ESMA peer review report issuing CASP oversight recommendations under MiCAR

The European Securities and Markets Authority (ESMA) has published a peer review report assessing the authorisation and supervision of a crypto-asset service providers (CASPs) under the Markets in Crypto-Assets Regulation (MiCAR). While the peer review was conducted in Malta and sets out specific recommendations addressed to the Malta Financial Services Authority (MFSA), ESMA also makes broader recommendations which apply to all national competent authorities (NCAs).

These relate to specific aspects of the CASP authorisation process, in particular:

• Business growth – NCAs should assess CASP business plans with a forward-looking perspective, considering anticipated growth and the rise of any associated risks.
• Conflicts of interest – NCAs should evaluate potential conflicts arising from the combination of CASP services and ensure that firms comply with relevant disclosure obligations.
• Governance and third-party risk – NCAs are advised to apply ESMA's principles on third-party risk supervision as a baseline, particularly for intragroup arrangements.
• ICT architecture – NCAs should review CASPs' ICT systems prior to authorisation, with particular focus on critical functions such as custody. They should also ensure that CASPs implement robust ICT security measures capable of detecting and preventing malicious transactions.
• Web3 and decentralised products – NCAs should assess exposure to risks related to decentralised finance and ensure appropriate controls are in place. In addition, they should also assess the promotion of any unregulated services to ensure it does not mislead customers into believing such services are regulated.

Return to main website.