MiCAR – Final RTS specifying certain requirements in relation to the detection and prevention of crypto-asset related market abuse

RegCORE – Client Alert | Digital Single Market

QuickTake

The EU’s Market in Crypto-Assets Regulation (MiCAR) became fully operational as of 30 December 2024. As explored in PwC Legal’s EU RegCORE’ series covering developments across the “EU’s Digital Single Market, financial services and crypto-assets” MiCAR marks a momentous achievement in creating (i) a new chapter of the EU’s Single Rulebook for certain types of crypto-assets that are not classified as “financial instruments” and (ii) concurrently extending existing chapters of the Single Rulebook to those crypto-assets that do qualify as “financial instruments”.

The EU’s legislative policymakers’ approach has been to use MiCAR’s legislative text to divide the regulation and supervision of crypto-assets between those that are not “financial instruments” and thus subject to MiCAR and those that qualify as “financial instruments” and thus subject to traditional financial services legislation including the EU’s Market Abuse Regulation, as amended, (MAR). Such an approach makes sense, at least from a legislative drafting standpoint. It serves to cement the concept that crypto-assets (and activity in respect thereof) which “act like a financial instrument should be supervised like a financial instrument”This does not however equate to the principle of “same risk, same regulatory treatment” as a listed equity security may have a different risk and thus regulatory treatment to a tokenised representation of that listed equity security – including with respect to market abuse.Show Footnote and those that are not and which are under the scope of MiCAR remain subject to MiCAR’s provisions. MiCAR’s Title VI establishes rules to detect and prevent insider dealing, unlawful disclosure of inside information and market manipulation including market abusive behaviours (collectively as used herein “market abuse”). While both MAR and MiCAR’s market abuse provisions both have the same aims, the provisions including what is required of whom, when and how do differ somewhat.

The European Securities and Markets Authority (ESMA) had been tasked under MiCAR to develop Regulatory Technical Standards (RTS) specifying arrangements, systems and procedures for detecting and reporting suspected market abuse in crypto-assets as well as templates for suspicious transactions and orders reporting (STORs) as well as coordination procedures between relevant national competent authorities (NCAs) or the detection and sanctioning of cross-border market abuse sanctions.

On 17 December 2024, ESMA published its Final Report containing, in Annex IV, the now final RTS in the form of a Commission Delegated Regulation (CDR) “specifying the appropriate arrangements, systems and procedure as well as the templates to be used for preventing, detecting and reporting suspected market abuse and on the coordination procedures between the relevant competent authorities for the detection and sanctioning of market abuse in cross-border market abuse situations” (the MiCAR STOR CDR).Available here – see Annex IV for the text of the MiCAR STOR CDR.Show Footnote ESMA ran a consultation on a draft version of the MiCAR STOR CDR between March and June 2024 and received 29 responses from industry as well as advice from ESMA’s Securities and Markets Stakeholder Group (the SMSG). These responses have been reflected in the 19 pages that make up the MiCAR STOR CDR and in the 50 pages of the Final Report setting out the context and rationale for the changes plus industry and SMSG feedback.

This Client Alert assesses the key takeaways for traditional financial services firms and for all persons involved in crypto-assets. The provisions of the MiCAR STOR CDR apply to persons professional arranging or executing transactions in crypto-assets (PPAETs). This includes crypto-asset service providers (CASPs) operating trading platforms, providing services such as reception or transmission of orders, execution of orders, portfolio management and exchange of crypto-assets. Notably, miners and validators are excluded from the PPAET category. CASPs solely providing custody and administration services are also excluded from the PPAET category.

This Client Alert should be read in conjunction with further analysis on MiCAR and in particular a number of further supervisory clarifications provided by ESMA along with its sister European Supervisory Authorities (ESAs) comprised of the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) as well as the European Central Bank (ECB).

Scope of application

Before delving into the detail of the key requirements and implications of the MICAR STOR CDR it is important to understand who is included in the PPAET category when and why and who is not. So too is when, due to a recategorisation of a crypto-asset under MiCAR to that of a financial instrument under traditional financial services legislation, this would trigger requirements under MAR.

Services Provided by CASPs Included Under the PPAET Category

ESMA has outlined specific services provided by CASPs that fall under the category of PPAETs in the context of MiCAR. According to the MiCAR STOR CDR, the following services are included under the PPAET category:

1. Operating a trading platform: CASPs that operate trading platforms for crypto-assets are considered PPAETs. These platforms facilitate the buying, selling and trading of crypto-assets among users.
2. Reception or transmission of orders: CASPs that receive or transmit orders for crypto-assets on behalf of clients fall under the PPAET category. This service involves acting as an intermediary to facilitate transactions between buyers and sellers.
3. Execution of orders: CASPs that execute orders for crypto-assets on behalf of clients are included as PPAETs. This service involves carrying out transactions as instructed by clients.
4. Portfolio management: CASPs providing portfolio management services for crypto-assets are considered PPAETs. This service includes managing a portfolio of crypto-assets on behalf of clients, making investment decisions and executing transactions to achieve investment objectives.
5. Exchange of crypto-assets for funds: CASPs that exchange crypto-assets for fiat currency or other forms of funds are included under the PPAET category. This service involves converting crypto-assets into traditional currency or other financial assets.
6. Exchange of crypto-assets for other crypto-assets: CASPs that facilitate the exchange of one type of crypto-asset for another are considered PPAETs. This service involves trading different crypto-assets without converting them into fiat currency. 
7. Dealing on own account: Persons dealing on their own account in crypto-assets on a professional basis or as part of their business activity are included as PPAETs. Indicators of this activity include having a dedicated trading desk or staff systematically engaged in trading crypto-assets for the entity’s own account. 

There are certain exclusions notably for miners and validators (as discussed below) as well as for CASPs solely providing custody and administration of crypto-assets on behalf of clients are excluded from the PPAET category. The rationale for such exclusion is that these services do not involve managing or executing transactions and lack the necessary internal controls to detect abusive behaviour.

Exclusion of miners and validators from the PPAET category

ESMA has provided detailed reasoning for the exclusion of miners and validators from the category of PPAET under MiCAR. The key reasons for this exclusion are as follows:

a.    Structural incentives and role in blockchain networks: miners and validators in blockchain networks, particularly in Proof of Work (PoW) and Proof of Stake (PoS) systems, are primarily incentivised to maximize their profits through the process known as Maximum Extractable Value (MEV). MEV involves selecting and prioritising transactions based on the fees that parties are willing to pay, rather than strictly arranging transactions according to the time of execution. This process is fundamentally different from traditional finance, where transactions are arranged strictly by execution time. 

b.    Limited capacity to commit market abuse: miners and validators generally lack the incentives to commit market abuse. Their primary role is to validate and order transactions to maximise their own profits, which does not inherently involve market abuse. While some MEV practices can be abusive, the majority of MEV activities are considered legitimate and beneficial for the market, such as aiding price discovery, creating more efficient markets and enabling faster liquidations to protect lenders. 

c.    Evolving role and technical solutions: the role of miners and validators is evolving, with ongoing efforts in the industry and academia to identify and mitigate abusive practices. Technical solutions such as fair transaction sequencing, first-come-first-served mechanisms, encrypted mempools and preference matching are being developed to reduce the negative externalities of MEV. These advancements further limit the potential for market abuse by miners and validators.

d.    Visibility and monitoring capabilities: miners and validators typically do not have visibility into the activities of their peers or other market participants. This lack of visibility makes it challenging for them to monitor and report suspicious activities effectively. The capacity to monitor a portion of the crypto-assets landscape and identify potential market abuse cases is a critical factor in determining the inclusion of entities in the PPAET category. 

e.    Potential negative impact on innovation and supervision: including miners and validators in the PPAET category could incentivise them to relocate outside the EU, complicating the supervision of EU-based CASPs who may outsource services to these entities. This could push innovation offshore and hinder the development of the EU's crypto-assets market.

f.    Industry feedback and consultation responses: the feedback received during ESMA's consultation process was almost unanimous in excluding miners and validators from the PPAET category. Respondents highlighted the structural differences between blockchain networks and traditional finance, the evolving role of miners and validators and the ongoing efforts to address abusive practices through technical solutions.

While miners and validators (including individual persons) may be excluded from the PPAET category they may still be subject to general principles and requirements under EU and other legislation to prevent financial crime and thus market abuse.

Key takeaways from the MiCAR STOR CDR

The provisions of the MiCAR STOR CDR are comprehensive. Over the course of 19 pages, they set out detailed requirements that can be summarised as follows:

1.   Arrangements, systems and procedures: PPAETs must establish and maintain effective arrangements, systems and procedures to monitor and detect market abuse. These systems should be proportionate to the scale, size and nature of the PPAET's business activities. PPAETs may outsource these functions to third parties or within the same group, provided they retain control and oversight. Key requirements include:

i.    Ongoing monitoring: continuous monitoring of orders, transactions and other aspects of the distributed ledger technology (DLT) to detect potential market abuse. PPAETs must employ ICT systems capable of deferred automated reading, replaying and analysis of order book data. These systems should produce alerts for further analysis and cover the full range of trading activities; 

ii.    Human analysis: an appropriate level of human analysis must be integrated into the detection process to ensure the relevance and accuracy of alerts; 

iii.    Reporting obligation: the systems above must serve to allow the PPAET to promptly submit accurate reports (i.e. STORs) based on reasonable suspicion of market abuse to the NCA. STORs must be submitted electronically to the NCA (using the specified template – see below) without delay once a reasonable suspicion is formed. PPAETs must explain delays in submission due to subsequent events or information. Confidentiality of the information must be maintained; 

iv.    Documentation and record-keeping: PPAETs must document their systems and procedures in writing, maintain records of their analyses and keep these records for five years; and 

v.    Periodic review and updating of systems: PPAETs are required to periodically review (at least annually) their systems and arrangements and assess whether they remain fit for purpose and update them when necessary. 

2.    Notification template for reporting suspected market abuse: The MiCAR STOR CDR includes a detailed template that is specified for reporting suspected market abuse. The template requires comprehensive information, including:

i.     identification of the reporting entity and the suspected person;

ii.    description of the suspicious order, transaction or behaviour;

iii.   details of the DLT involved, including the type of DLT and any relevant technical aspects; and 

iv.   additional information that may support the suspicion, such as trading patterns and contextual information. 

3.    Coordination procedures for cross-border situations: The MiCAR STOR CDR outlines procedures for coordination between NCAs in cross-border market abuse cases. Key elements include:

i.     Timely exchange of information: NCAs must share information without undue delay to facilitate investigations. This applies equally to reporting the status of preliminary assessments and sharing information about supervisory activities or criminal investigations without undue delay;

ii.     Coordination of supervisory actions: NCAs must update each other on significant developments and coordinate their actions to avoid conflicting investigations; and

iii.    Involvement of ESMA: ESMA may be informed of investigations and can coordinate actions between multiple authorities if requested.

4.    Proportionality and flexibility: welcomingly the MiCAR STOR CDR emphasises the principle of proportionality, allowing PPAETs to tailor their systems and procedures based on their specific business activities and risk profiles. This flexibility is crucial for smaller PPAETs that may face significant costs in implementing comprehensive surveillance systems. The MiCAR STOR CDR permits outsourcing of surveillance functions to third-party providers or in-group entities, provided that PPAETs retain control and oversight of these functions, have written agreements in place with third-party providers that clearly outline the rights and obligations of both parties and respective service level agreements as well as arrangements to mitigate concentration risks arising when several PPAETs delegate or outsource to the same provider.

5.    Training and compliance culture: PPAETs are required to provide regular and comprehensive training to staff involved in the detection and prevention of market abuse. This training should ensure that staff can identify suspicious activities and understand the PPAET's reporting obligations. The MiCAR STOR CDR is clear that building a strong compliance culture is essential for effective market abuse prevention

While the above represents a number of principles and processes that should be familiar for those already acquainted with MAR compliance, there are some aspects that are DLT and crypto-asset specific and may require some market participants to step up their efforts on their own processes as well as where they rely on outsourcing support. Some of these key specifics include:

a.    DLT Type and characteristics: PPAETs must be aware of the type of DLT being used (public/permissionless or private/permissioned) and its specific characteristics. This includes understanding the governance and operational structure of the DLT, which can impact how market abuse might occur.

b.    Consensus mechanism: PPAETs must monitor the consensus mechanism of the DLT. This involves observing how transactions are validated and added to the blockchain. Any irregularities or manipulations in the consensus process, such as attempts to alter the order of transactions or influence the validation process, must be detected and reported.

c.    Order and transaction data: PPAETs are required to monitor all orders and transactions, including their placement, modification, cancellation and execution. This includes:

i.    Order book data: Monitoring the order book to detect suspicious patterns or behaviours that could indicate market manipulation, such as spoofing or layering; and

ii.   Transaction data: Analysing transaction data to identify unusual trading volumes, price movements or other anomalies that could suggest insider trading or market manipulation.

d.    On-chain and off-chain activities: PPAETs must ensure effective and ongoing monitoring of both on-chain and off-chain activities this means that for:

i.    On-chain transactions: monitoring transactions that occur directly on the blockchain, including the transfer of crypto-assets between wallets; and

ii.   Off-chain transactions: observing transactions that occur outside the blockchain but are related to the crypto-assets being traded, such as over-the-counter (OTC) trades.

e.    Order and transaction alterations: PPAETs must monitor any alterations to orders and transactions, including:

i.    Order cancellations and modifications: tracking changes to orders, such as cancellations or modifications in price or quantity, to detect potential market abuse; and

ii.   Transaction failures: identifying transactions that are designed to fail or are repeatedly failing, which could indicate manipulative practices.

f.    Behaviour related to the functioning of the DLT: PPAETs must also monitor behaviours that are specifically related to the functioning of the DLT, such as:

i.    Transaction reordering: detecting attempts to reorder transactions within a block to gain an unfair advantage; and

ii.   Smart contract interactions: observing interactions with smart contracts, including the execution of specific functions or events that could be used to manipulate the market.

g.    Public and private queues (Mempools): PPAETs should monitor whether transactions pass through public or private (encrypted) queues of transactions (mempools) before being validated on the DLT. This can help identify patterns consistent with front-running or other manipulative practices.

Timing considerations

In terms of immediate next steps, the MiCAR STOR CDR, once published in the EU’s Official Journal, shall enter into force on the twentieth date following its publication. While MiCAR’s full operationalisation starts 30 December 2024, an 18-month transitional phase i.e., a grandfathering period applies until 1 July 2026. These transitional measures (e.g. grandfathering and simplified procedure) apply in those Member States who have opted in.ESMA has published this list here.Show Footnote Entities in participating Member States are permitted to make use of the simplified CASP authorisation procedure (in Art. 143(6) MiCAR) but must acquire an authorisation in accordance with Article 63 of MiCAR by then. This grandfathering period varies from Member State to Member State with some having lower periods than the full 18 months (either at 6 or 12 months) and others yet to announce what they will offer. Notwithstanding this grandfathering period, the MiCAR STOR CDR will apply as per the timeline above, so for PPAETs making use of grandfathering, they will still need to assess compliance with the MiCAR STOR CDR. 

Outlook

The implementation of MiCAR, the Final Report and the RTS as set out in the MiCAR STOR CDR, marks a significant step forward in the regulation of crypto-assets within the EU. This regulatory framework aims to create a more secure and transparent market environment by establishing stringent requirements for detecting and preventing market abuse. The extent of what is required underscores the urgency for PPAETs to begin aligning their systems and procedures with the MiCAR STOR CDR requirements as early as possible, including where such monitoring and reporting is outsourced and/or delegated. The emphasis on proportionality and flexibility within the guidelines allows for tailored approaches, which is particularly beneficial for smaller entities that may face substantial implementation costs.

Looking ahead, the evolving landscape of crypto-assets and DLT (including beyond MiCAR) across the EU will continue to pose challenges and opportunities for market participants and regulators alike. The exclusion of miners and validators from the PPAET category reflects a nuanced understanding of their roles and the structural differences between blockchain networks and traditional financial systems. However, the ongoing development of technical solutions to mitigate abusive practices and the need for continuous monitoring and updating of compliance systems will be critical. As the industry progresses, collaboration between market participants, regulators and technology providers will be essential to ensure that the regulatory framework remains robust and adaptive to new developments and the operationalisation of the new legislative, regulatory and supervisory principles.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients to navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.

In order to assist firms in staying ahead of their compliance obligations we have developed a number of RegTech and SupTech tools for supervised firms. This includes PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,000+ legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.