2025-03-26
The European Securities and Markets Authority (ESMA) issued these guidelines to ensure consistent application of suitability requirements and periodic reporting formats for crypto-asset service providers offering portfolio management services under MiCA. The document mandates that providers clearly inform clients about the suitability assessment process, collect proportionate and accurate data regarding their financial situation and investment objectives, and maintain robust mechanisms to verify client understanding of risks. Additionally, it establishes specific standards for the format and content of periodic reports to enhance investor protection and regulatory convergence across the EU.
26/03/2025 ESMA35-1872330276-2031 Guidelines on certain aspects of suitability requirements and the format of periodic reports for portfolio management activities in accordance with the Regulation on Markets in Crypto-Assets (MiCA Regulation)
ESMA - 201-203 rue de Bercy - CS 80910 - 75589 Paris Cedex 12 - France - Tel. +33 (0) 1 58 36 43 21 - www.esma.europa.eu
Contents
1 Scope
2 Legislative references, abbreviations and definitions
2.1 Legislative references
2.2 Abbreviations
2.3 Definitions
3 Purpose
4 Compliance and reporting obligations
4.1 Status of guidelines
4.2 Reporting requirements
5 Guidelines on certain aspects of suitability requirements in accordance with the Regulation on Markets in Crypto-Assets
5.1 Information for clients on the purpose of the suitability assessment and its scope (1. guideline)
5.2 Measures necessary to understand clients (2. guideline)
5.3 Scope of data to be collected from clients (proportionality) (3. guideline)
5.4 Reliability of client information (4. guideline)
5.5 Updating client information (5. guideline)
5.6 Client information for legal persons or groups (6. guideline)
5.7 Measures necessary to understand crypto-assets (7. guideline)
5.8 Measures necessary to ensure the suitability of crypto-assets or crypto-asset services (guideline 8.)
5.9 Costs and complexity of equivalent products (9. guideline)
5.10 Costs and benefits of replacing investments (10. guideline)
5.11 Staff qualifications (11. guideline)
6 Guidelines on the format of periodic reports for crypto-asset portfolio management
6.1 Permanent medium (1. guideline)
6.2 Internet system access (2. guideline)
6.3 Content of the periodic report (3. guideline)
1 Scope
Who?
2 Legislative references, abbreviations and definitions
2.1 Legislative references
ESMA Regulation: Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EU and repealing Commission Decision 2009/77/EC [1]
Regulation on Markets in Crypto-Assets (MiCA Regulation): Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 [2]
2.2 Abbreviations
ESFS: European System of Financial Supervision
ESMA: European Securities and Markets Authority
EU: European Union
2.3 Definitions
Suitability assessment: The entire process of collecting client data and the subsequent assessment carried out by a crypto-asset service provider of the suitability of a specific crypto-asset for a client, which is based on both a solid understanding which the crypto-asset service provider has of the crypto-asset in order to be able to recommend it or invest in it on behalf of the client
Robo-advice: Provision of crypto-asset advice or crypto-asset portfolio management services (in whole or in part) using an automated or semi-automated system used to interact with the client
[1] OJ L 331, 15.12.2010, p. 84.
[2] OJ L 150, 9.6.2023, p. 40.
3 Purpose
4. These guidelines are based on Article 81(15) of the Regulation on Markets in Crypto-Assets and Article 16(1) of the ESMA Regulation. The purpose of these guidelines is to establish consistent, effective and efficient supervisory practices within the ESFS and to ensure a common, uniform and consistent application of the provisions of Article 81(1), (7), (8), (10), (11), (12) and (14) of the Regulation on Markets in Crypto-Assets, as appropriate.
5. They specifically aim to promote greater convergence in the application of requirements and in supervisory approaches to the suitability requirements of the Regulation on Markets in Crypto-Assets and to the requirements applicable to the format of the periodic report that crypto-asset service providers providing crypto-asset portfolio management services must submit.
6. By identifying a number of key issues, as set out in the guidelines below, and thereby helping to ensure that crypto-asset service providers comply with regulatory standards, ESMA anticipates a corresponding strengthening of investor protection.
4 Compliance and reporting obligations
4.1 Status of guidelines
7. In accordance with Article 16(3) of the ESMA Regulation, competent authorities and financial market participants must make efforts to comply with these guidelines.
8. Competent authorities to which these guidelines apply should comply with them by incorporating them into their national legal or supervisory frameworks in an appropriate manner, even where certain guidelines primarily relate to financial market participants. In that case, competent authorities should ensure through supervision that financial market participants adhere to the guidelines.
4.2 Reporting requirements
9. Within two months from the date of publication of the guidelines on the ESMA website in all official EU languages, the competent authorities to which these guidelines apply must notify ESMA whether i. they are compliant with the guidelines, ii. they are not compliant but intend to comply with the guidelines or iii. they are not compliant and do not intend to comply with the guidelines.
10. In the case of non-compliance, competent authorities must also notify ESMA of the reasons for non-compliance with the guidelines, within two months from the publication of the guidelines on the ESMA website in all official EU languages.
11. The notification form is available on the ESMA website. Once completed, the form is forwarded to ESMA.
12. Financial market participants are not required to report on compliance with these guidelines.
5 Guidelines on certain aspects of suitability requirements in accordance with the Regulation on Markets in Crypto-Assets
5.1 Information for clients on the purpose of the suitability assessment and its scope (1. guideline)
Relevant legislation: Article 66(1) and (2) and Article 81(1), (8), (10) and (11) of the Regulation on Markets in Crypto-Assets.
13. Crypto-asset service providers should inform their clients in a clear and simple manner about the suitability assessment and its purpose, which is to enable the crypto-asset service provider to act in the best interest of the client. This should include a clear explanation that the crypto-asset service provider is responsible for carrying out the assessment so that clients understand i. the reason why they are asked to provide certain information, ii. the importance that such information is up-to-date, accurate and complete and iii. that without such information the crypto-asset service provider will not recommend crypto-asset services or crypto-assets nor start managing crypto-asset portfolios. This information may be provided in a standardised format.
14. Information on the suitability assessment should help clients understand the purpose of the requirement. It should encourage them to provide up-to-date, accurate and sufficient data on their knowledge, experience, investment objectives (including their risk tolerance) and financial situation (including their ability to bear losses). Crypto-asset service providers should highlight to clients that it is important to collect complete and accurate data so that the crypto-asset service provider can recommend a suitable crypto-asset or crypto-asset services to the client. Without this information, crypto-asset service providers cannot provide crypto-asset advice or crypto-asset portfolio management services.
15. The crypto-asset service provider itself decides how to inform its clients about the suitability assessment. However, the form used should allow for controls to verify whether information has been provided.
16. Crypto-asset service providers should not create ambiguity or confusion regarding their responsibilities in the suitability assessment process for crypto-asset services or crypto-assets. Crypto-asset service providers should particularly avoid emphasising or creating the impression that the client is the one deciding on the suitability of the investment or service or that the client is the one determining which crypto-asset or crypto-asset services correspond to their risk profile. For example, crypto-asset service providers should avoid indicating to the client that a certain crypto-asset is the one chosen by the client as suitable or asking the client to confirm that a certain crypto-asset or crypto-asset service is suitable.
17. Any disclaimer (or other similar statements) intended to limit the liability of the crypto-asset service provider for the suitability assessment should not in any way affect the characteristics of the crypto-asset service offered to clients in practice nor the assessment of the compliance of the crypto-asset service provider with the relevant requirements. For example, when collecting the necessary client data to carry out the suitability assessment (such as investment timeframe / holding period or information related to risk tolerance), crypto-asset service providers should not claim that they are not assessing suitability.
18. In order to clarify to clients the crypto-asset services provided via robo-advice, which they may not understand, crypto-asset service providers should, in addition to providing other requested information, do the following:
• offer a very clear explanation of the exact degree and extent of human involvement and whether and how the client can request interaction with humans
• explain that the answers provided by clients will directly affect the determination of suitability of investment decisions recommended or made on their behalf
• describe the sources of information used for investment advice services or portfolio management services (e.g. if an online questionnaire is used, crypto-asset service providers should explain that answers to questions could be the exclusive basis for robo-advice and whether the crypto-asset service provider has access to information or accounts of other clients)
• explain how and when client information will be updated in relation to their situation, personal circumstances, etc.
19. Crypto-asset service providers should also carefully consider whether their disclosures are designed to be effective (e.g. disclosures are directly accessible to clients and are not hidden or incomprehensible). For crypto-asset service providers offering robo-advice, this may particularly include:
• highlighting relevant information (e.g. by using design features such as pop-ups)
• considering whether some information needs to be accompanied by interactive text (e.g. by using design features such as tooltips) or other means to provide additional details to clients seeking further information (e.g. using a frequently asked questions section).
5.2 Measures necessary to understand clients (2. guideline)
Relevant legislation: Article 81(1), (8) and (10) of the Regulation on Markets in Crypto-Assets.
20. When collecting information necessary to carry out the suitability assessment for each client, crypto-asset service providers should ensure that the questions they ask their clients are sufficiently precise, will likely be understood correctly, take into account elements developed in guideline 3 and that any method used to collect information is designed to obtain the information necessary for the suitability assessment.
21. Crypto-asset service providers should ensure that the assessment of collected data on their clients is carried out consistently, regardless of the method by which that information was collected.
22. For example, crypto-asset service providers may use questionnaires (especially in digital form) completed by their clients, information collected during discussions with them or other information already collected within the existing relationship between the crypto-asset service provider and the client. For example, non-compliance with other obligations may indicate a difficult financial situation.
23. When drafting questionnaires to collect data on their clients for the purpose of carrying out the suitability assessment, crypto-asset service providers should be careful and take into account the most common reasons why clients might answer questions inaccurately.
Specifically:
• attention should be paid to the clarity, comprehensiveness and thoroughness of the questionnaire, avoiding misleading, confusing, imprecise and overly technical language
• the structure should be carefully developed, avoiding steering client choices (font, spacing…)
• asking multiple questions at once should be avoided (collecting data on a number of items with one question, especially when assessing knowledge and experience and risk tolerance)
• crypto-asset service providers should carefully consider the order in which they ask questions to collect information effectively
• to ensure the collection of necessary information, the option to avoid answering should generally not be offered in questionnaires (especially when collecting data on the client's financial situation).
24. Crypto-asset service providers should also take reasonable steps to assess whether the client understands investment risks and the link between risk and investment returns, as this is a key factor enabling crypto-asset service providers to act in the best interest of the client when carrying out the suitability assessment. When asking questions in this regard, crypto-asset service providers should clearly and simply explain that the purpose of their answers is to help assess the client's attitude towards risk (risk profile), and thus whether crypto-asset services or crypto-assets are suitable for them (and, if suitable, what types and risks are associated with them).
25. Information necessary to carry out the suitability assessment covers various circumstances that may affect, for example, the analysis of the client's financial situation (including their ability to bear losses) or investment objectives (including their risk tolerance).
Examples of such circumstances include the following client data:
• marital status (especially the client's legal capacity to dispose of assets that may also belong to their partner)
• family situation (changes in the client's family situation can affect their financial situation, e.g. a newborn child or a child of university age)
• age (which is particularly important to ensure a correct assessment of investment objectives, especially the level of financial risk the client is willing to accept, and the holding period / investment timeframe indicating willingness to hold investments for a certain period)
• employment-related situation (level of job security or the fact that the client is close to retirement can affect their financial situation or investment objectives)
• need for liquidity for certain investments or need to finance a future financial obligation (e.g. purchase of real estate, education costs).
26. When determining the necessary information, crypto-asset service providers should take into account the impact that any significant change related to that information may have on the suitability assessment.
27. ESMA considers that it would be good practice for crypto-asset service providers to consider non-financial elements when collecting data on clients' investment objectives and, in addition to the elements listed in paragraph 25, to collect data on environmental, social and governance factors preferred by the client, to be taken into account within the suitability assessment.
28. Crypto-asset service providers should take all reasonable steps to effectively assess whether their clients understand the main features and risks associated with the types of products offered by the crypto-asset service provider.
For a correct assessment of the client's knowledge and experience, it is particularly important that crypto-asset service providers identify mechanisms that avoid unjustified reliance on the client's self-assessment and ensure consistency of the answers provided by the client [3]. Information that the crypto-asset service provider collects on the client's knowledge and experience should be considered together, with the goal of a comprehensive assessment of their understanding of products and services and the risks involved in recommended transactions or managing their portfolio.
29. It is also important that crypto-asset service providers assess the client's understanding of basic financial concepts such as investment risk (including concentration risk) and the risk-return relationship. For this purpose, crypto-asset service providers should consider applying indicative and comprehensive examples of loss/return levels that may arise in relation to the level of risk taken and should assess the client's reaction to such scenarios.
30. Within the framework of assessing the client's knowledge and experience, crypto-asset service providers should ensure that the client understands crypto-assets, particularly the risks inherent in the use of distributed ledger technology (e.g. cyber theft, hacking, loss or destruction of private keys) on which crypto-assets are based.
31. Crypto-asset service providers should draft their questionnaires so that they can collect the necessary data on the client. This is particularly important for crypto-asset service providers offering robo-advice services given the limited human interaction.
To ensure compliance with the requirements relating to this assessment, crypto-asset service providers should also take into account factors such as:
• whether the crypto-asset service provider can conclude on the basis of data collected via online questionnaires that the advice provided is suitable for its clients based on their knowledge and experience, their financial situation and their investment objectives and needs
• whether the questions in the questionnaire are sufficiently clear and/or whether the questionnaire is designed to provide clients with additional explanations or examples as needed (e.g. by using design features such as tooltips and pop-ups)
• whether clients have access to human interaction (among others via email and mobile phones) during the completion of online questionnaires
• whether steps have been taken to address inconsistent client answers (such as introducing design features in the questionnaire to warn clients when their answers are inconsistent and encourage them to reconsider those answers or introducing a system that would automatically flag inconsistent data provided by the client for the crypto-asset service provider to review or take subsequent action).
5.3 Scope of data to be collected from clients (proportionality) (3. guideline)
Relevant legislation: Article 81(1), (8) and (10) of the Regulation on Markets in Crypto-Assets.
32. Before providing crypto-asset advice or crypto-asset portfolio management, crypto-asset service providers should collect all "necessary information" [4] on the client's knowledge and experience, financial situation, investment objectives and basic understanding of the risks associated with purchasing crypto-assets, taking into account the nature and scope of the service provided. The scope of "necessary" information may vary, and crypto-asset service providers should determine the scope of information collected from clients with regard to all features of the crypto-asset advice or crypto-asset portfolio management service provided to that client. Specifically, crypto-asset service providers should take into account the features of the crypto-asset advice or crypto-asset portfolio management service to be provided, the type and features of the crypto-asset to be considered and the features of the client.
[4] The term "necessary information" should be interpreted as information that crypto-asset service providers must collect to meet the suitability requirements under the Regulation on Markets in Crypto-Assets.
33. When determining what information is "necessary" regarding the client's knowledge and experience, crypto-asset service providers should take into account f