FTX under MiCA: Would EU Law Have Prevented the Loss of Clients’ funds?

The article outlines the rules of the EU Markets in Crypto-assets (MiCA) regulation dedicated to Crypto-asset service providers (CASPs) that would have been relevant in the FTX case, with a particular focus on the custody and management of clients’ funds.

Credits @B3Rhunter

1. Introduction

The FTX saga that brought to the bankruptcy of one of the major crypto-exchanges in the world is already considered one of the worst events in the crypto history. It affected a known player in the crypto ecosystem, who was actively contributing also on the regulatory side through donations to US politicians and in publicly advocating on several media. Understandably, people are now scared and demand transparency and accountability.

This article tackles an hypothetical scenario: what would have happened if FTX exercised its activities under the proposed EU Markets in Crypto-assets (MiCA) Regulation? The scenario is merely hypothetical because MiCA has still not been enacted (the final voting will probably be in February 2023) and luckily FTX should not harm users any longer, given that it has filed for bankruptcy under chapter 11.

Nevertheless, the question is intriguing. On the one hand, many people state that the collapses of the exchange and of the Alameda investment vehicle are a result of lack of regulation and transparency. On the other hand, others argue that a proper US law on crypto-exchanges would not have prevented FTX’s death spiral, as the main headquarters of FTX are located on the Bahamas, outside of the US jurisdiction. Some US crypto lawyers point out that the discussed DCCPA proposed crypto regulation (for which SBF was advocating) would not have prevented the detrimental effects of FTX’s bad behavior, because it is difficult to detect and prevent cases of pure fraud.

It is my firm belief that regulation of crypto-exchanges shall be made of two essential components: organizational requirements and strong prudential supervision by independent authorities. In the end, it’s nothing new. I imagine a regulation which is very similar to the one applied to banks, other subjects that deal with assets belonging to their customers. Crypto-exchanges are often correctly described as crypto-banks. They act as banks indeed, and not surprisingly during the FTX saga banking terminology has often been used in describing the situation, notably with the so-called “bank run” which brought to the “liquidity crunch” faced by FTX. The only difference is that so-far crypto-exchanges are almost never regulated as banks. Let’s now look at how FTX would have been treated by the EU MiCA regulation.

2. Definition of crypto assets service providers (CASPs)

First of all it’s important to frame the scope of application of the rules concerning centralized service providers in the field of crypto. MiCA defines a crypto-assets service provider (CASP) as a “legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis, and are allowed to provide crypto-asset services”. MiCA provides a list of crypto-asset services that undergo the new regulation:

• the custody and administration of crypto-assets on behalf of third parties;
• the operation of a trading platform for crypto-assets;
• the exchange of crypto-assets for funds;
• the exchange of crypto-assets for other crypto-assets;
• the execution of orders for crypto-assets on behalf of third parties;
• placing of crypto-assets;
• providing transfer services for crypto-assets on behalf of third parties;
• the reception and transmission of orders for crypto-assets on behalf of third parties;
• providing advice on crypto-assets;
• providing portfolio management on crypto-assets.

MiCA encompasses clear definitions of the above listed activities. The activities performed by FTX would certainly fall within the scope of MiCA. This aspect deserves, therefore, no further discussion.

3. Scope of application and registered office within the European Union

MiCA applies to CASPs that provide services related to crypto-assets in the European Union. An important element in the matter under scrutiny is that, in order to enable effective supervision and to eliminate the possibility to evade or circumvent such supervision, under MiCA crypto-asset services should only be provided by legal persons that have a registered office in a EU Member State in which they have substantial business activities. In this context, it must be clarified that MiCA does not exclude that customers have contacts with CASPs that are located outside the EU (third country firms). In these cases, if the initiative is merely on the customers the foreign entity does not have to comply with MiCA. But if the CASP or a subsidiary directs its activity towards the European Union, MiCA applies and the concerned legal person would infringe European law in not having a registered office within the European Union and an authorization within a European Member State. This applies regardless of any contractual clause or disclaimer purporting to state otherwise, including any clause or disclaimer that the third country firm will be deemed to respond to the exclusive initiative of the client.

The registered office within a EU Member State is held as essential in order to avoid undermining effective prudential supervision, and to ensure the enforcement of requirements under MiCA, which is intended to secure investor protection, market integrity and financial stability. In addition, close and direct contact between the supervisors and the responsible management of CASPs integrates a fundamental element of such supervision. With a registered office within the EU, the CASPs can operate in other EU Member States. In fact, CASPs that provide crypto-asset services on a cross-border basis shall not be required to have a physical presence in the territory of a so-called “host Member State”.

In the light of the magnitude and the global reach of FTX, it is not thinkable that such a CASP would not have directed its activity towards the European Union. In fact, FTX traded in many European countries through a subsidiary based in Cyprus, called FTX EU Ltd. The company is also authorized and regulated by the Cyprus Securities and Exchange Commission with the license no. 273/15. Moreover, the website of FTX EU states that FTX offers tokenized stock trading in partnership with K-DNA and FTX Switzerland GmbH, utilizing a German license in concert with FTX Trading GmbH. A subsidiary called FTX Switzerland GmbH provides financial services and limited custody services and it is registered for AML purposes with SRO Treuhand Suisse. Another subsidiary, called DAAG Certificates GmbH, has an approved base prospectus for various tokenized financial instruments, which is valid in Switzerland and is passported across the EEA. All this leads to two conclusions: a) FTX would have been eligible to deal with MiCA; b) the “soft” licensing acquired by FTX EU Ltd. was absolutely not capable of detecting the organizational and structural fragility of FTX.

4. The authorization

MiCA confers the power to authorize and supervise CASPs to national competent authorities. The authorization should be granted, refused or withdrawn by the competent authority of the Member State where the entity has its registered office. Such an authorization should indicate the crypto-asset services for which the CASP is authorized and is valid for the entire Union. Moreover, EU credit institutions may provide crypto-asset services if they notify the competent authority of the home Member State, at least 40 working days before providing those services.

Interested CASPs shall apply for authorization to the competent authority of their home Member State. They have to provide a list of information. Among the more relevant, they have to indicate:

• a programme of operations setting out the types of crypto-asset services that the applicant CASP wishes to provide, including where and how these services are to be marketed;
• a description of the applicant crypto-asset service provider’s governance arrangements;
• proof that members of the management body of the applicant CASP are of sufficiently good repute and possess appropriate knowledge, skills and experience to manage that provider;
• the identities of any natural or legal persons that have qualifying holdings in the applicant crypto-asset service provider, and the amounts of those holdings, as well as proof that those persons are of good repute;
• a description of the applicant crypto-asset service provider’s internal control mechanism, policies, controls and procedures to identify, assess and manage risks, including ML/TF risks, and business continuity plan;
• the technical documentation of the IT systems and security arrangements, and a description in non-technical language;
• a description of the procedure for the segregation of client’s crypto-assets and funds.

Other information that the CASPs have to provide concerns the specific activity exercised by the CASP (trading platform, custody, transfer of funds, etc.).

An important provision for the assessment of MiCA’s impact on a business like the one of FTX states that the competent authority shall refuse authorization if the laws, regulations or administrative provisions of a third country governing one or more natural or legal persons with which the CASPs has close links, or difficulties involved in their enforcement, prevent the effective exercise of its supervisory functions. Such provision is important in the FTX case: in fact, if — for instance — the headquarters of a CASP are located in a jurisdiction which is not collaborative or which does not grant transparency the authorization can be refused. The European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA) shall jointly develop guidelines on the assessment of the suitability of the members of the management body of the crypto-asset service provider and of the natural or legal persons that have qualifying holdings in the crypto-asset service provider. Although they received a top level education it seems factual that the FTX management did not demonstrate a sufficient level of experience to run a complex crypto-asset service business. Once granted, the authorization can be withdrawn if the CASP no longer meets the requirements set by MiCA.

5. Obligations of the CASPs and organizational requirements

The authorizations are just the beginning. MiCA provides a full set of obligations that CASPs have to fulfill. Some are general and apply to every CASP, others are specific to the type of service offered by the CASP. Some of the obligations which concern all the crypto-assets are quite obvious, but it’s important to recall them in the light of the FTX case. First of all, CASPs “shall act honestly, fairly and professionally in accordance with the best interests of their clients and potential clients.” Moreover, CASPs “shall provide their clients with fair, clear and not misleading information, including in marketing communications.” Other provisions oblige CASPs to act transparently with respect to applied fees and communicate risks associated with crypto-assets.

According to MiCA, CASPs shall maintain and operate an effective policy to identify, prevent, manage and disclose conflicts of interest, taking into account the scale, the nature and range of crypto-asset services provided. The relationship between FTX and Alameda shows significant conflicts of interests and the absence of a reliable policy.

The most relevant parts are the prudential safeguards set by MiCA, which aim to assure financial stability of the authorized CASPs. MiCA provides for an amount of permanent minimum capital requirement that depends on the type of activity which is exercised. This minimum capital requirement can be fulfilled with tier 1 equity or an insurance policy covering the territories of the Union where the crypto-asset services are provided or a comparable guarantee. A combination of the two is also accepted. For CASPs that offer custody and administration of crypto-assets on behalf of third parties the minimum capital requirement is 125k Euro; for CASPs operating a trading platform for crypto-assets the minimum capital requirement is 150k Euro.

CASPs shall arrange for records, to be kept for 5 years, of all crypto-asset services, activities, orders, and transactions undertaken by them. Those records shall be sufficient to enable competent authorities to fulfill their supervisory tasks and to perform the enforcement actions, and in particular to ascertain whether the CASP has complied with all obligations including those with respect to clients or potential clients and to the integrity of the market.

6. Safekeepings of clients funds

Central to the FTX scandal is the use of clients’ funds that were lent to Alameda. Such a behavior could certainly not be admitted under MiCA. In fact, CASPs that hold crypto-assets belonging to clients or the means of access to such crypto-assets shall make adequate arrangements to safeguard the ownership rights of clients, especially in the event of the CASP’s insolvency, and to prevent the use of a client’s crypto-assets for their own account. Such a standard and obvious organizational provision was unfortunately not applied by FTX.

As to the specific requirements that MiCA provides for CASPs that are authorized for the custody and administration of crypto-assets on behalf of third parties, under the EU regulation CASPs shall establish a custody policy with internal rules and procedures to ensure the safekeeping or the control of such crypto-assets, or the means of access to the crypto-assets, such as cryptographic keys. Some information requirements are similar to the ones concerning banks. For instance, CASPs that are authorized for the custody and administration of crypto-assets on behalf of third parties shall provide their clients, at least once every three months and at each request of the client concerned, with a statement of position of the crypto-assets recorded in the name of those clients.

More importantly, CASPs shall segregate holdings of crypto-assets on behalf of their clients from their own holdings and ensure that the means of access to crypto-assets of their clients are clearly identified as such. They shall ensure that, on the DLT, their clients’ crypto-assets are held on separate addresses from those on which their own crypto-assets are held. The application of such a provision on segregation of funds would certainly have played a fundamental role in the FTX case. Moreover, the crypto-assets held in custody must be insulated from the CASP’s estate in the interest of the clients of the crypto-asset service provider under relevant law, such that creditors of the CASP have no recourse on the crypto-assets held in custody, in particular in the event of insolvency.

7. The importance of prudential oversight

What has been indicated above is of course very important. But one should never forget that blackletter rules create just a framework. The level of effectiveness depends on the willingness of the regulated players to seriously comply with the rules and on the prudential oversight exercized by competent authorities. This latter aspect seems well covered by MiCA. Not only CASPs need to be authorized prior to offer their services to the public, in addition MiCA entitles competent authorities with effective powers.

The EU regulation establishes that Member States shall designate the competent authorities responsible for carrying out the functions and duties provided for in this Regulation and shall inform the EBA and ESMA thereof. Among the powers granted to the competent authorities, these are the most relevant:

• to require any natural or legal person to provide information and documents which the competent authority considers could be relevant for the performance of its duties;
• to suspend, or to require a CASP to suspend, the provision of crypto-asset services for a maximum of 30 consecutive working days on any single occasion where there are reasonable grounds for believing that MiCA has been infringed;
• to prohibit the provision of crypto-asset services where it is found that MiCA has been infringed;
• to disclose, or to require a CASP to disclose, all material information which may have an effect on the provision of the crypto-asset services in order to ensure the protection of the interests of the clients, in particular retail holders, or the smooth operation of the market;
• to make public the fact that a CASP is failing to comply with its obligations;
• to suspend, or to require a CASP to suspend, the provision of crypto-asset services where the competent authorities consider that the crypto-asset service provider’s situation is such that the provision of the crypto-asset service would be detrimental to clients’ interests, in particular retail holders;
• to require the transfer of existing contracts to another CASP in cases where a CASP’s authorisation is withdrawn, subject to the agreement of the clients and the receiving CASP;
• where there is a reason to assume that a person is providing crypto-asset services without authorization, to order the immediate cessation of the activity without prior warning or imposition of a deadline;
• to suspend or prohibit marketing communications where there are reasonable grounds for believing that MiCA has been infringed;
• to allow auditors or experts to carry out verifications or investigations;
• to require the removal of a natural person from the management body.

Where no other effective means are available to bring about the cessation of the infringement of MiCA and in order to avoid the risk of serious harm to the interests of clients and holders of crypto-assets, authorities have also the power: (i) to take all necessary measures to remove content or to restrict access to an online interface or to order the explicit display of a warning to clients and holders of crypto-assets when they access an online interface; (ii) to take all necessary measures to order a hosting service provider to remove, disable or restrict access to an online interface; or (iii) to take all necessary measures to order domain registries or registrars to delete a fully qualified domain name and to allow the competent authority concerned to register it, including by requesting a third party or other public authority to implement such measure.

In principle, the task of controlling CASPs is on the competent authorities of the concerned Member states, but ESMA can directly intervene in cases of urgency or where the Member State authority is not performing its tasks in an adequate manner. Also authorities of “host” Member States can signal a potential infringement of MiCA’s rules to ESMA. In general terms, the legal framework encourages a strong collaboration and exchange of information among all the involved authorities. Such a collaboration can be particularly effective when it comes to relevant CASPs with a wide customer base.

8. Conclusion

A leading member of the European Parliament stated that FTX’s collapse is due to a lack of regulation and that the adoption of MiCA as a global set of regulatory standards would have prevented such a collapse from happening. In looking at MiCA’s provisions and on the controls and power that competent authorities will exercise, the observation seems to be correct.

MiCA will have a great impact on the organizational requirements of CASPs. The legal standards are not entirely new as they have been widely influenced by previous European legislation. A special focus is put on the experience and good repute of the management and on the segregation and safekeeping of customers’ funds. The requirements are already detailed but will be further clarified through prudential guidance expressed by ESMA.

Getting an authorization under MiCA will not be an easy task and ongoing controls excercized by competent authorities will generate significant and recurring compliance activity by the CASPs.

The new rules seem capable of enhancing the level of protection of users. Every CASP that operates on a global level will need to deal with them. MiCA will probably set global standards, as it happened with the EU General Data Protection Regulation (GDPR) in the last few years. Information and transparency will be the core, but no requirement of “proof of reserves” is contained in MiCA. This demonstrates that blockchain technology could even enhance the effectiveness of the requirements set by the new EU regulation.

Some small players will be outpriced by the legal costs connected to MiCA’s CASP framework. Given the magnitude of the FTX scandal and the harm to users and credibility of the crypto-industry, it seems wise to adopt strict rules and control mechanisms able to detect and sanction bad players. The technological innovation should be promoted on the public, decentralized and permissionless blockchains.

eaglelex is a Law Professor and qualified Italian attorney. He advises on regulatory matters concerning blockchain and crypto. He currently assists several web3 projects and CASPs seeking to obtain a registration in Europe.

If you would like to know more about the Blockchain Lawyers Group visit our Website, join our Discord and follow us on Twitter. Please note that Blockchain Lawyers Group’s members are not affiliated in the joint practice of law; each member is independent and renders professional services on an individual and separate basis. In reading the article you accept that its contents are not legal advice. The aim of the article is merely educational.