Overview of crypto asset class regulations in the EU and the US
This OnPoint summarizes the panel discussion at Dechert’s annual investment funds conference that took place in Luxembourg in the last quarter of 2022. At the conference, we discussed the Regulation on the Markets of Crypto Assets (MiCA)1, and specifically, its scope, as well as how it will interconnect with current regulations, notably Prospectus Regulation2, MiFID3 and AIFMD4 , as well as the national regulations on crypto assets that were so far implemented in Germany, France, and Luxembourg. Conference participants also compared the initiatives in the European Union (EU) to the evolution of legislation and rulemaking in the United States.
Panelists were Patrick Goebel (partner, Luxembourg), Cyril Fiat (partner, Paris), Angelo Lercara (partner, Munich), Robert Rhatigan (counsel, Washington, D.C.) and Christine Renner (senior associate, Luxembourg).
On 5 October 2022, the European Council (the Council) and the European Parliament (Parliament) confirmed their agreement on MiCA5 which is widely considered as the first overall regulatory package for crypto assets in the world. It seeks to regulate issuers of unbacked crypto assets and fiat-backed or fiat-referencing stablecoins, as well as the trading venues and the wallets where crypto assets are held. It will also regulate crypto asset service providers and grant them the EU passport, enabling them to provide their services across the EU. In addition, the European Commission (the Commission) issued regulations on digital operational resilience (DORA)6 and a regulation on a pilot regime for market infrastructures based on distributed ledger technology7. DORA together with the DORA Amending Directive8 which, among others, impacts MiFID and AIFMD, entered into force on 16 January 2023 and have applied from 17 January 2025. DORA will set uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide information and communications (ICT) related services to them, such as cloud platforms or data analytics services. DORA aims to ensure that the financial sector in the EU can stay resilient through a severe operational disruption. These legislative initiatives are all part of the Commission’s Digital Finance Strategy that was launched in September 2020.
Some EU member states have already started to regulate certain parts of the crypto assets market on a national basis. It is not surprising that one of the main objectives pursued by the Commission with MiCA is to avoid national regulations that will create a fragmented regulatory framework across the EU. The purpose of MiCA and DORA is to create a harmonized market for crypto assets for 450 million consumers and investors and to boost the development and evolution of crypto assets in the EU, granting the EU the leading role in the regulation of crypto assets.
Another key objective driving the legislation is the protection of investors and consumers. The Council stated that “MiCA will protect consumers against some of the dangers of investing in crypto assets and help them avoid fraudulent schemes. Crypto asset service providers will now become liable in case they lose investors’ crypto assets”.
The initiative is ambitious but there are concerns that legislation, which is drafted to address challenges now, will become quickly outdated given the pace of evolution of this market. Rather than boosting the EU market for crypto assets, the EU regulations could actually become an obstacle for its development.
What will be regulated under MiCA?
MiCA defines crypto assets as the digital representation of a value or right, which may be transferred and stored electronically by using for instance digital ledger technology (DLT).
MiCA separates between three types of crypto assets:
- Utility tokens, which are crypto assets that are intended to provide digital access to a good or a service, available on DLT, and which are only accepted by the issuer of these tokens (e.g., a share of a company);
- Asset-referenced tokens, which are crypto assets aiming at maintaining a stable value by referencing one or more currencies that are legal tender, commodities, other crypto assets, or a combination of those assets; and
- E-money tokens, which are crypto assets used as a payment for a good or a service.
To avoid any overlap with other EU regulations, MiCA excludes from its scope financial instruments as defined by reference to MiFID, deposits and structured deposits, and e-money. MiCA aims to supplement the existing EU regulatory framework by filling the gap in crypto assets which currently remains unregulated – MiCA aims to start where current EU regulations (such as Prospectus Regulation, MiFID or AIFMD) stop.
Crypto assets under MiCA and crypto assets that qualify as financial instruments
Crypto assets that qualify as financial instruments under MiFID do not fall within the scope of MiCA.
Careful legal analysis is recommended to determine whether a relevant crypto asset actually falls in scope of MiCA. This could create some uncertainty in case of complex instruments. Alternative investment fund managers (AIFMs) and depositaries in particular may require confirmation from legal advisers as to the categorization of a relevant crypto asset when assessing their regulatory and contractual obligations.
To ensure a harmonized approach across the EU, MiCA provides for European Securities and Markets Authority (ESMA) to issue guidance on what will be a financial instrument under MiCA. The qualification of what is a financial instrument may currently differ between the EU member states. In France, for instance, the Autorité de contrôle prudentiel (ACPR)9 is currently providing guidance on the legal nature of crypto assets – however it is possible that the ACPR will need to revisit its approach once ESMA has issued its guidance.
Comparison with the U.S. regulatory approach
Regulation of the of the crypto markets in the United States is fragmented and turns largely on whether a crypto asset fits within the definition of a “security” under the U.S. securities laws. In the beginning, crypto currencies such as bitcoin or ether dominated crypto markets and were generally considered to be undefined assets that were not subject to any existing regulatory schemes. However, unlike the regulatory regime in the EU, the U.S regulatory scheme captures unintended securities in its purview and an asset can be deemed a security even if it was not intended as such by the issuer.
Accordingly, as the crypto markets gained more notoriety and attention, U.S. regulators, such as the U.S. Securities and Exchange Commission (SEC) and the U.S. Commodity Futures Trading Commission (CFTC), began to assert their jurisdiction over certain assets. Most notably, the SEC began classifying certain crypto assets as “investment contracts,” which is a catch-all term under the definition of “security.” Under U.S. law, an asset can be deemed an investment contract, and therefore a security subject to SEC oversight, if the asset meets the ‘Howey test’.10 Initially crypto asset technology gained attention and enthusiasm, but many market participants did not realize that numerous variations of ‘crypto assets’ issued and traded in the market were in fact securities. Consequently, many issuers of these crypto assets failed to comply with the requirements of the 1933 Securities Act. This resulted in the SEC asserting its jurisdiction through various enforcement actions against crypto market participants and issuers.
There remains a gap in the spot market for crypto assets that are not securities. Although the SEC has asserted its jurisdiction in a number of instances, there is still no clear guidance or a consistent regulatory scheme in the U.S. to govern the crypto markets. In its review of the U.S. crypto markets, the Financial Stability Oversight Counsel (FSOC)11 concluded that the U.S. financial system is exposed to a substantial risk because crypto assets not qualifying as securities are escaping from all existing regulations and neither bank regulators nor the SEC or CFTC are equipped to regulate these non-securities crypto assets. For crypto assets that are not securities (e.g., bitcoin), the only real regulatory requirement for exchanges, brokers, dealers and other market participants is to register or be licensed as a money transmitter at the state level, and to register as a Money Services Business with the U.S. Financial Crimes Enforcement Network (FinCEN)12 and be subject to U.S. anti-money laundering regulations. There are no specific capital or operational requirements, credential regulations, or safety or soundness requirements at the national level. An increasing number of market participants believe that this growing segment needs to be effectively and clearly regulated. For crypto assets that are securities, existing regulations are generally considered to be sufficiently robust and there is no need to change in the near future. Given recent market events, there is likely to be a push to move most crypto trading activities to registered broker-dealers operating alternative trading systems (ATSs).
Regulation of issuance of crypto assets in the EU
Issuance of financial instruments to the public is regulated in the EU by the Prospectus Regulation. Instead of extending the Prospectus Regulation to the issuance of crypto assets, the Commission established a new set of rules to regulate the issuance of crypto assets, in the form of MiCA. Contrary to the Prospectus Regulation, MiCA regulates the issuer of the crypto asset rather than the crypto asset itself, because only regulated entities will be permitted to issue crypto assets.
The issuance of crypto assets will be subject to a white paper which is comparable to the prospectus under the Prospectus Regulation. The white paper to be prepared when issuing crypto assets that are not asset reference tokens or e-money tokens will have to be notified to the competent supervisory authority, but there will be no authorization process. Once the notification has been made, it will be possible for the issuer to offer the crypto assets for sale across the EU. MiCA has an extra territorial, cross border element in that notification is required not only for EU-based issuers but also for non-EU-based issuers if they wish to issue crypto assets in the EU.
The white paper of an asset reference-based token such as a stablecoin is subject to the prior approval of the competent supervisory authority. In case of e-money tokens, the regulations are even stricter because only accredited institutions or e-money institutions are permitted to issue the white paper that needs to be approved by the competent supervisory authority.
Tokenization of units issued by AIFs
There is a growing interest in the market for alternative investment funds (AIFs) to issue tokens that can then be exchanged between investors or, alternatively, to tokenize units which were previously issued by AIFs. For AIFs investing in assets with a low level of liquidity, the issuance of tokens or the tokenization of units issued by the AIF seems an attractive route to raise capital from investors. There are many outstanding questions relating to tokenization, including those regarding identification of investors, the eligibility assessment of investors, and the prevention of money laundering, which need to be answered.
The first question is whether an AIF can issue tokens – this question must be assessed under the applicable law of the AIF. In Luxembourg, the act of 22 January 202113 enables the direct issuance of dematerialized securities in tokenized form by Luxembourg companies. This means that, for instance, a Luxembourg RAIF14 can issue tokens instead of, or alongside, dematerialized registered units. Units issued by an AIF are considered as financial instruments under MiFID irrespective of the legal form of the AIF or its underlying investments. Therefore, the issuance of tokens by a RAIF should in principle fall outside of the scope of MiCA, in which case no issuance of a white paper will be required.
As an alternative option to the AIF directly issuing tokens – particularly where the national law applicable to the AIF does not enable the direct issuance of tokens (e.g., France) – units issued by the AIF can serve as the underlying assets of tokens which are issued by a special purpose vehicle established for this purpose.
To determine whether these tokens would fall within MiCA, the question must again be raised whether the tokens created in this process (which is commonly designated as ‘tokenization’) are financial instruments in the meaning of MiFID. The answer would likely be yes, although this is a less obvious conclusion compared to instances where the AIF itself issues the tokens.
One of the main questions to be clarified is what the register of an AIF would look like when issuing tokens or when tokenizing units issued by the AIF. The national law applicable to an AIF typically requires that a register must be kept and must contain information on unitholders and the number and type of units held by unitholders. In case the AIF is issuing tokens, information on who is holding what number and type of tokens issued by the AIF should in principle be kept by analogy to the traditional register. In case where units issued by the AIF will be tokenized, the special purpose vehicle tokenizing the units will typically be recorded as a unitholder in the traditional register of the AIF and the requirements relating to identification of beneficial owners must also be satisfied.
In addition to the impact the issuance of tokens or the tokenization of units may have on the register-keeping and transfer agency services, the use of blockchain technology will also necessitate a change in the maintenance and operation of traditional registers. Information on investors and units will need to be kept on a ledger instead of on the traditional security file kept by the registrar. In the U.S., given the decentralized nature of blockchain technology, the SEC considers the issuance of tokens by a fund merely as book entry on a blockchain.
Regulating crypto asset service providers
Under MiCA, the following activities will require prior authorization by the supervisory authority of the EU member state where the crypto asset service provider (CASP) is domiciled:
- Undertaking services such as custody and administration of crypto assets.
- Operating a trading platform of crypto assets.
- Exchanging crypto assets against fiat currencies or other crypto assets.
- Execution of orders on the placing of crypto assets.
- Reception and transmission of orders on crypto assets.
- Advising on investment in crypto assets.
- Managing a portfolio of crypto assets.
Once authorized as a CASP, the service provider will benefit from the EU passport, meaning it will be able to provide crypto asset services across the EU.
MiFID and, to a lesser extent, the French Pacte law15 have influenced the regulation of CASPs, not only in terms of determining the services that are in scope but also terms of the capital and organizational requirements. As is currently the case for investment firms and AIFMs, a program of activity must be filed by the CASP with the competent supervisory authority. In addition, directors and persons conducting or having a significant impact on the conduct of the business of the CASP will need to be approved by the competent supervisory authority.
In France, the Pacte Law of 2019 introduced a specific regulatory regime for digital assets service providers (DASP)16. The DASP regime requires a mandatory registration for servicing crypto assets and, on an optional basis, a license which is delivered by the Autorité des Marchés Financiers (AMF) – so far 65 crypto asset service providers were regulated by AMF on a voluntary basis. Once MiCA takes effect, DASPs will be granted a period of 18 months during which they can become authorized as CASPs under MiCA. There are many similarities between the French DASP regime and the regime for CASPs under MiCA, meaning that the authorization process with the AMF is expected to be straightforward.
In Luxembourg, virtual asset service providers (VASP) must be registered with the Commission de Surveillance du Secteur Financier (CSSF). There is, however, no optional license process like in France. The registration requirement was introduced by the 2004 AML Act17, as amended by the law transposing the fifth Money Laundering Directive18, which included certain crypto assets and crypto currencies within its scope. A VASP is defined in the 2004 AML Act as any entity that is providing exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, transfer of virtual assets, safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets, including custodian wallet services and participation in services related to an issuer’s offer or sale of virtual assets.
Once MiCA takes effect, if the VASP is not authorized as an investment firm under MiFID, it must seek authorization from the CSSF to become a CASP. This will impact, for instance, Luxembourg depositaries of non-financial instruments and administrators when servicing crypto assets, as they have to move from their registration as a VASP to an authorization as a CASP.
As is the case in Luxembourg, following the implementation of the fifth Money Laundering Directive, Germany requires service providers of certain crypto assets to be registered with the Bundesanstalt für Finanzdienstleistungen (BaFin). However, unlike the regimes in Luxembourg and France, Germany has a mandatory license regime for firms providing custody services to crypto assets. The license is not required for credit institutions. Investment firms must assess whether the services provided in connection with crypto assets are close enough to the services provided in connection with the investment firm’s other activities to be exempted from requiring the license. When MiCA takes effect, German crypto asset service providers will be required to seek authorization from BaFin as CASPs, unless they are already regulated as investment firms under MiFID.
In the U.S, from 2023 the SEC will start to approve special purpose broker-dealers, second custody digital asset securities servicers and digital asset alternative trading systems. Where a U.S. bank is providing custody services to crypto assets, no separate license is required, but the bank must receive a non-objection letter from the OCC19, the FDIC20 or the Federal Reserve confirming that it has the systems in place to protect the safety and soundness of the bank when providing crypto asset custody services. With regards to broker-dealers engaged in digital asset securities’ activities, the SEC’s position is that this is separate from the traditional securities’ business and requires those broker-dealers to obtain a special license. To avoid any potential impact on the traditional securities’ business, some broker-dealers are expected to create separate firms, commonly designated as “special purpose broker-dealer”, which will be the entities licensed to carry out digital asset-based securities’ activities.
Even though MiCA will trigger a certain number of questions it will close the gap on crypto assets (and related services and service providers) that have to date largely escaped from any regulation. It will create more confidence in the crypto asset class – not only for investors but also for service providers. There is currently no equivalent of MiCA in the U.S., which may be explained by the fact that traditional U.S. securities laws are already regulating a greater proportion of the crypto asset class than the EU, although there remain a regulatory gap for crypto assets that do not qualify as securities.
- Our OnPoint “Countdown to MiCA: The EU’s cryptoassets regulation” is available here.
- Regulation (EU) 2017/1129 of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market, and repealing Directive 2003/71/EC.
- Directive 2014/65/EU of 15 May 2014 on markets in financial instruments.
- Directive 2011/61/EU of 8 June 2011 on Alternative Investment Fund Managers.
- The Council confirmed in a letter addressed to ECON and dated 5 October 2022 that, if the Parliament adopts its position at first reading in the form set out in the Annex to the letter, it will approve the Parliament’s position and adopt the act in wording corresponding to the Parliament’s position. Council and Parliament reached provisional political agreement on the proposed MiCA Regulation on 30 June 2022 following interinstitutional trialogue negotiations. The next step is for the Parliament to adopt the agreed text at first reading. The Parliament is due to consider the proposed MiCA Regulation during its plenary session to be held from 17 to 20 April 2023.
- Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA) was published in the Official Journal of the EU on 27 December 2022.
- Regulation (EU) 2022/858 of 30 May 2022 on a pilot regime for market infrastructures based on distributed ledger technology. It will enter into force on 23 March 2023 and initially run for three years. It offers targeted regulatory exemptions to MiFID, Directive 98/26/EC on settlement finality in payment and securities settlement systems and Regulation (EU) n°909/2014 on improving securities settlement in the EU and on central securities depositories (commonly designed as CSDR) for the purpose of testing blockchain technology in financial markets and post-trade activities. It will allow market infrastructure operators and new entrants to operate a multilateral trading facility (MTF) and/or a settlement system (SS) by using blockchain technology for tokenized financial instruments.
- Directive (EU) 2022/2556 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector was published in the Official Journal of the EU on 27 December 2022.
- The French Prudential Supervision and Resolution Authority which operates under the French central bank, Banque de France, exercises prudential supervision of regulated French financial firms including banks and insurance companies.
- The ‘Howey test’ or ‘investment contract test’ is referring to the U.S. Supreme Court case for determining whether a transaction qualifies as an ‘investment contract’ and therefore be considered a ‘security’ which will be subject to the disclosure and registration requirements under the 1933 Securities Act and the 1934 Securities Exchange Act. Under the test, an ‘investment contract’ exists if there is an ‘investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others’.
- FSOC is part of the U.S. Treasury Department and charged with identifying risks to the financial stability of the United States, promoting market discipline and responding to emerging risks to the stability of the United States' financial system.
- FinCEN is part of the U.S. Treasury Department and charged with the collection and the assessment of information on financial transactions to fight against money laundering and terrorist financing.
- The act of 22 January 2021 (generally designated as “Blockchain II Act”) amended the act of 6 April 2013 on dematerialized securities to enable that a dematerialized security may entirely exist in a distributed ledger technology (DLT) environment.
- Reserved alternative investment fund under the Luxembourg act of 23 July 2016 on reserved alternative investment funds, as amended.
- French act n°2019-486 of 22 May 2019 related to the growth and transformation of enterprises (loi du 22 mai 2019 relative à la croissance et la transformation des entreprises) (Pacte Law).
- Article 86 of the Pacte Law on the prestataires de services sur actifs numériques, codified under articles L.54-10-1 et. Seq. of the French financial and monetary code.
- The Luxembourg act of 12 November 2004 on the fight against money laundering and terrorist financing, as amended.
- Directive 2018/843/EU on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directives 2009/138/EEC and 2013/36/EU.
- The Office of the Comptroller of the Currency (OCC) is an independent bureau of the U.S. Department of the Treasury which regulates and supervises U.S. national banks and federal savings associations as well as federal branches and agencies of foreign banks in the U.S.
- Federal Deposit Insurance Corporation (FDIC) is an independent agency which insures bank deposits, examines, and supervises financial institutions for safety, soundness, and consumer protection, makes large and complex financial institutions resolvable and manages receiverships.