2024-12-04

EBA and ESMA Joint Guidelines on the Assessment of Fit and Proper Members of the Management Body of Asset-Referenced Token Issuers and Crypto-Asset Service Providers

The European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) issued joint guidelines to standardize the assessment of the fit and proper status of management body members for asset-referenced token issuers and crypto-asset service providers. These guidelines establish specific criteria regarding good repute, individual knowledge, skills, experience, and collective competence required for effective governance and risk management. The document mandates that competent authorities apply these standards proportionally, considering the size and complexity of the entities, to ensure robust oversight of the crypto-asset market.

Croatia

Croatian Financial Services Supervisory Agency

JOINT GUIDELINES ON THE ASSESSMENT OF FIT AND PROPER STATUS

Joint Guidelines of the EBA and ESMA on the assessment of the fit and proper status of members of the management body of asset-referenced token issuers and crypto-asset service providers

EBA/GL/2024/09 ESMA75-453128700-10 04/12/2024

A. Compliance and Reporting Obligations

Status of these Guidelines

  1. This document contains guidelines issued under Article 16 of Regulation (EU) No 1093/2010¹ and Article 16 of Regulation (EU) No 1095/2010². In accordance with Article 16(3) of Regulation (EU) No 1093/2010 and Regulation (EU) No 1095/2010, competent authorities, financial market participants and financial institutions must make every effort to comply with these Guidelines. These Guidelines establish appropriate supervisory practices within the European System of Financial Supervision and provide guidance on how Union law should be applied.

  2. Competent authorities designated in Article 3(1)(35)(a) of Regulation (EU) 2023/1114 to which these Guidelines apply should comply with them by incorporating them into their practices in an appropriate manner (e.g., by amending their legal framework or supervisory procedures), among other things in cases where the Guidelines are primarily directed at financial market participants and financial institutions.

Reporting Requirements

  1. Within two months of the publication of these Guidelines on the websites of the EBA and ESMA in all official languages of the EU, in accordance with Article 16(3) of Regulation (EU) No 1093/2010 and Regulation (EU) No 1095/2010, competent authorities must notify the EBA or ESMA whether they: i. are compliant, ii. are not compliant but intend to comply, or iii. are not compliant and do not intend to comply with these Guidelines. In the event of non-compliance, competent authorities must also notify the ESMA or the EBA within two months of the publication of these Guidelines on the ESMA and EBA websites in all official languages of the EU of the reasons for non-compliance with these Guidelines. Notifications should be sent by persons with appropriate authority to report on compliance on behalf of their competent authorities. Any change in compliance status must also be reported to the EBA or ESMA.

  2. Financial market participants and financial institutions are not required to report on whether they act in accordance with these Guidelines.

  3. Notifications will be published on the EBA website in accordance with Article 16(3) of Regulation (EU) No 1093/2010 and on the ESMA website in accordance with Article 16(3) of Regulation (EU) No 1095/2010.


¹ Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).

² Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).

Subject matter, scope and definitions

Subject matter

  1. In accordance with Article 21(3) and Article 63(11) of the Crypto-Asset Markets Regulation (CAMR), these joint guidelines relate to the assessment of the fit and proper status of members of the management body of asset-referenced token issuers and crypto-asset service providers.

Scope

  1. These Guidelines apply at the time of granting approval and on an ongoing basis to the competent authorities as defined in Article 3(1)(35)(a) of the Crypto-Asset Markets Regulation, asset-referenced token issuers and crypto-asset service providers³, in accordance with Article 34(2) and Article 68(1) of the Crypto-Asset Markets Regulation regarding the assessment of the fit and proper status of members of the management body:

a. of an asset-referenced token issuer that submits an application in accordance with Article 18 of the Crypto-Asset Markets Regulation or that has received approval in accordance with Article 21 of that Regulation;

b. of a crypto-asset service provider that submits an application for approval under Article 62 of the Crypto-Asset Markets Regulation or a crypto-asset service provider that has received approval in accordance with Article 63 of that Regulation or, with reference to Article 68(1) of the Crypto-Asset Markets Regulation, that provides crypto-asset services under the approval under Article 60(2), (4), (5) and (6) of the Crypto-Asset Markets Regulation.

  2. The fit and proper assessment is based on the condition that members of the management body of an asset-referenced token issuer and a crypto-asset service provider must meet the criteria set out in Article 34(2) and Article 68(1) respectively, which stipulate that members of the management body must have sufficiently good repute and be able to devote sufficient time to the effective performance of their duties, as well as on the assessment of whether members of the management body individually and collectively possess the appropriate knowledge, skills and experience to perform their duties. Members of the management body of an asset-referenced token issuer and a crypto-asset service provider must not have been convicted of money laundering or terrorist financing offences or any other criminal offences that would affect their good repute. The members of the management body to be assessed include persons who will become members of the management body of an asset-referenced token issuer or a crypto-asset service provider and members who are already serving in those functions. If the management body consists of a management function and a supervisory function, these Guidelines apply to both functions and to the members of both functions⁴.

Addressees

  1. These Guidelines are addressed to the competent authorities as defined in Article 3(1)(35)(a) of the Crypto-Asset Markets Regulation.

  2. These Guidelines are also addressed to:

a. issuers, as defined in Article 3(1)(10) of the Crypto-Asset Markets Regulation, who have received approval in accordance with Article 21 of that Regulation;

b. issuers applying for approval, as defined in Article 3(1)(11) of the Crypto-Asset Markets Regulation, who submit an application for approval under Article 18 of that Regulation;

c. crypto-asset service providers, as defined in Article 3(1)(15) of the Crypto-Asset Markets Regulation, who have approval in accordance with Article 63 of that Regulation or, with regard to Article 68(1) of the Crypto-Asset Markets Regulation, who provide crypto-asset services under their approval in accordance with Article 60(2), (4), (5) and (6) of the Crypto-Asset Markets Regulation;

d. crypto-asset service providers who have submitted an application for approval in accordance with Article 63 of the Crypto-Asset Markets Regulation.

Definitions

  1. Terms used and defined within the Crypto-Asset Markets Regulation and the Joint Guidelines of the EBA and ESMA on the assessment of the fit and proper status of members of the management body and key function holders in accordance with Directive 2013/36/EU and Directive 2014/65/EU have the same meaning in these Guidelines. In addition, the following definitions apply:

Group means a group as defined in Article 2(11) of Directive 2013/34/EU.

Management body in the management function means the management body acting within its role of effective management of the asset-referenced token issuer and crypto-asset service provider and includes persons managing its business.

Management body in the supervisory function, if established, represents the management body acting within its role of supervision and monitoring of decision-making within management.

Directorship means a position of director in the capacity of a member of the management body of an institution or other legal entity, and if the management body, depending on the legal form of the entity, consists of one person, that position is also considered a directorship.

Member means a proposed or appointed member of the management body, acting on behalf of legal entities that are members of the management body.

Fit and proper in the context of a member of the management body means that the assessed individual is considered to have sufficiently good repute, including honesty and integrity, and that he or she has, individually and together with other members, appropriate knowledge, skills and experience and that he or she can individually devote sufficient time to performing the duties for which he or she is responsible.


³ In accordance with Article 60(10) of Regulation (EU) 2023/1114, entities referred to in Article 60(1) to (6) are not subject, among other things, to the provisions of Article 63 of that Regulation.

⁴ In Article 3(1)(27) of Regulation (EU) 2023/1114, the management body is defined as “the body or bodies of the issuer, offeror or person seeking admission to trading or the body or bodies of the crypto-asset service provider, which are appointed in accordance with national law, which have the power to set the strategy, objectives and general direction of the business of the entity and which oversee and monitor the decision-making of the management of the entity and include persons who actually manage the business of the entity”.

B. Implementation

Date of application

  1. These Guidelines shall apply from 04/02/2025.

C. Joint Guidelines

C.1. Application of the proportionality principle

  1. The principle of proportionality seeks to consistently align management systems with the individual risk profile and business model of the asset-referenced token issuer and crypto-asset service provider, taking into account the individual function in the management body for which the assessment is being conducted in order to effectively meet the objectives of regulatory requirements, i.e. that the member is fit and proper with regard to a specific function individually and as part of the collective management body.

  2. Asset-referenced token issuers, crypto-asset service providers and competent authorities should take into account the size of the asset-referenced token issuer or crypto-asset service provider, their internal organisation and the nature, scale and complexity of the issued assets and services provided when assessing the sufficiency of individual and collective knowledge, experience and skills of members of the management body and that members can individually devote sufficient time to the effective performance of their duties compared to other obligations and deadlines they have.

  3. Asset-referenced token issuers should have more advanced fit and proper assessment policies and procedures compared to issuers of insignificant asset-referenced tokens. The same applies to crypto-asset service providers, with regard to their size and the class of crypto-asset services provided in accordance with Annex IV to the Crypto-Asset Markets Regulation.

  4. All members of the management body of an asset-referenced token issuer and a crypto-asset service provider should have sufficiently good repute and honesty and integrity regardless of the size of the company, its internal organisation and the nature, scale and complexity of its activities and the duties and responsibilities of the specific function.

  5. For the purposes of applying the principle of proportionality in the assessment of fit and proper members with regard to knowledge and experience criteria, as well as the ability of members to devote sufficient time to that duty, asset-referenced token issuers, crypto-asset service providers and competent authorities should take into account the following criteria:

a. the size of the asset-referenced token issuer or crypto-asset service provider in terms of total balance sheet;

b. the legal form of the asset-referenced token issuer or crypto-asset service provider and whether it is listed on a stock exchange or not;

c. whether the asset-referenced token issuer or crypto-asset service provider is part of a group and, if so, the proportionality assessment for the group;

d. the nature and complexity of all business activities;

e. whether cross-border activities are provided and the scope of operations in each jurisdiction;

f. in the case of asset-referenced token issuers, the following additional criteria:

i. the quantity and number of asset-referenced tokens issued;

ii. the size of the asset reserve held by asset-referenced token issuers;

iii. the type and complexity of the asset to which the token is linked;

iv. the complexity of the instruments in which the asset reserve is invested;

g. in the case of crypto-asset service providers, the following additional criteria:

i. the type and scope of services provided and their importance for the functioning of the crypto-asset market;

ii. the type of clients.

C.2. Concepts of fit and proper in accordance with Article 34(2) and Article 68(1) of the Crypto-Asset Markets Regulation

C.2.1. Sufficiently good repute

  1. When assessing whether members of the management body of an asset-referenced token issuer or a crypto-asset service provider have good repute, the assessment in accordance with Article 18(5)(a) and Article 62(3)(a) of the Crypto-Asset Markets Regulation should cover a certificate of good conduct and proof that no sanctions have been imposed on the person under relevant commercial law, insolvency law and financial services law or in connection with legislation on preventing money laundering and terrorist financing, fraud or professional liability. In addition, the assessment should cover all other known facts that could lead to an assessment that a member does not have sufficiently good repute, as set out in this section. These requirements apply on an ongoing basis in accordance with Article 34(2) and Article 68(1) of the Crypto-Asset Markets Regulation.

  2. Members of the management body should not be subject to sanctions, embargoes or measures related to terrorism, terrorist financing or the proliferation of weapons under the regulations of Member States, the Union or international organisations, e.g. the United Nations. If a member of the management body is on a list of such targeted financial sanctions, that member should be prohibited from performing his or her function and dismissed from the management body.

  3. The assessment of the good repute criteria for members of the management body of an asset-referenced token issuer or a crypto-asset service provider should be conducted based on information from delegated acts adopted by the Commission in accordance with Article 18(6) of the Crypto-Asset Markets Regulation in the case of asset-referenced token issuers and Article 62(5) of that Regulation in the case of crypto-asset service providers.

C.2.2. Individual appropriate knowledge, skills and experience

  1. Members of the management body should understand and keep up to date with developments regarding the business activities of the asset-referenced token issuer or crypto-asset service provider and all associated risks at a level commensurate with their responsibilities. This includes an appropriate understanding of those areas for which an individual member is not directly responsible, but is collectively responsible together with other members of the management body.

  2. Members of the management body should clearly understand the management system of the asset-referenced token issuer or crypto-asset service provider, their role and responsibilities and, where applicable, the group structure.

  3. Members of the management body should understand conflicts of interest that may exist between the asset-referenced token issuer or crypto-asset service provider and any of their stakeholders.

  4. Members of the management body should be able to contribute to the implementation of appropriate corporate culture and risk culture, corporate values and behaviour within the management body to conduct business in a competent and responsible manner.

  5. When assessing appropriate knowledge, skills and experience, the following should be taken into account:

a. the role and duties of the position and the required capabilities;

b. knowledge and skills acquired through education, training and practice;

c. practical and work experience acquired in previous positions and other current directorships; and

d. knowledge, skills and experience acquired and demonstrated through the professional conduct of the member.

  6. The level and profile of the member's education should be considered and whether it is related to the financial sector, including crypto-asset markets, or other relevant areas. This specifically refers to education in the field of finance, including crypto-assets, economics, law, accounting, auditing, administration, financial regulation, information technology and quantitative methods which can generally be considered relevant for financial entities, including asset-referenced token issuers and crypto-asset service providers.

  7. The assessment should not be limited to the level of education of the member nor to proof of a certain period of service in a financial entity, asset-referenced token issuer or crypto-asset service provider or other companies in areas related to crypto-asset markets and other financial markets. A more thorough analysis of the member's practical experience with regard to the activities of the asset-referenced token issuer or crypto-asset service provider is necessary because knowledge acquired in previous professions depends on the nature, scope and complexity of the business and the function the member performed within it.

  8. In order to properly assess the skills of members of the management body, asset-referenced token issuers and crypto-asset service providers should consider applying the non-exhaustive list of relevant skills from Annex II of the Joint Guidelines of the EBA and ESMA on the assessment of the fit and proper status of members of the management body and key function holders based on Directive 2013/36/EU and Directive 2014/65/EU, taking into account the role and duties of the function of that member of the management body.

  9. When assessing the appropriate knowledge and experience of a member, theoretical and practical experience relating to the following should be taken into account:

a. regulation of financial markets, particularly with regard to financial instruments defined in Article 4(1)(15) of Directive 2014/65/EU and financial instruments based on distributed ledger technology (DLT) defined in Article 2(1)(11) of Regulation (EU) 2022/858;

b. crypto-assets, including asset-referenced tokens and e-money tokens;

c. relevant understanding of the different nature of various types of crypto-assets;

d. principles and procedures of risk management;

e. management of liquidity risk, market and credit risks related to the business activities of the asset-referenced token issuer or crypto-asset service provider;

f. requirements of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector⁵;

g. requirements relating to the engagement of external service providers, including business process outsourcing agreements and management of external service providers;

h. accounting and auditing;

i. obligations to prevent money laundering and terrorist financing;

j. data protection requirements;

k. ability to assess the effectiveness of mechanisms of the asset-referenced token issuer or crypto-asset service provider that ensure effective management, supervision and internal control;

l. interpretation of financial information and identification of key issues based on that information;

m. managerial knowledge, including strategic planning, understanding of the business strategy or business plan of the institution and its implementation;

n. ability to present their views, discuss strategies and business objectives; and

o. if the member's function is within an asset-referenced token issuer, the relevant legal requirements for issuing asset-referenced tokens.

  10. With regard to the previous point i., without prejudice to the transposition of Directive (EU) 2015/849 into national legislation, a member of the management body of a crypto-asset service provider who is identified as responsible for implementing the laws and other regulations necessary to comply with Directive (EU) 2015/849 should have adequate knowledge, skills and relevant experience regarding the identification and assessment of money laundering and terrorist financing risks as well as AML/CFT policies, controls and procedures. This person should have a good understanding of the extent to which the institution's business model is exposed to money laundering/terrorist financing risk.

  11. When assessing practical and professional experience acquired in previous positions, particular attention should be paid to the following:

a. the nature of the function and its hierarchical level;

b. the duration of employment in that position;

c. the number of subordinate employees;

d. the nature and complexity of the activity within which the relevant position is located, including its organisational structure;

e. the scope of competences, decision-making powers and responsibilities of the member;

f. technical knowledge acquired in that position;

g. additional knowledge acquired through academic activities.

  12. If applicable, members of the management body in the supervisory function should, as appropriate, be able to review decisions of the management body in the management function and other relevant management decisions and effectively supervise and monitor management decisions.

C.2.3. Collective appropriate knowledge, skills and experience

  1. The composition of the management body should ensure that it collectively possesses the appropriate knowledge, skills and experience necessary to perform all business activities of the asset-referenced token issuer or crypto-asset service provider and to fulfil all its duties. This includes that the management body collectively understands all business areas and activities of the asset-referenced token issuer or crypto-asset service provider in an appropriate manner. The management body as a whole should also have appropriate knowledge, skills and experience regarding the aspects mentioned in section C.2.2 and additionally with regard to:

a. effective, quality and prudent management of the asset-referenced token issuer or crypto-asset service provider, including:

i. business continuity management;

ii. appropriate consideration of the interests of their clients and market integrity⁶;

iii. management of main risks related to the creation and use of crypto-assets and their management, operational risk management, including cyber risk;

iv. implementation of measures to detect and prevent fraud;

v. environmental, social and governance factors and risks, particularly with regard to the consensus mechanism;

b. the legal and regulatory environment;

c. contract law;

d. consumer protection;

e. information and communication technology and security and, where appropriate, applied consensus mechanisms;

f. distributed ledger technology or similar technology relevant to their business activities;

g. financial accounting and reporting;

h. activities of risk management functions or procedures, compliance monitoring and internal audit.


⁵ OJ L 333, 27.12.2022, p. 1 – 79.

⁶ See Regulatory Technical Standards on conflicts of interest.