In the previous article in this series, we compared the rules under Serbian Digital Assets Act (DAA) and MiCAR concerning the offerors (issuers) of crypto-assets and persons seeking admission to trading in such assets. The two pieces of legislation also apply to entities performing various crypto-asset services, such as custody, exchange, transfer, and trading. While DAA and MiCAR substantially differ when regulating the issuance of, and secondary trading in, crypto-assets, rules regarding crypto-asset service providers are similar.
Provision of services
The definitions of crypto-asset services under DAA and MiCAR are almost identical, and include, among others, the exchange of crypto-assets for funds or other crypto-assets, the operation of trading platforms, provision of custody, and administration of crypto-assets on behalf of clients. Both pieces of legislation subject crypto-asset service providers to the obligation to obtain authorisation from the competent supervisory authority. The difference in authorisation requirements between the two acts is that the offering of advice on crypto-assets does not necessitate an authorisation under the DAA, whereas such a service does require authorisation under MiCAR. Furthermore, DAA includes the service related to the maintenance of the pledge registry as a distinct crypto-asset service.
Legal form
Under DAA, a crypto-asset service provider must have the legal form of a company within the meaning of the Company Act in Serbia. DAA does not provide for any rule regarding the residence of the management. Under MiCAR, crypto-asset service provider must be a legal entity and have a place of business and effective management also in the EU. One of its directors must be an EU resident.
Specific authorisation and operational requirements
Both DAA and MiCAR contain similar set of requirements for crypto-assets service providers as far as their organization is concerned. This includes the fit and proper requirement for the members of the management, reputation requirement for shareholders, and staffing requirements. Crypto-asset service providers must also implement policies and measures ensuring continuity and regularity of performance of services (resilient and secure ICT systems), internal control and risk assessment mechanism, policies ensuring integrity and confidentiality, and the safekeeping of clients’ crypto-assets and funds. Additionally, crypto-asset service providers are also subject to special requirements depending on the specific services they offer and the unique risks associated with each type of service.
Under DAA, crypto-asset service providers must maintain a minimum capital requirement ranging from EUR 20,000 to EUR 125,000, depending on the type of services they provide. Under MiCAR, crypto-assets service providers are required to comply with prudential requirements which should be set either as a fixed minimum capital requirement or in proportion to the fixed overhead of crypto-assets service providers for the preceding year, whichever is higher. Minimum capital requirements under MiCAR range between EUR 50,000 to EUR 150,000, depending on the type of services particular crypto-assets service providers provide.
Compliance with the requirements and the adoption of policies and procedures is necessary for obtaining the initial authorisation to conduct the operation, as well as later in the course of the provision of its services. MiCAR foresees that the European Commission will adopt a number of technical standards and guidelines to be developed by the European Securities and Markets (ESMA) and European Banking Authority (EBA), specifying the crypto-asset service provider’s obligations in greater detail. Similarly, both the National Bank of Serbia and the Securities Commission have the power to adopt and have indeed adopted a number of bylaws regulating crypto-asset service providers’ obligations in more detail.
Reporting and supervision by competent authorities
DAA and related by-laws provide for extensive obligations of crypto-asset service providers to inform competent supervisory authorities of certain facts and events. The providers must inform their respective supervisory body (National Bank of Serbia or Securities Commission) of any changes to the documents submitted for obtaining the authorisation to perform the crypto-asset services or on any changes regarding the information in the registries maintained by the competent authority. Also, crypto-asset service providers must periodically provide information to their respective supervisory bodies on the fulfilment of the capital requirements and on the users of crypto-asset services and their transactions, as well as submit annual financial reports. Crypto-asset service providers must report to the competent authority the incidents and events connected with the breach of the ICT system’s security, migration of the data on a new trading platform, and the outsourcing of ICT services. Crypto-asset service providers must also inform competent supervisory authority on the implemented authentication procedures and provide it with a detailed risk assessment.
By contrast, no reporting requirements exist under MiCAR except for the reporting obligations related to the asset-referenced tokens. Instead, crypto-asset service providers must keep records of all crypto-asset services, activities, orders, and transactions in order to enable competent authorities to effectively supervise their activities.
When it comes to the significant changes in the composition of the management board or in the qualifying holding of crypto-asset service providers, DAA again differs from MiCAR. DAA requires prior approval of the supervisory authority for the appointment of members of the management and acquisition of a qualifying holding, whereas MiCAR contains only a notification requirement followed by the assessment by the supervisory authority of whether the newly appointed manager or a shareholder acquiring a qualifying holding satisfies all conditions under the Regulation. Nevertheless, the assessment under MiCAR can lead to the suspension of the nomination of shareholders or the suspension of the acquisition of qualifying holding. DAA also requires prior approval for the amendments of any general acts of the crypto-asset service provider, whereas under MiCAR no such obligation exists.
Passporting and reverse solicitation
DAA does not have any rules on passporting for crypto-asset service providers. Thus, a foreign crypto-asset service provider, including that from the EU, would need to register a legal entity in Serbia and obtain a licence from the competent authority to be able to conduct business in Serbia. Furthermore, DAA does not employ the concept of reverse solicitation, under which a foreign-based entity may provide services without having to obtain a licence from the national authorities, so long as the service was provided on the sole initiative of a domestic client.
On the other hand, allowing crypto-asset service providers authorised in any of the EU Member States to operate without further authorisation requirements in any other EU Member Sate is one of the key features of the MiCAR. If a crypto-asset service provider incorporated in an EU Member State intends to provide crypto-asset services in more than one Member State it must only notify the competent authority of the home Member State. EU’s passporting system for financial services is essential for the unified financial market and it is based on the assumption that all financial institutions operate under the same set of standards no matter where they have been initially authorised.
MiCAR also sets the rules under which a non-EU crypto-asset service provider may operate in the EU without the need to obtain a licence. Thus, a crypto-asset service provider from a non-EU country will not be required to obtain a licence in the EU if the provision of services to a client in the EU was done on the sole initiative of such a client. MiCAR further provides that if a firm from a non-EU country solicits clients within the EU or promotes or advertises crypto-asset services, such services should not be considered as being provided on the client’s own initiative. These rules contained in MiCAR were further clarified by ESMA in its Guidelines on reverse solicitation.
DAA does not contain any rules on the conditions under which foreign crypto-asset service providers may offer services to Serbian residents. However, the National Bank of Serbia in its recent public statement, offered some guidelines, from which one might infer that a foreign-based crypto-asset provider may provide services to Serbian residents if such provision was solely initiated by the Serbian resident. According to the Bank, where a foreign crypto-asset service provider targets Serbian residents as recipients of the service, the service provider must first establish a company in the Republic of Serbia and submit an appropriate request for a license to the National Bank of Serbia. Without such establishment and a license, a foreign-based crypto-asset service provider targeting the Serbian market cannot operate a Serbian-language website that displays contact details for Serbian citizens, install virtual currency ATMs in Serbia, advertise its services in local media, or similar. The inference that reverse solicitation is permissible is, at present, to be made cautiously, because the Guidance lacks an express wording to that effect.
Financial institutions and crypto-assets
DAA significantly restricts financial institutions from acting in the crypto-assets market. Thus, financial institutions in Serbia under the supervision of the National Bank of Serbia cannot: (i) hold crypto-assets on their balance, (ii) perform crypto-asset services safe for storing cryptographic keys in case of banks nor act as users of such services, (iii) have direct or indirect ownership in a crypto-asset service provider except in the case of ownership in broker-dealer or market operator offering services connected with crypto-assets nor act as a member of the management or any other corporate body of crypto-asset service provider or be directly engaged in management of provision of services within crypto-asset service provider, or (iv) accept pledge on crypto-assets as security.
Broker-dealer companies and market operators may perform services connected with crypto-assets upon special authorisation of the supervisory authority. Such special authorisation is given under less stringent requirements compared to authorisation for crypto-asset service providers other than financial institutions. Furthermore, National Bank of Serbia may, by a special by-law, allow financial institutions to invest in digital tokens having characteristics of a financial instrument.
In contrast, under MiCAR various financial institutions may conduct certain crypto-asset services without having to obtain a special authorisation. Such financial institutions include credit institutions authorised under Capital Requirements Directive (Directive 2013/36/EU), central securities depositories under the Regulation Improving Securities Settlement (Regulation (EU) No 909/2014), market operators under Markets in Financial Instruments Directive II (MiFID II) (Directive 2014/65/EU), electronic money institutions, UCITS management companies under Undertakings for Collective Investment in Transferable Securities Directive (Directive 2009/65/EC), alternative investment fund managers under Alternative Investment Fund Managers Directive (Directive 2011/61/EU), and investment firms authorised under the Markets in Financial Instruments Directive II (MiFID II) (Directive 2014/65/EU). Such institutions must nevertheless notify the supervisory authority that they will conduct crypto-asset services. In addition, they need to fulfil all the requirements regarding governance arrangement and business operations under MiCAR.
This article is published for information purposes only and does not constitute legal advice. For more information or assistance with the topic, please contact office@bdkadvokati.com.
Photo by Milad Fakurian on Unsplash
