency that is legal tender. EMTs are similar to electronic money under the Electronic Money Directive 2009/110/EC (EMD2), but they use distributed ledger technology or similar technology to issue, store and transfer value. Examples of EMTs are Tether (USDT) and USD Coin (USDC), which are pegged to the US dollar.
  • Asset-referenced tokens (ARTs): These are crypto-assets that are not EMTs and that purport to maintain a stable value by referencing another value or right or a combination thereof, including one or more official currencies, commodities, crypto-assets or a basket of such assets. ARTs are a type of stablecoins that are backed by a pool of assets, such as fiat currencies, gold or other crypto-assets.
  • Other tokens: These are crypto-assets that are neither EMTs nor ARTs and that have various purposes and characteristics. This category includes utility tokens, which provide access to a good or a service supplied by the issuer, such as decentralized applications (DApps) or platforms. It also includes payment tokens, which are used as a means of exchange, such as Bitcoin or Ether. Furthermore, it includes hybrid tokens, which combine features of different types of tokens, such as governance tokens, which grant voting rights or other benefits to the holders.

MiCAR introduces the concept of significant tokens for EMTs and ARTs. These tokens are subject to additional requirements owing to their potential impact on financial stability or monetary policy. The task of identifying and monitoring significant tokens falls under the purview of the European Banking Authority (EBA). The EBA employs criteria such as the number of users, transaction values, interconnectedness with the financial system, substitutability with existing payment instruments, and the innovation or complexity of the token to determine significance. The EBA will publish and update a list of significant tokens on its website.

The authorisation and supervision requirements for crypto-asset issuers and CASPs

MiCAR also imposes different authorisation and supervision requirements for crypto-asset issuers and CASPs, depending on the type and significance of the crypto-asset involved.

Crypto-asset issuers

Crypto-asset issuers are natural or legal persons who offer crypto-assets to the public or seek the admission of crypto-assets to trading on a trading platform for crypto-assets. MiCAR requires crypto-asset issuers to comply with the following obligations:

  • White paper: Crypto-asset issuers must prepare and publish a white paper that discloses essential information about the crypto-asset project, such as the features, rights and obligations of the crypto-asset, the project’s objectives and intended use of funds, the risks and costs involved, the governance and technical arrangements, and the identity and contact details of the issuer. The white paper must be notified to the competent authority of the issuer’s home member state at least 20 working days before its publication and must be made available on the issuer’s website and the website of any CASP involved in the offer or admission to trading of the crypto-asset. The white paper must also be updated whenever there is a material change that affects the information disclosed.
  • Authorisation: Crypto-asset issuers of EMTs and ARTs must obtain an authorisation from the competent authority of their home member state before offering such tokens to the public or seeking their admission to trading on a trading platform for crypto-assets. The authorisation process involves submitting an application that includes information such as the identity and contact details of the issuer, the white paper, the governance and technical arrangements, the risk management and internal control mechanisms, the complaints handling procedures, and the arrangements for the protection of the reserve assets backing the EMTs or ARTs. The competent authority must assess the application and grant or refuse the authorisation within three months of receiving a complete application. The authorisation is valid in all member states and allows the issuer to passport its activities across the EU. Crypto-asset issuers of other tokens do not need an authorisation, but they must comply with the white paper requirement and other general obligations under MiCAR.
  • Supervision: Crypto-asset issuers of EMTs and ARTs are subject to ongoing supervision by the competent authority of their home member state, which may impose administrative sanctions or remedial measures in case of non-compliance with MiCAR. The competent authority may also withdraw the authorisation of the issuer if certain conditions are met, such as the issuer no longer meets the authorisation requirements, the issuer has obtained the authorisation by false statements or any other irregular means, the issuer has not made use of the authorisation within 12 months of its granting, or the issuer has ceased to offer or admit to trading the EMTs or ARTs for more than six months. Crypto-asset issuers of other tokens are not subject to ongoing supervision, but they must cooperate with the competent authorities and provide any information requested by them.

Crypto-asset service providers

Crypto-asset service providers are natural or legal persons who provide or perform one or more of the following services or activities on a professional basis:

  • Custody and administration of crypto-assets on behalf of clients
  • Operation of a trading platform for crypto-assets
  • Exchange of crypto-assets for fiat currency or other crypto-assets
  • Execution of orders for crypto-assets on behalf of clients
  • Placing of crypto-assets
  • Reception and transmission of orders for crypto-assets on behalf of clients
  • Providing advice on crypto-assets
  • Providing portfolio management on crypto-assets
  • Providing transfer services for crypto-assets on behalf of clients

MiCAR requires CASPs to comply with the following obligations:

  • Authorisation: CASPs must obtain an authorisation from the competent authority of their home member state before providing any of the above services or activities. The authorisation process involves submitting an application that includes information such as the identity and contact details of the CASP, the programme of operations, the governance and technical arrangements, the risk management and internal control mechanisms, the complaints handling procedures, the arrangements for the safeguarding of clients’ funds and crypto-assets, and the policies and procedures for the prevention of money laundering and terrorist financing. The competent authority must assess the application and grant or refuse the authorisation within three months of receiving a complete application. The authorisation is valid in all member states and allows the CASP to passport its activities across the EU.
  • Supervision: CASPs are subject to ongoing supervision by the competent authority of their home member state, which may impose administrative sanctions or remedial measures in case of non-compliance with MiCAR. The competent authority may also withdraw the authorisation of the CASP if certain conditions are met, such as where the CASP no longer meets the authorisation requirements, has obtained the authorisation by false statements or any other irregular means, has not made use of the authorisation within 12 months of its granting, or has ceased to provide or perform the crypto-asset services or activities for more than six months.
  • Prudential requirements: CASPs must comply with prudential requirements, such as holding a minimum amount of own funds, maintaining adequate capital adequacy ratios, applying sound accounting and auditing standards, and ensuring the continuity and regularity of their operations. The prudential requirements vary depending on the class of the CASP, which is determined by the type and scope of the crypto-asset services or activities provided.
  • Conduct of business rules: CASPs must comply with conduct of business rules, such as providing clear and accurate information to clients, acting honestly and fairly, avoiding conflicts of interest, ensuring the suitability and appropriateness of their services or activities, executing orders promptly and efficiently, and disclosing any fees or charges. The conduct of business rules vary depending on the type of client, which may be retail, professional or eligible counterparty.
  • Safeguarding requirements: CASPs must comply with safeguarding requirements, such as segregating clients’ funds and crypto-assets from their own assets, keeping accurate records and accounts, ensuring the availability and accessibility of clients’ funds and crypto-assets, and protecting clients’ funds and crypto-assets from insolvency, fraud, theft or cyberattacks. The safeguarding requirements vary depending on the type of crypto-asset service or activity provided or performed and the type of crypto-asset involved.
  • Anti-money laundering and counter-terrorism financing (AML/CTF) obligations: CASPs must comply with AML/CTF obligations, such as applying customer due diligence measures, monitoring transactions, reporting suspicious activities, keeping records, and cooperating with the competent authorities. The AML/CTF obligations are aligned with the Fifth Anti-Money Laundering Directive 2018/843/EU (AMLD5) and the Sixth Anti-Money Laundering Directive 2018/1673/EU (AMLD6), which apply to other obliged entities in the financial sector.

The transitionary provisions and exemptions under MiCAR

MiCAR provides for some transitionary provisions and exemptions for crypto-asset issuers and CASPs that are already operating in the EU before the application date of MiCAR:

  • Grandfathering clause: Crypto-asset issuers and CASPs that are authorised or registered under national regimes in one or more member states before the application date of MiCAR may continue to provide or perform their services or activities in those member states until 30 June 2025, without obtaining an authorisation under MiCAR. However, they must comply with the relevant national rules and regulations and notify the competent authorities of their intention to continue their operations. They must also apply for an authorisation under MiCAR by 30 June 2024, if they wish to provide or perform their services or activities in the EU after 30 June 2025.
  • Pilot regime for distributed ledger technology (DLT) market infrastructures: MiCAR establishes a pilot regime for DLT market infrastructures, which are a new type of market participants that use DLT to provide both trading and settlement services for crypto-assets that qualify as financial instruments. The pilot regime aims to test the use of DLT in the trading and post-trading of crypto-assets, while ensuring a high level of investor protection and market integrity. The pilot regime will apply for five years from the application date of MiCAR, with a possibility of extension. DLT market infrastructures must obtain an authorisation from the competent authority of their home member state and comply with specific requirements under MiCAR. They are also subject to the supervision and cooperation of the European Securities and Markets Authority (ESMA) and the EBA. The pilot regime will allow DLT market infrastructures to operate in a sandbox environment, where they can benefit from certain exemptions and derogations from existing EU financial services legislation, such as the Markets in Financial Instruments Directive 2014/65/EU (MiFID II), the Central Securities Depositories Regulation 909/2014/EU (CSDR) and the Settlement Finality Directive 98/26/EC (SFD).
  • Exemptions for central banks and public authorities: MiCAR does not apply to crypto-assets that are issued or guaranteed by central banks, member states, third countries or public international organisations. It also does not apply to crypto-asset services or activities that are provided or performed by central banks or other public authorities in the performance of their public tasks or functions. These exemptions aim to preserve the monetary sovereignty and policy of the EU and its member states, as well as to facilitate the development of central bank digital currencies (CBDCs) and other public initiatives in the crypto-asset space.

The implications of MiCAR for investment firms and the travel rule

MiCAR also has some implications for investment firms and the travel rule, which are relevant for the crypto-asset market.

  • Investment firms: Investment firms are natural or legal persons who provide or perform investment services or activities on a professional basis, such as reception and transmission of orders, execution of orders, portfolio management, investment advice, underwriting or placing of financial instruments. Investment firms are subject to the MiFID II framework, which regulates their authorisation, conduct of business, organisational and prudential requirements, and supervision. MiCAR allows investment firms that are authorised under MiFID II to provide or perform crypto-asset services or activities in relation to crypto-assets that qualify as financial instruments, without obtaining an additional authorisation under MiCAR. However, they must comply with the relevant MiFID II rules and regulations, as well as some specific requirements under MiCAR, such as the safeguarding and AML/CTF obligations. Investment firms that wish to provide or perform crypto-asset services or activities in relation to crypto-assets that do not qualify as financial instruments must obtain an authorisation under MiCAR and comply with its rules and regulations.
  • Travel rule: The travel rule is a requirement that obliges financial institutions to exchange certain information about the originator and the beneficiary of a funds transfer, such as their names, addresses, account numbers and transaction amounts. The travel rule aims to prevent money laundering and terrorist financing, as well as to facilitate the traceability and transparency of funds transfers. The travel rule applies to crypto-asset transfers under MiCAR, which are defined as any transaction that results in the change of ownership of one or more crypto-assets from one person to another person. MiCAR requires CASPs that are involved in crypto-asset transfers to exchange the following information with other CASPs:
    • The name and account number of the originator
    • The name and account number of the beneficiary
    • The originator’s address, official personal document number, customer identification number or date and place of birth
    • The beneficiary’s address, official personal document number, customer identification number or date and place of birth
    • The amount and type of crypto-asset transferred
    • The date and time of the crypto-asset transfer
    • Any other information required by the competent authorities

The CASPs must ensure that the information is accurate and complete, and that it is transmitted securely and confidentially. They must also keep records of the information for at least five years. They must implement the travel rule by 30 June 2024, which is the same date as the application of the Financial Action Task Force (FATF) standards on virtual assets and virtual asset service providers.

The leading EU jurisdictions for MiCAR compliance and regulatory arbitrage

MiCAR’s objective is to establish an equitable environment and a unified market for crypto-assets and associated services within the EU. This is to be achieved by standardizing and simplifying the current national regulatory frameworks, thereby eradicating regulatory fragmentation and uncertainty. Nonetheless, MiCAR acknowledges the need for a degree of regulatory flexibility and discretion at the national level, which opens the door to regulatory arbitrage and competition among EU member states in specific areas.

Some of the areas where MiCAR grants national discretion and flexibility are:

  • The definition and treatment of crypto-assets that qualify as financial instruments, deposits, structured deposits, electronic money, securitisation positions, insurance products or pension products under existing EU financial services legislation. MiCAR does not provide a clear and uniform definition of these crypto-assets, nor does it harmonise their classification and regulation across the EU. Therefore, the member states may adopt different approaches and interpretations, which may affect the scope and applicability of MiCAR.
  • The authorisation and supervision of crypto-asset issuers and CASPs. MiCAR establishes a home member state principle, which means that the crypto-asset issuers and CASPs are authorised and supervised by the competent authority of the member state where they have their registered office or head office. The authorisation is valid in all member states and allows the crypto-asset issuers and CASPs to passport their activities across the EU. However, the member states may have different procedures and criteria for granting or refusing the authorisation, as well as different supervisory practices and enforcement actions, which may create regulatory divergence and inconsistency.
  • The fees and charges for the authorisation and supervision of crypto-asset issuers and CASPs. MiCAR allows the competent authorities of the member states to charge fees or charges for the authorisation and supervision of crypto-asset issuers and CASPs, in order to cover their costs and expenses. However, MiCAR does not specify the amount or the calculation method of the fees or charges, nor does it impose any limits or caps. Therefore, the member states may set different levels and structures of fees or charges, which may affect the competitiveness and attractiveness of their crypto-asset markets.

Given these areas of national discretion and flexibility, some of the leading EU jurisdictions for MiCAR compliance and regulatory arbitrage are:

  • France: France is one of the first and most proactive EU member states to adopt a national regime for crypto-assets and related services, under the PACTE law of 2019. The PACTE law provides an optional registration and an optional licence for CASPs, as well as a mandatory approval for initial coin offerings (ICOs). The PACTE law also recognises crypto-assets as intangible property and grants them legal and tax certainty. France has a supportive and innovative regulator, the Autorité des Marchés Financiers (AMF), which has issued several guidance and recommendations on crypto-assets and related services. France is also a founding member and a key player of the European Blockchain Partnership (EBP), which aims to develop a European Blockchain Services Infrastructure (EBSI) that supports the delivery of cross-border digital public services. France is likely to maintain and enhance its leading position in the crypto-asset market under MiCAR, as it has a solid and flexible national regime, a favourable and stable legal and tax environment, and a strong and cooperative regulator.
  • Germany: Germany is another pioneer and leader in the crypto-asset market, as it has a comprehensive and advanced national regime for crypto-assets and related services, under the Banking Act of 1961 and the Securities Trading Act of 1998. The Banking Act defines crypto-assets as financial instruments and subjects them to the MiFID II framework, while the Securities Trading Act regulates the issuance and trading of crypto-assets that qualify as securities. The Banking Act also requires CASPs to obtain a licence from the Federal Financial Supervisory Authority (BaFin), which is a competent and experienced regulator that has issued several guidance and circulars on crypto-assets and related services. Germany has a robust and diversified crypto-asset ecosystem, with several established and emerging players, such as Bitwala, Bison, Bitbond, Nuri and Neufund. Germany is expected to retain and strengthen its leading role in the crypto-asset market under MiCAR, as it has a clear and consistent national regime, a reliable and efficient legal and tax framework, and a reputable and supportive regulator.
  • Malta: Malta is a small but ambitious EU member state that has positioned itself as a global hub for crypto-assets and related services, under the Virtual Financial Assets Act of 2018. The Virtual Financial Assets Act provides a comprehensive and bespoke regime for crypto-assets and related services, which covers the issuance, offering and admission to trading of crypto-assets, as well as the licensing and supervision of CASPs. The Virtual Financial Assets Act also introduces the concept of a virtual financial asset (VFA) agent, which is a person who acts as an intermediary between the crypto-asset issuers or CASPs and the regulator, the Malta Financial Services Authority (MFSA). The MFSA is a proactive and forward-looking regulator that has issued several rules and guidance on crypto-assets and related services, as well as a VFA framework that sets out the principles and best practices for the crypto-asset industry. Malta has attracted and hosted several prominent and innovative players in the crypto-asset market, such as Binance, OKEx, BitBay and ZBX. Malta is likely to continue and expand its leading role in the crypto-asset market under MiCAR, as it has a comprehensive and bespoke national regime, a favourable and attractive legal and tax framework, and a proactive and forward-looking regulator.

Conclusion

MiCAR is a landmark piece of legislation that aims to create a harmonised and comprehensive framework for the regulation of crypto-assets and related services in the EU.

It will introduce legal certainty, consumer protection, market integrity and financial stability, as well as foster innovation and competition, by enabling cross-border activities and passporting rights for crypto-asset issuers and CASPs within the EU. However, MiCAR also poses some challenges and obligations for crypto-asset issuers and CASPs, as well as for other financial institutions and investors that interact with crypto-assets.

I look forward to seeing the development of this framework.

Source: https://www.securities.io/technical-break-down-of-the-markets-in-crypto-assets-regulation/

Anndy Lian is an early blockchain adopter and experienced serial entrepreneur who is known for his work in the government sector. He is the best-selling author of “NFT: From Zero to Hero” and “Blockchain Revolution 2030”.

Currently, he is appointed as the Chief Digital Advisor at Mongolia Productivity Organization, championing national digitization. Prior to his current appointments, he was the Chairman of BigONE Exchange, a global top 30 ranked crypto spot exchange and was also the Advisory Board Member for Hyundai DAC, the blockchain arm of South Korea’s largest car manufacturer Hyundai Motor Group. Lian played a pivotal role as the Blockchain Advisor for Asian Productivity Organisation (APO), an intergovernmental organization committed to improving productivity in the Asia-Pacific region.

An avid supporter of incubating start-ups, Anndy has also been a private investor for the past eight years. With a growth investment mindset, Anndy strategically demonstrates this in the companies he chooses to be involved with. He believes that what he is doing through blockchain technology currently will revolutionise and redefine traditional businesses. He also believes that the blockchain industry has to be “redecentralised”.
