2025-03-03

Application Form for Authorisation as a Crypto-Asset Service Provider under MiCAR

The Central Bank of Ireland issues this application form to regulate entities seeking authorisation as Crypto-Asset Service Providers under the Markets in Crypto Assets Regulation. Applicants must submit comprehensive details regarding their general information, three-year programme of operations, and specific prudential safeguards including capital and insurance requirements. The document further mandates detailed disclosures on governance arrangements, internal controls, and compliance with anti-money laundering and consumer protection standards.


Ireland

Central Bank of Ireland


Application Form for authorisation as a Crypto-Asset Service Provider Under Article 62 of Regulation (EU) 2023/1114 (Markets in Crypto Assets Regulation)

Contents

Application Details
Notes on completing the application
Declaration
Required Information

  1. General information
  2. Programme of operations
  3. Prudential requirements
  4. Governance arrangements and internal control mechanisms
  5. Business continuity
  6. Detection and prevention of money laundering and terrorist financing
  7. Management body
  8. Shareholders or members with qualifying holdings
  9. ICT systems and related security arrangements
  10. Segregation of clients’ crypto-assets and funds
  11. Complaints-handling
  12. Custody and administration policy
  13. Operating rules of the trading platform and market abuse detection
  14. Exchange of crypto-assets for funds or other crypto-assets
  15. Execution Policy
  16. Provision of advice or portfolio management on crypto-assets
  17. Transfer services
  18. Cross-border provision of crypto-asset services
  19. Other comments

Application Details

Dear CASP Authorisation Team,

In accordance with Article 2 of the Commission implementing Regulation (EU) XXXX/XXX, laying down implementing technical standards for the application of Regulation (EU) 2023/1114 of the European Parliament and of the Council with regard to standard forms, templates and procedures for the information to be included in the application for the authorisation of crypto-asset service providers, kindly find attached the application for authorisation.[1]

[1] This application form is based on a draft version of the regulatory technical standards (draft RTS) pursuant to Article 62(5) MiCAR, which specifies the information to be included in an application for authorisation as a crypto-asset service provider. The draft RTS may be subject to change which in turn may result in the Central Bank requesting the applicant to submit additional and/or adjusted required information.

Date
Name of the Applicant
Address
Nature of the application (tick the relevant box):
  • Authorisation
  • Change to the authorisation already obtained
Contact details of the designated point of contact:
  • Name
  • Status/position
  • Phone
  • Email

Notes on completing the application

  • Please do not complete this application form until you have read and are familiar with the Markets in Crypto Assets Regulation (EU) 2023/1114 (MiCAR) and Statutory Instrument No. 607 of 2024, European Union (Markets in Crypto-Assets) Regulations 2024.
  • The Central Bank is keen to ensure consumers have clarity around risks when they make financial decisions. As a result, the Central Bank expects that firms embed a culture where consumer protection and good governance are at the heart of all decision making. Applicant firms should be familiar with the updated Addendum to the Consumer Protection Code 2012.
  • All applications must be typed.
  • For each section, the applicant must answer all questions asked and must provide any information or documentation requested. Where there is a request for a “description” please provide a sufficiently detailed account of the requested information and specific reference to supporting documentation or underlying evidence. In the event that a question does not apply, the applicant must provide an explanation as to why it considers this the case.
  • Where the application is not complete, the Central Bank will notify the applicant and set a deadline by which the applicant is to provide any missing information.
  • All responses and documents provided must reference the relevant section in the Application Form.
  • For each section, where separate and distinct documentation is requested, applicants should ensure that these documents, along with any other supporting documents, are clearly marked and referenced in accordance with the relevant section.
  • Where possible, information provided should be in MSWord (or equivalent) format rather than scanned versions.
  • Application documentation should be submitted via KiteWorks to the CASP Authorisation Team.

The Central Bank may process personal data provided by you in order to fulfil its statutory functions or to facilitate its business operations. Any personal data will be processed in accordance with the requirements of data protection legislation. Any queries concerning the processing of personal data by the Central Bank may be directed to dataprotection@centralbank.ie. A copy of the Central Bank’s Data Protection Notice is available at www.centralbank.ie/fns/privacy-statement.

Declaration

We [applicant] declare that the submitted information is true, accurate, complete and not misleading and we have disclosed any other information, which might reasonably be considered relevant for the purpose of the application. Unless specifically stipulated otherwise, the information is up to date on the date of this application. Information indicating a future date is explicitly identified in the application and we undertake to notify the Central Bank in writing without delay if any such information should turn out to be untrue, inaccurate, incomplete or misleading.

Signature: X
Date: DD/MM/YYYY

Note: At least two directors, including the Chief Executive Officer, must sign the declaration.

Required Information

1. General information

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide an application that includes all of the following information:

a. The legal name, phone number and email of the applicant.
b. Any commercial or trading name used or to be used by the applicant.
c. The legal entity identifier (LEI) of the applicant.
d. The legal form of the applicant (including information on whether it will be a legal person or other undertaking) and, where available, its national identification number as well as evidence of its registration with the national register of companies.[2]
   [2] Typically the applicant’s Companies Registration Office registration number.
e. Date and Member State of the applicant’s incorporation or foundation.
f. Where applicable, the instruments of constitution, the articles of association and by-laws.
g. The address of the head office and, if different, of the registered office of the applicant.
h. Information on where the branches will operate, if any, and their legal entity identifiers (LEI), if available.
i. The domain name of each website operated by the applicant and the social media accounts of that applicant.
   Supplementary detail: The list should include the names of sub-domains and details of any content hosted on third-party platforms. Social media accounts include any medium that facilitates the interaction with clients.
j. Where the applicant is not a legal person, documentation to assess whether the level of protection ensured to third parties’ interests and the rights of the holders of crypto-assets, including in case of insolvency, is equivalent to that afforded by legal persons and that the applicant is subject to equivalent prudential supervision appropriate to their legal form.
k. Where the applicant intends to operate a trading platform for crypto-assets:
   (i) the physical address, phone number and email of the trading platform for crypto-assets;
   (ii) any commercial name of the trading platform for crypto-assets.

2. Programme of operations

1. An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide the programme of operations for the following three years, including all of the following information:

a. Where the applicant belongs to a group, an explanation of how the activities of the applicant will fit within the group strategy and interact with the activities of the other entities of the group, including an overview of the current and planned organisation and structure of the group.
b. An explanation of how the activities of the entities affiliated with the applicant, including where there are regulated entities in the group, is expected to affect the activities of the applicant. This explanation shall include a list of and information on the entities affiliated with the applicant, including where there are regulated entities, the services provided by these entities (including regulated services, activities and types of clients) and the domain names of each website operated by such entities.
c. A list of crypto-asset services that the applicant intends to provide as well as the types of crypto-assets to which the crypto-asset services will relate.
   Supplementary detail: Please include the business plan relating to the crypto-asset services you (intend to) provide, including the revenue and cost model of each crypto-asset service. The business plan should align with the financial projections referred to in section (m) below.
d. Other planned activities, regulated in accordance with Union or national law or unregulated, including any services, other than crypto-asset services, that the applicant intends to provide.
e. Whether the applicant intends to offer crypto-assets to the public or seek admission to trading of crypto-assets and if so, of what type of crypto-assets.
f. A list of jurisdictions, in and outside the European Union, in which the applicant plans to provide crypto-asset services, including information on the domicile of targeted clients and the targeted number by geographical area.
   Supplementary detail: Please include information regarding the crypto services that will be offered in each jurisdiction listed. With regard to non-EU jurisdictions, please specify which crypto-asset services will be provided and which regulatory framework applies to those services.
g. Types of prospective clients targeted by the applicant’s services.
h. A description of the means of access to the applicant’s crypto-asset services by clients, including all of the following:
   (i) the domain names for each website or other ICT-based application through which the crypto-asset services will be provided by the applicant and information on the languages in which the website will be available, the types of crypto-asset services that will be accessed through it and, where applicable, from which Member States the website will be accessible;
   (ii) the name of any ICT-based application available to clients to access the crypto-asset services, in which languages it is available and which crypto-asset services can be accessed through it.
i. The planned marketing and promotional activities and arrangements for the crypto-asset services, including:
   (i) all means of marketing to be used for each of the services, the means of identification that the applicant intends to use and information on the relevant category of clients targeted and types of crypto-assets;
   (ii) languages that will be used for the marketing and promotional activities.
   Supplementary detail: This should include details on how the CASP ensures that their marketing meets the requirements of Article 66 of Regulation (EU) 2023/1114 and the requirements of the Consumer Protection Code.
j. A detailed description of the human, financial and ICT resources allocated to the intended crypto-asset services as well as their geographical location.
k. The applicant’s outsourcing policy and a detailed description of the applicant’s planned outsourcing arrangements, including intra-group arrangements, how the applicant intends to comply with the requirements set out in Article 73 of Regulation (EU) 2023/1114.[3] The applicant shall also include information on the functions or person responsible for outsourcing, the resources (human and ICT) allocated to the control of the outsourced functions, services or activities of the related arrangements and on the risk assessment related to the outsourcing.
   Supplementary detail: Please also provide an outsourcing register in line with the expectations of the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02). Please refer to section 12 Custody and administration policy e (iii) to ensure any such arrangements are provided for in the management of outsourcing providers.
   [3] Applicant firms that are proposing to outsource activities must be satisfied that they can adhere to the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and the Central Bank of Ireland – Cross Industry Guidance on Outsourcing. A gap analysis demonstrating compliance with these guidance documents must be submitted.
l. The list of entities that will provide outsourced services, their geographical location and the relevant services outsourced.
m. A forecast accounting plan including stress scenarios at an individual and, where applicable, at consolidated group and sub-consolidated level in accordance with Directive 2013/34/EU. The financial forecast shall consider any intra-group loans granted or to be granted by and to the applicant.[4]
   Supplementary detail: This should include financial projections for the three years following the granting of authorisation on a baseline and stress scenario basis, including: forecast balance sheets; forecast income statements; forecast cash flow statements, where applicable; and clearly articulated underlying assumptions and the basis for such assumptions. The stress testing should consider severe but plausible financial stress scenarios and non-financial stress scenarios, such as liquidity shocks, credit shocks, market risk shocks, redemption risk and operational and third party shocks.
   [4] See Section 3(b) below and Section 2(c) regarding alignment with business plan.
n. Any exchange of crypto-assets for funds and other crypto-asset activities that the applicant intends to undertake, including through any decentralised finance applications with which the applicant wishes to interact on its own account.

2. Where the applicant intends to provide the service of reception and transmission of orders for crypto-assets on behalf of clients, please provide a copy of the policies and procedures and a description of the arrangements ensuring compliance with the requirements set out in Article 80 of Regulation (EU) 2023/1114.

3. Where the applicant intends to provide the service of placing of crypto-assets, please provide a copy of the policies and procedures and a description of the arrangements in place to comply with Article 79 of Regulation (EU) 2023/1114 as well as Article 9 of [RTS on conflicts of interest of CASPs].

3. Prudential requirements

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide all of the following information:

Please provide the following information:

a. A description of the applicant’s prudential safeguards in accordance with Article 67 of Regulation (EU) 2023/1114, consisting of:
   (i) the amount of the prudential safeguards that the applicant has in place at the time of the application for authorisation and the description of the assumptions used for its determination;
   (ii) the amount of the prudential safeguards covered by own funds referred to in Article 67(4), point (a), of Regulation (EU) 2023/1114, where applicable;
   (iii) the amount of the applicant’s prudential safeguards covered by an insurance policy referred to in Article 67(4), point (b), of Regulation (EU) 2023/1114, where applicable.
b. Forecast calculations[5] and plans to determine own funds, including:
   (i) forecast calculation of the applicant’s prudential safeguards for the first three business years;
   (ii) planning assumptions including stress scenarios for the above forecast as well as explanations of the figures;
   (iii) expected number and type of clients, volume of orders and transactions and expected maximum amount of crypto-assets under custody.
   Supplementary detail: Refer to Section 2(m) above.
   [5] Detailed financial projections are required covering the first three years of operation including projected income statement, balance sheet and capital requirements in Excel format showing all formulas. This should clearly set out all underlying assumptions. See Section 2(m) above.
c. For companies that are already active, the financial statements of the last three years approved, where audited, by the external auditor.
d. A description of the applicant’s prudential safeguards planning and monitoring policies and procedures.
   Supplementary detail: Please submit a Capital Management policy setting out the applicant firm’s approach to capital planning and controls to monitor and manage prudential safeguards including how the approach to capital planning is aligned to the risk appetite statement and risk management framework. The policy should document the procedures for assessing any additional capital needs inherent to the business model, such as market or operational risks.
e. Proof that the applicant meets the prudential safeguards in accordance with Article 67 of Regulation (EU) 2023/1114, including:
   (i) in relation to own funds:
     • Documentation on how the applicant has calculated the amount in accordance with Article 67 of Regulation (EU) 2023/1114;
     • For undertakings in the process of being incorporated, a statement issued by a bank certifying that the funds are deposited in the applicant’s bank account;
   (ii) in relation to the insurance policy or comparable guarantee:
     • The legal name, the date and Member State of incorporation or foundation, the address of the head office and, if different, of the registered office and contact details of the undertaking authorised to provide the insurance policy or comparable guarantee;
     • A copy of the subscribed insurance policy incorporating all the elements necessary to comply with Article 67(5) and (6) of Regulation (EU) 2023/1114, where available, or
     • A copy of the insurance agreement incorporating all the elements necessary to comply with Article 67(5) and (6) of Regulation (EU) 2023/1114 signed by an undertaking authorised to provide insurance in accordance with Union law or national law.
4. Governance arrangements and internal control mechanisms

1. An applicant seeking authorisation as a crypto asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide the following information on its governance arrangements and internal control mechanisms:

a. A detailed description of the organisational structure of the applicant, where relevant encompassing the group, including the indication of the distribution of the tasks and powers and the relevant reporting lines and the internal control arrangements implemented together with an organisational chart.
   Supplementary detail: Please also provide a description on how the applicant firm intends to comply with the requirement set out under Article 68(5) of Regulation (EU) 2023/1114.
b. The personal details of the heads of internal functions (management, supervisory and internal control functions), including their location and a curriculum vitae, stating relevant education, and professional training and professional experience and a description of the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them.
   Supplementary detail: Please cross-reference with Section 7 1(d) where relevant.
c. The policies and procedures and a detailed description of the arrangements put in place to ensure that relevant staff are aware of the policies and procedures, which must be followed for the proper discharge of their responsibilities.
d. The policies and procedures and a detailed description of the arrangements put in place to maintain adequate and orderly records of the business and internal organisation of the applicant in accordance with Article 68(9) of Regulation (EU) 2023/1114.
e. The policies and procedures and a detailed description of the arrangements to enable the management body to assess and periodically review the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2 and 3 of Title V of Regulation (EU) 2023/1114 in accordance with Article 68(6) of the same Regulation including all of the following:
   (i) identification of the internal control functions in charge of monitoring the policy arrangements and procedures put in place to comply with Chapters 2 and 3 of Title V of Regulation (EU) 2023/1114, together with the scope of their responsibility and reporting lines to the management body of the applicant;
   (ii) indication of the periodicity of internal control functions reporting to the management body of the applicant on the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2 and 3 of Title V of Regulation (EU) 2023/1114;
   (iii) explanation of how the applicant ensures that the internal control functions operate independently and separately from the functions they control, have access to the necessary resources and information, and that those internal control functions can report directly to the management body of the applicant both at least once a year and on an ad hoc basis including where they detect a significant risk of failure for the applicant to comply with its obligations;
   (iv) a description of the ICT systems, safeguards and controls put in place to monitor the activities of the applicant and ensure compliance with Chapters 2 and 3 of Title V of Regulation (EU) 2023/1114, including back-up systems, and ICT systems and risk controls, where not provided in accordance with Article 9 of this Regulation.
   Supplementary detail: The submission should also document the role of the three lines of defence, and include the Risk Appetite Framework, Compliance and Internal Audit Plan. The documentation submitted should reflect the procedure for monitoring and reporting the risk management, compliance and internal audit activities, the effectiveness of controls and escalation processes.
f. The policies and procedures and a detailed description of the arrangements established by the applicant to ensure compliance with its obligations under Chapters 2 and 3 of Title V of Regulation (EU) 2023/1114, including:
   (i) the applicant’s record keeping arrangements in accordance with [RTS on recordkeeping by crypto-asset services providers];
   (ii) a detailed description of the procedures for the applicant’s employees to report potential or actual infringements of MiCAR in accordance with Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law.
g. Where relevant, a description of the arrangements put in place to prevent and detect market abuse in accordance with Article 92 of Regulation (EU) 2023/1114.
   Supplementary detail: Please refer to the draft regulatory technical standard (RTS) regarding arrangements, systems, and procedures for detecting and reporting suspected market abuse. Please also include a description of any alerting or market monitoring software used to detect market abuse.
h. Whether the applicant has appointed or will appoint external auditors and, if that is the case, their name and contact details, when available.
i. A description of the accounting policies and procedures by which the applicant will record and report its financial information, including the start and end dates of the applied accounting year.

2. As part of the information on policies and procedures established to ensure compliance with Chapters 2 and 3 of Title V of Regulation (EU) 2023/1114, please provide all of the following information on the management of risks relating to conflicts of interests:

a. A copy of the applicant’s conflicts of interest policy, together with a description of how the policy:
   (i) ensures that the applicant identifies and prevents or manages conflicts of interests in accordance with Article 72(1) of Regulation (EU) 2023/1114 and discloses conflicts of interest in accordance with Article 72(2) of Regulation (EU) 2023/1114;
   (ii) is commensurate to the scale, nature and range of crypto-asset services that the applicant intends to provide and of the other activities of the group to which it belongs;
   (iii) ensures that the remuneration policies, procedures, and arrangements do not create conflicts of interest.
   Supplementary detail: Please refer to section 12(e) (ii) Custody and administration policy.
b. How the applicant’s conflicts of interest policy ensures compliance with Article 4(9) of [RTS on conflicts of interest of CASPs], including information on the systems and arrangements put in place by the applicant to:
   (i) monitor, assess, review the effectiveness of its conflicts of interests policy and remedy any deficiencies;
   (ii) record cases of conflicts of interests, including the identification, assessment, remedy and whether the case was disclosed to the client;

5. Business continuity

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall submit to the competent authority a detailed description of the applicant’s business continuity plan, including which steps shall be taken to ensure continuity and regularity in the performance of the applicant’s crypto-asset services.

In circumstances where an applicant firm gets into difficulty and cannot recover (this includes scenarios where the applicant firm may undertake a strategic exit as well as an unexpected crisis or insolvency event that makes the applicant unviable), it will need to be wound down in an orderly manner without significant externalities, with specific provision for the return of customer assets and funds in an efficient and timely manner. Please submit details of the applicant firm’s Wind-Down Plan that demonstrates compliance with Article 74 of Regulation (EU) 2023/1114.

The description should include details showing that the established business continuity plan is appropriate and that arrangements are set up to maintain and periodically test it. The description should explain, with regard to critical or important functions supported by third-party service providers, how business continuity is ensured in the event that the quality of the provision of such functions deteriorates to an unacceptable level or fails. The description should also explain how business continuity is ensured in the event of the death of a key person and, where relevant, political risks in the service provider’s jurisdiction.

6. Detection and prevention of money laundering and terrorist financing

(i) Registered VASPs

Applicant firms registered as a VASP in Ireland should confirm that there have been no changes since registration to both the business model (nature, scale and complexity) and the AML/CFT Framework. If there have been changes, the applicant firm must highlight the rationale for any such changes and complete the Anti-Money Laundering, Countering the Financing of Terrorism and Financial Sanctions Pre-Authorisation Risk Evaluation Questionnaire.

(ii) New applications

Applicant firms not registered as a VASP in Ireland must complete the Anti-Money Laundering, Countering the Financing of Terrorism and Financial Sanctions Pre-Authorisation Risk Evaluation Questionnaire.

18 7. Management body Please do not complete this section until you have read and are familiar with the joint EBA and ESMA Guidelines on the suitability assessment of members of management body of issuers of asset-referenced tokens and of crypto-asset service providers. The information required, as outlined below, is requested under the Central Banks Fitness and Probity Regime and related processes and therefore does not need to be provided on this form; a clear reference to the Individual Questionnaire submitted will suffice. See additional information in the Fitness and Probity for Regulated Firms section of the Central Bank website. An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide all of the following information for each member of the management body: Ref. Details Supplementary detail a. The full name and, where different, name at birth. b. The place and date of birth, address and contact details of the current place of residence and of any other place of residence in the past ten years, nationality/ies, personal national identification number and copy of an official identity document or equivalent. c. Details of the position held or to be held by the person, including whether the position is executive or non￾executive, the start date or planned start date and, where applicable, the duration of mandate, and a description of the person’s key duties and responsibilities. d. 
A curriculum vitae stating relevant education, professional training and professional experience with the name and nature of all organisations for which the individual has worked and the nature and duration of the functions performed, in particular, highlighting any activities within the scope of the position sought, including professional experience relevant to financial services, crypto-assets, or other digital assets, distributed ledger technology, information technology, cybersecurity, or digital innovation; for positions held in the previous 10 years. When describing the aforementioned activities, details should be included on all delegated powers, internal decision-making powers held, and the areas of operations under control. Please submit a curriculum vitae as an attachment to the Individual Questionnaire in the Fitness and Probity Profile.

e. Documentation relating to the person's reputation and experience, in particular, a list of reference persons including contact information and letters of recommendation.
f. Personal history, including all of the following:
   (i). criminal records, including criminal convictions and any ancillary penalties and information on pending criminal proceedings or investigations or penalties (including relating to commercial law, financial services law, money laundering, and terrorist financing, fraud or professional liability), information on enforcement proceedings or sanctions, information on relevant civil and administrative cases and disciplinary actions, including disqualification as a company director, bankruptcy, insolvency and similar procedures, through an official certificate (if and so far as it is available from the relevant Member State or third country), or through another equivalent document, where such certificate does not exist. For ongoing investigations, the information may be provided through a declaration of honour. Official records, certificates and documents must have been issued within three months before the submission of application for an authorisation;
   (ii). information on any refusal of registration, authorisation, membership or licence to carry out a trade, business or profession; or the withdrawal, revocation or termination of such a registration, authorisation, membership or licence to carry out a trade, business or profession; or any expulsion by a regulatory or government body or by a professional body or association;
   (iii). information on dismissal from employment or a position of trust, fiduciary relationship, or similar situation;
   (iv). information on whether another competent authority has assessed the reputation of the individual, including the identity of that authority, the date of the assessment and information about the outcome of that assessment. The applicant will not need to submit such information about the previous assessment where the competent authority is already in possession of such information.

g. A description of any financial and non-financial interests or relationships of the person and his/her close relatives to members of the management body and key function holders in the same institution, the parent institution and subsidiaries and shareholders. Such description shall include any financial interests, including crypto-assets, other digital assets, loans, shareholdings, guarantees or security interests, whether granted or received, commercial relationships, legal proceedings and whether the person was a politically exposed person as defined in point (9) of article 3 of Directive (EU) 2015/849 over the past two years.
h. Where a material conflict of interest is identified, a statement of how that conflict will be satisfactorily mitigated or remedied, including a reference to the outline of the conflicts of interest policy.
i. Information on the time that will be devoted to the performance of the person’s functions within the applicant, including all of the following:
   (i). the estimated minimum time, per year and per month, that the individual will devote to the performance of his or her functions within the applicant;
   (ii). a list of the other executive and non-executive directorships that the person holds, referring to commercial and non-commercial activities or set up for the sole purposes of managing the economic interests of the person concerned;
   (iii). information on the size and complexity of the companies or organisations where the mandates referred to in point (ii) are held, including total assets, based on the last available annual accounts whether or not the company is listed and the number of employees of those companies or organisations;
      Supplementary detail: Required in instances where such additional detail is relevant.
   (iv). a list of any additional responsibilities associated with the mandates referred to in point (ii), including chairing a committee;
      Supplementary detail: Required in instances where such additional detail is relevant.
   (v). the estimated time in days per year dedicated to each of the other mandates referred to in point (ii) and the number of meetings per year dedicated to each mandate.

For the purposes of paragraph 1, points (f)(i) and (ii), the applicant should provide the information through an official certificate (if and so far as it is available from the relevant Member State or third country), or through another equivalent document, where such certificate does not exist. Official records, certificates and documents must have been issued within three months before the submission of application for an authorisation. For ongoing investigations, the information may be provided through a declaration of honour.

Please provide the suitability policy and the results of any suitability assessment of each member of the management body performed by the applicant, and the results of the assessment of the collective suitability of the management body, including the relevant board minutes or suitability assessment report or documents on the outcome of the suitability assessment.

8. Shareholders or members with qualifying holdings

Please do not complete this section until you have read and are familiar with the joint EBA and ESMA Guidelines on the suitability assessment of members of management body of issuers of asset-referenced tokens and of crypto-asset service providers.

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide all of the following information:

a. A detailed organogram of the holding structure of the applicant, including the breakdown of its capital and voting rights and the names of the shareholders or members with qualifying holdings.

b. For each shareholder or member holding a direct or indirect qualifying holding in the applicant, the information and documents set out in Articles 1 to 4 of the [RTS specifying the content of the information necessary to carry out the assessment of the proposed acquisition of a qualifying holding] as applicable.
c. The identity of each member of the management body who will direct the business of the applicant and will have been appointed by, or following a nomination from, such shareholder or member with qualifying holdings.
d. For each shareholder or member holding a direct or indirect qualifying holding, information on the number and type of shares or other holdings subscribed, their nominal value, any premium paid or to be paid, any security interests or encumbrances, including the identity of the secured parties.
e. Information referred to in Article 6, points (b), (d) and (e) and in Article 8 of the [RTS specifying the content of the information necessary to carry out the assessment of the proposed acquisition of a qualifying holding].

9. ICT systems and related security arrangements

Applicants seeking authorisation as a Crypto Asset Service Provider are required to comply with the Digital Operational Resilience Act (“DORA”) (Regulation (EU) 2022/2554) and Regulation (EU) 2023/1114.

To support the authorisation application process the Central Bank utilises an IT Risk Questionnaire (“ITRQ”), which has been developed in line with the requirements of Regulation (EU) 2023/1114 and DORA, as the means of assessing an applicant’s compliance during the application stage for Authorisation. The Central Bank will provide the ITRQ to each applicant firm at the end of the Key Facts Document (KFD) stage together with additional guidance on completion.

10. Segregation of clients’ crypto-assets and funds

Where the applicant intends to hold crypto-assets belonging to clients or the means of access to such crypto-assets, or clients’ funds (other than e-money tokens), the applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide a detailed description of its procedures for the segregation of clients’ crypto assets and funds, including all of the following:

a. How the applicant ensures that:
   (i). clients’ funds are not used for its own account;
   (ii). crypto-assets belonging to the clients are not used for its own account;
   (iii). the wallets holding clients’ crypto-assets are different from the applicant’s own wallets.
   Supplementary detail: In accordance with Article 75 (7), please include details on how crypto-assets held in custody are legally and operationally segregated from the crypto-asset service provider’s estate.
b. A detailed description of the approval system for cryptographic keys and safeguarding of cryptographic keys (for instance, multi-signature wallets).
   Supplementary detail: Please include details of:
      i. the access controls and geographic location of staff with access to the cryptographic keys;
      ii. the infrastructure and security controls for crypto-assets held in a secured location; and
      iii. the wallet reconciliation process.
c. How the applicant segregates clients’ crypto-assets, including from other clients’ crypto-assets in the event of wallets containing crypto-assets of more than one client (omnibus accounts).
d. A description of the procedure to ensure that clients’ funds (other than e-money tokens) are deposited with a central bank or a credit institution by the end of the business day following the day on which they were received and are held in an account separately identifiable from any accounts used to hold funds belonging to the applicant.
   Supplementary detail: Please include details regarding:
      i. the bank account(s) where client funds will be deposited;
      ii. the internal controls relating to the safeguarding of clients’ funds including bank account access controls; and
      iii. the bank reconciliation processes.
e. Where the applicant does not intend to deposit funds with the relevant central bank, which factors the applicant is taking into account to select the credit institutions to deposit clients’ funds, including the applicant’s diversification policy, where available, and the frequency of review of the selection of credit institutions to deposit clients’ funds.
f. How the applicant ensures that clients are informed in clear, concise and non-technical language about the key aspects of the applicant’s systems and policies and procedures to comply with Article 70(1), (2) and (3) of Regulation (EU) 2023/1114.

In accordance with Article 70(5) of Regulation (EU) 2023/1114, crypto-asset service providers that are electronic money institutions or payment institutions shall only provide the information listed in paragraph 1 above in relation to the segregation of clients’ crypto-assets.

11. Complaints-handling

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide a detailed description of the applicant’s complaints handling policies and procedures, including all of the following:

a. Information on the human and technical resources allocated to complaints handling.
b. Information on the person in charge of the resources dedicated to the management of complaints, together with a curriculum vitae stating relevant education, professional training and professional experience justifying the skills, knowledge and expertise for the discharge of the responsibilities allocated to him or her.

c. How the applicant ensures compliance with the requirements set out in Article 1 of [RTS on complaints handling by CASPs].
d. How the applicant will inform clients or potential clients of the possibility to file a complaint free of charge, including where and how on the applicant’s website, or on any other relevant digital device that may be used by clients to access the crypto-asset services.
   Supplementary detail: In addition, please outline what information will be provided.
e. The applicant’s record-keeping arrangements in relation to complaints.
f. The timeline provided in the complaints-handling policies and procedures of the applicant to investigate, respond and, where appropriate, take measures in response to complaints received.
g. How the applicant will inform clients or potential clients of the available remedies.
h. The procedural key steps of the applicant in making a decision on a complaint and how the applicant will communicate this decision to the client or potential client who filed the complaint.

12. Custody and administration policy

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 and intending to provide the service of custody and administration of crypto-assets on behalf of clients shall provide all of the following information:

a. A description of the arrangements linked to the type or types of custody offered to clients, a copy of the applicant’s standard agreement for the custody and administration of crypto-assets on behalf of clients as well as a copy of the summary of the custody policy made available to clients in accordance with Article 75(3) of Regulation (EU) 2023/1114.
b. The applicant’s custody and administration policy, including a description of identified sources of operational and ICT risks for the safekeeping and control of the crypto-assets or the means of access to the crypto-assets of clients, together with:
   (i). the policies and procedures, and a description of, the arrangements to ensure compliance with Article 75(8) of Regulation (EU) 2023/1114;
   (ii). the policies and procedures, and a description of the systems and controls, to manage those risks, including when the custody and administration of crypto-assets on behalf of clients is outsourced to a third party;
   (iii). the policies and procedures relating to, and a description of, the systems to ensure the exercise of the rights attached to the crypto-assets by the clients;
   (iv). the policies and procedures relating to, and a description of, the systems to ensure the return of crypto-assets or the means of access to the clients.
      Supplementary detail: Please include details of the information available to enable the efficient and effective distribution of client assets in the event of the crypto-asset service provider’s insolvency, including:
      - List of agreements with third parties holding client assets
      - Location of books and records
      - Details of client asset accounts on the general ledger system
      - Location of most recent reconciliations and rebalancing statements.
c. Information on how the crypto-assets and the means of access to the crypto-assets of the clients are identified.
d. Information on arrangements to minimise the risk of loss of crypto-assets or of means of access to crypto-assets.
e. Where the crypto-asset service provider has delegated the provision of custody and administration of crypto-assets on behalf of clients to a third-party:
   (i). information on the identity of any third-party providing the service of custody and administration of crypto-assets and its status in accordance with Article 59 or Article 60 of Regulation (EU) 2023/1114;
   (ii). a description of any functions relating to the custody and administration of crypto-assets delegated by the crypto-asset service provider, the list of any delegates and sub-delegates (as applicable) and any conflicts of interest that may arise from such a delegation;
      Supplementary detail: Please refer to section 4(2) (a) Governance arrangements and internal control mechanisms.
   (iii). a description of how the applicant intends to supervise the delegations or sub-delegations.
      Supplementary detail: Please refer to section 2(k) Programme of operations.

13. Operating rules of the trading platform and market abuse detection

  1. An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 and intending to operate a trading platform for crypto-assets shall provide a description of all of the following:

a. Rules regarding the admission of crypto-assets to trading.
b. The approval process for admitting crypto-assets to trading, including the customer due diligence carried out in accordance with Directive (EU) 2015/849.
c. The list of any categories of crypto-assets that will not be admitted to trading and the description of the reasons for such exclusion.
d. The policies, procedures, and fees for the admission to trading, together with a description, where relevant, of membership, rebates and the related conditions.
e. The rules governing order execution, including any cancellation procedures for executed orders and for disclosing such information to market participants.
f. The policies and procedures adopted to assess the suitability of crypto-assets in accordance with Article 76(2) of Regulation (EU) 2023/1114.
g. The systems, procedures and arrangements put in place to comply with Article 76(7) points (a) to (h) of Regulation (EU) 2023/1114.
h. The systems, procedures and arrangements to make public any bid and ask prices, the depth of trading interests at those prices which are advertised for crypto-assets through their trading platforms and price, volume and time of transactions executed in respect of crypto-assets traded on their trading platforms.
   Supplementary detail: Please also include information explaining any use of matched principal trading, as per Article 76(6) of Regulation (EU) 2023/1114.
i. The fee structures and a justification of how they comply with the requirements laid down in Article 76(13) of Regulation (EU) 2023/1114.
j. The systems, procedures and arrangements to keep data relating to all orders at the disposal of the Central Bank or the mechanism to ensure that the Central Bank has access to the order book and any other trading system.
k. With regard to the settlement of transactions:
   (i). whether the final settlement of transactions is initiated on the distributed ledger or outside the distributed ledger;
   (ii). the timeframe within which the final settlement of crypto-asset transactions is initiated;
   (iii). the systems and procedures to verify the availability of funds and crypto-assets;
   (iv). the procedures to confirm the relevant details of transactions;
   (v). the measures foreseen to limit settlement fails;
   (vi). the definition of the moment at which settlement is final and the moment at which final settlement is initiated following the execution of the transaction.
l. The policies, procedures, and systems to detect and prevent market abuse, including information on the communications to the competent authority of possible market abuse cases.
   Supplementary detail: Please also include a description of any market surveillance software used to detect market abuse.

  2. Applicants intending to operate a trading platform for crypto-assets should provide a copy of the operating rules of the trading platform and of any policies and procedures to detect and prevent market abuse.

14. Exchange of crypto-assets for funds or other crypto-assets

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 and intending to provide the service of exchange of crypto-assets for funds or other crypto-assets shall provide all of the following information:

a. A description of the commercial policy established in accordance with Article 77(1) of Regulation (EU) 2023/1114.
b. The methodology for determining the price of the crypto-assets that the applicant proposes to exchange for funds or other crypto-assets in accordance with Article 77(2) of Regulation (EU) 2023/1114, including how the volume and market volatility of crypto-assets impact the pricing mechanism.
   Supplementary detail: Please include details of any data sources utilised for price discovery.

15. Execution Policy

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 and intending to provide the service of executing orders for crypto-assets on behalf of clients shall provide its execution policy, including all of the following:

a. The arrangements to ensure the client has provided consent on the execution policy prior to the execution of the order.
b. A list of the trading platforms for crypto-assets on which the applicant will rely for the execution of orders and the criteria for the assessment of execution venues included in the execution policy in accordance with Article 78(6) of Regulation (EU) 2023/1114.
c. Which trading platforms it intends to use for each type of crypto-asset and confirmation that it will not receive any form of remuneration, discount or non-monetary benefit in return for routing orders received to a particular trading platform for crypto-assets.
d. How the execution factors of price, costs, speed, likelihood of execution and settlement, size, nature, conditions of custody of the crypto-assets or any other relevant factors are considered as part of all necessary steps to obtain the best possible result for the client.
e. Where applicable, the arrangements for informing clients that the applicant will execute orders outside a trading platform and how the applicant will obtain the prior express client consent before executing such orders.
f. How the client is warned that any specific instructions from a client may prevent the applicant from taking the steps that it has designed and implemented in its execution policy to obtain the best possible result for the execution of those orders in respect of the elements covered by those instructions.
g. The selection process for trading venues, execution strategies employed, the procedures and processes used to analyse the quality of execution obtained and how the applicant monitors and verifies that the best possible results were obtained for clients.
h. The arrangements to prevent the misuse of any information relating to clients’ orders by the employees of the applicant.
i. The arrangements and procedures for how the applicant will disclose to clients information on its order execution policy and notify them of any material changes to their order execution policy.
j. The arrangements to demonstrate compliance with Article 78 of Regulation (EU) 2023/1114 to the Central Bank, upon its request.

16. Provision of advice or portfolio management on crypto-assets

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 and intending to provide advice on crypto-assets or portfolio management of crypto-assets shall provide all of the following information:

a. The policies and procedures and a detailed description of the arrangements put in place by the applicant to ensure compliance with Article 81(7) of Regulation (EU) 2023/1114. This information shall include details on:
   (i). the mechanisms to control, assess and maintain effectively the knowledge and competence of the natural persons providing advice or portfolio management on crypto-assets;
   (ii). the arrangements to ensure that natural persons involved in the provision of advice or portfolio management are aware of, understand and apply the applicant’s internal policies and procedures designed to ensure compliance with Regulation (EU) 2023/1114, especially Article 81(1) of Regulation (EU) 2023/1114 and anti-money laundering and anti-terrorist financing obligations in accordance with Directive (EU) 2015/849;
   (iii). the amount of human and financial resources planned to be devoted on a yearly basis by the applicant to the professional development and training of the staff providing advice or portfolio management on crypto-assets.
b. The arrangements adopted by the applicant to ensure that the natural persons giving advice on behalf of the applicant have the necessary knowledge and expertise to conduct the suitability assessment referred to in Article 81(1) of Regulation (EU) 2023/1114.

17. Transfer services

An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 and intending to provide transfer services for crypto-assets on behalf of clients shall provide all of the following information:

a. Details on the types of crypto-assets for which the applicant intends to provide transfer services.
b. Policies and procedures and a detailed description of the arrangements put in place by the applicant to ensure compliance with Article 82 of Regulation (EU) 2023/1114, including detailed information on the applicant’s arrangements and deployed ICT and human resources to address risks promptly, efficiently and thoroughly during the provision of transfer services for crypto-assets on behalf of clients, considering potential operational failures and cybersecurity risks.
c. If any, a description of the applicant’s insurance policy, including on the insurance’s coverage of detriment to clients’ crypto-assets that may result from cyber security risks.
d. Arrangements to ensure that clients are adequately informed about the policies and procedures and arrangements referred to in point (b).

18. Cross-border provision of crypto-asset services

An applicant seeking to provide crypto-asset services in other EU Member States should provide all of the following information:

a. A list of the Member States in which the applicant intends to provide crypto-asset services.
b. The crypto-asset services that the crypto-asset service provider intends to provide on a cross-border basis including the type of service provision (i.e. establishment of a branch, or free movement of services).
c. Starting date of the intended provision of the crypto-asset services.
d. List of all other activities proposed to be provided, in other Member States, by the crypto-asset service provider not covered by Regulation (EU) 2023/1114.

19. Other comments

www.centralbank.ie