The custody and management of crypto assets for others is a regulated crypto asset service under Art. 3 (1) No. 16 lit. a) MiCAR and Art. 3 (1) No. 17 MiCAR. It may therefore only be provided by companies that have been authorized as crypto asset service providers under Art. 59 MiCAR. In addition to the usual strict requirements that must be met by companies regulated under MiCAR in the European Union, such as sufficient initial regulatory capital, fit and proper managers, and proper business organization with regard to risk management, IT security, and money laundering prevention, among other things, crypto asset custodians must also fulfill specific supervisory compliance obligations. One of these special requirements for crypto custodians is the obligation to conclude a custody agreement with custody clients that includes the minimum content required under Article 75(1) MiCAR. Accordingly, MiCAR-compliant custody agreements must contain at least information on the identity of the contracting parties, a description of the type of crypto service offered, information on the custody strategy, the means of communication used and how customers authenticate themselves to the crypto custodian, the security systems used, the fees and costs, and the applicable law.
What Exactly Must a Crypto Custody Agreement Contain in Regard to the Custody Strategy?
MiCAR does not specify exactly what crypto custodians must agree with their custody clients with regard to the custody strategy. The development and implementation of a custody strategy is primarily a regulatory obligation that crypto custodians must demonstrate to the supervisory authorities that oversee them. Article 75(1) MiCAR, which regulates the minimum requirements for custody agreements, merely stipulates that the custody strategy is a minimum requirement for a crypto custody agreement. However, this provision is specified in more detail in Article 75(3) MiCAR, which provides for a right of custody account holders to receive a summary of the custody strategy in electronic form from their crypto custodians. In order to be able to meet this requirement, crypto custodians will have to maintain an electronic document summarizing the custody strategy. The actual agreement of the custody strategy with the customer or the attachment of the complete custody strategy, for example as an annex to the custody agreement, seems unnecessary, especially since any change to the strategy would require renegotiation or a new crypto custody agreement. This cannot have been in the interest of the MiCAR regulator. It should also be noted that, as a strategy document, the custody strategy should not contain any specific technical implementation measures or the names of employees or any third-party service providers that may be involved. A strategy generally formulates goals, objectives, and ways to achieve them.
What Details Regarding Security Systems Must Be Agreed Upon?
Art. 75 (1) (e) MiCAR requires that crypto custody agreements include a description of the security systems used by the custodian. In this respect, it is rather unlikely that there will be any room for negotiation, as crypto custodians will hardly be able to grant custody clients any leeway in this regard. In this regard, it is necessary to include details on the technologies used for the custody of private keys, information on any vulnerability tests and security audits carried out, the authentication mechanisms provided for clients, and other security measures used by the custodian to minimize the risk of loss of clients’ crypto assets or the associated private keys. Information may also be provided on how client crypto assets are separated from the crypto asset custodian’s own holdings in crypto assets or funds and are kept safe from insolvency. Here, too, it will not be necessary to name specific sub-custodians or banks that are used to segregate client assets. A description of the specific measures implemented by the crypto custodian to increase security for customers will in any case be sufficient for the purposes of the crypto custody agreement.
Attorney Lutz Auffenberg, LL.M.
subscribe to Newsletter-
Successful Book Launch at FIN LAW for the New MiCAR Handbook by Dr. Johannes Meier
Presentation of the new MiCAR handbook by Dr. Johannes Meier at the book launch event of FIN LAW. -
Lutz Auffenberg and FIN LAW have Again been Recognized by WiWo
WirtschaftsWoche (WiWO) has once again named Attorney Lutz Auffenberg, LL.M., as a top lawyer and FIN LAW as a top law firm. -
The New FIN LAW Website – Familiar Quality in a New Design
We are excited to announce the launch of FIN LAW’s new website. Our website is now faster and more modern than ever.
