MiCA in Poland - Internal documents of CASP
Preparing and reviewing the internal documents and policies of a CASP is the most crucial aspect of obtaining a CASP license in Poland under MiCA, Regulation (EU) 2023/1114.
This article explores:
- the systematic classification of documents developed by our Law Firm in Poland;
- a description of, and guidelines on, one of the document categories: Internal Compliance Documents of CASP under MiCA.
CASP's document classification
MiCA requires the European Securities and Markets Authority (ESMA), in close cooperation with the European Banking Authority (EBA), to develop a series of Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and Guidelines (in particular Article 62(5) and (6) of MiCA).
ESMA adopted the Final Report – Draft technical Standards specifying certain requirements of the Markets in Crypto Assets Regulation (MiCA) on 25 March 2024. The report is available to download here.
The RTS issued by ESMA contains guidelines on the information to be included in the application for authorisation as a crypto-asset service provider. Therefore, this document should be the main basis for an applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of MiCA, Regulation (EU) 2023/1114.
The draft RTS pursuant to Article 62(5) of MiCA is available to download here. It is recommended that the above guideline be reviewed as the first step in preparing the documents related to obtaining a CASP license in Poland.
In accordance with the MiCA regulation and ESMA’s RTS, our Law Firm in Poland has classified the information and documents required for obtaining a CASP license into four main groups:
- General information – information (data) and corporate documents of the applicant – Article 1 of the RTS;
- Internal Compliance Documents of the applicant:
  - Programme of Operations; – Article 2
  - Governance and Internal Control Policy – information about governance arrangements and internal control mechanisms; – Article 4
  - Business Continuity Plan; – Article 5
  - AML Documentation – information on internal control mechanisms and policies and procedures to ensure compliance with the provisions of national law transposing Directive (EU) 2015/849 and with information on the risk assessment framework to manage risks relating to money laundering and terrorist financing; – Article 6
  - Complaints-handling Procedures; – Article 11
  - Commercial Policy; – Article 14
  - Description of the procedure for the segregation of clients’ crypto-assets and funds (facultative); – Article 10
- Personal information (identity and proof of good repute, knowledge, skills, experience):
  - information for each member of the management body; – Article 7
  - information relating to shareholders with qualifying holdings; – Article 8
- Technical documentation – the technical documentation of the ICT systems and security arrangements, and a description thereof in non-technical language – Article 9
In this article, the Internal Compliance Documents of the applicant seeking authorization as a Crypto-Asset Service Provider in Poland will be listed and described.
Programme of Operations
The programme of operations provides an overview of the business activities and services that the CASP in Poland intends to provide, ensuring it complies with the relevant regulatory requirements. The programme of operations is essential in helping regulators understand the firm’s structure, planned activities, and risk management practices. The programme of operations should cover a period of three years and contain the following information:
- a list of crypto-asset services that the applicant intends to provide as well as the types of crypto-assets to which the crypto-asset services will relate;
- other planned activities, regulated in accordance with Union or national law or unregulated, including any services, other than crypto-asset services, that the applicant intends to provide;
- whether the applicant intends to offer crypto-assets to the public or seek admission to trading of crypto-assets and if so, of what type of crypto-assets;
- a list of jurisdictions, in and outside the European Union, in which the applicant plans to provide crypto-asset services, including information on the domicile of targeted clients and the targeted number by geographical area;
- types of prospective clients targeted by the applicant’s services;
- a description of the means of access to the applicant’s crypto-asset services by clients, including all of the following:
  - the domain names for each website or other ICT-based application through which the crypto-asset services will be provided by the applicant and information on the languages in which the website will be available, the types of crypto-asset services that will be accessed through it and, where applicable, from which Member States the website will be accessible;
  - the name of any ICT-based application available to clients to access the crypto-asset services, in which languages it is available and which crypto-asset services can be accessed through it;
- the planned marketing and promotional activities and arrangements for the crypto-asset services, including:
  - all means of marketing to be used for each of the services, the means of identification that the applicant intends to use and information on the relevant category of clients targeted and types of crypto-assets;
  - languages that will be used for the marketing and promotional activities;
- a detailed description of the human, financial and ICT resources allocated to the intended crypto-asset services as well as their geographical location;
- the applicant’s outsourcing policy and a detailed description of the applicant’s planned outsourcing arrangements, including intra-group arrangements, and how the applicant intends to comply with the requirements set out in Article 73 of MiCA, Regulation (EU) 2023/1114. The applicant shall also include information on the functions or person responsible for outsourcing, the resources (human and ICT) allocated to the control of the outsourced functions, services or activities of the related arrangements and on the risk assessment related to the outsourcing;
- the list of entities that will provide outsourced services, their geographical location and the relevant services outsourced;
- a forecast accounting plan including stress scenarios at an individual and, where applicable, at consolidated group and sub-consolidated level in accordance with Directive 2013/34/EU. The financial forecast shall consider any intra-group loans granted or to be granted by and to the applicant;
- any exchange of crypto-assets for funds and other crypto-asset activities that the applicant intends to undertake, including through any decentralised finance applications with which the applicant wishes to interact on its own account.
Governance and Internal Control Policy - Information about governance arrangements and internal control mechanisms
- a detailed description of the organisational structure of the applicant, where relevant encompassing the group, including the indication of the distribution of the tasks and powers and the relevant reporting lines and the internal control arrangements implemented together with an organisational chart;
- the personal details of the heads of internal functions (management, supervisory and internal control functions), including their location and a curriculum vitae, stating relevant education, and professional training and professional experience and a description of the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them;
- the policies and procedures and a detailed description of the arrangements put in place to ensure that relevant staff are aware of the policies and procedures which must be followed for the proper discharge of their responsibilities, proposal: “Policy Awareness and Compliance Procedures”;
- the policies and procedures and a detailed description of the arrangements put in place to maintain adequate and orderly records of the business and internal organisation of the applicant in accordance with Article 68(9) of MiCA, Regulation (EU) 2023/1114, proposal: “Recordkeeping and Internal Organization Compliance Procedures”;
- the policies and procedures and arrangements to enable the management body to assess and periodically review the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2 and 3 of Title V of Regulation (EU) 2023/1114 in accordance with Article 68(6) of the same Regulation (proposal: “Internal Control and Compliance Review Policy”), including all of the following:
  - identification of the internal control functions in charge of monitoring the policy arrangements and procedures put in place to comply with Chapters 2 and 3 of Title V of MiCA, Regulation (EU) 2023/1114, together with the scope of their responsibility and reporting lines to the management body of the applicant;
  - indication of the periodicity of internal control functions reporting to the management body of the applicant on the effectiveness of the policy arrangements and procedures put in place to comply with Chapters 2 and 3 of Title V of MiCA, Regulation (EU) 2023/1114;
  - explanation of how the applicant ensures that the internal control functions operate independently and separately from the functions they control, have access to the necessary resources and information, and that those internal control functions can report directly to the management body of the applicant both at least once a year and on an ad hoc basis including where they detect a significant risk of failure for the applicant to comply with its obligations;
  - a description of the ICT systems, safeguards and controls put in place to monitor the activities of the applicant and ensure compliance with Chapters 2 and 3 of Title V of MiCA, Regulation (EU) 2023/1114, including back-up systems, and ICT systems and risk controls, where not provided in accordance with Article 9 of this Regulation;
- the policies and procedures and a detailed description of the arrangements established by the applicant to ensure compliance with its obligations under Chapters 2 and 3 of Title V of MiCA, Regulation (EU) 2023/1114, including:
  - the applicant’s record keeping arrangements in accordance with [RTS on recordkeeping by crypto-asset services providers];
  - a detailed description of the procedures for the applicant’s employees to report potential or actual infringements of MiCA, Regulation (EU) 2023/1114 in accordance with Article 116 of MiCA, Regulation (EU) 2023/1114;
- where relevant, a description of the arrangements put in place to prevent and detect market abuse in accordance with Article 92 of MiCA, Regulation (EU) 2023/1114; – “Prevention and Detection of Market Abuse Policy”
- whether the applicant has appointed or will appoint external auditors and, if that is the case, their name and contact details, when available;
- the accounting policies and procedures by which the applicant will record and report its financial information, including the start and end dates of the applied accounting year.
As part of the information on policies and procedures established to ensure compliance with Chapters 2 and 3 of Title V of MiCA, Regulation (EU) 2023/1114, applicants shall provide to the competent authority all of the following information on the management of risks relating to conflicts of interests:
- a copy of the applicant’s conflicts of interest policy, together with a description of how the policy:
  - ensures that the applicant identifies and prevents or manages conflicts of interests in accordance with Article 72(1) of MiCA, Regulation (EU) 2023/1114 and discloses conflicts of interest in accordance with Article 72(2) of MiCA, Regulation (EU) 2023/1114;
  - is commensurate to the scale, nature and range of crypto-asset services that the applicant intends to provide and of the other activities of the group to which it belongs;
  - ensures that the remuneration policies and procedures and arrangements do not create conflicts of interest;
- how the applicant’s conflicts of interest policy ensures compliance with Article 4(9) of [RTS on conflicts of interest of CASPs], including information on the systems and arrangements put in place by the applicant to:
  - monitor, assess, review the effectiveness of its conflicts of interests policy and remedy any deficiencies;
  - record cases of conflicts of interests, including the identification, assessment, remedy and whether the case was disclosed to the client.
Business Continuity Plan
- which steps shall be taken to ensure continuity and regularity in the performance of the applicant’s crypto-asset services;
- the description shall include details showing that the established business continuity plan is appropriate and that arrangements are set up to maintain and periodically test it. The description shall explain, with regard to critical or important functions supported by third-party service providers, how business continuity is ensured in the event that the quality of the provision of such functions deteriorates to an unacceptable level or fails. The description shall also explain how business continuity is ensured in the event of the death of a key person and, where relevant, political risks in the service provider’s jurisdiction.
AML Documentation
An applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of MiCA, Regulation (EU) 2023/1114 shall provide the competent authority with information on its internal control mechanisms and policies and procedures to ensure compliance with the provisions of national law transposing Directive (EU) 2015/849 and with information on the risk assessment framework to manage risks relating to money laundering and terrorist financing, including all of the following:
- the applicant’s assessment of the inherent and residual risks of money laundering and terrorist financing associated with its business, including the risks relating to the applicant’s customer base, to the services provided, to the distribution channels used and to the geographical areas of operation; – “Risk Assessment”
- the measures that the applicant has or will put in place to prevent the identified risks and comply with applicable anti-money laundering and counter-terrorist financing requirements, including the applicant’s risk assessment process, the policies and procedures to comply with customer due diligence requirements, and the policies and procedures to detect and report suspicious transactions or activities; – “Risk Assessment” and “AML Policy”;
- detailed information on how such mechanisms, systems and procedures are adequate and proportionate to the scale, nature, inherent money laundering and terrorist financing risk, range of crypto-asset services provided, the complexity of the business model and how they ensure the applicant’s compliance with Directive (EU) 2015/849 and TFR (Transfer of Funds) Regulation (EU) 2023/1113; – “Risk Assessment”;
- the identity of the person in charge of ensuring the applicant’s compliance with anti-money laundering and counter-terrorist financing obligations, and evidence of the person’s skills and expertise;
- arrangements, human and financial resources devoted to ensure that staff of the applicant is appropriately trained in anti-money laundering and counter-terrorist financing matters (annual indications) and on specific crypto-asset related risks;
- a copy of the applicant’s anti-money laundering and counter-terrorism policies and procedures, and systems;
- the frequency of the assessment of the adequacy and effectiveness of such mechanisms, systems and policies and procedures as well as the person or function responsible for such assessment; – “AML Policy – audit matters”
Complaints-handling procedures
Description of the applicant’s complaints handling policies and procedures, including all of the following:
- information on the human and technical resources allocated to complaints handling;
- information on the person in charge of the resources dedicated to the management of complaints, together with a curriculum vitae stating relevant education, professional training and professional experience justifying the skills, knowledge and expertise for the discharge of the responsibilities allocated to him or her;
- how the applicant ensures compliance with the requirements set out in Article 1 of [RTS on complaints handling by CASPs];
- how the applicant will inform clients or potential clients of the possibility to file a complaint free of charge, including where and how on the applicant’s website, or on any other relevant digital device that may be used by clients to access the crypto-asset services, is the information available as well as what information is provided;
- the applicant’s record-keeping arrangements in relation to complaints;
- the timeline provided in the complaints-handling policies and procedures of the applicant to investigate, respond and, where appropriate, take measures in response to complaints received;
- how the applicant will inform clients or potential clients of the available remedies;
- the procedural key steps of the applicant in making a decision on a complaint and how the applicant will communicate this decision to the client or potential client who filed the complaint.
Commercial Policy
- description of the commercial policy established in accordance with Article 77(1) of Regulation (EU) 2023/1114;
- the methodology for determining the price of the crypto-assets that the applicant proposes to exchange for funds or other crypto-assets in accordance with Article 77(2) of Regulation (EU) 2023/1114, including how the volume and market volatility of crypto-assets impact the pricing mechanism.
Segregation of clients’ crypto-assets and funds
Where the applicant intends to hold crypto-assets belonging to clients or the means of access to such crypto-assets, or clients’ funds (other than e-money tokens), the applicant seeking authorisation as a crypto-asset service provider in accordance with Article 62 of Regulation (EU) 2023/1114 shall provide to the competent authority a detailed description of its policies and procedures for the segregation of clients’ crypto-assets and funds, including all of the following:
- how the applicant ensures that:
  - clients’ funds are not used for its own account;
  - crypto-assets belonging to the clients are not used for its own account;
  - the wallets holding clients’ crypto-assets are different from the applicant’s own wallets;
- detailed description of the approval system for cryptographic keys and safeguarding of cryptographic keys (for instance, multi-signature wallets);
- how the applicant segregates clients’ crypto-assets, including from other clients’ crypto-assets in the event of wallets containing crypto-assets of more than one client (omnibus accounts);
- a description of the procedure to ensure that clients’ funds (other than e-money tokens) are deposited with a central bank or a credit institution by the end of the business day following the day on which they were received and are held in an account separately identifiable from any accounts used to hold funds belonging to the applicant;
- where the applicant does not intend to deposit funds with the relevant central bank, which factors the applicant is taking into account to select the credit institutions to deposit clients’ funds, including the applicant’s diversification policy, where available, and the frequency of review of the selection of credit institutions to deposit clients’ funds;
- how the applicant ensures that clients are informed in clear, concise and non-technical language about the key aspects of the applicant’s systems and policies and procedures to comply with Article 70(1), (2) and (3) of Regulation (EU) 2023/1114.