RTS on notification of crypto-asset service provision

To avoid outages of operations as they can have major financial, regulatory and reputational consequences for the notifying entity and more generally, crypto-asset markets in general, it is critical to maintain operations or at least essential functions of crypto-asset service providers and to minimise downtime due to unexpected disruptions, including cyberattacks and natural disasters. A notification should therefore contain detailed information on the notifying entity’s arrangements to ensure continuity and regularity in the provision of crypto-asset services, including a detailed description of its risks and business continuity plans.

Effective mechanisms, systems and procedures that comply with Directive (EU) 2015/849 of the European Parliament and of the Council(²)Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI: http://data.europa.eu/eli/dir/2015/849/oj). are needed to ensure that notifying entities appropriately address risks and practices of money laundering and terrorist financing in the provision of crypto-asset services. Notifying entities should therefore provide in their notification detailed information on their mechanisms, systems and procedures put in place to prevent risks associated with their business activities in relation to, inter alia, anti-money laundering and counter-terrorist financing.

Due to the decentralised and digital nature of crypto-assets, cybersecurity risks for crypto-asset service providers are significant and take many forms. To ensure that the notifiying entity is able to prevent data breaches and financial losses that could be caused by cyberattacks, the information on the notifying entity’s deployed ICT systems and related security arrangements such as identity and geographical location of the providers, description of the outsourced activities or ICT services with their main characteristics, copy of contractual agreements, as referred to in Article 60(7), point (c), of Regulation (EU) 2023/1114, should include the human resources dedicated to addressing cybersecurity risks.

The segregation of clients’ crypto-assets and funds protects clients from losses of the crypto-asset service provider and from misuse of their crypto-assets and funds. Article 70 of Regulation (EU) 2023/1114 therefore requires crypto-asset service providers to make adequate arrangements to safeguard the ownership rights of clients. That requirement also applies to crypto-asset service providers that do not provide custody and administration services.

To enable competent authorities to assess the adequacy of the notifying entity’s operating rules for their trading platforms for crypto-assets, the notifying entity should detail specific elements in the description of those rules. In particular, the notifying entity should elaborate on aspects of the operating rules relating to the admission to trading, the trading and the settlement of crypto-assets. As regards the admission to trading of crypto-assets, notifying entities should provide detailed information on the way in which the admitted crypto-assets comply with the notifying entity’s rules, on the types of crypto-assets that the notifying entity will not admit to trading on its trading platform and the reasons for such exclusions, and on the fees for the admission to trading. As regards the trading of crypto-assets, the notifying entity should specify the elements of the operating rules governing the execution and cancelation of orders, orderly trading, transparency and record-keeping. Finally, the notifying entity should include in the description of the operating rules the elements governing the settlement of transactions in crypto-assets on the trading platform, including whether the settlement is initiated by using distributed ledger technology (DLT), the timeframe in which the execution is initiated, the definition of the moment when the settlement is final, all verifications required to ensure the effective settlement of the transaction and any measure to limit settlement failures.

To allow for competent authorities to assess the adequacy of the notifying entity in providing certain crypto-asset services such as exchange of crypto-assets for funds or other crypto-assets, execution, the provision of advice on crypto-assets or portfolio management of crypto-assets and transfer services, the notifying entity should specify the details of how these crypto-asset services will be provided as well as the arrangements put in place to ensure that the notifying entity complies with the relevant provisions of Regulation (EU) 2023/1114 with regards to the provision of those crypto-asset services.

Any processing of personal data under this Regulation shall comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council(³)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj)..

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority (ESMA) and developed in close cooperation with the European Banking Authority.

ESMA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁴)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj)..

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁵)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI http://data.europa.eu/eli/reg/2018/1725/oj). and delivered formal comments on 21 June 2024,