2025-02-26

Guidelines on procedures and policies, including client rights, in the context of crypto-asset transfer services under the Markets in Crypto-Assets Regulation (MiCA) regarding investor protection (ESMA35-1872330276-2032)

The European Securities and Markets Authority (ESMA) has issued guidelines to ensure consistent application of Article 82 of the Markets in Crypto-Assets Regulation (MiCA) regarding investor protection. These guidelines require crypto-asset service providers to establish robust policies and procedures for pre-contractual information disclosure, individual transfer details, execution timelines, and client rights. The document mandates specific transparency measures, including fee breakdowns, irrevocability warnings, and clear protocols for handling rejected or suspended transfers to enhance market integrity and consumer safeguards.

Croatia

Croatian Financial Services Supervisory Agency


ESMA – 201-203 rue de Bercy – CS 80910 – 75589 Paris Cedex 12 – France – Tel. +33 (0) 1 58 36 43 21 – www.esma.europa.eu

Contents

1 Scope
2 Legislative references, abbreviations and definitions
2.1 Legislative references
2.2 Abbreviations
3 Purpose
4 Compliance and reporting obligations
4.1 Status of the guidelines
4.2 Reporting requirements
5 Guidelines on policies and procedures in the context of crypto-asset transfer services
5.1 General provisions on crypto-asset transfer policies and procedures (Guideline 1.)
5.2 Information on individual crypto-asset transfers (Guideline 2.)
5.3 Execution times and cut-off times (Guideline 3.)
5.4 Rejection or suspension of a client’s instruction for crypto-asset transfer or return of transferred crypto-assets (Guideline 4.)
5.5 Liability of crypto-asset service providers (Guideline 5.)

1 Scope

Who?

1. These guidelines apply to: (i) competent authorities and (ii) crypto-asset service providers acting as crypto-asset transfer service providers on behalf of clients within the meaning of Article 3(1)(26) of the Markets in Crypto-Assets Regulation (MiCA).

What?

2. These guidelines apply in relation to Article 82 of the Markets in Crypto-Assets Regulation (MiCA).

When?

3. These guidelines shall apply 60 calendar days after the date of their publication on the ESMA website in all EU official languages.

2 Legislative references, abbreviations and definitions

2.1 Legislative references

ESMA Regulation: Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC [1]

MiCA Regulation: Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 [2]

[1] OJ L 331, 15.12.2010, p. 84.
[2] OJ L 150, 9.6.2023, p. 40–205.

TOFR Regulation: Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 [3]

[3] OJ L 150, 9.6.2023, p. 1–39.

2.2 Abbreviations

EC: European Commission
ESFS: European System of Financial Supervision
ESMA: European Securities and Markets Authority
EU: European Union

3 Purpose

4. These guidelines, developed by ESMA in close cooperation with the EBA, are based on Article 82(2) of the MiCA Regulation. The purpose of these guidelines is to establish consistent, effective and efficient supervisory practices within the ESFS and to ensure a common, uniform and consistent application of the provisions of Article 82 of the MiCA Regulation. In particular, their aim is to clarify the requirements for crypto-asset service providers providing crypto-asset transfer services on behalf of clients regarding procedures and policies, including client rights, in the context of crypto-asset transfer services. ESMA expects appropriate strengthening of investor protection in this regard. These guidelines apply without prejudice to relevant rules under the other Payment Services Directive, where applicable, to relevant crypto-asset transfers, particularly e-money tokens.

4 Compliance and reporting obligations

4.1 Status of the guidelines

5. In accordance with Article 16(3) of the ESMA Regulation, competent authorities and crypto-asset service providers must make efforts to comply with these guidelines.

6. Competent authorities to which these guidelines apply should comply with them by incorporating them into their national legal or supervisory frameworks in an appropriate manner, even where certain guidelines primarily relate to participants in the financial market. In such cases, competent authorities should ensure through supervision that crypto-asset service providers adhere to the guidelines.

4.2 Reporting requirements

7. Within two months from the date of publication of the guidelines on the ESMA website in all EU official languages, the competent authorities to which the guidelines apply must notify ESMA whether they:
i. are compliant with the guidelines,
ii. are not compliant with the guidelines but intend to comply with them, or
iii. are not compliant with the guidelines and do not intend to comply with them.

8. In the case of non-compliance, competent authorities must also notify ESMA of the reasons for non-compliance with the guidelines, within two months from the publication of the guidelines on the ESMA website in all EU official languages.

9. The notification form is available on the ESMA website. [4] After completion, the form is forwarded to ESMA.

10. Crypto-asset service providers are not required to report on compliance with these guidelines.

[4] See: https://www.esma.europa.eu/sites/default/files/library/esma42-110-1132_confirmation_of_compliance_with_guidelines.pdf

5 Guidelines on policies and procedures in the context of crypto-asset transfer services

5.1 General provisions on crypto-asset transfer policies and procedures (Guideline 1.)

11. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures (including appropriate tools) to provide the client with information and terms related to crypto-asset transfer services in a timely manner and in electronic form, before the client enters into any agreement for the provision of crypto-asset transfer services.

12. The information provided should include at least the following elements:
• the name of the crypto-asset service provider, the address of its registered office and all other addresses and means of communication relevant for communication with the crypto-asset service provider, including the email address
• the name of the national competent authority responsible for supervising the crypto-asset service provider
• a description of the main features of the crypto-asset transfer service to be provided
• a description of the form and procedure for initiating or giving consent for a crypto-asset transfer and withdrawing the client’s instruction or consent, including specification of the information the client must provide to properly initiate or execute the crypto-asset transfer (including authentication method)
• the conditions under which the crypto-asset service provider may reject the client’s instruction to execute a crypto-asset transfer
• a reference to the procedure or process established by the crypto-asset service provider to determine the time of receipt of the client’s instruction or consent for a crypto-asset transfer and any cut-off time established by the crypto-asset service provider
• an explanation, per crypto-asset, of which distributed ledger technology (DLT) network is supported for the transfer of the relevant crypto-asset
• the maximum execution time for the crypto-asset transfer service
• for each DLT network, a reasonably estimated time or number of block confirmations required for the transfer to be irreversible on the DLT network or to be considered sufficiently irreversible in the case of probabilistic settlement, taking into account the rules and circumstances of the DLT network
• all fees, charges or commissions payable by the client in connection with the crypto-asset transfer service, including those related to the manner and frequency of providing or making available information and, where appropriate, a breakdown of the amounts of these fees
• means of communication, including basic information on the technical requirements for client equipment and software (e.g., minimum software or mobile operating system), as agreed by the parties for the transfer of information or notifications related to the crypto-asset transfer service
• the manner and frequency of providing or making available information related to the crypto-asset transfer service
• the language or languages in which the agreement referred to in Article 82(1) of the MiCA Regulation will be concluded and communication will be conducted during that contractual relationship
• a secure procedure used by the crypto-asset service provider to notify the client in case of suspected fraud, actual fraud or security threats
• means and time frame within which the client should notify the crypto-asset service provider of any unauthorized or incorrectly initiated or executed crypto-asset transfers, as well as the liability of the crypto-asset service provider, including the maximum amount for which it assumes liability, for unauthorized, incorrectly initiated or incorrectly executed transfers
• the client’s right to terminate the agreement for the provision of crypto-asset transfer services and the ways in which this can be done.

13. Policies and procedures relating to crypto-asset transfer services should ensure that the crypto-asset service provider provides relevant information in an easily understandable manner and in a clear and comprehensible form.

14. Policies and procedures under paragraph 12 should also ensure the following:
• the client should be able to access or receive, upon request, at any time during the contractual relationship related to crypto-asset transfer services, the agreement referred to in Article 82(1) of the MiCA Regulation, as well as the information listed in paragraph 12, in electronic form
• the client is informed in a timely manner of any planned changes to the information listed in paragraph 12 before the implementation of such changes.

15. Crypto-asset service providers should be able to provide relevant information at the time of providing a copy of the draft agreement referred to in Article 82(1) of the MiCA Regulation.

16. As good practice, crypto-asset service providers are encouraged to consider in the policies and procedures under paragraph 11 how to provide educational materials to clients to help them better understand their rights and the function and risks associated with crypto-asset transfers.

5.2 Information on individual crypto-asset transfers (Guideline 2.)

17. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures (including appropriate tools) to ensure that after receiving the client’s instruction for a crypto-asset transfer but before executing the crypto-asset transfer, the crypto-asset service provider provides the client with at least the following information:
• a short and standardized warning on whether and when the crypto-asset transfer will be irreversible or sufficiently irreversible in the case of probabilistic settlement [5]
• the amount of all fees for the crypto-asset transfer payable by the client and, if applicable, a breakdown of the amounts of these fees, distinguishing, for example, transaction fees (gas fees) charged for the transaction via the relevant DLT network and other fees charged by crypto-asset service providers for their services.

[5] Depending on the type of consensus algorithms associated with the relevant DLT.

18. Furthermore, the policies and procedures under the previous paragraph should ensure that the transfer is not initiated or executed before taking appropriate steps to achieve compliance with the TOFR Regulation, including its Article 14.

19. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures (including appropriate tools) to ensure that after the execution of individual crypto-asset transfers, the crypto-asset service provider provides the client with at least the following information:
• names of the sender and recipient of the transfer
• the sender’s distributed ledger address or the sender’s crypto-asset account number
• the recipient’s decentralized ledger address or the recipient’s crypto-asset account number
• a reference label enabling the client to identify each crypto-asset transfer
• the amount and type of crypto-asset transferred or received
• the value date of the debit or the value date of the credit of the crypto-asset transfer
• the amount of all fees, charges or commissions related to the crypto-asset transfer and, where appropriate, a breakdown of the amounts of these charges.

20. The policies and procedures under paragraph 19 should also cover the frequency of providing the information listed in that paragraph, all charges or fees levied for providing the information, and the manner of providing the information.

21. The information listed in paragraph 19 should be provided in electronic form and, if not provided more frequently than once a month, free of charge.

22. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures (including appropriate tools) to ensure that, without prejudice to other applicable regulatory requirements, in the event of rejection, return or suspension of a crypto-asset transfer, the client is provided with at least the following information:
• the reason for the rejection, return or suspension
• if applicable, how to rectify the situation of rejection, return or suspension
• the amount of all fees or charges payable by the client and the possibility of cost reimbursement.

5.3 Execution times and cut-off times (Guideline 3.)

23. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures relating to at least:
• the cut-off time for receipt of client instructions for crypto-asset transfers which are considered to be received on the same working day
• the maximum execution time depending on the crypto-asset transferred
• a reasonable estimate of the time or number of block confirmations required for the crypto-asset transfer to be irreversible on the DLT or sufficiently irreversible in the case of probabilistic settlement for each DLT network.

5.4 Rejection or suspension of a client’s instruction for crypto-asset transfer or return of transferred crypto-assets (Guideline 4.)

24. Crypto-asset service providers should establish, implement and maintain risk-based policies and procedures to determine whether and how to execute, reject, return or suspend a crypto-asset transfer. Such policies and procedures should specifically take into account the relevant provisions of the TOFR Regulation, as set out in the Guidelines of the European Banking Authority on preventing the use of the financial system for the purpose of money laundering and terrorist financing through certain crypto-asset transfers.

5.5 Liability of crypto-asset service providers (Guideline 5.)

25. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures determining the conditions for the liability of the crypto-asset service provider towards clients in the event of unauthorized, incorrectly initiated or incorrectly executed crypto-asset transfers.
