2024-12-17

Final Report on Guidelines specifying certain requirements of the Markets in Crypto Assets Regulation (MiCA) on investor protection – third package

The European Securities and Markets Authority (ESMA) issued final guidelines to specify investor protection requirements under the Markets in Crypto Assets Regulation (MiCA) regarding suitability assessments and periodic statements for portfolio management services. These guidelines align MiCA suitability principles with MiFID II standards, requiring crypto-asset service providers to evaluate client knowledge, financial situation, and risk tolerance, while also clarifying that asset-referenced and electronic money tokens are generally considered safer than other crypto-assets. Additionally, ESMA established rules for the format and frequency of periodic portfolio statements and provided guidance on procedures for crypto-asset transfer services to ensure consistent application across the EU.

17 December 2024
ESMA35-1872330276-1936

Final Report
Guidelines specifying certain requirements of the Markets in Crypto Assets Regulation (MiCA) on investor protection – third package

ESMA - 201-203 rue de Bercy - CS 80910 - 75589 Paris Cedex 12 - France - Tel. +33 (0) 1 58 36 43 21 - www.esma.europa.eu

Table of Contents

1 Executive Summary
2 Aspects of the suitability requirements applicable to the provision of advice and portfolio management in crypto-assets and the format of the periodic statement referred to in Article 81(14) of MiCA
  2.1 Background and legal basis
  2.2 Feedback to the consultation
    2.2.1 Suitability assessment
    2.2.1 Periodic statement for portfolio management services
3 Guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets
  3.1 Background and legal basis
  3.2 Feedback to the consultation
4 Annexes
  4.1 Annex I: Cost-benefit analysis
  4.2 Annex II: SMSG advice to ESMA on its third consultation paper on the Markets in Crypto Assets Regulation (MiCA)
  4.3 Annex III: Guidelines on certain aspects of the suitability requirements and format of the periodic statement for portfolio management activities under MiCA
  4.4 Annex IV: Guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets

Acronyms and definitions used

CP: Consultation Paper
ESMA: European Securities and Markets Authority
ESMA Regulation: Regulation (EU) 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision 716/2009/EC and repealing Commission Decision 2009/77/EC
EU: European Union
MiCA: Regulation (EU) 2023/1114 of the European Parliament and the Council of 31 May 2023 on markets in crypto-assets [1]
MiFID II: Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU
NCAs: National competent authorities
SMSG: Securities and Markets Stakeholder Group established under Regulation (EU) No 1095/2010

[1] Regulation (EU) 2023/1114 of the European Parliament and the Council of 31 May 2023 on markets in crypto-assets (OJ L 150, 9.6.2023, p. 40–205).

1 Executive Summary

Reasons for publication

MiCA requires ESMA to submit regulatory technical standards (RTS) and guidelines on a variety of topics. On 25 March 2024, ESMA published a CP to seek stakeholders’ views on ESMA’s proposals for 1 RTS and 3 sets of guidelines. The consultation period closed on 25 June 2024. ESMA received 32 responses, 7 of which were confidential. The answers received are available on ESMA’s website [2] unless respondents requested otherwise. ESMA sought the advice of the SMSG established under Article 37 of the ESMA Regulation.

Contents

Sections 2 to 3 set out the feedback statements relating to i) the guidelines on certain aspects of the suitability requirements and the periodic statement for portfolio management and ii) the guidelines on the policies and procedures, including the rights of clients, providing transfer services for crypto-assets, which were both included in the aforementioned ESMA public consultation. Section 4 contains the Annexes. Annex I contains the cost-benefit analysis. Annex II sets out the advice of the SMSG. Annex III contains the full text of the guidelines on certain aspects of the suitability requirements and format of the periodic statement for portfolio management activities. Annex IV contains the guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets.

Next Steps

The two sets of guidelines in Annex III and IV will be translated into the official EU languages and published on ESMA’s website. The publication of the translations in all official languages of the EU will trigger a two-month period during which NCAs must notify ESMA whether they comply or intend to comply with the guidelines.

[2] See: https://www.esma.europa.eu/press-news/consultations/consultation-technical-standards-specifying-certain-requirements-mica-3rd#responses

Article 81(15) of MiCA: ESMA shall, by 30 December 2024, issue guidelines in accordance with Article 16 of Regulation (EU) No 1095/2010 specifying: […] (b) the information referred to in paragraph 8; and (c) the format of the periodic statement referred to in paragraph 14

2 Aspects of the suitability requirements applicable to the provision of advice and portfolio management in crypto-assets and the format of the periodic statement referred to in Article 81(14) of MiCA

2.1 Background and legal basis

Legal background

Suitability assessment

  1. The assessment of suitability is an important investor protection requirement under MiCA. It applies to the provision of advice on crypto-assets (whether independent or not) and portfolio management of crypto-assets. In accordance with the obligations set out in paragraphs 1, 8 and 10 to 13 of Article 81 of MiCA, crypto-asset service providers providing advice on crypto-assets or portfolio management of crypto-assets have to provide suitable recommendations to their clients or have to make suitable investment decisions on behalf of their clients.
  2. Article 81(15) of MiCA gives ESMA a mandate to issue guidelines on the information that crypto-asset service providers shall obtain from their clients or prospective clients regarding their knowledge of, and experience in, investing (including in crypto-assets), their investment objectives (including risk tolerance), their financial situation (including their ability to bear losses), and their basic understanding of the risks involved in purchasing crypto-assets, so as to enable crypto-asset service providers to recommend to clients or prospective clients whether or not the crypto-assets and crypto-asset services are suitable for them and, in particular, are in accordance with their risk tolerance and ability to bear losses.

Periodic statement for portfolio management services

  3. Under Article 81(14) of MiCA, crypto-asset service providers providing the service of portfolio management of crypto-assets shall provide to their clients periodic statements of the portfolio management activities carried out on their behalf.
  4. Article 81(15)(c) of MiCA gives ESMA a mandate to issue guidelines on the format of the periodic statement referred to in Article 81(14) of MiCA.

Background

Suitability assessment

  5. ESMA, in accordance with the mandate it has received under Article 81(15)(b), addresses the information that crypto-asset service providers shall collect from clients in the guidelines presented in Annex III. ESMA is however of the view that further aspects of the suitability requirements under MiCA are worthy of guidance to ensure a consistent and harmonised application of the requirements related to the suitability assessment, so as to strengthen investor protection, a key objective for ESMA. ESMA therefore is complementing the guidelines issued on the basis of the mandate in Article 81(15) of MiCA by own-initiative guidelines in the same area, based on Article 16(1) of the ESMA Regulation.
  6. Hence, the draft guidelines also deal with topics such as the criteria for the assessment of client’s knowledge and experience, the importance of the information provided to clients about the suitability assessment and the necessary arrangements to ensure the suitability of an assessment.
  7. In addition, ESMA has taken the ESMA Guidelines on certain aspects of the MiFID II suitability requirements [3] (the “MiFID II guidelines”) as a basis for the draft guidelines in the CP. This is because the MiCA suitability requirements obey the same principles as, and are similar to, the suitability requirements provided by MiFID II, in relation to which ESMA has built extensive guidance.
  8. ESMA is of the view that some principles provided in the MiFID II guidelines should apply to market participants providing advice or portfolio management services, be it in relation to financial instruments (under MiFID II) or crypto-assets (under MiCA). Clients should also benefit from the same level of protection when they invest in financial instruments and/or in crypto-assets, especially as such services may be provided by the same entity engaging in activities related to both categories of investment products.

[3] Available here.

  9. ESMA is of the view that such an approach is in line with MiCA as the suitability requirements provided in MiCA are almost identical to the MiFID II requirements, although less detailed.
  10. For the purpose of the draft guidelines presented in the CP, ESMA however considered and adapted the MiFID II guidelines through the prism of crypto-assets markets.

Periodic statement for portfolio management services

  11. The periodic statement for portfolio management services shall include a fair and balanced review of the activities undertaken and of the performance of the portfolio during the reporting period, an updated statement of how the activities undertaken meet the preferences, objectives and other characteristics of the client, as well as updated information on the suitability assessment referred to in paragraph 1 or its review under paragraph 12.
  12. This periodic statement is to be provided at least every 3 months, unless the client has access to an online system where up-to-date valuations of the client’s portfolio and updated information on the suitability assessment referred to in paragraph 1 can be accessed. The crypto-asset service provider must however have evidence that the client has accessed a valuation at least once during the relevant quarter.
  13. The legal mandate under Article 81(15)(c) of MiCA requires ESMA to issue guidelines further specifying the format of the periodic statement for portfolio management services (referred to in Article 81(14) of MiCA). Article 81(14) of MiCA already provides that the periodic statement shall be provided in an electronic format. ESMA considered that further aspects related to the format of the periodic statement should be clarified (Guideline 1 of the draft guidelines in the CP).
  14. In addition, ESMA considered that other aspects pertaining to the periodic statement for portfolio management services, which are not addressed by the mandate in Article 81(15)(c) of MiCA, may also benefit from guidance, especially since the obligation for crypto-asset service providers offering portfolio management services to provide such statement is entirely new.
  15. A similar requirement also applies under the MiFID II framework to investment firms providing portfolio management services and the MiFID II framework regulates additional aspects in comparison to Article 81(14) of MiCA. Besides, the same entities may be providing portfolio management services under MiCA and MiFID II. It may thus be appropriate to provide further guidance under MiCA to ensure consistency between the two regimes, when this is possible.

  16. On this basis, ESMA decided to draw on the existing MiFID II requirements to also provide further guidance in relation to the periodic statement for portfolio management services to be provided under MiCA.

2.2 Feedback to the consultation

2.2.1 Suitability assessment

  17. The point that seemed to raise the most comments and objections was that the draft guidelines in the CP took the view that there are no safe crypto-assets. Many respondents disagreed with this statement. Some objected that this could not be said for asset-referenced tokens and electronic money tokens.
  18. Asset-referenced tokens are crypto-assets designed to be more stable as they are backed by a specific pool of underlying assets (called reserve of assets under MiCA), including fiat currencies, and are meant to maintain a stable value thanks to that reserve of assets. Electronic money tokens also purport to maintain a stable value by referencing the value of one official currency. In addition, both asset-referenced tokens and electronic money tokens are subject to more stringent requirements attached to their issuance and their issuers are subject to authorisation requirements.
  19. ESMA agrees that asset-referenced tokens and electronic money tokens should, generally, be considered safer than crypto-assets other than asset-referenced tokens and electronic money tokens. This is because they are backed by a reserve of assets, including fiat currencies, and should therefore have reduced volatility. They are also more scrutinised by national competent authorities which should reduce the risk of mismanagement.
  20. Consequently, ESMA amended the guidelines attached hereto in Annex III so as to remove this statement.

Q8: Do you agree with ESMA’s approach regarding consistency between the MiCA and MiFID II suitability regimes? If you think that the two regimes should diverge, where and for which reasons?

  21. The vast majority of respondents, including the SMSG, agreed with the approach taken by ESMA to have consistency between the MiCA and MiFID II regimes with respect to the suitability assessment. Only 3 respondents strongly disagreed with this approach – 2 of which are significant crypto-asset services firms – and argued instead for a lighter regime under MiCA for a variety of reasons such as: crypto-asset service providers are newly regulated actors and should thus benefit from a more gradual and proportional approach, or crypto-assets are not as varied as financial instruments under MiFID II and, consequently, the suitability assessment need not be as thorough as required under MiFID II.
  22. The MiCA and MiFID II suitability regimes are based on the same core principles. Article 81(8) of MiCA makes it clear that the same factors must be considered when conducting a suitability assessment under MiCA as under MiFID II. These include the client’s knowledge and experience in investments (including crypto-assets), their investment objectives (including risk tolerance), their financial situation and ability to bear losses, and their basic understanding of the risks associated with purchasing crypto-assets.
  23. Therefore, all the information required by Article 81(8) of MiCA must be collected, and the suitability of a crypto-asset should be evaluated based on all these factors before a crypto-asset service provider can present it as suitable for the client or invest in it on their behalf, as part of portfolio management services.
  24. Co-legislators introduced some proportionality and a more flexible regime in MiCA, which does not impose appropriateness requirements, unlike MiFID II. Nevertheless, when the suitability requirements apply, a full suitability assessment must be conducted before a crypto-asset can be deemed suitable for the client.
  25. On this basis as well as the largely positive feedback received, ESMA confirmed the approach adopted in the CP in the guidelines attached hereto as Annex III.
  26. ESMA also noted, based on the responses received, that there seems to be some confusion or misunderstanding, at least for certain actors, as to the scope and how the suitability assessment works. One respondent also expressed concerns relating to the lack of clarity of the definition of advice under MiCA.
  27. ESMA would like to clarify that a suitability assessment is only required where a crypto-asset service provider provides advice on crypto-assets or portfolio management on crypto-assets. There is no such requirement for other crypto-asset services. Therefore, where crypto-asset service providers do not want to have to carry out a suitability assessment, they should ensure that they cannot be regarded as providing advice or portfolio management services on crypto-assets. [4] However, if they are providing advice, the suitability assessment should be conducted in every instance, even for occasional advice.
  28. Lastly, one respondent also argued that the suitability assessment under MiCA should be lighter than the suitability assessment under MiFID II because there are many categories of financial instruments under MiFID II whilst crypto-assets are more homogeneous.
  29. ESMA fundamentally disagrees with such an interpretation. While MiCA indeed refers to only 3 categories of crypto-assets (asset-referenced tokens (ARTs), electronic money tokens (EMTs) and other crypto-assets that are not ARTs and EMTs), the suitability assessment applies in any case to the individual crypto-asset/transaction and the risks it carries.

[4] Although issued in relation to investment advice on financial instruments under the MiFID II framework, the following supervisory briefing may provide some helpful guidance on the circumstances where advice is provided: ESMA Supervisory Briefing on understanding the definition of advice under MiFID II.

Q9: Do you think that the draft guidelines should be amended to better fit crypto-assets and the relevant crypto-asset services? In which regard? Please justify your answer.

  30. Many respondents, even those agreeing with ESMA’s overall approach, were of the view that the guidelines should be amended to better fit crypto-assets. Many, however, did not specify how.

Understanding of the underlying technology and risks associated (Guideline 3)

  31. Some respondents suggested including in the guidelines the requirement that, as part of the assessment of a client’s knowledge and experience, crypto-asset service providers should also collect information and assess whether the client understands the underlying technology and risks associated with it (for instance, risk of transferring crypto-assets to the wrong address, hacking risks).
  32. ESMA would like to point out that draft Guideline 3, paragraph 52, second bullet point, in the CP already included wording to the effect that crypto-asset service providers should ensure that the information regarding a client’s or potential client’s knowledge and experience in investing, including in the crypto-asset field, includes whether the client understands distributed ledger technology, on which crypto-assets are based, and the risks inherent to it. ESMA, however, amended paragraph 34 of Guideline 3 in Annex III to include examples of risks inherent to the underlying technology.

Good practice in relation to environmental, social and governance (ESG) factors (Guideline 2)

  33. Many respondents disagreed with the inclusion in the draft guidelines in the CP of the good practice relating to ESG factors (paragraph 27 of Guideline 2 (Arrangements necessary to understand clients) in the CP). As previously explained in the CP, the MiFID II guidelines were reviewed recently to integrate new obligations relating to sustainability preferences into the suitability requirements under MiFID II. [5] In contrast with MiFID II and the MiFID II Delegated Regulation, MiCA does not include an express obligation to collect information on clients’ or potential clients’ sustainability preferences. ESMA thus did not include in the draft guidelines in the CP the new additions relating to sustainability preferences that were introduced in the latest version of the MiFID II guidelines.
  34. ESMA believes that, while not mandatory, this good practice could be beneficial, as some clients may be interested in selecting crypto-assets that align more closely with their ESG objectives. Since different crypto-assets may have varying ESG impacts, such criteria could be relevant when conducting suitability assessments, though they are not required.

[5] Delegated Regulation (EU) 2021/1253 as regards the integration of sustainability factors, risks and preferences into certain organisational requirements and operating conditions for investment firms, which was part of the Commission’s Action Plan ‘Financing Sustainable Growth’, published in March 2018.

Inconsistencies in the data collected (Guideline 4)

  35. Some respondents requested clarifications on circumstances where the data collected, either under MiCA solely or under MiCA and MiFID II, included inconsistencies.
  36. ESMA wishes to highlight that such an occurrence is already addressed in the draft guidelines in the CP in paragraph 55 of draft Guideline 4. Where this happens, crypto-asset service providers should “contact the client in order to resolve any material potential inconsistencies or inaccuracies”.

Portfolio approach (Guideline 8)

  37. A number of respondents also objected to the draft guidelines allowing crypto-asset service providers providing portfolio management services to assess the suitability of crypto-assets taking into consideration the portfolio of the client as a whole (paragraph 84 of the draft guidelines in the CP).
  38. ESMA wishes to clarify that the portfolio approach (that is also permitted under MiFID II) would actually provide some flexibility to crypto-asset service providers. It consists in evaluating the suitability of a transaction by considering the client’s entire investment portfolio, rather than assessing each investment in isolation. It is a possibility but not an obligation. Paragraph 84 of draft Guideline 8 in the CP makes this clear: “When conducting a suitability assessment, a crypto-asset service provider providing the service of portfolio management of crypto-assets […] On the other hand, with regard to the client’s financial situation and investment objectives, the suitability assessment about the impact of the crypto-asset(s) and transaction(s) can be done at the level of the client’s portfolio as a whole” [emphasis added] and “When a crypto-asset service provider conducts a suitability assessment based on the consideration of the client’s portfolio as a whole within the service of advice on crypto-assets, this means that, on the one hand, the level of knowledge and experience of the client should be assessed regarding each crypto-asset and risks involved in the related transaction. On the other hand, with regard to the client’s financial situation and investment objectives, the suitability assessment about the impact of the product and transaction can be done at the level of the client’s portfolio” [emphasis added].

  39. On this basis, ESMA chose to keep this possibility in Guideline 8 as set out in Annex III hereto.

Categorisation of clients

  40. A few respondents also expressed the wish that MiCA would provide for the categorisation of clients depending on their knowledge and experience. According to such respondents, this should translate into a lighter suitability assessment for the most knowledgeable and experienced clients.
  41. ESMA would like to state that, although MiCA does not provide for the categorisation of clients, crypto-asset service providers are required to assess the knowledge and experience of their clients as part of the suitability assessment. Nothing prevents crypto-asset service providers from having an internal categorisation, provided that they always comply with the MiCA suitability requirements.

2.2.1 Periodic statement for portfolio management services

  42. Generally speaking, the advice received to the consultation was very divided. About half of the respondents considered that the approach adopted by ESMA was too strict and demanding on a relatively new industry such as the crypto industry, whilst the other half considered that more stringent terms for the periodic statement should be provided.
  43. Specific comments received to the CP are addressed below.

Q10: Do you agree with the approach followed by ESMA regarding periodic statements provided in relation to portfolio management of crypto-assets?

Scope of the requirement to provide a periodic statement

  44. A few respondents argued that crypto-asset service providers would not be able to provide information on the valuation of the portfolio and that they could only provide the value of the transactions entered into. Another respondent argued that only “fully custodial crypto-asset service providers” should be required to provide the periodic statement.
  45. ESMA wishes to point out that the level 1 requirements relating to the periodic statement are clear and apply to all crypto-asset service providers providing portfolio management on crypto-assets.
  46. MiCA defines such service as “managing portfolios in accordance with mandates given by clients on a discretionary client-by-client basis where such portfolios include one or more crypto-assets”. To provide such service, the crypto-asset service provider managing the portfolio should either have custody of the crypto-assets included in the portfolio or have access to them and have the power to enter into transactions on behalf of the client.
  47. Therefore, it is not clear to ESMA why such respondents raised the aforementioned concerns, unless there was some misunderstanding as to the scope of portfolio management services on crypto-assets or the requirements to provide a periodic statement (which ESMA clarified above). Therefore, crypto-asset service providers that do provide portfolio management services should certainly be able to provide the valuation of the crypto-assets included in the portfolio, unless such crypto-assets are so illiquid that the valuation is impossible, in which case this should be specified in the periodic statement.

Periodicity of reporting

  48. A few respondents called for more frequent reporting (such as monthly), whilst a couple of others said that the reporting every 3 months was not workable and that, in any case, clients are generally able to access an online valuation of their portfolio at any time.
  49. ESMA notes that the periodicity of the reporting (every 3 months) does not originate from the guidelines. It is a requirement of the level 1 text and therefore the guidelines may not change this requirement. However, crypto-asset service providers providing portfolio management services may decide to provide more frequent reporting, such as on a monthly basis.

Format of the periodic statement (Guideline 1)

  50. As MiCA already provides that the periodic statement shall be provided in an electronic format, ESMA amended Guideline 1 to clarify that the format mentioned in Guideline 1 should be understood as an electronic format which is also a durable medium. This is to avoid that Guideline 1 may be understood as being inconsistent with the level 1 text by allowing paper forms.

Content of the periodic statement

  51. Some respondents were of the view that the periodic statement should also include information on additional topics such as technological and other risk metrics, performance benchmarks, digital delivery and accessibility and other educational content such as market abuse measures.
  52. ESMA agrees that crypto-asset service providers may decide to include additional information in the periodic statement, notably to educate investors on the risks associated with crypto-assets (technological or other). However, the guidelines focus on further specifying the level 1 requirements and thus may not require that such content always be included since it cannot be read as deriving from the level 1 requirements.
  53. One respondent also stated that they did not consider that crypto-asset service providers shall provide information on the periodic assessment. ESMA would like to clarify that this is a level 1 requirement. Indeed, Article 81(14) requires crypto-asset service providers to include in the periodic statement “an updated information on the suitability assessment referred to in paragraph 1 or its review under paragraph 12”. Article 81(12) of MiCA requires crypto-asset service providers providing advice on crypto-assets or portfolio management of crypto-assets to regularly review for each client the suitability assessment referred to in article 81(1), at least every two years after the initial assessment made in accordance with that paragraph. There should thus be no doubt that such information should be included in the periodic statement.

Article 82(2) of MiCA: ESMA, in close cooperation with EBA, shall issue guidelines in accordance with Article 16 of Regulation (EU) No 1095/2010 for crypto-asset service providers providing transfer services for crypto-assets on behalf of clients as regards procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets.

3 Guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets

3.1 Background and legal basis

Legal background

  54. MiCA sets out a new legal framework which encompasses requirements for the provision of ten different crypto-asset services. These services include the provision of transfer services for crypto-assets on behalf of clients, defined in Article 3(1)(26) of MiCA as “providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another”.
  55. With regard to crypto-asset service providers’ policies and procedures in relation to crypto-asset transfer services, MiCA does not set out any specific requirements. Article 82(2) of MiCA, however, gives a mandate to ESMA to issue, in close cooperation with EBA, guidelines in accordance with Article 16 of the ESMA Regulation (Regulation (EU) No 1095/2010) for crypto-asset service providers providing transfer services for crypto-assets as regards procedures and policies, including the rights of clients.

Background

  56. The guidelines set out in Annex IV hereto should be read having in mind several aspects relating to the scope of transfer services for crypto-assets on behalf of clients. Firstly, the European Commission has published Q&A (2071) on the scope of crypto-asset transfer services and, more specifically, on crypto-asset transfers as a component of another crypto-asset service or as a separate crypto-asset transfer service. [6]

[6] ESMA Q&A 2071, available here.

  57. In addition, Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets [7] (the “TFOR”) also regulates transfer services for crypto-assets. It lays down rules on the information on originators and beneficiaries accompanying transfers of crypto-assets, for the purposes of preventing, detecting and investigating money laundering and terrorist financing. ESMA gave due regard to the TFOR to ensure that there was no inconsistency with the guidelines contained in Annex IV hereto.
  58. Finally, as the provision of transfer services for crypto-assets on behalf of clients shares similarities with payment services regulated under Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market (“PSD 2”), ESMA drew on relevant PSD 2 provisions in developing the guidelines in Annex IV.

[7] Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023.

Policies and procedures in relation to information to clients (Guidelines 1 and 2)

  59. ESMA is of the view that crypto-asset service providers providing transfer services on behalf of clients should have in place policies and procedures to ensure that clients are provided with adequate information relating to i) the essential features and conditions of the transfers for crypto-assets that are offered and ii) their execution. Consequently, in the CP, ESMA proposed to include Guideline 1 on the information to be provided to clients prior to them being bound by any agreement for the provision of transfer services for crypto-assets and Guideline 2 on the information to be provided to clients in relation to the status of individual crypto-asset transfers.
  60. In the CP, ESMA noted that the purpose of draft Guideline 1 is to ensure that crypto-asset service providers providing transfers for crypto-assets on behalf of clients have in place adequate policies and procedures (including appropriate tools) to provide the client with some essential information on the conditions of the provision of the service, in good time before the client enters into any agreement for the provision of crypto-asset transfer services. These procedures and policies should aim at disclosing relevant pre-contractual information to the client to enable him to choose the most suitable provider of crypto-asset transfer services. ESMA further noted that such pre-contractual information should include, for instance, information on the identity of the crypto-asset service provider, the DLT network used for the transfer of crypto-assets, the costs applicable to the service or how to initiate a transfer.
  61. Additionally, ESMA proposed in the CP to include Guideline 2 so as to ensure that clients that have sent an instruction to transfer crypto-assets also receive important information about the transaction itself, before such a transaction becomes irreversible. Such information should include (i) a brief warning if and when the crypto-asset transfer will be irreversible or sufficiently irreversible in case of probabilistic settlement and (ii) information on all charges for the crypto-asset transfer payable by the client.
  62. Draft Guideline 2 also clarified that crypto-asset service providers should have appropriate policies and procedures to ensure that, after the execution of individual crypto-asset transfers, the client is provided with certain minimum information, including: a reference enabling the client to identify each crypto-asset transfer, the amount and type of crypto-assets transferred or received and all costs relating to the transfer for crypto-assets.
  63. Lastly, ESMA proposed to also address in Guideline 2 the information that crypto-asset service providers should provide to their clients in case a crypto-asset transfer is rejected, returned or suspended (for instance, the reason for the rejection, return or suspension and how to remedy such rejection, return or suspension as well as any costs incurred).

Policies and procedures in relation to the execution of transfers of crypto-assets (Guidelines 3 and 4)

  64. In the CP, ESMA proposed that crypto-asset service providers offering transfer services on behalf of clients should implement policies and procedures addressing a minimum set of elements. These should include the conditions for executing crypto-asset transfers (Guideline 3) and the criteria for deciding whether to execute, reject, return, or suspend such transfers (Guideline 4).
  65. In draft Guideline 3, ESMA proposed clarifying the minimum set of elements related to the process of transferring crypto-assets. Draft Guideline 3 specifies that crypto-asset service providers should include in their policies and procedures some key elements of the transfer process. This includes setting maximum execution times based on the crypto-asset transferred, as well as determining the number of block confirmations needed for the transfer of crypto-assets to be irreversible on the DLT network (or sufficiently irreversible in case of probabilistic settlement), for each DLT network.
  66. In draft Guideline 4, ESMA proposed clarifying that crypto-asset service providers should establish, implement and maintain adequate risk-based policies and procedures for determining whether and how to execute, reject, return or suspend a transfer of crypto-assets. Such policies and procedures should particularly take into account the provisions of the TFOR applicable to crypto-asset service providers, as also specified in the EBA Guidelines preventing the abuse of funds and certain crypto-assets transfers for money laundering and terrorist financing purposes.

Liability of the crypto-asset service provider (Guideline 5)

  67. Finally, in draft Guideline 5, ESMA proposes clarifying that crypto-asset service providers should establish, implement, and maintain adequate policies and procedures outlining the conditions under which they would be liable to clients in cases of unauthorized or incorrectly initiated or executed crypto-asset transfers. Given the specific risks associated with crypto-asset transfers, such as hacking or the risk of sending assets to the wrong address, ESMA believes that service providers should have clear policies and procedures regarding their liability to clients.

3.2 Feedback to the consultation

  68. The following paragraphs summarize the feedback received to ESMA’s consultation on the draft guidelines on the policies and procedures for crypto-asset service providers providing transfer services for crypto-assets on behalf of clients. The feedback reflects broad support for ESMA’s approach, though respondents also provided specific suggestions on areas such as pre-contractual disclosures, ex-ante fee transparency, and information on transfer irreversibility. These inputs, alongside ESMA's responses, are detailed below.

Q11: Do you agree with the approach taken by ESMA in the draft guidelines for crypto-asset service providers providing transfer services for crypto-assets on behalf of clients as regards procedures and policies, including the rights of clients? Please also state the reasons for your answer.

  69. Most respondents, including the SMSG, agreed with the approach taken by ESMA in its proposed draft guidelines for CASPs providing crypto-asset transfer services on behalf of clients. However, respondents made suggestions on specific elements included in the draft guidelines which are addressed below.

On the format of pre-contractual information to clients (Guideline 1) and ex-ante disclosures (Guideline 2)

  70. A few respondents suggested that the information required under draft guidelines 1 and 2 should not need to be provided on a durable medium, as currently proposed in the CP. In the view of those respondents, crypto-asset service providers should instead provide this information in an “electronic format” (for example, based on the definition of Article 4(4)(62a) MiFID II). These respondents noted that providing the information in an electronic format would ensure making available the relevant information to clients whilst simultaneously facilitating the disclosure and internal processing of this information for crypto-asset service providers.

  71. In MiFID II, the definition of “electronic format” in Article 4(4)(62a) builds on the definition of “durable medium” (in Article 4(4)(62) of MiFID II) as it means “any durable medium other than paper”. In the CP, ESMA referred to “durable medium” to ensure i) that clients had the possibility to store the relevant information in a way accessible for future reference and for an adequate period of time and ii) that the unchanged reproduction of the information stored was made possible. Therefore, the reference to “electronic format” would be in line with ESMA’s policy objectives.
  72. In addition, MiCA refers, in several instances, to information being provided in an “electronic format” (but makes no reference to “durable medium”). Lastly, clients using a digital financial service like crypto-asset transfers are, in all probability, able to access and handle the relevant information in an electronic format.
  73. For the above-described reasons, ESMA has amended guidelines 1 and 2 to refer to “electronic format”.

On the policies and procedures on the ex-ante disclosure of charges to clients (Guideline 2)

  74. Some respondents highlighted the relevance of crypto-asset service providers disclosing any charges related to the crypto-asset transfer and payable by the client, prior to the execution of the transaction (as proposed in paragraph 16 of draft Guideline 2 (Information on individual transfers for crypto-assets) in the CP). They argued that such an ex-ante disclosure would help clients select the most suitable service. In addition, these respondents suggested that crypto-asset service providers should separately disclose the costs incurred through the relevant DLT network (e.g., gas fees) from the fees crypto-asset service providers charge for their own services.
  75. In contrast, a few respondents proposed to instead require crypto-asset service providers to disclose any charges through a standardised table (a price list) which could be provided to the client as part of the pre-contractual information (in Guideline 1) rather than disclosing charges for each individual transfer. Only if the charges of the transaction differed from the information contained in the pre-contractual information, the crypto-asset service provider would have to disclose these additional costs prior to the transaction.
  76. Contrary to standardised price lists, individualised fee disclosures reflect the actual costs a client will incur, including network-related fees as they can fluctuate significantly depending on network congestion and other factors such as the size of the transfer. This level of transparency will allow clients to decide on the most cost-effective and suitable service for each transaction, especially since fees in the crypto-assets market can vary greatly across crypto-asset service providers and networks. ESMA thus maintained the current wording in Guideline 2, including in relation to the breakdown that should be provided to clients. It is indeed important that clients understand what portion of the total charges is attributable to fees charged by the crypto-asset service provider and what part is attributable to the DLT network. This will allow clients to manage their transactions more effectively as they can better understand whether network conditions and their own needs warrant executing a transfer immediately.

On the policies and procedures for pre-contractual information and warning related to the irreversibility of crypto-asset transfers

  77. With regards to the disclosure of information related to the irreversibility of crypto-asset transfers, respondents’ comments addressed mainly two topics: (i) the pre-contractual information on the number of block confirmations needed for the transfer of crypto-assets to be irreversible on the relevant DLT network (or sufficiently irreversible in case of probabilistic settlement) (in paragraph 12 of draft Guideline 1 in the CP) and (ii) the brief and standardised warning as to whether and when the crypto-asset transfer will be irreversible or sufficiently irreversible (in case of probabilistic settlement) (in paragraph 16 of draft Guideline 2 in the CP).
  78. Firstly, a few respondents explicitly supported the disclosure of pre-contractual information on the number of block confirmations needed for the transfer of crypto-assets to be (sufficiently) irreversible on the DLT, as proposed in paragraph 12 of draft Guideline 1.
Conversely, a few respondents suggested changes to such pre-contractual information, for example:
● disclosing time ranges and additional information, inter alia, to motivate clients to send a test transaction with a small amount to a wallet that is already familiar;
● to refrain from proposing the disclosure of a fixed amount of time for the period needed to obtain the block confirmations for the transfer to be irreversible on the DLT network, thereby accounting for the impact of varying levels of blockchain usage (as heavy blockchain traffic can extend the required time);
● leaving the determination of the number of block confirmations (for a crypto-asset transfer to be irreversible) to national competent authorities. In the view of these respondents, this could avoid that competing crypto-asset service providers of a certain jurisdiction provide different numbers of block confirmations for a given transaction to be considered irreversible.
  79. The number of block confirmations needed for irreversibility depends on different factors, including the relevant DLT network protocol rules, if consensus has been reached in the crypto community, as well as each crypto-asset service provider’s policies and procedures on how many confirmations are needed before they consider a crypto-asset transfer irreversible. Such policies and procedures may themselves depend on the crypto-asset service provider’s risk tolerance or the transaction type and size. In addition, ESMA is of the view that the related pre-contractual information would improve transparency, reduce the risk of premature actions from the client, allow crypto-asset service providers to manage expectations and would also have the potential to reduce disputes. Consequently, ESMA is of the view that such pre-contractual information is key information for clients to understand the reliability and speed of a crypto-asset transfer (e.g. in comparison to other, traditional payment services). Therefore, ESMA maintained the wording included in paragraph 12 of Guideline 1 in the CP to the effect that crypto-asset service providers should have policies and procedures to ensure that the client receives the relevant pre-contractual information related to transfer irreversibility.
  80. However, varying levels of blockchain usage may lead to differences in the period of time needed to obtain the number of block confirmations for irreversibility. Thus, ESMA proposes to include in paragraph 23 of Guideline 1 that the information on the time needed for the transfer to be irreversible on the DLT network should be based on reasonable estimations. It is crucial that such estimations are made on a reasonable basis to provide clients with a realistic time period so that they may decide whether the time is right to execute a transaction. Additionally, ESMA notes that further supervisory convergence work by ESMA and the NCAs could be done in the future, if needed, to set out in more detail what is meant by a “reasonable estimation of the time or block confirmations needed for the transfer to be irreversible on the DLT network”.
  81. Secondly, some respondents supported the proposed warning for clients (in paragraph 16 of draft Guideline 2 in the CP) as informing clients about the irreversibility conditions helps them understand that a transaction might not be final and secure right after it is submitted.
However, a few respondents expressed the view that a warning would not be necessary and that crypto-asset service providers should instead be given more flexibility in providing the relevant information about the restrictions related to crypto-asset transfers to clients.
  82. ESMA is of the view that such brief and standardised warning has the potential to further improve transparency as it may raise clients’ awareness of this topic if not sufficiently flagged through pre-contractual disclosures. In addition, since Guideline 2 only refers to a brief and standardised warning and leaves crypto-asset service providers great flexibility in how they provide it, ESMA found that such warning was proportionate and, consequently, did not amend paragraph 16 of Guideline 2.

On the policies and procedures for pre-contractual information related to the means of communication (Guideline 1)

  83. A few respondents invited ESMA to provide clarification of the wording “the means of communication, including the technical requirements for the client’s equipment and software, agreed between the parties for the transmission of information or notifications related to the crypto-asset transfer service”, included in paragraph 12 of draft Guideline 1 in the CP.

  84. ESMA considers it essential that, as part of the pre-contractual information provided to clients, crypto-asset service providers make clear how the clients may communicate with them for their crypto-assets transfers and, if there are any technical requirements relating to what type of equipment and software the client should have, what such requirements are. To clarify this, ESMA included examples of such communication technologies (for example, via a message service on the crypto-asset service provider’s website or mobile phone application).

Additional elements of information to clients

  85. Additionally, a few respondents suggested including new information elements into the guidelines to provide additional information to clients on i) crypto-asset service providers’ complaints-handling mechanisms and ii) educational resources enabling clients to learn about secure transfers, involved risks and how to identify and avoid scams.
  86. The requirements on complaints handling procedures of crypto-asset service providers set out in Article 71 of MiCA already include disclosure requirements applicable to crypto-asset service providers and relating to the possibility to file a complaint free of charge and how to do so. Such requirements have been further specified in the Commission Delegated Regulation on handling complaints by crypto-asset service providers and also apply to crypto-asset service providers providing transfer services for crypto-assets on behalf of clients. ESMA is of the view that there is thus no need for duplicative disclosures in relation to complaints handling and, consequently, did not add the requested additional disclosure as part of the guidelines.
  87. With respect to the suggestion to add educational resources on transfers of crypto-assets as part of the disclosures that crypto-asset service providers make to clients, as ESMA recognises that it may have educational value and that it may be beneficial to manage expectations of clients, a new paragraph 16 has been added to Guideline 2 to encourage (as a good practice) crypto-asset service providers to provide educational resources to enable clients to learn about their rights and the functioning and risks related to transfers of crypto-assets.

Q12: Do you think that the draft guidelines address sufficiently the risks for clients related to on- and off-DLT crypto-asset transfers? Please justify your answer.

  88. A majority of respondents agreed that the draft guidelines in the CP addressed sufficiently the risks for clients related to crypto-asset transfers. One respondent was of the view that the proposed requirements go beyond what is required to address risks for clients relating to such transfers. A few respondents also mentioned specifically which aspects of the draft guidelines address especially relevant risks for clients. These included the provision of pre-contractual information to clients, the brief and standardised warning on the irreversibility of transactions and the disclosure of charges and fees related to crypto-asset transfers.
  89. With regards to whether the draft guidelines address sufficiently the on- and off-DLT crypto-asset transfers related risks for clients, a few respondents noted that the features of off-chain transactions (e.g. transfer between clients of the same provider) would differ significantly from on-chain transfers. These respondents were also of the view that the draft guidelines should focus on on-chain transactions and invited ESMA to clarify that these guidelines only refer to on-chain crypto-asset transfers. Additionally, a few respondents noted that the draft guidelines could also address off-chain transfers (in addition to on-chain ones), which would however require some changes to the currently proposed provisions (for example, in Guideline 2).
  90. In light of the definition of “providing transfer services for crypto-assets on behalf of clients” set out in Article 3(1)(26) of MiCA and to focus on the most relevant category of crypto-asset transfers, ESMA notes that these guidelines aim at addressing the risks for clients related to on-DLT crypto-asset transfers.

Q13: Are there any additional comments that you would like to raise and/or information that you would like to provide, for example, on whether other relevant points or clients’ rights should be considered?

  91. Few respondents replied to this question and their responses were addressed as part of the feedback statement on questions 11 and 12.

4 Annexes

4.1 Annex I: Cost-benefit analysis

4.1.1. MiCA guidelines on certain aspects of the suitability requirements and the periodic statement for portfolio management

Impact of the Guidelines

  1. As per Article 16(2) of Regulation (EU) No 1095/2010, any guidelines developed by ESMA are to be accompanied by an analysis of ‘the related potential costs and benefits of issuing such guidelines’. Such analysis shall be ‘proportionate in relation to the scope, nature and impact of the guidelines’.
  2. MiCA requires crypto-asset service providers to undertake a suitability assessment when providing advice on crypto-assets and portfolio management on crypto-assets, the objective being that the crypto-assets advised to the client or invested in on behalf of the client be suitable, taking into consideration the client’s knowledge and experience, investment objectives and financial situation. Similar requirements have existed for a long time for investment firms providing investment advice or portfolio management under MiFID II but the MiCA requirements are entirely new for crypto-assets markets. To ensure the adequate implementation of the MiCA requirements by providing clarity to the crypto-assets market, thereby also enhancing investor protection, ESMA is issuing the guidelines attached in Annex III hereto.
  3. In addition, under Article 81(14) of MiCA, crypto-asset service providers providing the service of portfolio management of crypto-assets shall provide to their clients periodic statements of the portfolio management activities carried out on their behalf.
  4. This periodic statement should include a fair and balanced review of the activities undertaken and of the performance of the portfolio during the reporting period, an updated statement of how the activities undertaken meet the preferences, objectives and other characteristics of the client, as well as an updated information on the suitability assessment referred to in paragraph 1 or its review under paragraph 12.
  5. This periodic statement is to be provided at least every 3 months, unless the client has access to an online system where up-to-date valuations of the client’s portfolio and updated information on the suitability assessment referred to in paragraph 1 can be accessed. The crypto-asset service provider must however have evidence that the client has accessed a valuation at least once during the relevant quarter.

  6. Article 81(15)(c) of MiCA gives mandate to ESMA to issue guidelines on the format of the periodic statement referred to in Article 81(14) of MiCA.
  7. The next paragraphs present the cost-benefit analysis of the main policy options included in this Final Report on the guidelines on certain aspects of the suitability requirements and periodic statement for portfolio management under Article 81 of MiCA.

Problem identification

  8. The MiCA requirements relating to the suitability assessment and periodic statement for portfolio management are entirely new for crypto-asset service providers. Whilst these requirements are established under MiCA, it is crucial to offer guidance on their application to provide clarity to the market, ensure a harmonised implementation and enhance investor protection.
  9. Moreover, feedback received to the consultation indicates that there is still significant misunderstanding within the crypto-asset industry regarding the scope and application of the suitability requirements.
  10. Therefore, ESMA considers it essential to clarify how these requirements should be applied and what is expected of crypto-asset service providers in relation to the suitability standards set by MiCA.
  11. Similar issues arise with the periodic statement requirements for portfolio management, though to a lesser degree. As a result, ESMA has also chosen to issue guidelines under Article 81(15)(c) of MiCA, albeit at a higher level.

Policy objectives

  12. The strategic objective of the guidelines is to strengthen investor protection by ensuring an adequate and harmonised implementation of the suitability requirements under Article 81 of MiCA, as well as to provide clarity on the requirements for the periodic statement for portfolio management services.

Baseline scenario

  13. In the absence of guidelines, crypto-asset service providers would need to comply with the suitability requirements and the requirements applicable to the periodic statement for portfolio management under Article 81 of MiCA without additional guidance. This could result in varied practices across entities and Member States, leading to fragmented investor protection and inefficiencies in regulatory oversight.
  14. As such requirements are entirely new to the crypto-asset industry (or at least, the most part of it), such guidance is particularly essential.

Options considered and preferred options

  15. This section presents the main policy options discussed and the decisions made when developing the guidelines. The policy options’ respective advantages and disadvantages and the preferred options resulting from this analysis are assessed below.

Policy issue 1: Exhaustiveness and extensiveness of the guidelines on the suitability requirements under Article 81 of MiCA

  16. The legal mandate under Article 81(15)(b) of MiCA requires ESMA to issue guidelines further specifying the information that crypto-asset service providers shall obtain from their clients or prospective clients in accordance with Article 81(8) of MiCA: “the necessary information regarding their knowledge of, and experience in, investing, including in crypto-assets, their investment objectives, including risk tolerance, their financial situation including their ability to bear losses, and their basic understanding of the risks involved in purchasing crypto-assets, so as to enable crypto-asset service providers to recommend to clients or prospective clients whether or not the crypto-assets are suitable for them and, in particular, are in accordance with their risk tolerance and ability to bear losses”.
  17. ESMA’s mandate under MiCA thus covers the information to be collected from clients or prospective clients by crypto-asset service providers to perform the suitability assessment.
  18. Against this backdrop, ESMA considered 4 policy options with regards to the exhaustiveness and level of detail of the guidelines set out in Annex III hereto.
Option 1a: Focus on the mandate given to ESMA under Article 81(15)(b) of MiCA and remain high level

Option 1b: Focus on the mandate given to ESMA under Article 81(15)(b) of MiCA and provide comprehensive guidance

Option 1c: Provide guidance on the topic covered by the mandate given to ESMA under Article 81(15)(b) of MiCA [10] and also issue some guidelines [11] on other relevant aspects of the suitability assessment, but remain high level in the guidance provided

[10] On the necessary information to be collected by crypto-asset service providers for the purpose of the suitability assessment.
[11] Under Article 16(1) of the ESMA Regulation.

Option 1d: Provide guidance on the topic covered by the mandate given to ESMA under Article 81(15)(b) of MiCA [12] and also issue some guidelines [13] on other relevant aspects of the suitability assessment and provide comprehensive guidance.

[12] On the necessary information to be collected by crypto-asset service providers for the purpose of the suitability assessment.
[13] Under Article 16(1) of the ESMA Regulation.

  19. ESMA considered that Options 1a and 1b were inadequate for several reasons: i) other aspects of the suitability requirements, which are not addressed by the mandate in Article 81(15)(b) of MiCA, also benefit from guidance, especially since the obligation for crypto-asset service providers offering advice or portfolio management services to conduct a suitability assessment is entirely new; ii) there is already extensive guidance available under the MiFID II framework that pertains to similar suitability assessment requirements, and this guidance encompasses a broader range of topics than those covered by the mandate in Article 81(15)(b) of MiCA; iii) the same entities may be providing advice and portfolio management services under MiCA and MiFID II, for consistency purposes between the two regimes, it is appropriate to also ensure consistency between the two suitability regimes; iv) in order to avoid regulatory arbitrage between the MiCA and the MiFID II regimes, it is also important to ensure that the two regimes are consistent.
  20. ESMA also regarded Option 1c as inadequate because, although the guidance provided under such option would have been more exhaustive in terms of aspects of the suitability requirements covered, ESMA deems that, for such a complex topic as the suitability assessment, high level guidance is not appropriate. In addition, Option 1c would also not be adequate to ensure consistency between the MiCA and the MiFID II suitability regimes and to avoid regulatory arbitrage.
  21. Option 1d, on the other hand, enables ESMA to provide more extensive guidance on the most essential aspects of the suitability assessment under MiCA. Given that this obligation is new to the crypto-asset industry and that this is a complex topic, it was also important to ensure that the guidance provided was sufficiently detailed to provide clarity to the market and ensure a harmonised implementation as well as enhanced investor protection. Lastly, it ensures consistency between the MiCA and the MiFID II regimes, which is also an important aspect given that the same firms may be providing advice or portfolio management services under the two regimes and/or clients may be using these services under the two regimes as well. It would be confusing for firms and clients if the same requirement (to undertake a suitability assessment) applied differently depending on the type of product advised on or included in the portfolio.

  22. Therefore, Option 1d has been chosen as the preferred option.

Policy issue 2: Exhaustiveness and extensiveness of the guidelines on the suitability requirements under Article 81 of MiCA

  23. Article 81(14) of MiCA requires that crypto-asset service providers providing the service of portfolio management of crypto-assets shall provide to their clients periodic statements of the portfolio management activities carried out on their behalf. This periodic statement must be provided in an electronic format, shall include a fair and balanced review of the activities undertaken and of the performance of the portfolio during the reporting period, an updated statement of how the activities undertaken meet the preferences, objectives and other characteristics of the client, as well as an updated information on the suitability assessment referred to in Article 81(1) or its review under Article 81(12).
  24. In addition, this periodic statement is to be provided at least every 3 months, unless the client has access to an online system where up-to-date valuations of the client’s portfolio and updated information on the suitability assessment referred to in Article 81(1) of MiCA can be accessed. The crypto-asset service provider must however have evidence that the client has accessed a valuation at least once during the relevant quarter.
  25. However, the legal mandate under Article 81(15)(c) of MiCA solely requires ESMA to issue guidelines further specifying the format of the periodic statement for portfolio management services (referred to in Article 81(14) of MiCA).
  26. Against this backdrop, ESMA considered 4 policy options with regards to the range of topics covered by and the level of detail of the related guidelines set out in Annex III hereto.
Option 2a: Focus on the mandate given to ESMA under Article 81(15)(c) of MiCA and remain high level

Option 2b: Focus on the mandate given to ESMA under Article 81(15)(c) of MiCA and provide comprehensive guidance, maybe even a template

Option 2c: Provide guidance on the topic covered by the mandate given to ESMA under Article 81(15)(c) of MiCA[14] and also issue guidelines[15] on other relevant aspects related to the periodic statement, but remain high level in the guidance provided

Option 2d: Provide guidance on the topic covered by the mandate given to ESMA under Article 81(15)(c) of MiCA[16] and also issue guidelines[17] on other relevant aspects of the suitability assessment and provide comprehensive guidance.

[14] On the format of the periodic statement.
[15] Under Article 16(1) of the ESMA Regulation.
[16] On the format of the periodic statement.
[17] Under Article 16(1) of the ESMA Regulation.

27. ESMA considered that Options 2a and 2b were inadequate for several reasons: i) other aspects pertaining to the periodic statement for portfolio management services, which are not addressed by the mandate in Article 81(15)(c) of MiCA, also necessitate guidance, especially since the obligation for crypto-asset service providers offering portfolio management services to provide such statement is entirely new; ii) the same requirement also applies under the MiFID II framework to investment firms providing portfolio management services and the MiFID II framework regulates additional aspects in comparison to Article 81(14) of MiCA; iii) the same entities may be providing portfolio management services under MiCA and MiFID II, so it may be appropriate to provide further guidance under MiCA to ensure consistency between the two regimes.

28. ESMA also regarded Option 2d as inadequate because, although for the reasons explained above it is appropriate to cover several aspects linked to the periodic statement, ESMA does not consider that such topic necessarily requires extensive and detailed guidance (such as a template). High level guidance is, in this case, more adequate so as to leave flexibility to crypto-asset service providers as to how they want to present such periodic report.

29. Therefore, Option 2c has been chosen as the preferred option.

Cost-benefit analysis

30. Considering the main objectives of these guidelines (extensively illustrated in the foregoing), the following paragraphs aim at explaining the benefits and costs of the key policy choices that are presented for consultation.

31. As a preliminary observation, since the requirements on the suitability assessment and periodic statement for portfolio management are provided under MiCA, the impact of the proposed guidelines should be considered bearing in mind those legal provisions that they support.
While crypto-asset service providers will likely incur certain costs for implementing these guidelines, they will also benefit from the increased legal certainty and the harmonised application of the requirements across Member States. Investors would in turn benefit from an improved suitability of the crypto-assets that are being recommended or purchased on their behalf as well as an increased transparency. The guidelines should also facilitate competent authorities’ efforts to improve the overall compliance with MiCA requirements, thereby increasing investors’ confidence in the crypto industry.

Costs

32. The main costs that crypto-asset service providers are likely to incur stem from the initial one-off and ongoing costs related to procedural and organisational arrangements necessary for the implementation of the guidelines where crypto-asset service providers provide advice on crypto-assets and/or portfolio management on crypto-assets. Such costs may include initial and ongoing IT costs, HR costs to ensure that staff providing advice and portfolio management services is appropriately qualified and is able to comply with the relevant obligations of the crypto-asset service provider under MiCA and costs linked to the collection of information from clients and prospective clients.

33. For national competent authorities, these guidelines will lead to limited ongoing costs for the supervision of crypto-asset service providers to ensure compliance (or not) with the guidelines. National competent authorities might also have to slightly extend their resources applied to the supervision of CASPs in light of the relevant MiCA requirements.

Benefits

34. In terms of benefits, the guidelines will promote the convergence of national competent authorities’ supervisory activities, thereby contributing to one of the main objectives of MiCA, to foster investor protection. The guidelines also promote fair competition between crypto-asset service providers independently of the home Member State.

35. Clients benefit from the guidelines due to the improved suitability of the crypto-assets recommended to them or purchased on their behalf, as well as the improved transparency related to the periodic statement for portfolio management services. Clients with mixed portfolios (financial instruments and crypto-assets) also benefit from the consistency of the two regimes.

36. Finally, crypto-asset service providers also benefit from the guidelines as they provide clarity as to how to apply the MiCA suitability requirements and those relating to the periodic statement for portfolio management. The resulting surge in the suitability of the crypto-assets recommended to or purchased on behalf of clients as well as the increased transparency should therefore enhance clients’ trust in the crypto-asset industry. In addition, entities providing advice or portfolio management services under both the MiCA and the MiFID II regimes will benefit from the consistency between the two regimes.

37. Considering what has been illustrated above, ESMA believes that the overall costs associated with the implementation of the guidelines set out in Annex III are fully justified by the objectives described above.

Table: costs and benefits

| Stakeholder groups affected | Costs | Benefits |
| --- | --- | --- |
| Crypto-asset service providers | Initial one-off and ongoing costs related to procedural and organisational arrangements necessary for the implementation of the guidelines (IT costs, HR costs, costs related to the collection of information from clients…) | Enhanced clients’ trust in the crypto-asset industry. Consistency between the MiFID II and MiCA regimes for entities operating under both frameworks. |
| Competent authorities | Limited ongoing cost of supervision to ensure that crypto-asset service providers have properly implemented the guidelines. Slight extension of their resources dedicated to the supervision of the MiCA framework may be needed. | Enhanced consistency of supervision of the MiCA requirements related to the suitability assessment and the periodic statement for portfolio management. Safer crypto-asset market and mitigation of investor detriment due to the improved suitability of the crypto-assets recommended or purchased on behalf of clients and the improved transparency. |
| Clients | None | Improved suitability of the crypto-assets recommended or purchased on their behalf. Improved transparency. Consistency between the MiFID II and MiCA regimes for clients with mixed portfolios. |

4.1.2 MiCA guidelines on the policies and procedures, including the rights of clients, for transfer services for crypto-assets

Impact of the guidelines under the first subparagraph of Article 82(2) of MiCA

38. As per Article 16(2) of Regulation (EU) No 1095/2010, any guidelines developed by ESMA are to be accompanied by an analysis of ‘the related potential costs and benefits of issuing such guidelines’. Such analysis shall be ‘proportionate in relation to the scope, nature and impact of the guidelines’.

39. MiCA sets out a new legal framework which encompasses requirements for the provision of ten different crypto-asset services. These services include the provision of transfer services for crypto-assets on behalf of clients defined in Article 3(1)(26) of MiCA as “providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another”. Article 82(2) of MiCA gives a mandate to ESMA to issue, in close cooperation with EBA, guidelines in accordance with Article 16 of Regulation (EU) No 1095/2010 for crypto-asset service providers providing transfer services for crypto-assets as regards procedures and policies, including the rights of clients.

40. The next paragraphs present the cost-benefit analysis of the main policy options included in this Final Report on the guidelines for providing transfer services for crypto-assets on behalf of clients under Article 82 of MiCA.

Problem identification

41. Crypto-asset transfers play a crucial role in the practical utilisation of these assets, allowing clients to manage and deploy their crypto-assets in line with their specific needs and investment strategies. For instance, they may transfer crypto-assets to a wallet for secure storage or move them to an exchange for trading and liquidity purposes.
At the same time, crypto-asset transfers also present potential challenges: (i) the functionality and risks associated with crypto-assets and the underlying DLT technology are often less familiar to many investors compared to traditional financial instruments like shares or ETFs, (ii) certain characteristics of crypto-asset transfers, such as their irreversibility, pose risks for investors, potentially leading to adverse outcomes (such as the loss of crypto-assets, if transferred to the incorrect address or wallet).

42. To address these challenges and ensure a higher level of investor protection and harmonisation, MiCA gives ESMA a mandate, in close cooperation with the EBA, to issue guidelines for crypto-asset service providers providing transfer services for crypto-assets on behalf of clients. These guidelines should address procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets. By establishing clear standards, ESMA seeks to ensure that crypto-asset service providers adopt robust policies and procedures to minimize errors, protect clients from avoidable losses, and build trust in the broader crypto-asset ecosystem.

Policy objectives

43. The strategic objective of the guidelines is to strengthen investor protection and enhance the safety of crypto-assets markets by:
a) ensuring that crypto-asset service providers implement the necessary minimum policies and procedures for conducting transfer services for crypto-assets on behalf of clients; and
b) promoting client awareness of the terms and conditions governing the execution of crypto-asset transfer services.

Baseline scenario

44. In the absence of any guidance from ESMA on the policies and procedures for crypto-asset service providers providing transfer services of crypto-assets, the risks associated with crypto-asset transfers would likely become more prominent. Without clear regulatory expectations, crypto-asset service providers may lack or adopt inconsistent or inadequate policies and procedures. This lack of standardization could result in a fragmented market where service quality and risk management vary widely across providers, leading to a higher likelihood of errors, fraud, or loss of crypto-assets during transfers.

45. Investors, especially those less familiar with the complexities of blockchain technology and crypto-asset transfers, would face heightened risks. In the absence of any guidance, many crypto-asset service providers may not provide sufficient information or education to clients regarding the specific risks involved, such as the consequences of sending assets to incorrect addresses or the difficulty of recovering lost funds. This could erode investor confidence in crypto-asset markets, leading to lower participation and potentially hampering the growth of the sector.

46. Moreover, the lack of regulatory guidance may also undermine market integrity.
Without a clear framework for best practices, crypto-asset service providers might not prioritize transparency, security, or proper risk management, resulting in vulnerabilities that could be exploited by bad actors.

Options considered and preferred options

47. This section presents the main policy options discussed and the decisions made when developing the guidelines. The policy options’ respective advantages and disadvantages and the preferred options resulting from this analysis are assessed below.

Policy issue 1: Exhaustiveness and level of detail of the policies and procedures related to transfer services for crypto-assets

48. The legal mandate under Article 82 requires ESMA to issue guidelines on the policies and procedures, including the rights of clients, of crypto-asset service providers providing crypto-asset transfer services on behalf of clients. Against this backdrop, ESMA considered 2 policy options with regard to the exhaustiveness and level of detail of the guidelines set out in Annex IV hereto.

Option 1a: Focus on the topics relating to the most prominent challenges presented by transfers for crypto-assets on behalf of clients and provide guidance on such topics to be included in the procedures and policies, without being overly comprehensive

Option 1b: Provide exhaustive and detailed guidance on all topics that crypto-asset service providers should cover in their policies and procedures on crypto-asset transfer services.

49. At this stage, ESMA considered that Option 1b did not represent a balanced approach, based on the (current) perceived level of issues raised by crypto-asset transfers and the efforts that would have been required by crypto-asset service providers to align their policies and procedures with very detailed and prescriptive guidelines.

50. Option 1a, on the other hand, enables ESMA to focus on the topics that seem the most essential to tackle at this stage (such as information to clients, irreversibility of crypto-asset transfers) whilst giving crypto-asset service providers enough guidance and sufficient flexibility when covering such topics in their policies and procedures. Option 1a thus represents, at this stage, a balanced approach.

51. Therefore, Option 1a has been chosen as the preferred option. It is, however, without prejudice to market developments and the possible revision of the guidelines attached hereto in Annex IV so as to adopt a more prescriptive and exhaustive approach if needed.
Cost-benefit analysis

52. The guidelines are expected to result in limited costs for crypto-asset service providers and national competent authorities, while also providing benefits for clients, crypto-asset service providers and national competent authorities.

Costs

53. The main costs that crypto-asset service providers are likely to incur stem from (i) the initial one-off costs related to the implementation of the guidelines in their procedures and policies related to the provision of crypto-asset transfer services and (ii) limited ongoing costs of keeping the relevant information related to the guidelines updated in their procedures and policies.

54. For national competent authorities, these guidelines will lead to limited ongoing costs for the supervision of crypto-asset service providers to ensure compliance (or not) with the guidelines. National competent authorities might also have to slightly extend their resources applied to the supervision of CASPs in light of the relevant MiCA requirements.

Benefits

55. In terms of benefits, the guidelines will promote the convergence of national competent authorities’ supervisory activities, thereby contributing to one of the main objectives of MiCA, to foster investor protection. The guidelines also promote fair competition between crypto-asset service providers independently of home Member State, as the provisions set out more specific information to better inform clients about the functioning, risks and costs of crypto-asset transfer services.

56. Clients benefit from the guidelines through receiving relevant information about functioning, risks and costs, facilitating their choice of the most suitable crypto-asset transfer services.

57. Finally, crypto-asset service providers also benefit from the guidelines as they aim to help them to better inform clients, manage expectations and should therefore enhance clients’ trust in the recently emerged crypto-asset transfer services.

Table: costs and benefits

| Stakeholder groups affected | Costs | Benefits |
| --- | --- | --- |
| Crypto-asset service providers | Limited, due to (i) initial one-off costs related to the implementation of the guidelines in their policies and procedures on the provision of crypto-asset transfer services and (ii) ongoing costs for keeping the relevant guidance updated. The costs incurred should be particularly limited as it is expected that crypto-asset service providers already have policies and procedures on crypto-asset transfer services. The implementation costs would thus be limited to bringing the current policies and procedures in line with the guidelines. | Better information of clients. Managing clients’ expectations. Enhanced clients’ trust in crypto-asset transfer services. |
| Competent authorities | Limited ongoing cost of supervision to ensure that crypto-asset service providers have properly implemented the guidelines on crypto-asset transfer services. Slight extension of their resources dedicated to the supervision of the MiCA framework may be needed. | Enhanced consistency of supervision of the MiCA requirements related to crypto-asset transfer services. Safer crypto-asset market, mitigation of investor detriment due to problems with crypto-asset transfer services. |
| Clients | None | Receive better information about functioning and risks of crypto-asset transfer services, allowing them to choose the most suitable crypto-asset transfer service. |


4.2 Annex II: SMSG advice to ESMA on its third consultation paper on the Markets in Crypto Assets Regulation (MiCA)

Advice to ESMA

Table of Contents
1 Executive Summary
2 Background
3 SMSG opinions and comments on market abuse
3.1 General approach, proportionality and riskiness in market abuse monitoring
3.2 Outsourcing and systemic risk
3.3 Coordination procedures between competent authorities
4 SMSG opinions and comments on suitability
4.1 General approach and the understanding of the risks
4.2 Sustainability preferences
5 SMSG opinions and comments on transfer services for crypto-assets

1. Executive Summary

The SMSG provides opinions and comments on a selection of issues discussed in the third MiCA consultation paper.

Proportionality and riskiness in market abuse monitoring. Proportionality is key to avoiding barriers to small-size players, holding constant all measures targeted to the soundness of the crypto ecosystem. Article 2.3.(a) of the draft RTS on market abuse requires that arrangements, systems and procedures “are appropriate and proportionate in relation to the scale, size and nature of their business activity”. The SMSG considers that the risk of market abuse also depends on other factors (e.g., on the interaction between the scale of the PPAET’s activity and the size of the crypto-asset market) and suggests that proportionality should be allowed only when the person professionally arranging or executing transactions (PPAET) shows – e.g., based on empirical evidence or establishing appropriate policies and procedures – that its activity does not imply risks of market abuse at a material level. The SMSG also considers that it would be helpful to clarify whether the monitoring and detection of market abuse for cryptos requires special mechanisms and tools with respect to the mechanisms and tools usually applied to securities markets.

Outsourcing and systemic risk. Article 3.4 of the draft RTS on market abuse sets out the requirements for the outsourcing of the prevention, monitoring and detection activities. To ensure that PPAETs remain in control of those functions, the draft RTS sets out some necessary requirements, such as the existence of a written agreement between the parties and the retention of access to the relevant information and the necessary expertise so the PPAET may assess the work conducted by the delegated party. The SMSG believes that the outsourcing of such sensitive tasks should also consider systemic risks (e.g., when several PPAETs delegate the same provider). The relevant authorities may need to monitor the competition and concentration levels of the market related to the outsourced activities.

Coordination procedures between competent authorities. Article 11 of the draft RTS on market abuse requires the competent authority suspecting a case of cross-border market abuse to “report the status of its preliminary assessment to the other competent authorities concerned”. However, there is no expected timing for this reporting activity to occur. To avoid ambiguity and to foster convergence, the SMSG believes that it would be useful to specify a precise timing for the exchange of information. By contrast, the receiving competent authorities shall share information about the existence of any supervisory activity or criminal investigation on the same case “without undue delay”.
It appears that an asymmetry in the expected timing exists between the NCA originating the coordination activity and the NCA receiving the preliminary assessment. The draft RTS also foresees the possibility that competent authorities inform ESMA of the start of an investigation or an enforcement activity. The SMSG believes that, instead of being a possibility, ESMA should always be informed in order to have a comprehensive view of the ongoing market abuse investigations in the EU.

Suitability requirements and the understanding of the risks. Article 81(15) of MiCA gives ESMA a mandate to issue guidelines on suitability requirements under MiCA, including the information that crypto-asset service providers (CASPs) shall obtain from their clients or prospective clients. In this respect, Article 81(8) of MiCA requires CASPs to obtain information – among other things – about their basic understanding of the risks involved in purchasing crypto-assets. The SMSG believes that, for reasons related to both investor protection and level-playing field, regulation for crypto-assets should be as similar as possible to securities regulation and only differ if this is warranted by differences in product characteristics or risk between MiFID financial instruments and MiCA crypto-assets. With this objective in mind, the requirement of a ‘basic’ understanding of the risks involved in purchasing crypto-assets – although included in the MiCA regulation – appears to be a source of concern in terms of investor protection. The SMSG also notes that the analogous requirement in the MiFID framework refers to understanding (i.e., without ‘basic’).

Sustainability preferences. MiCA suitability guidelines are largely based on the MiFID II guidelines. However, the two sets of guidelines differ in relation to sustainability preferences. ESMA did not include in the draft MiCA guidelines the new additions relating to sustainability preferences that were introduced in the latest version of the MiFID II guidelines (although the draft of the MiCA suitability guidelines suggests that it could be a good practice for CASPs to collect information about the preferences on ESG factors of the client). The SMSG highlights that, as the level 1 texts for both MiFID II and MiCA are aligned, level 3 texts should also be aligned.

Transfer services and the relations with clients. The features of the provision of transfer services of crypto-assets share some similarities with payment services, regulated under the Directive on payment services in the internal market (“PSD 2”). Therefore, ESMA has drawn on PSD 2 provisions – where relevant – in developing the draft guidelines. The SMSG is in favor of this approach and highlights the need that crypto-asset service providers set up appropriate policies and procedures to assist their customers, as it commonly happens for payment services.

2 Background

1. On 25 March 2024, ESMA released the third MiCA consultation paper as part of a series of three packages. Each package includes a number of draft implementing technical standards (RTS) and draft implementing technical standards (ITS). The first consultation paper was published on 20 July 2023 and the SMSG provided an Advice to ESMA on 6 October 2023. The second consultation paper was published on 5 October 2023 and the SMSG provided an Advice to ESMA on 5 December 2023. This third consultation paper covers the following aspects:
i. market abuse in crypto assets[18];
ii. suitability requirements for portfolio management activities under MiCA[19];
iii. transfer services for crypto-assets[20];
iv. systems and security access protocols[21].

2. In this Advice, the SMSG provides its views on specific questions raised by ESMA in the consultation paper as well as comments on more general issues that are related to the topics discussed in this consultation.

[18] The consultation paper includes a draft RTS on arrangements, systems and procedures for detecting and reporting suspected market abuse in crypto assets.
[19] The consultation paper includes draft guidelines on certain aspects of the suitability requirements and format of the periodic statement for portfolio management activities under MiCA.

3. SMSG opinions and comments on market abuse

[…]

4. SMSG opinions and comments on suitability

4.1 General approach and the understanding of the risks

18. The assessment of suitability is an important investor protection requirement under MiCA. It applies to the provision of advice on crypto-assets and portfolio management of crypto-assets.

19. Article 81(15) of MiCA gives ESMA a mandate to issue guidelines on the following aspects of the suitability requirements under MiCA: (i) the criteria for the assessment of client’s knowledge and competence; and (ii) the information that crypto-asset service providers shall obtain from their clients or prospective clients regarding their knowledge of, and experience in, investing (including in crypto-assets), their investment objectives (including risk tolerance), their financial situation (including their ability to bear losses), and their basic understanding of the risks involved in purchasing crypto-assets, so as to enable crypto-asset service providers to recommend to clients or prospective clients whether or not the crypto-assets are suitable for them and, in particular, are in accordance with their risk tolerance and ability to bear losses.

20. The SMSG believes that, for reasons related to both investor protection and level-playing field, regulation for crypto-assets should be as similar as possible to securities regulation and only differ if this is warranted by differences in product characteristics or risk between MiFID financial instruments and MiCA crypto-assets.
With this objective in mind, the requirement of a ‘basic’ understanding of the risks involved in purchasing crypto-assets – although included in the MiCA regulation – appears to be a source of concern in terms of investor protection. The SMSG also notes that the analogous requirement in the MiFID framework refers to understanding (i.e., without ‘basic’)[22].

[20] The consultation paper includes draft guidelines on procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets.
[21] The consultation paper includes draft guidelines on maintenance of systems and security access protocols in conformity with appropriate Union standards.
[22] ESMA guidelines on certain aspects of the MiFID II suitability requirements state in paragraph 23 that “firms should also take reasonable steps to assess the client’s understanding of investment risk as well as the relationship between risk and return on investments”.

4.2 Sustainability preferences

21. ESMA chose to largely base the MiCA suitability guidelines on the MiFID II guidelines. This is because the MiCA suitability requirements are also largely based on the MiFID II suitability requirements.

22. However, the two sets of guidelines differ in relation to sustainability preferences. The MiFID II guidelines were reviewed recently to integrate new obligations relating to sustainability preferences into the suitability requirements under MiFID II (Delegated Regulation (EU) 2021/1253). In contrast with MiFID II and the MiFID II Delegated Regulation, MiCA does not include an express obligation to collect information on clients’ or potential clients’ sustainability preferences.

23. ESMA thus did not include in the draft guidelines presented in the third MiCA consultation paper the new additions relating to sustainability preferences that were introduced in the latest version of the MiFID II guidelines. However, paragraph 27 of Guideline 2 (Arrangements necessary to understand clients) of the draft guidelines suggests that, at this stage, it could be a good practice for crypto-asset service providers to collect information about the preferences on environmental, social and governance factors of the client or potential client.

24. The SMSG highlights that, as the level 1 texts for both MiFID II and MiCA are aligned, level 3 texts should also be aligned for the following reasons. Both the MiFID II and MiCA level 1 texts refer to the need to assess clients’ “investment objectives, including risk tolerance”, without referring to sustainability preferences. In respect of MiFID II, the level 2 Delegated Regulation (EU) 2017/565 has introduced a definition of sustainability preferences (art. 2(7)) and develops the requirement to ask information on investment objectives by stating that investment firms should obtain information on clients’ “investment objectives including the client’s risk tolerance and any sustainability preferences” (art. 54(2) a)). In respect of MiCA the Level 1 text did not give a mandate to the Commission to issue a level 2 text in respect of the suitability requirements. The SMSG is of the view that this is not a sufficient reason to have different level 3 guidelines since (i) the level 1 texts of MiFID II and MiCA in respect of the suitability test use exactly the same wording (“investment objectives, including risk tolerance”); and (ii) level 2 texts can only supplement or amend non-essential elements of the Level 1 Act (art. 290 TFEU). It is clear that MiFID II Delegated Regulation (EU) 2017/565 has not issued a new legal rule, but merely clarified how broadly the term “investment objectives” should be interpreted (i.e., also including sustainability preferences). The fact that MiCA does not provide for a Level 2 Delegated Act, does therefore not prevent ESMA to fully align the MiCA guidelines with the MiFID II guidelines in respect of sustainability preferences. From a legal coherence perspective, it would also make more sense to fully align the MiFID II and MiCA suitability guidelines on this point. Nor from a legal perspective, nor on the basis of differences in product characteristics or risks between financial instruments and crypto-assets, the SMSG believes there are any reasons to apply different requirements in relation to sustainability preferences.

5. SMSG opinions and comments on transfer services for crypto-assets

5.1 General approach and the relations with clients

25. The features of the provision of transfer services of crypto-assets share some similarities with payment services, regulated under the Directive on payment services in the internal market (“PSD 2”). Therefore, ESMA has drawn on PSD 2 provisions – where relevant – in developing the draft guidelines.

26. The SMSG is in favor of this approach and highlights the need that crypto-asset service providers set up appropriate policies and procedures to assist their customers, especially when the access to the wallets (or similar services) is only based on keys and pass codes, as it commonly happens for payment services.

This advice will be published on the Securities and Markets Stakeholder Group section of ESMA’s website.

Adopted on 21 June 2024

[signed]
Veerle Colaert
Chair
Securities and Markets Stakeholder Group

[signed]
Giovanni Petrella
Rapporteur

4.3 Annex III: Guidelines on certain aspects of the suitability requirements and format of the periodic statement for portfolio management activities under MiCA

1 Scope

Who?
  1. These guidelines apply to competent authorities and crypto-asset service providers, as defined in Article 3(1)(15) of MiCA, where they provide, as relevant, advice on crypto-assets or portfolio management of crypto-assets.

What?
  2. These guidelines apply in relation to: (i) the suitability requirements under Article 81(1), (7), (8), (10), (11) and (12) of MiCA; and (ii) the requirements applicable to the format of the periodic statement to be provided by CASPs providing portfolio management of crypto-assets, in accordance with Article 81(14) of MiCA.

When?
  3. These guidelines apply 60 calendar days from the date of their publication on ESMA’s website in all official EU languages.

2 Legislative references, abbreviations and definitions

2.1 Legislative references

ESMA Regulation: Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC 23.

MiCA: Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 24.

2.2 Abbreviations

ESFS: European System of Financial Supervision
ESMA: European Securities and Markets Authority
EU: European Union

2.3 Definitions

Suitability assessment: The whole process of collecting information about a client and the subsequent assessment by the crypto-asset service provider that a given crypto-asset is suitable for him, based also on the crypto-asset service provider’s solid understanding of the crypto-assets that it can recommend or invest into on behalf of the client.

Robo-advice: The provision of advice on crypto-assets or portfolio management of crypto-assets (in whole or in part) through an automated or semi-automated system used as a client-facing tool.

23 OJ L 331, 15.12.2010, p. 84.
24 OJ L 150, 9.6.2023, p. 40.

3 Purpose

  4. These guidelines are based on Article 81(15) of MiCA and Article 16(1) of the ESMA Regulation. The objectives of these guidelines are to establish consistent, efficient and effective supervisory practices within the ESFS and to ensure the common, uniform and consistent application of the provisions in Article 81(1), (7), (8), (10), (11), (12) and (14) of MiCA, as relevant.

  5. In particular, they aim to promote greater convergence in the application of, and supervisory approaches to, the MiCA suitability requirements and requirements applicable to the format of the periodic statement to be provided by crypto-asset service providers providing portfolio management of crypto-assets.

  6. By identifying a number of important issues as set out in the guidelines below and thereby helping to ensure that crypto-asset service providers comply with regulatory standards, ESMA anticipates a corresponding strengthening of investor protection.

4 Compliance and reporting obligations

4.1 Status of the guidelines

  7. In accordance with Article 16(3) of the ESMA Regulation, competent authorities and financial market participants must make every effort to comply with these guidelines.

  8. Competent authorities to which these guidelines apply should comply by incorporating them into their national legal and/or supervisory frameworks as appropriate, including where particular guidelines are directed primarily at financial market participants. In this case, competent authorities should ensure through their supervision that financial market participants comply with the guidelines.

4.2 Reporting requirements

  9. Within two months of the date of publication of the guidelines on ESMA’s website in all EU official languages, competent authorities to which these guidelines apply must notify ESMA whether they (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines.

  10. In case of non-compliance, competent authorities must also notify ESMA within two months of the date of publication of the guidelines on ESMA’s website in all EU official languages of their reasons for not complying with the guidelines.

  11. A template for notifications is available on ESMA’s website. Once the template has been filled in, it shall be transmitted to ESMA.

  12. Financial market participants are not required to report whether they comply with these guidelines.

5 Guidelines on certain aspects of the suitability requirements under MiCA

5.1 Information to clients about the purpose of the suitability assessment and its scope (Guideline 1)

Relevant legislation: Articles 66(1) and (2) and 81(1), (8), (10) and (11) of MiCA.

  13. Crypto-asset service providers should inform their clients clearly and simply about the suitability assessment and its purpose which is to enable the crypto-asset service provider to act in the client’s best interest. This should include a clear explanation that it is the crypto-asset service provider’s responsibility to conduct the assessment, so that clients understand (i) the reason why they are asked to provide certain information, (ii) the importance that such information is up-to-date, accurate and complete and (iii) that, without such information, the crypto-asset service provider will not recommend crypto-asset services or crypto-assets, nor begin the provision of portfolio management of crypto-assets. Such information may be provided in a standardised format.

  14. Information about the suitability assessment should help clients understand the purpose of the requirements. It should encourage them to provide up-to-date, accurate and sufficient information about their knowledge, experience, investment objectives (including their risk tolerance) and financial situation (including their ability to bear losses). Crypto-asset service providers should highlight to their clients that it is important to gather complete and accurate information so that the crypto-asset service provider can recommend suitable crypto-assets or crypto-asset services to the client. Without this information, crypto-asset service providers cannot provide advice on crypto-assets or portfolio management of crypto-assets.

  15. It is up to the crypto-asset service provider to decide how they will inform their clients about the suitability assessment.
The format used should however enable controls to check if the information was provided.

  16. Crypto-asset service providers should not create any ambiguity or confusion about their responsibilities in the process when assessing the suitability of crypto-asset services or crypto-assets. Notably, crypto-asset service providers should avoid stating, or giving the impression, that it is the client who decides on the suitability of the investment or the service, or that it is the client who establishes which crypto-assets or crypto-asset services fit his own risk profile. For example, crypto-asset service providers should avoid indicating to the client that a certain crypto-asset is the one that the client chose as being suitable, or requiring the client to confirm that a crypto-asset or crypto-asset service is suitable.

  17. Any disclaimers (or other similar types of statements) aimed at limiting the crypto-asset service provider’s responsibility for the suitability assessment would not in any way impact the characterisation of the crypto-asset service provided in practice to clients nor the assessment of the crypto-asset service provider’s compliance with the corresponding requirements. For example, when collecting clients’ information required to conduct a suitability assessment (such as their investment horizon/holding period or information related to risk tolerance), crypto-asset service providers should not claim that they do not assess the suitability.

  18. In order to address potential gaps in clients’ understanding of the crypto-asset services provided through robo-advice, crypto-asset service providers should inform clients, in addition to other required information, on the following:
● a very clear explanation of the exact degree and extent of human involvement and if and how the client can ask for human interaction;
● an explanation that the answers clients provide will have a direct impact in determining the suitability of the investment decisions recommended or undertaken on their behalf;
● a description of the sources of information used to generate an investment advice or to provide the portfolio management service (e.g., if an online questionnaire is used, crypto-asset service providers should explain that the responses to the questionnaire may be the sole basis for the robo-advice or whether the crypto-asset service provider has access to other client information or accounts);
● an explanation of how and when the client’s information will be updated with regard to his/her situation, personal circumstances, etc.

  19. Crypto-asset service providers should also carefully consider whether their disclosures are designed to be effective (e.g., the disclosures are made available directly to clients and are not hidden or incomprehensible).
For crypto-asset service providers providing robo-advice this may in particular include:
● emphasising the relevant information (e.g., through the use of design features such as pop-up boxes);
● considering whether some information should be accompanied by interactive text (e.g., through the use of design features such as tooltips) or other means to provide additional details to clients who are seeking further information (e.g., through F.A.Q. section).

5.2 Arrangements necessary to understand clients (Guideline 2)

Relevant legislation: Article 81(1), (8) and (10) of MiCA.

  20. Where collecting the information necessary to conduct a suitability assessment for each client, crypto-asset service providers should ensure that the questions they ask their clients are specific enough, are likely to be understood correctly, take into account the elements developed in guideline 3 and that any method used to collect information is designed to get the information required for a suitability assessment.

  21. Crypto-asset service providers should ensure that the assessment of information collected about their clients is done in a consistent way irrespective of the means used to collect such information.

  22. For example, crypto-asset service providers could use questionnaires (notably in a digital format) completed by their clients, information collected during discussions with them or other information already gathered through the crypto-asset service provider’s existing relationship with the client. For instance, a payment default on other obligations may indicate a difficult financial situation.

  23. When designing the questionnaires aiming at collecting information about their clients for the purpose of a suitability assessment, crypto-asset service providers should be aware and consider the most common reasons why clients could fail to answer questionnaires correctly. In particular:
● attention should be given to the clarity, exhaustiveness and comprehensibility of the questionnaire, avoiding misleading, confusing, imprecise and excessively technical language;
● the layout should be carefully elaborated and should avoid orienting clients’ choices (font, line spacing…);
● presenting questions in batteries (collecting information on a series of items through a single question, particularly when assessing knowledge and experience and the risk tolerance) should be avoided;
● crypto-asset service providers should carefully consider the order in which they ask questions in order to collect information in an effective manner;
● in order to be able to ensure necessary information is collected, the possibility not to reply should generally not be available in questionnaires (particularly when collecting information on the client’s financial situation).

  24. Crypto-asset service providers should also take reasonable steps to assess the client’s understanding of investment risk as well as the relationship between risk and return on investments, as this is key to enable crypto-asset service providers to act in accordance with the client’s best interest when conducting the suitability assessment. When presenting questions in this regard, crypto-asset service providers should explain clearly and simply that the purpose of answering them is to help assess clients’ attitude to risk (risk profile), and therefore whether crypto-asset services or the crypto-assets are suitable for them (and, if suitable, which types and risks are attached to them).

  25. Information necessary to conduct a suitability assessment includes different elements that may affect, for example, the analysis of the client’s financial situation (including his ability to bear losses) or investment objectives (including his risk tolerance). Examples of such elements are the client’s:
● marital status (especially the client’s legal capacity to commit assets that may belong also to his partner);
● family situation (changes in the family situation of a client may impact his financial situation e.g. a new child or a child of an age to start university);
● age (which is mostly important to ensure a correct assessment of the investment objectives, and in particular the level of financial risk that the client is willing to take, as well as the holding period/investment horizon, which indicates the willingness to hold an investment for a certain period of time);
● employment situation (the degree of job security or the fact that the client is close to retirement may impact his financial situation or his investment objectives);
● need for liquidity in certain relevant investments or need to fund a future financial commitment (e.g. property purchase, education fees).

  26. When determining what information is necessary, crypto-asset service providers should keep in mind the impact that any significant change regarding that information could have concerning the suitability assessment.

  27. ESMA considers it would be a good practice for crypto-asset service providers to consider non-financial elements when gathering information on the client’s investment objectives, and – beyond the elements listed in paragraph 25 – collect information on the client’s preferences on environmental, social and governance factors in order to take them into account in the suitability assessment.

  28. Crypto-asset service providers should take all reasonable steps to sufficiently assess the understanding by their clients of the main characteristics and the risks related to the product types in the offer of the crypto-asset service provider. The adoption by crypto-asset service providers of mechanisms to avoid unduly relying on client’s self-assessment and ensure the consistency of the answers provided by the client25 is particularly important for the correct assessment of the client’s knowledge and experience. Information collected by crypto-asset service providers about a client’s knowledge and experience should be considered altogether for the overall appraisal of his understanding of the products and services and of the risks involved in the transactions recommended or in the management of his portfolio.

25 See guideline 4.

  29. It is also important that crypto-asset service providers appraise the client’s understanding of basic financial notions such as investment risk (including concentration risk) and risk-return trade off. To this end, crypto-asset service providers should consider using indicative, comprehensible examples of the levels of loss/return that may arise depending on the level of risk taken and should assess the client’s response to such scenarios.

  30. As part of the assessment of a client’s knowledge and experience, crypto-asset service providers should ensure that the client understands crypto-assets specifically and, in particular, the risks inherent to the use of distributed ledger technology (for instance, cybertheft, hacks, loss or destruction of private keys), on which crypto-assets are based.

  31. Crypto-asset service providers should design their questionnaires so that they are able to gather the necessary information about their client. This is particularly relevant for crypto-asset service providers providing robo-advice services given the limited human interaction.
In order to ensure their compliance with the requirements concerning that assessment, crypto-asset service providers should take into account factors such as:
● whether the information collected through the online questionnaire allows the crypto-asset service provider to conclude that the advice provided is suitable for their clients on the basis of their knowledge and experience, their financial situation and their investment objectives and needs;
● whether the questions in the questionnaire are sufficiently clear and/or whether the questionnaire is designed to provide additional clarification or examples to clients when necessary (e.g., through the use of design features, such as tool-tips or pop-up boxes);
● whether some human interaction (including remote interaction via emails or mobile phones) is available to clients when responding to the online questionnaire;
● whether steps have been taken to address inconsistent client responses (such as incorporating in the questionnaire design features to alert clients when their responses appear internally inconsistent and suggest them to reconsider such responses; or implementing systems to automatically flag apparently inconsistent information provided by a client for review or follow-up by the crypto-asset service provider).

5.3 Extent of information to be collected from clients (proportionality) (Guideline 3)

Relevant legislation: Article 81(1), (8) and (10) of MiCA.

  32. Before providing advice on crypto-assets or portfolio management of crypto-assets, crypto-asset service providers need to collect all ‘necessary information’26 about the client’s knowledge and experience, financial situation, investment objectives and their basic understanding of the risks involved in purchasing crypto-assets, giving due consideration to the nature and extent of the service provided. The extent of ‘necessary’ information may vary and crypto-asset service providers should determine the extent of the information to be collected from clients in light of all the features of the advice on crypto-assets or portfolio management of crypto-assets to be provided to those clients. Notably, crypto-asset service providers should take into account the features of the advice on crypto-assets or portfolio management of crypto-assets to be provided, the type and characteristics of the crypto-assets to be considered and the characteristics of the clients.

26 ‘Necessary information’ should be understood as meaning the information that crypto-asset service providers must collect to comply with the suitability requirements under MiCA.

  33. In determining what information is ‘necessary’, crypto-asset service providers should consider, in relation to a client’s knowledge and experience, financial situation, investment objectives and their basic understanding of the risks involved in purchasing crypto-assets:
● the type of crypto-assets or transactions or services that the crypto-asset service provider may recommend or enter into (including the complexity and level of risk);
● the nature and extent of the service that the crypto-asset service provider may provide;
● the needs and circumstances of the client;
● the features of the client (e.g., their level of sophistication, knowledge of investing (including in relation to crypto-assets), financial situation…).

  34. Crypto-asset service providers should ensure that the information regarding a client’s or potential client’s knowledge and experience in investing, including in the crypto-asset field, includes the following, to the extent appropriate to the nature of the client, the nature and extent of the service to be provided and the type of crypto-asset or transaction envisaged, including their complexity and the risks involved:
● the types of service, transaction and financial products with which the client is familiar;
● whether the client understands distributed ledger technology, on which crypto-assets are based, and the risks inherent to it such as the risk to transfer crypto-assets to the wrong wallet or address or the risks of hacking;
● the nature, volume, and frequency of the client's transactions, including in crypto-assets, and the period over which they have been carried out;
● the level of education, and profession or relevant former profession of the client or potential client.

  35. When assessing a client’s knowledge of crypto-assets or a particular type of crypto-assets, crypto-asset service providers should not solely rely on such client’s transaction history but should ensure the client’s understanding of the product.

  36. While the extent of the information to be collected may vary, the standard for ensuring that a recommendation or an investment made on the client’s behalf is suitable for the client will always remain the same. MiCA allows crypto-asset service providers to collect the level of information that is adequate for and proportionate to the products and services they offer, or on which the client requests specific advice on crypto-assets or portfolio management of crypto-assets. It does not allow crypto-asset service providers to lower the level of protection due to clients.

  37. The information regarding the investment objectives of the client or potential client should include, where relevant, information on the length of time for which the client wishes to hold the investment, his or her preferences regarding risk taking, his or her risk profile, and the purposes of the investment.

  38. When providing access to more complex or risky crypto-assets, crypto-asset service providers should collect more in-depth information about the client than they would collect when less complex or risky products are at stake.
This is so that crypto-asset service providers can assess the client’s capacity to understand, and financially bear, the risks associated with crypto-assets.27 ESMA expects crypto-asset service providers to carry out a robust assessment amongst others of the client’s knowledge and experience, including, for example, the ability to understand the mechanisms which make the crypto-asset recommended or traded “risky” and, possibly, “complex”, whether the client has already traded in crypto-assets and the specific type of crypto-assets (for example, a stablecoin or a utility token), the length of time he has been trading them for, etc.

27 To ensure clients understand the investment risk and potential losses they may bear, the crypto-asset service provider should, as far as possible, present these risks in a clear and understandable way, potentially using illustrative examples of the extent of losses in the event of a crypto-asset performing poorly, and with due consideration of Article 81(9) of MiCA.

  39. For illiquid crypto-assets28, the ‘necessary information’ to be gathered should include information on the length of time for which the client is prepared to hold the investment.

  40. As information about a client’s financial situation will always need to be collected, the extent of information to be collected may depend on the type of crypto-assets and services to be recommended or entered into. For example, as many crypto-assets are highly speculative investments, ‘necessary information’ to be collected may include all of the following elements as necessary to ensure whether the client’s financial situation allows him to invest or be invested in such crypto-assets:
● the extent of the client’s regular income and total income, whether the income is earned on a permanent or temporary basis, and the source of this income (for example, from employment, retirement income, investment income, rental yields, etc.);
● the client’s assets, including liquid assets, investments and real property, which would include what financial investments, personal and investment property, pension funds and any cash deposits, etc. the client may have. The crypto-asset service provider should, where relevant, also gather information about conditions, terms, access, loans, guarantees and other restrictions, if applicable, to the above assets that may exist;
● the client’s regular financial commitments, which would include what financial commitments the client has made or is planning to make (client’s debits, total amount of indebtedness and other periodic commitments, etc.).

  41. In determining the information to be collected, crypto-asset service providers should also take into account the nature of the service to be provided.
Practically, this means that:
● when advice on crypto-assets is to be provided, crypto-asset service providers should collect sufficient information in order to be able to assess the ability of the client to understand the risks and nature of each of the crypto-assets and services that the crypto-asset service provider envisages recommending to that client;
● when portfolio management of crypto-assets is to be provided, as investment decisions are to be made by the crypto-asset service provider on behalf of the client, the level of knowledge and experience needed by the client with regard to all the crypto-assets that can potentially make up the portfolio may be less detailed than the level that the client should have when an advice on crypto-assets service is to be provided. Nevertheless, even in such situations, the client should at least understand the overall risks of the portfolio (including the risks inherent to distributed ledger technology) and possess a general understanding of the risks linked to each type of crypto-assets that can be included in the portfolio. Crypto-asset service providers should gain a very clear understanding and knowledge of the degree of understanding of crypto-assets and of the investment profile of the client.

28 It is up to each crypto-asset service provider to define a priori which of the crypto-assets included in its offer to investors it considers as being illiquid.

  42. Similarly, the extent of the service requested by the client may also impact the level of detail of information collected about the client. For example, crypto-asset service providers should collect more information about clients asking for advice covering their entire financial portfolio than about clients asking for specific advice on how to invest a given amount of money that represents a relatively small part of their overall portfolio.

  43. Crypto-asset service providers should also take into account the nature of the client when determining the information to be collected. For example, more in-depth information would usually need to be collected for potentially vulnerable clients (such as older clients could be) or inexperienced ones asking for advice on crypto-assets or portfolio management of crypto-asset services for the first time.

  44. Information to be collected will also depend on the needs and circumstances of the client. For example, a crypto-asset service provider is likely to need more detailed information about the client’s financial situation where the client’s investment objectives are multiple and/or long-term, than when the client seeks a short-term investment.

  45. Information about a client’s financial situation includes information regarding his or her investments (in crypto-assets and other products). This implies that crypto-asset service providers are expected to possess information about the client’s financial investments he holds with the crypto-asset service provider on a crypto-asset by crypto-asset basis. Depending on the scope of advice provided, crypto-asset service providers should also encourage clients to disclose details on investments they hold with other crypto-asset service providers or financial investments they hold with financial institutions, if possible also on a product-by-product basis.

5.4 Reliability of client information (Guideline 4)

Relevant legislation: Article 81(1) and (10) of MiCA.

  46. Clients are expected to provide correct, up-to-date and complete information necessary for the suitability assessment. However, crypto-asset service providers should take all reasonable steps and have appropriate tools to ensure that the information collected about their clients is reliable, accurate and consistent, without unduly relying on clients’ self-assessment. This should include, without limitation:
● ensuring clients are aware of the importance of providing accurate and up-to-date information;
● ensuring all tools, such as risk assessment profiling tools or tools to assess a client’s knowledge and experience, employed in the suitability assessment process are fit-for-purpose and are appropriately designed for use with their clients, with any limitations identified and actively mitigated through the suitability assessment process;
● ensuring questions used in the process are likely to be understood by clients, capture an accurate reflection of the client’s objectives and needs, and the information necessary to understand the suitability assessment; and
● taking steps, as appropriate, to ensure the consistency of client information, such as by considering whether there are obvious inaccuracies in the information provided by clients.

  47. Crypto-asset service providers remain responsible for ensuring they have the necessary information to conduct a suitability assessment. In this respect, any agreement signed by the client, or disclosure made by the crypto-asset service provider, that would aim at limiting the responsibility of the crypto-asset service provider with regard to the suitability assessment, would not be considered compliant with the relevant requirements in MiCA.

  48. To avoid unduly relying on client’s self-assessment, any auto-evaluation should be counterbalanced by factual information gathered on the basis of objective criteria.
For example:
● instead of asking whether a client understands the notions of risk-return trade-off and risk diversification, the crypto-asset service provider should present some practical examples of situations that may occur in practice, for example by means of graphs or through positive and negative scenarios which are based on reasonable assumptions;
● instead of asking whether a client has sufficient knowledge about the main characteristics and risks of specific types of crypto-assets, the crypto-asset service provider should for instance ask questions aimed at assessing the client’s real knowledge about the specific types of crypto-assets, for example by asking the client multiple choice questions to which the client should provide the right answer;
● instead of asking a client whether he feels sufficiently experienced to invest in certain crypto-assets, the crypto-asset service provider should ask the client what types of crypto-assets the client is familiar with and how recent and frequent his trading experience with them is;
● instead of asking whether clients believe they have sufficient funds to invest, the crypto-asset service provider should ask clients to provide factual information about their financial situation, e.g. the regular source of income and whether outstanding liabilities exist (such as bank loans or other debts, which may significantly impact the assessment of the client’s ability to financially bear any risks and losses related to the investment);
● instead of asking whether a client feels comfortable with taking risk, the crypto-asset service provider should ask what level of loss over a given time period the client would be willing to accept, either on the individual investment or on the overall portfolio.

  49. In assessing a client’s knowledge and experience, a crypto-asset service provider should also avoid using overly broad questions with a yes/no type of answer and/or a very broad tick-the-box self-assessment approach (for example, crypto-asset service providers should avoid submitting a list of crypto-assets to the client and asking him/her to indicate which s/he understands). Where crypto-asset service providers pre-fill answers based on the client’s transactions history with that crypto-asset service provider (e.g., through another crypto-asset service provided), they should ensure that only fully objective, pertinent, and reliable information is used and that the client is given the opportunity to review and, if necessary, correct and/or complete each of the pre-filled answers to ensure the accuracy of any pre-populated information. Crypto-asset service providers should also refrain from predicting clients’ experience based on assumptions.

  50. A client’s prior investments in crypto-assets should not be sufficient in itself for the crypto-asset service provider to conclude that such client understands crypto-assets and crypto-asset services (especially the risks associated with crypto-assets).

  51. When assessing the risk tolerance of their clients through a questionnaire, crypto-asset service providers should not only investigate the desirable risk-return characteristics of future investments but they should also take into account the client’s risk perception. To this end, whilst self-assessment for the risk tolerance should be avoided, explicit questions on the clients’ personal choices in case of risk uncertainty could be presented. Furthermore, crypto-asset service providers could for example make use of graphs, specific percentages or concrete figures when asking the client how he would react when the value of his portfolio decreases.

  52. Where crypto-asset service providers rely on tools to be used by clients as part of the suitability process (such as questionnaires or risk-profiling software), they should ensure that they have appropriate systems and controls to ensure that the tools are fit for purpose and produce satisfactory results. For example, risk-profiling software could include some controls of coherence of the replies provided by clients in order to highlight contradictions between different pieces of information collected.

  53. Crypto-asset service providers should also take reasonable steps to mitigate potential risks associated with the use of such tools. For example, potential risks may arise if clients were encouraged to provide certain answers in order to get access to crypto-assets or crypto-asset services that may not be suitable for them (without correctly reflecting the clients’ real circumstances and needs).29

  54. In order to ensure the consistency of client information, crypto-asset service providers should view the information collected as a whole. Crypto-asset service providers should be alert to any relevant contradictions between different pieces of information collected, and contact the client in order to resolve any material potential inconsistencies or inaccuracies. Examples of such contradictions are clients who have little knowledge or experience and an aggressive attitude to risk, or who have a prudent risk profile and ambitious investment objectives.

  55. Crypto-asset service providers should adopt mechanisms to address the risk that clients may tend to overestimate their knowledge and experience, for example by including questions that would help crypto-asset service providers assess the overall clients’ understanding about the characteristics and the risks of crypto-assets in general and the different types of crypto-assets. Such measures may be particularly important in the case of robo-advice, since the risk of overestimation by clients may be higher when they provide information through an automated (or semi-automated) system, especially in situations where very limited or no human interaction at all between clients and the crypto-asset service provider’s employees is foreseen.
5.5 Updating client information (Guideline 5) Relevant legislation: Article 81(1), (8), (10) and (12) of MiCA. 56. Where a crypto-asset service provider has an ongoing relationship with the client (such as by providing ongoing advice on crypto-assets or portfolio management of crypto￾assets), in order to be able to perform the suitability assessment, crypto-asset service providers should adopt procedures defining: (a) what part of the client information collected should be subject to updating and at which frequency; (b) how the updating should be done and what action should be undertaken by the crypto-asset service provider when additional or updated information is received or when the client fails to provide the information requested. 29 In this regard, see also paragraph 59 of guideline 5, which addresses the risk of clients being influenced by crypto-asset service providers to change answers previously provided by them, without there being any real modification in their situation.

57. Crypto-asset service providers should regularly review client information to ensure that it does not become manifestly out of date, inaccurate or incomplete. To this end, crypto-asset service providers should implement procedures to encourage clients to update the information originally provided where significant changes occur.

58. Frequency of update might vary depending on, for example, clients’ risk profiles and taking into account the type of crypto-asset recommended. Based on the information collected about a client under the suitability requirements, a crypto-asset service provider will determine the client’s risk profile, i.e. what type of crypto-asset services or crypto-assets can in general be suitable for him taking into account his knowledge and experience, his financial situation (including his ability to bear losses) and his investment objectives (including his risk tolerance). For example, a risk profile giving to the client access to a wider range of riskier products is an element that is likely to require more frequent updating. Certain events might also trigger an updating process; this could be so, for example, for clients reaching the age of retirement or facing unemployment.

59. Due to the requirement to review the suitability assessment at least every two years (in accordance with Article 81(12) of MiCA), updates should occur at least every two years to ensure that the updated suitability assessment is not based on outdated client’s information. This also implies that the update should be done prior to any new suitability assessment occurring on the two-year deadline.

60. Updating could, for example, be carried out by sending an updating questionnaire to clients. Relevant actions might include changing the client’s profile based on the updated information collected.

61. It is also important that crypto-asset service providers adopt measures to mitigate the risk of inducing the client to update his own profile so as to make appear as suitable a certain investment product or service that would otherwise be unsuitable for him, without there being a real modification in the client’s situation.30 As an example of a good practice to address this type of risk, crypto-asset service providers could adopt procedures to verify, before or after transactions are made, whether a client’s profile has been updated too frequently or only after a short period from last modification (especially if this change has occurred in the immediate days preceding a recommended investment). Such situations would therefore be escalated or reported to the relevant control function. These policies and procedures are particularly important in situations where there is a heightened risk that the interest of the crypto-asset service provider may come into conflict with the best interests of its clients, e.g. in situations in which the crypto-asset service provider is placing crypto-assets with its own clients. Another relevant factor to consider in this context is also the type of interaction that occurs with the client (e.g. telephone conversation vs through an automated system).

30 Also relevant in this context are measures adopted to ensure the reliability of clients’ information as detailed under guideline 4, paragraph 46.

62. Crypto-asset service providers should inform the client when the additional information provided results in a change of his profile, whether it becomes more risky (and therefore, potentially, a wider range of riskier and more complex crypto-assets may as a result be suitable for him, with the potential to incur in higher losses) or vice-versa more conservative (and therefore, potentially, a more restricted range of crypto-assets may as a result be suitable for him).

5.6 Client information for legal entities or groups (Guideline 6)

Relevant legislation: Article 81(1), (8) and (10) of MiCA.

63. Where a client is a legal person or a group of two or more natural persons or where one or more natural persons are represented by another natural person, the crypto-asset service provider should establish and implement a policy, on an ex-ante basis, on the procedure and criteria that should be followed in order to comply with the MiCA suitability requirements in such situations. This includes (i) who should be subject to the suitability assessment, (ii) how the suitability assessment should be done in practice, including from whom information about knowledge and experience, financial situation and investment objectives should be collected and (iii) the possible impact this could have for the relevant clients, in accordance with the existing policy.

64. Where a client is a legal person or a natural person represented by another natural person, the financial situation and investment objectives should be assessed in light of those of the underlying client (the legal person or the natural person that is being represented) rather than of the representative. The knowledge and experience to be assessed should be that of the representative. This would imply amongst others that they verify that the representative is indeed – according to relevant national law – authorised to carry out transactions on behalf of the client.

65. Crypto-asset service providers should consider whether the applicable national legal framework provides specific indications that should be taken into account for the purpose of conducting the suitability assessment (this could be the case, for instance, where the appointment of a legal representative is required by law: e.g. for underage or incapacitated persons or for a legal person).

66. The policy should make a clear distinction between situations where a representative is foreseen under applicable national law, as it can be the case for example for legal persons, and situations where no representative is foreseen, and it should focus on these latter situations. Where the policy foresees agreements between clients, they should be made aware clearly and in written form about the effects that such agreements may have regarding the protection of their respective interests. Steps taken by the crypto-asset service provider in accordance with its policy should be appropriately documented to enable ex-post controls.

67. Where the client is a group of two or more natural persons and no representative is foreseen under applicable national law, the crypto-asset service provider’s policy should identify from whom necessary information will be collected and how the suitability assessment will be done. Clients should be properly informed about the crypto-asset service provider’s approach (as decided in its policy) and the impact of this approach on the way the suitability assessment is done in practice.

68. Approaches such as the following could possibly be considered by crypto-asset service providers:
(a) they could choose to invite the group of two or more natural persons to designate a representative; or,
(b) they could consider collecting information about each individual client and assessing the suitability for each individual client.

Inviting the group of two or more natural persons to designate a representative

69. If the group of two or more natural persons agrees to designate a representative, the same approach as the one described in paragraph 64 above could be followed: the knowledge and experience shall be that of the representative, while the financial situation and the investment objectives would be those of the underlying client(s). Such designation should be made in written form as well as according to and in compliance with the applicable national law, and recorded by the relevant crypto-asset service provider. The clients - part of the group - should be clearly informed, in written form, about the impact that an agreement amongst clients could have on the protection of their respective interests.

70. The crypto-asset service provider’s policy could however require the underlying client(s) to agree on their investment objectives.

71. If the parties involved have difficulties in deciding the person/s from whom the information on knowledge and experience should be collected, the basis on which the financial situation should be determined for the purpose of the suitability assessment or on defining their investment objectives, the crypto-asset service provider should adopt the most prudent approach by taking into account, accordingly, the information on the person with the least knowledge and experience, the weakest financial situation or the most conservative investment objectives. Alternatively, the crypto-asset service provider’s policy may also specify that it will not be able to provide advice on crypto-assets or portfolio management of crypto-assets in such a situation. Crypto-asset service providers should at least be prudent whenever there is a significant difference in the level of knowledge and experience or in the financial situation of the different clients part of the group.

Collecting information about each individual client and assessing the suitability for each individual client

72. When a crypto-asset service provider decides to collect information and assess suitability for each individual client part of the group, if there are significant differences between the characteristics of those individual clients (for example, if the crypto-asset service provider would classify them under different investment profiles), the question arises about how to ensure the consistency of the advice on crypto-assets or portfolio management of crypto-assets provided with regard to the crypto-assets or portfolio of that group of clients. In such a situation, a crypto-asset may be suitable for one client part of the group but not for another one. The crypto-asset service provider’s policy should clearly specify how it will deal with such situations. Here again, the crypto-asset service provider should adopt the most prudent approach by taking into account the information on the client part of the group with the least knowledge and experience, the weakest financial situation or the most conservative investment objectives. Alternatively, the crypto-asset service provider’s policy may also specify that it will not be able to provide advice on crypto-assets or portfolio management of crypto-assets in such a situation. In this context, it should be noted that collecting information on all the clients part of the group and considering, for the purposes of the assessment, an average profile of the level of knowledge and competence of all of them, would unlikely be compliant with the MiCA overarching principle of acting in the clients’ best interests.

5.7 Arrangements necessary to understand crypto-assets (Guideline 7)

Relevant legislation: Article 81(10) of MiCA.

73. Crypto-asset service providers should have adequate policies and procedures in place to ensure that they understand the characteristics, nature, features, including costs and risks of crypto-asset services and crypto-assets selected for their clients and that they assess, while taking into account cost and complexity, whether equivalent crypto-asset services or crypto-assets can meet their client’s profile.

74. Crypto-asset service providers should adopt robust and objective procedures, methodologies and tools that allow them to appropriately consider the different characteristics and relevant risk factors (such as credit risk, market risk, liquidity risk31, operational risk including hacking risk, etc.) of each crypto-asset they may recommend or invest in on behalf of clients. Considering the level of ‘complexity’ of products is particularly important, and this should be matched with a client’s information (in particular regarding their knowledge and experience).

31 It is particularly important that the liquidity risk identified is not balanced out with other risk indicators (such as, for example, those adopted for the assessment of credit/counterparty risk and market risk). This is because the liquidity features of crypto-assets should be compared with information on the client’s willingness to hold the crypto-assets for a certain length of time, i.e. the so called ‘holding period’.

75. Crypto-asset service providers should adopt procedures to ensure that the information used to understand and correctly classify crypto-assets included in their product offer is reliable, accurate, consistent and up-to-date. When adopting such procedures, crypto-asset service providers should take into account the different characteristics and nature of the crypto-assets considered.

76. In addition, crypto-asset service providers should review the information used so as to be able to reflect any relevant changes that may impact the product’s classification. This is particularly important, taking into account the continuing evolution and growing speed of crypto-asset markets.

5.8 Arrangements necessary to ensure the suitability of crypto-assets or crypto-asset services (Guideline 8)

Relevant legislation: Article 81(1), (10), (11) and (12) of MiCA.

77. In order to match clients with suitable investments and services, crypto-asset service providers should establish policies and procedures to ensure that they consistently take into account:
● all available information about the client necessary to assess whether a crypto-asset or service is suitable, including the client’s current portfolio of investments (and asset allocation within that portfolio which should not be limited to crypto assets allocation);
● all material characteristics of the crypto-assets and services considered in the suitability assessment, including all relevant risks and any direct or indirect costs to the client.

78. Crypto-asset service providers are reminded that the suitability assessment is not limited to recommendations to buy a crypto-asset. Every recommendation must be suitable, whether it is, for example, a recommendation to buy, hold or sell a crypto-asset, or not to do so.

79. Crypto-asset service providers that rely on tools in the suitability assessment process (such as model portfolios, asset allocation software or a risk-profiling tool for potential investments), should have appropriate systems and controls to ensure that the tools are fit for purpose and produce satisfactory results.

80. In this regard, the tools should be designed so that they take account of all the relevant specificities of each client or crypto-asset. For example, tools that classify clients or crypto-assets broadly would not be fit for purpose.

81. A crypto-asset service provider should establish policies and procedures which enable it to ensure inter alia that:
● the advice on crypto-assets and portfolio management of crypto-assets services provided to the client take account of an appropriate degree of risk diversification, including regarding the type of instruments held in the portfolio (crypto assets, financial instruments, etc.);
● the client has an adequate understanding of the relationship between risk and return, i.e. of the necessarily low remuneration of risk free assets, of the incidence of time horizon on this relationship and of the impact of costs on his investments;
● the financial situation of the client can finance the crypto-assets and the client can bear any possible losses resulting from the investments;
● any personal recommendation or transaction entered into in the course of providing advice on crypto-assets or portfolio management of crypto-assets, where an illiquid product is involved, takes into account the length of time for which the client is prepared to hold the investment; and
● any conflicts of interest are prevented from adversely affecting the quality of the suitability assessment.

82. When making a decision on the methodology to be adopted to conduct the suitability assessment, the crypto-asset service provider should also take into account the type and characteristics of the crypto-asset services provided and, more in general, its business model.

83. When conducting a suitability assessment, a crypto-asset service provider providing the service of portfolio management of crypto-assets should, on the one hand, assess - in accordance with the second bullet point of paragraph 41 of these guidelines - the knowledge and experience of the client regarding each type of crypto-asset that could be included in his portfolio, and the types of risks involved in the management of his portfolio. Depending on the level of complexity of the crypto-assets involved, the crypto-asset service provider should assess the client’s knowledge and experience more specifically than solely on the basis of the type to which the crypto-asset belongs (e.g., an asset-referenced token linked to a basket of emerging markets currencies versus an asset-referenced token solely linked to EUR and USD). On the other hand, with regard to the client’s financial situation and investment objectives, the suitability assessment about the impact of the crypto-asset(s) and transaction(s) can be done at the level of the client’s portfolio as a whole. In practice, if the portfolio management agreement defines in sufficient details the investment strategy that is suitable for the client with regard to the suitability criteria defined by MiCA and that will be followed by the crypto-asset service provider, the assessment of the suitability of the investment decisions could be done against the investment strategy as defined in the portfolio management agreement and the portfolio of the client as a whole should reflect this agreed investment strategy. When a crypto-asset service provider conducts a suitability assessment based on the consideration of the client’s portfolio as a whole within the service of advice on crypto-assets, this means that, on the one hand, the level of knowledge and experience of the client should be assessed regarding each crypto-asset and risks involved in the related transaction. On the other hand, with regard to the client’s financial situation and investment objectives, the suitability assessment about the impact of the product and transaction can be done at the level of the client’s portfolio.

84. When a crypto-asset service provider conducts a suitability assessment based on the consideration of the client’s portfolio as a whole, it should ensure an appropriate degree of diversification within the client’s portfolio, taking into account the client’s portfolio exposure to the different financial risks (geographical exposure, currency exposure, etc.). Crypto-asset service providers should be especially prudent regarding credit risk: exposure of the client’s portfolio to one single issuer or to issuers part of the same group should be particularly considered. This is because, if a client’s portfolio is concentrated in products issued by one single entity (or entities of the same group), in case of default of that entity, the client may lose up to his entire investment.

85. In order to ensure the consistency of the suitability assessment conducted through automated tools (even if the interaction with clients does not occur through automated systems), crypto-asset service providers should regularly monitor and test the algorithms that underpin the suitability of the transactions recommended or undertaken on behalf of clients. When defining such algorithms, crypto-asset service providers should take into account the nature and characteristics of the crypto-assets and services included in their offer to clients. In particular, crypto-asset service providers should at least:
● establish an appropriate system-design documentation that clearly sets out the purpose, scope and design of the algorithms. Decision trees or decision rules should form part of this documentation, where relevant;
● have a documented test strategy that explains the scope of testing of algorithms. This should include test plans, test cases, test results, defect resolution (if relevant), and final test results;
● have in place appropriate policies and procedures for managing any changes to an algorithm, including monitoring and keeping records of any such changes. This includes having security arrangements in place to monitor and prevent unauthorised access to the algorithm;
● review and update algorithms to ensure that they reflect any relevant changes (e.g. market changes and changes in the applicable law) that may affect their effectiveness;
● have in place policies and procedures enabling to detect any error within the algorithm and deal with it appropriately, including, for example, suspending the provision of advice if that error is likely to result in an unsuitable advice and/or a breach of relevant law/regulation;
● have in place adequate resources, including human and technological resources, to monitor and supervise the performance of algorithms through an adequate and timely review of the advice provided; and
● have in place an appropriate internal sign-off process to ensure that the steps above have been followed.

86. Where advice on crypto-assets or portfolio management of crypto-assets are provided in whole or in part through an automated or semi-automated system, the responsibility to undertake the suitability assessment should remain with the crypto-asset service provider providing the service and shall not be reduced by the use of an electronic system in making the personal recommendation or decision to trade.

5.9 Costs and complexity of equivalent products (Guideline 9)

Relevant legislation: Article 81(1), (10) and (12) of MiCA.

87. Suitability policies and procedures should ensure that, before a crypto-asset service provider makes a decision on the crypto-asset(s) that will be recommended, or invested in the portfolio managed on behalf of the client, a thorough assessment of the possible crypto-assets and crypto-asset services alternatives is undertaken, taking into account products’ cost and complexity.

88. A crypto-asset service provider should have a process in place, taking into account the nature of the service, its business model and the type of crypto-assets that are provided, to assess crypto-assets available that are ‘equivalent’ to each other in terms of ability to meet the client’s needs and circumstances, such as crypto-assets with similar target clients and similar risk-return profile.

89. When considering the cost factor, crypto-asset service providers should take into account all costs and charges covered by the relevant provisions under Article 81(4) of MiCA. As for the complexity, crypto-asset service providers should refer to the criteria identified in the above guideline 7. For crypto-asset service providers with a restricted range of crypto-assets, or those recommending one type of crypto-asset, where the assessment of ‘equivalent’ crypto-asset could be limited, it is important that clients are made fully aware of such circumstances. In this context, it is particularly important that clients are provided appropriate information on how restricted the range of crypto-assets offered is, pursuant to Article 81(2)(b) of MiCA.32

32 In accordance with MiCA, crypto-asset service providers are therefore not expected to consider the whole universe of possible crypto-asset options existing in the market in order to follow guideline 7.

90. Where a crypto-asset service provider uses common portfolio strategies or model investment propositions that apply to different clients with the same investment profile (as determined by the crypto-asset service provider), the assessment of cost and complexity for ‘equivalent’ crypto-assets could be done on a higher level, centrally, (for example within an investment committee or any other committee defining common portfolio strategies or model investment propositions) although a crypto-asset service provider will still need to ensure that the selected crypto-assets are suitable and meet their clients’ profile on a client-by-client basis.

91. Crypto-asset service providers should be able to justify those situations where a more costly or complex crypto-asset is chosen or recommended over an equivalent crypto-asset, taking into account that for the selection process of products in the context of advice on crypto-assets or portfolio management further criteria can also be considered (for example: the portfolio’s diversification, liquidity, or risk level). Crypto-asset service providers should document and keep records about these decisions, as these decisions should deserve specific attention from control functions within the crypto-asset service provider. The respective documentation should be subject to internal reviews. When providing advice on crypto-assets crypto-asset service providers could, for specific well-defined reasons, also decide to inform the client about the decision to choose the more costly and complex crypto-asset.

5.10 Costs and benefits of switching investments (Guideline 10)

Relevant legislation: Article 81(1), (10) and (12) of MiCA.

92. As part of the policies and procedures on the suitability assessment, crypto-asset service providers should undertake an analysis of the costs and benefits of a switch such that crypto-asset service providers are reasonably able to demonstrate that the expected benefits of switching are greater than the costs.

93. For the purpose of this guideline, investment decisions such as rebalancing a portfolio under management, in the case of a “passive strategy” to replicate an index (as agreed with the client) would normally not be considered as a switch. For the avoidance of doubt, any transaction without maintaining these thresholds would be considered as a switch.

94. Crypto-asset service providers should take all necessary information into account, so as to be able to conduct a cost-benefit analysis of the switch, i.e. an assessment of the advantages and disadvantages of the new crypto-asset(s) considered. When considering the cost dimension, crypto-asset service providers should take into account all costs and charges covered by the relevant provisions under Article 81(4) of MiCA. In this context, both monetary and non-monetary factors of costs and benefits could be relevant. These may include, for example:
● the expected net return of the proposed alternative transaction (which also considers any possible up-front cost to be paid by the client(s)) vs the expected net return of the existing investment (that should also consider any exit cost which the client(s) might incur to divest from the crypto-asset already in his/their portfolio);
● a change in the client’s circumstances and needs, which may be the reason for considering the switch, e.g. the need for liquidity in the short term as a consequence of an unexpected and unplanned family event;
● a change in the crypto-assets’ features and/or market circumstances, which may be a reason for considering a switch in the client(s) portfolio(s), e.g. if a crypto-asset becomes illiquid due to market trends;
● benefits to the client’s portfolio stemming from the switch, such as (i) an increase in the portfolio diversification (by geographical area, type of crypto-asset, type of issuer, etc.); (ii) an increased alignment of the portfolio’s risk profile with the client’s risk objectives; (iii) an increase in the portfolio’s liquidity; or (iv) a decrease of the overall credit risk of the portfolio.

95. When providing advice on crypto-assets, a clear explanation of whether or not the benefits of the recommended switch are greater than its costs should be included in the suitability report33 the crypto-asset service provider has to provide to the client before the transaction is made.

33 The report on suitability referred to in Article 81(13) of MiCA.

96. Crypto-asset service providers should also adopt systems and controls to monitor the risk of circumventing the obligation to assess costs and benefits of recommended switch, for example in situations where an advice to sell a crypto-asset is followed by an advice to buy another crypto-asset at a later stage (e.g. days later), but the two transactions were in fact strictly related from the beginning.

97. Where a crypto-asset service provider uses common portfolio strategies or model investment propositions that apply to different clients with the same investment profile (as determined by the crypto-asset service provider), the costs/benefits analysis of a switch could be done on a higher level than at the level of each individual client or each individual transaction. More especially, when a switch is decided centrally, for example within an investment committee or any other committee defining common portfolio strategies or model investment propositions, the costs/benefits analysis could be done at the level of that committee. If such a switch is decided centrally, the costs/benefits analysis done at that level would usually be applicable to all comparable client portfolios without making an assessment for each individual client. In such a situation also, the crypto-asset service provider could determine, at the level of the relevant committee, the reason why a switch decided will not be performed for certain clients. Although the costs/benefits analysis could be done at a higher level in such situations, the crypto-asset service provider should nevertheless have appropriate controls in place to check that there are no particular characteristics of certain clients that might require a more discrete level of analysis.

98. Where a portfolio manager has agreed a more bespoke mandate and investment strategy with a client due to the client’s specific investment needs, a cost-benefit analysis of the switch at client-level should be performed, in contrast to the above.

99. Notwithstanding the above, if a portfolio manager considers that the composition or parameters of a portfolio should be changed in a way that is not permitted by the mandate agreed with the client, the portfolio manager should discuss this with the client and review or conduct a new suitability assessment to agree a new mandate.
5.11 Qualifications of staff (Guideline 11)[34]

Relevant legislation: Articles 68(5) and 81(7) of MiCA.

100. Crypto-asset service providers are required to ensure that staff involved in material aspects of the suitability process have an adequate level of skills, knowledge and expertise with regard to crypto-assets and crypto-asset services.

101. Staff should understand the role they play in the suitability assessment process and possess the skills, knowledge and expertise necessary, including sufficient knowledge of the relevant regulatory requirements and procedures, to discharge their responsibilities.

[34] As per the mandate under Article 81(15)(a) of MiCA, ESMA will, at a later date, issue more general guidelines on the criteria for the assessment of knowledge and competence in accordance with Article 81(7) of MiCA.

102. Staff should possess the necessary knowledge and competence, including with regard to the suitability assessment. To that effect, crypto-asset service providers should give staff appropriate training.

103. Other staff that does not directly face clients but is involved in the suitability assessment in any other way should still possess the necessary skills, knowledge and expertise required depending on their particular role in the suitability process. This may regard, for example, setting up the questionnaires, defining algorithms governing the assessment of suitability or other aspects necessary to conduct the suitability assessment and controlling compliance with the suitability requirements.

104. Where relevant, when employing automated tools (including hybrid tools), crypto-asset service providers should ensure that their staff involved in the activities related to the definition of these tools:

● have an appropriate understanding of the technology and algorithms used to provide digital advice (particularly they are able to understand the rationale, risks and rules behind the algorithms underpinning the digital advice); and
● are able to understand and review the digital/automated advice generated by the algorithms.

6. Guidelines on the format of the periodic statement for portfolio management of crypto-assets

6.1 Durable medium (Guideline 1)

Relevant legislation: Article 81(14) of MiCA.

105. Crypto-asset service providers should provide each such client with the periodic statement provided for in Article 81(14) of MiCA in an electronic format that is also a durable medium.

106. Such medium should enable a client to i) store the information addressed personally to that client in a way accessible for future reference and for a period of time adequate for the purposes of the information; and ii) allow the unchanged reproduction of the information stored.

6.2 Access to an online system (Guideline 2)

Relevant legislation: Article 81(14) of MiCA.

107. For the purposes of Article 81(14), second subparagraph of MiCA, crypto-asset service providers should ensure that:

● the online system their clients have access to qualifies as a durable medium;
● the client is notified electronically of where and how the information may be accessed (for instance, if the online system is a website, the client should be notified of the address of the website, and the place on the website where the information may be accessed);
● the client is notified when a new periodic statement is made available; and
● the information is accessible continuously through that online system and for such period of time as the client may reasonably need to inspect it.

6.3 Content of the periodic statement (Guideline 3)

Relevant legislation: Article 81(14) of MiCA.

108. To ensure that clients get a fair and balanced review of the activities undertaken, of the performance of the portfolio and of how the activities undertaken meet the preferences, objectives and updated information on the suitability assessment during the reporting period, the periodic statement should include, as a minimum:

● a statement of the contents and the valuation of the portfolio, including details of each crypto-asset held, its market value, or fair value if market value is unavailable and the cash balance, all at the beginning and at the end of the reporting period;
● the performance of the portfolio during the reporting period, including any tokens received for free for the continuity of operations of a proof-of-work and proof-of-stake blockchain consensus mechanisms (staking awards);
● the total amount of fees and charges incurred during the reporting period, itemising at least total management fees and total costs associated with execution, and including, where relevant, a statement that a more detailed breakdown will be provided on request;
● a comparison of performance during the period covered by the statement with the performance benchmark (if any) agreed between the crypto-asset service provider and the client;
● for each transaction executed during the period, the main characteristics of the relevant transaction;
● an explanation as to how the activities or lack of activity meet the preferences, objectives and other characteristics of the client.

109. Crypto-asset service providers should also specify the date of the last suitability assessment or its review and, if relevant, on which basis it was last updated (e.g. new information provided by the client causing a change in the client’s profile, new criteria applied by the crypto-asset service provider).

4.4 Annex IV: Guidelines on the procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets

1 Scope

Who?

1. These guidelines apply to: (i) competent authorities and (ii) crypto-asset service providers that act as providers of transfer services for crypto-assets on behalf of clients within the meaning of Article 3(1)(26) of MiCA.

What?

2. These guidelines apply in relation to Article 82 of MiCA.

When?

3. These guidelines apply 60 calendar days from the date of their publication on ESMA’s website in all official EU languages.

2 Legislative references, abbreviations and definitions

2.1 Legislative references

ESMA Regulation: Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC[35]
MiCA: Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937[36]
TOFR: Regulation (EU) 2023/1113 of the European Parliament and the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849[37]

[35] OJ L 331, 15.12.2010, p. 84.
[36] OJ L 150, 9.6.2023, p. 40–205.
[37] OJ L 150, 9.6.2023, p. 1–39.

2.2 Abbreviations

EC: European Commission
ESFS: European System of Financial Supervision
ESMA: European Securities and Markets Authority
EU: European Union

3 Purpose

4. These guidelines, developed by ESMA in close cooperation with EBA, are based on Article 82(2) of MiCA. The objectives of these guidelines are to establish consistent, efficient and effective supervisory practices within the ESFS and to ensure the common, uniform and consistent application of the provisions in Article 82 of MiCA. In particular, they aim at providing more clarity on the requirements for crypto-asset service providers providing transfer services for crypto-assets on behalf of clients as regards procedures and policies, including the rights of clients, in the context of transfer services for crypto-assets. In this regard, ESMA anticipates a corresponding strengthening of investor protection. These guidelines apply without prejudice to the relevant rules under PSD 2, where applicable to relevant transfers of crypto-assets, notably EMTs.

4 Compliance and reporting obligations

4.1 Status of the guidelines

5. In accordance with Article 16(3) of the ESMA Regulation, competent authorities and crypto-asset service providers shall make every effort to comply with these guidelines.

6. Competent authorities to which these guidelines apply should comply by incorporating them into their national legal and/or supervisory frameworks as appropriate, including where particular guidelines are directed primarily at financial market participants. In this case, competent authorities should ensure through their supervision that crypto-asset service providers comply with the guidelines.

4.2 Reporting requirements

7. Within two months of the date of publication of the guidelines on ESMA’s website in all EU official languages, competent authorities to which these guidelines apply must notify ESMA whether they (i) comply, (ii) do not comply but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines.

8. In case of non-compliance, competent authorities must also notify ESMA within two months of the date of publication of the guidelines on ESMA’s website in all EU official languages of their reasons for not complying with the guidelines.

9. A template for notification is available on ESMA’s website.[38] Once the template has been filled in, it shall be transmitted to ESMA.

10. Crypto-asset service providers are not required to report whether they comply with these guidelines.

[38] See: https://www.esma.europa.eu/sites/default/files/library/esma42-110-1132_confirmation_of_compliance_with_guidelines.pdf

5 Guidelines on the policies and procedures in the context of transfer services for crypto-assets

5.1 General provisions on the policies and procedures on transfer of crypto-assets (Guideline 1)

11. Crypto-asset service providers should establish, implement and maintain adequate policies and procedures (including appropriate tools) to ensure that, in good time before the client enters into any agreement for the provision of transfer services for crypto-assets, they provide the client, in an electronic format, with the information and conditions related to the transfer services for crypto-assets.

12. The information provided should include at least the following:

• the name of the crypto-asset service provider, the address of its head office, and any other address and means of communication, including electronic mail address, relevant for communication with the crypto-asset service provider;
• the name of the national competent authority in charge of supervising the crypto-asset service provider;
• a description of the main characteristics of the transfer service for crypto-assets to be provided;
• a description of the form of and procedure for initiating or consenting to a transfer of crypto-assets and withdrawing an instruction or consent, including the specification of the information that has to be provided by the client in order for a transfer of crypto-assets to be properly initiated or executed (including, how to authenticate);
• the conditions under which the crypto-asset service provider may reject an instruction to carry out a transfer of crypto-assets;
• a reference to the procedure or process established by the crypto-asset service provider to determine the time of receipt of an instruction or consent to a transfer of crypto-assets and any cut-off time established by the crypto-asset service provider;
• an explanation per crypto-asset, of which distributed ledger technology (DLT) network is supported for the transfer of this crypto-asset;
• the maximum execution time for the transfer of crypto-assets service to be provided;
• for each DLT network, reasonably estimated time or number of block confirmations needed for the transfer to be irreversible on the DLT network or considered sufficiently irreversible in case of probabilistic settlement taking into account the rules and circumstances of the DLT network;
• all charges, fees or commissions payable by the client in relation to the crypto-assets transfer service, including those connected to the manner in and frequency with which information is provided or made available and, where applicable, the breakdown of the amounts of such charges;
• the means of communication, including basic information about the technical requirements for the client’s equipment and software (for example, the minimum software or mobile operating system), agreed between the parties for the transmission of information or notifications related to the crypto-asset transfer service;
• the manner in, and frequency with which, information related to the service of crypto-asset transfer is to be provided or made available;
• the language or languages in which the agreement referred to in Article 82(1) of MiCA will be concluded and communication during this contractual relationship undertaken;
• the secure procedure for notification of the client by the crypto-asset service provider in the event of suspected or actual fraud or security threats;
• the means and time period within which the client is to notify the crypto-asset service provider of any unauthorised or incorrectly initiated or executed transfers of crypto-assets as well as the crypto-asset service provider’s liability, including maximum amount thereof, for unauthorised or incorrectly initiated or executed transfers;
• the right of the client to terminate the agreement on the provision of crypto-asset transfer services and the modalities to do so;

13. The policies and procedures relating to the transfer services of crypto-assets should ensure that the crypto-asset service provider provides the relevant information in easily understandable words and in a clear and comprehensible form.

14. The policies and procedures referred to in paragraph 12 should also ensure that:

• at any time during the contractual relationship related to the crypto-asset transfer services, the client should be able to access or receive, on request, the agreement referred to in Article 82(1) of MiCA as well as the information listed in paragraph 12, in an electronic format;
• the client is made aware of any intended change to the information listed in paragraph 12 in good time before such change starts to apply.

15. Crypto-asset service providers should be able to provide the relevant information at the time of providing a copy of the draft agreement referred to in Article 82(1) of MiCA.

16. As a good practice, crypto-asset service providers are encouraged to also take into account, in the policies and procedures referred to in paragraph 11, how to provide clients with educational material helping them to learn about and better understand their rights and the function and risks of crypto-asset transfers.

5.2 Information on individual transfers for crypto-assets (Guideline 2)

17. Crypto-asset service providers should establish, implement and maintain adequate policies and procedures (including appropriate tools) to ensure that, after receipt of an instruction to transfer crypto-assets, but before the execution of the transfer of crypto-assets, the crypto-asset service provider provides the client with at least the following information:

• a brief and standardised warning as to whether and when the crypto-asset transfer will be irreversible or sufficiently irreversible in case of probabilistic settlement[39];
• the amount of any charges for the crypto-asset transfer payable by the client and, where applicable, a breakdown of the amounts of such charges, distinguishing, for example, between the gas fees charged for the transaction through the relevant DLT network and other fees crypto-asset service providers charge for their services.

[39] Depending on the type of consensus algorithms relating to the relevant DLT.

18. The policies and procedures referred to in the previous paragraph should also ensure that initiation or execution of the transfer does not take place before adequate steps have been taken to ensure compliance with TOFR, including Article 14 thereof.

19. Crypto-asset service providers should establish, implement and maintain adequate policies and procedures (including appropriate tools) to ensure that, after execution of individual transfers for crypto-assets, the crypto-asset service provider provides the client with at least the following information:

• the names of the originator and the beneficiary;
• the originator’s distributed ledger address or crypto-asset account number;
• the beneficiary’s distributed ledger address or crypto-asset account number;
• a reference enabling the client to identify each transfer of crypto-assets;
• the amount and type of crypto-assets transferred or received;
• the debit value date or the credit value date of the transfer of crypto-assets;
• the amount of any charges, fees or commissions relating to the transfer of crypto-assets and, where applicable, a breakdown of the amounts of such charges.

20. The policies and procedures referred to in paragraph 19 should also cover the periodicity of the information listed in paragraph 19, any fees or charges incurred for the provision of the information and how the information is to be provided.

21. The information listed in paragraph 19 should be provided in an electronic format and, where not provided more frequently than once a month, free of charge.

22. Crypto-asset service providers should establish, implement and maintain adequate policies and procedures (including appropriate tools) to ensure, without prejudice to other applicable regulatory requirements, that, where a transfer of crypto-assets is rejected, returned or suspended, the client is provided with, at least, the following information:

• the reason for the rejection, return or suspension;
• if applicable, how to remedy the rejection, return or suspension;
• the amount of any charges or fees incurred by the client and whether reimbursement is possible.

5.3 Execution times and cut-off times (Guideline 3)

23. Crypto-asset service providers should establish, implement and maintain adequate policies and procedures relating to, at least:

• the cut-off times for instructions for the transfer of crypto-assets to be regarded as received on the same business day;
• the maximum execution times depending on the crypto-asset transferred;
• the reasonable estimation of the time or number of block confirmations needed for the transfer of crypto-assets to be irreversible on the DLT, or sufficiently irreversible in case of probabilistic settlement, for each DLT network.

5.4 Rejection or suspension of an instruction to transfer crypto-assets or return of crypto-asset transferred (Guideline 4)

24. Crypto-asset service providers should establish, implement and maintain adequate risk-based policies and procedures for determining whether and how to execute, reject, return or suspend a transfer of crypto-assets. Such policies and procedures should particularly take into account the provisions of TOFR, as relevant and as specified in the European Banking Authority’s Guidelines preventing the abuse of funds and certain crypto-assets transfers for money laundering and terrorist financing purposes.

5.5 Liability of the crypto-asset service provider (Guideline 5)

25. Crypto-asset service providers should establish, implement and maintain adequate policies and procedures determining the conditions of the liability of the crypto-asset service provider to clients in case of unauthorised or incorrectly initiated or executed transfers of crypto-assets.