Crypto-Asset Service Provider (CASP) License in Poland
CASP (Crypto-Asset Service Provider) is a term used specifically under the EU’s MiCA regulation, focusing on a wide range of crypto-asset-related services and imposing comprehensive regulatory obligations, including market integrity, consumer protection, and AML/CTF measures.
Whereas VASP (Virtual Asset Service Provider) is a broader international term defined by the Financial Action Task Force (FATF) to cover entities engaged in virtual asset activities, with a primary focus on ensuring compliance with AML/CTF requirements across different jurisdictions.
To generalise CASPs are EU-focused, with a broader regulatory framework under MiCA, while VASPs have an international scope, primarily regulated for AML/CTF purposes under FATF standards.
Under MiCA, a Crypto-Asset Service Provider (CASP) includes a wide range of services related to crypto-assets, including:
- Custody and administration of crypto-assets.
- Operation of trading platforms.
- Exchange of crypto-assets for fiat or other crypto-assets.
- Execution of orders on behalf of clients.
- Providing advice or portfolio management on crypto-assets.
- Placing of crypto-assets (marketing crypto-assets, either directly or through third parties).
- Reception and transmission of orders for crypto-assets.
- Providing transfer services for crypto-assets.
- Safekeeping in addition to custody and administration.
- Offering payment services using crypto-assets.
- Investment advice related to crypto-assets.
The Regulation categorizes crypto-assets into three distinct groups, each with different regulatory requirements based on the level of risk they present. The classification hinges on whether a crypto-asset attempts to stabilize its value by linking it to other assets. The first group includes crypto-assets designed to maintain a stable value by being tied to a single official currency. These assets function similarly to electronic money, as defined in Directive 2009/110/EC, and serve as digital substitutes for traditional currency, making them useful for payments. Such assets are referred to in this Regulation as ‘e-money tokens.’
The second category encompasses ‘asset-referenced tokens,’ which aim to stabilize their value by being backed by a combination of assets, including one or more official currencies. These tokens, unlike e-money tokens, are supported by other asset classes.
The third category includes all other crypto-assets, such as utility tokens, which are not tied to assets to fix its value, and therefore cover a wide range of crypto-assets alongside with asset-referenced and e-money tokens. CASP Legal Entity Requirement
CASPs are required to be established as a legal entity in an EU member state. This means they cannot operate as unregistered or decentralized entities. The service provider must have a registered office where it conducts substantive business activities within the European Union, ensuring transparency and accountability. To offer crypto-asset services, a CASP must be authorized by a national competent authority in the member state where it is based. The authorization covers specific crypto-asset services that the CASP is licensed to provide.
Minimum CASP Initial Share Capital Requirements
- €150,000 capital is required for CASPs trading platforms or entities providing custodial services for crypto-assets.
- €125,000 is required for CASPs offering crypto-asset portfolio management services.
- €50,000 for CASPs offering services like crypto-asset advice, execution of orders, or placement of crypto-assets.
Crypto-Asset Service Providers shall also maintain capital that covers either a fixed minimum amount (as described above), or
25% of the CASP’s fixed overheads from the previous year, ensuring a financial buffer to handle operational risks.
These funds can be kept in the form of equity capital, reserves, retained earnings, or other high-quality capital instruments.
CASPs must maintain minimum capital reserves to cover operational risks and ensure financial stability. These reserves vary depending on the services offered but are typically calculated as a proportion of the firm’s overheads.
For instance, for custodial services, a higher capital buffer is mandated due to the risk of holding client assets.
Other CASPs shall meet prudential requirements in line with their business model, ensuring they have sufficient financial backup to continue operations in challenging conditions.
CASP Management Body
The management body of a CASP shall follow the requirements:
CASP’s management body representatives should have no criminal records related to money laundering, terrorist financing, or other financial crimes.
They should also demonstrate expertise& knowledge in managing financial services, particularly CASP activities.
At least one director must be the EU resident.
The national regulation on obtaining a crypto license in Poland does not impose an obligation for a director to reside within the EU.
Organizational Requirements for Crypto-Asset Service Provider
According to MiCA Regulation Crypto-Asset Service Providers shall:
1. Develop risk management procedures to assess and mitigate risks, i.e. related to fraud and market abuse.
2. Develop internal control mechanisms that ensure data security, integrity, and confidentiality, in particular with regards to clients' crypto-assets.
3. Develop business continuity plans to ensure continuous operations in case of disruptions.
CASPs must also have a dedicated position to ensure ongoing compliance to regulatory requirements, including anti-money laundering (AML) and counter-terrorism financing (CTF) regulations.
CASPs Offering Custodial Services Requirements
Crypto-Asset Service Provider’s offering custodial services shall establish mechanisms to separate client assets from their own, while ensuring that clients' crypto-assets are protected and not used by the CASP for the purpose of its operations or that mentioned assets are exposed to operational risks.
CASPs shall also maintain accurate records of client transactions and holdings to ensure transparency and allow seamless auditing by regulators.
CASPs shall also implement cybersecurity and fraud prevention measures, which include but are not limited to systems detecting unauthorized access, market manipulation, or other illegal activities.
Companies providing virtual asset related services must regularly test their systems to identify vulnerabilities and report any incidents to the appropriate authorities.
CASPs involved in high-risk activities may be required to adopt two-factor authentication (2FA), encryption, and secure key storage solutions to protect customer data and their assets.
Disclosure and Reporting Obligations
CASPs shall submit regular reports on their activities to the regulators, which shall include:
CASP’s financial information (e.g., annual financial statements, risk exposure).
Client asset balances for custodial services.
Transaction volumes and types, particularly for high-risk clients or transactions exceeding certain thresholds.
If the CASP identifies any market abuse or suspicious transactions, it shall immediately notify the relevant national authority.
CASP Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Compliance Obligations
CASPs shall stay compliant with applicable AML/CTF obligations as specified by the EU’s Anti-Money Laundering Directive, i.e.:
- Conducting customer due diligence, particularly for transactions over a set threshold.
- Implementing Know Your Customer (KYC) procedures to verify the identity of CASP’s clients and account beneficial owners.
- Monitoring transactions for signs of money laundering or terrorist financing and reporting any suspicious activity.
Marketing and Client Protection Legal Requirements
CASP’s marketing communications and promotions must be fair, clear, and not misleading. They also must not understate the risks of trading or holding crypto-assets.
CASPs shall maintain complaint-handling procedures to address customer concerns in effective way.
CASPs offering services to individual clients must ensure they deliver adequate information related to risks associated with the offered products.
Regulation mandates CASPs with an obligation to publish a white paper. The MiCA Regulation exempts certain crypto-asset offers from the requirement to draft and publish a white paper by CASP. Specifically, this obligation does not apply to offers involving crypto-assets, excluding asset-referenced tokens or e-money tokens, that are targeted at fewer than 150 individuals per Member State, or directed solely to qualified investors and these assets remain exclusively in the hands of such investors. Small and medium-sized enterprises (SMEs) and start-ups should not be subject to excessive administrative burdens. Therefore, public offers of crypto-assets (excluding asset-referenced or e-money tokens) within the European Union, with a total value not exceeding EUR 1,000,000 over a 12-month period, are also exempt from the white paper publishing requirement.
To further reduce unnecessary administrative hurdles, competent national authorities are not mandated to pre-approve a crypto-asset white paper before it is made public. However, these authorities retain the right to request changes to the white paper or any related marketing materials, and, if necessary, may demand the addition of further information to ensure the document meets regulatory standards.
CASPs bear civil liability for any inaccurate or misleading information provided to customers in their communications, advertisements, or crypto-asset white papers.
CASPs must offer a 14-day right of withdrawal to retail clients, allowing them to reconsider their purchase of crypto-assets within this period without penalty.
CASP Shareholder Requirements
Shareholders or members holding qualifying stakes in a CASP (defined as significant influence or control) must be of good repute.
Competent authorities may assess these individuals to ensure their past activities, affiliations, or financial standing do not pose risks to the sound management of the CASP.
Additional Prudential Requirements for Risky CASP Activities
CASPs engaging in activities deemed higher risk (such as custody of assets or operating exchanges) might be subject to higher capital buffers. Competent national authorities can adjust the capital requirements based on:
The volume and type of crypto-assets under custody.
The risk profile of the CASP's business model.
The liquidity and volatility of the assets managed by the CASP.
These adjustments allow regulators to tailor capital requirements to reflect the specific risks posed by individual service providers.
FAQ
What are the Significant CASP requirements? Are they any different?
For significant CASPs (e.g., those with a large market share, high transaction volumes, or systemic importance), additional capital requirements may apply. These firms might be required to:
Hold higher capital reserves to manage the increased risks associated with their size and operations.
Implement liquidity management policies to ensure they can meet client demands for withdrawals or redemptions, especially during periods of market stress.
Competent authorities have discretion to increase capital requirements for significant CASPs, reflecting their potential impact on financial stability.
Should Client’s Funds be Segregated in CASP?
There’s a requirement for the CASPs that provide custodial services for clients’ crypto-assets must implement strict measures to segregate client assets from their own. This requirement protects client funds from being used for the CASP’s operational activities.
In the event of insolvency or liquidation, client assets must remain unaffected and must be returned to clients.
What are the CASP supervisory and reporting requirements, if any?
CASPs are required to submit regular reports to their competent authorities detailing their capital adequacy and financial status. These reports ensure that regulators can monitor compliance with capital requirements and act if any risks are identified.
CASPs must report significant changes in their financial position, such as a reduction in capital below the required thresholds or substantial operational losses.