Central Bank of Ireland MiCAR Industry Briefing: Path to Success for CASP Licensing

Path to Success MiCAR Industry Briefing, March 28th 2025

2 Purpose of Today Today’s session provides the Central Bank with the opportunity to highlight; ➢The characteristics and practices we are observing in firms that are on the Path to Success; ➢The areas where we see Room for Improvement; ➢Key Challenges firms face; ➢The Central Bank’s Expectations of applicant firms; ➢Key Principles for Engagement to ensure firms are on the Path to Success to getting a CASP License.

3 Central Bank Overarching Authorisation and Supervisory Objectives ◼Protect consumers and safeguard users’ funds (including digital assets). ◼Be able to demonstrate autonomy and an appropriate level of ‘substance’ in Ireland, resulting in firms which are well governed, with appropriate cultures, effective risk management and control arrangements in place. ◼Be financially and operationally resilient. ◼Have business models which are viable and sustainable. ◼Be able to recover critical or important business services from a significant unplanned disruption, while minimising impact and protecting their customers and the integrity of the financial system. ◼If they cannot recover, be able to exit the market in a safe and orderly manner. Ensure that we have a stable, resilient and trustworthy financial sector, sustainably operating in the best interests of the public, consumers and the wider economy. Expectations of Firms

4 Authorisation Process Overview

5 Current Landscape NEW! BREACH vs Applicant Size Regulated Status vs vs Client Type vs vs Suite of Activities/Services Complexity We have a robust pipeline of diverse applicant firms.

6 Early and meaningful engagement with the Bank, including timely responses through authorisation process. Path to Success Good culture, vision and values, strong “tone from the top.” Clearly articulates business model and rationale for authorisation for specific activities or services provided. Has a strong risk management framework. Demonstrates good governance and controls. Characteristics of firms already on the Path to Success Open and willing to reflect on the Bank’s feedback. Exhibits a strong commitment to the jurisdiction. Incorporates strong consumer protection measures and adopts a client-centric approach. Places emphasis on the importance of safeguarding client assets. Compliant with & has a strong understanding of MiCAR regulations and is prepared to engage with the authorisation process Focused on providing strong AML and CFT frameworks.

7 Room for Improvement Areas for firms to address, opportunities for growth Poor response times, lack of meaningful engagement. Business model not clearly described. Substance and sufficient resourcing within this state is not demonstrated. Heavy reliance on outsourcing without strong evidence of strategic control and direction. Authorisation sought for activities/services that do not align with business model. Key documents, policies unavailable (or not localised). Unsuitable Board composition and/or key PCF roles not proposed or identified. Insufficient conflicts of interest risk mitigation within CASP. Business model proposed is in breach of regulation, e.g., ESMA Broker Model Opinion. Failure to demonstrate sufficient control over client assets (private keys, generation and storage).

➢ Governance and safeguarding of client assets are critical considerations for the Central Bank. ➢ Custody and administration of crypto assets is considered a significant risk area in the assessment of prospective applicant firms. ➢ Key Challenge: Utilising third parties for sub custodial services that are not authorised to do so ➢ Expectation: Article 75(9) of MiCAR requires sub-custody arrangements are only proposed when the third party is authorised as a CASP ➢ Key Challenge: Safekeeping & Controlling of assets on behalf of clients must be demonstrated ➢ Expectation: ownership of operational processes and control of client crypto assets must be demonstrated by the CASP. ➢ e.g., where non-CASP third parties provide support (operational, I.T, engineering etc.) they should not have autonomy over these processes. ➢ the CASP must be able to demonstrate that it retains exclusive control over clients’ crypto-assets (ownership of Master, Private and Back-up Key generation; wallet management; transactions signatory process). 8 Room for Improvement Focus Area: Custody & Safeguarding of Client Assets Ex-post oversight of processes is not sufficient to demonstrate control.

9 Room for Improvement Focus Area: Substance & Outsourcing ➢ Building an EU crypto ecosystem demands commitment, as such substance within the jurisdiction is of critical importance (the Central Bank has no appetite for “letter-box” entities). ➢ Leveraging intra-group entities and functions brings strong efficiencies but there are limits to the level of acceptable outsourcing. ➢ Many prospective CASPs will also be subject to outsourcing requirements under DORA. ➢ Key Challenge: firms must be appropriately established and effectively managed to meet the financial and operational requirements of their business model. ➢ Expectation: The local CASPs should have the power to autonomously make decisions and sufficient in-country personnel and executive management. Board includes at least 2 INEDs and an Independent Chair. ➢ Key Challenge: the extent and the role of third parties (e.g., group entities) in the provision of outsourced services and activities. ➢ Expectation: outsourcing of all core activities, or of the activities a firm seeks authorisation for, will not be acceptable. CBI Cross-Industry Guidance on Outsourcing

Key Challenges: reasons IQ applications may be returned as incomplete ➢ Insufficient information or documentation provided to demonstrate compliance with F&P standards, or MCC as applicable. ➢ Poor quality, omission of detail or lack of supporting documentation in respect of matters disclosed under Section 3, Professional Experience or Section 5, Reputation and Character. ➢ Invalid proposer (must be individual seeking PCF) and/or insufficient due diligence performed. ➢ Queries re: applicant’s F&P are not addressed sufficiently or not answered in a timely manner. 10 Room for Improvement Focus Area: Fitness & Probity Expectations ➢ FSPs are not permitted to appoint an individual to perform a PCF role without prior written approval of the Central Bank (Central Bank Reform Act 2010, Section 23). ➢ RFSPs are expected to have performed relevant due diligence in advance of the submission of an IQ for PCF approval and evidence of this may be requested as part of the assessment. ➢ PCF applicants and proposing RFSPs expected to demonstrate how they meet with F&P Standards (competent & capable; honest, ethical & acts with integrity; financially sound). Guidance on Fitness and Probity Standards Fitness and Probity: Individual Questionnaire, Applications and PCF Roles Guidance Fitness and Probity Standards

11 Room for Improvement Other Areas ➢ Key Challenge: poor response times, lack of meaningful engagement. ➢ Expectation: firms respond to queries in a timely manner and seek to engage proactively with the Central Bank when issues arise. Firms are open to reflecting on feedback from the Bank. ➢ Key Challenge: business model not clearly described or authorisation is sought for activities/services that do not align with business model. ➢ Expectation: firms should demonstrate their understanding of MiCAR by clearly articulating their business model and by ensuring that the authorisation activities sought are aligned with that model. ➢ Key Challenge: key documents, policies & procedure not available or not relevant to Irish entity. ➢ Expectation: firms must be able to provide the Central Bank with key documents as part of authorisation process. For applicants that are part of a global group, policies and procedures must be specific to the local entity and jurisdiction.

12 Path to Success – Engagement Principles ➢ We want to see a strong, well-functioning crypto ecosystem in the EU that is customer centric and has utility. ➢ The role and approach of applicant firms to the authorisation process is key to supporting this goal. ➢ To achieve this, firms should focus on; ➢ good quality submissions; ➢ timely engagement with the Central Bank; ➢ full alignment with MiCAR; ➢ an openness to reflect on feedback; ➢ a clear commitment to their European and Irish presence; ➢ Firms should be familiar with MiCAR resources and guidance published by the Central Bank and the ESAs. ➢ The Bank wants to see firms move successfully through the authorisation process and to that end, we will continue our extensive engagement with firms to help ensure that they are on the Path to Success.

13 Q&A Engagement Session PANEL MEMBERS ◼ Sonia Weafer - CASP Supervision & Authorisation ◼ Michael O’Callaghan - CASP Supervision & Authorisation ◼ Emmet O’Sullivan – Supervisory Support ◼ Sinead O’Riordan - Client Assets and Safeguarding