A decisive step in the regulation of cryptocurrencies, the MiCA (Markets in Crypto-Assets) Regulation harmonises and frames crypto-asset service providers (CASPs) at the European level.
A comprehensive overview of this more demanding status in terms of security, transparency and user protection.
Key takeaways
- CASP authorisation under MiCA secures and stimulates the European crypto-asset market.
- CASP authorisation is mandatory to provide crypto-asset services. It defines the relevant services and associated obligations. In France, it is reviewed and granted by the AMF.
- Acquiring an already authorised CASP can save time but comes with limitations.
Understanding CASP status within the European crypto ecosystem
The MiCA Regulation introduces a regulatory passport valid across the 27 EU Member States: once authorised as a CASP in one Member State, an operator may provide its services in other EU countries through a notification mechanism, without having to apply for a new local authorisation.
For example, once authorised in France, an operator may notify its intention to serve clients in Germany, Italy or Spain. The French authority transmits the information to the host countries’ authorities without any further substantive review. This mechanism significantly simplifies European expansion for crypto players.
The role of regulated entities
Entities authorised as CASPs assume a key responsibility: implementing systems designed to enhance client protection and the operational security of assets. The AMF assesses the financial soundness of applicants, the good repute of their management, and the robustness of their operational processes before granting authorisation, which serves as a genuine mark of trust.
Note: You can consult the white lists of registered and/or authorised providers on the AMF website.
MiCA subjects the following categories of services to authorisation:
- Custody and administration of crypto-assets on behalf of clients.
- Operation of a crypto-asset trading platform.
- Exchange of crypto-assets for fiat currencies or other crypto-assets.
- Execution of orders for crypto-assets on behalf of clients.
- Placement of crypto-assets.
- Reception and transmission of orders for crypto-assets on behalf of clients.
- Provision of advice on crypto-assets.
- Portfolio management of crypto-assets under mandate.
- Transfer of crypto-assets on behalf of clients.
Note: Even if the provider is established outside Europe, offering any of these services to clients in the European Union requires prior CASP authorisation.
What changes compared to the previous PSAN regime
The PSAN regime was a pioneering French initiative but limited to the national territory. The introduction of CASPs under MiCA harmonises and strengthens the European market:
- Passport allowing operation across Europe via notification.
- Enhanced governance and security standards.
- Stronger client protection.
This harmonised framework reduces disparities between Member States and facilitates the development of pan-European players.
The requirements framework imposed by the MiCA Regulation
MiCA establishes a demanding standard for all market participants. Authorised CASPs are subject to the same ethical principles as traditional financial service providers: fairness, transparency and prioritisation of client interests.
Since December 2024, providing crypto-asset services in the European Union without CASP authorisation is illegal. This requirement serves a dual purpose: cleaning up the market by excluding unscrupulous operators and establishing common rules to enable fair competition between established players.
Note: In France, an 18-month transitional period has been introduced: PSANs already registered with the AMF since 2019 have until 30 June 2026 to obtain MiCA authorisation and continue operating beyond 1 July 2026.
Compliance standards and technical safeguards
Documentary transparency becomes the rule. CASPs must provide clear, fair and non-misleading information and clearly explain the risks associated with crypto-assets.
For advisory and management services, a suitability assessment phase is required. The operator must understand each client’s personal situation before recommending an investment strategy.
Cybersecurity plays a central role. Protection protocols must comply with DORA and GDPR standards. Segregation of client funds, enhanced authentication, and continuous monitoring are required to prevent intrusion or asset theft.
Anti-money laundering measures and transaction monitoring
The fight against illicit financing underpins the entire regulatory framework. The ACPR specifically supervises this aspect during the authorisation process. Operators must verify the identity of users (KYC for individuals or KYB for legal entities), continuously monitor transaction flows and immediately report any suspicious activity to the competent authorities.
Detection technologies and monitoring protocols
Automated screening systems are becoming mandatory. Artificial intelligence, behavioural analysis and risk scoring enable the identification of abnormal transaction patterns. Clients presenting a high-risk profile are subject to enhanced due diligence, including additional documentary checks.
Intervention procedures and transaction blocking
In the event of a serious alert, operators must act without delay: immediate suspension of transfers, temporary freezing of positions and in-depth internal investigation. Each action must be documented and reported to the relevant authorities.
Regulatory communication and disclosure
Operators must ensure full transparency towards clients: detailed fee schedules, comprehensive information on supported projects (white papers) and a 14-day withdrawal period. Communications must be clear and understandable. Environmental impact disclosures are an additional best practice to strengthen user trust.
The CASP authorisation process is demanding and follows a structured timeline. The timeframe may vary significantly, reaching up to nine months depending on the complexity of the application and interactions with the regulator.
The application process involves several stages and ongoing exchanges with the supervisory authority.
Phase 1: defining the activity and regulatory analysis
Before preparing and submitting the application, everything starts with an in-depth analysis. The company must legally classify its activities under the MiCA framework, anticipate potential regulatory obstacles and assess the resources required. This preliminary mapping helps determine from the outset whether authorisation is appropriate.
An informal discussion with the AMF can be valuable at this stage. The regulator’s teams can clarify interpretation points and help avoid time-consuming missteps.
Phase 2: preparation and submission of the application
The application file includes several components:
- The business plan outlines the commercial strategy, expected revenue streams and financial projections.
- Governance details responsibilities, reporting lines and control functions.
- Procedures describe the systems in place for internal controls and operations, including: cybersecurity, market abuse detection, accounting, complaints handling and conflict-of-interest management.
- From a financial standpoint, eligibility depends on two criteria: maintaining a minimum level of permanent capital (depending on the services provided, see table below), or demonstrating own funds equal to 25% of annual overheads. An appropriate insurance policy may replace all or part of this capital requirement.
| Crypto-asset service | Minimum permanent capital |
| --- | --- |
| Reception and transmission of orders | €50,000 |
| Execution of orders on behalf of clients | €50,000 |
| Investment advice | €50,000 |
| Placement | €50,000 |
| Portfolio management | €125,000 |
| Operation of a trading platform | €150,000 |
| Custody on behalf of clients | €125,000 |
Governance must inspire confidence:
- Experienced management with financial expertise.
- Dedicated compliance officer.
- Independent audit committee.
The organisational chart should reflect organisational maturity.
Note: In France, the application must be submitted to the Autorité des marchés financiers (AMF).
Phase 3: review by the AMF and additional exchanges
The AMF centralises the review process, in coordination with the ACPR for AML/CFT aspects.
Review teams assess the application, verify consistency and may summon senior management for hearings. These interviews evaluate their understanding of regulatory issues and their ability to manage a complex organisation.
At the end of the process, the AMF Board decides whether to grant CASP authorisation. Three outcomes are possible:
- Authorisation without conditions.
- Authorisation subject to conditions to be met within a specified timeframe.
- Reasoned refusal, which may be appealed before administrative courts.
Access strategies: incorporation or acquisition
Given the length of the initial authorisation process, some players opt to acquire an already authorised entity. While this offers tactical advantages, it remains subject to regulatory scrutiny, particularly in the event of changes in ownership or governance.
Acquisition for faster market entry
Acquiring an operational CASP can significantly reduce time to market. The acquirer benefits from a compliant infrastructure, regulator-approved procedures and often an existing client base. Existing teams understand regulatory requirements and ensure business continuity. Financially, this option avoids initial set-up costs such as advisory fees, IT development and specialised recruitment.
Beyond authorisation itself, acquisition may provide access to proprietary technologies, established banking partnerships and valuable operational expertise.
Conditions and due diligence prior to acquisition
Any significant shareholding in a CASP is subject to AMF review. The acquirer must notify the regulator, which assesses:
- Profile of new shareholders (repute and ability to manage a regulated entity).
- Source of funds.
- Validity and exact scope of the authorisation.
- Compliance with AML/CFT obligations.
- History of interactions with the regulator.
- Robustness of IT systems.
From a tax perspective, the acquirer must ensure there are no ongoing reassessments and that the tax treatment of services (particularly VAT) is correct.
When acquisition may not be suitable
Acquiring a CASP is not always appropriate. Authorisation is tied to the original scope of activities. Any significant change in the business model may require a variation of authorisation or additional approval, triggering a new regulatory review. For example, a provider authorised solely for custody cannot launch a crypto exchange service without additional authorisation.
The risk of hidden liabilities is another major concern: unprovisioned fines, undisclosed client disputes, undetected security breaches or weaknesses in internal controls. The acquirer may inherit risks materialising post-transaction. Asset and liability guarantees in the sale agreement provide initial protection and may be supplemented by clauses addressing regulatory risks.
Final thoughts: staying alert in an evolving regulatory landscape
MiCA provides a harmonised foundation for crypto-asset service providers at the European level. However, its practical application continues to be clarified through technical standards (RTS and ITS), guidance from European authorities and Q&A publications from supervisors.
Providers must maintain active regulatory monitoring, adapt their processes to evolving interpretations and invest in continuous staff training.
Technologies are also evolving: decentralised finance, non-fungible tokens and algorithmic stablecoins raise new questions that regulation will progressively need to address at the European level.