Opinion on the interplay between PSD2 and MiCA in relation to crypto-asset service providers that transact electronic money tokens

EBA/Op/2025/08 10/06/2025 Opinion of the European Banking Authority on the interplay between Directive EU 2015/2366 (PSD2) and Regulation (EU) 2023/1114 (MiCA) in relation to crypto-asset service providers that transact electronic money tokens Executive Summary The EBA is issuing this No Action letter in response to the EU Commission’s written request of 6 December 2024 for the EBA, in close cooperation with ESMA, to clarify the interplay between Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA) and Directive (EU) 2015/2366 on payment services in the internal market (PSD2), in relation to crypto asset service providers (CASPs) that transact electronic money tokens (EMTs). This No Action letter aims to clarify the interplay by providing advice (i) to the EU Commission, EU Council and EU Parliament as to how the issue can be resolved in the long term, by making use of the ongoing legislative process of PSD3 and PSR, and (ii) to NCAs for the intervening period of 2-3 years during which PSD2 still applies until the application date of the future PSR and the transposition date of the future PSD3, by setting out which type of EMT transactions NCAs are advised not to regard as payment services and therefore not to require an additional authorization and, for those EMT transactions that will require an additional authorization, which PSD2 provision are recommended to be de-prioritised for the purpose of supervision and enforcement and from what date. To that end, the EBA advises NCAs during said intervening period to regard the transfer of crypto assets as a payment service under PSD2 where they entail EMTs and are carried out by the entities

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 2 on behalf of their clients; to regard the custody and administration of EMTs as a payment service under PSD2; and to regard a custodial wallet as a payment account under the PSD2 where the wallet is held in the name of one or more clients and allows to send and receive EMTs to and from third parties. For these services, the No Action letter advises NCAs to require an authorisation under PSD2 through streamlined procedures that make maximum use of information that legal entities have already provided during their CASP authorisation under MiCA. However, NCAs are advised to grant applicants a transition period until 1 March 2026 before the authorisation needs to be held. After that date, NCAs are advised to prevent entities that are not licenced as a PSP or have not entered into a partnership with a PSP, from providing services related to EMTs that qualify as a payment service. Once authorisation as PSP is granted (or, for those entities that already hold a PSP license or a partnership with a PSP), the No-Action letter advises NCAs not to prioritise the supervision and enforcement of some PSD2 provisions, such as on safeguarding, the disclosure of information to consumers pertaining to the level of applicable charges, the maximum execution time of payment transactions, and the unique identifier (e.g. IBAN), and open banking, while insisting on others,such as the application of strong customer authentication to the accessing of custodial wallets and the initiation of EMT transfers, the fraud reporting and the cumulative calculation of own funds. By contrast, the ‘exchange of crypto-assets for funds’ and ‘exchange of crypto-assets for other crypto-assets’ as defined in MiCA are not deemed to be payment services and therefore are not subject to the application of PSD2, including its provisions on licencing. Additionally, the EBA advises NCAs not to regard as a payment service cases where crypto-asset service providers intermediate the purchase of any crypto assets with EMTs, therefore not to enforce the application of PSD2 nor to require an authorization under PSD2 in such cases. This advice will result in a large number of EMT transactions not to be subject to the requirements of PSD2 during the intervening period, with the aim of significantly alleviating the burden that the dual authorisation would otherwise impose on CASPs. The EBA bases this advice solely on the acknowledgement that any alternative advice would require these CASPs to obtain a second authorization, which the EBA considers undesirable, because the compliance burden that arises for legal entities from such a scenario would be disproportionate; the overlaps, gaps and inconsistencies between the requirements of those texts, while a result of the original legislative effort to make MiCA ‘future-proof’, would be confusing; and the effort required of public authorities to supervise and enforce these laws would be unnecessarily complex. The EBA is of the view that any given financial activity should be regulated by one piece of financial services law and that the applicability of several laws to that same activity should be avoided. This is particularly so if it requires additional authorisations under those laws, thus contradicting good regulatory practices of avoiding undue compliance burdens. The advice to NCAs therefore aims at keeping at a minimum the types of EMT transactions that are to be regarded as payment services under PSD2 and that are therefore requiring an authorisation under PSD2 during the intervening period until PSD3&PSR applies.

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 3 The EBA does not base this advice on the conviction that an authorisation as a CASP under MiCA is sufficient to address the risks that arise from EMT transactions. On the contrary: the success of PSD1, PSD2 and EMD over the past 15 years in bringing about a secure and competitive market has shown that for retail payments to be able effectively to fulfil their role in a modern society, market actors need to have confidence in the stability of the market and the reliability of the payment transactions carried out. The same risks should be mitigated through the same regulatory mitigation measures, irrespective of whether the underlying technology is based on a distributed ledger or conventional systems and processes. Furthermore, CASPs promote their EMT services as ‘payments’, and consumers will not be in a position to distinguish between different types of providers and laws that afford them different levels of protection. For the long term, the No-Action letter advises the EU Commission, Council and Parliament to use the legislative process of PSD3/PSR to amend MiCA by strengthening/inserting in MiCA requirements applicable to the subset of crypto-assets services with EMTs that qualify as payment services in key areas such as the protection of consumers, the security of payments, the calculation of own funds, the reporting of payment fraud, and more. The No Action letter advises to achieve this by MiCA re-producing, or cross referring to, the relevant requirements set out in the forthcoming PSD3/PSR. Given that the PSD3/PSR provisions have not been conceived for DLT, these requirements should be fine-tuned to accommodate the technical specificities of services with EMTs that qualify as payments. Should the strengthening of MiCA not be feasible, an alternative approach would be for the PSD3 and PSR to set out to which types of EMTs these two legal texts apply, and how they apply. However, to achieve this in a way that avoids an undesirable second authorisation under PSD3/PSR, the PSD3/R would have to set out requirements for CASPs without requiring CASPs to be authorised under PSD3/PSR. This would be an unusual approach and would also require NCAs under MiCA to develop expertise in the supervision of payments-related requirements that would then be included in MiCAR, but it is the needed if a double authorisation is to be avoided. The EBA considers unsatisfactory and undesirable a third potential approach, according to which EMTs are excluded from the scope of the future PSD3 and PSR altogether (for example through a legislative exclusion), and for MiCA not to be strengthened, either. Such an approach would create confusion, distort a successful EU payments market, create an unlevel playing field, expose consumers to risks that would be more difficult to address than those posed by traditional payment services, and give rise to undesirable opportunities for regulatory arbitrage. The No Action letter does therefore not entertain this further as a legislative option for the future. The advice provided to national competent authorities (NCAs) under PSD2 applies until the date of application of the future PSR and the transposition deadline of the future PSD3, respectively, unless the Opinion is reassessed by the EBA earlier than such dates. The advice to NCAs covers all legal entities that aim to provide, or are already providing, services related to EMTs that qualify as a payment service, irrespective of whether they already hold a CASP licence under MiCA, benefit from one of the national transitional regimes under MiCA, or already hold a PSP licence under PSD2.

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 4 Introduction and legal basis

1. Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA) regulates, among other things, the provision of crypto-asset services within the Union and the authorisation of crypto-asset service providers (CASPs). Directive (EU) 2015/2366 on payment services in the internal market (PSD2) regulates the provision of payment services in the EU. As indicated in Recitals 90 and 93 of MiCA, there is a certain overlap between crypto-asset services provided by CASPs under MiCA and payment services regulated under PSD2, notably in the case of certain services relating to e-money tokens (EMTs). Under Article 48(2) of MiCA,‘[e]-money tokens shall be deemed to be electronic money’ and, therefore, EMTs fall within the definition of ‘funds’ set out in Article 4(25) of PSD2.
2. This means that EMTs have a dual nature being, at the same time, crypto-assets regulated under MiCA, and electronic money/funds within the meaning of PSD2. Article 70(4) of MiCA provides that CASPs which intend to provide payment services related to the crypto-asset service they offer, may either do it themselves or partner with a PSP, provided that the CASP or the partner PSP is authorised to provide the respective payment services. Nevertheless, MiCA is not explicit about which of the services that CASPs may offer qualify as payment services, and, as a result, the question arises of whether and in which cases there could be a need for a ‘dual authorisation’ for CASPs under MiCA also as payment institutions under PSD2.
3. In view of this uncertainty and given diverging interpretations that are emerging across EU Member States about the application of PSD2 and MiCA provisions in relation to EMT services, the Commission identified risks of regulatory arbitrage as well as consumer detriment. As a result, on 6 December 2024, the European Commission sent a letter to the EBA inviting the EBA, ‘in close coordination with ESMA, [to] explore the possibility of issuing an opinion pursuant to Article 9c of Regulation (EU) No 1093/2010 (‘No Action letter’), with regard to the enforcement of the requirements on authorisation in PSD2 as regards services with EMTs provided by CASPs’. The Commission suggested that ‘the no action letter should take effect until the application date of the PSR/ transposition deadline of the PSD3’; but it also suggested it would ‘welcome [the EBA’s] proposals as to potential legislative changes to address any of the issues identified above during the negotiations of the forthcoming PSD3/PSR’.
4. The EBA responded to the EU Commission’s letter on 10 December 2024, in which it concurred with the concerns raised in the letter. The EBA committed to assess carefully the issues in coordination with ESMA and to identify the best option going forward. As Title V of MICA applies since January 2025, applicants for a CASP licence are awaiting authorisation decisions from NCAs. The EBA’s response therefore committed to publishing the No Action letter (formally an EBA Opinion) at expedited speed. Given the limited time available, the Opinion covers only the major issues the EBA has identified as arising from the interplay between MiCA and PSD2 and does not assess each of the 250 Articles across the two texts individually.
5. The EBA’s competence to deliver the Opinion in the form of a No Action letter is based on Article 9c of Regulation (EU) No 1093/2010, according to which such letter shall be issued

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 5 where the absence of delegated acts would raise legitimate doubts concerning the proper application of a legislative act, where the absence of guidelines would raise practical difficulties concerning its application and where the EBA has received relevant information and considers on the basis of that information that the application of the relevant provisions raises significant exceptional issues pertaining to market confidence, customer or investor protection, the orderly functioning and integrity of financial markets or commodity markets, or the stability of the whole or part of the financial system in the Union. 6. In accordance with Article 14(7) of the Rules of Procedure of the Board of Supervisors, the Board of Supervisors has adopted this Opinion, which is addressed to the EU Commission, EU Council, EU Parliament and to national competent authorities (NCAs) designated under Article 22(1) of PSD2 and Article 93(1) of MiCA. At a dedicated workshop held two months prior to the finalisation of the Opinion, the EBA sought views on its emerging thinking from more than 100 crypto-asset service providers, payment institutions and credit institutions. 1 General comments 7. The EBA is of the view that any given financial activity should be regulated by one piece of financial services law and that the applicability of several laws to that same activity should be avoided, in particular if it requires additional authorisations under those laws. The compliance burden that arises for legal entities from such a scenario would be disproportionate; the overlaps, gaps and inconsistencies between the requirements of those texts, while a result of the original legislative effort to ‘future-proof’ MiCA, would be confusing; and the effort required of public authorities to supervise and enforce these laws would be unnecessarily complex. 8. However, it is this scenario that has now materialised in the EU with regard to the activity of transacting EMTs where CASPs are subject to MiCA and require an authorisation under that law but, to the extent that services with EMTs are equated with a payment service, they are also subject to PSD2 and therefore require an authorisation under PSD2. 9. In what follows in the Specific Comments section below, this No Action letter aims to address this issue by providing advice

• to the EU Commission, EU Council and EU Parliament as to how the issue can be resolved in the long term, by making use of the ongoing legislative process of PSD3 and PSR to amend and strengthen MiCA or, if this is not feasible, to take the alternative of retaining services with EMTs qualifying as payment services within the scope of PSD3/PSR but to achieve this in a way that avoids an undesirable second authorisation under PSD3/PSR, the PSD3/R would have to take the unusual step of setting out requirements for CASPs without requiring CASPs to be authorised under PSD3/PSR, and 1 See https://www.eba.europa.eu/publications-and-media/events/workshop-interplay-between-psd-2-and-MiCA

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 6

• to NCAs for the intervening period of 2-3 years during which PSD2 still applies,by setting out (i) which types of EMT transactions NCAs are advised not to regard as payment services and therefore for which not to require an additional authorisation, and (ii) for those EMT transactions for which they are advised to require an additional authorisation, how to supervise relevant PSD2 provisions, and from which date.

10. The EBA’s advice addressed to NCAs for the intervening period states that it is sufficient for a significant number of CASPs transacting EMTs to hold a license under MiCA only, without the need for an additional authorisation under PSD2. However, this advice is driven solely by the acknowledgement that any alternative advice would require these CASPs to obtain a second authorisation, which is undesirable because the compliance burden that arises for legal entities would be disproportionate; the overlaps, gaps and inconsistencies between the requirements of the two texts, while a result of the original legislative effort to ‘future-proof’ MiCA, would be confusing; and the effort required of public authorities to supervise and enforce these laws would be unnecessarily complexr.
11. The advice is not based on the conviction that an authorisation for CASPs under MiCA is sufficient to address the risks that arise from EMT transactions. On the contrary: there is a reason why payment services and electronic money are more tightly regulated under PSD2 and the Second Electronic Money Directive (EMD2) compared to the requirements that MiCA imposes on crypto assets. For retail payment services to be able effectively to fulfil their role in an economy, market actors need to have confidence in the stability and reliability of the payment transactions carried out. Since their creation in 2007 and 2009 respectively, PSD1/2 and EMD2 have achieved this, by creating a payments market that functions well, is reliable and is also increasingly competitive. Despite (or: because of) the requirements these texts have been imposing – regarding the authorisation of legal entities, the own funds they have to hold, and the security of transactions they have to comply with, to mention but a few – there are now approximately 2,000 payment and electronic money institutions and 4,500 banks authorised to operate and compete across the EU.
12. To ensure continued confidence of all participants in the payments market, it is imperative that electronic money transactions are regulated consistently against the high standards that the PSD2 and EMD set out. The same risks should be mitigated through the same regulatory mitigation measures, irrespective of whether the underlying technology is based on blockchain tokens or conventional systems and processes. CASPs promote their EMT services as ‘payments’, and consumers would not be aware of the different rights that are afforded to them depending on the type of provider with which they interact. So, any legislative and regulatory approach that would treat EMTs differently is bound to lead to confusion, market distortion, lower consumer protection standards, and regulatory arbitrage.
13. To achieve this level playing field, the EBA advises the EU Commission, Council and Parliament to use the legislative process of PSD3/PSR to amend MiCA, by strengthening MICA requirements applicable to the subset of crypto asset services with EMTs that qualify as

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 7 payments in key areas such as the protection of consumers, the security of payments, the calculation of own funds, the reporting of payment fraud, and more. This can be achieved by MiCA re-producing, or cross referring to, the relevant requirements set out in the forthcoming PSD3/PSR, with the amendments or derogations deemed necessary to take into account the technical specificities of the EMTs and of the DLT, so that users of crypto-asset services qualifying as payment services are provided with a level of protection that is adequate and comparable to that of users of payment services.. Using this approach, PSD3/PSR would not apply to CASPs, nor would an additional authorisation be needed 14. Should the strengthening of MiCA not be feasible, a second approach would be for the PSD3 and PSR to set out to which types of services entailing EMTs PSD3 and PSR apply and how they apply, and the Specific Comments section below provides the EBA’s detailed advice for such an approach. However, to achieve this in a way that avoids an undesirable second authorisation under PSD3/PSR, the PSD3/R would have to set out requirements for CASPs without requiring CASPs to be authorised under PSD3/PSR. This would be an unusual approach and would also require NCAs under MiCA to develop expertise in the supervision of payments-related requirements that would then be included in MiCAR, but it is the needed if a double authorisation is to be avoided. 15. What the EBA considers to be unsatisfactory and inconceivable is a third approach, which is for EMTs not to be brought into the scope of the future PSD3 and PSR (for example through an exclusion), and for MiCA not to be strengthened, either. Such an approach would create the distortion and unlevel playing field in the payments market mentioned earlier and would create undesirable opportunities for regulatory arbitrage. The No Action letter does therefore not entertain this further as a legislative option for the future. 16. To develop the advice addressed to NCAs for the intervening period until PSD3/PSR applies, the EBA has carried out a review of the requirements under MiCA and PSD2 in the main areas impacted by the overlaps or gaps and has set out its views for each of them, seeking to achieve a pragmatic approach that finds the appropriate balance between, similar to PSD2, the need to retain the objectives of enhancing competition and facilitating innovation of MiCA while, on the other hand, adhering to the requirements that the PSD2 appropriately imposes on legal entities to ensure the safe and efficient functioning of the payment services market. 17. The advice to NCAs covers all legal entities that aim to provide, or are already providing, services related to EMTsthat qualify as a payment service, irrespective of whether they already hold a CASP licence under MiCA, benefit from one of the national transitional regimes under MiCA, or already hold a PSP licence under PSD2. 18. NCAs are recommended to follow the advice once a legal entity has obtained a licence as a PSP, or has entered into a partnership with a PSP, but no later than 2 March 2026. This is to ensure that CASPs that are already transacting EMTs that qualify as a payment service do not need to discontinue this activity until they have a PSP licence. However, after that date, CAs are advised to prevent entities that are not licenced as a PSP or have not entered into a

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 8 partnership with a PSP, from providing services related to EMTs that qualify as a payment service. 19. However, the advice provided in chapters 1 (on scope and definitions), 2 (authorisation) and 3 (calculation of capital requirements) is relevant already prior to said date, because that advice in these chapters refers to requirements with which legal entities (including those currently under a national transitional regime under MiCA) need to comply to be granted a PSP licence by NCAs. 20. For legal entities that are not yet authorised as CASPs under MiCA or as PSPs under PSD2 and are considering to apply for licences under both legal frameworks, no particular sequence between the two authorisations is recommended in this Opinion. In this regard, NCAs are recommended to remind entities seeking authorisation that they are required to provide information that is accurate, complete and up to date, so as to allow NCAs sufficient time for their assessment. 21. Finally, the advice provided to NCAs in this Opinion does not apply to traditional payment services entailing funds that are not EMTs. Specific Comments 22. The Opinion itself sets out the advice for each of the areas identified by the EBA: the authorisation process, the calculation of initial capital and own funds, consumer protection, strong customer authentication, safeguarding/safekeeping, and open banking. The annex, in turn, lists the underlying provisions in PSD2 and MiCA on each of these topics and the resultant legislative issues that the EBA’s advice.

1. Scope and definitions
2. In order to address the inconclusive scope and definitions provided in the two legal texts that is explained in the annex, the EBA advises NCAs

• to regard the transfer of crypto assets, as defined under Article 3 (1), point 26 of MiCA, as a payment service under PSD2, where they i. entail EMTs, and ii. are offered and carried out by the entities on behalf of their clients;
• to regard the custody and administration of EMTs as a payment service andthe custodial wallet as a payment account under the PSD2, where they allow to send and receive transfers of EMTs to and from third parties;
• to apply to the aforementioned services the advice set out in the remaining chapters of this No Action letter;
• not to regard as a payment service the services of ‘exchange of crypto-assets for funds’ and ‘exchange of crypto-assets for other crypto-assets’, as defined under Article 3 (1), points 19 and 20 of MiCA,;

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 9

• to regard crypto-asset service providers that intermediate the purchase of any crypto assets with EMTs as not requiring an authorisation under PSD2;
• not to prioritise the supervision and enforcement of the provisions of Directive 2014/92/EU (the Payment Accounts Directive, PAD) in relation to custodial wallets.

24. Further, the EBA advises the EU Commission, Council and Parliament to amend MiCA through the legislative process of the forthcoming PSD3/PSR so as to

• clarify in MiCA that crypto-assets services are only subject to the provisions laid down in MiCA, and that this is despite EMTs having a dual nature of being at the same time a crypto-asset (as defined in MiCA) and funds (as defined in PSD2);
• clarify that CASPs providing crypto-asset services with EMTs qualifying as payment services need only be authorised and supervised under MiCA, and are not required to be authorised under PSD2/PSD3;
• strengthen the requirements laid down in MiCA by applying to crypto-asset services with EMTs qualifying as payment services, the provisions set out by Titles III and IV of the PSD2 (or equivalent tiles of the forthcoming PSD3/PSR), with the amendments or derogations deemed necessary taking into account the technical specificities of EMTs and of DLT, so that users of such crypto asset services are provided with a level of protection that is adequate and comparable to that of users of payment services.

25. Should a strengthening of MiCA be considered infeasible and the alternative approach of amending PSD3/PSR is chosen instead (in a way that does not require CASPs to obtain an additional authorisation under PSD3/PSR), the EBA advises the EU Commission, Council and Parliament

• to clarify if and to what extent the PAD applies to custodial wallets;
• to state explicitly that the qualification of certain crypto-assets services as payment services implies that the forthcoming PSD3/PSR apply to such services; and
• to clarify which, if any, provisions of the forthcoming PSD3/PSR should not apply to crypto-asset services qualifying as payment services, by way of explicit derogation or exclusion.

26. As the title indicates, this Opinion addresses the interplay between PSD2 and MiCA. Terms like ‘transfer’, ‘service’ or ‘funds’, are therefore used as defined in these two legal texts and not as potentially differently defined in other relevant EU law (e.g. Regulation (EU) 2023/1113, known as the Transfer of Funds Regulation).
27. Authorisation
28. Based on the views expressed by the EU Commission and the issues presented in the annex, the EBA advises NCAs:

• in cases where CASPs provide transfer services of EMTs on behalf of clients, to treat all transfer services of EMTs from one distributed ledger address or account to another when intermediated by CASPs on behalf of clients similarly, irrespective of their underlying motivation or purpose;

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 10

• to assess the authorisation applications taking into account that cases where a crypto￾asset service provider intermediates the purchase of any crypto assets with EMTs do not qualify as payment services;
• when assessing the application for a PI/EMI licence submitted by a CASP, to rely as much as possible on the information provided by the applicant in the application for a CASP licence and refrain from requesting information that NCAs already have, following a similar approach to the one laid down in Article 62(4) of MiCA. NCAs are reminded that the PI/EMI licence granted to the CASP should be aligned with the activities that the applicant has declared as intending to offer and that, in accordance with EBA Q&A 2022_6611, any type of PSP may service an account containing e-money or containing scriptural funds. 2 NCAs are also reminded that the exemptions set out in PSD2 should also apply, with the exception of Article 32 of PSD2, given that Article 59(7) of MiCA allows CASPs to provide their services on a cross-border basis;
• to streamline and simplify the information that CASPs should provide when applying for a PI/EMI licence (for example by allowing CASPs to comply with some of the information requirements set out in Article 5(1) of PSD2 by providing only updatesto the information that the CASP had already provided during the MiCA application procedure), while insisting that the information is accurate, complete and up to date, and exchange information with other NCAs within the relevant jurisdiction where the national designation of competent authorities gives rise to such a need. The exchange of information does not entail the acceptance of the assessment carried out by the other NCA;

28. In cases where a licensed PI/EMI intends to provide custody and administration or transfer services of EMTs and is not covered by the notification regime set out in Article 60 of MiCA, thus needing a licence as a CASP, competent authorities under PSD2 should liaise with the competent authorities under MiCA to rely as much as possible on the information already provided during the PI/EMI licence application, provided that it is complete and up to date. 29.The EBA advises the EU Commission, Council and Parliament to clarify through the legislative process of the the forthcoming PSD3/PSR that CASPs crypto-asset services with EMTs qualifying as payment services shall only be authorised and supervised under MiCA, and should not be required to be authorised under PSD2/PSD3, but to also strengthen MiCA requirements applicable to CASPs offering crypto-asset services in the form of EMTs, by:

• amending Title V of MiCA so as explicitly to grant supervisory discretion to NCAs to make risk-based adjustments for initial capital and own funds requirements, and
• inserting or cross-referencing relevant provisions of Titles III and IV of the PSD2 (or equivalent Titles of the forthcoming PSD3/PSR) on transparency, consumer protection, authentication and fraud reporting in order to ensure a level of protection for users of EMTs that is adequate and comparable to that offered for 2 See https://www.eba.europa.eu/single-rule-book-qa/qna/view/publicId/2022_6611

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 11 electronic money transactions in PSD3/PSR. 30.Should a strengthening of MiCA be considered infeasible and the alternative approach of amending PSD3/PSR is chosen instead (in a way that does not require CASPs to obtain an additional authorisation under PSD3/PSR), the EBA advises the EU Commission, Council and Parliament to amend instead the forthcoming PSD3/PSR by

• explicitly stating that the CASP services of ‘exchange of crypto-assets for funds’ and ‘exchange of crypto-assets for other crypto-assets’ are not to be considered a payment service;
• clarifying the extent to which MiCA, the forthcoming PSD3/PSR or both will apply to CASPs providing crypto-asset services with EMTs qualifying as payment services on their own account and on behalf of the customers, for example by: i. inserting a provision in PSD3 establishing a notification regime for CASPs providing crypto-asset services that qualify as payment services already authorised under MiCA, as well as clarifications about the exact scope of services that could follow such regime, and/or inserting a provision in MiCA that creates bespoke requirements for CASPs providing crypto-asset services that qualify as payment services , as well as clarifications about the exact scope of services that could follow such regime, and/or ii. amending Article 60(4) of MiCA to extend the notification regime in that Article for all PIs authorised under PSD3 that aim to provide crypto-asset services that qualify as payment services.

3. Initial capital and own funds
4. As explained in chapter 3 of the Annex, both PSD2 and MiCA contain requirements for the calculation of initial capital and own fundsin the context of both authorisation and as a matter of going concern once authorisation has been granted, which gives rise to two issues.
5. The first issue is whether or not the initial capital requirements imposed by MiCA and PSD2 apply cumulatively to entities requiring authorisation to carry out activities within the scope of each legislative instrument (e.g. crypto-asset services involving EMTs and payment services). Here, the EBA recognises experience from previous cases where entities have a hybrid character and carry out payment services and ‘other’ services (e.g. see EBA QA 2023_6790 on multi-licenced entity capital requirements). Taking account of this experience with hybrid character entities, the EBA advises NCAs to apply the initial capital/own funds requirements established by PSD2 and MiCA on a cumulative basis to entities intending to carry out payment services and crypto-asset services.
6. Such an approach maintains a level playing field with other types of ‘hybrid’ entity and acknowledges the fact that, once the PSD authorisation has been granted, it enables the entity to perform any relevant payment services and thus it is appropriate that initial capital is held

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 12 with regard to these services, in addition to the capital to be held with regard to the performance of crypto-asset services under Title V of MiCA. Put differently, the approach ensures that the risks stemming from the performance of each type of activity are taken into account from a prudential perspective, including any risks stemming from the processing of crypto-asset transfers, the execution of payment transactions and any custody risk, which may or may not stem from different infrastructures deployed in relation to each type of activity. 34. To illustrate the implications, one can consider the example of an entity authorised to:

• provide custody and administration of crypto-assets on behalf of clients (a ‘class 2’ crypto-asset service under Annex IV MiCA (minimum capital requirements for crypto￾asset service providers)); and
• provide payment services of a kind referred to in points (1) to (5) Annex 1 to the PSD2 (e.g. execution of payment transactions).

35. Assuming the amount of the permanent minimum capital requirement is to be calculated under Article 67(1)(a) MiCA, 3 pursuant to Annex IV MiCA, CASPsin ‘class 2’ are required to hold minimum capital of EUR 125 000. Pursuant to Article 7(c) of PSD2, payment institutions carrying out services of a kind referred to in Annex I, points (1) to (5) of PSD2 are required to hold an initial capital of EUR 125 000. As such, the cumulative basic minimum capital requirement for the entity is EUR 250 000.
36. The second issue is whether elements eligible for initial capital/own funds can be counted towards the satisfaction of requirements under more than one Directive/Regulation. Here, the EBA recalls that Article 8(2) of PSD2 expressly requires Member States to take the necessary measures to prevent the multiple use of elements eligible for own funds ‘where a payment institution has a hybrid character and carries out activities other than providing payment services’.
37. The EBA advises NCAs

• to ensure that CASPs are aware of the different elements that may be counted towards minimum capital;
• not to apply a higher own funds requirement under Article 9(3) of PSD2 simply because of the hybridity of the business model where the activities entail CASP services and ONLY payment services involving EMTs (i.e. some other material activity/risk should be demonstrated to justify a higher requirement);
• not to apply a lower own funds requirement under Article 9(3) of PSD2 simply where a CASP carries out payment services with regard to EMTs (i.e. some other factor must be identified which justifies a lower requirement). 3 As contrasted with Article 67(1)(b) and (2) MiCA (estimated fixed overheads).

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 13 38. Furthermore, the EBA advises the EU Commission, Council and Parliament that the requirements of MiCA should apply but its Title V amended so as explicitly to grant supervisory discretion to NCAs to make risk-based adjustments, akin to those provided in Article 9(3) of PSD2, but without necessarily replicating the existing cap on the amount by which own funds can be adjusted; 39. Should a strengthening of MiCA be considered infeasible and the alternative approach of amending PSD3/PSR is chosen instead (in a way that does not require CASPs to obtain an additional authorisation under PSD3/PSR), the EBA advises the EU Commission, Council and Parliament to amend instead the forthcoming PSD3/PSR by taking into account that the proportionality of the effect of the cumulative requirements; that risk-based adjustments are also integrated into MiCA; and that any exercise of that discretion should require the interaction of the NCAs under MiCA with those under PSD3/R, where applicable. 4. Consumer Protection 40. As explained in more detail in the Annex, PSD2 provisions applying to crypto-assets services qualifying as payment services include Titles III and IV, which respectively cover the ‘Transparency of conditions and information requirements for payment services’ and the ‘Rights and obligations in relation to the provision and use of payment services’, as well as implementing and delegated acts. The provisions aim at ensuring that all payment service users benefit from the same protection, irrespective of the type of payment service they use and its underlying technology. 41. However, as set out in the Annex, the application of some of these provisions may give rise to implementation challenges, due to the particular features of the Distributed Ledger technology (DLT) and the technical specificities of the crypto-assets services. To address such challenges, the EBA advises NCAs not to prioritise supervision and enforcement of the following requirements in relation to transfers of EMTs and/or custody and administration of EMTs qualifying as payment services provided by CASPs/PSPs:

• the information requirements related to the charges payable by the user to the CASPs/PSPs, i.e. not to require CASPs/PSPs to provide the exact amount of the applicable fees, where, for on-chain transactions, they cannot know such amount in advance, for example where due to a congestion of the network the CASP/PSP needs to pay a higher gas fee to obtain a confirmation of the transfer in an early block. However, in such cases the CASP/PSP should provide the user with the information on the applicable charges, and do so as soon as possible but in any case prior to the user authorising the transaction;
• the information requirement on maximum execution time of payment transactions as set out in Articles 45(1)(b), 52(2)(e), Article 56(a), in the limited number of cases where the CASPs/PSPs cannot know in advance the maximum execution time of payment transactions. However, in such cases the CASP/PSP should at least provide the user with an estimation of the execution time;

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 14

• the unique identifier as set out in Article 88 of PSD2, and
• Regulation (EU) No 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro (the “SEPA Regulation”) in its entirety.

42. Additionally, the EBA advises the EU Commission, Council and Parliament to use the legislative process of the forthcoming PSD3/PSR to strengthen the consumer protection regime in MiCA by applying to transfers of EMTs and to the custody and administration of EMTs the provisions set out in Titles III and IV of the PSD2 (or equivalent Titles II and III of the forthcoming PSD3/PSR), taking into account the technical specificities of DLT, so that users of such services are provided with a level of protection that is adequate and comparable to that of users of payment services.
43. Should a strengthening of MiCA be considered infeasible and the alternative approach of amending PSD3/PSR is chosen instead (in a way that does not require CASPs to obtain an additional authorisation under PSD3/PSR), the EBA advises the EU Commission, Parliament and Council to amend the forthcoming PSD3/PSR by clarifying:

• which provisions on transparency and rights and obligations should apply to transfers of EMTs and to the custody and administration of EMTs, in order to ensure an adequate level of protection for the users of such services, including but not limited to: i. the transparency requirements, such as on the maximum execution time and the applicable charges, as detailed in the previous paragraph; ii. the determination of an element, if any (e.g. public keys), that would match the requirements for the unique identifier, as currently set out by PSD2, in relation to transfers of EMTs and, consequently, the possibility to apply to such crypto-asset services the provisions on the incorrect unique identifier and the other provisions related to the concept of unique identifier; iii. the possible application of fraud prevention measures (which will also be detailed in the next section), including the setting of spending limits for transactions and the blocking in case of loss or misappropriation or fraud; and iv. the management of unauthorised transactions and non-executed or defective transactions and the subsequent liability regime.
• which rules apply to the custodial wallets and the custody and administration of crypto-assets on behalf of clients, with a view to clarifying how Article 75 of MiCA and the provisions of the PSD2 would apply regarding the changes in the conditions of the contract (Articles 51 and 54), the frequency with which the periodic information regarding the payment transactions should be provided to the user (Article 57), and the liability of the PSP in case of unauthorised transactions (Article 73) and for non-

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 15 execution, defective or late execution of payment transactions (Article 89); and

• whether or not the transfers of EMTs should be treated in the same way as conventional credit transfers and, therefore, whether or not SEPA Regulation provisions, including, for example, the Verification of Payee service, should apply to them.

5. Security of payment services, incl. Strong Customer Authentication (SCA)
6. As explained in more detail in the annex, the principles of non-discrimination and technological neutrality, and the principle that the same risks should be mitigated through the same rules lead the EBA to conclude that the custody and transfer of EMTs need to be as secure as all other payment services subject to PSD2. The SCA requirements set out in Articles 97 and 98 of PSD2 and the related implementing Acts developed by the EBA therefore have to apply to the custody and the transfers of EMTs. More specifically, the requirements have to apply to the access to custodial wallets of EMTs held by CASPs/PSPs and prior to initiating a transfer of EMTs.
7. However, the EBA acknowledges that the industry will require some time for the required technological implementation and therefore advises NCAs not to prioritise the supervision and enforcement of these requirements until 2 March 2026, thus resulting in a transitional period during which the industry is in a position to take the steps necessary for compliance. As this advice is without prejudice to the application to CASPs/PSPs of the liability regime set out in Article 74(2) of PSD2, the EBA advises NCAs to remind CASPs of the content of those provisions, which is that ‘where the payer’s payment service provider does not require strong customer authentication, the payer shall not bear any financial losses unless the payer has acted fraudulently’.
8. Finally, as the related requirements on the reporting of payment fraud under Article 96(6) PSD2 are an integral part of the supervision and oversight of the payments sector, it would be important that these requirements also apply. However, akin to the approach used for the SCA requirements themselves, the EBA advises NCAs not to prioritise the supervision and enforcement of the fraud reporting requirements under Article 96(6) PSD2 until 2 March 2026. Thereafter, the EBA advises NCAs to require the reporting of only selected data, which are those set out in the Annex of the applicable EBA Guidelines (EBA/GL/2018/05) under the following headings:4

• “6 - E-money payment transactions”;
• “6.1 - Of which via remote payment initiation channel”;
• “6.1.1 - of which authenticated via strong customer authentication”;
• “6.1.2 - of which authenticated via non-strong customer authentication”; 4 See https://www.eba.europa.eu/sites/default/files/document_library//Final%20Report%20on%20EBA%20Guidelines%20o n%20fraud%20reporting%20-%20Consolidated%20version.pdf

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 16

• “6.2 - Of which via non-remote payment initiation channel”;
• “6.2.1 - of which authenticated via strong customer authentication”;
• “6.2.2 - of which authenticated via non-strong customer authentication”; and
• “Losses due to fraud per liability bearer”.

47. To achieve the overall EU objective of making retail payments secure, enhancing confidence in innovative payment solutions, and ensuring legal certainty and a level playing field, the EBA additionally advises the EU Commission, Council and Parliament to strengthen MiCA by re￾producing, or cross referring to, the SCA requirements and fraud reporting set out in the forthcoming PSD3 and PSR.

• Should a strengthening of MiCA be considered infeasible and the alternative approach of amending PSD3/PSR is chosen instead (in a way that does not require CASPs to obtain an additional authorisation under PSD3/PSR), the EBA advises the EU Commission, Council and Parliament to clarify that crypto-assets services qualifying as payment services are subject to SCA;
• transfers of EMTs are subject to the fraud reporting to allow for a continuous and consistent assessment of fraud levels relating to EMTs.

6. Safeguarding/Safekeeping
7. To address the risk of divergent interpretations and application of the safeguarding requirements under PSD2 and the safekeeping requirements under MiCA, the EBA reminds NCAs that Article 70(1) of MiCA imposesspecific safekeeping requirements on CASPs/PSPs that hold EMTs on behalf of clients and advises NCAs not to prioritise the supervision and enforcement of the provisions in Article 10 of PSD2 in relation to CASPs/PSPs for the purpose of safeguarding EMTs or the means of access to such crypto-assets.
8. Also, the EBA advises the EU Commission, Council and Parliament to

• clarify in MiCA that CASPs are not required to safeguard the EMTs they received or the means of access to such crypto-assetsfor the execution of payment transactions under MiCA, as required under the current PSD2, and
• provide further guidance in MiCA on how precisely to comply with the safekeeping requirements in Article 70 of MiCA.

50. Should a strengthening of MiCA be considered infeasible and the alternative approach of amending PSD3/PSR is chosen instead (in a way that does not require CASPs to obtain an additional authorisation under PSD3/PSR), the EBA advises the EU Commission, Council and Parliament to explicitly exclude EMTs received by CASPs/PSPs for the execution of payment transactionsfrom PSD3 safeguarding requirements. This is without prejudice to the application of Article 48(3) of MICA on ‘Requirements for the offer to the public or admission to trading of

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 17 e-money tokens’, Article 54 of MICA on ‘Investment of funds received in exchange for e-money tokens’ and Article 58(1)(a) of MICA on ‘Specific additional obligations for issuers of e-money tokens’ to issuers of EMTs. 7. Common and secure open standards of communication (Open Banking) 51. The EBA advises NCAs not to prioritise the supervision and enforcement of the Open Banking provisions under PSD2 in relation to CASPs/PSPs intending to provide or already providing custody and administration of EMTs and/or carrying out transfer services of EMTs from one distributed ledger address or account to another. 52. Furthermore, the EBA advises the EU Commission, Council and Parliament to amend MiCA by clarifying whether CASPs transacting EMTs are subject to the same Open Banking provisions as PSPs carrying out electronic money transactions under the PSD2 and EMD and, if so, to include, or cross-refer to, relevant provisions in the forthcoming PSD3/PSR. 53. Should a strengthening of MiCA be considered infeasible and the alternative approach of amending PSD3/PSR is chosen instead (in a way that does not require CASPs to obtain an additional authorisation under PSD3/PSR), the EBA advises the EU Commission, Council and Parliament to clarify whether or not custodial wallets under MiCA are to be considered payment accounts, as, in the affirmative, the Open Banking provisions would apply. Either decision should be consistent, and avoid overlaps, with the separate emerging Financial Data Access Regulation (FIDA) that appears to already foresee the possibility of data access for CASPs for information sharing purposes, and also to take into account that while FIDA covers information sharing services, the payment initiation services will require clarification. This opinion will be published on the EBA’s website. Done at Paris, 10 June 2025 [signed] [José Manuel Campa] Chairperson For the Board of Supervisors

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 18 Annex 54. For each of the seven topics on which this Opinion provides advice to NCAs and the EU institutions, this Annex summarises the underlying provisions in PSD2 and MiCA and explains how they give rise to the issues that the Opinion aims to address. The annex lists the underlying provisions in PSD2 and MiCA on each of these topics and the resultant issues that have led to the EBA’s advice.

1. Scope and definitions PSD2
2. Article 4(5) of PSD2 defines a ‘payment transaction’ as ‘an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee’. The definition of ‘funds’ in Article 4(25) of PSD2 includes electronic money. MiCA
3. Article 48(2) of MiCA, states that ‘e-money tokens shall be deemed to be electronic money’. Recital 90 of MiCA, in turn, explicitly states that the transfer services for crypto-assets on behalf of clients are among the services which ‘might overlap’ with payment services as defined in PSD2. More specifically, Article 3 (1), point (26), of MiCA, defines ‘providing transfer services for crypto-assets on behalf of clients’ as ‘providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another’. On the other hand, the Funds Transfer Regulation makes a distinction between ‘transfer of funds’ (understood in a general manner) and ‘transfer of crypto-assets’.
4. Under one reading, the provision of transfers of EMTs could be considered as an ‘execution of payment transactions’ under Annex I (3) of PSD2, which refers to the ‘execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider’.
5. In addition to transfers of EMTs, Recital 90 of MiCA mentions the service of ‘providing custody and administration of crypto-assets on behalf of clients’ and ‘the placing of crypto-assets’ among the services which might also overlap with payment services. Article 3 (1), point (17), of MiCA defines the service of ‘providing custody and administration of crypto-assets on behalf of clients’ as ‘the safekeeping or controlling, on behalf of clients, of crypto-assets or of the means of access to such crypto-assets [...]’.
6. Moreover, Recital 93 of MiCA states that ‘[m]any CASPs also offer some kind of transfer service for crypto-assets as part of, for example, the service of providing custody and administration of crypto-assets on behalf of clients, exchange of crypto-assets for funds or other crypto￾assets, or execution of orders for crypto-assets on behalf of clients’ and that ‘depending on the precise features of the services associated to the transfer of e-money tokens, such services

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 19 could fall under the definition of payment services in Directive (EU) 2015/2366. In such cases, those transfers should be provided by an entity authorised to provide such payment services in accordance with that Directive’. The ‘exchange of crypto-assets for funds’ and the ‘exchange of crypto-assets for other crypto-assets’ are defined by Article 3, points 19 and 20 of MiCA as ‘the conclusion of purchase or sale contracts concerning crypto-assets with clients’ for funds or other crypto-assets ‘by using proprietary capital’. The issue(s) 60. Based on the above, although the legal text does not expressly qualify transfers of EMTs as payment services, such interpretation is supported by the EU Commission. By contrast, it is clear that transfers of asset-referenced tokens (ARTs), or of crypto-assets other than ARTs and EMTs, are not equated to funds and therefore do not seem to qualify as payment services regulated under the PSD2. 61. It is also conceivable that crypto-asset services other than transfers of EMTs may qualify as payment services regulated by the PSD2, where they:

• entail EMTs, and
• are offered and carried out by entities (CASPs/PSPs) on behalf of their clients, thus acting as intermediaries, not in their own name. This condition is also consistent with Article 3(1)(m) of the PSD2, which excludes the applicability of such Directive to payment transactions carried out between payment service providers, their agents or branches for their own account.

62. During the workshop convened by the EBA, some industry representatives suggested that the EBA should explore the possibility to add a third condition related to the purpose of the transaction so that the concept of ‘payment’ should relate only to transactions to buy goods or services. MiCAIf this suggestion were to be followed, out of scope of the notion of ‘payment transactions’ would be situations where EMTs are not used as a means of payment but rather for investment or trading purposes e.g. in the context of the exchange of EMTs for funds or other crypto-assets, or where they are used for peer-to-peer payment transactions.
63. Representatives of the industry suggested that MiCA and the Funds Transfer Regulation (Regulation EU 2023/1113, FTR) would already require CASPs to record such distinctions and that it is feasible for a CASP to delineate transactions according to their purpose.
64. The EBA subsequently assessed the relevant provisions in MiCA (in particular Article 22(6) and 58(3)) and the Guidelines on templates to assist competent authorities in performing their supervisory duties regarding issuers’ compliance under MiCA (EBA/GL/2024/16) 5 , as well as the FTR (in particular Article 2(3)) and the Travel Rule Guidelines (EBA/GL/2024/11) 6 and 5 At the time of publishing this Opinion, these Guidelines are not yet applicable and are available at this link: Final report on Guidelines on reporting on ARTs and EMTs.pdf. 6 Guidelines on information requirements in relation to transfers of funds and certain crypto-assets transfers under Regulation (EU) 2023/1113, available at the following link Travel Rule Guidelines.pdf.

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 20 verified that, indeed, CASPs are required to distinguish transfers of EMTs, where the EMTs are used as a means of exchange or to buy goods or services. 65. However, the fact that the purpose of a transaction is required to be recorded by certain pieces of legislation for a variety of purposes (classification of ARTs/EMTs as significant, application of AML rules, etc.) does not automatically imply that it is possible to establish ex ante (i.e. at the point of authorisation) that a CASP will never be able to facilitate, from a practical perspective the performance of a payment transaction involving an EMT for specific purposes. Moreover, the introduction of a purpose-based condition would bring uncertainty and leave too much room for discretion upon the intermediaries, with potential regulatory arbitrage and the risk that this condition could be leveraged in order to circumvent the requirement to be authorised under PSD2 (or partner with an authorised PSP) and ultimately lead to market distortion, illegal conduct and unfair competition. Additionally, the EBA observes that any kind of payment transaction involving traditional funds (including e-money) is in scope of the PSD2 unless expressly excluded (e.g. in scope are transactions involving a transfer between a customer’s two accounts with the same bank). Therefore, the EBA is of the view that a third, purpose-based condition cannot be taken into consideration. 66. With regard to the custodial wallet, it is conceivable that it could be equated to a payment account, which allows the user to send and receive funds to and from third parties. Such approach is consistent with the position expressed in the EU Commission’s letter and with the ‘functional’ definition of payment account, which has been established both by the Court of Justice of the European Union case law7 and by the EBA. In particular, the EBA clarified that ‘to determine whether an account qualifies as payment account, one must assess whether the account can be used for the execution of payment transactions in conformity with the definitions above as interpreted by the European Court of Justice in its ruling in Case C-191/17. The account should allow for sending and receiving funds, including to and from a third party. Also, transactions should be made directly from the account without the use of an intermediary account’ (Q&A 2018_4272). 67. In light of the above, the custody and administration of crypto-assets might alternatively qualify as

• Operations required for operating a payment account (Annex I, no. 1) and 2) of PSD2), which is in turn defined as an ‘account held in the name of one or more payment service users which is used for the execution of payment transactions’, according to Article 4, point 12 of PSD2) or
• Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider (Annex I, no. 3) of PSD2).

68. From the qualification of the custodial wallet as a payment account, it stems that several 7 In Case C-191/17, the Court of Justice made clear that ‘the possibility of making payment transactions to a third party from an account or of benefiting from such transactions carried out by a third party is a defining feature of the concept of ‘payment account’’ (Para. 31).

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 21 provisions of the PAD would in theory also apply to them (given that such Directive applies to payment accounts with certain features to be offered to consumers and contains the same definitions of PSD2 with regard to payment services, PSPs and payment accounts). However, MiCA does not explicitly state if custodial wallet qualify as payment accounts nor if PAD should apply to custodial wallets. The PAD regime was designed to enhance the transparency and comparability of fees, facilitate the account switching by consumers and the opening and using of payment accounts with basic features in the EU. The application of PAD to custodial wallets could therefore ensure an high level of transparency for consumers. However, neither the articles nor the recitals of PAD suggest that the legislators aimed for this Directive to facilitate the uptake of transformative technologies in the financial sector, which is one of the main aims of MiCA. In fact, the PAD entered into force many years before MiCA did, so the the EU Commission, Council and Parliament would now need to assess if and to what extent this Directive should apply to custodial wallets, and insert a specific provision in L1 legislation accordingly. 69. With regard to the ‘exchange of crypto-assets for funds’ and the ‘exchange of crypto-assets for other crypto-assets’, the EC letter states that such services do not qualify as ‘payment transactions’ (as defined by Article 4(5) of PSD2), where the CASP does not act as an intermediary between a payer and a payee, but in its own name, as seller/buyer of the EMTs, and does not provide other transfers of EMTs on behalf of its clients. The EBA is of the view that the exchange services as defined by MiCA do not qualify as payment services, since they are carried out ‘by using proprietary capital’ of the CASPs, as specified in their definition in MiCA. 70. Furthermore, it should be assessed whether and to which extent transfers of EMTs, the custody and administration of EMTs and other crypto-asset services potentially qualifying as payment services should benefit from the same exclusions as conventional payment services, as listed in Article 3 of PSD2, which include:

• ‘payment transactions carried out within a payment or securities settlement system between settlement agents, central counterparties, clearing houses and/or central banks and other participants of the system, and payment service providers’ (let. h);
• ‘payment transactions related to securities asset servicing, including dividends, income or other distributions, or redemption or sale’, carried out by persons referred to the previous point or ‘by investment firms, credit institutions, collective investment undertakings or asset management companies providing investment services and any other entities allowed to have the custody of financial instruments’ (let. i);
• ‘services provided by technical service providers, which support the provision of payment services, without them entering at any time into possession of the funds to be transferred’ (let. j); or
• ‘payment transactions carried out between payment service providers, their agents or

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 22 branches for their own account’ (let. m). 71. In the context of the workshop, some intermediaries expressed the view that transfers of EMTs to and from custodial wallets held by the same holder (also referred to as ‘first-party transfers’) do not qualify as payments. However, PSD2 does not make an exception for payment transactions executed from/to different payment accounts held by the same payment service user, even if they are serviced by the same PSP. Therefore, first-party transfers of EMTs would still qualify as payment transactions and therefore be subject to PSD2 rules. 2. Authorisation PSD2 72. Article 11 PSD2 provides that, with some exceptions, undertakings that intend to provide payment services need to seek authorisation as a payment institution (PI) before commencing the provision of payment services under PSD2. Mutatis mutandis the same obligations apply to electronic money institutions (EMIs) for the provision of e-money and payment services. The undertaking’s application must comply with all the requirements in Article 5 of PSD2 and receive a favourable assessment by the NCA, and the applicant must also make every effort to comply with the Guidelines that the EBA issued in 2019 in support of the authorisation process. Under the freedom to provide services or the freedom of establishment, the authorisation granted by one competent authority will be valid in all Member States and will allow the payment institution concerned to provide the payment services covered by the authorisation throughout the Union. MiCA 73. Article 62 and 63 of MiCA provide that legal entities seeking to provide crypto-asset services need to be authorised as CASPs. The undertaking’s application must comply with all the requirements in Article 62 of MiCA and receive a favourable assessment by the national competent authority. 74. Other financial entities can provide specific crypto-asset services without the need to apply for authorisation as a CASP, by way of notification to the competent authority in compliance with Article 60 of MiCA. ESMA, in close cooperation with the EBA, has detailed the content of such notification in specific RTS under Article 60(13) MiCA. 75. As mentioned in the previous Section, Recital 90 states that ‘some crypto-asset services, in particular providing custody and administration of crypto-assets on behalf of clients, the placing of crypto-assets, and transfer services for crypto-assets on behalf of clients, might overlap with payment services as defined in [PSD2]’. 76. Recital 93, in turn, states that ‘depending on the precise features of the services associated to the transfer of e-money tokens, such services could fall under the definition of payment services in Directive (EU) 2015/2366 [PSD2]. In such cases, those transfers should be provided by an entity authorised to provide such payment services in accordance with that Directive’.

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 23 This idea is also set out in Article 70(4) which provides that, where CASPs offer payment services related to the crypto-asset service they provide, they have two options: dual authorisation (as CASPs under MiCA and PSPs under PSD2) or partnership with a PSP. Nevertheless, MiCA is not explicit about which of the services that CASPs may offer qualify as payment services, and, as a result, the question arises of whether, and in which cases, there could be a need for a ‘dual authorisation’ for CASPs under MiCA also as payment institutions under PSD2. The issue(s) 77. The EU Commission explains in its letter that ‘there is a certain overlap between crypto-asset services provided by CASPs and payment services regulated under PSD2, triggering the need for a CASP providing PSD2 payment services to hold an authorisation as a payment service provider (PSP), or partner with a PSP having an authorisation to provide the respective services’. 78. Under the first option among those referred to in Article 70(4) MiCA – dual authorisation – the CASP needs to hold an authorisation as a PSP. Dual authorisation creates a significant administrative burden for the CASPs themselves as well as NCAs, particularly where close cooperation between different NCAs is needed, e.g., when the national authorities designated as competent to supervise the PSD2 are different from those that are designated as competent to supervise MiCA, which is the case in several EU Member States. Therefore, the EBA is of the view that CASPs should not be required to be authorised under PSD/PSD3 as well and that instead MiCA needs to be strengthened for the subset of crypto assets that are EMTs. 79. However, should a strengthening of MiCA be considered infeasible and the alternative approach of amending PSD3/PSR is chosen instead (in a way that does not require CASPs to obtain an additional authorisation under PSD3/PSR), the EBA advises the EU Commission, Council and Parliament to assess the following three specific cases, explored by the EU Commission in its letter:

• CASPs that provide the service of ‘exchange of crypto-assets for funds’ or ‘exchange of crypto-assets for other crypto-assets’, when the CASP does not act as an intermediary between a payer and a payee and does not provide other transfers of EMTs on behalf of its clients;
• CASPs that provide transfer services of EMTs on behalf of clients, where the EMTs are not used as a means of payment or peer-to-peer (P2P) payment transactions, but rather ‘for investment or trading purposes’ which, according to the EU Commission, should not be considered as ‘payment transaction’ under Article 4, point (5) of PSD2;
• CASPs that provide transfer services of EMTs on behalf of clients, where the EMTs are used as a means of payment or peer-to-peer (P2P) payment transactions, which, by contrast with the second case, should be considered as a payment transaction under Article 4, point (5) of PSD2.

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 24 80. For all those three cases, the Opinion sets out proposals for the NCAs, as well as proposals for the EU Commission, Council and Parliament. 81. The EU Commission letter states that the services of ‘exchange of crypto-assets for funds’ or ‘exchange of crypto-assets for other crypto-assets’ provided by the CASP on its own account should not require an authorisation under PSD28 . Regarding the transfer of crypto-assets, as already stated in the ‘Scope and definitions’ Section, this service qualifies as a payment service if two conditions are met: i) the service entails EMTs; ii) the intermediary is providing the service on behalf of the clients. 82. The EU Commission letter also refers to the case of entities providing crypto-asset services under the transitional regime set out in Article 143(3) of MiCA. According to this provision, Member States may decide not to apply or to reduce the duration of such transitional regime. The PSD2 does not foresee any transitional period, due to the entering into force of MiCA, for authorisation and does not grant Member States flexibility in this regard, either. However, the EBA considers that entities providing crypto-asset services under the transitional regime need time to adapt smoothly to the framework envisaged by the EC letter (e.g. seeking a PSP licence or a partnership with a PSP). To ensure that customers are adequately protected and that a level playing field with other PSPs is maintained, entities operating under the transitional regime set out in Article 143(3) MiCA need to comply with PSD2 requirements within a reasonable time. 83. Furthermore, the EBA explored the reverse scenario of a licensed PSP intending to carry out EMT transactions. In this scenario, as mentioned above in the paragraph describing the regulatory framework under MiCA, a notification regime is set out for credit institutions and electronic money institutions intending to provide crypto-asset services (with limitations for EMIs). By contrast, MiCA does not envisage any notification regime for payment institutions. The Opinion provides some suggestions to the NCAs to rely as much as possible on the information they already have and to exchange information between the MiCA and the PSD2 NCAs, when needed. 3. Initial capital and own funds PSD2 84. Article 5(1)(c) of PSD2 provides that the application for authorisation shall be accompanied by ‘evidence that the payment institution holds initial capital as provided for in Article 7’. Articles 8 and 9 of PSD2, in turn, establish the own funds requirements and calculation method with Article 9 making clear that the method is ‘to be determined by the competent authorit[y] in accordance with national legislation’. Article 9(3) of PSD2 specifies that competent authorities may, based on an evaluation of risk management processes, risk loss data base and internal control mechanisms, require a payment institution to hold a lower or higher amount than 8 As set out in Article 3 of EMD2, the authorisation process set out in PSD2 applies to applicant electronic money institutions.

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 25 calculated in accordance with Article 9(1) of PSD2. MiCA 85. MiCA specifies in Article 62(2)(e) that a person seeking authorisation to provide crypto-asset services shall include in its application ‘proof that the applicant crypto-asset service provider meets the requirements for prudential safeguards set out in Article 67’. Article 67 specifies that these prudential safeguards shall be equal to an amount of at least the higher of: (a) the permanent minimum capital requirements (as established by Annex IV of MiCA, depending on the types of crypto-asset services provided and essentially following the principle: the more services offered, the higher the requirement), and (b) one quarter of the fixed overheads of the preceding year (or projected overheads where the CASP has not been in business for one year as at the relevant date) (see further Article 67(2) and (3)). 86. Importantly, Article 60 of MiCA does not include any provision for payment institutions providing one or more crypto-asset services. As such, there is no suggestion in MiCA that the authorisation and regulatory requirements, including own funds and initial capital, established in Title V MiCA do not apply to entities authorised to carry out more than one payment service and vice versa. The issue 87. The key issue that arises from the above is whether the initial capital and own funds requirements established by PSD2 and MiCA apply cumulatively to entities carrying out activities within the scope of each legislative instrument (e.g. payment services and crypto￾asset services involving EMTs). A secondary issue is whether elements eligible for initial capital/own funds can be counted towards the satisfaction of requirements under more than one Directive/Regulation (i.e. whether they be used for dual/multiple purposes). 4. Consumer protection PSD2 88. The PSD2 contains an extensive regime regarding the protection of payment services users, articulated in the ‘Transparency of conditions and information requirements for payment services’ (Title III) and the ‘Rights and obligations in relation to the provision and use of payment services’ (Title IV) and aimed at ensuring the confidence of all payment service users in the reliability of payment services and in the continued innovations that the payments markets experience. 89. These titles cover, inter alia, the types of information that PSPs have to provide to the users (in their role as payer and/or payee) prior to or after the execution of a payment transaction or in the framework contracts (including the applicable charges, the termination of contracts, currency conversions), the authentication, authorisation and execution of a payment transaction and the subsequent distribution of liabilities between users and PSPs, the security

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 26 measures needed to prevent and combat fraud (including the Strong Customer Authentication), the rectification of incorrect transactions, the refusal of payment orders, the management of operational and security risks, and complaint procedures. MiCA 90. By comparison, MiCA provides very few provisions on the protection of crypto-assets users. Article 82(1) requires CASPs providing transfer services for crypto-assets on behalf of clients to ‘conclude an agreement with their clients to specify their duties and their responsibilities’ which should contain a minimum set of information, including the fees applied by the CASP and the applicable law. Article 82(2), in turn, grants ESMA the mandate to issue GLs, in close cooperation with EBA, for CASPs providing transfer services for crypto-assets on behalf of clients ‘as regards procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets’. 91. These GLs were published on 17th December 20249 and specify that they ‘apply without prejudice to the relevant rules under PSD2, where applicable to relevant transfers of crypto￾assets, notably EMTs’. Moreover, paragraph 58 of the GLs states that ‘as the provision of transfer services for crypto-assets on behalf of clients share similarities with payment services regulated under [PSD2], ESMA drew on relevant PSD2 provisions in developing the guidelines in Annex V’. The issue 92. As already mentioned under the section above on scope and definitions, under the interpretation conveyed by the EU Commission in its letter, the qualification of certain crypto￾assets services under MiCA as payment services regulated by PSD2 implies that PSD2 applies in its entirety to such services. Given the current legal framework, applying titles III and IV of PSD2 to crypto-asset services qualifying as payment services would ensure fair conditions to this market and an equivalent level of protection to their users, as the same rules would apply to payment services, regardless of the underlying technology used to execute the payment transactions. 93. However, PSD2 was not conceived to apply to the crypto-assets market, nor MiCA clarifies how the two texts should coordinate. Therefore, potential gaps, overlaps or inconsistencies between these two legal texts can give rise to uncertainty as to which rules are effectively applicable to specific cases. Moreover, the application of come of the PSD2 requirements could raise implementation challenges due to the particular features of the DLT and the technical specificities of such service, which also have an impact on the contractual relationship between CASPs and their users. 94. MiCA, by contrast, sets out only few provisions related to consumer protection and, for example, leave the definition of the duties and responsibilities of the parties involved (CASPs 9 See Annex IV of the Guidelines here https://www.esma.europa.eu/sites/default/files/2024-12/ESMA35-1872330276- 1936_MiCA_Final_Report_to_CP3_-_investor_protection_mandates.pdf

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 27 and their customers) to agreements that they conclude. More specifically, title III of the PSD2 lays down several types of information that the PSP shall provide to their users in the framework contracts or in relation to a single payment transaction, both prior and after the execution of a payment. This information includes all charges payable by the payment service user to the payment service provider and, where applicable, a breakdown of those charges. MiCA and the ESMA GLs require similar information to be provided. However, there are cases where the exact amount of these fees cannot be possibly known in advance by the CASP/PSP (for example on-chain transactions). 95. Moreover, in case of on-chain transactions, the network congestion of the blockchain might prevent the CASPs/PSPs from knowing in advance the exact execution time. It would also need to be established which, if any, element of the DLT matches the requirements of and therefore could qualify as the ‘unique identifier’, as set out by Article 4(33) of PSD2. In accordance with that provision, unique identifier means ‘a combination of letters, numbers or symbols specified to the payment service user by the payment service provider and to be provided by the payment service user to identify unambiguously another payment service user and/or the payment account of that other payment service user for a payment transaction’. According to Article 88 of the PSD2, if the unique identifier provided by the payment service user is incorrect, the PSP shall not be liable for non-execution or defective execution of the payment transaction. The existence of a unique identifier on the DLT is therefore relevant for the application of Article 88 of PSD2 to transfers of EMTs. Public keys or other identification elements might fulfil the necessary features to be considered as ‘unique identifiers’ in the context of the DLT. However, given the relevant implications of such interpretation also in terms of parties’ liability, this aspect should be carefully evaluated by the EU Commission, Council and Parliament. 96. Finally, as per point (3) of Annex I of PSD2, the ‘execution of payment transactions’ encompasses, inter alia, the ‘execution of credit transfers’ (Annex I(3)(c) of PSD2). Therefore, the qualification of transfers of EMTs as the payment service under point (3) of Annex I of PSD2 might raise doubts regarding their potential qualification as credit transfers, which are subject to specific requirements laid down in Article 5of the SEPA Regulation. However, the SEPA Regulation excludes from itsscope of application ‘payment transactions transferring electronic money as defined in point (2) of Article 2 of the EMD2, unless such transactions result in a credit transfer or direct debit to and from a payment account identified by BBAN or IBAN’ (Article 1(2)(f) of SEPA Regulation). 97. Thus, there is room for different interpretations and divergent applications of these provisions. On the one hand, if transfers of EMTs qualify as credit transfers, the provisions of SEPA Regulation applicable to credit transfers (including Article 5c on the Verification of the payee) would apply to such services. On the contrary, if transfers of EMTs fall within the exclusion applicable to electronic money payment transactions, the requirements applicable to credit transfers under the SEPA Regulation should not apply. Considering the significant burdens and implications for the industry behind these aspects, the EBA believes the EU Commission, Council and Parliament should clarify them.

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 28 5. Security of payment services (incl. Strong Customer Authentication) PSD2 98. Strong Customer Authentication (SCA) is one of the pillars set out by PSD2 to enhance the security of electronic payments, ensure the protection of users and favour the development of a sound environment for e-commerce in the EU. In order to guarantee the safe authentication of the users and reduce the risk of fraud, PSD2 requires Member States to ensure that all PSPs apply SCA when payers access their payment accounts online; initiate an electronic payment transaction; or ‘[…] carry out any action through a remote channel that may imply a risk of payment fraud or other abuses’ (Article 97(1) of PSD2). 99. The forthcoming PSD3/PSR is expected to amend the current framework as to strengthen the security requirements further, as well as to improve the safety measures to mitigate the risk posed by what is commonly referred to as ‘social engineering fraud’. MiCA 100. MiCA, in turn, does not explicitly provide authentication requirements for crypto-asset services in EMTs, which could also qualify as payment services under the PSD2. Article 82 of MiCA only requires CASPs providing transfer services for crypto-assets on behalf of clients to conclude an agreement with their clients to specify their duties and their responsibilities, which shall include – among other things – ‘a description of the security systems used by the crypto-asset service provider’. 101. Similarly, Article 75 requires CASPs providing custody and administration of crypto-assets on behalf of clients to conclude an agreement with their clients which shall include – among other things – ‘the means of communication between the crypto-asset service provider and the client, including the client’s authentication’.  102. The GLs on transfers of EMTs, drafted by the ESMA in close cooperation with the EBA and previously mentioned in this No action letter, require CASPs inter alia to provide their clients, in good time before they enter into any agreement for the provision of transfer services for crypto-assets, with the information and conditions related to such services ‘in order for a transfer of crypto-assets to be properly initiated or executed (including, how to authenticate)’ 10 . The issue 103. The implementation of SCA imposed through PSD2 and the EBA’s supporting technical standards was challenging for the industry but had the desired effect of reducing fraud. For example, a joint EBA-ECB report published in August 2024 found, among other things, that fraud in transactions where SCA is not applied (because one of the permissible exemptions is 10 See Guideline no. 1, para. 12 of Annex IV at https://www.esma.europa.eu/sites/default/files/2024-12/ESMA35- 1872330276-1936_MiCA_Final_Report_to_CP3_-_investor_protection_mandates.pdf

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 29 used) is 10 times higher than those where SCA is applied. 104. Transfers of EMTs, as payment transactions, give rise to fraud risks of a scale and nature similar to ‘traditional’ payment transactions, such as the theft of keys, compromises to the consensus mechanism, impersonation, phishing emails/websites, platform clones, zero value stablecoin transactions(where the user is misled inadvertently to send EMTs to scammers’ impersonating legitimate addresses), as well as theft from platforms and exchanges. However, MiCA does not impose upon them security requirements comparable to those of PSD2. 105. The compromise of private keys, which has been the main source of hacks in DLT since 2022, is becoming more sophisticated and innovative. Attackers increasingly deploy phishing campaigns, social engineering, and others approaches such as ‘rug pulls’, ‘pump-and-dump schemes’ or ‘pig butchering’. Most recently, on 21 February 2025, crypto exchange Bybit was targeted by a cyberattack, which resulted in a theft of Ethereum crypto tokens worth approximately USD 1.5 billion. The attackers employed advanced social engineering fraud methods to manipulate the interfaces that signers interacted with and to compromise private keys of Bybit’s setup. 106. In light of the above, crypto-asset services are exposed to massive fraud risks which can result into significant losses for their users, yet MiCA does not provide the same security measures laid down by PSD2. Imposing different security standards for ‘traditional’ payment services vs crypto-asset services qualifying as payment services could result in an unlevel playing field, undermine the trust of users in crypto-assets and ultimately hamper their market expansion. 107. In this context, while the PSD2 allows both the CAs, from a national perspective, and the EBA, with a European perspective, to receive and follow payment fraud data, there are no provisions under MiCA that requires the same follow up. More specifically, Article 96(6) under PSD2 states that PSPs must provide ‘statistical data on fraud relating to different means of payment to their competent authorities’ and that the CAs must, in turn, ‘provide EBA and the ECB with such data in an aggregated form’. This may result in added difficulties to decide on the appropriate policy and fraud preventing measures to face fraud under MiCA resulting from the lack of visibility from CAs and the EBA. 108. It derives from the above that transfers or other actions related to EMTs, depending on whether considered payments transactions under PSD2 or not, may qualify as either an initiation of an electronic payment transaction or ‘actions through a remote channel which may imply a risk of payment fraud or other abuses’, which are subject to SCA according to PSD2. Therefore, the application of SCA to crypto-asset services based on transfers of EMTs, although not explicitly laid down by MiCA, would be both consistent with the applicable regulatory framework and, in principle, desirable, since it would enhance the security of this type of electronic payment for both consumers and providers, increase the confidence of market participants in these crypto-assets and prevent regulatory arbitrage. 109. The same reasoning is applicable when accessing custodial wallets, as equated to payment

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 30 accounts. When a user accesses remotely a custodial wallet held by a CASP/PSP, SCA provisions should be applied, as foreseen in Article 97(1)(a) of PSD2, offering the same level of protection to all users irrespectively of the specificities of their accounts. During the workshop organised by the EBA, market participants stated that the DLT ensures a high level of security, thus helps preventing fraud. The EBA recognises that the cryptography allows information to be stored accurately and accessed securely; however, the intrinsic security of the DLT has to be considered separately from the security of the CASP custodial wallets and the need to univocally identify the user, which concerns the relationship between the user and the CASP/PSPs. In this regard, the application of SCA to the accessing of custodial wallets and the initiation of transfers of EMTs is a critical measure to mitigate the fraud risks explained above and prevent potential losses and the negative impact on other parties (namely the intended recipients of the funds to be transferred). 110. In this context, it is foreseeable that technological and practical obstacles might arise when CASPs/PSPs are required to apply SCA when accessing custodial wallets and initiating transactions on the DLT and also to comply with the fraud reporting requirements. Given the time it has taken for the established payments industry to comply with SCA in 2018-2021 and to report reliable fraud data in 2023, CASPs, too, can be expected not to be able to comply with those requirements immediately. 6. Safeguarding/safekeeping PSD2 (and EMD2) 111. Article 7(1) of the EMD2 foresees that EMIs shall ‘safeguard funds that have been received in exchange for electronic money that has been issued, in accordance with Article 9(1) and (2) of Directive 2007/64/EC’ (which correspond mutatis mutandis to Articles 10(1) and (2) of PSD2). The referred PSD2 provisions require, inter alia, PIs and EMIs providing the payment services referred to in Annex I, points (1) to (6) of PSD2 ‘to safeguard all funds which have been received from the payment service users or through another payment service provider for the execution of payment transactions’, in either of the ways laid down in of Article 10 points (a) and (b) of PSD2. MiCA 112. Article 48(3) states ‘Titles II and III of Directive 2009/110/EC shall apply with respect to e￾money tokens unless otherwise stated in this Title’. Article 54 of MiCA provides that the holding of ‘funds received by issuers of e-money tokens in exchange for e-money tokens and safeguarded in accordance with Article 7(1) of Directive 2009/110/EC’ shall comply with further requirements regarding the investment of those funds. 113. Furthermore, Article 70(1) of MiCA provides that ‘[c]rypto-asset service providers that hold crypto-assets belonging to clients or the means of access to such crypto-assets shall make adequate arrangements to safeguard the ownership rights of clients, especially in the event of the crypto-asset service provider’s insolvency, and to prevent the use of clients’ crypto-assets

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 31 for their own account.’ 114. Finally, Article 70(3) of MiCA provides that CASPs ‘shall, by the end of the business day following the day on which clients’ funds other than e-money tokens were received, place those funds with a credit institution or a central bank’. Nevertheless, Article 70(5) of MiCA provides that Article 70(3) does not apply to CASPs that are EMIs, PIs or credit institutions. The issue 115. The nature of EMTs as electronic money and also crypto-assets gives rise to the risk of divergent interpretations and application of the safeguarding requirements under PSD2 and safekeeping requirements under MiCA with regard to EMTs. This is particularly so where the provision of crypto-assets services involves CASPs/PSPs holding EMTs on behalf of clients. 116. From the combined reading of Articles 48(3) and 54 of MICA, issuers of e-money tokens issuing EMTs are required to safeguard the funds received in exchange for the EMTs, according to Article 7(1) of EMD2. In accordance with Article 58(1)(a) of MICA, EMIs issuing EMTs classified as significant are subject to the requirements laid down in Articles 36, 37, 38 and Article 45, (1) to (4) of MICA, instead of Article 7 of EMD2. However, Article 7 of EMD2 and Articles 54 and 58(1)(a) of MiCA do not apply to credit institutions. 117. Article 70 of MiCA establishes safekeeping requirements to CASPs that hold crypto-assets and funds other than EMTs on behalf of clients. Further, by virtue of Article 70(5), Article 70(2) and (3) do not apply to CASPs that are EMIs, PIs or credit institutions. Therefore, one potential reading of this exclusion could be that, funds other than EMTs held by CASPs that are EMIs or PIs, are required to be safeguarded in accordance with Article 10 of PSD2. 118. With regard to the safekeeping requirements, during the workshop organised by the EBA on 20 March 2025, some industry representatives expressed the need for more clarity on the provisions under Article 70 of MiCA, nevertheless that is not the purpose of the present Opinion since the related issues, if any, do not emerge from the interplay between MiCA and PSD2, but from MiCA itself. 119. The EBA acknowledges that the application of PSD2 safeguarding requirements to the EMTs held by CASPs/PSPs would strengthen clients’ rights even more but, given the application of Articles 48(3) and 54 of MiCA to the EMIs issuers and Article 70(1) of MiCA to the CASPs/PSPs, EMT’s holders would be protected by two sets of requirements. 120. Hence, if due to the EMT’s nature, the CASPs/PSPs, in addition to the application of safekeeping requirements in Article 70(1) of MiCA, also safeguarded EMTs according to PSD2, the measures to ensure clients’ rights would far exceed the risks intended to be covered and would not be proportionate. Especially considering that the implementation of PSD2 safeguarding methods to EMTs would generate significant challenges as, in some cases, CASPs/PSPs would have technological and operational difficulties to access such services and, in others, those methods may not be available or be disproportionately costly.

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 32 121. Further, risks associated with the services provided by the CASPs/PSPs to the EMT holders are expected to be adequately mitigated through the safekeeping measures that CASPs/PSPs must have in place according to Article 70 of MiCA. In fact, that Article explicitly foresees a clear differentiation between EMTs and funds other than EMTs and provides for specific treatment for each, both based on the nature of the funds. Consequently, the EBA is of the view that there are no grounds to require additional requirements from CASPs/PSPs. 7. Common and secure open standards of communication (Open Banking) PSD2 122. Article 4(17) of PSD2 defines an account servicing payment service provider (ASPSP) as a ‘payment service provider providing and maintaining a payment account for a payer’. In cases where payment accounts are accessible online, the PSD2 and the EBA’s RTS on SCA and CSC (Commission Delegated Regulation (EU) 2018/389) require ASPSPs to establish access interfaces through which third party providers (TPPs) can access accounts to offer account information services (AIS) and payment initiation services (PIS). The framework to allow the provision of these services is commonly referred to as ‘open banking’ (OB). 123. In addition, Article 33(4) of the RTS on SCA&CSC requires ASPSPs that have opted to develop an API to set up a contingency mechanism to allow account information service providers (AISP) and payment initiation service providers (PISP) to make use of the ASPSP’s clients’ interfaces in the event that the dedicated interface does not perform in accordance with adequate levels of availability and performance to ensure continuity in the provision of Open Banking services. MiCA 124. MiCA does not include any provisions that set out how access by third parties to data or services under it could be operationalised. The issue 125. Where custodial wallets are to be considered payment accounts, CASPs providing such wallets would be considered ASPSPs under PSD2 and would be required to develop an interface through which third party providers could access and provide their services. Furthermore, crypto-assetservices related to EMTs that also qualify as payment transactions under the PSD2 and are offered through custodial wallets would also be subject to the open banking requirements under PSD2 for third party providers to initiate via the mandatory interfaces. 126. Although access to data and transactions under PSD2 is aimed at facilitating innovation, enhancing competition for incumbent credit and payment institutions, and providing additional options to consumers, it would also result in a significant compliance burden for CASPs, which would need to develop and maintain a high performing interface. 127. Finally, one of the objectives of the Open Banking requirements in PSD2 was to further level

OPINION ON THE INTERPLAY BETWEEN PSD2 AND MICA 33 the playing field between incumbent credit and payment institutions and new entrants to the market. In the case of CASPs offering services under MiCA, this motivation may not be applicable because the CASPs themselves are the market challengers.