EST · MMXXVI
Home/Insights/Tech/CASP authorisation under mica: Practical Lessons for Boards
Licensing & Registration

CASP authorisation under mica: Practical Lessons for Boards

Casp authorisation under mica: Practical Lessons for Boards. Cross-border digital-asset legal counsel for business – licensing, disputes and structuring. Talk t

CASP Authorisation Under MiCA: Practical Lessons for Boards

A crypto exchange or token issuer expanding into European markets discovers quickly that CASP authorisation (the Crypto-Asset Service Provider licence under the Markets in Crypto-Assets Regulation, MiCA) is not a checkbox exercise. It is a structural commitment. The application interrogates your governance, your capital model, your AML programme and your cross-border footprint simultaneously. Boards that treat it as a compliance project handed to one department routinely stall – sometimes fatally – at assessment stage. This analysis draws on the MiCA regime as supervised by ESMA and the relevant national competent authorities, and on the practical reality we see in cross-border mandates where the applicant entity sits in one jurisdiction while its users and banking sit elsewhere.

CASP authorisation under MiCA is the mandatory gateway for any entity wishing to provide regulated crypto-asset services to clients in the EU or EEA. The regime, administered by ESMA and enforced through national competent authorities, carries passporting rights across the single market. Getting it wrong costs months. Getting it right early means the licence pays for itself in market access.

What follows is a board-level analysis of where applications succeed, where they fail and how the cross-border structure around a MiCA entity shapes the outcome. We address the most common structural errors, a decision matrix by operator profile and the interaction between the CASP licence and the wider tax, banking and custody stack.

What MiCA Actually Authorises – and What It Does Not Cover

MiCA authorises a defined list of crypto-asset services, not a blanket permission to operate in digital assets across Europe. The regulated activities under the MiCA regime include the operation of a trading platform for crypto-assets, the exchange of crypto-assets for fiat or for other crypto-assets, custody and administration of crypto-assets on behalf of clients, the execution of orders, the reception and transmission of orders, portfolio management in crypto-assets, advice on crypto-assets and transfer services. Each activity can be authorised separately or in combination, and the capital own-funds floor rises with the breadth of the authorisation sought.

Critically, MiCA also establishes distinct regimes for asset-referenced tokens (ARTs) and e-money tokens (EMTs) – both of which require issuer-level authorisation, not merely a CASP licence. A stablecoin issuer targeting EU users needs to analyse whether its instrument is an ART, an EMT or a third category of crypto-asset, because the obligations, the whitepaper requirements and the ongoing supervision differ substantially. ESMA has issued technical standards that shape how national competent authorities assess these distinctions, and the line between an ART and an EMT turns on the composition of the reference basket, not on marketing language. Boards should not assume that a legal opinion issued before the MiCA text was finalised remains accurate.

What MiCA does not cover is equally important. Decentralised protocols without an identifiable issuer or service provider are not, in the current regime, subject to MiCA authorisation at the protocol layer. NFTs that are unique and non-fungible fall outside the regulation in principle, though ESMA guidance has signalled that mass-issued NFTs may be recharacterised. Financial instruments that happen to be tokenised remain subject to existing securities law, not MiCA. Boards building products on the boundary need a classification opinion before the whitepaper is drafted, not after it is published.

Where Applications Stall: The Four Structural Failure Points

Most CASP applications that stall do so at one of four structural failure points, and in our practice we see the same patterns repeat regardless of the applicant's size or sophistication. Understanding these failure points before drafting begins is the single highest-return investment a board can make in its authorisation timeline.

The first failure point is governance architecture. National competent authorities expect to see a real management body – qualified directors who are genuinely responsible for the regulated entity's operations in the relevant member state, not figureheads nominated to satisfy a local-presence requirement. The fit-and-proper assessment under the applicable MiCA provisions covers criminal history, regulatory history and technical competence in crypto-asset markets. A director who has never worked in financial services, or who holds simultaneous executive roles at six other entities, is a likely refusal point. In our cross-border practice, we have seen applications delayed by six months or more while the governance structure was rebuilt to satisfy the national competent authority's expectations – expectations that are broadly consistent across the EU but applied with varying rigour depending on the member state.

The second failure point is the AML and compliance programme. The MiCA regime interacts directly with the EU Anti-Money Laundering framework, and national competent authorities will assess the applicant's AML policies, procedures and senior compliance function as part of the authorisation review. A generic AML policy copied from a template and not calibrated to the specific activities, geographies and client profile of the applicant will not pass. The Travel Rule – the obligation to pass originator and beneficiary data with each qualifying transfer – must be operationally embedded, not merely described in a policy document. Regulators increasingly ask for evidence of system testing, not just a statement of intent.

The third failure point is the cross-border footprint. MiCA passporting applies once authorisation is granted in one member state. But the choice of home member state affects the timeline, the depth of supervisory review and the ongoing compliance costs. Some national competent authorities have published detailed guidance and application checklists; others have less developed practice. A board that selects a member state based solely on perceived ease of authorisation – without analysing the supervisory culture, the local talent market for compliance staff and the long-term relationship with the regulator – may win a faster licence only to face harder ongoing supervision or difficulties in the banking market.

The fourth failure point is capitalization. The MiCA regime sets minimum own-funds requirements that vary by the nature and scope of the services being provided. A business that plans to launch with broad activity permissions but a lean capital structure will need either to reduce the scope of its initial authorisation or to raise capital before applying. We have seen both outcomes. Neither is impossible. But a board that discovers the capital gap three weeks before filing has lost material negotiating time and, in some cases, has had to delay a planned launch by a full quarter.

For a scoped structural review of your MiCA application before you file, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity structure, the user base, the banking relationships and the activity mix – change the analysis in ways that a template approach will not surface. Map your options before the application clock starts.

Is MiCA Passporting as Simple as Regulators Suggest?

MiCA passporting is real – an authorised CASP notifies its home competent authority, which notifies the host competent authority, and the entity may begin providing services in the host member state. The process is not, however, instantaneous, and the host member state retains supervisory powers that boards sometimes underestimate. Passporting does not mean operating without local compliance obligations in the host state. Local AML obligations, marketing rules and consumer-protection requirements may apply on top of the MiCA baseline, and a business that treats a passport notification as the end of its compliance work in a new market will eventually receive a supervisory query it was not expecting.

The more nuanced issue is that passporting applies to the services listed in the authorisation. If the business subsequently wants to add an activity – say, adding portfolio management to an existing exchange and transfer service – it must apply to amend its authorisation in the home member state. That takes time. A board that roadmaps its product development without mapping the licence amendment process will find that commercial timelines and regulatory timelines diverge.

Cross-border structure also matters here. A CASP entity authorised in, say, Lithuania must maintain genuine substance there under the applicable MiCA provisions. If the group's technology, treasury and senior management all sit elsewhere, the national competent authority will question whether the regulated entity genuinely directs and controls its own operations. ESMA has been explicit that letter-box entities are not a compliant model under MiCA. The practical consequence is that a MiCA structure requires real investment in the home member state – not just a registered address.

Decision Matrix: Which Profile Should Pick Which Path

Not every operator approaches CASP authorisation with the same profile. The right path varies by the business's existing regulatory history, its user geography, its capital position and the breadth of activities it intends to offer.

Profile A – Established exchange with existing VASP registration in an EU member state. This profile has the strongest starting position. The prior registration demonstrates at least a minimal compliance history in the EU, and the national competent authority will generally be familiar with the entity. The pathway to CASP authorisation is an upgrade of the existing registration, with a detailed assessment of the expanded own-funds, governance and AML requirements under MiCA. The timeline, while not short, tends to be more predictable than a greenfield application. The key risk is assuming the prior registration means the regulator views the entity favourably – a VASP registration under the prior AML regime was a lighter-touch process, and the national competent authority's full assessment of a CASP application is categorically more demanding.

Profile B – New entrant, no EU regulatory history. This profile faces the full application process. The choice of home member state is strategic. The applicant should assess not just published timelines but the national competent authority's current application backlog, its guidance documentation, its engagement culture and the availability of locally qualified compliance talent. A faster initial timeline means little if the licensing process generates a wave of follow-up questions that the applicant is not staffed to answer promptly. The capital structure must be finalised before filing, because a capital-gap query from the regulator mid-review is difficult to manage without delay.

Profile C – Token issuer seeking both ART/EMT authorisation and a CASP licence. This is the most complex profile. The two authorisation tracks interact but are not identical, and the whitepaper obligations for an ART or EMT involve disclosure standards that require input from legal, finance and technology simultaneously. We advise token issuers to sequence the classification analysis first, then the whitepaper, then the CASP application – in that order, because a misclassification at step one corrupts all subsequent work. The timeline for this profile should be measured in months, not weeks, and the board should plan for at least one round of regulator feedback on the whitepaper.

Profile D – Non-EU operator seeking EU market access via a subsidiary. This profile is common: a business licensed under VARA in Dubai, or under the MAS Payment Services Act in Singapore, or under the SFC's VASP regime in Hong Kong, that now wants to serve EU clients. The subsidiary model requires a genuine EU presence – not merely a holding company. The parent entity's licence does not transfer. The cross-border structuring work here covers the allocation of activities between the parent and the EU subsidiary, the intra-group service agreements, the capital adequacy of the subsidiary on a standalone basis and the AML responsibilities at each entity layer. In our practice, we regularly advise on exactly this configuration, and the most common error is underestimating the capital and governance requirements of the EU subsidiary when the parent is well-capitalised.

How AML and the Travel Rule Shape the MiCA Application

The MiCA application is not purely a licensing exercise – it is, in parallel, a demonstration that the applicant has a functioning AML and CFT programme that meets the standards expected of a regulated EU financial institution. The applicable AML obligations for CASPs are set by the EU Anti-Money Laundering framework, which incorporates FATF Recommendation 15 on virtual assets and, critically, the Travel Rule obligation.

The Travel Rule requires that originator and beneficiary information travels with each qualifying virtual-asset transfer. For a CASP, this means having the technology, the counterparty agreements and the operational procedures to collect, verify, transmit and receive that data for every in-scope transfer. The specific threshold above which the Travel Rule applies varies by jurisdiction and by the applicable EU implementing measures, and applicants should verify the current operational threshold with current legislation rather than relying on general guidance. What does not vary is the expectation that the CASP's compliance systems are built before authorisation is granted, not after.

In a recent authorisation support matter, a payments-focused CASP had drafted a comprehensive AML policy but had not integrated Travel Rule data fields into its transaction monitoring system. The national competent authority's assessment identified the gap in the third month of review, requiring a technical remediation that delayed the application by approximately two months. The board had assumed that a strong written policy would carry the assessment. The regulator wanted evidence of tested operational capability. These are not the same thing.

Boards should also note that the AML obligations do not end at authorisation. The ongoing supervision cycle under MiCA includes AML-focused examinations, and a CASP that obtained its licence with a policy-level AML programme but failed to operationalise it will face supervisory risk that is, in some respects, more serious than a delayed application – because it involves a post-licence compliance failure rather than a pre-licence gap.

Cross-Border Banking: The Layer MiCA Does Not Solve

A MiCA CASP licence does not solve the banking problem. This is the reality that surprises operators most. The authorisation confirms that the entity is permitted to provide regulated crypto-asset services in the EU. It does not compel any bank to provide the entity with a payment account, a custody relationship or access to fiat settlement rails. The banking relationship is a commercial and risk decision made by the bank, and many EU banking groups remain cautious about onboarding CASPs regardless of their regulatory status.

The practical consequence is that a CASP applicant should be working on its banking relationships in parallel with, not after, the licence application. A board that plans to open banking accounts after the licence is granted may find that the banking process takes as long as – or longer than – the authorisation itself. In some member states, the availability of bank accounts for regulated CASPs is wider than in others, and the choice of home member state should take banking market depth into account alongside the regulatory considerations.

The cross-border dimension adds further complexity. A CASP group that holds client fiat in accounts at a non-EU bank, routes settlement through a third-country payment processor or relies on a crypto-native treasury model for its operational capital will face questions from both the national competent authority and, later, from institutional banking partners about the group's fiat liquidity architecture. These questions are manageable when planned for. They are disruptive when raised mid-application or at a critical business moment.

If your application has stalled or your banking architecture is under regulatory scrutiny, write to OBOLUS at info@oboluslaw.com. A second read of the structure can surface the reason for the impasse and the route back. Map your options before you file an amendment or respond to a supervisory query.

A Common Assumption Boards Should Test: The Single Offshore Licence Fallacy

A common assumption in the market is that a single offshore licence – whether from the BVI FSC, CIMA in the Cayman Islands or a registration in a lighter-touch jurisdiction – is sufficient to serve clients across the EU, the UK and Asia simultaneously. This assumption does not survive contact with the applicable regimes. MiCA applies to CASPs providing services to clients located in the EU, regardless of where the service provider is incorporated. The FCA in the United Kingdom applies its own registration and financial-promotion rules independently of MiCA. The MAS in Singapore, the SFC in Hong Kong and VARA in Dubai each apply territorial rules that are not satisfied by an offshore registration in a jurisdiction outside their scope.

The offshore licence has legitimate uses. For a fund structure domiciled in the Cayman Islands or the BVI, the local VASP registration may satisfy the structural requirements of that entity. For a treasury entity or a holding company with no direct client relationships, a lighter-touch regime may be appropriate. But for any business that actively acquires and serves clients in regulated markets – particularly EU, UK or Singapore-based clients – relying on a single offshore registration as the sole regulatory permission is an enforcement risk, a banking risk and, increasingly, a reputational risk with institutional counterparties. Operators we advise routinely discover, when they map their actual client geography against their licence stack, that their permissions cover a smaller share of their business than they believed.

The correct model for a business with multi-jurisdictional reach is a deliberate licence stack: the right entity structure, the right permissions at each layer (operating, custody and payment), and an ongoing process of mapping new markets against the existing permissions before products are launched there. This is not a one-time exercise. As regimes converge on the MiCA model and jurisdictions that previously tolerated unlicensed crypto activity tighten their rules, the stack requires periodic review.

Board Self-Assessment: Is Your CASP Application Ready to File?

A board can use the following questions to assess readiness before instructing counsel to file. Each question corresponds to a failure point that national competent authorities have raised in assessment reviews under the MiCA regime.

First: has the entity finalised its activity list? The specific combination of services determines the capital floor and the scope of the programme-of-operations document. Applying for a narrower set of activities to meet a commercial launch date, with a plan to amend later, is a legitimate strategy – but the board must understand the amendment process and timeline before committing to that path.

Second: does the management body meet the fit-and-proper standard? This means verified criminal-record and regulatory-history checks for each proposed director, documentation of relevant professional experience and confirmation that each director has sufficient time available to discharge their responsibilities. A director who is also an executive at a regulated entity in another jurisdiction should seek advice on whether that dual role is compatible with the national competent authority's expectations.

Third: is the AML programme operational, not just documented? The programme must be in a form that the national competent authority can assess as a functioning compliance system. This includes documented risk assessments, tested transaction-monitoring rules, evidence of Travel Rule capability and a named MLRO (money-laundering reporting officer) with appropriate qualifications. The MLRO must be accessible to and empowered by the management body – not a contracted external consultant with no day-to-day authority.

Fourth: has the capital position been verified against the own-funds requirement for the specific combination of services? This requires a calculation, not an estimate. The calculation must reflect the applicable own-funds rules under MiCA for each activity category in the application. If the entity is below the required threshold, the board needs a capital plan – fundraising, a parental guarantee where the regime permits, or a reduction in the scope of services – before filing.

Fifth: is the home member state selection strategic? The board should be able to articulate why it selected the home member state beyond cost and perceived ease. The national competent authority in the chosen member state will want to understand the genuine business connection to that jurisdiction – the location of management, the employment of local staff, the location of operational systems. A selection based purely on perceived regulatory leniency is a risk indicator, not a strategy.

In our cross-border practice, we have seen boards answer all five questions confidently and still encounter delays at the detailed programme-of-operations stage, because the written document did not reflect the governance and technology decisions the board believed were settled. The application is a stress test of the business's own institutional clarity – and it surfaces internal misalignments that are better discovered in a board review than in a regulator's assessment letter.

Related at OBOLUS

FAQ

How long does a crypto licence take to obtain?

The timeline for CASP authorisation under MiCA varies by home member state, the breadth of activities applied for and the completeness of the initial application. Applications with governance gaps or incomplete AML programmes typically generate rounds of follow-up queries that extend the review. We recommend planning for several months from a complete filing to a determination, and building the banking and operational setup process in parallel rather than sequentially.

Which jurisdiction is best for licensing my crypto business?

There is no single correct answer. The right jurisdiction depends on the business's target client geography, its capital position, the regulatory culture of the available options and the depth of the local banking market. A business targeting EU clients needs a MiCA CASP authorisation. A business targeting the Gulf may prioritise VARA or FSRA. A business with global reach may need a deliberate stack of permissions across multiple regimes. We map this analysis before you commit to a structure.

Do I need a separate custody licence?

Under MiCA, the custody and administration of crypto-assets on behalf of clients is a separately authorised service. A CASP that wishes to provide custody must include it in its activity list and meet the associated own-funds and safeguarding requirements. A business that operates an exchange but also holds client assets in custody is providing both services. Failing to include custody in the application, and then operating custody services post-licence, is a compliance failure under the applicable MiCA provisions. Legal advice on the activity classification should be obtained before the application is drafted.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. We advise crypto exchanges, custodians, token issuers and funds across more than seventy licensing jurisdictions, and we map the licence stack across operating, custody and payment layers before you commit to a structure. Digital assets are the whole of our practice. To discuss your situation, contact info@oboluslaw.com or message us via t.me/oboluslaw.

By Roman Levitt, Technology & DeFi Counsel – specialises in the regulatory classification of digital-asset products and the technical compliance architecture required for CASP authorisation under MiCA.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours