RTS on record keeping

To ensure that competent authorities can properly supervise services provided by crypto-asset service providers, it is necessary that crypto-asset service providers keep a record of the policy arrangements and procedures put in place to comply with Regulation (EU) 2023/1114.

Market abuse, including market manipulation, may be carried out through various means, including through algorithmic trading. Therefore, in order to ensure effective market surveillance, where investment decisions are made by a person other than the client or by a computer algorithm, that person or algorithm should be identified in the order and transaction records using unique, robust and consistent identifiers. For the same reasons, it is important to lay down that where more than one person in a crypto-asset service provider makes the investment decision, the person with primary responsibility for the decision is to be identified in the record.

To ensure unique, consistent and robust identification of natural persons in order and transaction records, those natural persons should be identified by a concatenation of the country of their nationality followed by identifiers assigned by the country of nationality of those persons. Where those identifiers are not available, natural persons should be identified by identifiers created from a concatenation of their date of birth and name.

It is necessary that certain personal data are recorded by crypto-asset service providers to identify their clients or other natural persons relevant for orders or transactions in crypto-assets, as these data are fundamental to ensure efficient supervision by competent authorities, including in the area of market abuse. For all instances of identifying natural persons, this is to be done by following the level of prioritization of the different identifiers detailed in Annex II of Commission Delegated Regulation (EU) 2017/590(⁴)Commission Delegated Regulation (EU) 2017/590 of 28 July 2016 supplementing Regulation (EU) No 600/2014 of the European Parliament and of the Council with regard to regulatory technical standards for the reporting of transactions to competent authorities (OJ L 87, 31.3.2017, p. 449, ELI: http://data.europa.eu/eli/reg_del/2017/590/oj)..

It is possible that natural persons who need to be identified for recordkeeping purposes are residents of a country other than the one of their nationality. The country of residence of natural persons can affect several obligations under Regulation (EU) 2023/1114, and is therefore an important data element for ensuring effective supervision by competent authorities. Whenever their country of residence is different from that person’s nationality, this should be indicated by providing the country code of the country of residence of that natural person.

To facilitate market surveillance and to allow for the comparability of the records to be kept by crypto-asset service providers, clients of crypto-asset service providers that are legal entities should be identified with a code that is compatible with the internationally established criteria for the development of robust identification systems for the monitoring of financial markets. Such code should be unique, neutral, reliable, open source, scalable, accessible, available for free or at a reasonable cost, and subject to an appropriate governance framework. These criteria were also used by the competent authorities for assessing the most appropriate identifiers in previous technical standards on supervisory data(⁵)Commission Implementing Regulation (EU) 2019/363 of 13 December 2018 laying down implementing technical standards with regard to the format and frequency of reports on the details of securities financing transactions (SFTs) to trade repositories in accordance with Regulation (EU) 2015/2365 of the European Parliament and of the Council and amending Commission Implementing Regulation (EU) No 1247/2012 with regard to the use of reporting codes in the reporting of derivative contracts (OJ L 81, 22.3.2019, p. 85, ELI: http://data.europa.eu/eli/reg_impl/2019/363/oj).(⁶)Commission Implementing Regulation (EU) No 1247/2012 of 19 December 2012 laying down implementing technical standards with regard to the format and frequency of trade reports to trade repositories according to Regulation (EU) No 648/2012 of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories (OJ L 352, 21.12.2012, p. 20, ELI: http://data.europa.eu/eli/reg_impl/2012/1247/oj)., to ensure consistency and comparability of data on financial transactions, and therefore should also be applicable in the context of this Regulation.

LEI is a widely recognised, financially and operationally accessible international identifier used in financial markets. LEI is an international identifier that ensures access to the underlying data at all times, allowing for comparability and aggregation of information at Union level, improving the quality and timeliness of aggregated data and reducing the reporting burden for crypto-asset service providers. Therefore, crypto-asset services providers should, where available, record the LEI of clients that are legal persons on whose behalf they carry out orders and execute transactions. However, there are other legal entity identifiers that may be appropriate for use in the context of this Regulation. Directive (EU) 2017/1132 of the European Parliament and of the Council(⁷)Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (OJ L 169, 30.6.2017, p. 46, ELI: http://data.europa.eu/eli/dir/2017/1132/oj). requires companies subject to that Directive to have a European Unique identifier (‘EUID’), which unequivocally identifies companies and as such is an appropriate tool for the identification of entities in the EU. Within a period of 18 months after the entry into force of this Regulation, the Commission and ESMA will work closely to facilitate the use of EUID as a tool to identify clients that are legal entities for the purpose of this Regulation. Following the completion of this work, the Commission should assess the readiness to use EUID for the purposes of Article 14. Additionally, to ensure openness to other identifiers which may be fit for supervisory purposes and support the integrity of the market, this Regulation sets out criteria that should be met by those alternative identifiers. To enable the market to use such eligible alternative identifiers, ESMA should approve their use where they meet the criteria set out in this Regulation.

A unique method for the identification and classification of parties compliant with the above-mentioned criteria and instruments that follow these principles directly supports efforts to achieve data-driven market monitoring by competent authorities.

Manual or algorithmic abusive behaviours can also occur when a crypto-asset service provider determines the trading platform for crypto-asset to access or the crypto-asset service provider to which the orders are to be transmitted or any other conditions related to the execution of the order. Therefore, to ensure effective market surveillance, a person or computer algorithm within the crypto-asset service provider performing such activities should be identified in the order and transaction records. For the same reasons, where both a person and computer algorithm are involved, or more than one person or algorithm is involved, the crypto-asset service provider should determine, on a consistent basis following predetermined criteria, which person or algorithm is primarily responsible for those activities.

To ensure that competent authorities have access to information that is relevant, accurate and complete, the details relating to the order to be transmitted between crypto asset service providers should be specified.

Given the cross-border nature of crypto assets trading, in order to avoid data gaps where a crypto-asset service provider transmits orders or executes transactions via an entity to which Regulation (EU) 2023/1114 does not apply, the crypto-asset service provider should record the transmission of those orders or the execution of those transactions as if it had transmitted those orders or executed those transactions itself. Such information may be of particular importance for the performance of adequate market monitoring and market abuse supervision by the competent authority.

To properly monitor the integrity and stability of the markets in crypto-assets, competent authorities need reliable, consistent and standardised information on the crypto-assets that are traded. Such information should enable them to identify the individual crypto-asset being traded according to internationally established principles. In addition, competent authorities should be able to retrieve the main characteristics of the crypto-assets traded, including their technology-specific features. Crypto-asset service providers should therefore use an internationally agreed digital token identifier to identify crypto-assets in the order and transactions records that they provide to competent authorities. The Digital Token Identifier (DTI) managed by the Digital Token Identifier Foundation is an internationally agreed identifier that guarantees reliable, consistent, standardised and available information and allows for comparability and aggregation of information at the level of the European Union, improving the quality and timeliness of aggregated data and reducing the reporting burden for crypto-asset service providers. Therefore, crypto-asset service providers should be able to use the DTI to identify crypto-assets. However, to ensure openness to other token identifiers which may be fit for supervisory purposes and support the integrity of the market, it is necessary to lay down criteria that should be met by those alternative identifiers. To enable the market to use eligible alternative identifiers, ESMA should approve their use where they meet the criteria set out in this Regulation.

To be able to properly monitor the integrity and stability of the markets in crypto-assets, competent authorities need reliable, consistent and standardised information on the crypto-assets that are traded. Such information should enable them to classify the individual crypto-asset being traded according to internationally established principles. Such classification should also enable authorities to connect data on white papers with data on transactions and orders in the same crypto asset. The ISO code for the Classification of Financial Instruments (CFI) is an international standard used for classifying financial instruments. However, crypto-assets that are not financial instruments cannot currently be described using the CFI code. The ISO CFI is being revised to accommodate the classification of crypto-assets, but this revision will not be finalized before the application of this Regulation. Therefore, until such revision is completed, an interim classification indicating the type of crypto-assets (crypto-assets other than asset-referenced tokens and e-money tokens, asset-referenced tokens, and e-money tokens) should be used.

To ensure efficient and effective market monitoring by competent authorities, transaction records should reflect whether the transaction was executed wholly or partly through a branch of the crypto-asset service provider located in another Member State or in a third country. The inclusion of data detailing the activity of each branch in the records kept by the crypto-asset service providers, should not lead to a disproportionate administrative burden for the crypto-asset service provider, but would enable competent authorities to supervise the services provided by crypto-asset service providers more efficiently and to enhance the visibility on how those services are provided within the different Member States.

In line with the principle of data minimisation, crypto-asset service providers should only keep information that is necessary and sufficient to enable competent authorities to carry out a comprehensive assessment of the crypto-asset service provider’s compliance with the relevant requirements of Regulation (EU) 2023/1114 and with that Regulation’s provisions on market abuse. When processing personal data included in the records, crypto-asset service providers and competent authorities should comply with the relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council(⁸)Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj)..

In order to ensure certain and efficient identification of crypto-asset service providers responsible for executing orders or transactions, those providers should ensure that they are identified in the records maintained pursuant to their record-keeping obligations using validated, issued, and duly renewed legal entity identifiers (LEIs). Pursuant to Article 62 in Regulation (EU) 2023/1114, crypto-asset service providers are required to obtain a legal entity identifier in order to be authorised. Furthermore, to enable the competent authorities to fulfil their supervisory tasks and take enforcement measures in accordance with Article 68(10) of Regulation (EU) 2023/1114, such identifier should be verified, up-to-date and included in the records to be maintained in accordance with this Regulation.

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁹)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj). and delivered an opinion on 28 August 2024.

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the European Securities and Markets Authority (‘ESMA’).

ESMA has conducted open public consultations on the draft regulatory technical standards upon which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Securities and Markets Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(¹⁰)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).,