2025-02-26

Guidelines on procedures and policies, including client rights, in the context of crypto-asset transfer services under the Markets in Crypto-Assets Regulation (MiCA) regarding investor protection

The European Securities and Markets Authority (ESMA) issues guidelines to ensure consistent application of Article 82 of the MiCA Regulation regarding investor protection in crypto-asset transfer services. These guidelines mandate that crypto-asset service providers establish robust policies and procedures to deliver clear, pre-contractual information, specific transaction details, and transparent fee structures to clients. Additionally, the document outlines requirements for execution timelines, handling of refused or suspended transfers, and provider liability for unauthorized or incorrectly executed transfers.

Croatia

Croatian Financial Services Supervisory Agency

26/02/2025 ESMA35-1872330276-2032 Guidelines on procedures and policies, including client rights, in the context of services for the transfer of crypto-assets in accordance with the Regulation on Markets in Crypto-assets (MiCA) regarding investor protection

ESMA – 201-203 rue de Bercy – CS 80910 – 75589 Paris Cedex 12 – France – Tel. +33 (0) 1 58 36 43 21 – www.esma.europa.eu

Contents

1 Scope
2 Legislative references, abbreviations and definitions
  2.1 Legislative references
  2.2 Abbreviations
3 Purpose
4 Compliance and reporting obligations
  4.1 Status of the Guidelines
  4.2 Reporting requirements
5 Guidelines on policies and procedures in the context of crypto-asset transfer services
  5.1 General provisions on crypto-asset transfer policies and procedures (Guideline 1)
  5.2 Information on individual crypto-asset transfers (Guideline 2)
  5.3 Execution times and cut-off times (Guideline 3)
  5.4 Refusal or suspension of a client’s instruction for the transfer of crypto-assets or return of transferred crypto-assets (Guideline 4)
  5.5 Liability of crypto-asset service providers (Guideline 5)

1 Scope

Who?

  1. These Guidelines apply to: (i) competent authorities and (ii) crypto-asset service providers acting as crypto-asset transfer service providers on behalf of clients within the meaning of Article 3(1)(26) of the Regulation on Markets in Crypto-assets (MiCA).

What?

  2. These Guidelines apply in relation to Article 82 of the Regulation on Markets in Crypto-assets (MiCA).

When?

  3. These Guidelines shall start to apply 60 calendar days after the date of their publication on the ESMA website in all official EU languages.

2 Legislative references, abbreviations and definitions

2.1 Legislative references

ESMA Regulation: Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC [1]

MiCA Regulation: Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 [2]

TOFR Regulation: Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 [3]

[1] OJ L 331, 15.12.2010, p. 84.
[2] OJ L 150, 9.6.2023, p. 40–205.
[3] OJ L 150, 9.6.2023, p. 1–39.

2.2 Abbreviations

EC: European Commission
ESFS: European System of Financial Supervision
ESMA: European Securities and Markets Authority
EU: European Union

3 Purpose

  4. These Guidelines, developed by ESMA in close cooperation with the EBA, are based on Article 82(2) of the MiCA Regulation. The purpose of these Guidelines is to establish consistent, effective and efficient supervisory practices within the ESFS and to ensure a common, uniform and consistent application of the provisions of Article 82 of the MiCA Regulation. In particular, their purpose is to clarify the requirements for crypto-asset service providers providing crypto-asset transfer services on behalf of clients regarding procedures and policies, including client rights, in the context of crypto-asset transfer services. ESMA expects appropriate strengthening of investor protection in this regard. These Guidelines apply without prejudice to the relevant rules under the second Payment Services Directive, where applicable to relevant crypto-asset transfers, in particular of e-money tokens.

4 Compliance and reporting obligations

4.1 Status of the Guidelines

  5. In accordance with Article 16(3) of the ESMA Regulation, competent authorities and crypto-asset service providers must make efforts to comply with these Guidelines.

  6. Competent authorities to which these Guidelines apply should comply with them by incorporating them into their national legal or supervisory frameworks in an appropriate manner, even where certain Guidelines primarily relate to financial market participants. In such cases, competent authorities should ensure through supervision that crypto-asset service providers comply with the Guidelines.

4.2 Reporting requirements

  7. Within two months from the date of publication of the Guidelines on the ESMA website in all official EU languages, the competent authorities to which the Guidelines apply must notify ESMA whether they:
     i. are compliant with the Guidelines;
     ii. are not compliant with the Guidelines but intend to comply with them; or
     iii. are not compliant with the Guidelines and do not intend to comply with them.

  8. In case of non-compliance, competent authorities must also notify ESMA of the reasons for non-compliance with the Guidelines, within two months from the publication of the Guidelines on the ESMA website in all official EU languages.

  9. The notification form is available on the ESMA website [4]. After completion, the form is forwarded to ESMA.

  10. Crypto-asset service providers are not obliged to report on compliance with these Guidelines.

[4] See: https://www.esma.europa.eu/sites/default/files/library/esma42-110-1132_confirmation_of_compliance_with_guidelines.pdf

5 Guidelines on policies and procedures in the context of crypto-asset transfer services

5.1 General provisions on crypto-asset transfer policies and procedures (Guideline 1)

  11. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures (including appropriate tools) to provide the client with information and terms related to crypto-asset transfer services in a timely manner, in electronic form, before the client enters into any agreement for the provision of crypto-asset transfer services.

  12. The information provided should include at least the following elements:
     • name of the crypto-asset service provider, address of its registered office and all other addresses and means of communication relevant for communication with the crypto-asset service provider, including email address
     • name of the competent national authority responsible for supervising the crypto-asset service provider
     • description of the main features of the crypto-asset transfer service to be provided
     • description of the form and procedure for initiating or giving consent for the transfer of crypto-assets and withdrawal of the client’s instruction or consent, including specification of the information the client must provide to properly initiate or execute the crypto-asset transfer (including authentication method)
     • conditions under which the crypto-asset service provider may refuse the client’s instruction to execute the crypto-asset transfer
     • reference to the procedure or process established by the crypto-asset service provider to determine the time of receipt of the client’s instruction or consent for the crypto-asset transfer and any cut-off time established by the crypto-asset service provider
     • explanation, per crypto-asset, of which distributed ledger technology (DLT) network is supported for the transfer of the relevant crypto-asset
     • the longest execution time for the crypto-asset transfer service
     • for each DLT network, a reasonably estimated time or number of block confirmations required for the transfer to be irreversible on the DLT network or to be considered sufficiently irreversible in the case of probabilistic settlement, taking into account the rules and circumstances of the DLT network
     • all fees, charges or commissions payable by the client in connection with the crypto-asset transfer service, including those related to the manner and frequency of providing or making available information and, where appropriate, a breakdown of the amounts of these fees
     • means of communication, including basic information on technical requirements for client equipment and software (e.g. minimum software or mobile operating system), which the parties have agreed upon for the transfer of information or notifications related to the crypto-asset transfer service
     • manner and frequency of providing or making available information related to the crypto-asset transfer service
     • language or languages in which the agreement referred to in Article 82(1) of the MiCA Regulation will be concluded and communication will be conducted during that contractual relationship
     • secure procedure used by the crypto-asset service provider to notify the client in case of suspicion of fraud, actual fraud or security threats
     • means and time frame within which the client should notify the crypto-asset service provider of any unauthorized or incorrectly initiated or executed crypto-asset transfers, as well as the liability of the crypto-asset service provider, including the maximum amount for which it assumes liability, for unauthorized, incorrectly initiated or incorrectly executed transfers
     • client’s right to terminate the agreement for the provision of crypto-asset transfer services and the ways in which it can do so.

  13. Policies and procedures relating to crypto-asset transfer services should ensure that the crypto-asset service provider provides relevant information in an easily understandable manner and in a clear and comprehensible form.

  14. Policies and procedures under paragraph 12 should also ensure the following:
     • the client should be able to access or receive, upon request, at any time during the contractual relationship related to crypto-asset transfer services, the agreement referred to in Article 82(1) of the MiCA Regulation, as well as the information listed in paragraph 12, in electronic form
     • the client is informed in a timely manner of any planned changes to the information listed in paragraph 12 before the start of application of such changes.

  15. Crypto-asset service providers should be able to provide relevant information at the time of delivery of a copy of the draft agreement referred to in Article 82(1) of the MiCA Regulation.

  16. As a good practice, crypto-asset service providers are encouraged to take into account in the policies and procedures under paragraph 11 how to provide clients with educational materials to help them better understand their rights and the function and risks associated with the transfer of crypto-assets.

5.2 Information on individual crypto-asset transfers (Guideline 2)

  17. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures (including appropriate tools) to ensure that after receiving the client’s instruction for the transfer of crypto-assets, but before executing the crypto-asset transfer, the crypto-asset service provider provides the client with at least the following information:
     • a short and standardized warning on whether and when the crypto-asset transfer will be irreversible or sufficiently irreversible in the case of probabilistic settlement [5]
     • the amount of all fees for the crypto-asset transfer payable by the client and, if applicable, a breakdown of the amounts of these fees, distinguishing, for example, transaction fees (gas fees) charged for the transaction via the relevant DLT network and other fees charged by crypto-asset service providers for their services.

  18. Furthermore, the policies and procedures under the previous paragraph should ensure that the transfer is not initiated or executed before taking appropriate steps to achieve compliance with the TOFR Regulation, including its Article 14.

  19. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures (including appropriate tools) to ensure that after the execution of individual crypto-asset transfers, the crypto-asset service provider provides the client with at least the following information:
     • names of the sender and recipient of the transfer
     • the sender’s distributed ledger address or the sender’s crypto-asset account number
     • the recipient’s distributed ledger address or the recipient’s crypto-asset account number
     • reference code enabling the client to identify each crypto-asset transfer
     • amount and type of crypto-assets transferred or received
     • value date of the debit or value date of the credit of the crypto-asset transfer
     • amount of all fees, charges or commissions related to the crypto-asset transfer and, where appropriate, a breakdown of the amounts of these charges.

  20. The policies and procedures under paragraph 19 should also cover the frequency of providing the information listed in that paragraph, all charges or fees charged for providing the information, and the manner of providing the information.

  21. The information listed in paragraph 19 should be provided in electronic form and, if not provided more frequently than once a month, free of charge.

  22. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures (including appropriate tools) to ensure that, without prejudice to other applicable regulatory requirements, in the event of refusal, return or suspension of a crypto-asset transfer, the client is provided with at least the following information:
     • reason for the refusal, return or suspension
     • if applicable, how to rectify the situation of refusal, return or suspension
     • amount of all fees or charges payable by the client and the possibility of refund of costs.

[5] Depending on the type of consensus algorithms associated with the relevant DLT.

5.3 Execution times and cut-off times (Guideline 3)

  23. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures relating to at least:
     • cut-off time for receipt of client instructions for crypto-asset transfers which are considered to be received on the same working day
     • longest execution time depending on the crypto-asset transferred
     • reasonable estimate of the time or number of block confirmations required for the crypto-asset transfer to be irreversible on the DLT or sufficiently irreversible in the case of probabilistic settlement for each DLT network.

5.4 Refusal or suspension of a client’s instruction for the transfer of crypto-assets or return of transferred crypto-assets (Guideline 4)

  24. Crypto-asset service providers should establish, implement and maintain appropriate risk-based policies and procedures to determine whether and how to execute, refuse, return or suspend a crypto-asset transfer. Such policies and procedures should specifically take into account the relevant provisions of the TOFR Regulation, as referred to in the Guidelines of the European Banking Authority on preventing the use of the financial system for the purpose of money laundering and terrorist financing through certain crypto-asset transfers.

5.5 Liability of crypto-asset service providers (Guideline 5)

  25. Crypto-asset service providers should establish, implement and maintain appropriate policies and procedures determining the conditions for the liability of the crypto-asset service provider towards clients in the event of unauthorized, incorrectly initiated or incorrectly executed crypto-asset transfers.